# source me to have all the nice things

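# Refuse to run as a script: everything below (the helper functions and the
# PATH tweak) is meant to land in the caller's shell, so a plain execution
# would do nothing useful.
if [[ "$0" == "${BASH_SOURCE[0]}" ]]; then
  echo "You should be sourcing this." >&2
  exit 1
fi

# Absolute, symlink-resolved directory containing this file (the repo root).
# `&&` rather than `;` so a failed cd yields an empty root instead of silently
# using whatever the caller's cwd happens to be.
hscloud_root="$( cd "$(dirname "${BASH_SOURCE[0]}")" && pwd -P )"

# Sanity check that this really is the repository root. Use `return`, not
# `exit`: we already know we are being sourced, and `exit` here would kill the
# user's interactive shell instead of just aborting the source.
if [ ! -f "$hscloud_root/WORKSPACE" ]; then
  echo "Could not find WORKSPACE" >&2
  return 1
fi

# Where bazel drops the built tools; put it on PATH exactly once.
hscloud_path="$hscloud_root/bazel-bin/tools"

# Written as `if` so that an already-present entry does not make the last
# statement (and hence `source env.sh` itself) return non-zero.
if [[ ":$PATH:" != *":$hscloud_path:"* ]]; then
  PATH="$hscloud_path:${PATH}"
fi
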
# legacy crap follows

# Run docker-compose against the repo's compose file, from the repo root.
# Runs in a subshell so the caller's cwd is untouched; every argument is
# forwarded to docker-compose unchanged.
hscloud-dc() {
  (
    cd "$hscloud_root" || exit
    docker-compose -f "docker/docker-compose.yml" "$@"
  )
}

# Rebuild the dev PKI under docker/pki from the checked-in dev certs and list
# the resulting PEM files. Runs in a subshell with `set -e`, so the caller's
# cwd is untouched and any failing step aborts the rest.
hscloud-pki-dev() {
  (
    set -e
    pki_dir="docker/pki"

    cd "$hscloud_root"
    # Always start from a fresh copy of the dev certs.
    rm -rf "$pki_dir"
    cp -rv go/pki/dev-certs "$pki_dir"

    cd "$pki_dir"
    bash gen.sh m6220-proxy arista-proxy cmc-proxy topo client
    ls *pem
  )
}

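# Generate a per-node certificate remotely on the node.
#
# The private key never leaves the node: it is generated there (if absent), a
# CSR is produced on the node, pulled back here, signed with the CA key from
# secrets/, and the certificate plus ca.crt are pushed back. The certificate
# carries a SAN of DNS:<fqdn>. Runs in a subshell with `set -e`, so a failing
# step aborts without touching the caller's shell.
#
# Arguments:
#   $1 - node FQDN (ssh'd to as root)
#   $2 - certificate name; remote files are /opt/hscloud/<name>.{key,csr,crt}
#   $3 - X.509 subject in openssl -subj syntax (must not contain a single quote)
# Returns: 0 on success, or immediately when the node already has the cert.
hscloud-node-remote-cert() {
  (
    set -e
    # `-z` for the subject: the earlier `-x "$3"` was an executable-file test
    # and let an empty subject through to openssl.
    if [ -z "$1" ] || [ -z "$2" ] || [ -z "$3" ]; then
      echo >&2 "Usage: hscloud-node-remote-cert node.fqdn.com certname subj"
      exit 1
    fi
    fqdn="$1"
    certname="$2"
    subj="$3"

    # The subject is spliced into a remote command inside single quotes (see
    # the `openssl req` call below); a quote in it would break out of that
    # quoting on the node, so reject it before anything is run remotely.
    case "$subj" in
      *\'*)
        echo >&2 "Subject must not contain a single quote: ${subj}"
        exit 1
        ;;
    esac

    remote="root@${fqdn}"
    echo "Node: ${fqdn}; Cert: ${certname}"

    echo "Checking node livenes..."
    ssh "$remote" uname -a

    echo "Checking if node already has key..."
    ssh "$remote" stat "/opt/hscloud/${certname}.key" || (
      echo "Generating key..."
      ssh "$remote" -- mkdir -p /opt/hscloud
      ssh "$remote" -- nix-shell -p openssl --command "\"openssl genrsa -out /opt/hscloud/${certname}.key 4096\""
      ssh "$remote" -- chmod 400 "/opt/hscloud/${certname}.key"
    )

    echo "Checking if node already has cert..."
    ssh "$remote" stat "/opt/hscloud/${certname}.crt" && exit 0
    echo "No cert, will generate..."

    cd "$hscloud_root"
    secrets="$hscloud_root/secrets"
    ca="$secrets/ca.key"
    # Decrypt the CA key on first use, via a temp file so that a failed decrypt
    # does not leave an empty ca.key behind (later runs would skip decryption
    # and fail at signing time). The plaintext CA key stays in secrets/ after
    # this; it is not removed.
    if [ ! -f "$ca" ]; then
      scripts/secretstore decrypt "$secrets/cipher/ca.key" > "$ca.tmp" || { rm -f "$ca.tmp"; exit 1; }
      mv "$ca.tmp" "$ca"
    fi

    # Scratch files live in the repo root; make sure they go away on any exit.
    csr_local="${fqdn}-${certname}.csr"
    trap 'rm -f san.cnf "$csr_local"' EXIT
    cp data/openssl.cnf san.cnf
    printf '\n[SAN]\nsubjectAltName=DNS:%s' "$fqdn" >> san.cnf
    scp san.cnf "${remote}:/opt/hscloud/san.cnf"

    ssh "$remote" -- nix-shell -p openssl --command "\"openssl req -new -key /opt/hscloud/${certname}.key -out /opt/hscloud/${certname}.csr -subj '${subj}' -config /opt/hscloud/san.cnf -reqexts SAN\""
    scp "${remote}:/opt/hscloud/${certname}.csr" "$csr_local"
    # No -days is passed, so openssl's default validity applies (30 days in
    # stock openssl -- confirm that matches what the nodes expect).
    openssl x509 -req \
      -in "$csr_local" \
      -CA data/ca.crt \
      -CAkey "$ca" -CAcreateserial \
      -out "data/${fqdn}-${certname}.crt" \
      -extensions SAN -extfile san.cnf

    scp "data/${fqdn}-${certname}.crt" "${remote}:/opt/hscloud/${certname}.crt"
    scp "data/ca.crt" "${remote}:/opt/hscloud/ca.crt"
    ssh "$remote" -- chmod 444 "/opt/hscloud/${certname}.crt" /opt/hscloud/ca.crt
  )
}
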
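# Generate locally (if not present) a shared certificate, and upload it to the node
#
# "Shared" means the key pair lives in this repo (ciphertext under
# secrets/cipher/, plaintext key in secrets/, cert in data/) and is copied to
# every node that needs it, unlike hscloud-node-remote-cert where the key is
# created on the node. Runs in a subshell with `set -e`.
#
# Arguments:
#   $1 - node FQDN (ssh'd to as root)
#   $2 - certificate name; local files are secrets/<name>.key and
#        data/<name>.{csr,crt}, remote files /opt/hscloud/<name>.{key,crt}
#   $3 - X.509 subject in openssl -subj syntax
hscloud-node-shared-cert() {
  (
    set -e
    # `-z` for the subject: the earlier `-x "$3"` was an executable-file test
    # and let an empty subject through to openssl.
    if [ -z "$1" ] || [ -z "$2" ] || [ -z "$3" ]; then
      echo >&2 "Usage: hscloud-node-shared-cert node.fqdn.com certname subj"
      exit 1
    fi
    fqdn="$1"
    certname="$2"
    subj="$3"
    remote="root@${fqdn}"

    cd "$hscloud_root"
    secrets="$hscloud_root/secrets"
    keyfile="$secrets/$certname.key"
    cipherkey="$secrets/cipher/$certname.key"
    cert="$hscloud_root/data/$certname.crt"
    csr="$hscloud_root/data/$certname.csr"
    ca="$secrets/ca.key"
    # Decrypt the CA key on first use, via a temp file so a failed decrypt
    # cannot leave an empty ca.key that later runs would mistake for the real
    # one. The plaintext CA key stays in secrets/ afterwards.
    if [ ! -f "$ca" ]; then
      scripts/secretstore decrypt "$secrets/cipher/ca.key" > "$ca.tmp" || { rm -f "$ca.tmp"; exit 1; }
      mv "$ca.tmp" "$ca"
    fi

    echo "Checking if key exists..."
    if [ ! -f "$keyfile" ]; then
      if [ -f "$cipherkey" ]; then
        # An encrypted key exists, so a decrypt failure must abort rather than
        # fall through to generating a fresh key: that branch overwrites the
        # ciphertext and would silently rotate a key other nodes already hold.
        echo "No key, trying to decrypt..."
        scripts/secretstore decrypt "$cipherkey" > "$keyfile.tmp" || { rm -f "$keyfile.tmp"; exit 1; }
        mv "$keyfile.tmp" "$keyfile"
      else
        echo "No encrypted key, generating..."
        openssl genrsa -out "$keyfile" 4096
        echo "Encrypting..."
        scripts/secretstore encrypt "$keyfile" > "$cipherkey"
      fi
    fi

    echo "Checking if cert exists..."
    if [ ! -f "$cert" ]; then
      echo "No cert, generating..."
      rm -f "${csr}"
      openssl req -new -key "${keyfile}" -out "${csr}" -subj "${subj}"
      # No SAN and no -days: the cert carries only the subject and gets
      # openssl's default validity (30 days in stock openssl -- confirm).
      openssl x509 -req -in "${csr}" -CA data/ca.crt -CAkey "$ca" -CAcreateserial -out "${cert}"
    fi

    echo "Copying certificate to node..."
    scp "${cert}" "${remote}:/opt/hscloud/${certname}.crt"
    ssh "$remote" -- chmod 444 "/opt/hscloud/${certname}.crt"
    # The remote key file exists with scp's initial mode (presumably derived
    # from the local file and the remote umask) until the chmod runs, so keep
    # the chmod directly after the copy to keep that window as short as it can be.
    scp "${keyfile}" "${remote}:/opt/hscloud/${certname}.key"
    ssh "$remote" -- chmod 400 "/opt/hscloud/${certname}.key"
  )
}
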
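# Bootstrap the full certificate set for one node: the two per-node certs
# (generated on the node) and the shared Kubernetes component certs
# (generated here and pushed to the node). Runs in a subshell with `set -e`,
# so the first failing helper aborts the rest.
#
# Arguments:
#   $1 - node FQDN
hscloud-node-certs() {
  (
    set -e

    if [ -z "$1" ]; then
      echo >&2 "Usage: hscloud-node-certs node.fqdn.com"
      exit 1
    fi
    fqdn="$1"
    # Common DN prefix shared by every subject below.
    dn="/C=PL/ST=Mazowieckie/L=Mazowieckie"

    # NOTE(review): the \" around the FQDN reach openssl as literal double-quote
    # characters inside the CN (the subject is single-quoted on the node, see
    # hscloud-node-remote-cert). Presumably Kubernetes compares the
    # system:node:<name> CN verbatim -- confirm the quotes are intended.
    hscloud-node-remote-cert "$fqdn" node "${dn}/O=Stowarzyszenie Warszawski Hackerspace/OU=Node Bootstrap Certificate/CN=\"$fqdn\""
    hscloud-node-remote-cert "$fqdn" kube-node "${dn}/O=system:nodes/OU=Kubernetes Node Certificate/CN=system:node:\"$fqdn\""
    for component in controller-manager proxy scheduler; do
      hscloud-node-shared-cert "$fqdn" "kube-${component}" "${dn}/O=system:kube-${component}/OU=Kubernetes Component ${component}/CN=system:kube-${component}"
    done
    hscloud-node-shared-cert "$fqdn" kube-apiserver "${dn}/O=Kubernetes API/CN=k0.hswaw.net"
    hscloud-node-shared-cert "$fqdn" kube-serviceaccounts "${dn}/O=Kubernetes Service Accounts/CN=service-accounts"
  )
}
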
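# Create a kubectl client certificate for `username`, signed by the repo CA
# with O=system:masters (the group Kubernetes's default RBAC treats as
# cluster-admin, so this is a full-admin credential), and write a
# self-contained kubeconfig for k0.hswaw.net under .kubectl/. Key and cert are
# reused when present; the kubeconfig is regenerated every time. Runs in a
# subshell with `set -e`.
#
# Arguments:
#   $1 - username, used for the CN/OU and as the kubeconfig user entry
hscloud-k8s-config() {
  (
    set -e

    if [ -z "$1" ]; then
      echo >&2 "Usage: hscloud-k8s-config username"
      exit 1
    fi
    username="$1"

    cd "$hscloud_root"
    # Everything written below is a client credential (the kubeconfig embeds
    # the private key); keep it readable by this user only.
    umask 077
    mkdir -p .kubectl

    cert="$hscloud_root/.kubectl/client.crt"
    csr="$hscloud_root/.kubectl/client.csr"
    keyfile="$hscloud_root/.kubectl/client.key"
    secrets="$hscloud_root/secrets"
    ca="$secrets/ca.key"

    if [ ! -f "$keyfile" ]; then
      echo "Generating ${keyfile}..."
      openssl genrsa -out "$keyfile" 4096
      # A new key invalidates any existing cert, so force re-signing below.
      rm -f "$cert"
    fi
    if [ ! -f "$cert" ]; then
      echo "Signing ${cert}..."
      # Decrypt the CA key on first use, via a temp file so a failed decrypt
      # cannot leave an empty ca.key that later runs would mistake for the
      # real one. The plaintext CA key stays in secrets/ afterwards.
      if [ ! -f "$ca" ]; then
        scripts/secretstore decrypt "$secrets/cipher/ca.key" > "$ca.tmp" || { rm -f "$ca.tmp"; exit 1; }
        mv "$ca.tmp" "$ca"
      fi
      openssl req -new -key "${keyfile}" -out "${csr}" -subj "/C=PL/ST=Mazowieckie/O=system:masters/OU=Kubernetes Admin Account for ${username}/CN=${username}"
      # No -days: openssl's default validity applies (30 days in stock
      # openssl -- confirm); re-run after removing the cert to renew.
      openssl x509 -req -in "${csr}" -CA data/ca.crt -CAkey "$ca" -CAcreateserial -out "${cert}"
    fi

    kubeconfig="$hscloud_root/.kubectl/client.kubeconfig"
    echo "Generating ${kubeconfig}..."
    rm -f "${kubeconfig}"

    kubectl config set-cluster k0.hswaw.net \
      --certificate-authority="${hscloud_root}/data/ca.crt" \
      --embed-certs=true \
      --server=https://k0.hswaw.net:4001 \
      --kubeconfig="${kubeconfig}"

    kubectl config set-credentials "${username}" \
      --client-certificate="${cert}" \
      --client-key="${keyfile}" \
      --embed-certs=true \
      --kubeconfig="${kubeconfig}"

    kubectl config set-context default \
      --cluster=k0.hswaw.net \
      --user="${username}" \
      --kubeconfig="${kubeconfig}"

    kubectl config use-context default --kubeconfig="${kubeconfig}"
  )
}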