Recover some necessary files

nec-openstack · Jul 4, 2017 · 2c4b6e6 · 2c4b6e6
1 parent a3c5244
commit 2c4b6e6
Show file tree

Hide file tree

Showing 7 changed files with 206 additions and 0 deletions.
diff --git a/tools/gen-cert-apiserver.sh b/tools/gen-cert-apiserver.sh
@@ -0,0 +1,57 @@
+#!/usr/bin/env bash
+
+set -eu
+export LC_ALL=C
+
+script_dir=`dirname $0`
+NODE_IP=${1:-"192.168.1.111"}
+
+CA_KEY=${CA_KEY:-"${LOCAL_CERTS_DIR}/ca.key"}
+CA_CERT=${CA_CERT:-"${LOCAL_CERTS_DIR}/ca.crt"}
+KUBE_KEY=${KUBE_KEY:-"${LOCAL_CERTS_DIR}/apiserver-${NODE_IP}.key"}
+KUBE_CERT_REQ=${KUBE_CERT_REQ:-"${LOCAL_CERTS_DIR}/apiserver-${NODE_IP}.csr"}
+KUBE_CERT=${KUBE_CERT:-"${LOCAL_CERTS_DIR}/apiserver-${NODE_IP}.crt"}
+OPENSSL_CONFIG="${LOCAL_CERTS_DIR}/apiserver-${NODE_IP}.cnf"
+
+sans="DNS:kubernetes,DNS:kubernetes.default,DNS:kubernetes.default.svc,DNS:kubernetes.default.svc.cluster.local"
+sans="${sans},IP:${KUBE_PUBLIC_SERVICE_IP},IP:${KUBE_PRIVATE_SERVICE_IP}"
+sans="${sans},IP:${NODE_IP}"
+for HOSTNAME in ${KUBE_ADDITIONAL_HOSTNAMES}
+do
+    sans="${sans},DNS:${HOSTNAME}"
+done
+for IP in ${KUBE_ADDITIONAL_SERVICE_IPS}
+do
+    sans="${sans},IP:${IP}"
+done
+
+# Create config for server's csr
+cat > ${OPENSSL_CONFIG} <<EOF
+[req]
+req_extensions      = v3_req
+distinguished_name  = req_distinguished_name
+[req_distinguished_name]
+[ v3_req ]
+basicConstraints    = CA:FALSE
+keyUsage            = nonRepudiation, digitalSignature, keyEncipherment
+extendedKeyUsage    = serverAuth
+subjectAltName      = ${sans}
+EOF
+
+if [[ ! -f ${KUBE_KEY} ]]; then
+    openssl genrsa -out "${KUBE_KEY}" 4096
+fi
+
+openssl req -new -key "${KUBE_KEY}" \
+            -out "${KUBE_CERT_REQ}" \
+            -subj "/CN=kube-apiserver" \
+            -config ${OPENSSL_CONFIG}
+
+openssl x509 -req -in "${KUBE_CERT_REQ}" \
+             -CA "${CA_CERT}" \
+             -CAkey "${CA_KEY}" \
+             -CAcreateserial \
+             -out "${KUBE_CERT}" \
+             -days 365 \
+             -extensions v3_req \
+             -extfile ${OPENSSL_CONFIG}
diff --git a/tools/gen-cert-ca.sh b/tools/gen-cert-ca.sh
@@ -0,0 +1,18 @@
+#!/usr/bin/env bash
+
+set -eu
+export LC_ALL=C
+
+script_dir=`dirname $0`
+
+CA_KEY=${CA_KEY:-"${LOCAL_CERTS_DIR}/ca.key"}
+CA_CERT=${CA_CERT:-"${LOCAL_CERTS_DIR}/ca.crt"}
+
+if [[ ! -f ${CA_KEY} ]]; then
+    openssl genrsa -out "${CA_KEY}" 4096
+fi
+openssl req -x509 -new -nodes \
+            -key "${CA_KEY}" \
+            -days 10000 \
+            -out "${CA_CERT}" \
+            -subj "/CN=kube-ca"
diff --git a/tools/gen-cert-client.sh b/tools/gen-cert-client.sh
@@ -0,0 +1,64 @@
+#!/usr/bin/env bash
+
+# ## for apiserver-kubelet-client
+# $ bash tools/gen-cert-client ${CLIENT_IP} \
+#       apiserver-kubelet-client \
+#       "/O=system:masters/CN=kube-apiserver-kubelet-client"
+#
+# ## for etcd-client
+# $ bash tools/gen-cert-client ${CLIENT_IP} \
+#       etcd-client \
+#       "/CN=etcd-client"
+#
+# ## for controller-manager
+# $ bash tools/gen-cert-client ${CLIENT_IP} \
+#       controller-manager \
+#       "/CN=system:kube-controller-manager"
+#
+# ## for scheduler
+# $ bash tools/gen-cert-client ${CLIENT_IP} \
+#       scheduler \
+#       "/CN=system:kube-scheduler"
+#
+# ## for kubelet
+# $ bash tools/gen-cert-client ${CLIENT_IP} \
+#       kubelet \
+#       "/O=system:nodes/CN=system:node:kubelet-${CLIENT_IP//'.'/'-'}"
+#
+# ## for admin
+# $ bash tools/gen-cert-client ${CLIENT_IP} \
+#       admin \
+#       "/O=system:masters/CN=kubernetes-admin"
+#
+
+set -eu
+export LC_ALL=C
+
+script_dir=`dirname $0`
+CLIENT_IP=${1:-"192.168.1.111"}
+PREFIX=${2:-"client"}
+SUBJECT=${3:-"/CN=client"}
+
+CA_KEY=${CA_KEY:-"${LOCAL_CERTS_DIR}/ca.key"}
+CA_CERT=${CA_CERT:-"${LOCAL_CERTS_DIR}/ca.crt"}
+CLIENT_KEY=${CLIENT_KEY:-"${LOCAL_CERTS_DIR}/${PREFIX}-${CLIENT_IP}.key"}
+CLIENT_CERT_REQ=${CLIENT_CERT_REQ:-"${LOCAL_CERTS_DIR}/${PREFIX}-${CLIENT_IP}.csr"}
+CLIENT_CERT=${CLIENT_CERT:-"${LOCAL_CERTS_DIR}/${PREFIX}-${CLIENT_IP}.crt"}
+
+if [[ ! -f ${CLIENT_KEY} ]]; then
+    openssl genrsa -out "${CLIENT_KEY}" 4096
+fi
+
+openssl req -new -key "${CLIENT_KEY}" \
+            -out "${CLIENT_CERT_REQ}" \
+            -subj "${SUBJECT}" \
+            -config ${script_dir}/openssl-client.cnf
+
+openssl x509 -req -in "${CLIENT_CERT_REQ}" \
+             -CA "${CA_CERT}" \
+             -CAkey "${CA_KEY}" \
+             -CAcreateserial \
+             -out "${CLIENT_CERT}" \
+             -days 365 \
+             -extensions v3_req \
+             -extfile ${script_dir}/openssl-client.cnf
diff --git a/tools/gen-cert-etcd-server.sh b/tools/gen-cert-etcd-server.sh
@@ -0,0 +1,34 @@
+#!/usr/bin/env bash
+
+set -eu
+export LC_ALL=C
+
+script_dir=`dirname $0`
+NODE_IP=${1:-"192.168.1.111"}
+
+CA_KEY=${CA_KEY:-"${LOCAL_CERTS_DIR}/ca.key"}
+CA_CERT=${CA_CERT:-"${LOCAL_CERTS_DIR}/ca.crt"}
+ETCD_KEY=${ETCD_KEY:-"${LOCAL_CERTS_DIR}/etcd-${NODE_IP}.key"}
+ETCD_CERT_REQ=${ETCD_CERT_REQ:-"${LOCAL_CERTS_DIR}/etcd-${NODE_IP}.csr"}
+ETCD_CERT=${ETCD_CERT:-"${LOCAL_CERTS_DIR}/etcd-${NODE_IP}.crt"}
+OPENSSL_CONFIG="${script_dir}/openssl-server-client.cnf"
+
+if [[ ! -f ${ETCD_KEY} ]]; then
+    openssl genrsa -out "${ETCD_KEY}" 4096
+fi
+
+NODE_IP=${NODE_IP} \
+openssl req -new -key "${ETCD_KEY}" \
+            -out "${ETCD_CERT_REQ}" \
+            -subj "/CN=etcd-server" \
+            -config ${OPENSSL_CONFIG}
+
+NODE_IP=${NODE_IP} \
+openssl x509 -req -in "${ETCD_CERT_REQ}" \
+             -CA "${CA_CERT}" \
+             -CAkey "${CA_KEY}" \
+             -CAcreateserial \
+             -out "${ETCD_CERT}" \
+             -days 365 \
+             -extensions v3_req \
+             -extfile ${OPENSSL_CONFIG}
diff --git a/tools/gen-keypair-sa.sh b/tools/gen-keypair-sa.sh
@@ -0,0 +1,14 @@
+#!/usr/bin/env bash
+
+set -eu
+export LC_ALL=C
+
+script_dir=`dirname $0`
+
+SA_KEY=${SA_KEY:-"${LOCAL_CERTS_DIR}/sa.key"}
+SA_PUB=${SA_PUB:-"${LOCAL_CERTS_DIR}/sa.pub"}
+
+if [[ ! -f ${SA_KEY} ]]; then
+    openssl genrsa -out "${SA_KEY}" 4096
+    openssl rsa -pubout -in "${SA_KEY}" -out "${SA_PUB}"
+fi
diff --git a/tools/openssl-client.cnf b/tools/openssl-client.cnf
@@ -0,0 +1,8 @@
+[req]
+req_extensions = v3_req
+distinguished_name = req_distinguished_name
+[req_distinguished_name]
+[ v3_req ]
+basicConstraints = CA:FALSE
+keyUsage = nonRepudiation, digitalSignature, keyEncipherment
+extendedKeyUsage = clientAuth
diff --git a/tools/openssl-server-client.cnf b/tools/openssl-server-client.cnf
@@ -0,0 +1,11 @@
+[req]
+req_extensions = v3_req
+distinguished_name = req_distinguished_name
+[req_distinguished_name]
+[ v3_req ]
+basicConstraints = CA:FALSE
+keyUsage         = nonRepudiation, digitalSignature, keyEncipherment
+extendedKeyUsage = clientAuth, serverAuth
+subjectAltName = @alt_names
+[alt_names]
+IP.1 = $ENV::NODE_IP