132 lines
3.9 KiB
YAML
132 lines
3.9 KiB
YAML
#cloud-config
|
|
write_files:
|
|
- path: /etc/systemd/system/make-cert.service
|
|
owner: "root:root"
|
|
permissions: "0644"
|
|
content: |
|
|
[Unit]
|
|
Description=Make TLS certificates
|
|
|
|
[Service]
|
|
Type=oneshot
|
|
EnvironmentFile=/etc/sysconfig/heat-params
|
|
ExecStart=/etc/sysconfig/make-cert.sh
|
|
|
|
[Install]
|
|
WantedBy=multi-user.target
|
|
|
|
- path: /etc/sysconfig/make-cert.sh
|
|
owner: "root:root"
|
|
permissions: "0755"
|
|
content: |
|
|
#!/bin/bash
|
|
|
|
# Parse the JSON response that contains the TLS certificate, and print
|
|
# out the certificate content.
|
|
function parse_json_response {
|
|
json_response=$1
|
|
# {..,"pem": "ABCD",..} -> ABCD
|
|
key=$(echo "$json_response" | sed 's/^.*"pem": "\([^"]*\)".*$/\1/')
|
|
# decode newline characters
|
|
key=$(echo "$key" | sed 's/\\n/\n/g')
|
|
echo "$key"
|
|
}
|
|
|
|
. /etc/sysconfig/heat-params
|
|
|
|
set -o errexit
|
|
set -o nounset
|
|
set -o pipefail
|
|
|
|
if [ "$TLS_DISABLED" == "True" ]; then
|
|
exit 0
|
|
fi
|
|
|
|
cert_conf_dir=${KUBE_CERTS_PATH}/conf
|
|
|
|
mkdir -p ${cert_conf_dir}
|
|
|
|
CA_CERT=${KUBE_CERTS_PATH}/ca.pem
|
|
CLIENT_CERT=${KUBE_CERTS_PATH}/worker.pem
|
|
CLIENT_CSR=${KUBE_CERTS_PATH}/worker.csr
|
|
CLIENT_KEY=${KUBE_CERTS_PATH}/worker-key.pem
|
|
|
|
#Get a token by user credentials and trust
|
|
cat > auth.json << EOF
|
|
{
|
|
"auth": {
|
|
"identity": {
|
|
"methods": [
|
|
"password"
|
|
],
|
|
"password": {
|
|
"user": {
|
|
"id": "$TRUSTEE_USER_ID",
|
|
"password": "$TRUSTEE_PASSWORD"
|
|
}
|
|
}
|
|
},
|
|
"scope": {
|
|
"OS-TRUST:trust": {
|
|
"id": "$TRUST_ID"
|
|
}
|
|
}
|
|
}
|
|
}
|
|
EOF
|
|
|
|
#trust is introduced in Keystone v3 version
|
|
AUTH_URL=${AUTH_URL/v2.0/v3}
|
|
USER_TOKEN=`curl -k -s -i -X POST -H "Content-Type: application/json" -d @auth.json \
|
|
$AUTH_URL/auth/tokens | grep X-Subject-Token | awk '{print $2}' | tr -d '\r'`
|
|
|
|
rm -rf auth.json
|
|
|
|
ca_cert_json=$(curl -k -X GET \
|
|
-H "X-Auth-Token: $USER_TOKEN" \
|
|
-H "OpenStack-API-Version: container-infra latest" \
|
|
$MAGNUM_URL/certificates/$CLUSTER_UUID)
|
|
parse_json_response "${ca_cert_json}" > ${CA_CERT}
|
|
|
|
# Create config for client's csr
|
|
cat > ${cert_conf_dir}/worker-openssl.conf <<EOF
|
|
[req]
|
|
distinguished_name = req_distinguished_name
|
|
req_extensions = req_ext
|
|
prompt = no
|
|
[req_distinguished_name]
|
|
CN = kubernetes.invalid
|
|
[req_ext]
|
|
keyUsage=critical,digitalSignature,keyEncipherment
|
|
extendedKeyUsage=clientAuth
|
|
subjectAltName=dirName:kubelet,dirName:kubeproxy
|
|
[kubelet]
|
|
CN=kubelet
|
|
[kubeproxy]
|
|
CN=kube-proxy
|
|
EOF
|
|
|
|
# Generate client's private key and csr
|
|
openssl genrsa -out "${CLIENT_KEY}" 4096
|
|
chmod 400 "${CLIENT_KEY}"
|
|
openssl req -new -days 1000 \
|
|
-key "${CLIENT_KEY}" \
|
|
-out "${CLIENT_CSR}" \
|
|
-reqexts req_ext \
|
|
-config "${cert_conf_dir}/worker-openssl.conf"
|
|
|
|
# encode newline (\n) characters
|
|
csr=$(cat $CLIENT_CSR | sed -e ':a' -e 'N' -e '$!ba' -e 's/\n/\\n/g')
|
|
csr_req="{\"cluster_uuid\": \"$CLUSTER_UUID\", \"csr\": \"$csr\"}"
|
|
# Send csr to Magnum to have it signed
|
|
client_cert_json=$(curl -k -X POST \
|
|
-H "X-Auth-Token: $USER_TOKEN" \
|
|
-H "OpenStack-API-Version: container-infra latest" \
|
|
-H "Content-Type: application/json" \
|
|
-d "$csr_req" \
|
|
$MAGNUM_URL/certificates)
|
|
parse_json_response "${client_cert_json}" > ${CLIENT_CERT}
|
|
|
|
chmod 600 ${KUBE_CERTS_PATH}/*-key.pem
|
|
chown root:root ${KUBE_CERTS_PATH}/*-key.pem
|