Skip to content
Projects
Groups
Snippets
Help
This project
Loading...
Sign in / Register
Toggle navigation
K
k3s
Project
Project
Details
Activity
Cycle Analytics
Repository
Repository
Files
Commits
Branches
Tags
Contributors
Graph
Compare
Charts
Issues
0
Issues
0
List
Board
Labels
Milestones
Merge Requests
0
Merge Requests
0
CI / CD
CI / CD
Pipelines
Jobs
Schedules
Charts
Registry
Registry
Wiki
Wiki
Snippets
Snippets
Members
Members
Collapse sidebar
Close sidebar
Activity
Graph
Charts
Create a new issue
Jobs
Commits
Issue Boards
Open sidebar
Jacklull
k3s
Commits
bcb8d8b8
Commit
bcb8d8b8
authored
Dec 09, 2016
by
deads2k
Browse files
Options
Browse Files
Download
Email Patches
Plain Diff
extra discovery start and cert generation
parent
59c31373
Expand all
Hide whitespace changes
Inline
Side-by-side
Showing
2 changed files
with
134 additions
and
1 deletion
+134
-1
util.sh
hack/lib/util.sh
+134
-1
local-up-cluster.sh
hack/local-up-cluster.sh
+0
-0
No files found.
hack/lib/util.sh
View file @
bcb8d8b8
...
...
@@ -32,7 +32,7 @@ kube::util::wait_for_url() {
local
i
for
i
in
$(
seq
1
$times
)
;
do
local
out
if
out
=
$(
curl
-gkfs
$url
2>/dev/null
)
;
then
if
out
=
$(
curl
-
-max-time
1
-
gkfs
$url
2>/dev/null
)
;
then
kube::log::status
"On try
${
i
}
,
${
prefix
}
:
${
out
}
"
return
0
fi
...
...
@@ -443,4 +443,137 @@ kube::util::download_file() {
return
1
}
# Test whether cfssl and cfssljson are installed.
# Sets:
# CFSSL_BIN: The path of the installed cfssl binary
# CFSSLJSON_BIN: The path of the installed cfssljson binary
function
kube::util::test_cfssl_installed
{
if
!
command
-v
cfssl &>/dev/null
||
!
command
-v
cfssljson &>/dev/null
;
then
echo
"Failed to successfully run 'cfssl', please verify that cfssl and cfssljson are in
\$
PATH."
echo
"Hint: export PATH=
\$
PATH:
\$
GOPATH/bin; go get -u github.com/cloudflare/cfssl/cmd/..."
exit
1
fi
CFSSL_BIN
=
$(
command
-v
cfssl
)
CFSSLJSON_BIN
=
$(
command
-v
cfssljson
)
}
# Test whether openssl is installed.
# Sets:
# OPENSSL_BIN: The path to the openssl binary to use
function
test_openssl_installed
{
openssl version
>
& /dev/null
if
[
"
$?
"
!=
"0"
]
;
then
echo
"Failed to run openssl. Please ensure openssl is installed"
exit
1
fi
OPENSSL_BIN
=
$(
command
-v
openssl
)
}
# creates a client CA, args are sudo, dest-dir, ca-id, purpose
# purpose is dropped in after "key encipherment", you usually want
# '"client auth"'
# '"server auth"'
# '"client auth","server auth"'
function
kube::util::create_signing_certkey
{
local sudo
=
$1
local
dest_dir
=
$2
local id
=
$3
local
purpose
=
$4
# Create client ca
${
sudo
}
/bin/bash
-e
<<
EOF
rm -f "
${
dest_dir
}
/
${
id
}
-ca.crt" "
${
dest_dir
}
/
${
id
}
-ca.key"
${
OPENSSL_BIN
}
req -x509 -sha256 -new -nodes -days 365 -newkey rsa:2048 -keyout "
${
dest_dir
}
/
${
id
}
-ca.key" -out "
${
dest_dir
}
/
${
id
}
-ca.crt" -subj "/C=xx/ST=x/L=x/O=x/OU=x/CN=ca/emailAddress=x/"
echo '{"signing":{"default":{"expiry":"43800h","usages":["signing","key encipherment",
${
purpose
}
]}}}' > "
${
dest_dir
}
/
${
id
}
-ca-config.json"
EOF
}
# signs a client certificate: args are sudo, dest-dir, CA, filename (roughly), username, groups...
function
kube::util::create_client_certkey
{
local sudo
=
$1
local
dest_dir
=
$2
local
ca
=
$3
local id
=
$4
local
cn
=
${
5
:-
$4
}
local groups
=
""
local
SEP
=
""
shift
5
while
[
-n
"
${
1
:-}
"
]
;
do
groups
+
=
"
${
SEP
}
{
\"
O
\"
:
\"
$1
\"
}"
SEP
=
","
shift
1
done
${
sudo
}
/bin/bash
-e
<<
EOF
cd
${
dest_dir
}
echo '{"CN":"
${
cn
}
","names":[
${
groups
}
],"hosts":[""],"key":{"algo":"rsa","size":2048}}' |
${
CFSSL_BIN
}
gencert -ca=
${
ca
}
.crt -ca-key=
${
ca
}
.key -config=
${
ca
}
-config.json - |
${
CFSSLJSON_BIN
}
-bare client-
${
id
}
mv "client-
${
id
}
-key.pem" "client-
${
id
}
.key"
mv "client-
${
id
}
.pem" "client-
${
id
}
.crt"
rm -f "client-
${
id
}
.csr"
EOF
}
# signs a serving certificate: args are sudo, dest-dir, ca, filename (roughly), subject, hosts...
function
kube::util::create_serving_certkey
{
local sudo
=
$1
local
dest_dir
=
$2
local
ca
=
$3
local id
=
$4
local
cn
=
${
5
:-
$4
}
local
hosts
=
""
local
SEP
=
""
shift
5
while
[
-n
"
${
1
:-}
"
]
;
do
hosts+
=
"
${
SEP
}
\"
$1
\"
"
SEP
=
","
shift
1
done
${
sudo
}
/bin/bash
-e
<<
EOF
cd
${
dest_dir
}
echo '{"CN":"
${
cn
}
","hosts":[
${
hosts
}
],"key":{"algo":"rsa","size":2048}}' |
${
CFSSL_BIN
}
gencert -ca=
${
ca
}
.crt -ca-key=
${
ca
}
.key -config=
${
ca
}
-config.json - |
${
CFSSLJSON_BIN
}
-bare serving-
${
id
}
mv "serving-
${
id
}
-key.pem" "serving-
${
id
}
.key"
mv "serving-
${
id
}
.pem" "serving-
${
id
}
.crt"
rm -f "serving-
${
id
}
.csr"
EOF
}
# creates a self-contained kubeconfig: args are sudo, dest-dir, ca file, host, port, client id, token(optional)
function
kube::util::write_client_kubeconfig
{
local sudo
=
$1
local
dest_dir
=
$2
local
ca_file
=
$3
local
api_host
=
$4
local
api_port
=
$5
local
client_id
=
$6
local
token
=
${
7
:-}
cat
<<
EOF
|
${
sudo
}
tee "
${
dest_dir
}
"/
${
client_id
}
.kubeconfig > /dev/null
apiVersion: v1
kind: Config
clusters:
- cluster:
certificate-authority:
${
ca_file
}
server: https://
${
api_host
}
:
${
api_port
}
/
name: local-up-cluster
users:
- user:
token:
${
token
}
client-certificate:
${
dest_dir
}
/client-
${
client_id
}
.crt
client-key:
${
dest_dir
}
/client-
${
client_id
}
.key
name: local-up-cluster
contexts:
- context:
cluster: local-up-cluster
user: local-up-cluster
name: local-up-cluster
current-context: local-up-cluster
EOF
# flatten the kubeconfig files to make them self contained
username
=
$(
whoami
)
${
sudo
}
/bin/bash
-e
<<
EOF
${
GO_OUT
}
/kubectl --kubeconfig="
${
dest_dir
}
/
${
client_id
}
.kubeconfig" config view --minify --flatten > "/tmp/
${
client_id
}
.kubeconfig"
mv -f "/tmp/
${
client_id
}
.kubeconfig" "
${
dest_dir
}
/
${
client_id
}
.kubeconfig"
chown
${
username
}
"
${
dest_dir
}
/
${
client_id
}
.kubeconfig"
EOF
}
# ex: ts=2 sw=2 et filetype=sh
hack/local-up-cluster.sh
View file @
bcb8d8b8
This diff is collapsed.
Click to expand it.
Write
Preview
Markdown
is supported
0%
Try again
or
attach a new file
Attach a file
Cancel
You are about to add
0
people
to the discussion. Proceed with caution.
Finish editing this message first!
Cancel
Please
register
or
sign in
to comment