Created
April 5, 2017 17:47
Generate tiller certs
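#!/usr/bin/env bash
# Copyright 2016 The Kubernetes Authors All rights reserved.
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.

# Generates a CA, a server certificate and a client certificate for Tiller TLS
# and copies ca.pem, key.pem and cert.pem into the helm home directory.
#
# Environment:
#   HELM_HOME  helm home directory (default: output of `helm home`)
#   DOMAIN     name used for the server CN and DNS subjectAltName
#              (default: localhost)
#
# Notes for whoever runs this:
#   - The CA key is AES-256 encrypted, so openssl asks for a passphrase; the
#     server and client keys are written unencrypted.
#   - The CA key, server-key.pem and server-cert.pem stay in the work
#     directory, which is deleted on exit. Nothing more can be signed by this
#     CA afterwards.
#     NOTE(review): confirm how Tiller is meant to receive its server
#     certificate, since only the CA and client material is kept.
#   - All certificates are valid for 365 days.

# Bash 'Strict Mode'
# http://redsymbol.net/articles/unofficial-bash-strict-mode
set -euo pipefail
IFS=$'\n\t'

# Private keys are created below; keep every new file owner-only.
umask 077

HELM_HOME="${HELM_HOME:-$(helm home)}"
DOMAIN="${DOMAIN:-localhost}"

# An empty HELM_HOME would turn the work directory into a path under "/".
: "${HELM_HOME:?HELM_HOME is empty; set it or check that 'helm home' works}"

# DOMAIN is written into the certificate subject and into an OpenSSL extension
# file, so reject characters that would add fields or extra config lines.
if [[ -z "${DOMAIN}" || "${DOMAIN}" == *[[:space:],/]* ]]; then
  printf 'invalid DOMAIN: %q\n' "${DOMAIN}" >&2
  exit 1
fi

# Set before the trap so cleanup never sees an unset variable under `set -u`.
TMP=""

# Remove the work directory (and the key material in it) on any exit path.
cleanup() {
  if [[ -n "${TMP}" && -d "${TMP}" ]]; then
    rm -rf -- "${TMP}"
  fi
}
trap cleanup EXIT

# Use a fresh, unpredictable directory instead of a fixed "${HELM_HOME}/tmp",
# so cleanup cannot delete a directory this script did not create.
mkdir -p -- "${HELM_HOME}"
TMP="$(mktemp -d "${HELM_HOME}/tmp.XXXXXX")"

pushd "${TMP}" > /dev/null

printf '%s\n' "Generating CA private and public keys"
openssl genrsa -aes256 -out ca-key.pem 4096
openssl req -new -x509 -days 365 -key ca-key.pem -sha256 -out ca.pem

# printf is used because bash's echo prints "\n" literally.
printf '\n%s\n' "Creating server key and certificate signing request (CSR)"
openssl genrsa -out server-key.pem 4096
openssl req -subj "/CN=${DOMAIN}" -sha256 -new -key server-key.pem -out server.csr
printf 'subjectAltName = DNS:%s,IP:127.0.0.1\n' "${DOMAIN}" > extfile.cnf
openssl x509 -req -days 365 -sha256 -in server.csr \
  -CA ca.pem -CAkey ca-key.pem -CAcreateserial \
  -out server-cert.pem -extfile extfile.cnf

printf '\n%s\n' "Creating client key and certificate signing request (CSR)"
openssl genrsa -out key.pem 4096
openssl req -subj '/CN=client' -new -key key.pem -out client.csr
# The client certificate is limited to TLS client authentication.
printf 'extendedKeyUsage = clientAuth\n' > extfile.cnf
openssl x509 -req -days 365 -sha256 -in client.csr \
  -CA ca.pem -CAkey ca-key.pem -CAcreateserial \
  -out cert.pem -extfile extfile.cnf

printf '\n%s\n' "Copying CA, key, and cert to helm home"
cp -v -- ca.pem key.pem cert.pem "${HELM_HOME}/"
# cp keeps the mode of a file that already existed; force owner-only on the key.
chmod 600 -- "${HELM_HOME}/key.pem"

popd > /dev/null

cat <<'EOF'
To initialize tiller using tls:
helm init --tiller-tls-verify
Test the connection after the pod is running:
helm version --tls-verify
EOF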