
@ericchiang
Created April 24, 2018 18:17
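#!/bin/bash
#
# Generate an etcd CA plus client, peer and server certificates with cfssl,
# writing PEM files into ./assets (relative to the current directory).
#
# Environment:
#   HOSTS  whitespace-separated hostnames/IPs; one peer and one server
#          certificate is issued per entry (default: three loopback addresses)
# Requires: cfssl, jq

# Options given on the shebang line are dropped when the script is started as
# `bash script.sh`, so enable errexit here. Without it a failed cfssl call
# would not stop the run and later steps would work on empty output.
set -e

# NOTE: this wipes any previous output, including an existing CA key.
# Certificates issued by the old CA will not validate against the new one.
rm -rf -- assets
mkdir assets

HOSTS=${HOSTS:-"127.0.0.1 127.0.0.2 127.0.0.3"}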
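# Split a JSON bundle into PEM files written next to it.
#
# Arguments: $1 - path to a JSON file with "cert" and "key" string fields
# Outputs:   <dir>/<name>.crt and <dir>/<name>.key, where <name> is the input
#            file name without its last extension
# Returns:   non-zero if jq fails or either field is missing or null
function unpack {
  local src=$1
  local dir name
  dir="$(dirname -- "$src")" || return
  name="$(basename -- "$src")" || return
  name="${name%.*}"

  # -e makes jq exit non-zero on a null result, so a bundle without the field
  # fails here instead of leaving a file that contains the word "null".
  jq -er '.cert' < "$src" > "$dir/$name.crt" || return

  # The private key must not be readable by other local users. Create it
  # under a restrictive umask (the subshell keeps the umask change local),
  # then chmod in case the file already existed with wider permissions.
  ( umask 077 && jq -er '.key' < "$src" > "$dir/$name.key" ) || return
  chmod 600 -- "$dir/$name.key"
}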
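# cfssl's JSON output embeds the private key (unpack extracts it from the
# "key" field), so create everything from here on owner-only. Certificates
# end up owner-only as well; widen them explicitly if they must be shared.
umask 077

# The intermediate JSON bundles hold private keys, including the CA's. Remove
# them on every exit path, not only after a fully successful run.
trap 'rm -f assets/*.json' EXIT

# Signing policy. 43800h is 1825 days (about five years) for every profile;
# nothing in this script renews or revokes certificates, so plan rotation
# separately. The peer profile carries both server and client auth usages.
cat > assets/ca-config.json <<'EOF'
{
  "signing": {
    "default": {
      "expiry": "43800h"
    },
    "profiles": {
      "server": {
        "expiry": "43800h",
        "usages": ["signing", "key encipherment", "server auth"]
      },
      "client": {
        "expiry": "43800h",
        "usages": ["signing", "key encipherment", "client auth"]
      },
      "peer": {
        "expiry": "43800h",
        "usages": ["signing", "key encipherment", "server auth", "client auth"]
      }
    }
  }
}
EOF

# Certificate requests: ECDSA with a 256-bit key for the CA and every leaf.
printf '%s\n' '{"CN":"etcd-ca","key":{"algo":"ecdsa","size":256}}' > assets/etcd-ca-csr.json
printf '%s\n' '{"CN":"etcd-client","key":{"algo":"ecdsa","size":256}}' > assets/etcd-client-csr.json
printf '%s\n' '{"CN":"etcd-member","key":{"algo":"ecdsa","size":256}}' > assets/etcd-peer-csr.json
printf '%s\n' '{"CN":"etcd-server","key":{"algo":"ecdsa","size":256}}' > assets/etcd-server-csr.json

# Self-signed CA -> assets/ca.crt and assets/ca.key.
cfssl gencert -initca assets/etcd-ca-csr.json > assets/ca.json
unpack assets/ca.json

# One client certificate, issued without a -hostname value.
cfssl gencert -ca=assets/ca.crt -ca-key=assets/ca.key -config=assets/ca-config.json \
  -profile=client assets/etcd-client-csr.json > assets/etcd-client.json
unpack assets/etcd-client.json

# Split HOSTS on whitespace into an array. Unlike an unquoted expansion this
# does not glob-expand entries such as "*". read returns non-zero at end of
# input, which is expected here.
read -r -d '' -a host_list <<< "$HOSTS" || true

# Per host: one peer and one server certificate, each valid only for that
# single hostname/IP. Output files are numbered by position in HOSTS.
I=0
for HOST in "${host_list[@]}"; do
  cfssl gencert -ca=assets/ca.crt -ca-key=assets/ca.key -config=assets/ca-config.json \
    -profile=peer -hostname="$HOST" assets/etcd-peer-csr.json > "assets/etcd-$I-peer.json"
  cfssl gencert -ca=assets/ca.crt -ca-key=assets/ca.key -config=assets/ca-config.json \
    -profile=server -hostname="$HOST" assets/etcd-server-csr.json > "assets/etcd-$I-server.json"
  unpack "assets/etcd-$I-peer.json"
  unpack "assets/etcd-$I-server.json"
  I=$((I+1))
done

# Drop the config, CSR and bundle JSON files; only .crt and .key files remain.
# assets/ca.key stays on disk and can sign new certificates for this cluster,
# so store it away from the etcd hosts once issuance is done.
rm -f assets/*.json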