kubernetes the hard way on aws: so many certs
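#!/bin/bash
# Create the cluster CA that signs every other certificate in this gist.
#
# Inputs (environment, with defaults): country, state, city -> CSR subject fields.
# Outputs: ca/ca-config.json, ca/ca-csr.json, ca/ca.pem, ca/ca-key.pem, ca/ca.csr
#
# ca/ca-key.pem can mint a credential for any cluster identity (admin, every
# kubelet, ...). Keep this directory off shared hosts and out of version control.
set -euo pipefail

country=${country:=US}
state=${state:=Indiana}
city=${city:=Carmel}

# Defence in depth: nothing written below should be group/world-readable,
# whatever mode cfssljson chooses for the key file.
umask 077

mkdir -p ca

# Signing policy consumed by the later scripts via `cfssl gencert -config`.
# The single "kubernetes" profile allows both server auth and client auth, so a
# leaf signed with it is valid in either role; that mirrors "Kubernetes the hard
# way" but is broader than a per-role profile would be.
# Leaf certs expire after 8760h (365 days) - plan a rotation before then.
cat > ca/ca-config.json <<EOF
{
  "signing": {
    "default": {
      "expiry": "8760h"
    },
    "profiles": {
      "kubernetes": {
        "usages": ["signing", "key encipherment", "server auth", "client auth"],
        "expiry": "8760h"
      }
    }
  }
}
EOF

# Unquoted delimiter on purpose: the subject fields must be expanded by the
# shell. With <<"EOF" the CSR would literally contain "${country}" and friends.
cat > ca/ca-csr.json <<EOF
{
  "CN": "Kubernetes",
  "key": {
    "algo": "rsa",
    "size": 2048
  },
  "names": [
    {
      "C": "${country}",
      "L": "${city}",
      "O": "Kubernetes",
      "OU": "CA",
      "ST": "${state}"
    }
  ]
}
EOF

# Self-signed CA; cfssljson writes ca.pem / ca-key.pem / ca.csr next to the CSR.
cd ca || exit 1
cfssl gencert -initca ca-csr.json | cfssljson -bare ca
cd ..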
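#!/bin/bash
# Issue the "admin" client certificate, signed by the CA in ca/.
#
# Inputs (environment, with defaults): country, state, city -> CSR subject fields.
# Requires ca/ca.pem, ca/ca-key.pem and ca/ca-config.json (from the CA script).
# Outputs: admin/admin-csr.json, admin/admin.pem, admin/admin-key.pem, admin/admin.csr
#
# The API server reads group membership from the certificate's O field, and
# system:masters is the built-in superuser group. admin-key.pem is therefore a
# full-cluster credential with no revocation path short of rotating the CA
# (NOTE(review): kube-apiserver does not consult CRLs) - protect it like ca-key.pem.
set -euo pipefail

country=${country:=US}
state=${state:=Indiana}
city=${city:=Carmel}

# Keep the private key out of reach of other local users.
umask 077

mkdir -p admin

# Unquoted delimiter on purpose: $country/$city/$state must be expanded here.
# With <<"EOF" the CSR would literally contain "$country".
cat > admin/admin-csr.json <<EOF
{
  "CN": "admin",
  "key": {
    "algo": "rsa",
    "size": 2048
  },
  "names": [
    {
      "C": "${country}",
      "L": "${city}",
      "O": "system:masters",
      "OU": "kubernetes",
      "ST": "${state}"
    }
  ]
}
EOF

# Sign with the "kubernetes" profile (client auth is among its usages).
cd admin || exit 1
cfssl gencert \
  -ca=../ca/ca.pem \
  -ca-key=../ca/ca-key.pem \
  -config=../ca/ca-config.json \
  -profile=kubernetes \
  admin-csr.json | cfssljson -bare admin
cd ..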
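#!/bin/bash
# Issue one kubelet certificate per EC2 instance tagged Name=k8s-node in us-east-2.
#
# Inputs (environment, with defaults): country, state, city -> CSR subject fields.
# Requires ca/ca.pem, ca/ca-key.pem, ca/ca-config.json and working `aws` credentials.
# Outputs: kubelet/nodeN-csr.json, kubelet/nodeN.pem, kubelet/nodeN-key.pem, kubelet/nodeN.csr
#
# Node numbering follows the order describe-instances happens to return, so a
# re-run can hand a different N to the same instance - match nodeN to a host by
# the IPs in its SAN list, not by the index.
set -euo pipefail

country=${country:=US}
state=${state:=Indiana}
city=${city:=Carmel}

# Keep kubelet private keys out of reach of other local users.
umask 077

#######################################
# Generate the certificate for one node. Run from inside kubelet/ so the
# ../ca paths resolve.
# Arguments:
#   $1 - zero-based index; the node is named "nodeN"
#   $2 - public IP (added as a SAN; "None" or empty means the instance has none)
#   $3 - private IP (added as a SAN; same convention)
# CN system:node:<name> with O system:nodes is what the Node authorizer keys
# on; the name in the CN must match the name the kubelet registers with.
#######################################
gencert() {
  local node=$1
  local pub=$2
  local priv=$3
  local sans="node${node}"

  # Only add addresses that exist; an instance without a public IP arrives from
  # the text-mode query below as the literal string "None".
  if [[ -n "$pub" && "$pub" != None ]]; then
    sans+=",${pub}"
  fi
  if [[ -n "$priv" && "$priv" != None ]]; then
    sans+=",${priv}"
  fi

  # Unquoted delimiter on purpose: ${node}, $country, $city and $state must be
  # expanded here. With <<"EOF" the CN would literally be "system:node:node${node}".
  cat > "node${node}-csr.json" <<EOF
{
  "CN": "system:node:node${node}",
  "key": {
    "algo": "rsa",
    "size": 2048
  },
  "names": [
    {
      "C": "${country}",
      "L": "${city}",
      "O": "system:nodes",
      "OU": "kubernetes",
      "ST": "${state}"
    }
  ]
}
EOF

  cfssl gencert \
    -ca=../ca/ca.pem \
    -ca-key=../ca/ca-key.pem \
    -config=../ca/ca-config.json \
    -hostname="${sans}" \
    -profile=kubernetes \
    "node${node}-csr.json" | cfssljson -bare "node${node}"
}

mkdir -p kubelet

# Ask for a multiselect *list* so text output is positional: public then
# private. With the {public:, private:} hash form the text formatter emits
# the keys sorted alphabetically ("private" before "public"), which silently
# swaps the two fields - harmless while both only feed the SAN list, but
# confusing the moment they are used for anything else.
# Capture first so a failing aws call aborts under set -e instead of being
# swallowed by a pipeline into a subshell loop.
instances=$(aws ec2 describe-instances \
  --region us-east-2 \
  --filters 'Name=tag:Name,Values=k8s-node' \
  --query 'Reservations[].Instances[].[PublicIpAddress, PrivateIpAddress]' \
  --output text)

cd kubelet || exit 1
i=0
while read -r pub priv; do
  # Empty output (no matching instances) yields a single blank line.
  [[ -n "$pub" ]] || continue
  gencert "$i" "$pub" "$priv"
  i=$((i + 1))
done <<<"$instances"
cd ..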