github-mirrors/imagepullsecret-injector
1
0
Fork 0
mirror of https://github.com/ysoftdevs/imagepullsecret-injector.git synced 2026-01-15 16:23:45 +01:00
Code Issues Packages Projects Releases 10 Wiki Activity
Files
da0fc5b1889d4b51154ab23928ae731d7ea7c99f
imagepullsecret-injector/helm/imagepullsecret-injector/scripts/create-signed-cert.sh
Martin Šalata da0fc5b188 Initial commit
2021-04-02 21:53:17 +02:00

138 lines
3.9 KiB
Bash
Raw Blame History

#!/bin/bash
set -e
usage() {
cat <<EOF
Generate certificate suitable for use with an imagepullsecret-injector webhook service.
This script uses k8s' CertificateSigningRequest API to a generate a
certificate signed by k8s CA suitable for use with imagepullsecret-injector webhook
services. This requires permissions to create and approve CSR. See
https://kubernetes.io/docs/tasks/tls/managing-tls-in-a-cluster for
detailed explanation and additional instructions.
The server key/cert k8s CA cert are stored in a k8s secret.
usage: ${0} [OPTIONS]
The following flags are required.
--service Service name of webhook.
--namespace Namespace where webhook service and secret reside.
--secret Secret name for CA certificate and server certificate/key pair.
EOF
exit 1
}
while [[ $# -gt 0 ]]; do
case ${1} in
--service)
service="$2"
shift
;;
--secret)
secret="$2"
shift
;;
--namespace)
namespace="$2"
shift
;;
*)
usage
;;
esac
shift
done
[ -z "${service}" ] && service=ips-injector-svc
[ -z "${secret}" ] && secret=imagepullsecret-injector-webhook-certs
[ -z "${namespace}" ] && namespace=imagepullsecret-injector
if [ ! -x "$(command -v openssl)" ]; then
echo "openssl not found"
exit 1
fi
csrName=${service}.${namespace}
tmpdir=$(mktemp -d)
echo "Creating certs in tmpdir ${tmpdir}"
cat <<EOF >> "${tmpdir}"/csr.conf
[req]
req_extensions = v3_req
distinguished_name = req_distinguished_name
[req_distinguished_name]
[ v3_req ]
basicConstraints = CA:FALSE
keyUsage = nonRepudiation, digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
subjectAltName = @alt_names
[alt_names]
DNS.1 = ${service}
DNS.2 = ${service}.${namespace}
DNS.3 = ${service}.${namespace}.svc
EOF
openssl genrsa -out "${tmpdir}"/server-key.pem 2048
openssl req -new -key "${tmpdir}"/server-key.pem -subj "/O=system:nodes/CN=system:node:${service}.${namespace}.svc" -out "${tmpdir}"/server.csr -config "${tmpdir}"/csr.conf
# clean-up any previously created CSR for our service. Ignore errors if not present.
echo "Deleting old CertificateSigningRequests"
kubectl delete csr ${csrName} 2>/dev/null || true
echo "Creating new CertificateSigningRequests"
# create server cert/key CSR and send to k8s API
cat <<EOF | kubectl create -f -
apiVersion: certificates.k8s.io/v1
kind: CertificateSigningRequest
metadata:
name: ${csrName}
spec:
signerName: kubernetes.io/kubelet-serving
groups:
- system:authenticated
request: $(< "${tmpdir}"/server.csr base64 | tr -d '\n')
usages:
- digital signature
- key encipherment
- server auth
EOF
# verify CSR has been created
while true; do
if kubectl get csr ${csrName}; then
break
else
sleep 1
fi
done
echo "Approving CertificateSigningRequests"
# approve and fetch the signed certificate
kubectl certificate approve ${csrName}
echo "Fetching certificate from approved CertificateSigningRequests"
# verify certificate has been signed
for _ in $(seq 10); do
serverCert=$(kubectl get csr ${csrName} -o jsonpath='{.status.certificate}')
if [[ ${serverCert} != '' ]]; then
break
fi
sleep 1
done
if [[ ${serverCert} == '' ]]; then
echo "ERROR: After approving csr ${csrName}, the signed certificate did not appear on the resource. Giving up after 10 attempts." >&2
exit 1
fi
echo "${serverCert}" | openssl base64 -d -A -out "${tmpdir}"/server-cert.pem
echo "Creating secret $secret based on the retrieved certificate"
# create the secret with CA cert and server cert/key
kubectl create secret generic ${secret} \
--from-file=key.pem="${tmpdir}"/server-key.pem \
--from-file=cert.pem="${tmpdir}"/server-cert.pem \
--dry-run=client -o yaml |
kubectl -n ${namespace} apply -f -
Reference in New Issue View Git Blame Copy Permalink