v0.5

Author: iKubernetes

gencerts.sh

@@ -23,11 +23,13 @@ if [ "$1" == 'k8s' ]; then
     read -p "Enter Kubernetes Cluster Name [kubernetes]: " CLUSTER_NAME
     echo -n -e "Enter the IP Address in default namespace \n  of the Kubernetes API Server[10.96.0.1]: "
     read  APISERVER_CLUSTER_IP
+    read -p "Enter Master servers name[master01 master02 master03]: " MASTERS
 
     CLUSTER_NAME=${CLUSTER_NAME:-kubernetes}
     APISERVER_CLUSTER_IP=${APISERVER_CLUSTER_IP:-10.96.0.1}
+    MASTERS=${MASTERS:-"master01 master02 master03"}
 
-    export CLUSTER_NAME APISERVER_CLUSTER_IP
+    export CLUSTER_NAME APISERVER_CLUSTER_IP MASTERS
 
     bash ./k8s-certs-gen.sh kubernetes
 fi

k8s-certs-gen.sh

@@ -7,11 +7,11 @@ Usage: ./k8s-certs-gen.sh
 Set the following environment variables to run this script:
 
     BASE_DOMAIN     Base domain name of the cluster. For example if your API
-                    server is running on "my-cluster-k8s.example.com", the
-                    base domain is "example.com"
+                    server is running on "my-cluster-k8s.ilinux.io", the
+                    base domain is "ilinux.io"
 
     CLUSTER_NAME    Name of the cluster. If your API server is running on the
-                    domain "my-cluster-k8s.example.com", the name of the cluster
+                    domain "my-cluster-k8s.ilinux.io", the name of the cluster
                     is "my-cluster"
 
     APISERVER_CLUSTER_IP
@@ -20,6 +20,10 @@ Set the following environment variables to run this script:
 
     CA_CERT         Path to the pem encoded CA certificate of your cluster.
     CA_KEY          Path to the pem encoded CA key of your cluster.
+
+    MASTERS      Name list. If all of your master's name is 
+                    "master01.ilinux.io", "master02.ilinux.io" and "master03.ilinux.io",
+		    the list value is "master01 master02 master03". 
 EOF
     exit 1
 }
@@ -33,26 +37,30 @@ fi
 if [ -z $APISERVER_CLUSTER_IP ]; then
     usage
 fi
+if [ -z "$MASTERS" ]; then
+    usage
+fi
 
 export DIR="generated"
 if [ $# -eq 1 ]; then
     DIR="$1"
 fi
 
-export CERT_DIR=$DIR/pki
+export CERT_DIR=$DIR/CA
 mkdir -p $CERT_DIR
-PATCHES=$DIR/patches
-mkdir -p $PATCHES
-mkdir -p $DIR/auth
 
-if [ -z "$CA_CERT" -o -z "$CA_KEY" ]; then
+export CA_CERT="$CERT_DIR/ca.crt"
+export CA_KEY="$CERT_DIR/ca.key"
+if [ -f "$CA_CERT" -a -f "$CA_KEY" ]; then
+    echo "Using the CA: $CA_CERT and $CA_KEY"
+    read -p "pause" A
+else
+    echo "Generating CA key and self signed cert." 
     openssl genrsa -out $CERT_DIR/ca.key 4096
     openssl req -config openssl.conf \
         -new -x509 -days 3650 -sha256 \
         -key $CERT_DIR/ca.key -out $CERT_DIR/ca.crt \
 	-subj "/CN=k8s-ca"
-    export CA_KEY=$CERT_DIR/ca.key
-    export CA_CERT=$CERT_DIR/ca.crt
 fi
 
 # Configure expected OpenSSL CA configs.
@@ -77,95 +85,127 @@ function openssl_sign() {
         -cert ${1} -keyfile ${2}
 }
 
-# Generate CSRs for all components
-openssl_req $CERT_DIR apiserver "/CN=kube-apiserver/O=kube-master"
-openssl_req $CERT_DIR apiserver-kubelet-client "/CN=kube-apiserver-kubelet-client/O=system:masters"
-openssl_req $CERT_DIR kube-controller-manager "/CN=system:kube-controller-manager"
-openssl_req $CERT_DIR kube-scheduler "/CN=system:kube-scheduler"
-openssl_req $CERT_DIR kube-proxy "/CN=system:kube-proxy"
-openssl_req $CERT_DIR ingress-server "/CN=${CLUSTER_NAME}.${BASE_DOMAIN}"
-
-# Sign CSRs for all components
-openssl_sign $CA_CERT $CA_KEY $CERT_DIR apiserver apiserver_cert
-openssl_sign $CA_CERT $CA_KEY $CERT_DIR apiserver-kubelet-client client_cert
-openssl_sign $CA_CERT $CA_KEY $CERT_DIR kube-controller-manager client_cert
-openssl_sign $CA_CERT $CA_KEY $CERT_DIR kube-scheduler client_cert
-openssl_sign $CA_CERT $CA_KEY $CERT_DIR kube-proxy client_cert
-openssl_sign $CA_CERT $CA_KEY $CERT_DIR ingress-server server_cert
-
-
-# Add debug information to directories
-#for CERT in $CERT_DIR/*.crt; do
-#    openssl x509 -in $CERT -noout -text > "${CERT%.crt}.txt"
-#done
-
-# Use openssl for base64'ing instead of base64 which has different wrap behavior
-# between Linux and Mac.
-# https://stackoverflow.com/questions/46463027/base64-doesnt-have-w-option-in-mac 
-cat > $DIR/auth/admin.conf << EOF
+# If supplied, generate a new etcd CA and associated certs.
+if [ -n $FRONT_PROXY_CA_CERT ]; then
+    front_proxy_dir=${DIR}/front-proxy
+    if [ ! -d "$front_proxy_dir" ]; then
+	mkdir $front_proxy_dir
+    fi
+
+    openssl genrsa -out ${front_proxy_dir}/front-proxy-ca.key 2048
+    openssl req -config openssl.conf \
+        -new -x509 -days 3650 -sha256 \
+        -key ${front_proxy_dir}/front-proxy-ca.key \
+        -out ${front_proxy_dir}/front-proxy-ca.crt -subj "/CN=front-proxy-ca"
+    
+    openssl_req ${front_proxy_dir} front-proxy-client "/CN=front-proxy-client"
+    
+    openssl_sign ${front_proxy_dir}/front-proxy-ca.crt ${front_proxy_dir}/front-proxy-ca.key ${front_proxy_dir} front-proxy-client client_cert
+    rm -f ${front_proxy_dir}/*.csr
+fi
+
+# Generate and sihn CSRs for all components of masters
+for master in $MASTERS; do
+    master_dir="${DIR}/${master}"
+
+    if [ ! -d "${master_dir}" ]; then
+        mkdir -p ${master_dir}/{auth,pki}
+    fi
+    
+    export MASTER_NAME=${master}
+
+    openssl_req "${master_dir}/pki" apiserver "/CN=kube-apiserver"
+    openssl_req "${master_dir}/pki" kube-controller-manager "/CN=system:kube-controller-manager"
+    openssl_req "${master_dir}/pki" kube-scheduler "/CN=system:kube-scheduler"
+    openssl_req "${master_dir}/pki" apiserver-kubelet-client "/CN=kube-apiserver-kubelet-client/O=system:masters"
+
+    openssl_sign $CA_CERT $CA_KEY "${master_dir}/pki" apiserver apiserver_cert
+    openssl_sign $CA_CERT $CA_KEY "${master_dir}/pki" kube-controller-manager master_component_client_cert
+    openssl_sign $CA_CERT $CA_KEY "${master_dir}/pki" kube-scheduler master_component_client_cert
+    openssl_sign $CA_CERT $CA_KEY "${master_dir}/pki" apiserver-kubelet-client client_cert
+    rm -f ${master_dir}/pki/*.csr
+
+    echo "Copy CA key and cert file to ${master_dir}"
+    cp $CA_CERT $CA_KEY ${master_dir}/pki/
+
+    echo "Copy front-proxy CA key and cert file to ${master_dir}"
+    cp $front_proxy_dir/front-proxy* ${master_dir}/pki/
+
+    echo "Generating kubeconfig for kube-controller-manager"
+    cat > ${master_dir}/auth/controller-manager.conf << EOF
 apiVersion: v1
 kind: Config
 clusters:
 - name: ${CLUSTER_NAME}
   cluster:
-    server: https://${CLUSTER_NAME}-api.${BASE_DOMAIN}:6443
+    server: https://${master}.${BASE_DOMAIN}:6443
     certificate-authority-data: $( openssl base64 -A -in $CA_CERT ) 
 users:
-- name: k8s-admin
+- name: system:kube-controller-manager
   user:
-    client-certificate-data: $( openssl base64 -A -in $CERT_DIR/apiserver-kubelet-client.crt ) 
-    client-key-data: $( openssl base64 -A -in $CERT_DIR/apiserver-kubelet-client.key ) 
+    client-certificate-data: $( openssl base64 -A -in ${master_dir}/pki/kube-controller-manager.crt ) 
+    client-key-data: $( openssl base64 -A -in ${master_dir}/pki/kube-controller-manager.key ) 
 contexts:
 - context:
     cluster: ${CLUSTER_NAME}
-    user: k8s-admin
-  name: k8s-admin@${CLUSTER_NAME}
-current-context: k8s-admin@${CLUSTER_NAME}
+    user: system:kube-controller-manager
+  name: system:kube-controller-manager@${CLUSTER_NAME}
+current-context: system:kube-controller-manager@${CLUSTER_NAME}
 EOF
 
-cat > $DIR/auth/controller-manager.conf << EOF
+    echo "Generating kubeconfig for kube-scheduler"
+    cat > ${master_dir}/auth/scheduler.conf << EOF
 apiVersion: v1
 kind: Config
 clusters:
 - name: ${CLUSTER_NAME}
   cluster:
-    server: https://${CLUSTER_NAME}-api.${BASE_DOMAIN}:6443
+    server: https://${master}.${BASE_DOMAIN}:6443
     certificate-authority-data: $( openssl base64 -A -in $CA_CERT ) 
 users:
-- name: system:kube-controller-manager
+- name: system:kube-scheduler
   user:
-    client-certificate-data: $( openssl base64 -A -in $CERT_DIR/kube-controller-manager.crt ) 
-    client-key-data: $( openssl base64 -A -in $CERT_DIR/kube-controller-manager.key ) 
+    client-certificate-data: $( openssl base64 -A -in ${master_dir}/pki/kube-scheduler.crt ) 
+    client-key-data: $( openssl base64 -A -in ${master_dir}/pki/kube-scheduler.key ) 
 contexts:
 - context:
     cluster: ${CLUSTER_NAME}
-    user: system:kube-controller-manager
-  name: system:kube-controller-manager@${CLUSTER_NAME}
-current-context: system:kube-controller-manager@${CLUSTER_NAME}
+    user: system:kube-scheduler
+  name: system:kube-scheduler@${CLUSTER_NAME}
+current-context: system:kube-scheduler@${CLUSTER_NAME}
 EOF
 
-cat > $DIR/auth/scheduler.conf << EOF
+    echo "Generating kubeconfig for Cluster Admin"
+    cat > ${master_dir}/auth/admin.conf << EOF
 apiVersion: v1
 kind: Config
 clusters:
 - name: ${CLUSTER_NAME}
   cluster:
-    server: https://${CLUSTER_NAME}-api.${BASE_DOMAIN}:6443
+    server: https://${master}.${BASE_DOMAIN}:6443
     certificate-authority-data: $( openssl base64 -A -in $CA_CERT ) 
 users:
-- name: system:kube-scheduler
+- name: k8s-admin
   user:
-    client-certificate-data: $( openssl base64 -A -in $CERT_DIR/kube-scheduler.crt ) 
-    client-key-data: $( openssl base64 -A -in $CERT_DIR/kube-scheduler.key ) 
+    client-certificate-data: $( openssl base64 -A -in ${master_dir}/pki/apiserver-kubelet-client.crt ) 
+    client-key-data: $( openssl base64 -A -in ${master_dir}/pki/apiserver-kubelet-client.key ) 
 contexts:
 - context:
     cluster: ${CLUSTER_NAME}
-    user: system:kube-scheduler
-  name: system:kube-scheduler@${CLUSTER_NAME}
-current-context: system:kube-scheduler@${CLUSTER_NAME}
+    user: k8s-admin
+  name: k8s-admin@${CLUSTER_NAME}
+current-context: k8s-admin@${CLUSTER_NAME}
 EOF
+done
+
+# Generate key and cert for kubelet
+kubelet_dir=${DIR}/kubelet
+mkdir -p ${kubelet_dir}/{pki,auth}
+
+openssl_req ${kubelet_dir}/pki kube-proxy "/CN=system:kube-proxy"
+openssl_sign $CA_CERT $CA_KEY ${kubelet_dir}/pki kube-proxy client_cert
 
-cat > $DIR/auth/kube-proxy.conf << EOF
+cat > ${kubelet_dir}/auth/kube-proxy.conf << EOF
 apiVersion: v1
 kind: Config
 clusters:
@@ -176,8 +216,8 @@ clusters:
 users:
 - name: system:kube-proxy
   user:
-    client-certificate-data: $( openssl base64 -A -in $CERT_DIR/kube-proxy.crt ) 
-    client-key-data: $( openssl base64 -A -in $CERT_DIR/kube-proxy.key ) 
+    client-certificate-data: $( openssl base64 -A -in ${kubelet_dir}/pki/kube-proxy.crt ) 
+    client-key-data: $( openssl base64 -A -in ${kubelet_dir}/pki/kube-proxy.key ) 
 contexts:
 - context:
     cluster: ${CLUSTER_NAME}
@@ -186,51 +226,28 @@ contexts:
 current-context: system:kube-proxy@${CLUSTER_NAME}
 EOF
 
+# Generate key and cert for ingress
+ingress_dir=${DIR}/ingress
+mkdir -p ${DIR}/ingress/patches
+
+openssl_req ${ingress_dir} ingress-server "/CN=${CLUSTER_NAME}.${BASE_DOMAIN}"
+openssl_sign $CA_CERT $CA_KEY ${ingress_dir} ingress-server server_cert
+rm -f ${ingress_dir}/*.csr
 
 # Generate secret patches. We include the metadata here so
 # `kubectl patch -f ( file ) -p $( cat ( file ) )` works.
-cat > $PATCHES/ingress-tls.patch << EOF
-apiVersion: v1
-kind: Secret
-metadata:
-  name: tectonic-ingress-tls-secret
-  namespace: tectonic-system
-data:
-  tls.crt: $( openssl base64 -A -in ${CERT_DIR}/ingress-server.crt )
-  tls.key: $( openssl base64 -A -in ${CERT_DIR}/ingress-server.key )
-EOF
-
-cat > $PATCHES/kube-apiserver-secret.patch << EOF
+cat > ${ingress_dir}/patches/ingress-tls.patch << EOF
 apiVersion: v1
 kind: Secret
 metadata:
-  name: kube-apiserver
+  name: ingress-tls-secret
   namespace: kube-system
 data:
-  apiserver.crt: $( openssl base64 -A -in ${CERT_DIR}/apiserver.crt )
-  apiserver.key: $( openssl base64 -A -in ${CERT_DIR}/apiserver.key )
+  tls.crt: $( openssl base64 -A -in ${ingress_dir}/ingress-server.crt )
+  tls.key: $( openssl base64 -A -in ${ingress_dir}/ingress-server.key )
 EOF
 
-# If supplied, generate a new etcd CA and associated certs.
-if [ -n $FRONT_PROXY_CA_CERT ]; then
-    openssl genrsa -out $CERT_DIR/front-proxy-ca.key 2048
-    openssl req -config openssl.conf \
-        -new -x509 -days 3650 -sha256 \
-        -key $CERT_DIR/front-proxy-ca.key \
-        -out $CERT_DIR/front-proxy-ca.crt -subj "/CN=front-proxy-ca"
-    
-    openssl_req $CERT_DIR front-proxy-client "/CN=front-proxy-client"
-    
-    openssl_sign $CERT_DIR/front-proxy-ca.crt $CERT_DIR/front-proxy-ca.key $CERT_DIR front-proxy-client client_cert
-
-    # Add debug information to directories
-    #for CERT in $CERT_DIR/front-proxy-*.crt; do
-    #    openssl x509 -in $CERT -noout -text > "${CERT%.crt}.txt"
-    #done
-fi
-
 # Clean up openssl config
-rm $CERT_DIR/index*
-rm $CERT_DIR/100*
-rm $CERT_DIR/serial*
-rm $CERT_DIR/*.csr
+rm -f $CERT_DIR/index*
+rm -f $CERT_DIR/100*
+rm -f $CERT_DIR/serial*

openssl.conf

@@ -3,6 +3,7 @@ BASE_DOMAIN=
 CLUSTER_NAME=
 CERT_DIR=
 APISERVER_CLUSTER_IP=
+MASTER_NAME=
 
 [ ca ]
 # `man ca`
@@ -118,12 +119,26 @@ subjectKeyIdentifier = hash
 authorityKeyIdentifier = keyid,issuer:always
 keyUsage = critical, digitalSignature, keyEncipherment
 extendedKeyUsage = serverAuth, clientAuth
-subjectAltName = @alt_names
+subjectAltName = @apiserver_names
 
-[alt_names]
+[ master_component_client_cert ]
+basicConstraints = CA:FALSE
+nsCertType = client
+nsComment = "OpenSSL Generated Client Certificate"
+subjectKeyIdentifier = hash
+authorityKeyIdentifier = keyid,issuer
+keyUsage = critical, nonRepudiation, digitalSignature, keyEncipherment
+extendedKeyUsage = clientAuth
+subjectAltName = @master_names
+
+[apiserver_names]
 DNS.1 = ${ENV::CLUSTER_NAME}-api.${ENV::BASE_DOMAIN}
-DNS.2 = kubernetes
-DNS.3 = kubernetes.default
-DNS.4 = kubernetes.default.svc
-DNS.5 = kubernetes.default.svc.cluster.local
+DNS.2 = ${ENV::MASTER_NAME}.${ENV::BASE_DOMAIN}
+DNS.3 = kubernetes
+DNS.4 = kubernetes.default
+DNS.5 = kubernetes.default.svc
+DNS.6 = kubernetes.default.svc.cluster.local
 IP.1 = ${ENV::APISERVER_CLUSTER_IP}
+
+[ master_names ]
+DNS.1 = ${ENV::MASTER_NAME}.${ENV::BASE_DOMAIN}