Skip to content

Instantly share code, notes, and snippets.

@adamancini
Forked from divolgin/secret.sh
Created October 10, 2022 17:20
Show Gist options
  • Save adamancini/94a15e32ab01ee2168dbb6fa2086cb7e to your computer and use it in GitHub Desktop.
Save adamancini/94a15e32ab01ee2168dbb6fa2086cb7e to your computer and use it in GitHub Desktop.
#!/bin/bash
set -e
bail() {
printf "${RED}$1${NC}\n" 1>&2
exit 1
}
function registry_pki_secret() {
if [ -z "$DOCKER_REGISTRY_IP" ]; then
bail "Docker registry address required"
fi
local tmp="/tmp/registry-pki"
rm -rf "$tmp"
mkdir -p "$tmp"
pushd "$tmp"
cat > registry.cnf <<EOF
[ req ]
default_bits = 2048
prompt = no
default_md = sha256
req_extensions = req_ext
distinguished_name = dn
[ dn ]
CN = registry.kurl.svc.cluster.local
[ req_ext ]
subjectAltName = @alt_names
[ v3_ext ]
authorityKeyIdentifier=keyid,issuer:always
basicConstraints=CA:FALSE
keyUsage=nonRepudiation,digitalSignature,keyEncipherment
extendedKeyUsage=serverAuth
subjectAltName=@alt_names
[ alt_names ]
DNS.1 = registry
DNS.2 = registry.kurl
DNS.3 = registry.kurl.svc
DNS.4 = registry.kurl.svc.cluster
DNS.5 = registry.kurl.svc.cluster.local
IP.1 = $DOCKER_REGISTRY_IP
EOF
if [ -n "$REGISTRY_PUBLISH_PORT" ]; then
echo "IP.2 = $PRIVATE_ADDRESS" >> registry.cnf
if [ -n "$PUBLIC_ADDRESS" ]; then
echo "IP.3 = $PUBLIC_ADDRESS" >> registry.cnf
fi
fi
local ca_crt="/etc/kubernetes/pki/ca.crt"
local ca_key="/etc/kubernetes/pki/ca.key"
openssl req -newkey rsa:2048 -nodes -keyout registry.key -out registry.csr -config registry.cnf
openssl x509 -req -days 365 -in registry.csr -CA "${ca_crt}" -CAkey "${ca_key}" -CAcreateserial -out registry.crt -extensions v3_ext -extfile registry.cnf
# rotate the cert and restart the pod every time
kubectl -n kurl delete secret registry-pki || true
kubectl -n kurl create secret generic registry-pki --from-file=registry.key --from-file=registry.crt
kubectl -n kurl delete pod -l app=registry || true
popd
rm -r "$tmp"
}
export KUBECONFIG=/etc/kubernetes/admin.conf
export DOCKER_REGISTRY_IP=$(kubectl -n kurl get svc registry -o jsonpath='{ .spec.clusterIP }')
registry_pki_secret
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment