Istio Multicluster Installation with Helm/OpenSSL
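<#
.SYNOPSIS
Create a per-cluster Istio intermediate CA signed by the mesh root CA.

.DESCRIPTION
Expects root-cert.pem and root-key.pem (from gen.ps1) in the current
directory and writes ./<name>/ containing:
  root-cert.pem      copy of the root certificate (the mesh trust anchor)
  intermediate.conf  OpenSSL request/extension config rendered for this cluster
  ca-key.pem         unencrypted 4096-bit RSA key of the intermediate CA
  cluster-ca.csr     the certificate request
  ca-cert.pem        intermediate certificate (CA:true, pathlen:0) signed by root-key.pem
  cert-chain.pem     ca-cert.pem followed by root-cert.pem
The four .pem files are what the Istio `cacerts` secret is built from.

ca-key.pem is a CA private key: whoever holds it can issue any identity in
this cluster, so treat the output directory as secret material.

.PARAMETER name
Cluster name. Becomes the output directory, the trust domain of the second
SPIFFE SAN (spiffe://<name>/ns/istio-system/sa/citadel) and the L= attribute
of the subject. It is interpolated verbatim into the OpenSSL config, so keep
it to plain DNS-label characters.

.PARAMETER days
Validity of the intermediate certificate in days (default 730, unchanged).
#>
[cmdletbinding()]
Param(
    [string] $name,
    [int] $days = 730
)
if (-not $name) {
    throw "name is mandatory"
}
# Turn cmdlet errors (Copy-Item, New-Item, Get-Content) into exceptions.
# Native commands are not covered by this, hence the explicit exit-code checks.
$ErrorActionPreference = 'Stop'

function Assert-NativeSucceeded([string] $step) {
    if ($LASTEXITCODE -ne 0) {
        throw "$step failed (exit code $LASTEXITCODE)"
    }
}

# 128-bit serial from the platform CSPRNG, as a hex literal for -set_serial.
# Serials must be unique per issuer (RFC 5280) and every cluster's intermediate
# is issued by the same root; Get-Random's 31-bit value is both guessable and
# collision-prone, so draw the serial from a proper RNG instead.
function New-CertificateSerial {
    $bytes = New-Object byte[] 16
    $rng = [System.Security.Cryptography.RandomNumberGenerator]::Create()
    try { $rng.GetBytes($bytes) } finally { $rng.Dispose() }
    return '0x' + ([System.BitConverter]::ToString($bytes) -replace '-', '')
}

# Write text without a UTF-8 BOM. Windows PowerShell's `Out-File -Encoding utf8`
# prepends one, and neither OpenSSL's config parser nor a PEM consumer should
# have to cope with it. .NET resolves relative paths against its own working
# directory, not PowerShell's location, so callers must pass absolute paths.
function Write-Utf8NoBom([string] $path, [string] $text) {
    $enc = New-Object System.Text.UTF8Encoding $false
    [System.IO.File]::WriteAllText($path, $text, $enc)
}

foreach ($required in 'root-cert.pem', 'root-key.pem') {
    if (-not (Test-Path $required)) {
        throw "$required not found in $(Get-Location); run gen.ps1 first"
    }
}
$dir = Join-Path (Get-Location).ProviderPath $name
# Refuse to clobber an existing cluster CA: its key may already be deployed.
if (Test-Path $dir) {
    throw "$dir already exists; refusing to overwrite cluster CA material"
}
New-Item -ItemType Directory -Path $dir | Out-Null
Copy-Item root-cert.pem (Join-Path $dir 'root-cert.pem')

$confPath  = Join-Path $dir 'intermediate.conf'
$keyPath   = Join-Path $dir 'ca-key.pem'
$csrPath   = Join-Path $dir 'cluster-ca.csr'
$certPath  = Join-Path $dir 'ca-cert.pem'
$chainPath = Join-Path $dir 'cert-chain.pem'

# req_ext is used twice: embedded in the CSR (req_extensions) and, through
# `openssl x509 -extensions req_ext -extfile`, copied into the issued cert.
# pathlen:0 stops this intermediate from issuing further CAs. The keyUsage
# list is kept as it was; keyCertSign is the bit that matters for a CA.
$intermediate = @"
[ req ]
encrypt_key = no
prompt = no
utf8 = yes
default_md = sha256
default_bits = 4096
req_extensions = req_ext
x509_extensions = req_ext
distinguished_name = req_dn
[ req_ext ]
subjectKeyIdentifier = hash
basicConstraints = critical, CA:true, pathlen:0
keyUsage = critical, digitalSignature, nonRepudiation, keyEncipherment, keyCertSign
subjectAltName=@san
[ san ]
URI.1 = spiffe://cluster.local/ns/istio-system/sa/citadel
URI.2 = spiffe://$name/ns/istio-system/sa/citadel
DNS.1 = localhost
[ req_dn ]
O = Istio
CN = Intermediate CA
L = $name
"@
Write-Utf8NoBom $confPath $intermediate

openssl genrsa -out $keyPath 4096
Assert-NativeSucceeded 'openssl genrsa'
openssl req -new -config $confPath -key $keyPath -out $csrPath
Assert-NativeSucceeded 'openssl req'
openssl x509 -req -days $days -CA root-cert.pem -CAkey root-key.pem `
    -set_serial (New-CertificateSerial) -extensions req_ext -extfile $confPath `
    -in $csrPath -out $certPath
Assert-NativeSucceeded 'openssl x509'

# Chain order: the certificate first, then its issuer (signer-to-root), which
# is the order TLS peers expect when a chain is presented. The root-first
# order written previously is tolerated by lenient verifiers but not
# guaranteed to be.
$caPem   = (Get-Content -Raw $certPath).TrimEnd()
$rootPem = (Get-Content -Raw root-cert.pem).TrimEnd()
Write-Utf8NoBom $chainPath ($caPem + "`n" + $rootPem + "`n")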
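# gen.ps1 - create the mesh root CA: root-key.pem and root-cert.pem (10 years)
# in the current directory from root-ca.conf. Run once; gencluster.ps1 then
# signs one intermediate per cluster with this key.
#
# root-key.pem is written unencrypted (root-ca.conf sets encrypt_key = no).
# It is not part of any cacerts secret - only root-cert.pem goes to the
# clusters - so keep it off the clusters and, once the intermediates are
# signed, off this workstation. Compromise of it means re-keying every cluster.
$ErrorActionPreference = 'Stop'

if ((Test-Path root-key.pem) -or (Test-Path root-cert.pem)) {
    # Clusters may already trust this root; silently replacing it would orphan them.
    throw "root-key.pem / root-cert.pem already exist in $(Get-Location); refusing to overwrite the mesh root CA"
}
if (-not (Test-Path root-ca.conf)) {
    throw "root-ca.conf not found in $(Get-Location)"
}

# 128-bit serial from the platform CSPRNG as a hex literal. Which serial
# `openssl x509 -req -signkey` picks when none is given varies by OpenSSL
# version, so set one explicitly rather than depend on that default.
$serialBytes = New-Object byte[] 16
$rng = [System.Security.Cryptography.RandomNumberGenerator]::Create()
try { $rng.GetBytes($serialBytes) } finally { $rng.Dispose() }
$serial = '0x' + ([System.BitConverter]::ToString($serialBytes) -replace '-', '')

openssl genrsa -out root-key.pem 4096
if ($LASTEXITCODE -ne 0) { throw "openssl genrsa failed (exit code $LASTEXITCODE)" }
openssl req -new -key root-key.pem -config root-ca.conf -out root-cert.csr
if ($LASTEXITCODE -ne 0) { throw "openssl req failed (exit code $LASTEXITCODE)" }
# Self-signed; the CA:true / keyUsage extensions come from req_ext in root-ca.conf.
openssl x509 -req -days 3650 -signkey root-key.pem -set_serial $serial -extensions req_ext -extfile root-ca.conf -in root-cert.csr -out root-cert.pem
if ($LASTEXITCODE -ne 0) { throw "openssl x509 failed (exit code $LASTEXITCODE)" }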
# root-ca.conf - OpenSSL request/extension config for the mesh root CA,
# consumed by gen.ps1: `openssl req -new -config root-ca.conf` builds the CSR
# and `openssl x509 -req -signkey ... -extensions req_ext -extfile root-ca.conf`
# self-signs it.
[ req ]
# Private key is written unencrypted: no passphrase prompt, but root-key.pem
# is then protected only by file permissions - keep it offline.
encrypt_key = no
# Non-interactive; the subject comes entirely from [ req_dn ].
prompt = no
utf8 = yes
default_md = sha256
default_bits = 4096
# Extensions embedded in the CSR.
req_extensions = req_ext
# Only consulted by `openssl req -x509`, which the scripts do not use; they
# pass -extensions req_ext to `openssl x509` explicitly instead.
x509_extensions = req_ext
distinguished_name = req_dn
[ req_ext ]
subjectKeyIdentifier = hash
# No pathlen here: this root must be able to sign intermediates that are
# themselves CAs (gencluster.ps1 issues pathlen:0 intermediates under it).
basicConstraints = critical, CA:true
# NOTE(review): digitalSignature/nonRepudiation/keyEncipherment are unusual on
# a CA-only certificate (keyCertSign, cRLSign is the conventional set). Left
# as-is; keyCertSign is the bit the chain validation depends on.
keyUsage = critical, digitalSignature, nonRepudiation, keyEncipherment, keyCertSign
[ req_dn ]
O = Istio
CN = Root CA
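# Walk-through: mesh root CA -> one intermediate per cluster -> Istio
# multicluster (gateway-connected) install on two clusters, "queen" and "king".
# Run from the directory that holds gen.ps1, gencluster.ps1 and root-ca.conf.
$ErrorActionPreference = 'Stop'

# Cluster names: output directory of gencluster.ps1 and SPIFFE trust domain.
$one = "queen"
$two = "king"
# kubeconfig per cluster. Deliberately separate variables: the earlier version
# passed the cluster name as --kubeconfig in one place (which, after
# gencluster.ps1, is a directory) and a hard-coded path in another.
$oneKubeconfig = "C:\Users\alexe\code\genesys\kubequeen"
$twoKubeconfig = "C:\Users\alexe\code\genesys\kubeking"

function Assert-NativeSucceeded([string] $step) {
    if ($LASTEXITCODE -ne 0) {
        throw "$step failed (exit code $LASTEXITCODE)"
    }
}

./gen.ps1                     # root-key.pem + root-cert.pem, once
./gencluster.ps1 -name $one   # ./queen/{ca-key,ca-cert,root-cert,cert-chain}.pem
./gencluster.ps1 -name $two
# Absolute paths, because we cd into the istio checkout below.
$oneCerts = (Resolve-Path $one).ProviderPath
$twoCerts = (Resolve-Path $two).ProviderPath

git clone https://github.com/istio/istio.git
Assert-NativeSucceeded 'git clone'
Set-Location istio
# NOTE(review): this renders whatever the default branch holds; check out a
# release tag first so istio.yaml and istio-init.yaml come from one known version.
helm template install/kubernetes/helm/istio --name istio --namespace istio-system `
    -f install/kubernetes/helm/istio/example-values/values-istio-multicluster-gateways.yaml |
    Out-File .\istio.yaml -Encoding utf8
Assert-NativeSucceeded 'helm template istio'
helm template install/kubernetes/helm/istio-init --name istio-init --namespace istio-system |
    Out-File .\istio-init.yaml -Encoding utf8
Assert-NativeSucceeded 'helm template istio-init'

# Plug the cluster's intermediate CA into Citadel via the `cacerts` secret,
# then install the CRDs. The secret contains ca-key.pem - a CA private key
# that can mint any identity in this cluster and, through the shared root, be
# trusted by the other one - so restrict who can read secrets in istio-system
# and enable encryption at rest for etcd.
function Install-ClusterCA([string] $kubeconfig, [string] $certDir) {
    kubectl --kubeconfig $kubeconfig create ns istio-system
    Assert-NativeSucceeded 'kubectl create ns istio-system'
    kubectl --kubeconfig $kubeconfig create secret generic cacerts -n istio-system `
        --from-file="$certDir\ca-cert.pem" `
        --from-file="$certDir\ca-key.pem" `
        --from-file="$certDir\root-cert.pem" `
        --from-file="$certDir\cert-chain.pem"
    Assert-NativeSucceeded 'kubectl create secret cacerts'
    kubectl --kubeconfig $kubeconfig apply -f .\istio-init.yaml
    Assert-NativeSucceeded 'kubectl apply istio-init.yaml'
}

Install-ClusterCA $oneKubeconfig $oneCerts
# wait for istio-init's CRD jobs to finish, apply istio.yaml, etc.
Install-ClusterCA $twoKubeconfig $twoCerts

# CoreDNS: hand the "global" TLD to the cluster's istiocoredns service so
# <svc>.<ns>.global names resolve through Istio (multicluster via gateways).
# The .:53 block is the stock kubeadm Corefile. `pods insecure` is kubeadm's
# default (per the CoreDNS kubernetes plugin docs it answers pod records
# without checking the pod exists); `pods verified` is the stricter option.
$dnsConf = @"
apiVersion: v1
kind: ConfigMap
metadata:
  name: coredns
  namespace: kube-system
data:
  Corefile: |
    .:53 {
        errors
        health
        kubernetes cluster.local in-addr.arpa ip6.arpa {
           pods insecure
           upstream
           fallthrough in-addr.arpa ip6.arpa
        }
        prometheus :9153
        proxy . /etc/resolv.conf
        cache 30
        loop
        reload
        loadbalance
    }
    global:53 {
        errors
        cache 30
        proxy . <<VALUE>>
    }
"@

# clusterIP of istiocoredns; requires istio.yaml to be applied already.
# An empty result would render `proxy . ` and, once applied, break the
# cluster's DNS, so fail here instead of continuing.
function Get-IstioCoreDnsIP([string] $kubeconfig) {
    $ip = kubectl --kubeconfig $kubeconfig get svc -n istio-system istiocoredns -o jsonpath='{.spec.clusterIP}'
    if ($LASTEXITCODE -ne 0 -or [string]::IsNullOrWhiteSpace("$ip")) {
        throw "no clusterIP for istiocoredns via $kubeconfig - is istio.yaml applied and the service up?"
    }
    return "$ip".Trim()
}
$queenIP = Get-IstioCoreDnsIP $oneKubeconfig
$kingIP  = Get-IstioCoreDnsIP $twoKubeconfig
$dnsConf.Replace("<<VALUE>>", $queenIP) | Out-File -Encoding utf8 queen-dns.yaml
$dnsConf.Replace("<<VALUE>>", $kingIP)  | Out-File -Encoding utf8 king-dns.yaml
# This replaces the whole coredns ConfigMap. Diff it against the live one first
# if the cluster's Corefile is not the kubeadm default shown above.
kubectl --kubeconfig $oneKubeconfig apply -f queen-dns.yaml
Assert-NativeSucceeded 'kubectl apply queen-dns.yaml'
kubectl --kubeconfig $twoKubeconfig apply -f king-dns.yaml
Assert-NativeSucceeded 'kubectl apply king-dns.yaml'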