kubernetes cert generation

#!/bin/bash
set -e
set -x
# create certs for a kubernetes cluster

usage() {
    echo $0 [cluster_name] [service_ip] [additional_names]
    echo additional name is generally the dns name
    exit -1
}

CLUSTER_NAME=$1
shift

mkdir ${CLUSTER_NAME}
cat <<EOF > ${CLUSTER_NAME}/openssl.cnf
[req]
req_extensions = v3_req
distinguished_name = req_distinguished_name
[req_distinguished_name]
[ v3_req ]
basicConstraints = CA:FALSE
keyUsage = nonRepudiation, digitalSignature, keyEncipherment
subjectAltName = @alt_names
[alt_names]
DNS.1 = kubernetes
DNS.2 = kubernetes.default
DNS.3 = kubernetes.cluster.local
DNS.4 = kubernetes.svc.cluster.local
DNS.5 = kubernetes.default.svc.cluster.local
IP.1 = 127.0.0.1
IP.2 = 192.168.0.1
EOF
#IP.3 = ${SERVICE_IP}
i=6
for NAME in "$@"; do
    echo "DNS.${i} = ${NAME}" >> ${CLUSTER_NAME}/openssl.cnf
    let i++
done

cd ${CLUSTER_NAME}

#apiserver
openssl genrsa -out apiserver-key.pem 2048
openssl req -new -key apiserver-key.pem -out apiserver.csr -subj "/CN=kube-apiserver" -config openssl.cnf
openssl x509 -req -in apiserver.csr -CA ../ca.pem -CAkey ../ca-key.pem -CAcreateserial -out apiserver.pem -days 99999 -extensions v3_req -extfile openssl.cnf

#worker
openssl genrsa -out worker-key.pem 2048
openssl req -new -key worker-key.pem -out worker.csr -subj "/CN=kube-worker"
openssl x509 -req -in worker.csr -CA ../ca.pem -CAkey ../ca-key.pem -CAcreateserial -out worker.pem -days 99999

#admin
openssl genrsa -out admin-key.pem 2048
openssl req -new -key admin-key.pem -out admin.csr -subj "/CN=kube-admin"
openssl x509 -req -in admin.csr -CA ../ca.pem -CAkey ../ca-key.pem -CAcreateserial -out admin.pem -days 99999

I forget what I based this on, but I think was on CoreOS docs site.