Created
June 7, 2018 22:08
generate a csr for DT agents overseas - enables DT devops to access k8s cluster - written in 40min. fingers crossed
```bash
#!/bin/bash
set -e          # stop on the first failing command
set +x          # never echo commands (the passphrase prompt runs in this shell)
umask 077       # the private key must not be created group/world readable

# pre-requisites
for PREREQ in \
  /usr/bin/whoami \
  /usr/bin/openssl \
  /usr/bin/tar \
  /usr/bin/gzip \
  /usr/bin/tr; do
  if [ -f "$PREREQ" ]; then
    echo "$PREREQ exists - ok!"
  else
    echo "missing $PREREQ" >&2
    exit 1
  fi
done

# vars
IAM=$(whoami)
KEY="$IAM.key"
CSR="$IAM.csr"
# Kubernetes takes the username from CN and the group from O, so with this DN
# every engineer authenticates to the cluster as the same user "employee";
# use /CN=$IAM/... if the API audit log needs to tell people apart.
DN="/CN=employee/O=dt:engineer"
KEYLENGTH=2048
CLUSTER="k8s20170905.etcd-k8s-eu-central-1a.iameliza.net"
DEVOPS_CONTACT="[email protected]"
K8S_CONTEXT="iamplus_eliza_project"
OBFUSCATE="$(echo $RANDOM | tr 0123456789 mveqnobzrl)"
WORKSPACE_DIR="workspace_iamplus-$OBFUSCATE"
TARBALL="$IAM.tarball"
HARDBALL="$TARBALL.enc"

# exec
mkdir "$WORKSPACE_DIR" && cd "$WORKSPACE_DIR" || exit 1
openssl genrsa -out "$KEY" "$KEYLENGTH"
openssl req -new -key "$KEY" -out "$CSR" -subj "$DN"

# compress and encrypt
# note: the bundle carries the private key as well as the CSR. Only the CSR is
# needed to issue a certificate; the key is shipped because the local copy is
# deleted below and the signed crt comes back together with it.
tar czf "$TARBALL" "$IAM".*
printf "\nfiles have been packaged into \n\t\t$TARBALL\n enter -=A UNIQUE TEMPORARY PASSPHRASE=- to encrypt data\n\n"
# -pbkdf2 (OpenSSL 1.1.1+) replaces the weak legacy password-to-key derivation
openssl aes-256-cbc -a -salt -pbkdf2 -in "$TARBALL" -out "$HARDBALL"
printf "\nemail the $HARDBALL file to $DEVOPS_CONTACT\n Send your temporary passphrase to Arul via any other method - aside from email.\n"

# verify
# openssl req -in "$CSR" -noout -text
cat <<EOF

Once you receive both your approved crt and key files, you can connect to the cluster.
Run the following commands to store authentication credentials in ~/.kube/config

kubectl config set-credentials $IAM --client-certificate=$IAM.crt --client-key=$KEY
kubectl config set-context $K8S_CONTEXT --cluster=$CLUSTER --namespace=default --user=$IAM
kubectl config use-context $K8S_CONTEXT

Finally, you need the cluster certificate authority data, server endpoint and context name added
to your ~/.kube/config file. Lastly, run the included 200_cluster_cert.sh file.
EOF

# clean up
# rm files and set vars to null
cd ..
mv "$WORKSPACE_DIR/$HARDBALL" .
rm -rf "$WORKSPACE_DIR"
unset IAM KEY CSR DN KEYLENGTH CLUSTER DEVOPS_CONTACT K8S_CONTEXT WORKSPACE_DIR OBFUSCATE TARBALL HARDBALL
```
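Added example, not code from the gist above: the same generate, package and encrypt flow written as functions, with a per-user CN, the checks the receiving side should run on a CSR before signing it (self-signature verifies, CN and O are the requested identity, key is large enough), and a decrypt round-trip so the sender can confirm the passphrase before mailing the bundle. It assumes OpenSSL 1.1.1 or newer for `enc -pbkdf2`; the user name `alice`, the group `dt:engineer` and the passphrase are placeholders.

```shell
#!/bin/bash
# Added example (not part of the original gist). Assumes OpenSSL 1.1.1+.
# Names and values below (alice, dt:engineer, the passphrase) are illustrative.
set -eu
umask 077   # key, CSR and bundle are created without group/world access

# gen_csr <dir> <user> <group> [bits]
# Kubernetes takes the username from CN and group membership from O, so the
# CN is the individual's login rather than a shared label; otherwise every
# engineer appears in the audit log as the same identity.
gen_csr() {
  local dir=$1 user=$2 group=$3 bits=${4:-2048}
  openssl genrsa -out "$dir/$user.key" "$bits" 2>/dev/null
  openssl req -new -key "$dir/$user.key" -out "$dir/$user.csr" \
    -subj "/CN=$user/O=$group"
}

# csr_field <csr> <attr>  prints one subject attribute (CN or O).
# Fails if the CSR's self-signature does not verify, i.e. the body was
# altered after the requester signed it.
csr_field() {
  openssl req -in "$1" -noout -verify >/dev/null 2>&1 || return 1
  openssl req -in "$1" -noout -subject -nameopt RFC2253 \
    | sed 's/^subject=//' | tr ',' '\n' | sed -n "s/^$2=//p"
}

# csr_bits <csr>  prints the RSA modulus size in bits.
csr_bits() {
  openssl req -in "$1" -noout -text | grep -o '([0-9]* bit)' | tr -dc '0-9'
}

# check_csr <csr> <user> <group> <min_bits>
# The CA-side gate: refuse to sign unless the identity asserted in the CSR is
# the one that was requested and the key meets the minimum size.
check_csr() {
  local csr=$1 user=$2 group=$3 min_bits=$4
  [ "$(csr_field "$csr" CN)" = "$user" ]   || { echo "CN mismatch" >&2; return 1; }
  [ "$(csr_field "$csr" O)" = "$group" ]   || { echo "O mismatch" >&2; return 1; }
  [ "$(csr_bits "$csr")" -ge "$min_bits" ] || { echo "key too small" >&2; return 1; }
}

# seal <in> <out> / unseal <in> <out>
# The passphrase is read from $SEAL_PASS so it never appears on the command
# line or in shell history. -pbkdf2 replaces the legacy EVP_BytesToKey
# derivation that a bare `openssl aes-256-cbc` call uses.
seal()   { openssl enc -aes-256-cbc -pbkdf2 -salt -a -in "$1" -out "$2" -pass env:SEAL_PASS; }
unseal() { openssl enc -d -aes-256-cbc -pbkdf2 -a -in "$1" -out "$2" -pass env:SEAL_PASS; }

# demo: run the whole flow in a scratch directory and report the outcome.
demo() {
  local work; work=$(mktemp -d)
  gen_csr "$work" alice dt:engineer
  check_csr "$work/alice.csr" alice dt:engineer 2048
  tar -C "$work" -czf "$work/alice.tgz" alice.key alice.csr
  export SEAL_PASS='example-only-passphrase'
  seal "$work/alice.tgz" "$work/alice.tgz.enc"
  unseal "$work/alice.tgz.enc" "$work/roundtrip.tgz"
  unset SEAL_PASS
  cmp -s "$work/alice.tgz" "$work/roundtrip.tgz" \
    || { echo "round-trip mismatch" >&2; rm -rf "$work"; return 1; }
  echo "CSR checks pass and bundle round-trips"
  rm -rf "$work"
}
```

Every function returns a status rather than just printing, so `check_csr` can sit in front of whatever signs the CSR and fail the pipeline on a mismatch; the round-trip in `demo` is the step the original script skips, and it is the only way the sender knows the passphrase they are about to send out-of-band actually opens the file.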