gswallow · November 3, 2018 04:18
diff --git a/01_mk_ca.sh b/01_mk_ca.sh
 #!/bin/bash

 country=${country:=US}
 state=${state:=Indiana}
 city=${city:=Carmel}

 if [ ! -d ca ]; then
  mkdir ca
 fi

 cat > ca/ca-config.json <<EOF
 {
  "signing": {
    "default": {
      "expiry": "8760h"
    },
    "profiles": {
      "kubernetes": {
        "usages": ["signing", "key encipherment", "server auth", "client auth"],
        "expiry": "8760h"
      }
    }
  }
 }
 EOF

 cat > ca/ca-csr.json <<"EOF"
 {
  "CN": "Kubernetes",
  "key": {
    "algo": "rsa",
    "size": 2048
  },
  "names": [
    {
      "C": "${country}",
      "L": "${city}",
      "O": "Kubernetes",
      "OU": "CA",
      "ST": "${state}"
    }
  ]
 }
 EOF

 cd ca
 cfssl gencert -initca ca-csr.json | cfssljson -bare ca
 cd ..
diff --git a/02_mk_admin_cert.sh b/02_mk_admin_cert.sh
 #!/bin/bash

 country=${country:=US}
 state=${state:=Indiana}
 city=${city:=Carmel}

 if [ ! -d admin ]; then
  mkdir admin
 fi

 cat > admin/admin-csr.json <<"EOF"
 {
  "CN": "admin",
  "key": {
    "algo": "rsa",
    "size": 2048
  },
  "names": [
    {
      "C": "$country",
      "L": "$city",
      "O": "system:masters",
      "OU": "kubernetes",
      "ST": "$state"
    }
  ]
 }
 EOF

 cd admin
 cfssl gencert \
  -ca=../ca/ca.pem \
  -ca-key=../ca/ca-key.pem \
  -config=../ca/ca-config.json \
  -profile=kubernetes \
  admin-csr.json | cfssljson -bare admin
 cd ..
diff --git a/03_mk_kubelet_certs.sh b/03_mk_kubelet_certs.sh
 #!/bin/bash

 country=${country:=US}
 state=${state:=Indiana}
 city=${city:=Carmel}

 gencert() {
  node=$1
  pub=$2
  priv=$3

  cat > node${node}-csr.json <<"EOF"
 {
  "CN": "system:node:node${node}",
  "key": {
    "algo": "rsa",
    "size": 2048
  },
  "names": [
    {
      "C": "$country",
      "L": "$city",
      "O": "system:nodes",
      "OU": "kubernetes",
      "ST": "$state"
    }
  ]
 }
 EOF

  cfssl gencert \
    -ca=../ca/ca.pem \
    -ca-key=../ca/ca-key.pem \
    -config=../ca/ca-config.json \
    -hostname=node${node},${pub},${priv} \
    -profile=kubernetes \
    node${node}-csr.json | cfssljson -bare node${node}
 }

 if [ ! -d kubelet ]; then
  mkdir kubelet
 fi

 i=0
 aws ec2 describe-instances \
  --region us-east-2 \
  --filters 'Name=tag:Name,Values=k8s-node' \
  --query 'Reservations[].Instances[].{public: PublicIpAddress, private: PrivateIpAddress}' \
  --output text \
  | while read pub priv; do
  cd kubelet
  gencert $i $pub $priv
  i=$[i+1]
  cd ..
 done
	#!/bin/bash

	country=${country:=US}
	state=${state:=Indiana}
	city=${city:=Carmel}

	if [ ! -d ca ]; then
	mkdir ca
	fi

	cat > ca/ca-config.json <<EOF
	{
	"signing": {
	"default": {
	"expiry": "8760h"
	},
	"profiles": {
	"kubernetes": {
	"usages": ["signing", "key encipherment", "server auth", "client auth"],
	"expiry": "8760h"
	}
	}
	}
	}
	EOF

	cat > ca/ca-csr.json <<"EOF"
	{
	"CN": "Kubernetes",
	"key": {
	"algo": "rsa",
	"size": 2048
	},
	"names": [
	{
	"C": "${country}",
	"L": "${city}",
	"O": "Kubernetes",
	"OU": "CA",
	"ST": "${state}"
	}
	]
	}
	EOF

	cd ca
	cfssl gencert -initca ca-csr.json \| cfssljson -bare ca
	cd ..