hexfusion · May 18, 2020 02:00
diff --git a/gistfile1.txt b/gistfile1.txt
 #!/usr/bin/env bash

 CLUSTER_DOMAIN_1="uit-nonprod.pka.domain.com"
 CLUSTER_DOMAIN_2="uit-nonprod.rz.domain.com"
 NODE_IP="123.123.123.123"

 init() {
  if [ -d "$PWD/certs" ]; then
    echo "$PWD/certs already exists please remove and retry"
    exit 1
  fi
  mkdir -p $PWD/certs/{csr,ca}
 }

 get_ca_crt() {
  local namespace=$1
  local secret=$2
  for ext in key crt; do
    eval oc get secrets -n ${namespace} ${secret} -o jsonpath={.data.tls\\\\.${ext}} | base64 -d > $PWD/certs/ca/ca.$ext
  done
 }

 gen_cnf() {
  echo "Generating openssl config..."
 cat > $PWD/certs/csr/openssl.cnf <<-EOF
 [ req ]
 default_bits            = 2048
 default_md              = sha256
 distinguished_name      = dn
 x509_extensions         = v3_req
 prompt                  = no

 [ dn ]
 organizationName        = system:etcd-metrics
 commonName              = system:etcd-metric:server-certs

 [ v3_req ]
 keyUsage                = critical,digitalSignature,keyEncipherment
 extendedKeyUsage        = serverAuth,clientAuth
 basicConstraints        = critical,CA:FALSE
 subjectKeyIdentifier    = hash
 authorityKeyIdentifier  = keyid
 subjectAltName          = @alt_names

 [ alt_names ]
 DNS.1   = *.${CLUSTER_DOMAIN_1}
 DNS.2   = *.${CLUSTER_DOMAIN_2}
 DNS.3   = etcd.kube-system.svc
 DNS.4   = etcd.kube-system.svc.cluster.local
 DNS.5   = etcd.openshift-etcd.svc
 DNS.6   = etcd.openshift-etcd.svc.cluster.local
 DNS.7   = localhost
 IP.1    = 127.0.0.1
 IP.2    = ${NODE_IP}
 EOF
 }

 gen_csr() {
 	echo "Generating CSR request..."
 	eval openssl req -new -newkey rsa:2048 -nodes -keyout $PWD/certs/server.key -out $PWD/certs/csr/server.csr -config $PWD/certs/csr/openssl.cnf
 }

 gen_cert() {
  echo "Generating certificates..."
  eval openssl x509 -req -days 3650 -in $PWD/certs/csr/server.csr -CA $PWD/certs/ca/ca.crt -CAkey $PWD/certs/ca/ca.key -CAcreateserial -out $PWD/certs/server.crt -sha256 -extensions 'v3_req' -extfile $PWD/certs/csr/openssl.cnf
  rm -rf $PWD/certs/ca
  echo 
 }  


 # workflow
 init
 get_ca_crt openshift-config etcd-metric-signer
 gen_cnf
 gen_csr
 gen_cert

 cat $PWD/certs/server.crt | openssl x509 -text -noout
	#!/usr/bin/env bash

	CLUSTER_DOMAIN_1="uit-nonprod.pka.domain.com"
	CLUSTER_DOMAIN_2="uit-nonprod.rz.domain.com"
	NODE_IP="123.123.123.123"

	init() {
	if [ -d "$PWD/certs" ]; then
	echo "$PWD/certs already exists please remove and retry"
	exit 1
	fi
	mkdir -p $PWD/certs/{csr,ca}
	}

	get_ca_crt() {
	local namespace=$1
	local secret=$2
	for ext in key crt; do
	eval oc get secrets -n ${namespace} ${secret} -o jsonpath={.data.tls\\\\.${ext}} \| base64 -d > $PWD/certs/ca/ca.$ext
	done
	}

	gen_cnf() {
	echo "Generating openssl config..."
	cat > $PWD/certs/csr/openssl.cnf <<-EOF
	[ req ]
	default_bits = 2048
	default_md = sha256
	distinguished_name = dn
	x509_extensions = v3_req
	prompt = no

	[ dn ]
	organizationName = system:etcd-metrics
	commonName = system:etcd-metric:server-certs

	[ v3_req ]
	keyUsage = critical,digitalSignature,keyEncipherment
	extendedKeyUsage = serverAuth,clientAuth
	basicConstraints = critical,CA:FALSE
	subjectKeyIdentifier = hash
	authorityKeyIdentifier = keyid
	subjectAltName = @alt_names

	[ alt_names ]
	DNS.1 = *.${CLUSTER_DOMAIN_1}
	DNS.2 = *.${CLUSTER_DOMAIN_2}
	DNS.3 = etcd.kube-system.svc
	DNS.4 = etcd.kube-system.svc.cluster.local
	DNS.5 = etcd.openshift-etcd.svc
	DNS.6 = etcd.openshift-etcd.svc.cluster.local
	DNS.7 = localhost
	IP.1 = 127.0.0.1
	IP.2 = ${NODE_IP}
	EOF
	}

	gen_csr() {
	echo "Generating CSR request..."
	eval openssl req -new -newkey rsa:2048 -nodes -keyout $PWD/certs/server.key -out $PWD/certs/csr/server.csr -config $PWD/certs/csr/openssl.cnf
	}

	gen_cert() {
	echo "Generating certificates..."
	eval openssl x509 -req -days 3650 -in $PWD/certs/csr/server.csr -CA $PWD/certs/ca/ca.crt -CAkey $PWD/certs/ca/ca.key -CAcreateserial -out $PWD/certs/server.crt -sha256 -extensions 'v3_req' -extfile $PWD/certs/csr/openssl.cnf
	rm -rf $PWD/certs/ca
	echo
	}


	# workflow
	init
	get_ca_crt openshift-config etcd-metric-signer
	gen_cnf
	gen_csr
	gen_cert

	cat $PWD/certs/server.crt \| openssl x509 -text -noout