richardsonlima · January 30, 2019 13:41
diff --git a/make-ca-cert.sh b/make-ca-cert.sh
 #!/usr/bin/env bash

 # Copyright 2014 The Kubernetes Authors.
 #
 # Licensed under the Apache License, Version 2.0 (the "License");
 # you may not use this file except in compliance with the License.
 # You may obtain a copy of the License at
 #
 #     http://www.apache.org/licenses/LICENSE-2.0
 #
 # Unless required by applicable law or agreed to in writing, software
 # distributed under the License is distributed on an "AS IS" BASIS,
 # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
 # See the License for the specific language governing permissions and
 # limitations under the License.

 set -o errexit
 set -o nounset
 set -o pipefail

 DEBUG="${DEBUG:-false}"

 if [ "${DEBUG}" == "true" ]; then
 	set -x
 fi

 cert_ip=$1
 extra_sans=${2:-}
 cert_dir=${CERT_DIR:-/etc/kubernetes/ssl}
 cert_group=${CERT_GROUP:-kube-cert}

 mkdir -p "$cert_dir"

 use_cn=false

 sans="IP:${cert_ip}"
 if [[ -n "${extra_sans}" ]]; then
  sans="${sans},${extra_sans}"
 fi

 tmpdir=$(mktemp -d -t kubernetes_cacert.XXXXXX)
 trap 'rm -rf "${tmpdir}"' EXIT
 cd "${tmpdir}"

 # TODO: For now, this is a patched tool that makes subject-alt-name work, when
 # the fix is upstream  move back to the upstream easyrsa.  This is cached in GCS
 # but is originally taken from:
 #   https://github.com/brendandburns/easy-rsa/archive/master.tar.gz
 #
 # To update, do the following:
 # curl -o easy-rsa.tar.gz https://github.com/brendandburns/easy-rsa/archive/master.tar.gz
 # gsutil cp easy-rsa.tar.gz gs://kubernetes-release/easy-rsa/easy-rsa.tar.gz
 # gsutil acl ch -R -g all:R gs://kubernetes-release/easy-rsa/easy-rsa.tar.gz
 #
 # Due to GCS caching of public objects, it may take time for this to be widely
 # distributed.
 #
 # Use ~/kube/easy-rsa.tar.gz if it exists, so that it can be
 # pre-pushed in cases where an outgoing connection is not allowed.
 if [ -f ~/kube/easy-rsa.tar.gz ]; then
 	ln -s ~/kube/easy-rsa.tar.gz .
 else
 	curl -L -O https://storage.googleapis.com/kubernetes-release/easy-rsa/easy-rsa.tar.gz > /dev/null 2>&1
 fi
 tar xzf easy-rsa.tar.gz > /dev/null 2>&1

 cd easy-rsa-master/easyrsa3
 ./easyrsa init-pki > /dev/null 2>&1
 ./easyrsa --batch "--req-cn=${cert_ip}@$(date +%s)" build-ca nopass > /dev/null 2>&1
 if [ $use_cn = "true" ]; then
    ./easyrsa build-server-full "${cert_ip}" nopass > /dev/null 2>&1
    cp -p "pki/issued/${cert_ip}.crt" "${cert_dir}/server.cert" > /dev/null 2>&1
    cp -p "pki/private/${cert_ip}.key" "${cert_dir}/server.key" > /dev/null 2>&1
 else
    ./easyrsa --subject-alt-name="${sans}" build-server-full kubernetes-master nopass > /dev/null 2>&1
    cp -p pki/issued/kubernetes-master.crt "${cert_dir}/server.cert" > /dev/null 2>&1
    cp -p pki/private/kubernetes-master.key "${cert_dir}/server.key" > /dev/null 2>&1
 fi
 # Make a superuser client cert with subject "O=system:masters, CN=kubecfg"
 ./easyrsa --dn-mode=org \
  --req-cn=kubecfg --req-org=system:masters \
  --req-c= --req-st= --req-city= --req-email= --req-ou= \
  build-client-full kubecfg nopass > /dev/null 2>&1
 cp -p pki/ca.crt "${cert_dir}/ca.crt"
 cp -p pki/issued/kubecfg.crt "${cert_dir}/kubecfg.crt"
 cp -p pki/private/kubecfg.key "${cert_dir}/kubecfg.key"
 # Make server certs accessible to apiserver.
 chgrp "${cert_group}" "${cert_dir}/server.key" "${cert_dir}/server.cert" "${cert_dir}/ca.crt"
 chmod 660 "${cert_dir}/server.key" "${cert_dir}/server.cert" "${cert_dir}/ca.crt"
	#!/usr/bin/env bash

	# Copyright 2014 The Kubernetes Authors.
	#
	# Licensed under the Apache License, Version 2.0 (the "License");
	# you may not use this file except in compliance with the License.
	# You may obtain a copy of the License at
	#
	# http://www.apache.org/licenses/LICENSE-2.0
	#
	# Unless required by applicable law or agreed to in writing, software
	# distributed under the License is distributed on an "AS IS" BASIS,
	# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
	# See the License for the specific language governing permissions and
	# limitations under the License.

	set -o errexit
	set -o nounset
	set -o pipefail

	DEBUG="${DEBUG:-false}"

	if [ "${DEBUG}" == "true" ]; then
	set -x
	fi

	cert_ip=$1
	extra_sans=${2:-}
	cert_dir=${CERT_DIR:-/etc/kubernetes/ssl}
	cert_group=${CERT_GROUP:-kube-cert}

	mkdir -p "$cert_dir"

	use_cn=false

	sans="IP:${cert_ip}"
	if [[ -n "${extra_sans}" ]]; then
	sans="${sans},${extra_sans}"
	fi

	tmpdir=$(mktemp -d -t kubernetes_cacert.XXXXXX)
	trap 'rm -rf "${tmpdir}"' EXIT
	cd "${tmpdir}"

	# TODO: For now, this is a patched tool that makes subject-alt-name work, when
	# the fix is upstream move back to the upstream easyrsa. This is cached in GCS
	# but is originally taken from:
	# https://github.com/brendandburns/easy-rsa/archive/master.tar.gz
	#
	# To update, do the following:
	# curl -o easy-rsa.tar.gz https://github.com/brendandburns/easy-rsa/archive/master.tar.gz
	# gsutil cp easy-rsa.tar.gz gs://kubernetes-release/easy-rsa/easy-rsa.tar.gz
	# gsutil acl ch -R -g all:R gs://kubernetes-release/easy-rsa/easy-rsa.tar.gz
	#
	# Due to GCS caching of public objects, it may take time for this to be widely
	# distributed.
	#
	# Use ~/kube/easy-rsa.tar.gz if it exists, so that it can be
	# pre-pushed in cases where an outgoing connection is not allowed.
	if [ -f ~/kube/easy-rsa.tar.gz ]; then
	ln -s ~/kube/easy-rsa.tar.gz .
	else
	curl -L -O https://storage.googleapis.com/kubernetes-release/easy-rsa/easy-rsa.tar.gz > /dev/null 2>&1
	fi
	tar xzf easy-rsa.tar.gz > /dev/null 2>&1

	cd easy-rsa-master/easyrsa3
	./easyrsa init-pki > /dev/null 2>&1
	./easyrsa --batch "--req-cn=${cert_ip}@$(date +%s)" build-ca nopass > /dev/null 2>&1
	if [ $use_cn = "true" ]; then
	./easyrsa build-server-full "${cert_ip}" nopass > /dev/null 2>&1
	cp -p "pki/issued/${cert_ip}.crt" "${cert_dir}/server.cert" > /dev/null 2>&1
	cp -p "pki/private/${cert_ip}.key" "${cert_dir}/server.key" > /dev/null 2>&1
	else
	./easyrsa --subject-alt-name="${sans}" build-server-full kubernetes-master nopass > /dev/null 2>&1
	cp -p pki/issued/kubernetes-master.crt "${cert_dir}/server.cert" > /dev/null 2>&1
	cp -p pki/private/kubernetes-master.key "${cert_dir}/server.key" > /dev/null 2>&1
	fi
	# Make a superuser client cert with subject "O=system:masters, CN=kubecfg"
	./easyrsa --dn-mode=org \
	--req-cn=kubecfg --req-org=system:masters \
	--req-c= --req-st= --req-city= --req-email= --req-ou= \
	build-client-full kubecfg nopass > /dev/null 2>&1
	cp -p pki/ca.crt "${cert_dir}/ca.crt"
	cp -p pki/issued/kubecfg.crt "${cert_dir}/kubecfg.crt"
	cp -p pki/private/kubecfg.key "${cert_dir}/kubecfg.key"
	# Make server certs accessible to apiserver.
	chgrp "${cert_group}" "${cert_dir}/server.key" "${cert_dir}/server.cert" "${cert_dir}/ca.crt"
	chmod 660 "${cert_dir}/server.key" "${cert_dir}/server.cert" "${cert_dir}/ca.crt"