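#!/usr/bin/env bash
#
# Generate the relay certificates for a Gloo Mesh management plane and load
# them into Kubernetes secrets on the management and remote clusters.
#
# Files written to the current directory:
#   ${RELAY_ROOT_CERT_NAME}.{key,crt,srl}          self-signed root CA
#   ${RELAY_SERVER_CERT_NAME}.{conf,key,csr,crt}   relay gRPC server TLS cert, signed by the root
#   ${RELAY_SIGNING_CERT_NAME}.{conf,key,csr,crt}  intermediate CA the mgmt plane uses to
#                                                  issue client certs to agents
#
# Requires: openssl (1.1.1+ for -addext) and kubectl with kubeconfig contexts
# ${MGMT_CONTEXT} and ${REMOTE_CONTEXT}.
#
# Security notes:
#   - The root key is written unencrypted (-nodes). It is only needed to sign
#     the two certs below; only ca.crt is uploaded to the clusters, so move the
#     root key offline once this script has run.
#   - All three certs are valid for 10 years (-days 3650) and no revocation
#     mechanism is configured; rotate earlier if policy requires it.
#   - NOTE(review): the server and signing CSRs reuse the root's CN, so subject
#     equals issuer on the issued certs. That makes them look "self-issued" to
#     strict chain builders; a distinct CN per cert would be cleaner — verify
#     nothing downstream depends on this CN before changing it.

set -euo pipefail

# Private keys are created in the working directory; keep them unreadable by
# other local users. (Also applies to the .crt files, which is harmless.)
umask 077

RELAY_ROOT_CERT_NAME=relay-root
RELAY_SERVER_CERT_NAME=relay-server-tls
RELAY_SIGNING_CERT_NAME=relay-tls-signing
MGMT_CONTEXT=mgmt
REMOTE_CONTEXT=cluster1
# Hostname the relay server is reached at (wildcard). Used as the SAN of the
# server cert and, as in the original, also of the signing cert.
RELAY_DNS_NAME='*.mgmt-ocp-cluster-0ca535f43f530e703037d0998030fd5f-0000.us-east.containers.appdomain.cloud'

#######################################
# Generate a 2048-bit RSA key, a CSR using ${name}.conf, and a certificate
# signed by the root CA.
# Globals:   RELAY_ROOT_CERT_NAME (read)
# Arguments: $1 - base name; ${1}.conf must already exist, ${1}.{key,csr,crt} are written
#######################################
issue_cert() {
  local name=$1
  openssl genrsa -out "${name}.key" 2048
  openssl req -new -key "${name}.key" -out "${name}.csr" \
    -subj "/CN=enterprise-networking-ca" -config "${name}.conf"
  # -CAcreateserial/-CAserial give every issued cert a distinct serial from a
  # shared counter file. The previous version hard-coded -set_serial 0 for both
  # certs: RFC 5280 requires a positive serial that is unique per issuer, and
  # duplicate (issuer, serial) pairs can confuse chain building and caches.
  openssl x509 -req -days 3650 \
    -CA "${RELAY_ROOT_CERT_NAME}.crt" -CAkey "${RELAY_ROOT_CERT_NAME}.key" \
    -CAcreateserial -CAserial "${RELAY_ROOT_CERT_NAME}.srl" \
    -in "${name}.csr" -out "${name}.crt" \
    -extensions v3_req -extfile "${name}.conf"
}

#######################################
# Create-or-update a generic secret in the gloo-mesh namespace of one cluster.
# Arguments: $1 - kubeconfig context; $2 - secret name; remaining args are
#            passed to `kubectl create secret generic` (e.g. --from-file=...)
#######################################
apply_secret() {
  local context=$1 name=$2
  shift 2
  kubectl create secret generic "${name}" "$@" --dry-run=client -o yaml \
    | kubectl --context "${context}" --namespace gloo-mesh apply -f -
}

echo "creating root cert ..."
openssl req -new -newkey rsa:4096 -x509 -sha256 \
  -days 3650 -nodes -out "${RELAY_ROOT_CERT_NAME}.crt" -keyout "${RELAY_ROOT_CERT_NAME}.key" \
  -subj "/CN=enterprise-networking-ca" \
  -addext "extendedKeyUsage = clientAuth, serverAuth"

echo "creating grpc server tls cert ..."
# Server cert: leaf (CA:FALSE), usable for both server and client auth.
cat > "${RELAY_SERVER_CERT_NAME}.conf" <<EOF
[req]
req_extensions = v3_req
distinguished_name = req_distinguished_name
[req_distinguished_name]
[ v3_req ]
basicConstraints = CA:FALSE
keyUsage = digitalSignature, keyEncipherment
extendedKeyUsage = clientAuth, serverAuth
subjectAltName = @alt_names
[alt_names]
DNS = ${RELAY_DNS_NAME}
EOF
issue_cert "${RELAY_SERVER_CERT_NAME}"

echo "creating identity server signing cert ..."
# Signing cert. When agents first connect to the mgmt plane they do so over
# standard TLS (not mTLS) and present their token; the mgmt cluster then signs
# a new client cert for the agent. This is the cert it signs with, hence
# CA:TRUE and keyCertSign. (The SAN and serverAuth EKU are kept from the
# original configuration; they are unusual on an issuing cert.)
cat > "${RELAY_SIGNING_CERT_NAME}.conf" <<EOF
[req]
req_extensions = v3_req
distinguished_name = req_distinguished_name
[req_distinguished_name]
[ v3_req ]
basicConstraints = critical,CA:TRUE
keyUsage = digitalSignature, keyEncipherment, keyCertSign
extendedKeyUsage = clientAuth, serverAuth
subjectAltName = @alt_names
[alt_names]
DNS = ${RELAY_DNS_NAME}
EOF
issue_cert "${RELAY_SIGNING_CERT_NAME}"

# Ensure the gloo-mesh namespace exists on both clusters. Done via dry-run +
# apply so a pre-existing namespace is not an error (a plain `create namespace`
# would abort the script under set -e on a second run).
for context in "${MGMT_CONTEXT}" "${REMOTE_CONTEXT}"; do
  kubectl --context "${context}" create namespace gloo-mesh --dry-run=client -o yaml \
    | kubectl --context "${context}" apply -f -
done

# Create secrets from certs (mgmt cluster only; they hold private keys).
# Note: ${RELAY_SERVER_CERT_NAME}-secret must match the server Helm value `relayTlsSecret.Name`
apply_secret "${MGMT_CONTEXT}" "${RELAY_SERVER_CERT_NAME}-secret" \
  --from-file=tls.key="${RELAY_SERVER_CERT_NAME}.key" \
  --from-file=tls.crt="${RELAY_SERVER_CERT_NAME}.crt" \
  --from-file=ca.crt="${RELAY_ROOT_CERT_NAME}.crt"

# Note: ${RELAY_SIGNING_CERT_NAME}-secret must match the server Helm value `signingTlsSecret.Name`
apply_secret "${MGMT_CONTEXT}" "${RELAY_SIGNING_CERT_NAME}-secret" \
  --from-file=tls.key="${RELAY_SIGNING_CERT_NAME}.key" \
  --from-file=tls.crt="${RELAY_SIGNING_CERT_NAME}.crt" \
  --from-file=ca.crt="${RELAY_ROOT_CERT_NAME}.crt"

# Root CA public cert only (no key) for every cluster, so agents can verify
# the relay server.
# Note: ${RELAY_ROOT_CERT_NAME}-tls-secret must match the agent Helm value `relay.rootTlsSecret.Name`
for context in "${MGMT_CONTEXT}" "${REMOTE_CONTEXT}"; do
  echo "creating matching root cert for agent in cluster context ${context}..."
  apply_secret "${context}" "${RELAY_ROOT_CERT_NAME}-tls-secret" \
    --from-file=ca.crt="${RELAY_ROOT_CERT_NAME}.crt"
done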
  