-
Notifications
You must be signed in to change notification settings - Fork 75
/
cert-deployer
executable file
·46 lines (41 loc) · 1.67 KB
/
cert-deployer
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
#!/bin/bash -x
SSL_CRTS_DIR=${CRTS_DEPLOY_PATH:-/etc/kubernetes/ssl}
mkdir -p $SSL_CRTS_DIR
chmod 755 $SSL_CRTS_DIR
for i in $(env | grep -o KUBE_.*=); do
name="$(echo "$i" | cut -f1 -d"=" | tr '[:upper:]' '[:lower:]' | tr '_' '-').pem"
env=$(echo "$i" | cut -f1 -d"=")
value=$(echo "${!env}")
if [ ! -f $SSL_CRTS_DIR/$name ] || [ "$FORCE_DEPLOY" = "true" ]; then
echo "$value" > $SSL_CRTS_DIR/$name
chmod 600 $SSL_CRTS_DIR/$name
fi
done
for i in $(env | grep -o KUBECFG_.*=); do
name="$(echo "$i" | cut -f1 -d"=" | tr '[:upper:]' '[:lower:]' | tr '_' '-').yaml"
env=$(echo "$i" | cut -f1 -d"=")
value=$(echo "${!env}")
if [ ! -f $SSL_CRTS_DIR/$name ]; then
echo "$value" > $SSL_CRTS_DIR/$name
chmod 600 $SSL_CRTS_DIR/$name
fi
done
# only enabled if we are running etcd with custom uid/gid
# change ownership of etcd cert and key and kube-ca to the custom uid/gid
if [ -n "${ETCD_UID}" ] && [ -n "${ETCD_GID}" ]; then
# set minial mask to allow effective read access to the certificates
setfacl -R -m m::rX "${SSL_CRTS_DIR}" && echo "Successfully set ACL mask for certs dir"
# we remove certs dir acl if any for the custom etcd uid, since chown will give that access
setfacl -R -x u:${ETCD_UID} "${SSL_CRTS_DIR}" && echo "Successfully unset user ACL for certs dir"
# allow certs dir read access to the custom etcd gid
setfacl -R -x g:${ETCD_GID} "${SSL_CRTS_DIR}" && echo "Successfully unset group ACL for certs dir"
for name in $SSL_CRTS_DIR/*.pem; do
if [[ $name == *kube-etcd* ]] ; then
chown "${ETCD_UID}":"${ETCD_GID}" $name
fi
if [[ $name == *kube-ca.pem ]] ; then
chmod 644 $name
fi
done
chmod 755 $SSL_CRTS_DIR
fi