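#!/bin/bash -
# make-certs: issue a per-node TLS key/certificate for Kubernetes, signed by a
# pre-existing cluster CA.
#
# Preconditions (not created here):
#   - $cert_dir/ca.pem and $cert_dir/ca-key.pem are already in place; this
#     script only fixes their ownership/permissions and signs with them.
#   - an openssl.cnf in the current working directory providing the v3_req
#     extensions used for the node certificate.
#   - __HOSTNAME__ in the CSR subject is a template placeholder; presumably it
#     is substituted with the node name before this script runs -- verify
#     against whatever renders it.
# Must run as root (groupadd, chgrp, writes under /etc).
# Outputs: $cert_dir/node-key.pem (0600), node.pem (0660), node-csr.pem, and
# ca.srl (written by -CAcreateserial next to the CA).
set -o errexit
set -o nounset
set -o pipefail

readonly cert_group=kube-cert
readonly cert_dir=/etc/kubernetes/tls

readonly pem_ca=$cert_dir/ca.pem
readonly pem_ca_key=$cert_dir/ca-key.pem
readonly pem_node=$cert_dir/node.pem
readonly pem_node_key=$cert_dir/node-key.pem
readonly pem_node_csr=$cert_dir/node-csr.pem

# Print a diagnostic to stderr and stop.
die() { printf 'make-certs: %s\n' "$*" >&2; exit 1; }

mkdir -p -- "$cert_dir"

# The original `rm -rf "$cert_dir/*"` quoted the glob, so it only ever removed
# a file literally named '*'. Clearing the whole directory would also delete
# the CA that the signing step below depends on, so remove only the node
# artifacts this script regenerates.
rm -f -- "$pem_node" "$pem_node_key" "$pem_node_csr"

# The CA is provisioned out-of-band; fail early with a clear message rather
# than at the chgrp / openssl x509 step.
[[ -f "$pem_ca" && -f "$pem_ca_key" ]] \
  || die "CA material missing: expected $pem_ca and $pem_ca_key"

# Make sure cert group exists. groupadd exits non-zero when the group already
# exists, which would abort a re-run under errexit, so check first.
getent group "$cert_group" >/dev/null || groupadd -r "$cert_group"

# Make sure CA perms are right: key readable by root only, cert by the group.
chgrp "$cert_group" "$pem_ca" "$pem_ca_key"
chmod 600 "$pem_ca_key"
chmod 660 "$pem_ca"

# Generate TLS artifacts. The private key is written under a restrictive umask
# (in a subshell so the umask does not leak) so it is never world-readable,
# even briefly, before the chmod below.
(umask 077; openssl genrsa -out "$pem_node_key" 2048)
openssl req -new -key "$pem_node_key" -out "$pem_node_csr" \
  -subj "/CN=__HOSTNAME__" -config openssl.cnf
openssl x509 -req -in "$pem_node_csr" -CA "$pem_ca" -CAkey "$pem_ca_key" \
  -CAcreateserial -out "$pem_node" -days 365 \
  -extensions v3_req -extfile openssl.cnf

# Make server certs accessible to apiserver.
chgrp "$cert_group" "$pem_node" "$pem_node_key"
chmod 600 "$pem_node_key"
chmod 660 "$pem_node" "$pem_ca"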