ssl_AKS.sh
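#!/usr/bin/env bash
#
# ssl_AKS.sh — issue a serving certificate for an in-cluster app through the
# Kubernetes CSR API (kubernetes.io/kubelet-serving signer).
#
# Usage:    ssl_AKS.sh <app> <namespace>
# Outputs:  <app>.key (private key, mode 0600), <app>.csr and <app>.crt in the
#           current directory, plus a CertificateSigningRequest object named
#           <app>.<namespace>.svc in the cluster.
# Requires: openssl, and kubectl credentials allowed to create and approve
#           CertificateSigningRequests (approval is a privileged operation).
#
# The script relies on bash features ([[ ]], $SECONDS, (( ))), so the shebang
# must be bash rather than /bin/sh.
set -euo pipefail

usage() {
  printf 'Usage: %s <app> <namespace>\n' "${0##*/}" >&2
  exit 2
}

[ "$#" -eq 2 ] || usage

export APP="${1}"
export NAMESPACE="${2}"
export CSR_NAME="${APP}.${NAMESPACE}.svc"

# The request config is only needed until openssl has read it; keep it out of
# the working directory and remove it on every exit path.
csr_conf=$(mktemp) || { echo "[!] mktemp failed" >&2; exit 1; }
trap 'rm -f -- "$csr_conf"' EXIT

echo "... creating RS private key ${APP}.key"
# Restrictive umask in a subshell so the private key is never group/world
# readable, whatever the installed openssl's default output mode is.
( umask 077 && openssl genrsa -out "${APP}.key" 2048 )

echo "... creating a certificate request ${APP}.csr"
cat >"$csr_conf" <<EOF
[req]
req_extensions = v3_req
distinguished_name = req_distinguished_name
[req_distinguished_name]
[ v3_req ]
basicConstraints = CA:FALSE
keyUsage = digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
subjectAltName = @alt_names
[alt_names]
DNS.1 = ${APP}
DNS.2 = ${APP}.${NAMESPACE}
DNS.3 = ${CSR_NAME}
DNS.4 = ${CSR_NAME}.cluster.local
EOF

# Subject expected by the kubelet-serving signer: O=system:nodes and
# CN=system:node:<name>. In openssl's -subj syntax "/" separates RDNs, so the
# stray ";" the original carried would have ended up inside the O value.
# The same string is used for the log line and the command so they cannot drift.
subj="/O=system:nodes/CN=system:node:${CSR_NAME}"
echo "openssl req -new -key ${APP}.key -subj \"${subj}\" -out ${APP}.csr -config ${csr_conf}"
openssl req -new -key "${APP}.key" -subj "${subj}" -out "${APP}.csr" -config "$csr_conf"

echo "... deleting existing csr, if any"
echo "kubectl delete csr ${CSR_NAME} || :"
# Best effort on purpose: a missing CSR is the normal case.
kubectl delete csr "${CSR_NAME}" || :

echo "... creating kubernetes CSR object"
echo "kubectl create -f -"
kubectl create -f - <<EOF
apiVersion: certificates.k8s.io/v1
kind: CertificateSigningRequest
metadata:
  name: ${CSR_NAME}
spec:
  groups:
  - system:authenticated
  request: $(base64 < "${APP}.csr" | tr -d '\n')
  signerName: kubernetes.io/kubelet-serving
  usages:
  - digital signature
  - key encipherment
  - server auth
EOF

# Under errexit a bare failing "kubectl get" would abort the script instead of
# retrying, so the command is used directly as the loop's condition.
SECONDS=0
while true; do
  echo "... waiting for csr to be present in kubernetes"
  echo "kubectl get csr ${CSR_NAME}"
  if kubectl get csr "${CSR_NAME}" >/dev/null 2>&1; then
    break
  fi
  if (( SECONDS >= 60 )); then
    echo "[!] timed out waiting for csr" >&2
    exit 1
  fi
  sleep 2
done

kubectl certificate approve "${CSR_NAME}"

# .status.certificate stays empty until the signer has issued the certificate.
SECONDS=0
while true; do
  echo "... waiting for serverCert to be present in kubernetes. Certificate to be issued."
  echo "kubectl get csr ${CSR_NAME} -o jsonpath='{.status.certificate}'"
  serverCert=$(kubectl get csr "${CSR_NAME}" -o jsonpath='{.status.certificate}')
  if [[ -n "$serverCert" ]]; then
    break
  fi
  if (( SECONDS >= 80 )); then
    echo "[!] timed out waiting for serverCert" >&2
    exit 1
  fi
  sleep 2
done

echo "... export the issued certificate in ${APP}.crt file"
echo "\$serverCert | openssl base64 -d -A -out ${APP}.crt"
# printf rather than echo: the value is data and must not be parsed as options.
printf '%s' "$serverCert" | openssl base64 -d -A -out "${APP}.crt"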