#!/usr/bin/env bash
# bootstrap.sh — generate the local PKI with certin (under pki/) and render
# the envsubst templates (compose.yaml.tpl, etc/**/*.tpl, kube/**/*.tpl).
# Abort on any error, on an unset variable, and on a failed pipeline stage.
set -o errexit -o nounset -o pipefail
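#######################################
# Render one envsubst template in place: foo.tpl -> foo (same directory).
# Arguments: $1 - path to a template file; must end in .tpl
# Outputs:   one progress line on stdout; the rendered file next to the template
# Returns:   1 if $1 does not end in .tpl (then input and output would be the
#            same path and the redirection would truncate the template before
#            envsubst could read it); otherwise envsubst's exit status
#######################################
# NOTE(review): envsubst is called without a SHELL-FORMAT argument, so every
# $VAR present in the environment is substituted, not only the ones this
# script exports. The rendered file is created with the current umask, so a
# template holding secrets (e.g. tokens.csv.tpl) ends up world-readable
# unless the caller tightens the umask first — TODO confirm that is intended.
function render_template() {
  local template="$1"
  local target="${template%%.tpl}"
  if [[ "$target" == "$template" ]]; then
    printf 'render_template: %s does not end in .tpl, refusing to overwrite it\n' "$template" >&2
    return 1
  fi
  printf 'Rendering %s...\n' "$template"
  envsubst < "$template" > "$target"
}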
# Static token file for the apiserver. It is rendered once from its .tpl via
# envsubst, i.e. the token values are taken from the environment; the admin
# token is read back out of it further down (KUBE_ADMIN_TOKEN).
TOKENS_FILE=etc/tokens/tokens.csv
if [[ ! -f "$TOKENS_FILE" ]]; then
  printf 'Creating %s...\n' "$TOKENS_FILE"
  render_template "$TOKENS_FILE.tpl"
fi
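#######################################
# Create a key/cert pair with certin unless the cert already exists.
# Arguments: $1 - path prefix, e.g. kubernetes/root-ca, which yields
#                 kubernetes/root-ca.key and kubernetes/root-ca.crt
#            remaining arguments are passed through to `certin create`
# Outputs:   the traced certin invocation on stderr, or an "exists" note
#            on stdout when the .crt is already present
# Returns:   certin's exit status, 0 when nothing had to be created
#######################################
function mkcert() {
  local prefix="$1"
  shift
  # Declaration and command substitution are separate so a failing
  # dirname/basename is not masked by `local` (SC2155).
  local dir certName
  dir="$(dirname -- "$prefix")"
  certName="$(basename -- "$prefix")"
  mkdir -p -- "$dir"
  # Only the .crt is checked: a leftover .key without a .crt is regenerated,
  # a .crt without a .key is left alone.
  if [[ ! -f "$dir/$certName.crt" ]]; then
    # "$@" (not bare $@) keeps each extra argument as one word, e.g. a
    # --sans list; the set -x trace doubles as a log of what was generated.
    (set -x; certin create "$dir/$certName.key" "$dir/$certName.crt" "$@")
  else
    printf '%s exists already.\n' "$dir/$certName.crt"
  fi
}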
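#######################################
# Create a cert signed by an existing key/cert pair (thin wrapper over mkcert).
# Arguments: $1 - path prefix of the cert to create (see mkcert)
#            $2 - path prefix of the signer, e.g. kubernetes/root-ca
#            remaining arguments are passed through to certin
# Returns:   mkcert's exit status
#######################################
function mksigned() {
  local cert="$1"
  local signer="$2"
  shift 2
  # "$@" (not bare $@) so extra arguments survive word splitting intact.
  mkcert "$cert" --signer-key "$signer.key" --signer-cert "$signer.crt" "$@"
}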
PKI_DIR=pki
# The whole PKI is generated inside a subshell so the cd does not leak into
# the rest of the script; every mkcert/mksigned path below is relative to
# $PKI_DIR. Order matters: each CA has to exist before the certs it signs.
# mkcert skips anything whose .crt already exists, so re-running is cheap.
(
mkdir -p "$PKI_DIR"
cd "$PKI_DIR"
# Kubernetes Root CA
mkcert kubernetes/root-ca --cn kubernetes --is-ca
# create service account signer keypair
mksigned service-account/signer kubernetes/root-ca --cn service-account-signer
# TLS serving cert for the kube apiserver
mksigned apiserver/serving kubernetes/root-ca --cn apiserver --sans "apiserver,localhost,127.0.0.1"
# TLS serving cert for the machine-controller webhook (for convenience this is signed by Kubernetes' root CA)
mksigned machine-controller/serving kubernetes/root-ca --cn machine-controller-webhook --sans "machine-controller-webhook,localhost,127.0.0.1"
# NOTE(review): the glob also covers serving.key, so the private key becomes
# world-readable (0644) — presumably so a non-root container can read it;
# confirm that is intended and that this directory is not shared any wider.
chmod 644 machine-controller/*
# TLS serving cert for the operating-system-manager webhook (for convenience this is signed by Kubernetes' root CA)
mksigned operating-system-manager/tls kubernetes/root-ca --cn operating-system-manager-webhook --sans "operating-system-manager-webhook,localhost,127.0.0.1"
# NOTE(review): same as above — tls.key is made world-readable here.
chmod 644 operating-system-manager/*
# CA for client certs in Kubernetes
mksigned kubernetes/client/ca kubernetes/root-ca --cn kubernetes-client-ca --is-ca
# kubelet client cert
mksigned kubernetes/client/kubelet kubernetes/client/ca --cn kubelet-client
# CA for the front proxy
mksigned kubernetes/front-proxy/ca kubernetes/root-ca --cn kubernetes-front-proxy-ca --is-ca
# front proxy client cert for the kube apiserver
# NOTE(review): this is signed by kubernetes/root-ca, not by the front-proxy
# CA created just above — verify that this matches the CA the apiserver is
# given as requestheader-client-ca-file; otherwise the front-proxy CA is unused.
mksigned kubernetes/front-proxy/client/apiserver kubernetes/root-ca --cn apiserver
)
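# render kubeconfig and other config file templates
#
# These exports are what envsubst substitutes into the *.tpl files.
# Assignment and export are kept separate on purpose: `export X="$(cmd)"`
# always returns 0, which hid a failing base64/realpath/grep from set -e
# and silently left the variable empty (SC2155).
# base64 -w0 is GNU coreutils syntax; BSD/macOS base64 has no -w flag.
KUBE_ROOT_CA="$(base64 -w0 "$PKI_DIR/kubernetes/root-ca.crt")"
[[ -n "$KUBE_ROOT_CA" ]] || { printf 'error: %s is empty or unreadable\n' "$PKI_DIR/kubernetes/root-ca.crt" >&2; exit 1; }
export KUBE_ROOT_CA
# First column of the tokens.csv line(s) containing "admin". grep matches the
# whole line, so a token or user name that merely contains "admin" would also
# match, and the token is assumed to be column 1 — TODO confirm against
# tokens.csv.tpl. This is a bearer token: once exported it is inherited by
# every child process started below (find, envsubst, ...).
KUBE_ADMIN_TOKEN="$(grep admin "$TOKENS_FILE" | cut -d, -f1)"
[[ -n "$KUBE_ADMIN_TOKEN" ]] || { printf 'error: no admin token found in %s\n' "$TOKENS_FILE" >&2; exit 1; }
export KUBE_ADMIN_TOKEN
export KUBE_SECURE_PORT="${KUBE_SECURE_PORT:-32479}"
export ETCD_DATA_DIR="${ETCD_DATA_DIR:-./data/etcd}"
# Absolute paths for the templates (e.g. compose volume mounts).
KINDOF_PKI_DIR="$(realpath "$PKI_DIR")"
export KINDOF_PKI_DIR
KINDOF_ETC_DIR="$(realpath etc)"
export KINDOF_ETC_DIR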
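#######################################
# Render every *.tpl file below a directory in place (foo.tpl -> foo).
# Arguments: $1 - directory to search recursively
# Outputs:   render_template's progress lines
# Returns:   non-zero if find fails (e.g. the directory is missing) or a
#            render fails
#######################################
render_tree() {
  local dir="$1"
  local file
  # NUL-delimited so paths with spaces or newlines survive; IFS= and -r keep
  # leading whitespace and backslashes intact (the original read had neither).
  find "$dir" -name '*.tpl' -print0 | while IFS= read -r -d '' file; do
    render_template "$file"
  done
}
render_template compose.yaml.tpl
render_tree etc
# for convenience, allow to provide templates in kube/
# and we render them here
if [[ -d kube ]]; then
  render_tree kube
fi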