#!/usr/bin/env bash
#
#---
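#######################################
# Print an error message and abort the script.
# Arguments: $1 - message to print
# Outputs:   "ERROR: <message>" on stderr (diagnostics must not land on
#            stdout, which callers may capture)
# Returns:   never; exits with status 1
#######################################
fatal() {
  printf 'ERROR: %s\n' "$1" >&2
  exit 1
}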
msg() { echo -e "\e[32mINFO ---> $1\e[0m"; }
err() { echo -e "\e[31mERR ---> $1\e[0m" ; return 1; }
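#######################################
# EXIT trap: when the script is leaving with a non-zero status and
# SLEEP_ON_ERROR is set, pause for that many seconds so the failed state
# (work dir contents, container) can be inspected before the process goes away.
# Globals:   SLEEP_ON_ERROR (read) - seconds, passed straight to sleep(1)
# Outputs:   a one-line notice on stderr when it sleeps
# Returns:   the status the script was already exiting with
#######################################
exit_trap() {
  # Must be the first statement: $? is the status the script is exiting with.
  local rc=$?
  if (( rc != 0 )) && [[ -n "${SLEEP_ON_ERROR:-}" ]]; then
    printf '\nSLEEP_ON_ERROR is set - Sleeping to fix error\n' >&2
    sleep "$SLEEP_ON_ERROR"
  fi
  return "$rc"
}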
trap exit_trap EXIT
usage() {
|
|
echo "Usage:
|
|
$0 [-n | --namespace] [--server-cert-cn] [--server-cert-extra-sans] codefresh-api-host codefresh-api-token
|
|
|
|
Example:
|
|
$0 -n workflow https://g.codefresh.io 21341234.423141234.412431234
|
|
|
|
"
|
|
}
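# Args
# Leading options are consumed here; whatever remains is positional
# (API host, API token), with CF_API_HOST / CF_API_TOKEN as env fallbacks.
while [[ "${1:-}" =~ ^(-(n|h)|--(namespace|server-cert-cn|server-cert-extra-sans|help)) ]]; do
  key=$1
  value=${2:-}

  case "$key" in
    -h|--help)
      usage
      exit
      ;;
    -n|--namespace)
      (( $# >= 2 )) || fatal "option ${key} requires a value"
      NAMESPACE="$value"
      shift
      ;;
    --server-cert-cn)
      (( $# >= 2 )) || fatal "option ${key} requires a value"
      SERVER_CERT_CN="$value"
      shift
      ;;
    --server-cert-extra-sans)
      (( $# >= 2 )) || fatal "option ${key} requires a value"
      SERVER_CERT_EXTRA_SANS="$value"
      shift
      ;;
    *)
      # The regex above only checks a prefix (e.g. "--helpme" gets here);
      # refuse it instead of silently dropping it.
      fatal "unknown option ${key}"
      ;;
  esac
  shift # past argument or value
done

API_HOST=${1:-"${CF_API_HOST:-}"}
API_TOKEN=${2:-"${CF_API_TOKEN:-}"}

if [[ -z "$API_HOST" ]]; then
  usage
  fatal "Missing API_HOST"
fi
if [[ -z "$API_TOKEN" ]]; then
  usage
  fatal "Missing token"
fi

API_SIGN_PATH=${API_SIGN_PATH:-"api/custom_clusters/signServerCerts"}

NAMESPACE=${NAMESPACE:-default}
# RELEASE, DIR and GENERATE_CERTS are not read anywhere in this file; left in
# place in case something sources this script — confirm before removing.
RELEASE=${RELEASE:-cf-runtime}

DIR=$(dirname -- "$0")
# Fixed work dir under /tmp. It is the script's own variable (not exported),
# so openssl/curl/kubectl do not see it as their TMPDIR. Because the path is
# predictable and will hold a private key, permissions are tightened below.
TMPDIR=/tmp/codefresh/

TMP_CERTS_FILE_ZIP=$TMPDIR/cf-certs.zip
TMP_CERTS_HEADERS_FILE=$TMPDIR/cf-certs-response-headers.txt
CERTS_DIR=$TMPDIR/ssl
SRV_TLS_CA_CERT=${CERTS_DIR}/ca.pem
SRV_TLS_KEY=${CERTS_DIR}/server-key.pem
SRV_TLS_CSR=${CERTS_DIR}/server-cert.csr
SRV_TLS_CERT=${CERTS_DIR}/server-cert.pem
CF_SRV_TLS_CERT=${CERTS_DIR}/cf-server-cert.pem
CF_SRV_TLS_CA_CERT=${CERTS_DIR}/cf-ca.pem
mkdir -p -- "$TMPDIR" "$CERTS_DIR" || fatal "Cannot create ${CERTS_DIR}"
# Owner-only access on the work dirs; a chmod failure here means the
# directory is not ours, which is exactly when we must not write a key into it.
chmod 700 -- "$TMPDIR" "$CERTS_DIR" || fatal "Cannot restrict permissions on ${TMPDIR}"

K8S_CERT_SECRET_NAME=codefresh-certs-server
printf '\n------------------\nGenerating server tls certificates ... \n'

SERVER_CERT_CN=${SERVER_CERT_CN:-"docker.codefresh.io"}
SERVER_CERT_EXTRA_SANS=${SERVER_CERT_EXTRA_SANS:-}
###

# Everything created from here on (key, CSR, signing request, signed certs)
# is secret material or derived from it: make new files owner-only.
umask 077
openssl genrsa -out "$SRV_TLS_KEY" 4096 || fatal "Failed to generate openssl key "
openssl req -subj "/CN=${SERVER_CERT_CN}" -new -key "$SRV_TLS_KEY" -out "$SRV_TLS_CSR" || fatal "Failed to generate openssl csr "
GENERATE_CERTS=true
# Fold the PEM CSR into a single JSON string value (newline -> the two
# characters '\n'). $(<file) drops the trailing newline exactly as the previous
# GNU-sed join did, and works with BSD/busybox userlands too.
CSR=$(<"$SRV_TLS_CSR") || fatal "Cannot read ${SRV_TLS_CSR}"
CSR=${CSR//$'\n'/\\n}

# KUBE_DOMAIN comes from the environment (empty when unset) and is appended
# as-is, so it is expected to carry its own leading dot — confirm with callers.
SERVER_CERT_SANS="IP:127.0.0.1,DNS:dind,DNS:*.dind.${NAMESPACE},DNS:*.dind.${NAMESPACE}.svc${KUBE_DOMAIN:-},DNS:*.cf-cd.com,DNS:*.codefresh.io"
if [[ -n "${SERVER_CERT_EXTRA_SANS}" ]]; then
  SERVER_CERT_SANS=${SERVER_CERT_SANS},${SERVER_CERT_EXTRA_SANS}
fi
# The SAN list carries command-line input (--server-cert-extra-sans); escape
# the two characters that would break the JSON string literal. The CSR is PEM
# (base64 and "-----" markers) and needs none.
SANS_JSON=${SERVER_CERT_SANS//\\/\\\\}
SANS_JSON=${SANS_JSON//\"/\\\"}
printf '{"reqSubjectAltName": "%s", "csr": "%s" }\n' "$SANS_JSON" "$CSR" > "${TMPDIR}/sign_req.json"

rm -fv -- "$TMP_CERTS_HEADERS_FILE" "$TMP_CERTS_FILE_ZIP"

# NOTE: -k turns off certificate verification of API_HOST, so the token is
# handed to whatever answers at that address; drop it once the endpoint
# presents a certificate the runtime trusts. The token is also passed on
# curl's argv and is visible in the process list while the request runs
# (`-H @file` keeps it out of argv on curl versions that support it).
curl_args=(
  -k -sSL
  -d "@${TMPDIR}/sign_req.json"
  -H "Content-Type: application/json"
  -H "Authorization: ${API_TOKEN}"
  -H "Expect: "
  -o "$TMP_CERTS_FILE_ZIP"
  -D "$TMP_CERTS_HEADERS_FILE"
  -w '%{http_code}'
)
SIGN_STATUS=$(curl "${curl_args[@]}" "${API_HOST}/${API_SIGN_PATH}")

printf 'Sign request completed with HTTP_STATUS_CODE=%s\n' "$SIGN_STATUS"
if [[ "$SIGN_STATUS" != 200 ]]; then
  printf 'ERROR: Cannot sign certificates\n' >&2
  # Keep the server's error body (it replaced the zip) where a human can find it.
  if [[ -f "$TMP_CERTS_FILE_ZIP" ]]; then
    mv -- "$TMP_CERTS_FILE_ZIP" "${TMP_CERTS_FILE_ZIP}.error"
    cat -- "${TMP_CERTS_FILE_ZIP}.error"
  fi
  exit 1
fi
unzip -o -d "${CERTS_DIR}/" "$TMP_CERTS_FILE_ZIP" || fatal "Failed to unzip certificates to ${CERTS_DIR} "
cp -v -- "$CF_SRV_TLS_CA_CERT" "$SRV_TLS_CA_CERT" || fatal "received ${TMP_CERTS_FILE_ZIP} does not contains ca.pem"
cp -v -- "$CF_SRV_TLS_CERT" "$SRV_TLS_CERT" || fatal "received ${TMP_CERTS_FILE_ZIP} does not contains cf-server-cert.pem"


printf '\n------------------\nCreating certificate secret \n'

# Render the secret client-side and apply it, so re-runs update an existing
# secret instead of failing on "already exists". Secret keys are the file
# basenames: ca.pem, server-key.pem, server-cert.pem.
kubectl -n "$NAMESPACE" create secret generic "$K8S_CERT_SECRET_NAME" \
  --from-file="$SRV_TLS_CA_CERT" \
  --from-file="$SRV_TLS_KEY" \
  --from-file="$SRV_TLS_CERT" \
  --dry-run=client -o yaml | kubectl apply --overwrite -f -
# Without pipefail a failed render would be hidden by a successful apply of
# empty input; check both stages.
pipe_rc=("${PIPESTATUS[@]}")
(( pipe_rc[0] == 0 && pipe_rc[1] == 0 )) || fatal "Failed to apply secret ${K8S_CERT_SECRET_NAME}"
kubectl -n "$NAMESPACE" label --overwrite secret "$K8S_CERT_SECRET_NAME" codefresh.io/internal=true \
  || fatal "Failed to label secret ${K8S_CERT_SECRET_NAME}"
kubectl -n "$NAMESPACE" patch secret "$K8S_CERT_SECRET_NAME" -p '{"metadata": {"finalizers": ["kubernetes"]}}' \
  || fatal "Failed to patch secret ${K8S_CERT_SECRET_NAME}"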