Improve certificate generation.

2017-07-11 11:36:26 +02:00
parent eae7933016
commit caf3b10680
7 changed files with 123 additions and 40 deletions
--- a/pki/ca-config.json
+++ b/pki/ca-config.json
@@ -0,0 +1,34 @@
+{
+    "signing": {
+        "default": {
+            "expiry": "43800h"
+        },
+        "profiles": {
+            "server": {
+                "expiry": "43800h",
+                "usages": [
+                    "signing",
+                "key encipherment",
+                "server auth"
+                    ]
+            },
+            "client": {
+                "expiry": "43800h",
+                "usages": [
+                    "signing",
+                "key encipherment",
+                "client auth"
+                    ]
+            },
+            "peer": {
+                "expiry": "43800h",
+                "usages": [
+                    "signing",
+                "key encipherment",
+                "server auth",
+                "client auth"
+                    ]
+            }
+        }
+    }
+}
--- a/pki/ca.json
+++ b/pki/ca.json
@@ -1,9 +1,5 @@
 {
-    "hosts": [
-        "itpartner.no",
-        "itpartner.intern",
-        "cluster.local"
-    ],
+    "CN": "k8s0",
    "key": {
        "algo": "rsa",
        "size": 2048
--- a/pki/client.json
+++ b/pki/client.json
@@ -1,9 +1,6 @@
 {
-    "CN": "@host@",
-    "hosts": [
-        "@host@",
-        "@ip@"
-    ],
+    "CN": "client",
+    "hosts": [ "" ],
    "key": {
        "algo": "rsa",
        "size": 2048
--- a/pki/etcd.json
+++ b/pki/etcd.json
@@ -1,7 +1,8 @@
 {
+    "CN": "@host@",
    "hosts": [
-        "etcd0",
-        "etcd1"
+        "@host@",
+        "@ip"
    ],
    "key": {
        "algo": "rsa",
--- a/pki/mkcerts.sh
+++ b/pki/mkcerts.sh
@@ -1,57 +1,55 @@
 #!/usr/bin/env bash

-hosts="k8s0-0,100 k8s0-1,101 k8s0-2,102"
+etcd="etcd0,100 etcd1,101"

-mkcacert () {
+cacert () {
    cfssl genkey -initca ca.json | cfssljson -bare ca
 }

-mkapicert () {
-    cfssl gencert -ca ca.pem -ca-key ca-key.pem apiserver.json \
-    | cfssljson -bare apiserver
+servercert () {
+    cfssl gencert -ca=ca.pem -ca-key=ca-key.pem \
+        -config=ca-config.json -profile=server server.json \
+        | cfssljson -bare server
 }

-mketcdcert () {
-    cfssl gencert -ca ca.pem -ca-key ca-key.pem etcd.json \
-    | cfssljson -bare etcd
-}
-
-# mkclientcert () {
-#     cfssl gencert -ca ca.pem -ca-key ca-key.pem client.json \
-#     | cfssljson -bare client
-# }
-
-mkclientcert () {
+etcdcert () {
    host=$1
    ip=$2
-    sed "s/@host@/$host/g; s/@ip@/$ip/g; " client.json \
-        | cfssl gencert -ca ca.pem -ca-key ca-key.pem - \
+    sed "s/@host@/$host/g; s/@ip@/$ip/g;" etcd.json \
+        | cfssl gencert -ca=ca.pem -ca-key=ca-key.pem \
+        -config=ca-config.json -profile=peer - \
        | cfssljson -bare $host
 }

-mkclientcerts () {
-    for i in $hosts; do
+clientcert () {
+    cfssl gencert -ca=ca.pem -ca-key=ca-key.pem \
+        -config=ca-config.json -profile=client client.json \
+        | cfssljson -bare client
+}
+
+mketcdcerts () {
+    for i in $etcd; do
        IFS=","
        set -- $i
-        mkclientcert $1 10.253.18.$2
+        etcdcert $1 10.253.18.$2
    done
 }

 case $1 in
    all)
-        mkcacert
-        mkapicert
-        mketcdcert
-        mkclientcert
+        cacert
+        servercert
+        mketcdcerts
+        clientcert
        ;;
    client)
-        mkclientcerts
+        clientcert
        ;;
    api)
-        mkapicert
+        servercert
        ;;
    etcd)
-        mketcdcert
+        mketcdcerts
        ;;
    *)
        echo "usege: mkcerts.sh (all|client|api|etcd)"
--- a/pki/apiserver.json
+++ b/pki/apiserver.json
@@ -1,4 +1,5 @@
 {
+    "CN": "server",
    "hosts": [
        "k8s0-0",
        "kubernetes",
--- a/test/gitlab.yaml
+++ b/test/gitlab.yaml
@@ -0,0 +1,56 @@
+apiVersion: v1
+kind: Service
+metadata:
+  name: gitlab
+  labels:
+    run: gitlab
+spec:
+  type: NodePort
+  ports:
+  - port: 80
+    targetPort: 80
+    protocol: TCP
+    name: http
+  - port: 443
+    protocol: TCP
+    name: https
+  - port: 22
+    protocol: TCP
+    name: ssh
+  selector:
+   run: gitlab
+---
+apiVersion: extensions/v1beta1
+kind: Deployment
+metadata:
+  name: gitlab
+  namespace: default
+spec:
+  replicas: 1
+  template:
+    metadata:
+      labels:
+        app: busybox
+      containers:
+      - image: gitlab/gitlab-ce:latest
+        name: gitlab-container
+        ports:
+        - containerPort: 80
+        - containerPort: 22
+        - containerPort: 443
+      volumeMounts:
+      - mountPath: /etc/gitlab
+        name: gitlab-data
+        subPath: config
+      - mountPath: /var/log/gitlab
+        name: gitlab-data
+        subPath: logs
+      - mountPath: /var/opt/gitlab
+        name: gitlab-data
+        subPath: data
+      volumes:
+      - name: gitlab-data
+        nfs:
+          server: 10.253.10.103
+          path: /data/gitlab
+          ReadOnly: false