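# Builds a small private PKI as Nix derivations: one self-signed CA plus
# server/client leaf certificates for etcd, the kube-apiserver and a shared
# worker identity. Each step is a separate derivation whose single output
# ($out) is the PEM/CSR file named in the call.
#
# NOTE(review): every output here -- the private keys included -- is written
# to the Nix store, which is world-readable on the build host and on any
# machine or binary cache the closure is copied to. Treat the result as
# lab/test credentials; for anything else generate the keys outside the store
# (e.g. at activation time on the host) and only distribute the CA cert.
let
  # <nixpkgs> is resolved through NIX_PATH; pin it (fetchTarball/flake input)
  # when reproducible cert material is required.
  pkgs = import <nixpkgs> {};

  # Run `cmd` in a derivation called `file` with OpenSSL on PATH. `cmd` must
  # write its result to $out. RANDFILE is redirected because the sandboxed
  # build user has no writable $HOME for OpenSSL's default seed file.
  # NOTE(review): openssl_1_1_0 is an end-of-life OpenSSL branch; prefer the
  # nixpkgs-maintained pkgs.openssl once the rest of the config allows it.
  runWithOpenSSL = file: cmd: pkgs.runCommand file {
    buildInputs = [ pkgs.openssl_1_1_0 ];
  } ("export RANDFILE=/tmp/rnd;" + cmd);

  # etcd server certificate: SANs cover the three etcd members, the three
  # control-plane hosts and loopback.
  # NOTE(review): if this certificate is also used for etcd *peer* TLS, add
  # clientAuth to extendedKeyUsage -- peers authenticate to each other as
  # clients and a serverAuth-only cert is rejected.
  etcd_cnf = pkgs.writeText "etcd-openssl.cnf" ''
    [req]
    req_extensions = v3_req
    distinguished_name = req_distinguished_name
    [req_distinguished_name]
    [ v3_req ]
    basicConstraints = CA:FALSE
    keyUsage = digitalSignature, keyEncipherment
    extendedKeyUsage = serverAuth
    subjectAltName = @alt_names
    [alt_names]
    DNS.1 = etcd0
    DNS.2 = etcd1
    DNS.3 = etcd2
    DNS.4 = k8s0-0
    DNS.5 = k8s0-1
    DNS.6 = k8s0-2
    IP.1 = 127.0.0.1
  '';

  # Client certificate presented to etcd (by the apiserver); no SANs needed,
  # identity is the CN.
  etcd_client_cnf = pkgs.writeText "etcd-client-openssl.cnf" ''
    [req]
    req_extensions = v3_req
    distinguished_name = req_distinguished_name
    [req_distinguished_name]
    [ v3_req ]
    basicConstraints = CA:FALSE
    keyUsage = digitalSignature, keyEncipherment
    extendedKeyUsage = clientAuth
  '';

  # kube-apiserver serving certificate. The SAN list must contain every name
  # a client may dial: the in-cluster service names, the external hostname,
  # the cluster service IP and the node IP.
  # FIX: the original listed two `DNS.4` entries; OpenSSL keeps only the last
  # duplicate key in a section, which silently dropped
  # kubernetes.default.svc.cluster.local from the certificate.
  apiserver_cnf = pkgs.writeText "apiserver-openssl.cnf" ''
    [req]
    req_extensions = v3_req
    distinguished_name = req_distinguished_name
    [req_distinguished_name]
    [ v3_req ]
    basicConstraints = CA:FALSE
    keyUsage = nonRepudiation, digitalSignature, keyEncipherment
    subjectAltName = @alt_names
    [alt_names]
    DNS.1 = kubernetes
    DNS.2 = kubernetes.default
    DNS.3 = kubernetes.default.svc
    DNS.4 = kubernetes.default.svc.cluster.local
    DNS.5 = k8s0-0.itpartner.no
    IP.1 = 10.0.0.1
    IP.2 = 10.253.18.100
  '';

  # One certificate shared by all worker nodes, with wildcard SANs.
  # NOTE(review): if this is presumably the kubelet's client cert, a single
  # shared identity defeats per-node authorization (the Node authorizer keys
  # on CN=system:node:<name>, O=system:nodes) and means one compromised node
  # can impersonate every other -- confirm how it is consumed.
  worker_cnf = pkgs.writeText "worker-openssl.cnf" ''
    [req]
    req_extensions = v3_req
    distinguished_name = req_distinguished_name
    [req_distinguished_name]
    [ v3_req ]
    basicConstraints = CA:FALSE
    keyUsage = nonRepudiation, digitalSignature, keyEncipherment
    subjectAltName = @alt_names
    [alt_names]
    DNS.1 = *.itpartner.no
    DNS.2 = *.itpartner.intern
    DNS.3 = k8s0-0
    DNS.4 = k8s0-1
    DNS.5 = k8s0-2
    DNS.6 = git01
  '';

  # --- CA -------------------------------------------------------------------
  ca_key = runWithOpenSSL "ca-key.pem" "openssl genrsa -out $out 2048";
  # Self-signed root, ~27 years. Leaf certs below are limited to one year.
  ca_pem = runWithOpenSSL "ca.pem" ''
    openssl req \
      -x509 -new -nodes -key ${ca_key} \
      -days 10000 -out $out -subj "/CN=kube-ca"
  '';

  # --- leaf certificates ----------------------------------------------------
  # Signing uses explicit, distinct serial numbers instead of -CAcreateserial:
  # that flag writes a `<CA name>.srl` file next to the CA certificate, i.e.
  # into the (read-only) store path of ca.pem, so it either fails in a sandboxed
  # build or leaves a stray file in /nix/store. Every certificate issued by one
  # CA must carry a unique serial, hence one constant per leaf.

  etcd_key = runWithOpenSSL "etcd-key.pem" "openssl genrsa -out $out 2048";
  etcd_csr = runWithOpenSSL "etcd.csr" ''
    openssl req \
      -new -key ${etcd_key} \
      -out $out -subj "/CN=etcd" \
      -config ${etcd_cnf}
  '';
  etcd_cert = runWithOpenSSL "etcd.pem" ''
    openssl x509 \
      -req -in ${etcd_csr} \
      -CA ${ca_pem} -CAkey ${ca_key} \
      -set_serial 1 -out $out \
      -days 365 -extensions v3_req \
      -extfile ${etcd_cnf}
  '';

  etcd_client_key = runWithOpenSSL "etcd-client-key.pem" "openssl genrsa -out $out 2048";
  etcd_client_csr = runWithOpenSSL "etcd-client.csr" ''
    openssl req \
      -new -key ${etcd_client_key} \
      -out $out -subj "/CN=etcd-client" \
      -config ${etcd_client_cnf}
  '';
  etcd_client_cert = runWithOpenSSL "etcd-client.pem" ''
    openssl x509 \
      -req -in ${etcd_client_csr} \
      -CA ${ca_pem} -CAkey ${ca_key} -set_serial 2 \
      -out $out -days 365 -extensions v3_req \
      -extfile ${etcd_client_cnf}
  '';

  apiserver_key = runWithOpenSSL "apiserver-key.pem" "openssl genrsa -out $out 2048";
  apiserver_csr = runWithOpenSSL "apiserver.csr" ''
    openssl req \
      -new -key ${apiserver_key} \
      -out $out -subj "/CN=kube-apiserver" \
      -config ${apiserver_cnf}
  '';
  apiserver_cert = runWithOpenSSL "apiserver.pem" ''
    openssl x509 \
      -req -in ${apiserver_csr} \
      -CA ${ca_pem} -CAkey ${ca_key} -set_serial 3 \
      -out $out -days 365 -extensions v3_req \
      -extfile ${apiserver_cnf}
  '';

  worker_key = runWithOpenSSL "worker-key.pem" "openssl genrsa -out $out 2048";
  worker_csr = runWithOpenSSL "worker.csr" ''
    openssl req \
      -new -key ${worker_key} \
      -out $out -subj "/CN=kube-worker" \
      -config ${worker_cnf}
  '';
  worker_cert = runWithOpenSSL "worker.pem" ''
    openssl x509 \
      -req -in ${worker_csr} \
      -CA ${ca_pem} -CAkey ${ca_key} -set_serial 4 \
      -out $out -days 365 -extensions v3_req \
      -extfile ${worker_cnf}
  '';
in {
  # Exported key/cert pairs; CSRs and the openssl config files are internal.
  inherit ca_key ca_pem;
  inherit etcd_key etcd_cert;
  inherit etcd_client_key etcd_client_cert;
  inherit apiserver_key apiserver_cert;
  inherit worker_key worker_cert;
}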