|
@@ -1,192 +0,0 @@
|
|
|
-#!/bin/bash
|
|
|
-
|
|
|
-function generate_JKS_chain() {
|
|
|
- dir=${SCRATCH_DIR:-_output}
|
|
|
- ADD_OID=$1
|
|
|
- NODE_NAME=$2
|
|
|
- CERT_NAMES=${3:-$NODE_NAME}
|
|
|
- ks_pass=${KS_PASS:-kspass}
|
|
|
- ts_pass=${TS_PASS:-tspass}
|
|
|
- rm -rf $NODE_NAME
|
|
|
-
|
|
|
- extension_names=""
|
|
|
- for name in ${CERT_NAMES//,/ }; do
|
|
|
- extension_names="${extension_names},dns:${name}"
|
|
|
- done
|
|
|
-
|
|
|
- if [ "$ADD_OID" = true ]; then
|
|
|
- extension_names="${extension_names},oid:1.2.3.4.5.5"
|
|
|
- fi
|
|
|
-
|
|
|
- echo Generating keystore and certificate for node $NODE_NAME
|
|
|
-
|
|
|
- "$keytool" -genkey \
|
|
|
- -alias $NODE_NAME \
|
|
|
- -keystore $dir/keystore.jks \
|
|
|
- -keypass $ks_pass \
|
|
|
- -storepass $ks_pass \
|
|
|
- -keyalg RSA \
|
|
|
- -keysize 2048 \
|
|
|
- -validity 712 \
|
|
|
- -dname "CN=$NODE_NAME, OU=OpenShift, O=Logging" \
|
|
|
- -ext san=dns:localhost,ip:127.0.0.1"${extension_names}"
|
|
|
-
|
|
|
- echo Generating certificate signing request for node $NODE_NAME
|
|
|
-
|
|
|
- "$keytool" -certreq \
|
|
|
- -alias $NODE_NAME \
|
|
|
- -keystore $dir/keystore.jks \
|
|
|
- -storepass $ks_pass \
|
|
|
- -file $dir/$NODE_NAME.csr \
|
|
|
- -keyalg rsa \
|
|
|
- -dname "CN=$NODE_NAME, OU=OpenShift, O=Logging" \
|
|
|
- -ext san=dns:localhost,ip:127.0.0.1"${extension_names}"
|
|
|
-
|
|
|
- echo Sign certificate request with CA
|
|
|
-
|
|
|
- openssl ca \
|
|
|
- -in $dir/$NODE_NAME.csr \
|
|
|
- -notext \
|
|
|
- -out $dir/$NODE_NAME.crt \
|
|
|
- -config $dir/signing.conf \
|
|
|
- -extensions v3_req \
|
|
|
- -batch \
|
|
|
- -extensions server_ext
|
|
|
-
|
|
|
- echo "Import back to keystore (including CA chain)"
|
|
|
-
|
|
|
- "$keytool" \
|
|
|
- -import \
|
|
|
- -file $dir/ca.crt \
|
|
|
- -keystore $dir/keystore.jks \
|
|
|
- -storepass $ks_pass \
|
|
|
- -noprompt -alias sig-ca
|
|
|
-
|
|
|
- "$keytool" \
|
|
|
- -import \
|
|
|
- -file $dir/$NODE_NAME.crt \
|
|
|
- -keystore $dir/keystore.jks \
|
|
|
- -storepass $ks_pass \
|
|
|
- -noprompt \
|
|
|
- -alias $NODE_NAME
|
|
|
-
|
|
|
- echo "Import CA to truststore for validating client certs"
|
|
|
-
|
|
|
- "$keytool" \
|
|
|
- -import \
|
|
|
- -file $dir/ca.crt \
|
|
|
- -keystore $dir/truststore.jks \
|
|
|
- -storepass $ts_pass \
|
|
|
- -noprompt -alias sig-ca
|
|
|
-
|
|
|
- echo All done for $NODE_NAME
|
|
|
-}
|
|
|
-
|
|
|
-function generate_PEM_cert() {
|
|
|
- NODE_NAME="$1"
|
|
|
- dir=${SCRATCH_DIR:-_output} # for writing files to bundle into secrets
|
|
|
-
|
|
|
- echo Generating keystore and certificate for node ${NODE_NAME}
|
|
|
-
|
|
|
- openssl req -out "$dir/$NODE_NAME.csr" -new -newkey rsa:2048 -keyout "$dir/$NODE_NAME.key" -subj "/CN=$NODE_NAME/OU=OpenShift/O=Logging" -days 712 -nodes
|
|
|
-
|
|
|
- echo Sign certificate request with CA
|
|
|
- openssl ca \
|
|
|
- -in "$dir/$NODE_NAME.csr" \
|
|
|
- -notext \
|
|
|
- -out "$dir/$NODE_NAME.crt" \
|
|
|
- -config $dir/signing.conf \
|
|
|
- -extensions v3_req \
|
|
|
- -batch \
|
|
|
- -extensions server_ext
|
|
|
-}
|
|
|
-
|
|
|
-function generate_JKS_client_cert() {
|
|
|
- NODE_NAME="$1"
|
|
|
- ks_pass=${KS_PASS:-kspass}
|
|
|
- ts_pass=${TS_PASS:-tspass}
|
|
|
- dir=${SCRATCH_DIR:-_output} # for writing files to bundle into secrets
|
|
|
-
|
|
|
- echo Generating keystore and certificate for node ${NODE_NAME}
|
|
|
-
|
|
|
- "$keytool" -genkey \
|
|
|
- -alias $NODE_NAME \
|
|
|
- -keystore $dir/$NODE_NAME.jks \
|
|
|
- -keyalg RSA \
|
|
|
- -keysize 2048 \
|
|
|
- -validity 712 \
|
|
|
- -keypass $ks_pass \
|
|
|
- -storepass $ks_pass \
|
|
|
- -dname "CN=$NODE_NAME, OU=OpenShift, O=Logging"
|
|
|
-
|
|
|
- echo Generating certificate signing request for node $NODE_NAME
|
|
|
-
|
|
|
- "$keytool" -certreq \
|
|
|
- -alias $NODE_NAME \
|
|
|
- -keystore $dir/$NODE_NAME.jks \
|
|
|
- -file $dir/$NODE_NAME.csr \
|
|
|
- -keyalg rsa \
|
|
|
- -keypass $ks_pass \
|
|
|
- -storepass $ks_pass \
|
|
|
- -dname "CN=$NODE_NAME, OU=OpenShift, O=Logging"
|
|
|
-
|
|
|
- echo Sign certificate request with CA
|
|
|
- openssl ca \
|
|
|
- -in "$dir/$NODE_NAME.csr" \
|
|
|
- -notext \
|
|
|
- -out "$dir/$NODE_NAME.crt" \
|
|
|
- -config $dir/signing.conf \
|
|
|
- -extensions v3_req \
|
|
|
- -batch \
|
|
|
- -extensions server_ext
|
|
|
-
|
|
|
- echo "Import back to keystore (including CA chain)"
|
|
|
-
|
|
|
- "$keytool" \
|
|
|
- -import \
|
|
|
- -file $dir/ca.crt \
|
|
|
- -keystore $dir/$NODE_NAME.jks \
|
|
|
- -storepass $ks_pass \
|
|
|
- -noprompt -alias sig-ca
|
|
|
-
|
|
|
- "$keytool" \
|
|
|
- -import \
|
|
|
- -file $dir/$NODE_NAME.crt \
|
|
|
- -keystore $dir/$NODE_NAME.jks \
|
|
|
- -storepass $ks_pass \
|
|
|
- -noprompt \
|
|
|
- -alias $NODE_NAME
|
|
|
-
|
|
|
- echo All done for $NODE_NAME
|
|
|
-}
|
|
|
-
|
|
|
-function join { local IFS="$1"; shift; echo "$*"; }
|
|
|
-
|
|
|
-function get_es_dcs() {
|
|
|
- oc get dc --selector logging-infra=elasticsearch -o name
|
|
|
-}
|
|
|
-
|
|
|
-function get_curator_dcs() {
|
|
|
- oc get dc --selector logging-infra=curator -o name
|
|
|
-}
|
|
|
-
|
|
|
-function extract_nodeselector() {
|
|
|
- local inputstring="${1//\"/}" # remove any errant double quotes in the inputs
|
|
|
- local selectors=()
|
|
|
-
|
|
|
- for keyvalstr in ${inputstring//\,/ }; do
|
|
|
-
|
|
|
- keyval=( ${keyvalstr//=/ } )
|
|
|
-
|
|
|
- if [[ -n "${keyval[0]}" && -n "${keyval[1]}" ]]; then
|
|
|
- selectors+=( "\"${keyval[0]}\": \"${keyval[1]}\"")
|
|
|
- else
|
|
|
- echo "Could not make a node selector label from '${keyval[*]}'"
|
|
|
- exit 255
|
|
|
- fi
|
|
|
- done
|
|
|
-
|
|
|
- if [[ "${#selectors[*]}" -gt 0 ]]; then
|
|
|
- echo nodeSelector: "{" $(join , "${selectors[@]}") "}"
|
|
|
- fi
|
|
|
-}
|