|
#!/bin/bash #MASTERS是所有Master节点,有多少填多少
MASTERS="node1 node2"
#HOSTS代表所有节点,有多少填多少
HOSTS="node1 node2 node3 node4"
set -o errexit
set -o pipefail
usage()
{
cat /dev/null 2>&1
openssl req -x509 -new -nodes -key ca-key.pem -days 10000 -out ca.pem -subj "/CN=kube-ca" > /dev/null 2>&1
fi
gen_key_and_cert() {
local name=$1
local subject=$2
openssl genrsa -out ${name}-key.pem 2048 > /dev/null 2>&1
openssl req -new -key ${name}-key.pem -out ${name}.csr -subj "${subject}" -config ${CONFIG} > /dev/null 2>&1
openssl x509 -req -in ${name}.csr -CA ca.pem -CAkey ca-key.pem -CAcreateserial -out ${name}.pem -days 3650 -extensions v3_req -extfile ${CONFIG} > /dev/null 2>&1
}
# Admins
if [ -n "$MASTERS" ]; then
# kube-apiserver
# Generate only if we don't have existing ca and apiserver certs
if ! [ -e "$SSLDIR/ca-key.pem" ] || ! [ -e "$SSLDIR/apiserver-key.pem" ]; then
gen_key_and_cert "apiserver" "/CN=kube-apiserver"
cat ca.pem >> apiserver.pem
fi
# If any host requires new certs, just regenerate scheduler and controller-manager master certs
# kube-scheduler
gen_key_and_cert "kube-scheduler" "/CN=system:kube-scheduler"
# kube-controller-manager
gen_key_and_cert "kube-controller-manager" "/CN=system:kube-controller-manager"
for host in $MASTERS; do
cn="${host%%.*}"
# admin
gen_key_and_cert "admin-${host}" "/CN=kube-admin-${cn}/O=system:masters"
done
fi
# Nodes
if [ -n "$HOSTS" ]; then
for host in $HOSTS; do
cn="${host%%.*}"
gen_key_and_cert "node-${host}" "/CN=system:node:${cn,,}/O=system:nodes"
done
fi
# system:node-proxier
if [ -n "$HOSTS" ]; then
for host in $HOSTS; do
# kube-proxy
gen_key_and_cert "kube-proxy-${host}" "/CN=system:kube-proxy/O=system:node-proxier"
done
fi
# Install certs
mv *.pem ${SSLDIR}/
|
|
|
|
|
|
|