/
kubernetes.sh
107 lines (93 loc) · 3.99 KB
/
kubernetes.sh
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
#!/bin/bash
# Here is a script to deploy cert to a kubernetes cluster.
#returns 0 means success, otherwise error.
######## Public functions #####################
#domain keyfile certfile cafile fullchain
kubernetes_deploy() {
_cdomain="$1"
_ckey="$2"
_ccert="$3"
_cca="$4"
_cfullchain="$5"
_debug _cdomain "$_cdomain"
_debug _ckey "$_ckey"
_debug _ccert "$_ccert"
_debug _cca "$_cca"
_debug _cfullchain "$_cfullchain"
DEFAULT_K8S_API_CA="-k"
if [ -z "${DEFAULT_K8S_API_CA}" ]; then
_k8sapica="--cacert ${DEFAULT_K8S_API_CA}"
_cleardomainconf DEFAULT_K8S_API_CA
else
_k8sapica="${DEFAULT_K8S_API_CA}"
_savedomainconf DEFAULT_K8S_API_CA "$DEFAULT_K8S_API_CA"
fi
DEFAULT_K8S_PORT="6443"
if [ -z "${DEPLOY_K8S_PORT}" ]; then
_k8sport="${DEFAULT_K8S_PORT}"
_cleardomainconf DEPLOY_K8S_PORT
else
_k8sport="${DEPLOY_K8S_PORT}"
_savedomainconf DEPLOY_K8S_PORT "$DEPLOY_K8S_PORT"
fi
DEFAULT_K8S_SCHEME="https"
if [ -z "${DEPLOY_K8S_SCHEME}" ]; then
_k8sscheme="${DEFAULT_K8S_SCHEME}"
_cleardomainconf DEPLOY_K8S_SCHEME
else
_k8sscheme="${DEPLOY_K8S_SCHEME}"
_savedomainconf DEPLOY_K8S_SCHEME "$DEPLOY_K8S_SCHEME"
fi
_k8surl="${DEPLOY_K8S_URL}"
if [ -z "$_k8surl" ]; then
_err "Kubernetes cluster URL not found. Please define DEPLOY_K8S_URL."
return 1
fi
_savedomainconf DEPLOY_K8S_URL "$DEPLOY_K8S_URL"
# build the full URL to the kubernetes cluster
_k8sfullurl="$_k8sscheme://$_k8surl:$_k8sport"
_info "Full URL to kubernetes cluster $_k8sfullurl"
_k8snamespace="${DEPLOY_K8S_NAMESPACE}"
if [ -z "$_k8snamespace" ]; then
_err "Kubernetes namespace not found. Please define DEPLOY_K8S_NAMESPACE."
return 1
fi
_savedomainconf DEPLOY_K8S_NAMESPACE "$DEPLOY_K8S_NAMESPACE"
_k8ssecretname="$_k8snamespace-tls-secret-autogen"
_savedomainconf DEPLOY_K8S_SA_TOKEN "$DEPLOY_K8S_SA_TOKEN"
_k8ssatoken="${DEPLOY_K8S_SA_TOKEN}"
if [ -z "$_k8ssatoken" ]; then
_err "Kubernetes ServiceAccount token not found. Please define DEPLOY_K8S_SA_TOKEN."
return 1
fi
_k8s_endpoint_secret="$_k8sfullurl/api/v1/namespaces/$_k8snamespace/secrets/$_k8ssecretname"
_k8s_endpoint_secrets="$_k8sfullurl/api/v1/namespaces/$_k8snamespace/secrets"
_k8s_endpoint_namespace="$_k8sfullurl/api/v1/namespaces/$_k8snamespace"
# base64 encode the key and fullchain into a single pem and install
_tlscrt="$(base64 -w 0 "$_cfullchain")"
_tlskey="$(base64 -w 0 "$_ckey")"
_secret_payload="{\"apiVersion\":\"v1\",\"data\":{\"tls.crt\":\"$_tlscrt\",\"tls.key\":\"$_tlskey\"},\"kind\":\"Secret\",\"metadata\":{\"name\":\"$_k8ssecretname\",\"namespace\":\"$_k8snamespace\"},\"type\":\"kubernetes.io/tls\"}"
# _info "tls.crt value is $_tlscrt"
# _info "tls.key value is $_tlskey"
# _info "secret payload is $_secret_payload"
_info "namespace endpoint $_k8s_endpoint_namespace"
_existing_namespace=$(curl $_k8sapica -s -o /dev/null -w "%{http_code}" -H "Authorization: Bearer $_k8ssatoken" "$_k8s_endpoint_namespace")
if [ $_existing_namespace != "200" ]
then
_err "Kubernetes namespace, $_k8snamespace, not found ($_existing_namespace). Please make sure the namespace exists."
fi
_existing_secret=$(curl $_k8sapica -s -o /dev/null -w "%{http_code}" -H "Authorization: Bearer $_k8ssatoken" "$_k8s_endpoint_secret")
if [ $_existing_secret -eq 404 ]
then
# create a new secret
_new_secret=$(curl $_k8sapica -s -X POST -H "Content-type: application/json" -H "Authorization: Bearer $_k8ssatoken" "$_k8s_endpoint_secrets" -d "$_secret_payload")
_info "Created new Secret"
else
# patch an existing secret
_updated_secret=$(curl $_k8sapica -s -X PATCH -H "Content-type: application/strategic-merge-patch+json" -H "Authorization: Bearer $_k8ssatoken" "$_k8s_endpoint_secret" -d "$_secret_payload")
_info "PATCHed existing secret"
fi
# restart isn't required after creating a kubernetes resource
_info "Certificate successfully deployed as kubernetes Secret"
_info "Success: kubernetes Secret resource created!"
}