#!/bin/bash
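set -e -o pipefail

# Cleanup handler, armed on EXIT below: report a non-zero status on stderr and
# remove the scratch directory that holds the service-CA private key copy and
# the freshly generated key material.
# It is defined BEFORE the trap is armed and before the temp dir is created, so
# that an early failure (e.g. mktemp itself) still reaches a defined handler
# instead of "exithandler: command not found".
exithandler() {
  exitcode=$?
  if [ "$exitcode" != "0" ]; then
    echo "WARNING: unsuccessful exit code: $exitcode" >&2
  fi
  # No-op if mktemp never ran (TEMP_DIR unset/empty).
  if [ -n "${TEMP_DIR:-}" ]; then
    rm -rf -- "$TEMP_DIR"
  fi
  exit "$exitcode"
}
trap exithandler EXIT

# Scratch directory (mktemp creates it mode 0700) for the CA key copy, the
# server key, CSR and certificate. exithandler removes it on every exit path.
TEMP_DIR=$(mktemp --tmpdir -d generate-proxying.XXXXXX)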
# Print the help text on stdout and exit 0 (used by -h).
# The environment overrides read further down (KUBECLI, NAMESPACE) are not
# listed in this text.
usage() {
  local prog
  prog=$(basename "$0")
  cat <<EOT
This script generates a client certificate and then creates a TLS secret with it
for Hawtio proxying on OpenShift 4.
Usage:
${prog} [-h] [SECRET_NAME] [CN]
Options:
-h Show this help
EOT
  exit
}
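# Resolve a cluster CLI name (e.g. "oc") or path to its full path.
# Arguments: $1 - command name or path to look up
# Outputs:   the resolved path on stdout; nothing if it is not found
# Returns:   always 0, so callers test the output rather than the status
# The previous form checked $? after an assignment, which only avoided an
# errexit abort because command substitution drops `set -e`; this form is safe
# whether the function runs in a subshell or in the main shell.
kube_binary() {
  local resolved
  resolved=$(command -v "${1}" 2> /dev/null) || return 0
  echo "${resolved}"
}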
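# Option parsing. Only -h is recognised. getopts already reports an unknown
# option on stderr; stop there instead of letting it fall through, where it
# would otherwise be picked up as SECRET_NAME by the positional handling below.
while getopts h OPT; do
  case $OPT in
    h)
      usage
      ;;
    *)
      exit 1
      ;;
  esac
done
# Drop the parsed options so $1/$2 are the positionals (SECRET_NAME, CN).
shift $((OPTIND - 1))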
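# Locate the cluster CLI. KUBECLI may be preset (a name or a path) and is then
# resolved as given; otherwise prefer oc and fall back to kubectl. After this
# block KUBECLI is the resolved path or empty.
if [ -n "${KUBECLI}" ]; then
  KUBECLI=$(kube_binary "${KUBECLI}")
else
  KUBECLI=$(kube_binary oc)
  if [ -z "${KUBECLI}" ]; then
    KUBECLI=$(kube_binary kubectl)
  fi
fi
if [ -z "${KUBECLI}" ]; then
  # Diagnostics go to stderr so they are not mistaken for script output.
  echo "Error: Cannot find kube cluster client command, eg. oc or kubectl" >&2
  exit 1
fi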
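# Target namespace for the new secret: honour NAMESPACE if set, otherwise take
# the namespace of the current kubeconfig context. Fail rather than create the
# secret somewhere unexpected when neither yields a value.
if [ -z "${NAMESPACE}" ]; then
  NAMESPACE=$("${KUBECLI}" config view --minify -o jsonpath='{..namespace}')
  if [ -z "${NAMESPACE}" ]; then
    echo "Error: Cannot determine the target namespace for the new secret" >&2
    exit 1
  fi
fi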
# Positional arguments, each with a default: the name of the TLS secret to
# create and the CN written into the certificate.
SECRET_NAME="${1:-hawtio-online-tls-proxying}"
CN="${2:-hawtio-online.hawtio.svc}"
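cd "$TEMP_DIR"

# Bail out early if the secret already exists: nothing below is needed, and in
# particular the service CA private key is then never pulled out of the cluster.
# (Previously this check ran after the key had already been fetched and a
# certificate issued, only to be discarded.)
if "${KUBECLI}" get secret "${SECRET_NAME}" -n "${NAMESPACE}" > /dev/null 2>&1; then
  echo "The secret ${SECRET_NAME} in ${NAMESPACE} already exists"
  exit 0
fi

# Key material written below (CA key copy, server key) must not be readable by
# other users even briefly; the temp dir is already 0700, this covers the files.
umask 077

# NOTE(review): this copies the cluster's service-CA *private* key (secret
# signing-key in openshift-service-ca) onto the local disk. Reading it needs
# broad cluster privileges, and the copy must never leave $TEMP_DIR, which
# exithandler removes on every exit path.
# The CA private key
"${KUBECLI}" get secrets/signing-key -n openshift-service-ca -o "jsonpath={.data['tls\.key']}" | base64 --decode > ca.key
# The CA certificate
"${KUBECLI}" get secrets/signing-key -n openshift-service-ca -o "jsonpath={.data['tls\.crt']}" | base64 --decode > ca.crt
# A missing field gives an empty jsonpath result, which base64 decodes to an
# empty file; catch that here rather than at openssl with a cryptic error.
if [ ! -s ca.key ] || [ ! -s ca.crt ]; then
  echo "Error: Could not read the service CA key/certificate from secrets/signing-key in openshift-service-ca" >&2
  exit 1
fi

# Generate the private key
openssl genrsa -out server.key 2048

# Certificate lifetime in days. The historical default (10000, about 27 years)
# is far longer than usual practice for a client certificate; set CERT_DAYS to
# issue a shorter-lived one.
CERT_DAYS=${CERT_DAYS:-10000}

# Write the CSR config file. CN comes from the command line; everything else is
# fixed. The v3_ext section is applied when the certificate is issued below.
cat <<EOT > csr.conf
[ req ]
default_bits = 2048
prompt = no
default_md = sha256
distinguished_name = dn
[ dn ]
CN = ${CN}
[ v3_ext ]
authorityKeyIdentifier=keyid,issuer:always
keyUsage=keyEncipherment,dataEncipherment,digitalSignature
extendedKeyUsage=serverAuth,clientAuth
EOT

# Generate the CSR
openssl req -new -key server.key -out server.csr -config csr.conf

# Issue the signed certificate (-CAcreateserial writes ca.srl into $TEMP_DIR)
openssl x509 -req -in server.csr -CA ca.crt -CAkey ca.key -CAcreateserial -out server.crt -days "${CERT_DAYS}" -extensions v3_ext -extfile csr.conf

# Create the secret for Hawtio Online
"${KUBECLI}" create secret tls "${SECRET_NAME}" --cert server.crt --key server.key -n "${NAMESPACE}"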