-
Notifications
You must be signed in to change notification settings - Fork 430
/
ipsec.sh
106 lines (90 loc) · 4.15 KB
/
ipsec.sh
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
#!/bin/bash
set -euo pipefail
OVN_NB_POD=
showHelp(){
echo "sh ipsec.sh [init|start|stop|status]"
}
getOvnCentralPod(){
NB_POD=$(kubectl get pod -n kube-system -l ovn-nb-leader=true | grep ovn-central | head -n 1 | awk '{print $1}')
if [ -z "$NB_POD" ]; then
echo "nb leader not exists"
exit 1
fi
OVN_NB_POD=$NB_POD
}
initIpsec (){
podNames=`kubectl get pod -n kube-system -l app=ovs -o 'jsonpath={.items[*].metadata.name}'`
for pod in $podNames; do
caPod=$pod
break
done
echo " Initing CA $caPod "
kubectl exec -it $caPod -n kube-system -- ovs-pki init --force > /dev/null
for pod in $podNames; do
echo " Initing privkey,req,cert file on pod $pod "
systemId=$(kubectl exec -it ${pod} -n kube-system -- ovs-vsctl get Open_vSwitch . external_ids:system-id | tr -d '"' | tr -d '\r')
kubectl exec -it $pod -n kube-system -- ovs-pki req -u $systemId --force > /dev/null
kubectl exec -it $pod -n kube-system -- mv "${systemId}-privkey.pem" /etc/ipsec.d/private/
kubectl exec -it $pod -n kube-system -- mv "${systemId}-req.pem" /etc/ipsec.d/reqs/
if [[ $pod == $caPod ]]; then
kubectl exec -it $pod -n kube-system -- rm -f "/etc/ipsec.d/reqs/${systemId}-cert.pem" > /dev/null
kubectl exec -it $pod -n kube-system -- ovs-pki sign -b "/etc/ipsec.d/reqs/${systemId}" switch > /dev/null
kubectl exec -it $pod -n kube-system -- mv "/etc/ipsec.d/reqs/${systemId}-cert.pem" /etc/ipsec.d/certs/
kubectl exec -it $pod -n kube-system -- cp /var/lib/openvswitch/pki/switchca/cacert.pem /etc/ipsec.d/cacerts/ > /dev/null
else
kubectl cp "${pod}:/etc/ipsec.d/reqs/${systemId}-req.pem" "${systemId}-req.pem" -n kube-system > /dev/null
kubectl cp "${systemId}-req.pem" "${caPod}:/kube-ovn/" -n kube-system > /dev/null
# ovs-pki sign do not have options --force so rm cert first
kubectl exec -it $caPod -n kube-system -- rm -f "/kube-ovn/${systemId}-cert.pem"
kubectl exec -it $caPod -n kube-system -- ovs-pki sign -b ${systemId} switch > /dev/null
kubectl cp "${caPod}:/kube-ovn/${systemId}-cert.pem" "${systemId}-cert.pem" -n kube-system > /dev/null
kubectl cp "${systemId}-cert.pem" "${pod}:/etc/ipsec.d/certs/" -n kube-system > /dev/null
kubectl cp "${caPod}:/var/lib/openvswitch/pki/switchca/cacert.pem" cacert.pem -n kube-system > /dev/null
kubectl cp cacert.pem "${pod}:/etc/ipsec.d/cacerts/" -n kube-system > /dev/null
# clean temp files
kubectl exec -it $caPod -n kube-system -- rm -f "/kube-ovn/${systemId}-req.pem"
kubectl exec -it $caPod -n kube-system -- rm -f "/kube-ovn/${systemId}-cert.pem"
rm -f ${systemId}-req.pem
rm -f ${systemId}-cert.pem
rm -f cacert.pem
fi
kubectl exec -it $pod -n kube-system -- ovs-vsctl set Open_vSwitch . \
other_config:certificate=/etc/ipsec.d/certs/"${systemId}-cert.pem" \
other_config:private_key=/etc/ipsec.d/private/"${systemId}-privkey.pem" \
other_config:ca_cert=/etc/ipsec.d/cacerts/cacert.pem
done
echo " Enabling ovn ipsec "
kubectl ko nbctl set nb_global . ipsec=true
for pod in $podNames; do
echo " Starting pod ${pod} ipsec service"
kubectl exec -it -n kube-system $pod -- service openvswitch-ipsec restart > /dev/null
kubectl exec -it -n kube-system $pod -- service ipsec restart > /dev/null
done
echo " Kube-OVN ipsec init successfully, it may take a few seconds to setup ipsec completely "
}
getOvnCentralPod
subcommand="$1"; shift
case $subcommand in
init)
initIpsec
;;
start)
kubectl exec "$OVN_NB_POD" -n kube-system -c ovn-central -- ovn-nbctl set nb_global . ipsec=true
echo " Kube-OVN ipsec started "
;;
stop)
kubectl exec "$OVN_NB_POD" -n kube-system -c ovn-central -- ovn-nbctl set nb_global . ipsec=false
echo " Kube-OVN ipsec stopped "
;;
status)
podNames=`kubectl get pod -n kube-system -l app=ovs -o 'jsonpath={.items[*].metadata.name}'`
for pod in $podNames; do
echo " Pod {$pod} ipsec status..."
kubectl exec -it $pod -n kube-system -- ovs-appctl -t ovs-monitor-ipsec tunnels/show
done
;;
*)
showHelp
exit 1
;;
esac