fix cloudcore cert gen

99nil · Oct 28, 2022 · a003fdd · a003fdd
1 parent 6fa152b
commit a003fdd
Show file tree

Hide file tree

Showing 4 changed files with 101 additions and 23 deletions.
diff --git a/core/assistant/init.go b/core/assistant/init.go
@@ -193,16 +193,20 @@ func GenerateCerts(opt *common.InitOption) aide.StepFunc {
 		sc.Log("Generate admission certificate successful")
 
 		// cloudcore cert
-		targetPath = filepath.Join(constants.RootDir, "certgen.sh")
+		targetPath = filepath.Join(constants.RootDir, "gen-cloudcore-secret.sh")
 		if err := os.WriteFile(targetPath, static.CoreCertScript, os.ModePerm); err != nil {
 			sc.Errorf("Generate cloudcore certificate script failed: %v", err)
 		}
-		if err := sc.Shell(fmt.Sprintf("%s buildCloudcoreSecret -i %s", targetPath, opt.AdvertiseAddress)); err != nil {
+		if err := sc.Shell(fmt.Sprintf("IP=%s %s", opt.AdvertiseAddress, targetPath)); err != nil {
 			sc.Errorf("Generate cloudcore certificate failed: %v", err)
 		}
 		sc.Log("Generate cloudcore certificate successful")
 
 		// cloud stream cert
+		targetPath = filepath.Join(constants.RootDir, "gen-stream-secret.sh")
+		if err := os.WriteFile(targetPath, static.StreamCertScript, os.ModePerm); err != nil {
+			sc.Errorf("Generate cloudcore stream certificate script failed: %v", err)
+		}
 		advAddr := strings.Join(strings.Split(opt.AdvertiseAddress, ","), " ")
 		var domain string
 		cmd := fmt.Sprintf(

diff --git a/static/resource/scripts/gen-cloudcore-secret.sh b/static/resource/scripts/gen-cloudcore-secret.sh
@@ -0,0 +1,73 @@
+#!/usr/bin/env bash
+
+set -o errexit
+
+NAMESPACE=${NAMESPACE:-kubeedge}
+SECRET=${SECRET:-"cloudcore"}
+ENABLE_CREATE_SECRET=${ENABLE_CREATE_SECRET:-true}
+readonly caPath=${CA_PATH:-/etc/diplomat/ca}
+readonly certPath=${CERT_PATH:-/etc/diplomat/certs}
+readonly subject=${SUBJECT:-/C=CN/ST=Zhejiang/L=Hangzhou/O=KubeEdge/CN=kubeedge.io}
+CN=""
+# TODO 支持多IP
+IP=${IP:-"127.0.0.1"}
+if [[ ${IP} != "127.0.0.1" ]]; then
+  echo "生成IP证书：${IP}"
+  CN=${IP}
+fi
+
+function createCerts() {
+  echo "creating certs in dir ${CERTDIR} "
+  cat <<EOF > ${certPath}/csr.conf
+[req]
+req_extensions = v3_req
+distinguished_name = req_distinguished_name
+[req_distinguished_name]
+[ v3_req ]
+basicConstraints = CA:FALSE
+keyUsage = nonRepudiation, digitalSignature, keyEncipherment
+extendedKeyUsage = serverAuth
+subjectAltName = @alt_names
+[alt_names]
+IP = 127.0.0.1
+IP = ${IP}
+EOF
+
+  openssl genrsa -out ${caPath}/rootCA.key 2048
+  openssl req -x509 -days 3650 -new -nodes -key ${caPath}/rootCA.key -subj "/CN=${CN}" -out ${caPath}/rootCA.crt
+
+  openssl genrsa -out ${certPath}/edge.key 2048
+  openssl req -new -days 3650 -key ${certPath}/edge.key -subj "/CN=${CN}" -out ${certPath}/edge.csr -config ${certPath}/csr.conf
+
+  openssl x509 -req -days 3650 -in  ${certPath}/edge.csr -CA  ${caPath}/rootCA.crt -CAkey  ${caPath}/rootCA.key \
+  -CAcreateserial -out  ${certPath}/edge.crt \
+  -extensions v3_req -extfile  ${certPath}/csr.conf
+}
+
+function createObjects() {
+  # `ENABLE_CREATE_SECRET` should always be set to `true` unless it has been already created.
+  if [[ "${ENABLE_CREATE_SECRET}" = true ]]; then
+      kubectl get ns ${NAMESPACE} || kubectl create ns ${NAMESPACE}
+
+      # create the secret with CA cert and server cert/key
+      kubectl create secret generic ${SECRET} \
+          --from-file=edge.key=${certPath}/edge.key \
+          --from-file=edge.crt=${certPath}/edge.crt \
+          --from-file=rootCA.crt=${caPath}/rootCA.crt \
+          --from-file=rootCA.key=${caPath}/rootCA.key \
+          -n ${NAMESPACE}
+  fi
+}
+
+ensureFolder() {
+    if [ ! -d ${caPath} ]; then
+        mkdir -p ${caPath}
+    fi
+    if [ ! -d ${certPath} ]; then
+        mkdir -p ${certPath}
+    fi
+}
+
+ensureFolder
+createCerts
+createObjects
diff --git a/static/resource/scripts/certgen.sh → static/resource/scripts/gen-stream-secret.sh b/static/resource/scripts/certgen.sh → static/resource/scripts/gen-stream-secret.sh
@@ -9,23 +9,21 @@ readonly certPath=${CERT_PATH:-/etc/diplomat/certs}
 readonly subject=${SUBJECT:-/C=CN/ST=Zhejiang/L=Hangzhou/O=KubeEdge/CN=kubeedge.io/CN=127.0.0.1}
 
 genCA() {
-  #2
     local IPs=(${@:1})
     echo $IPs
     local subj=${subject}
-    if [ -n "$IPs" ]; then
-        for ip in ${IPs[*]}; do
-            subj="${subj}/CN=${ip}"
-        done
-    fi
+#    if [ -n "$IPs" ]; then
+#        for ip in ${IPs[*]}; do
+#            subj="${subj}/CN=${ip}"
+#        done
+#    fi
     echo ${subj}
     openssl genrsa -des3 -out ${caPath}/rootCA.key -passout pass:kubeedge.io 4096
     openssl req -x509 -new -nodes -key ${caPath}/rootCA.key -sha256 -days 3650 \
     -subj ${subj} -passin pass:kubeedge.io -out ${caPath}/rootCA.crt
 }
 
 ensureCA() {
-  #1
     local serverIPs=$1
     echo $serverIPs
     if [ ! -e ${caPath}/rootCA.key ] || [ ! -e ${caPath}/rootCA.crt ]; then
@@ -43,21 +41,19 @@ ensureFolder() {
 }
 
 genCsr() {
-  #3
     local name=$1 IPs=(${@:2})
     local subj=${subject}
-    if [ -n "$IPs" ]; then
-        for ip in ${IPs[*]}; do
-            subj="${subj}/CN=${ip}"
-        done
-    fi
+#    if [ -n "$IPs" ]; then
+#        for ip in ${IPs[*]}; do
+#            subj="${subj}/CN=${ip}"
+#        done
+#    fi
     echo ${subj}
     openssl genrsa -out ${certPath}/${name}.key 2048
     openssl req -new -key ${certPath}/${name}.key -subj ${subj} -out ${certPath}/${name}.csr
 }
 
 genCert() {
-  #4
     local name=$1 IPs=(${@:2})
     echo "IPS: " $IPs
     if  [ -z "$IPs" ] ;then
@@ -66,11 +62,12 @@ genCert() {
     else
         index=1
         SUBJECTALTNAME="subjectAltName = IP.1:127.0.0.1"
-        for ip in ${IPs[*]}; do
-            SUBJECTALTNAME="${SUBJECTALTNAME},"
-            index=$(($index+1))
-            SUBJECTALTNAME="${SUBJECTALTNAME}IP.${index}:${ip}"
-        done
+        # TODO err unable to ParsePKCS1PrivateKey: asn1: structure error: length too large
+#        for ip in ${IPs[*]}; do
+#            SUBJECTALTNAME="${SUBJECTALTNAME},"
+#            index=$(($index+1))
+#            SUBJECTALTNAME="${SUBJECTALTNAME}IP.${index}:${ip}"
+#        done
         echo $SUBJECTALTNAME > /tmp/server-extfile.cnf
         openssl x509 -req -in ${certPath}/${name}.csr -CA ${caPath}/rootCA.crt -CAkey ${caPath}/rootCA.key \
         -CAcreateserial -passin pass:kubeedge.io -out ${certPath}/${name}.crt -days 365 -sha256 -extfile /tmp/server-extfile.cnf

diff --git a/static/static.go b/static/static.go
@@ -27,10 +27,14 @@ const (
 var EmbedResource embed.FS
 
 var (
-	// CoreCertScript defines the stream or cloudcore cert script
-	//go:embed resource/scripts/certgen.sh
+	// CoreCertScript defines the cloudcore cert script
+	//go:embed resource/scripts/gen-cloudcore-secret.sh
 	CoreCertScript []byte
 
+	// StreamCertScript defines the stream or cloudcore cert script
+	//go:embed resource/scripts/gen-stream-secret.sh
+	StreamCertScript []byte
+
 	// AdmissionCertScript defines the admission cert script
 	//go:embed resource/scripts/gen-admission-secret.sh
 	AdmissionCertScript []byte