From a003fdddb7d72006db3ecc391a3fe7d23d7e55a1 Mon Sep 17 00:00:00 2001 From: TianTianBigWang Date: Fri, 28 Oct 2022 15:37:23 +0800 Subject: [PATCH] fix cloudcore cert gen --- core/assistant/init.go | 8 +- .../resource/scripts/gen-cloudcore-secret.sh | 73 +++++++++++++++++++ .../{certgen.sh => gen-stream-secret.sh} | 35 ++++----- static/static.go | 8 +- 4 files changed, 101 insertions(+), 23 deletions(-) create mode 100755 static/resource/scripts/gen-cloudcore-secret.sh rename static/resource/scripts/{certgen.sh => gen-stream-secret.sh} (92%) diff --git a/core/assistant/init.go b/core/assistant/init.go index d37f920..01d2ba5 100644 --- a/core/assistant/init.go +++ b/core/assistant/init.go @@ -193,16 +193,20 @@ func GenerateCerts(opt *common.InitOption) aide.StepFunc { sc.Log("Generate admission certificate successful") // cloudcore cert - targetPath = filepath.Join(constants.RootDir, "certgen.sh") + targetPath = filepath.Join(constants.RootDir, "gen-cloudcore-secret.sh") if err := os.WriteFile(targetPath, static.CoreCertScript, os.ModePerm); err != nil { sc.Errorf("Generate cloudcore certificate script failed: %v", err) } - if err := sc.Shell(fmt.Sprintf("%s buildCloudcoreSecret -i %s", targetPath, opt.AdvertiseAddress)); err != nil { + if err := sc.Shell(fmt.Sprintf("IP=%s %s", opt.AdvertiseAddress, targetPath)); err != nil { sc.Errorf("Generate cloudcore certificate failed: %v", err) } sc.Log("Generate cloudcore certificate successful") // cloud stream cert + targetPath = filepath.Join(constants.RootDir, "gen-stream-secret.sh") + if err := os.WriteFile(targetPath, static.StreamCertScript, os.ModePerm); err != nil { + sc.Errorf("Generate cloudcore stream certificate script failed: %v", err) + } advAddr := strings.Join(strings.Split(opt.AdvertiseAddress, ","), " ") var domain string cmd := fmt.Sprintf( diff --git a/static/resource/scripts/gen-cloudcore-secret.sh b/static/resource/scripts/gen-cloudcore-secret.sh new file mode 100755 index 0000000..1633934 
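Review bot: The added `os.WriteFile(targetPath, static.StreamCertScript, os.ModePerm)` creates a script with mode 0777 (before umask) under constants.RootDir and the step then executes it; a world-writable script run by the installer is a local tampering path, so `0o700` is the better mode here, and the same applies to the CoreCertScript write just above it. `fmt.Sprintf("IP=%s %s", opt.AdvertiseAddress, targetPath)` interpolates the address into the shell command unquoted, and the stream branch below (`strings.Split(opt.AdvertiseAddress, ",")`) shows the value may be a comma-separated list while the new script's TODO says it handles a single IP; write it as `IP='%s'` and validate that exactly one address is passed before calling the script. Whether `sc.Errorf` aborts the step is not visible in this hunk; if it only logs, a failed write is followed by running whatever currently sits at targetPath. GenerateCerts continues past the end of the hunk.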
--- /dev/null
+++ b/static/resource/scripts/gen-cloudcore-secret.sh
@@ -0,0 +1,73 @@
+#!/usr/bin/env bash
+
+set -o errexit
+
+NAMESPACE=${NAMESPACE:-kubeedge}
+SECRET=${SECRET:-"cloudcore"}
+ENABLE_CREATE_SECRET=${ENABLE_CREATE_SECRET:-true}
+readonly caPath=${CA_PATH:-/etc/diplomat/ca}
+readonly certPath=${CERT_PATH:-/etc/diplomat/certs}
+readonly subject=${SUBJECT:-/C=CN/ST=Zhejiang/L=Hangzhou/O=KubeEdge/CN=kubeedge.io}
+CN=""
+# TODO 支持多IP
+IP=${IP:-"127.0.0.1"}
+if [[ ${IP} != "127.0.0.1" ]]; then
+ echo "生成IP证书:${IP}"
+ CN=${IP}
+fi
+
+function createCerts() {
+ echo "creating certs in dir ${CERTDIR} "
+ cat < ${certPath}/csr.conf
+[req]
+req_extensions = v3_req
+distinguished_name = req_distinguished_name
+[req_distinguished_name]
+[ v3_req ]
+basicConstraints = CA:FALSE
+keyUsage = nonRepudiation, digitalSignature, keyEncipherment
+extendedKeyUsage = serverAuth
+subjectAltName = @alt_names
+[alt_names]
+IP = 127.0.0.1
+IP = ${IP}
+EOF
+
+ openssl genrsa -out ${caPath}/rootCA.key 2048
+ openssl req -x509 -days 3650 -new -nodes -key ${caPath}/rootCA.key -subj "/CN=${CN}" -out ${caPath}/rootCA.crt
+
+ openssl genrsa -out ${certPath}/edge.key 2048
+ openssl req -new -days 3650 -key ${certPath}/edge.key -subj "/CN=${CN}" -out ${certPath}/edge.csr -config ${certPath}/csr.conf
+
+ openssl x509 -req -days 3650 -in ${certPath}/edge.csr -CA ${caPath}/rootCA.crt -CAkey ${caPath}/rootCA.key \
+ -CAcreateserial -out ${certPath}/edge.crt \
+ -extensions v3_req -extfile ${certPath}/csr.conf
+}
+
+function createObjects() {
+ # `ENABLE_CREATE_SECRET` should always be set to `true` unless it has been already created.
+ if [[ "${ENABLE_CREATE_SECRET}" = true ]]; then + kubectl get ns ${NAMESPACE} || kubectl create ns ${NAMESPACE} + + # create the secret with CA cert and server cert/key + kubectl create secret generic ${SECRET} \ + --from-file=edge.key=${certPath}/edge.key \ + --from-file=edge.crt=${certPath}/edge.crt \ + --from-file=rootCA.crt=${caPath}/rootCA.crt \ + --from-file=rootCA.key=${caPath}/rootCA.key \ + -n ${NAMESPACE} + fi +} + +ensureFolder() { + if [ ! -d ${caPath} ]; then + mkdir -p ${caPath} + fi + if [ ! -d ${certPath} ]; then + mkdir -p ${certPath} + fi +} + +ensureFolder +createCerts +createObjects diff --git a/static/resource/scripts/certgen.sh b/static/resource/scripts/gen-stream-secret.sh similarity index 92% rename from static/resource/scripts/certgen.sh rename to static/resource/scripts/gen-stream-secret.sh index f476ac6..5a8ce9a 100755 --- a/static/resource/scripts/certgen.sh +++ b/static/resource/scripts/gen-stream-secret.sh @@ -9,15 +9,14 @@ readonly certPath=${CERT_PATH:-/etc/diplomat/certs} readonly subject=${SUBJECT:-/C=CN/ST=Zhejiang/L=Hangzhou/O=KubeEdge/CN=kubeedge.io/CN=127.0.0.1} genCA() { - #2 local IPs=(${@:1}) echo $IPs local subj=${subject} - if [ -n "$IPs" ]; then - for ip in ${IPs[*]}; do - subj="${subj}/CN=${ip}" - done - fi +# if [ -n "$IPs" ]; then +# for ip in ${IPs[*]}; do +# subj="${subj}/CN=${ip}" +# done +# fi echo ${subj} openssl genrsa -des3 -out ${caPath}/rootCA.key -passout pass:kubeedge.io 4096 openssl req -x509 -new -nodes -key ${caPath}/rootCA.key -sha256 -days 3650 \ @@ -25,7 +24,6 @@ genCA() { } ensureCA() { - #1 local serverIPs=$1 echo $serverIPs if [ ! -e ${caPath}/rootCA.key ] || [ ! -e ${caPath}/rootCA.crt ]; then 
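Review bot: `createObjects` bundles the CA private key (`--from-file=rootCA.key=${caPath}/rootCA.key`) into the same secret as the serving cert, so anyone who can read the `cloudcore` secret can issue certificates trusted by every edge node; publish only `rootCA.crt` there and keep the CA key out of that secret or in a separately scoped one. In `createCerts` the `[alt_names]` section repeats the key `IP` twice; OpenSSL keeps one value per key within a section, so use `IP.1 = 127.0.0.1` and `IP.2 = ${IP}` or one of the entries is likely dropped. As rendered here `cat < ${certPath}/csr.conf` reads the file instead of writing the heredoc that ends at `EOF`, presumably `cat <<EOF > ${certPath}/csr.conf` lost in extraction, worth confirming in the committed file. With the default IP, `CN` stays empty and `-subj "/CN=${CN}"` becomes `/CN=`, which openssl rejects, while the defined `subject` variable is never used and `${CERTDIR}` in the echo is never set. Unlike gen-stream-secret.sh there is no ensureCA step, so every run regenerates rootCA.key and invalidates certificates already issued to edge nodes.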
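Review bot: `genCA` and `genCsr` (hunk `@@ -43,21 +41,19 @@`) keep their `IPs` parameters but the loops that consumed them are commented out with `#` at column 0 rather than removed, leaving dead code and an argument that is now silently ignored. If the per-IP `CN` suffixes are intentionally gone, delete the loops and the `IPs` arguments and record the reason, e.g. `# IPs are carried in subjectAltName only; the subject uses the fixed ${subject}`; if this is a temporary workaround, the TODO should reference the tracking issue. `echo $IPs` expands unquoted and prints only the first array element, so it does not document what the function was actually given.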
@@ -43,21 +41,19 @@ ensureFolder() { } genCsr() { - #3 local name=$1 IPs=(${@:2}) local subj=${subject} - if [ -n "$IPs" ]; then - for ip in ${IPs[*]}; do - subj="${subj}/CN=${ip}" - done - fi +# if [ -n "$IPs" ]; then +# for ip in ${IPs[*]}; do +# subj="${subj}/CN=${ip}" +# done +# fi echo ${subj} openssl genrsa -out ${certPath}/${name}.key 2048 openssl req -new -key ${certPath}/${name}.key -subj ${subj} -out ${certPath}/${name}.csr } genCert() { - #4 local name=$1 IPs=(${@:2}) echo "IPS: " $IPs if [ -z "$IPs" ] ;then @@ -66,11 +62,12 @@ genCert() { else index=1 SUBJECTALTNAME="subjectAltName = IP.1:127.0.0.1" - for ip in ${IPs[*]}; do - SUBJECTALTNAME="${SUBJECTALTNAME}," - index=$(($index+1)) - SUBJECTALTNAME="${SUBJECTALTNAME}IP.${index}:${ip}" - done + # TODO err unable to ParsePKCS1PrivateKey: asn1: structure error: length too large +# for ip in ${IPs[*]}; do +# SUBJECTALTNAME="${SUBJECTALTNAME}," +# index=$(($index+1)) +# SUBJECTALTNAME="${SUBJECTALTNAME}IP.${index}:${ip}" +# done echo $SUBJECTALTNAME > /tmp/server-extfile.cnf openssl x509 -req -in ${certPath}/${name}.csr -CA ${caPath}/rootCA.crt -CAkey ${caPath}/rootCA.key \ -CAcreateserial -passin pass:kubeedge.io -out ${certPath}/${name}.crt -days 365 -sha256 -extfile /tmp/server-extfile.cnf diff --git a/static/static.go b/static/static.go index a980986..800c86f 100644 --- a/static/static.go +++ b/static/static.go @@ -27,10 +27,14 @@ const ( var EmbedResource embed.FS var ( - // CoreCertScript defines the stream or cloudcore cert script - //go:embed resource/scripts/certgen.sh + // CoreCertScript defines the cloudcore cert script + //go:embed resource/scripts/gen-cloudcore-secret.sh CoreCertScript []byte + // StreamCertScript defines the stream or cloudcore cert script + //go:embed resource/scripts/gen-stream-secret.sh + StreamCertScript []byte + // AdmissionCertScript defines the admission cert script //go:embed resource/scripts/gen-admission-secret.sh AdmissionCertScript []byte
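Review bot: Commenting out the `for ip in ${IPs[*]}` loop in `genCert` leaves `subjectAltName = IP.1:127.0.0.1` as the only SAN, so the server certificate no longer covers the advertise addresses the function receives and any client that verifies the server name will reject it unless verification is disabled. The TODO cites `unable to ParsePKCS1PrivateKey: asn1: structure error: length too large`, which is a key-parsing error rather than a SAN problem, so the loop is unlikely to be the cause and disabling it hides the real failure; the key encoding produced by this openssl version (possibly PKCS#8 rather than PKCS#1) is the more plausible thing to chase. If the loop must stay disabled for now, the TODO should state that the cert is loopback-only until it is restored.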
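Review bot: The doc comment on StreamCertScript, `// StreamCertScript defines the stream or cloudcore cert script`, was copied from the old CoreCertScript comment and no longer matches: the embedded file is gen-stream-secret.sh only, while CoreCertScript now embeds gen-cloudcore-secret.sh. Suggest `// StreamCertScript defines the cloud stream cert script.` so the two variables document their distinct scripts.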