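#!/usr/bin/env bash
#
# deploy-kubernetes-credhub.sh
#
# Interactive deployer for the kubernetes-credhub integration: builds/pushes the
# containers, obtains a serving certificate for the mutating webhook from the
# cluster CSR API, stores it in a Secret, and applies the webhook plus the
# RBAC/service/deployment manifests found in the working directory.
#
# Usage:   ./deploy-kubernetes-credhub.sh        (every input is prompted for)
# Needs:   kubectl, docker, base64, openssl on PATH;
#          rbac.yaml, service.yaml, deployment.yaml in the working directory.
# Writes:  generatedCerts/ (server key, CSR, signed cert) and webhook.yaml.
#
# The upstream author left everything after the confirmation prompt as
# work-in-progress and the script deliberately stops there (see main()).
set -euo pipefail

readonly SERVICE=kubernetes-credhub-svc
readonly NAMESPACE=kubernetes-credhub
readonly CSR_NAME="${SERVICE}.${NAMESPACE}"
readonly CERT_DIR=generatedCerts
# Upper bound on 1-second polls while waiting for the CSR object / signed cert.
readonly POLL_ATTEMPTS=10

#######################################
# Print an error to stderr and exit 1.
# Arguments: message words
#######################################
die() {
  printf 'ERROR: %s\n' "$*" >&2
  exit 1
}

#######################################
# Abort unless an executable named $1 is on PATH.
# Arguments: $1 - tool name
#######################################
require_tool() {
  command -v -- "$1" >/dev/null 2>&1 || die "$1 not found"
}

#######################################
# Abort unless a working docker client is on PATH.
# The original check also required the "Docker version" banner, so a stub
# named docker that cannot run is still rejected.
#######################################
check_docker() {
  require_tool docker
  if docker --version 2>/dev/null | grep -qi "docker version"; then
    echo "docker found"
  else
    die "docker not found"
  fi
}

#######################################
# Prompt for all deployment inputs and echo them back for confirmation.
# Sets globals: capath, keypath, credhuburl, credhubclient, credhubsecret,
#               skiptlsbool, docker_repo
# Outputs: the confirmation summary on stdout (secret is masked).
#######################################
gather_inputs() {
  read -r -p "Enter FULL Path to PEM Encoded Credhub Trusted CA: " capath
  read -r -p "Enter FULL Path to PEM Encoded Credhub RSA Key: " keypath
  read -r -p "Enter FULL URL to Credhub instance (ensure k8s pods have access to this): " credhuburl
  read -r -p "Enter Credhub Admin Client: " credhubclient
  # -s: the secret must not be echoed to the terminal (scrollback, session logs).
  read -r -s -p "Enter Credhub Admin Client Secret: " credhubsecret
  printf '\n'
  read -r -p "While it is not recommended, should we skip tls-validation on your Credhub instance? (y/n)" skiptls
  read -r -p "Enter Docker Repository to store the credhub containers in: " docker_repo

  case "$skiptls" in
    [yY]) skiptlsbool=true ;;
    *)    skiptlsbool=false ;;
  esac

  # Fail early on unreadable key material rather than during the container build.
  [[ -r "$capath" ]]  || die "cannot read Credhub Trusted CA at '${capath}'"
  [[ -r "$keypath" ]] || die "cannot read Credhub RSA Key at '${keypath}'"

  printf 'Using %s for the Credhub Trusted CA\n' "$capath"
  printf 'Using %s for the Credhub Trusted RSA Key\n' "$keypath"
  printf 'Using %s for the URL to Credhub instance\n' "$credhuburl"
  printf 'Using %s for the Credhub Admin Client\n' "$credhubclient"
  # Never print the secret itself; confirm only that one was captured.
  if [[ -n "$credhubsecret" ]]; then
    printf 'Using <hidden, %d chars> for the Credhub Admin Client Secret\n' "${#credhubsecret}"
  else
    printf 'WARNING: Credhub Admin Client Secret is empty\n' >&2
  fi
  printf 'SkipTLSValidation for your Credhub instance is: %s\n' "$skiptlsbool"
  printf 'Using %s as your docker repository\n' "$docker_repo"
}

#######################################
# Create the target namespace if it does not already exist.
# Globals: NAMESPACE
#######################################
ensure_namespace() {
  if ! kubectl get namespace "$NAMESPACE" >/dev/null 2>&1; then
    kubectl create namespace "$NAMESPACE"
  fi
}

#######################################
# Generate a fresh RSA key and CSR for the webhook service into CERT_DIR.
# Globals: CERT_DIR, SERVICE, NAMESPACE
#######################################
generate_key_and_csr() {
  # ${VAR:?} guards the rm -rf against an empty expansion.
  rm -rf -- "${CERT_DIR:?}"
  mkdir -p -- "$CERT_DIR"
  echo "creating certs in ${CERT_DIR}"
  cat <<EOF > "${CERT_DIR}/csr.conf"
[req]
req_extensions = v3_req
distinguished_name = req_distinguished_name
[req_distinguished_name]
[ v3_req ]
basicConstraints = CA:FALSE
keyUsage = nonRepudiation, digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
subjectAltName = @alt_names
[alt_names]
DNS.1 = ${SERVICE}
DNS.2 = ${SERVICE}.${NAMESPACE}
DNS.3 = ${SERVICE}.${NAMESPACE}.svc
EOF
  openssl genrsa -out "${CERT_DIR}/server-key.pem" 2048
  # The private key stays on disk after the run; keep it owner-only.
  chmod 600 "${CERT_DIR}/server-key.pem"
  openssl req -new \
    -key "${CERT_DIR}/server-key.pem" \
    -subj "/CN=${SERVICE}.${NAMESPACE}.svc" \
    -out "${CERT_DIR}/server.csr" \
    -config "${CERT_DIR}/csr.conf"
}

#######################################
# Submit the CSR to the cluster, replacing any stale one of the same name.
# Globals: CERT_DIR, CSR_NAME
#######################################
submit_csr() {
  local csr_b64
  # Clean up any previously created CSR for our service; absence is fine.
  kubectl delete csr "$CSR_NAME" 2>/dev/null || true
  csr_b64=$(base64 < "${CERT_DIR}/server.csr" | tr -d '\n')
  kubectl create -f - <<EOF
apiVersion: certificates.k8s.io/v1beta1
kind: CertificateSigningRequest
metadata:
  name: ${CSR_NAME}
spec:
  groups:
  - system:authenticated
  request: ${csr_b64}
  usages:
  - digital signature
  - key encipherment
  - server auth
EOF
}

#######################################
# Block until the CSR object is visible, with a bounded number of polls.
# (The original looped forever with no sleep if the object never appeared.)
# Globals: CSR_NAME, POLL_ATTEMPTS
# Returns: 0 once visible; exits via die on timeout
#######################################
wait_for_csr() {
  local attempt
  for (( attempt = 1; attempt <= POLL_ATTEMPTS; attempt++ )); do
    if kubectl get csr "$CSR_NAME" >/dev/null 2>&1; then
      return 0
    fi
    sleep 1
  done
  die "csr ${CSR_NAME} was not visible after ${POLL_ATTEMPTS} attempts"
}

#######################################
# Approve the CSR and write the signed certificate to CERT_DIR/server-cert.pem.
# Globals: CERT_DIR, CSR_NAME, POLL_ATTEMPTS
#######################################
approve_and_fetch_cert() {
  local attempt server_cert=''
  kubectl certificate approve "$CSR_NAME"
  # The controller-manager signs asynchronously; poll for status.certificate.
  for (( attempt = 1; attempt <= POLL_ATTEMPTS; attempt++ )); do
    server_cert=$(kubectl get csr "$CSR_NAME" -o jsonpath='{.status.certificate}')
    if [[ -n "$server_cert" ]]; then
      break
    fi
    sleep 1
  done
  if [[ -z "$server_cert" ]]; then
    die "After approving csr ${CSR_NAME}, the signed certificate did not appear on the resource. Giving up after ${POLL_ATTEMPTS} attempts."
  fi
  printf '%s' "$server_cert" | openssl base64 -d -A -out "${CERT_DIR}/server-cert.pem"
}

#######################################
# Store the server key/cert as the Secret the webhook deployment mounts.
# Globals: CERT_DIR, NAMESPACE
#######################################
create_cert_secret() {
  kubectl create secret generic credhub-webhook-cert \
    --from-file=key.pem="${CERT_DIR}/server-key.pem" \
    --from-file=cert.pem="${CERT_DIR}/server-cert.pem" \
    --dry-run -o yaml \
    | kubectl -n "$NAMESPACE" apply -f -
}

#######################################
# Render webhook.yaml in the working directory.
# Arguments: $1 - base64 CA bundle the API server uses to verify the webhook
# Globals: NAMESPACE
#######################################
write_webhook_manifest() {
  local ca_bundle=$1
  cat <<EOF > webhook.yaml
apiVersion: admissionregistration.k8s.io/v1beta1
kind: MutatingWebhookConfiguration
metadata:
  name: kubernetes-credhub-webhook-cfg
  labels:
    app: kubernetes-credhub-injector
webhooks:
- name: kubernetes-credhub-injector.pivotal.io
  clientConfig:
    service:
      name: kubernetes-credhub-svc
      namespace: ${NAMESPACE}
      path: "/mutate"
    caBundle: ${ca_bundle}
  rules:
  - operations: [ "CREATE" ]
    apiGroups: [""]
    apiVersions: ["v1"]
    resources: ["pods"]
EOF
}

#######################################
# Delete then recreate every manifest so re-runs pick up changes.
# Globals: NAMESPACE
#######################################
deploy_manifests() {
  local manifest
  for manifest in rbac.yaml webhook.yaml service.yaml deployment.yaml; do
    # Objects that do not exist yet must not abort the run under set -e.
    kubectl -n "$NAMESPACE" delete -f "$manifest" --ignore-not-found
  done
  for manifest in rbac.yaml webhook.yaml service.yaml deployment.yaml; do
    kubectl -n "$NAMESPACE" create -f "$manifest"
  done
}

main() {
  local ca_bundle manifest
  cat <<'EOF'
We will deploy the kubernetes-credhub integration.
This involves:
- Building 2 containers (with your credhub credentials compiled in)
- Pushing the containers to a container registry
- Getting the K8s extension-apiserver CA
- Creating and deploying the following K8s constructs:
  - kubernetes-credhub namespace
  - kubernetes-credhub webhook
  - kubernetes-credhub CSR
  - kubernetes-credhub ServiceAccount
  - kubernetes-credhub ClusterRoleBinding
  - kubernetes-credhub service
  - kubernetes-credhub deployment (webhook and controller containers)
kubectl is required
docker is required
base64 is required
openssl is required
Ensure kubectl is logged in with a user that has permission to deploy
deployments, MutatingWebhookConfigurations, and services.
Ensure docker is logged in and you can push to a docker repository under the
tag you will provide.
EOF
  read -r -p "Press <ENTER> when all the above are met and you are ready to go"

  require_tool openssl
  require_tool base64
  require_tool kubectl
  check_docker
  for manifest in rbac.yaml service.yaml deployment.yaml; do
    [[ -f "$manifest" ]] || die "${manifest} not found in $(pwd)"
  done

  gather_inputs
  read -r -p "Verify the correct values are correct and hit <ENTER> when ready"

  # TODO(upstream): everything below is untested work-in-progress; this guard
  # is kept from the original so nothing is built or deployed yet.
  echo "SORRYY!!!! Still work in Progress...."
  exit 1

  # TODO(upstream): the image name is hard-coded and ignores $docker_repo; the
  # banner also promises two containers but only one is built here.
  docker build --no-cache -t oskoss/kubernetes-credhub-init:v0 . \
    && docker push oskoss/kubernetes-credhub-init:v0

  # NOTE(review): this uses the API server's client CA as the webhook caBundle;
  # it only verifies the serving cert if that CA is also the one that signs
  # cluster CSRs — confirm on the target cluster.
  ca_bundle=$(kubectl get configmap -n kube-system extension-apiserver-authentication \
    -o=jsonpath='{.data.client-ca-file}' | base64 | tr -d '\n')

  ensure_namespace
  generate_key_and_csr
  submit_csr
  wait_for_csr
  approve_and_fetch_cert
  create_cert_secret
  write_webhook_manifest "$ca_bundle"
  deploy_manifests
}

main "$@"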