From ee66d6f47f4ee317488ce82e116a857129592134 Mon Sep 17 00:00:00 2001
From: Steve Sloka
Date: Fri, 1 Sep 2017 16:09:40 -0400
Subject: [PATCH] Generate certs for Kibana automatically

---
 pkg/k8sutil/certs.go | 41 ++++++++++++++++++++++++++++++++++++++
 pkg/k8sutil/deployments.go | 12 +++++++++++
 2 files changed, 53 insertions(+)

diff --git a/pkg/k8sutil/certs.go b/pkg/k8sutil/certs.go
index e61ae61b6..782f1904b 100644
--- a/pkg/k8sutil/certs.go
+++ b/pkg/k8sutil/certs.go
@@ -108,6 +108,27 @@ func (k *K8sutil) generateConfig(configDir, certsDir, namespace, clusterName str
 },
 }
 
+ reqKibanaCSR := csr{
+ CN: "kibana",
+ Hosts: []string{
+ "localhost",
+ fmt.Sprintf("kibana-%s", clusterName),
+ fmt.Sprintf("%s.%s", fmt.Sprintf("kibana-%s", clusterName), namespace),
+ fmt.Sprintf("%s.%s.svc.cluster.local", fmt.Sprintf("kibana-%s", clusterName), namespace),
+ },
+ Key: key{
+ Algo: "rsa",
+ Size: 2048,
+ },
+ Names: []names{
+ names{
+ O: "autogenerated",
+ OU: "elasticsearch cluster",
+ L: "operator",
+ },
+ },
+ }
+
 caCSR := csr{
 Hosts: []string{
 "localhost",
@@ -144,6 +165,13 @@ func (k *K8sutil) generateConfig(configDir, certsDir, namespace, clusterName str
 logrus.Error(err)
 }
 
+ reqKibanaCSRJSON, _ := json.Marshal(reqKibanaCSR)
+ f, err = os.Create(fmt.Sprintf("%s/req-kibana-csr.json", configDir))
+ _, err = f.Write(reqKibanaCSRJSON)
+ if err != nil {
+ logrus.Error(err)
+ }
+
 reqCACSRJSON, _ := json.Marshal(caCSR)
 f, err = os.Create(fmt.Sprintf("%s/ca-csr.json", configDir))
 _, err = f.Write(reqCACSRJSON)
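Review bot: `fmt.Sprintf("kibana-%s", clusterName)` is evaluated three times while building the Hosts list of reqKibanaCSR; hoist it once, `kibanaHost := fmt.Sprintf("kibana-%s", clusterName)`, and derive the two longer SANs from it so the service name is spelled in one place. The element type in `Names: []names{ names{ ... } }` is redundant inside a slice literal (gofmt -s drops it), and the same applies to the `v1.EnvVar{` elements added in the deployments.go hunk. Whether the short `kibana-<cluster>.<namespace>.svc` form also belongs in the SAN list depends on how in-cluster clients address the service, which this diff does not show. generateConfig starts before this hunk and continues past it.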
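Review bot: The error from `os.Create` on the req-kibana-csr.json line is overwritten by the `f.Write` on the next line before it is ever checked, and the file handle is never closed, so a failed Create is reported only as a write error on a nil file and the descriptor leaks; the `json.Marshal` error is discarded as well. Replacing the Create/Write pair with `if err := ioutil.WriteFile(fmt.Sprintf("%s/req-kibana-csr.json", configDir), reqKibanaCSRJSON, 0644); err != nil { logrus.Error(err) }` handles the error and the close in one place, assuming ioutil is already imported in certs.go as the CreateCertsSecret hunk suggests. The pre-existing ca-csr lines that follow use the same pattern, so the new code follows file convention rather than introducing it. generateConfig continues outside the hunk.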
@@ -181,6 +209,15 @@ func (k *K8sutil) GenerateCerts(configDir, certsDir, namespace, clusterName stri
 logrus.Error(err)
 }
 
+ // Generate Kibana Cert
+ logrus.Info("Creating kibana cert...")
+ cmdKibana1 := exec.Command("cfssl", "gencert", "-ca", fmt.Sprintf("%s/ca.pem", certsDir), "-ca-key", fmt.Sprintf("%s/ca-key.pem", certsDir), "-config", fmt.Sprintf("%s/ca-config.json", configDir), "-profile=server", fmt.Sprintf("%s/req-kibana-csr.json", configDir))
+ cmdKibana2 := exec.Command("cfssljson", "-bare", fmt.Sprintf("%s/kibana", certsDir))
+ _, err = pipeCommands(cmdKibana1, cmdKibana2)
+ if err != nil {
+ logrus.Error(err)
+ }
+
 logrus.Info("Converting node to pkcs12...")
 cmdConvertNode := exec.Command("openssl", "pkcs12", "-export", "-inkey", fmt.Sprintf("%s/node-key.pem", certsDir), "-in", fmt.Sprintf("%s/node.pem", certsDir), "-out", fmt.Sprintf("%s/node.pkcs12", certsDir), "-password", "pass:changeit", "-certfile", fmt.Sprintf("%s/ca.pem", certsDir))
 out, err := cmdConvertNode.Output()
@@ -241,6 +278,8 @@ func (k *K8sutil) CreateCertsSecret(namespace, clusterName, certsDir string) err
 caKey, _ := ioutil.ReadFile(fmt.Sprintf("%s/ca-key.pem", certsDir))
 node, _ := ioutil.ReadFile(fmt.Sprintf("%s/node.pem", certsDir))
 nodeKey, _ := ioutil.ReadFile(fmt.Sprintf("%s/node-key.pem", certsDir))
+ kibanaKey, _ := ioutil.ReadFile(fmt.Sprintf("%s/kibana-key.pem", certsDir))
+ kibana, _ := ioutil.ReadFile(fmt.Sprintf("%s/kibana.pem", certsDir))
 
 secret := &v1.Secret{
 ObjectMeta: metav1.ObjectMeta{
@@ -253,6 +292,8 @@ func (k *K8sutil) CreateCertsSecret(namespace, clusterName, certsDir string) err
 "ca-key.pem": caKey,
 "node.pem": node,
 "node-key.pem": nodeKey,
+ "kibana-key.pem": kibanaKey,
+ "kibana.pem": kibana,
 },
 }
 
diff --git a/pkg/k8sutil/deployments.go b/pkg/k8sutil/deployments.go
index 2eef3d134..47dfc308d 100644
--- a/pkg/k8sutil/deployments.go
+++ b/pkg/k8sutil/deployments.go
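Review bot: When `pipeCommands(cmdKibana1, cmdKibana2)` fails the error is only logged and GenerateCerts carries on to the pkcs12 conversion, so a missing kibana.pem / kibana-key.pem does not fail cert generation here but surfaces later as an empty Secret entry (the CreateCertsSecret hunk below reads the files with the error discarded). If GenerateCerts returns an error (its signature is cut off at `stri` in the hunk header), replace the log with `return fmt.Errorf("generating kibana cert: %v", err)`; otherwise at least include the command context in the log so the failure can be attributed. A comment on the cfssl invocation that the `server` profile must exist in ca-config.json, which is written elsewhere, would help the next maintainer. GenerateCerts starts before this hunk and continues past it.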
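Review bot: The two added `ioutil.ReadFile` calls discard their error with `_`, so an absent or unreadable kibana.pem / kibana-key.pem becomes a zero-length entry in the Secret and Kibana fails at startup with no indication here of which file was missing. CreateCertsSecret appears to return an error (the hunk header ends in `err`), so check each read, e.g. `kibanaKey, err := ioutil.ReadFile(fmt.Sprintf("%s/kibana-key.pem", certsDir)); if err != nil { return err }`. The pre-existing ca/node reads use the same discard, so the new lines follow file convention, but the Kibana files are the ones whose generation can fail silently in the GenerateCerts hunk above. The enclosing function continues outside the hunk.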
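Review bot: The Kibana private key is added to the same Secret that already holds `ca-key.pem` and `node-key.pem`, and the deployments.go hunk points Kibana at `/elasticsearch/config/certs/kibana-key.pem`, which suggests this whole Secret is mounted into the Kibana pod. If so, the CA signing key and the Elasticsearch node key are readable from the Kibana container, which only needs `kibana.pem`, `kibana-key.pem` and `ca.pem`. Consider a separate Secret holding just those three items for the Kibana deployment, or a volume with `items` restricting which keys are projected. The mount definition is outside this diff, so this is inferred from the paths.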
@@ -321,6 +321,18 @@ func (k *K8sutil) CreateKibanaDeployment(baseImage, clusterName, namespace strin
 Name: "ELASTICSEARCH_SSL_CERTIFICATEAUTHORITIES",
 Value: "/elasticsearch/config/certs/ca.pem",
 },
+ v1.EnvVar{
+ Name: "SERVER_SSL_ENABLED",
+ Value: "true",
+ },
+ v1.EnvVar{
+ Name: "SERVER_SSL_KEY",
+ Value: "/elasticsearch/config/certs/kibana-key.pem",
+ },
+ v1.EnvVar{
+ Name: "SERVER_SSL_CERTIFICATE",
+ Value: "/elasticsearch/config/certs/kibana.pem",
+ },
 v1.EnvVar{
 Name: "NODE_DATA",
 Value: "false",
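Review bot: Setting `SERVER_SSL_ENABLED` to `true` switches Kibana's listener to HTTPS, so any readiness/liveness probe, Service or Ingress that reaches it over plain HTTP will start failing; the probe definitions are not in this hunk, so check that their scheme (`Scheme: v1.URISchemeHTTPS` on an HTTPGetAction) is updated in the same change. The cert and key paths assume the certs Secret is mounted at `/elasticsearch/config/certs`, consistent with the existing `ELASTICSEARCH_SSL_CERTIFICATEAUTHORITIES` entry above, but the mount itself is outside the diff. Style: the `v1.EnvVar{` element type is redundant inside the `[]v1.EnvVar` literal (gofmt -s removes it). CreateKibanaDeployment starts before this hunk and continues past it.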