blob: c436f1cab32482c9c5bcefb07a0a3b4be3041a4b (
plain)
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
|
#!/bin/sh -e
# This script generates certificates using setup-ca.sh and converts them into
# the Kubernetes secrets that the PMEM-CSI deployments rely upon for
# securing communication between PMEM-CSI components. Existing secrets
# are updated with new certificates when running it again.
# The script needs a functional kubectl that uses the target cluster.
: ${KUBECTL:=kubectl}
# The directory containing setup-ca*.sh.
: ${TEST_DIRECTORY:=$(dirname $(readlink -f $0))}
tmpdir=`mktemp -d`
trap 'rm -r $tmpdir' EXIT
# Generate certificates. They are not going to be needed again and will
# be deleted together with the temp directory.
WORKDIR="$tmpdir" "$TEST_DIRECTORY/setup-ca.sh"
# This reads a file and encodes it for use in a secret.
read_key () {
base64 -w 0 "$1"
}
# Read certificate files and turn them into Kubernetes secrets.
#
# -caFile (controller and all nodes)
CA=$(read_key "$tmpdir/ca.pem")
# -certFile (controller)
REGISTRY_CERT=$(read_key "$tmpdir/pmem-registry.pem")
# -keyFile (controller)
REGISTRY_KEY=$(read_key "$tmpdir/pmem-registry-key.pem")
# -certFile (same for all nodes)
NODE_CERT=$(read_key "$tmpdir/pmem-node-controller.pem")
# -keyFile (same for all nodes)
NODE_KEY=$(read_key "$tmpdir/pmem-node-controller-key.pem")
${KUBECTL} apply -f - <<EOF
apiVersion: v1
kind: Secret
metadata:
name: pmem-csi-registry-secrets
type: kubernetes.io/tls
data:
ca.crt: ${CA}
tls.crt: ${REGISTRY_CERT}
tls.key: ${REGISTRY_KEY}
---
apiVersion: v1
kind: Secret
metadata:
name: pmem-csi-node-secrets
type: Opaque
data:
ca.crt: ${CA}
tls.crt: ${NODE_CERT}
tls.key: ${NODE_KEY}
EOF
|
