mirror of
https://github.com/vcscsvcscs/GenerationsHeritage.git
synced 2025-08-13 22:39:06 +02:00
148 lines
4.4 KiB
YAML
148 lines
4.4 KiB
YAML
apiVersion: v1
|
|
kind: ServiceAccount
|
|
metadata:
|
|
name: certs-creator
|
|
---
|
|
apiVersion: rbac.authorization.k8s.io/v1
|
|
kind: Role
|
|
metadata:
|
|
name: secret-creator
|
|
rules:
|
|
- apiGroups: [ "" ]
|
|
resources: [ "secrets" ]
|
|
verbs: [ "create", "patch" ]
|
|
---
|
|
apiVersion: rbac.authorization.k8s.io/v1
|
|
kind: RoleBinding
|
|
metadata:
|
|
name: certs-creator
|
|
subjects:
|
|
- kind: ServiceAccount
|
|
name: certs-creator
|
|
roleRef:
|
|
kind: Role
|
|
name: secret-creator
|
|
apiGroup: rbac.authorization.k8s.io
|
|
---
|
|
apiVersion: batch/v1
|
|
kind: Job
|
|
metadata:
|
|
name: create-certs
|
|
spec:
|
|
template:
|
|
spec:
|
|
restartPolicy: OnFailure
|
|
serviceAccountName: certs-creator
|
|
initContainers:
|
|
- command:
|
|
- /bin/ash
|
|
- -c
|
|
- |
|
|
function createKey() {
|
|
USER=$1
|
|
openssl genrsa -out ${USER}.key 2048
|
|
echo "created ${USER}.key"
|
|
}
|
|
|
|
function createSigningRequest() {
|
|
USER=$1
|
|
openssl req -new -key ${USER}.key -extensions 'v3_req' -out ${USER}.csr -config <(generateServerConfig)
|
|
echo "created ${USER}.csr"
|
|
}
|
|
|
|
function generateServerConfig() {
|
|
cat<<EOF
|
|
[req]
|
|
distinguished_name = req_distinguished_name
|
|
x509_extensions = v3_req
|
|
prompt = no
|
|
[req_distinguished_name]
|
|
CN = db-postgresql
|
|
[v3_req]
|
|
keyUsage = keyEncipherment, dataEncipherment
|
|
extendedKeyUsage = serverAuth
|
|
subjectAltName = DNS:postgres,DNS:zitadel,DNS:db-postgresql
|
|
EOF
|
|
}
|
|
|
|
function signCertificate() {
|
|
INCSR=$1 OUTCRT=$2 CA_CRT=$3 CA_KEY=$4
|
|
openssl x509 -req -in $INCSR -CA $CA_CRT -CAkey $CA_KEY -CAcreateserial -days 365 -out $OUTCRT -extensions v3_req -extfile <(generateServerConfig)
|
|
}
|
|
|
|
function secretJson {
|
|
USER=$1
|
|
cat<<EOF
|
|
{
|
|
"apiVersion": "v1",
|
|
"kind": "Secret",
|
|
"data": {
|
|
"ca.crt": "$(base64 -w 0 ./ca.crt)",
|
|
"tls.crt": "$(base64 -w 0 ./${USER}.crt)",
|
|
"tls.key": "$(base64 -w 0 ./${USER}.key)"
|
|
},
|
|
"metadata": {
|
|
"name": "${USER}-cert"
|
|
},
|
|
"type": "kubernetes.io/tls"
|
|
}
|
|
EOF
|
|
}
|
|
|
|
function createCertSecret {
|
|
USER=$1
|
|
secretJson ${USER} >> ${USER}-cert.json
|
|
}
|
|
|
|
cd /secret
|
|
|
|
# Create a CA key and cert for signing other certs
|
|
createKey ca
|
|
openssl req -x509 -new -nodes -key ca.key -days 365 -out ca.crt -subj "/CN=My Custom CA"
|
|
|
|
createKey postgres
|
|
createSigningRequest postgres
|
|
signCertificate postgres.csr postgres.crt ca.crt ca.key
|
|
createCertSecret postgres
|
|
|
|
createKey zitadel
|
|
createSigningRequest zitadel
|
|
signCertificate zitadel.csr zitadel.crt ca.crt ca.key
|
|
createCertSecret zitadel
|
|
image: alpine/openssl
|
|
imagePullPolicy: IfNotPresent
|
|
name: create-certs
|
|
volumeMounts:
|
|
- mountPath: /secret
|
|
name: secret
|
|
containers:
|
|
- image: alpine/curl
|
|
name: apply-certs
|
|
imagePullPolicy: IfNotPresent
|
|
command:
|
|
- /bin/ash
|
|
- -c
|
|
- |
|
|
export APISERVER=https://kubernetes.default.svc SERVICEACCOUNT=/var/run/secrets/kubernetes.io/serviceaccount
|
|
export NAMESPACE=$(cat ${SERVICEACCOUNT}/namespace) TOKEN=$(cat ${SERVICEACCOUNT}/token) CACERT=${SERVICEACCOUNT}/ca.crt
|
|
|
|
function uploadSecret {
|
|
USER=$1
|
|
curl \
|
|
--cacert ${CACERT} \
|
|
--header "Authorization: Bearer ${TOKEN}" \
|
|
--header "Content-Type: application/json" \
|
|
-X POST ${APISERVER}/api/v1/namespaces/${NAMESPACE}/secrets \
|
|
--data "$(tr -d '\n' < /secret/${USER}-cert.json)" \
|
|
> /dev/null || echo "error uploading ${USER} secret: $?"
|
|
}
|
|
|
|
uploadSecret postgres
|
|
uploadSecret zitadel
|
|
volumeMounts:
|
|
- mountPath: /secret
|
|
name: secret
|
|
volumes:
|
|
- name: secret
|
|
emptyDir:
|
|
medium: Memory |