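#!/usr/bin/env bash
# make-secrets.sh — generate the secret material for the "tblflp" Kubernetes
# control plane under ./secrets:
#   tokens                  static bearer tokens (kube-apiserver token file format)
#   bootstrap.yaml          kubeconfig for kubelet TLS bootstrapping
#   controller.yaml         kubeconfig for kube-controller-manager
#   scheduler.yaml          kubeconfig for kube-scheduler
#   shadow                  an /etc/shadow with every system account locked
#   pki/ca.{key,crt}        API server CA
#   pki/server.{key,csr,crt}     API server serving certificate
#   pki/ext-ca.{key,crt}    front-proxy (extension API server / aggregation) CA
#   pki/ext-proxy.{key,csr,crt}  front-proxy client certificate
#
# Usage: ./make-secrets.sh
# Optional environment overrides (defaults are the values the script always used):
#   CERT_DAYS  validity in days of every certificate issued (default 10000)
#   RSA_BITS   RSA key size for CA and leaf keys (default 2048)
#
# The script refuses to run when ./secrets already exists: re-running would
# rotate every token and re-issue both CAs, invalidating everything that was
# already distributed to nodes.
set -euo pipefail

readonly CERT_DAYS="${CERT_DAYS:-10000}"
readonly RSA_BITS="${RSA_BITS:-2048}"
readonly API_HOST="k8s-masters.as53546.tblflp.zone"
readonly CLUSTER_NAME="tblflp"
# IP SANs shared by the API server and front-proxy client certificates.
readonly -a ALT_IPS=(10.199.15.200 10.195.1.1 10.195.0.1)

#######################################
# Print an error to stderr and exit 1.
#######################################
die() {
  printf 'make-secrets: %s\n' "$*" >&2
  exit 1
}

#######################################
# Emit 128 random bits as 32 hex characters on stdout.
# -t x1 prints one byte per column, so the encoding does not depend on host
# byte order (the 32-bit-word form gives the same length but is endian-dependent).
#######################################
gen_token() {
  head -c 16 /dev/urandom | od -An -v -t x1 | tr -d ' \n'
}

#######################################
# Write a minimal v1 kubeconfig with one token-authenticated user.
# Arguments: $1 output file, $2 user name, $3 CA path as seen on the consuming
#            host, $4 bearer token
#######################################
write_kubeconfig() {
  local file=$1 user=$2 ca_path=$3 token=$4
  cat >"$file" <<EOF
apiVersion: v1
clusters:
- cluster:
    certificate-authority: ${ca_path}
    server: https://${API_HOST}
  name: ${CLUSTER_NAME}
contexts:
- context:
    cluster: ${CLUSTER_NAME}
    user: ${user}
  name: ${CLUSTER_NAME}
current-context: ${CLUSTER_NAME}
kind: Config
preferences: {}
users:
- name: ${user}
  user:
    token: ${token}
EOF
}

#######################################
# Write an /etc/shadow in which every account has a locked ('*') password
# field, so no password login is possible. What consumes this file is not
# visible in this script.
# Arguments: $1 output file
#######################################
write_shadow() {
  local file=$1
  # Quoted delimiter: the content is literal and must never be expanded.
  cat >"$file" <<'EOF'
root:*:18449:0:99999:7:::
daemon:*:18419:0:99999:7:::
bin:*:18419:0:99999:7:::
sys:*:18419:0:99999:7:::
sync:*:18419:0:99999:7:::
games:*:18419:0:99999:7:::
man:*:18419:0:99999:7:::
lp:*:18419:0:99999:7:::
mail:*:18419:0:99999:7:::
news:*:18419:0:99999:7:::
uucp:*:18419:0:99999:7:::
proxy:*:18419:0:99999:7:::
www-data:*:18419:0:99999:7:::
backup:*:18419:0:99999:7:::
list:*:18419:0:99999:7:::
irc:*:18419:0:99999:7:::
gnats:*:18419:0:99999:7:::
nobody:*:18419:0:99999:7:::
_apt:*:18419:0:99999:7:::
messagebus:*:18448:0:99999:7:::
uuidd:*:18448:0:99999:7:::
ntp:*:18448:0:99999:7:::
systemd-network:*:18448:0:99999:7:::
systemd-resolve:*:18448:0:99999:7:::
EOF
}

#######################################
# Write an OpenSSL request config: [req]/[dn] drive the CSR, [v3_ext] is the
# extension section applied when the certificate is signed. Both reference the
# same [alt_names] so the CSR and the issued certificate carry identical SANs.
# Arguments: $1 output file, $2 CN, $3.. DNS SANs in order (become DNS.1, DNS.2, ...)
#######################################
write_csr_conf() {
  local file=$1 cn=$2
  shift 2
  local -a dns_names=("$@")
  local i
  {
    cat <<EOF
[ req ]
default_bits = ${RSA_BITS}
prompt = no
default_md = sha256
req_extensions = req_ext
distinguished_name = dn
[ dn ]
C = US
ST = NC
L = Raleigh
O = Legion, Inc.
OU = AS53546
CN = ${cn}
[ req_ext ]
subjectAltName = @alt_names
[ alt_names ]
EOF
    for i in "${!dns_names[@]}"; do
      printf 'DNS.%d = %s\n' "$((i + 1))" "${dns_names[i]}"
    done
    for i in "${!ALT_IPS[@]}"; do
      printf 'IP.%d = %s\n' "$((i + 1))" "${ALT_IPS[i]}"
    done
    # digitalSignature is required for the TLS handshake signature (every TLS 1.3
    # handshake, and ECDHE key exchange in 1.2) and for client authentication;
    # keyEncipherment/dataEncipherment alone only cover RSA key transport.
    cat <<'EOF'
[ v3_ext ]
authorityKeyIdentifier=keyid,issuer:always
basicConstraints=CA:FALSE
keyUsage=digitalSignature,keyEncipherment,dataEncipherment
extendedKeyUsage=serverAuth,clientAuth
subjectAltName=@alt_names
EOF
  } >"$file"
}

#######################################
# Create a self-signed CA key pair NAME.key / NAME.crt in the current directory.
# Arguments: $1 base name, $2 subject (OpenSSL -subj form, e.g. "/CN=x")
#######################################
issue_ca() {
  local name=$1 subject=$2
  openssl genrsa -out "${name}.key" "$RSA_BITS"
  openssl req -x509 -new -nodes -key "${name}.key" -subj "$subject" \
    -days "$CERT_DAYS" -out "${name}.crt"
}

#######################################
# Create a leaf key NAME.key, a CSR NAME.csr from CONF, and sign it with
# CA.key/CA.crt into NAME.crt using the [v3_ext] section of CONF.
# Arguments: $1 leaf base name, $2 CA base name, $3 request config file
#######################################
issue_cert() {
  local name=$1 ca=$2 conf=$3
  openssl genrsa -out "${name}.key" "$RSA_BITS"
  openssl req -new -key "${name}.key" -out "${name}.csr" -config "$conf"
  openssl x509 -req -in "${name}.csr" -CA "${ca}.crt" -CAkey "${ca}.key" \
    -CAcreateserial -out "${name}.crt" -days "$CERT_DAYS" \
    -extensions v3_ext -extfile "$conf"
}

main() {
  # Everything written below is secret (tokens, kubeconfigs, private keys):
  # create it owner-only instead of relying on the caller's umask.
  umask 077
  mkdir secrets || die "./secrets already exists; move it aside before re-running"
  cd secrets || die "cannot cd into ./secrets"

  local token_bootstrap token_controller_manager token_scheduler token_admin
  token_bootstrap=$(gen_token)
  token_controller_manager=$(gen_token)
  token_scheduler=$(gen_token)
  token_admin=$(gen_token)

  # kube-apiserver static token file: token,user,uid,"group".
  cat >tokens <<EOF
${token_bootstrap},kubelet-bootstrap,10001,"system:bootstrappers"
${token_controller_manager},system:kube-controller-manager,10002,"system:kube-controller-manager"
${token_scheduler},system:kube-scheduler,10003,"system:kube-scheduler"
${token_admin},admin,10004,"system:masters"
EOF

  # The bootstrap kubeconfig is used on nodes, where the CA lives at a different
  # path than on the control plane.
  write_kubeconfig bootstrap.yaml bootstrap /etc/pki/k8sca.crt "$token_bootstrap"
  write_kubeconfig controller.yaml controller /etc/kubernetes/pki/ca.crt "$token_controller_manager"
  write_kubeconfig scheduler.yaml scheduler /etc/kubernetes/pki/ca.crt "$token_scheduler"
  write_shadow shadow

  mkdir pki
  cd pki || die "cannot cd into ./secrets/pki"

  ## API SERVER
  issue_ca ca "/CN=${API_HOST}"
  write_csr_conf csr.conf "$API_HOST" \
    kubernetes \
    kubernetes.default \
    kubernetes.default.svc \
    kubernetes.default.svc.cluster \
    kubernetes.default.svc.cluster.local \
    "$API_HOST" \
    k8s-masters
  issue_cert server ca csr.conf

  ## EXTENSION API SERVER
  issue_ca ext-ca "/CN=front-proxy-ca"
  write_csr_conf ext-csr.conf front-proxy-client \
    front-proxy-client \
    kubernetes \
    kubernetes.default \
    kubernetes.default.svc \
    kubernetes.default.svc.cluster \
    kubernetes.default.svc.cluster.local \
    "$API_HOST" \
    k8s-masters
  issue_cert ext-proxy ext-ca ext-csr.conf
}

main "$@"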