summaryrefslogtreecommitdiffstats
path: root/roles/openshift_logging/files/util.sh
diff options
context:
space:
mode:
Diffstat (limited to 'roles/openshift_logging/files/util.sh')
-rw-r--r--roles/openshift_logging/files/util.sh192
1 files changed, 192 insertions, 0 deletions
diff --git a/roles/openshift_logging/files/util.sh b/roles/openshift_logging/files/util.sh
new file mode 100644
index 000000000..5752a0fcd
--- /dev/null
+++ b/roles/openshift_logging/files/util.sh
@@ -0,0 +1,192 @@
+#!/bin/bash
+
+function generate_JKS_chain() {
+ dir=${SCRATCH_DIR:-_output}
+ ADD_OID=$1
+ NODE_NAME=$2
+ CERT_NAMES=${3:-$NODE_NAME}
+ ks_pass=${KS_PASS:-kspass}
+ ts_pass=${TS_PASS:-tspass}
+ rm -rf $NODE_NAME
+
+ extension_names=""
+ for name in ${CERT_NAMES//,/ }; do
+ extension_names="${extension_names},dns:${name}"
+ done
+
+ if [ "$ADD_OID" = true ]; then
+ extension_names="${extension_names},oid:1.2.3.4.5.5"
+ fi
+
+ echo Generating keystore and certificate for node $NODE_NAME
+
+ "$keytool" -genkey \
+ -alias $NODE_NAME \
+ -keystore $dir/keystore.jks \
+ -keypass $ks_pass \
+ -storepass $ks_pass \
+ -keyalg RSA \
+ -keysize 2048 \
+ -validity 712 \
+ -dname "CN=$NODE_NAME, OU=OpenShift, O=Logging" \
+ -ext san=dns:localhost,ip:127.0.0.1"${extension_names}"
+
+ echo Generating certificate signing request for node $NODE_NAME
+
+ "$keytool" -certreq \
+ -alias $NODE_NAME \
+ -keystore $dir/keystore.jks \
+ -storepass $ks_pass \
+ -file $dir/$NODE_NAME.csr \
+ -keyalg rsa \
+ -dname "CN=$NODE_NAME, OU=OpenShift, O=Logging" \
+ -ext san=dns:localhost,ip:127.0.0.1"${extension_names}"
+
+ echo Sign certificate request with CA
+
+ openssl ca \
+ -in $dir/$NODE_NAME.csr \
+ -notext \
+ -out $dir/$NODE_NAME.crt \
+ -config $dir/signing.conf \
+ -extensions v3_req \
+ -batch \
+ -extensions server_ext
+
+ echo "Import back to keystore (including CA chain)"
+
+ "$keytool" \
+ -import \
+ -file $dir/ca.crt \
+ -keystore $dir/keystore.jks \
+ -storepass $ks_pass \
+ -noprompt -alias sig-ca
+
+ "$keytool" \
+ -import \
+ -file $dir/$NODE_NAME.crt \
+ -keystore $dir/keystore.jks \
+ -storepass $ks_pass \
+ -noprompt \
+ -alias $NODE_NAME
+
+ echo "Import CA to truststore for validating client certs"
+
+ "$keytool" \
+ -import \
+ -file $dir/ca.crt \
+ -keystore $dir/truststore.jks \
+ -storepass $ts_pass \
+ -noprompt -alias sig-ca
+
+ echo All done for $NODE_NAME
+}
+
+function generate_PEM_cert() {
+ NODE_NAME="$1"
+ dir=${SCRATCH_DIR:-_output} # for writing files to bundle into secrets
+
+ echo Generating keystore and certificate for node ${NODE_NAME}
+
+ openssl req -out "$dir/$NODE_NAME.csr" -new -newkey rsa:2048 -keyout "$dir/$NODE_NAME.key" -subj "/CN=$NODE_NAME/OU=OpenShift/O=Logging" -days 712 -nodes
+
+ echo Sign certificate request with CA
+ openssl ca \
+ -in "$dir/$NODE_NAME.csr" \
+ -notext \
+ -out "$dir/$NODE_NAME.crt" \
+ -config $dir/signing.conf \
+ -extensions v3_req \
+ -batch \
+ -extensions server_ext
+}
+
+function generate_JKS_client_cert() {
+ NODE_NAME="$1"
+ ks_pass=${KS_PASS:-kspass}
+ ts_pass=${TS_PASS:-tspass}
+ dir=${SCRATCH_DIR:-_output} # for writing files to bundle into secrets
+
+ echo Generating keystore and certificate for node ${NODE_NAME}
+
+ "$keytool" -genkey \
+ -alias $NODE_NAME \
+ -keystore $dir/$NODE_NAME.jks \
+ -keyalg RSA \
+ -keysize 2048 \
+ -validity 712 \
+ -keypass $ks_pass \
+ -storepass $ks_pass \
+ -dname "CN=$NODE_NAME, OU=OpenShift, O=Logging"
+
+ echo Generating certificate signing request for node $NODE_NAME
+
+ "$keytool" -certreq \
+ -alias $NODE_NAME \
+ -keystore $dir/$NODE_NAME.jks \
+ -file $dir/$NODE_NAME.csr \
+ -keyalg rsa \
+ -keypass $ks_pass \
+ -storepass $ks_pass \
+ -dname "CN=$NODE_NAME, OU=OpenShift, O=Logging"
+
+ echo Sign certificate request with CA
+ openssl ca \
+ -in "$dir/$NODE_NAME.csr" \
+ -notext \
+ -out "$dir/$NODE_NAME.crt" \
+ -config $dir/signing.conf \
+ -extensions v3_req \
+ -batch \
+ -extensions server_ext
+
+ echo "Import back to keystore (including CA chain)"
+
+ "$keytool" \
+ -import \
+ -file $dir/ca.crt \
+ -keystore $dir/$NODE_NAME.jks \
+ -storepass $ks_pass \
+ -noprompt -alias sig-ca
+
+ "$keytool" \
+ -import \
+ -file $dir/$NODE_NAME.crt \
+ -keystore $dir/$NODE_NAME.jks \
+ -storepass $ks_pass \
+ -noprompt \
+ -alias $NODE_NAME
+
+ echo All done for $NODE_NAME
+}
+
+function join { local IFS="$1"; shift; echo "$*"; }
+
+function get_es_dcs() {
+ oc get dc --selector logging-infra=elasticsearch -o name
+}
+
+function get_curator_dcs() {
+ oc get dc --selector logging-infra=curator -o name
+}
+
+function extract_nodeselector() {
+ local inputstring="${1//\"/}" # remove any errant double quotes in the inputs
+ local selectors=()
+
+ for keyvalstr in ${inputstring//\,/ }; do
+
+ keyval=( ${keyvalstr//=/ } )
+
+ if [[ -n "${keyval[0]}" && -n "${keyval[1]}" ]]; then
+ selectors+=( "\"${keyval[0]}\": \"${keyval[1]}\"")
+ else
+ echo "Could not make a node selector label from '${keyval[*]}'"
+ exit 255
+ fi
+ done
+
+ if [[ "${#selectors[*]}" -gt 0 ]]; then
+ echo nodeSelector: "{" $(join , "${selectors[@]}") "}"
+ fi
+}
generated by cgit v1.2.1 (git 2.18.0) at 2024-04-28 22:20:36 +0000