
Commit 1e7f752

authored
Merge pull request kubernetes#126798 from borg-land/easy-rsa-patch
Use easyrsa from GitHub
2 parents 2fabf5f + 16b18c0 commit 1e7f752

1 file changed

+41
-38
lines changed


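--- a/cluster/gce/util.sh
+++ b/cluster/gce/util.sh
@@ -1776,23 +1776,26 @@ function setup-easyrsa {
 # Note: This was heavily cribbed from make-ca-cert.sh
 (set -x
 cd "${KUBE_TEMP}"
-curl -L -O --connect-timeout 20 --retry 6 --retry-delay 2 https://dl.k8s.io/easy-rsa/easy-rsa.tar.gz
-tar xzf easy-rsa.tar.gz
-mkdir easy-rsa-master/kubelet
-cp -r easy-rsa-master/easyrsa3/* easy-rsa-master/kubelet
-mkdir easy-rsa-master/aggregator
-cp -r easy-rsa-master/easyrsa3/* easy-rsa-master/aggregator
-mkdir easy-rsa-master/cloud-pvl-admission
-cp -r easy-rsa-master/easyrsa3/* easy-rsa-master/cloud-pvl-admission
-mkdir easy-rsa-master/konnectivity-server
-cp -r easy-rsa-master/easyrsa3/* easy-rsa-master/konnectivity-server
-mkdir easy-rsa-master/konnectivity-agent
-cp -r easy-rsa-master/easyrsa3/* easy-rsa-master/konnectivity-agent) &>"${cert_create_debug_output}" || true
-CERT_DIR="${KUBE_TEMP}/easy-rsa-master/easyrsa3"
-AGGREGATOR_CERT_DIR="${KUBE_TEMP}/easy-rsa-master/aggregator"
-CLOUD_PVL_ADMISSION_CERT_DIR="${KUBE_TEMP}/easy-rsa-master/cloud-pvl-admission"
-KONNECTIVITY_SERVER_CERT_DIR="${KUBE_TEMP}/easy-rsa-master/konnectivity-server"
-KONNECTIVITY_AGENT_CERT_DIR="${KUBE_TEMP}/easy-rsa-master/konnectivity-agent"
+curl -L -o easy-rsa.tar.gz --connect-timeout 20 --retry 6 --retry-delay 2 https://github.com/OpenVPN/easy-rsa/releases/download/v3.1.7/EasyRSA-3.1.7.tgz
+mkdir -p easy-rsa && tar xzf easy-rsa.tar.gz -C easy-rsa --strip-components 1
+local -r files_to_copy=(easyrsa openssl-easyrsa.cnf x509-types vars.example)
+mkdir easy-rsa/aggregator
+# shellcheck disable=SC2145
+cp -r easy-rsa/"${files_to_copy[@]}" easy-rsa/aggregator
+mkdir easy-rsa/cloud-pvl-admission
+# shellcheck disable=SC2145
+cp -r easy-rsa/"${files_to_copy[@]}" easy-rsa/cloud-pvl-admission
+mkdir easy-rsa/konnectivity-server
+# shellcheck disable=SC2145
+cp -r easy-rsa/"${files_to_copy[@]}" easy-rsa/konnectivity-server
+mkdir easy-rsa/konnectivity-agent
+# shellcheck disable=SC2145
+cp -r easy-rsa/"${files_to_copy[@]}" easy-rsa/konnectivity-agent) &>"${cert_create_debug_output}" || true
+CERT_DIR="${KUBE_TEMP}/easy-rsa"
+AGGREGATOR_CERT_DIR="${KUBE_TEMP}/easy-rsa/aggregator"
+CLOUD_PVL_ADMISSION_CERT_DIR="${KUBE_TEMP}/easy-rsa/cloud-pvl-admission"
+KONNECTIVITY_SERVER_CERT_DIR="${KUBE_TEMP}/easy-rsa/konnectivity-server"
+KONNECTIVITY_AGENT_CERT_DIR="${KUBE_TEMP}/easy-rsa/konnectivity-agent"
 if [ ! -x "${CERT_DIR}/easyrsa" ] || [ ! -x "${AGGREGATOR_CERT_DIR}/easyrsa" ]; then
 # TODO(roberthbailey,porridge): add better error handling here,
 # see https://github.com/kubernetes/kubernetes/issues/55229
@@ -1825,8 +1828,8 @@ function generate-certs {
 ./easyrsa --batch "--req-cn=${PRIMARY_CN}@$(date +%s)" build-ca nopass
 # SANS (expected to be) defined by caller
 # shellcheck disable=SC2153
-./easyrsa --subject-alt-name="${SANS}" build-server-full "${MASTER_NAME}" nopass
-./easyrsa build-client-full kube-apiserver nopass
+./easyrsa --batch --subject-alt-name="${SANS}" build-server-full "${MASTER_NAME}" nopass
+./easyrsa --batch build-client-full kube-apiserver nopass
 
 kube::util::ensure-cfssl "${KUBE_TEMP}/cfssl"
 
@@ -1839,8 +1842,8 @@ function generate-certs {
 rm -f "kubelet.csr"
 
 # Make a superuser client cert with subject "O=system:masters, CN=kubecfg"
-./easyrsa --dn-mode=org \
---req-cn=kubecfg --req-org=system:masters \
+./easyrsa --batch --dn-mode=org \
+--req-org=system:masters \
 --req-c= --req-st= --req-city= --req-email= --req-ou= \
 build-client-full kubecfg nopass) &>"${cert_create_debug_output}" || true
 local output_file_missing=0
@@ -1886,12 +1889,12 @@ function generate-aggregator-certs {
 local -r cert_create_debug_output=$(mktemp "${KUBE_TEMP}/cert_create_debug_output.XXX")
 # Note: This was heavily cribbed from make-ca-cert.sh
 (set -x
-cd "${KUBE_TEMP}/easy-rsa-master/aggregator"
+cd "${KUBE_TEMP}/easy-rsa/aggregator"
 ./easyrsa init-pki
 # this puts the cert into pki/ca.crt and the key into pki/private/ca.key
 ./easyrsa --batch "--req-cn=${AGGREGATOR_PRIMARY_CN}@$(date +%s)" build-ca nopass
-./easyrsa --subject-alt-name="${AGGREGATOR_SANS}" build-server-full "${AGGREGATOR_MASTER_NAME}" nopass
-./easyrsa build-client-full aggregator-apiserver nopass
+./easyrsa --batch --subject-alt-name="${AGGREGATOR_SANS}" build-server-full "${AGGREGATOR_MASTER_NAME}" nopass
+./easyrsa --batch build-client-full aggregator-apiserver nopass
 
 kube::util::ensure-cfssl "${KUBE_TEMP}/cfssl"
 
@@ -1904,8 +1907,8 @@ function generate-aggregator-certs {
 rm -f "proxy-client.csr"
 
 # Make a superuser client cert with subject "O=system:masters, CN=kubecfg"
-./easyrsa --dn-mode=org \
---req-cn=proxy-clientcfg --req-org=system:aggregator \
+./easyrsa --batch --dn-mode=org \
+--req-org=system:aggregator \
 --req-c= --req-st= --req-city= --req-email= --req-ou= \
 build-client-full proxy-clientcfg nopass) &>"${cert_create_debug_output}" || true
 local output_file_missing=0
@@ -1947,12 +1950,12 @@ function generate-konnectivity-server-certs {
 # Note: This was heavily cribbed from make-ca-cert.sh
 (set -x
 # Make the client <-> konnectivity server side certificates.
-cd "${KUBE_TEMP}/easy-rsa-master/konnectivity-server"
+cd "${KUBE_TEMP}/easy-rsa/konnectivity-server"
 ./easyrsa init-pki
 # this puts the cert into pki/ca.crt and the key into pki/private/ca.key
 ./easyrsa --batch "--req-cn=${KONNECTIVITY_SERVER_PRIMARY_CN}@$(date +%s)" build-ca nopass
-./easyrsa --subject-alt-name="IP:127.0.0.1,${KONNECTIVITY_SERVER_SANS}" build-server-full server nopass
-./easyrsa build-client-full client nopass
+./easyrsa --batch --subject-alt-name="IP:127.0.0.1,${KONNECTIVITY_SERVER_SANS}" build-server-full server nopass
+./easyrsa --batch build-client-full client nopass
 
 kube::util::ensure-cfssl "${KUBE_TEMP}/cfssl"
 
@@ -1963,12 +1966,12 @@ function generate-konnectivity-server-certs {
 rm -f "konnectivity-server.csr"
 
 # Make the agent <-> konnectivity server side certificates.
-cd "${KUBE_TEMP}/easy-rsa-master/konnectivity-agent"
+cd "${KUBE_TEMP}/easy-rsa/konnectivity-agent"
 ./easyrsa init-pki
 # this puts the cert into pki/ca.crt and the key into pki/private/ca.key
 ./easyrsa --batch "--req-cn=${KONNECTIVITY_SERVER_PRIMARY_CN}@$(date +%s)" build-ca nopass
-./easyrsa --subject-alt-name="${KONNECTIVITY_SERVER_SANS}" build-server-full server nopass
-./easyrsa build-client-full client nopass
+./easyrsa --batch --subject-alt-name="${KONNECTIVITY_SERVER_SANS}" build-server-full server nopass
+./easyrsa --batch build-client-full client nopass
 
 kube::util::ensure-cfssl "${KUBE_TEMP}/cfssl"
 
@@ -2025,12 +2028,12 @@ function generate-cloud-pvl-admission-certs {
 # Note: This was heavily cribbed from make-ca-cert.sh
 (set -x
 # Make the client <-> cloud-pvl-admission server side certificates.
-cd "${KUBE_TEMP}/easy-rsa-master/cloud-pvl-admission"
+cd "${KUBE_TEMP}/easy-rsa/cloud-pvl-admission"
 ./easyrsa init-pki
 # this puts the cert into pki/ca.crt and the key into pki/private/ca.key
 ./easyrsa --batch "--req-cn=${CLOUD_PVL_ADMISSION_PRIMARY_CN}@$(date +%s)" build-ca nopass
-./easyrsa --subject-alt-name="IP:127.0.0.1,${CLOUD_PVL_ADMISSION_SANS}" build-server-full server nopass
-./easyrsa build-client-full client nopass
+./easyrsa --batch --subject-alt-name="IP:127.0.0.1,${CLOUD_PVL_ADMISSION_SANS}" build-server-full server nopass
+./easyrsa --batch build-client-full client nopass
 
 kube::util::ensure-cfssl "${KUBE_TEMP}/cfssl"
 
@@ -2041,12 +2044,12 @@ function generate-cloud-pvl-admission-certs {
 rm -f "cloud-pvl-admission.csr"
 
 # Make the cloud-pvl-admission server side certificates.
-cd "${KUBE_TEMP}/easy-rsa-master/cloud-pvl-admission"
+cd "${KUBE_TEMP}/easy-rsa/cloud-pvl-admission"
 ./easyrsa init-pki
 # this puts the cert into pki/ca.crt and the key into pki/private/ca.key
 ./easyrsa --batch "--req-cn=${CLOUD_PVL_ADMISSION_PRIMARY_CN}@$(date +%s)" build-ca nopass
-./easyrsa --subject-alt-name="${CLOUD_PVL_ADMISSION_SANS}" build-server-full server nopass
-./easyrsa build-client-full client nopass
+./easyrsa --batch --subject-alt-name="${CLOUD_PVL_ADMISSION_SANS}" build-server-full server nopass
+./easyrsa --batch build-client-full client nopass
 
 kube::util::ensure-cfssl "${KUBE_TEMP}/cfssl"
 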
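Review bot: In the setup-easyrsa hunk, `cp -r easy-rsa/"${files_to_copy[@]}" easy-rsa/aggregator` prefixes only the first array element, so `openssl-easyrsa.cnf`, `x509-types` and `vars.example` are resolved against the cwd `${KUBE_TEMP}` rather than `easy-rsa/`, and the `# shellcheck disable=SC2145` lines silence exactly the warning that points this out; the same applies to the three cp lines that follow. The subshell ends in `|| true` with its output sent to `${cert_create_debug_output}`, so the partial copy is silent, and the later `-x "${AGGREGATOR_CERT_DIR}/easyrsa"` check still passes because the script itself is copied; whether easyrsa 3.1.7 can operate without the shipped cnf and x509-types I cannot confirm from here. Prefixing each element with `"${files_to_copy[@]/#/easy-rsa/}"` fixes the expansion and lets the disables go; a loop over the four component directories is shown below (setup-easyrsa continues outside the hunk). Separately, the tarball that seeds every cluster CA is now fetched from a third-party host with no integrity check: pinning its digest and verifying before extraction, e.g. `echo "<EXPECTED_SHA256_OF_EasyRSA-3.1.7.tgz>  easy-rsa.tar.gz" | sha256sum -c -` chained with `&&` into the tar step, would close that gap, since as far as I can tell the trailing `|| true` means a failing command inside the subshell does not stop the ones after it.
```shell
    local -r files_to_copy=(easyrsa openssl-easyrsa.cnf x509-types vars.example)
    for component in aggregator cloud-pvl-admission konnectivity-server konnectivity-agent; do
      mkdir "easy-rsa/${component}"
      cp -r "${files_to_copy[@]/#/easy-rsa/}" "easy-rsa/${component}"
    done) &>"${cert_create_debug_output}" || true
    # … unchanged: CERT_DIR and *_CERT_DIR assignments …
```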