【备忘录】自动生成kubernetes 认证脚本

该文章介绍了一个 bash 脚本,用于自动生成 Kubernetes 的认证信息:集群 CA 与各组件证书(cfssl)、各组件的 kubeconfig 文件、kubelet bootstrap token(token.csv),并创建所需的目录。注意脚本会在本机写出 CA 私钥和 bootstrap token,应在可信主机上运行并限制相关目录的权限。

自动化生成kubernetes 认证信息脚本:

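#!/bin/bash
# Generate the Kubernetes PKI and kubeconfig files for a cluster.
#
# Usage: script [sh|bash|<anything>] [IP-or-hostname ...]
#   $1    - "sh"/"bash": just exec a shell. Anything else (or nothing):
#           generate whatever is missing, then exec a shell.
#   $2... - extra SANs appended to the apiserver certificate (IPS).
# Environment:
#   API   - overrides KUBE_APISERVER, the server URL written into every
#           kubeconfig; the hard-coded default below is used otherwise.
#
# Output goes under /opt/etc/ssl, /opt/etc/kubernetes/{ssl,kubecfg} and
# /qcdata/kubernetes. The CA private key, component private keys and a
# bootstrap token are written in clear, so run this on a trusted host.
set -e
# Without pipefail a failed `cfssl ... | cfssljson` only reports cfssljson's
# status, so a broken CA step could go unnoticed under set -e.
set -o pipefail

ACTION=${1:-}

MIP=${2:-}          # first SAN; unused below but kept for compatibility
IPS=()              # one array element per SAN instead of a space-joined string
if (( $# >= 2 )); then
    IPS=("${@:2}")
fi

KUBE_APISERVER="https://qinghub.net:6443"
CA_PATH="/opt/etc/ssl"
K8S_SSL="/opt/etc/kubernetes/ssl"
K8S_CFG="/opt/etc/kubernetes/kubecfg"

if [[ -n "${API:-}" ]]; then
    KUBE_APISERVER=$API
fi

# mkdir -p is idempotent, so no per-directory existence checks are needed.
mkdir -p -- "$CA_PATH" "$K8S_SSL" "$K8S_CFG" /qcdata/kubernetes

# 16 random bytes rendered as 32 hex characters: the kubelet bootstrap token.
# It is regenerated on every run; token.csv and bootstrap.kubeconfig are only
# written together in generate_k8s, so the two stay consistent with each other.
# Exported as in the original — presumably read by something started from the
# exec'd shell; not verifiable from this file.
export BOOTSTRAP_TOKEN
BOOTSTRAP_TOKEN=$(head -c 16 /dev/urandom | od -An -t x | tr -d ' ')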

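# Create the cluster CA and the server/client certificates in $K8S_SSL.
#
# Reads globals: K8S_SSL, IPS. Expects under /opt/cfssl: ca-csr.json,
# ca-config.json (with a "kubernetes" profile), k8s-csr-new.json,
# admin-csr.json, kubelet-csr.json and kube-proxy-csr.json.
# Writes ca.pem / ca-key.pem (the CA private key stays on this host; whoever
# can read it can mint arbitrary client certificates), kubernetes.pem/-key.pem
# for the apiserver, and the admin, kubelet and kube-proxy cert/key pairs.
# All four leaf certs are signed with the same "kubernetes" profile, so any
# usage or expiry limits come from ca-config.json, not from this script.
# Returns non-zero (aborting the script under set -e) on an unsafe SAN.
generate_ssl(){
    local csr="/opt/cfssl/k8s-csr-new.json"
    local san_re='^[A-Za-z0-9.:-]+$'
    local -a hosts sign
    local host

    pushd "$K8S_SSL"
    cfssl gencert -initca /opt/cfssl/ca-csr.json | cfssljson -bare ca

    # Each extra SAN is spliced into the CSR's hosts list right after
    # "127.0.0.1". IPS may be an array or a single space-separated string
    # (it comes from "${@:2}" at the top of the script), so re-split it here.
    read -r -a hosts <<<"${IPS[*]}"
    for host in "${hosts[@]}"; do
        # The value is interpolated into a sed script and into JSON: allow
        # only the characters an IP address or DNS name can contain, so that
        # '/', '"', '\', '&' or a newline cannot alter the sed command or
        # corrupt the CSR file.
        if [[ ! "$host" =~ $san_re ]]; then
            printf 'generate_ssl: refusing unsafe SAN %q\n' "$host" >&2
            return 1
        fi
        # Skip hosts that are already listed so a re-run does not duplicate them.
        if ! grep -qF -- "\"${host}\"" "$csr"; then
            sed -i "/\"127.0.0.1\",/a\\\"${host}\\\"," "$csr"
        fi
    done

    sign=(cfssl gencert -ca=ca.pem -ca-key=ca-key.pem
          -config=/opt/cfssl/ca-config.json -profile=kubernetes)
    "${sign[@]}" "$csr"                         | cfssljson -bare kubernetes
    "${sign[@]}" /opt/cfssl/admin-csr.json      | cfssljson -bare admin
    "${sign[@]}" /opt/cfssl/kubelet-csr.json    | cfssljson -bare kubelet
    "${sign[@]}" /opt/cfssl/kube-proxy-csr.json | cfssljson -bare kube-proxy
    popd
}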

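# _write_kubeconfig FILE USER [set-credentials options...]
# Build one kubeconfig in the current directory: cluster "kubernetes" with the
# CA embedded and server $KUBE_APISERVER, a credential named USER created with
# the remaining options, and a context "default" selected. The file is
# chmod 600 afterwards: with --embed-certs=true it carries the private key
# (or the bootstrap token) inline, so a world-readable copy leaks a live
# cluster credential to any local user.
# Reads globals: K8S_SSL, KUBE_APISERVER.
_write_kubeconfig(){
    local file=$1 user=$2
    shift 2
    kubectl config set-cluster kubernetes \
        --certificate-authority="${K8S_SSL}/ca.pem" \
        --embed-certs=true \
        --server="${KUBE_APISERVER}" \
        --kubeconfig="$file"
    kubectl config set-credentials "$user" "$@" --kubeconfig="$file"
    kubectl config set-context default \
        --cluster=kubernetes \
        --user="$user" \
        --kubeconfig="$file"
    kubectl config use-context default --kubeconfig="$file"
    chmod 600 "$file"
}

# Write the kubeconfig files and the static token file into $K8S_CFG.
#
# Produces:
#   token.csv             - apiserver static token file, one line:
#                           token,user,uid,"group" for kubelet-bootstrap
#   bootstrap.kubeconfig  - token identity for kubelet TLS bootstrapping
#   kube-proxy.kubeconfig - client cert kube-proxy.pem
#   admin.kubeconfig      - client cert admin.pem
#   kubelet.kubeconfig    - client cert kubelet.pem, credential named "node"
# Reads globals: K8S_CFG, K8S_SSL, KUBE_APISERVER, BOOTSTRAP_TOKEN.
generate_k8s(){
    pushd "$K8S_CFG"
    cat > token.csv <<EOF
${BOOTSTRAP_TOKEN},kubelet-bootstrap,10001,"system:kubelet-bootstrap"
EOF
    # The token is a bearer credential; keep the file private.
    chmod 600 token.csv

    _write_kubeconfig bootstrap.kubeconfig kubelet-bootstrap \
        --token="${BOOTSTRAP_TOKEN}"

    _write_kubeconfig kube-proxy.kubeconfig kube-proxy \
        --client-certificate="${K8S_SSL}/kube-proxy.pem" \
        --client-key="${K8S_SSL}/kube-proxy-key.pem" \
        --embed-certs=true

    _write_kubeconfig admin.kubeconfig admin \
        --client-certificate="${K8S_SSL}/admin.pem" \
        --client-key="${K8S_SSL}/admin-key.pem" \
        --embed-certs=true

    # The credential is named "node" although the cert file is kubelet.pem;
    # kept as in the original so existing references keep resolving. Note
    # that this is a single kubelet certificate shared by every node — with
    # the bootstrap token above, per-node certs via TLS bootstrapping would be
    # the usual replacement. TODO confirm which path the nodes actually use.
    _write_kubeconfig kubelet.kubeconfig node \
        --client-certificate="${K8S_SSL}/kubelet.pem" \
        --client-key="${K8S_SSL}/kubelet-key.pem" \
        --embed-certs=true
    popd
}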
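# Entry point. "sh"/"bash" drops straight into a shell; anything else
# provisions whatever is missing first. Both paths end in `exec /bin/bash`,
# which reads like a container entrypoint.
case "$ACTION" in
    sh|bash)
        exec /bin/bash
    ;;
    *)
        # Where the kube-proxy kubeconfig is published. The original copied to
        # /grdata/kubernetes but checked and chmod'ed /qcdata/kubernetes; only
        # /qcdata/kubernetes is created above, so one directory is used here.
        data_dir="/qcdata/kubernetes"

        if [[ ! -f "$K8S_SSL/ca.pem" ]]; then
            generate_ssl
        fi
        if [[ ! -f "$K8S_CFG/admin.kubeconfig" ]]; then
            generate_k8s
        fi

        # Publish kube-proxy.kubeconfig when it is new or has changed. The
        # comparison must sit inside the condition: a bare `diff` that finds a
        # difference exits 1, which under set -e aborted the script before the
        # copy ever ran.
        if [[ ! -f "$data_dir/kube-proxy.kubeconfig" ]] \
            || ! cmp -s "$data_dir/kube-proxy.kubeconfig" "$K8S_CFG/kube-proxy.kubeconfig"; then
            cp -a "$K8S_CFG/kube-proxy.kubeconfig" "$data_dir/kube-proxy.kubeconfig"
            chmod 600 "$data_dir/kube-proxy.kubeconfig"   # embeds the kube-proxy client key
        fi

        # generate_r6d is not defined anywhere in this listing — presumably it
        # is supplied by a file sourced before this script runs. Fail with a
        # clear message instead of a bare "command not found".
        if [[ ! -f "${CA_PATH}/server.key.pem" ]]; then
            if declare -F generate_r6d >/dev/null; then
                generate_r6d
            else
                printf 'error: %s is missing and generate_r6d is not defined\n' \
                    "${CA_PATH}/server.key.pem" >&2
                exit 1
            fi
        fi
        exec /bin/bash
    ;;
esac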