forked from rancher/rke-tools
-
Notifications
You must be signed in to change notification settings - Fork 0
/
cert-deployer
executable file
·35 lines (31 loc) · 1.33 KB
/
cert-deployer
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
#!/bin/bash -x
SSL_CRTS_DIR=${CRTS_DEPLOY_PATH:-/etc/kubernetes/ssl}
mkdir -p $SSL_CRTS_DIR
chmod 700 $SSL_CRTS_DIR
for i in $(env | grep -o KUBE_.*=); do
name="$(echo "$i" | cut -f1 -d"=" | tr '[:upper:]' '[:lower:]' | tr '_' '-').pem"
env=$(echo "$i" | cut -f1 -d"=")
value=$(echo "${!env}")
if [ ! -f $SSL_CRTS_DIR/$name ] || [ "$FORCE_DEPLOY" = "true" ]; then
echo "$value" > $SSL_CRTS_DIR/$name
chmod 600 $SSL_CRTS_DIR/$name
fi
done
for i in $(env | grep -o KUBECFG_.*=); do
name="$(echo "$i" | cut -f1 -d"=" | tr '[:upper:]' '[:lower:]' | tr '_' '-').yaml"
env=$(echo "$i" | cut -f1 -d"=")
value=$(echo "${!env}")
if [ ! -f $SSL_CRTS_DIR/$name ]; then
echo "$value" > $SSL_CRTS_DIR/$name
chmod 600 $SSL_CRTS_DIR/$name
fi
done
# only enabled if we are running etcd with custom uid/gid
if [ -n "${ETCD_UID}" ] && [ -n "${ETCD_GID}" ]; then
# set minial mask to allow effective read access to the certificates
setfacl -R -m m::rX "${SSL_CRTS_DIR}" && echo "Successfully set ACL mask for certs dir"
# allow certs dir read access to the custom etcd uid
setfacl -R -m u:${ETCD_UID}:rX "${SSL_CRTS_DIR}" && echo "Successfully set user ACL for certs dir"
# allow certs dir read access to the custom etcd gid
setfacl -R -m g:${ETCD_GID}:rX "${SSL_CRTS_DIR}" && echo "Successfully set group ACL for certs dir"
fi