|
17 | 17 | # Generates a CA certificate, a server key, and a server certificate signed by the CA.
|
18 | 18 |
|
19 | 19 | set -e
|
| 20 | +SCRIPT=`basename ${BASH_SOURCE[0]}` |
| 21 | + |
| 22 | +function usage { |
| 23 | + cat<< EOF |
| 24 | + Usage: $SCRIPT |
| 25 | + Options: |
| 26 | + -h | --help This help info. |
| 27 | + -n | --namespace <namespace> The namespace where the Spark operator is installed. |
| 28 | + -p | --pod-container whether the script is running inside a pod container or manually invoked |
| 29 | +EOF |
| 30 | +} |
| 31 | + |
| 32 | +function parse_arguments { |
| 33 | + while [ $# -gt 0 ] |
| 34 | + do |
| 35 | + case "$1" in |
| 36 | + -n|--namespace) |
| 37 | + if [ -n "$2" ]; then |
| 38 | + NAMESPACE="$2" |
| 39 | + else |
| 40 | + echo "-n or --namespace requires a value." |
| 41 | + exit 1 |
| 42 | + fi |
| 43 | + shift 2 |
| 44 | + continue |
| 45 | + ;; |
| 46 | + -p|--pod-container) # Whether the script is running inside a pod container or invoked manually |
| 47 | + export IN_POD=true |
| 48 | + shift 1 |
| 49 | + continue |
| 50 | + ;; |
| 51 | + -h|--help) |
| 52 | + usage |
| 53 | + exit 0 |
| 54 | + ;; |
| 55 | + --) # End of all options. |
| 56 | + shift |
| 57 | + break |
| 58 | + ;; |
| 59 | + '') # End of all options. |
| 60 | + break |
| 61 | + ;; |
| 62 | + *) |
| 63 | + echo "Unrecognized option: $1" |
| 64 | + exit 1 |
| 65 | + ;; |
| 66 | + esac |
| 67 | + done |
| 68 | +} |
| 69 | + |
| 70 | +# Set the namespace to "sparkoperator" by default if not provided |
| 71 | +IN_POD=false |
| 72 | +NAMESPACE="sparkoperator" |
| 73 | +parse_arguments "$@" |
20 | 74 |
|
21 |
| -NAMESPACE=$1 |
22 |
| -if [ -z $NAMESPACE ]; then |
23 |
| - NAMESPACE="sparkoperator" |
24 |
| -fi |
25 | 75 |
|
26 | 76 | CN_BASE="spark-webhook"
|
27 | 77 | TMP_DIR="/tmp/spark-pod-webhook-certs"
|
@@ -49,34 +99,38 @@ openssl genrsa -out ${TMP_DIR}/server-key.pem 2048
|
49 | 99 | openssl req -new -key ${TMP_DIR}/server-key.pem -out ${TMP_DIR}/server.csr -subj "/CN=spark-webhook.sparkoperator.svc" -config ${TMP_DIR}/server.conf
|
50 | 100 | openssl x509 -req -in ${TMP_DIR}/server.csr -CA ${TMP_DIR}/ca-cert.pem -CAkey ${TMP_DIR}/ca-key.pem -CAcreateserial -out ${TMP_DIR}/server-cert.pem -days 100000 -extensions v3_req -extfile ${TMP_DIR}/server.conf
|
51 | 101 |
|
52 |
| -# Base64 encode secrets and then remove the trailing newline to avoid issues in the curl command |
53 |
| -ca_cert=$(cat ${TMP_DIR}/ca-cert.pem | base64 | tr -d '\n') |
54 |
| -ca_key=$(cat ${TMP_DIR}/ca-key.pem | base64 | tr -d '\n') |
55 |
| -server_cert=$(cat ${TMP_DIR}/server-cert.pem | base64 | tr -d '\n') |
56 |
| -server_key=$(cat ${TMP_DIR}/server-key.pem | base64 | tr -d '\n') |
| 102 | +if [ "$IN_POD" == "true" ]; then |
| 103 | + # Base64 encode secrets and then remove the trailing newline to avoid issues in the curl command |
| 104 | + ca_cert=$(cat ${TMP_DIR}/ca-cert.pem | base64 | tr -d '\n') |
| 105 | + ca_key=$(cat ${TMP_DIR}/ca-key.pem | base64 | tr -d '\n') |
| 106 | + server_cert=$(cat ${TMP_DIR}/server-cert.pem | base64 | tr -d '\n') |
| 107 | + server_key=$(cat ${TMP_DIR}/server-key.pem | base64 | tr -d '\n') |
57 | 108 |
|
58 |
| -# Create the secret resource |
59 |
| -echo "Creating a secret for the certificate and keys" |
60 |
| -curl -ik \ |
61 |
| - -X POST \ |
62 |
| - -H "Authorization: Bearer $(cat /var/run/secrets/kubernetes.io/serviceaccount/token)" \ |
63 |
| - -H 'Accept: application/json' \ |
64 |
| - -H 'Content-Type: application/json' \ |
65 |
| - -d '{ |
66 |
| - "kind": "Secret", |
67 |
| - "apiVersion": "v1", |
68 |
| - "metadata": { |
69 |
| - "name": "spark-webhook-certs", |
70 |
| - "namespace": "'"$NAMESPACE"'" |
71 |
| - }, |
72 |
| - "data": { |
73 |
| - "ca-cert.pem": "'"$ca_cert"'", |
74 |
| - "ca-key.pem": "'"$ca_key"'", |
75 |
| - "server-cert.pem": "'"$server_cert"'", |
76 |
| - "server-key.pem": "'"$server_key"'" |
77 |
| - } |
78 |
| -}' \ |
79 |
| -https://kubernetes.default.svc/api/v1/namespaces/${NAMESPACE}/secrets |
| 109 | + # Create the secret resource |
| 110 | + echo "Creating a secret for the certificate and keys" |
| 111 | + curl -ik \ |
| 112 | + -X POST \ |
| 113 | + -H "Authorization: Bearer $(cat /var/run/secrets/kubernetes.io/serviceaccount/token)" \ |
| 114 | + -H 'Accept: application/json' \ |
| 115 | + -H 'Content-Type: application/json' \ |
| 116 | + -d '{ |
| 117 | + "kind": "Secret", |
| 118 | + "apiVersion": "v1", |
| 119 | + "metadata": { |
| 120 | + "name": "spark-webhook-certs", |
| 121 | + "namespace": "'"$NAMESPACE"'" |
| 122 | + }, |
| 123 | + "data": { |
| 124 | + "ca-cert.pem": "'"$ca_cert"'", |
| 125 | + "ca-key.pem": "'"$ca_key"'", |
| 126 | + "server-cert.pem": "'"$server_cert"'", |
| 127 | + "server-key.pem": "'"$server_key"'" |
| 128 | + } |
| 129 | + }' \ |
| 130 | + https://kubernetes.default.svc/api/v1/namespaces/${NAMESPACE}/secrets |
| 131 | +else |
| 132 | + kubectl create secret --namespace=${NAMESPACE} generic spark-webhook-certs --from-file=${TMP_DIR}/ca-key.pem --from-file=${TMP_DIR}/ca-cert.pem --from-file=${TMP_DIR}/server-key.pem --from-file=${TMP_DIR}/server-cert.pem |
| 133 | +fi |
80 | 134 |
|
81 | 135 | # Clean up after we're done.
|
82 | 136 | printf "\nDeleting ${TMP_DIR}.\n"
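Review bot: In the `IN_POD` branch the `curl` call (new-side lines 111–130) still cannot fail the script: without `--fail`, an HTTP 403 or 409 from the API server exits 0, so `set -e` does not stop the run and the temp directory is deleted as if the secret had been created, whereas the new `kubectl create secret` branch does abort on error. Adding `--fail` to the curl options makes the two branches behave the same. The same call keeps `-k`, which skips TLS verification of the in-cluster API server even though the service-account mount the bearer token is read from also provides the cluster CA; `--cacert /var/run/secrets/kubernetes.io/serviceaccount/ca.crt` would replace it with no new dependency. `${NAMESPACE}` is now a user-supplied option value and is unquoted on the kubectl line and in the curl URL; write it as `"${NAMESPACE}"` so a value containing whitespace cannot split into extra arguments. Both branches also store `ca-key.pem` in the secret alongside the server key; if the operator only needs the CA certificate for the webhook caBundle, the CA private key could presumably be left out — confirm against the consumer.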
|
|