alexvanin/certificates
1
0
Fork 0
forked from TrueCloudLab/certificates
Code Pull requests Activity

check for permissions init autocert deploy script

Browse source
This commit is contained in:
Mike Malone 2019-02-06 13:56:33 -08:00
parent 74114a6234
commit 3a516d92aa
1 changed files with 75 additions and 5 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

80
autocert/init/autocert.sh
View file

@ -1,16 +1,83 @@
#!/bin/bash #!/bin/bash
#set -x #set -x
set -e
echo "Welcome to Autocert configuration. Press any key to begin." echo "Welcome to Autocert configuration. Press return to begin."
read ANYKEY read ANYKEY
STEPPATH=/home/step/.step STEPPATH=/home/step/.step
CA_PASSWORD=$(head /dev/urandom | tr -dc A-Za-z0-9 | head -c 32 ; echo '') CA_PASSWORD=$(head /dev/urandom | tr -dc A-Za-z0-9 | head -c 32 ; echo '')
AUTOCERT_PASSWORD=$(head /dev/urandom | tr -dc A-Za-z0-9 | head -c 32 ; echo '') AUTOCERT_PASSWORD=$(head /dev/urandom | tr -dc A-Za-z0-9 | head -c 32 ; echo '')
echo -e "\e[1mChecking cluster permissions...\e[0m"
function permission_error {
# TODO: Figure out the actual service account instead of assuming default.
echo
echo -e "\033[0;31mPERMISSION ERROR\033[0m"
echo "Set permissions by running the following command, then try again:"
echo -e "\e[1m"
echo " kubectl create clusterrolebinding autocert-init-binding \\"
echo " --clusterrole cluster-admin \\"
echo " --user \"system:serviceaccount:default:default\""
echo -e "\e[0m"
echo "Once setup is complete you can remove this binding by running:"
echo -e "\e[1m"
echo " kubectl delete clusterrolebinding autocert-init-binding"
echo -e "\e[0m"
exit 1
}
echo -n "Checking for permission to create step namespace: "
kubectl auth can-i create namespaces
if [ $? -ne 0 ]; then
permission_error "create step namespace"
fi
echo -n "Checking for permission to create configmaps in step namespace: "
kubectl auth can-i create configmaps --namespace step
if [ $? -ne 0 ]; then
permission_error "create configmaps"
fi
echo -n "Checking for permission to create secrets in step namespace: "
kubectl auth can-i create secrets --namespace step
if [ $? -ne 0 ]; then
permission_error "create secrets"
fi
echo -n "Checking for permission to create deployments in step namespace: "
kubectl auth can-i create deployments --namespace step
if [ $? -ne 0 ]; then
permission_error "create deployments"
fi
echo -n "Checking for permission to create services in step namespace: "
kubectl auth can-i create services --namespace step
if [ $? -ne 0 ]; then
permission_error "create services"
fi
echo -n "Checking for permission to create cluster role: "
kubectl auth can-i create clusterrole
if [ $? -ne 0 ]; then
permission_error "create cluster roles"
fi
echo -n "Checking for permission to create cluster role binding:"
kubectl auth can-i create clusterrolebinding
if [ $? -ne 0 ]; then
permission_error "create cluster role bindings"
exit 1
fi
# Setting this here on purpose, after the above section which explicitly checks
# for and handles exit errors.
set -e
step ca init \ step ca init \
--name "$CA_NAME" \ --name "$CA_NAME" \
--dns "$CA_DNS" \ --dns "$CA_DNS" \
@ -84,11 +151,14 @@ webhooks:
autocert.step.sm: enabled autocert.step.sm: enabled
EOF EOF
FINGERPRINT=$(step certificate fingerprint $(step path)/certs/root_ca.crt)
echo echo
echo -e "\e[1mAutocert installed!\e[0m" echo -e "\e[1mAutocert installed!\e[0m"
echo echo
echo "Store these passwords somewhere safe:" echo "Store this information somewhere safe:"
echo " CA & admin provisioner password: $CA_PASSWORD" echo " CA & admin provisioner password: ${CA_PASSWORD}"
echo " Autocert password: $AUTOCERT_PASSWORD" echo " Autocert password: ${AUTOCERT_PASSWORD}"
echo " CA Fingerprint: ${FINGERPRINT}"
echo echo