Sign upLogin

cloudfoundry/stratos

View on GitHub
Star
deploy/containers/config-init/config-init.sh

Summary

Maintainability
Test Coverage
#!/bin/bash

echo "============================================"
echo "Stratos Configuration Init Job"
echo "============================================"
echo ""
echo "Generating Secrets"
echo ""
echo "NAMESPACE                   : ${NAMESPACE}"
echo "RELEASE_NAME                : ${RELEASE_NAME}"
echo "RELEASE_REVISION            : ${RELEASE_REVISION}"
echo "IS_UPGRADE                  : ${IS_UPGRADE}"
echo "CONSOLE_TLS_SECRET_NAME     : ${CONSOLE_TLS_SECRET_NAME}"
echo ""
echo "============================================"
echo ""

# Kubernetes token
KUBE_TOKEN=$(</var/run/secrets/kubernetes.io/serviceaccount/token)
KUBE_API_SERVER=https://$KUBERNETES_SERVICE_HOST:$KUBERNETES_PORT_443_TCP_PORT

function deleteSecret {
  SECRET_NAME=$1

  # Delete the old secret
  curl -k -s \
       --fail \
      -X DELETE \
      -d @- \
      -H "Authorization: Bearer $KUBE_TOKEN" \
      -H 'Accept: application/json' \
      -H 'Content-Type: application/json' \
      ${KUBE_API_SERVER}/api/v1/namespaces/${NAMESPACE}/secrets/${RELEASE_NAME}-${SECRET_NAME} > /dev/null 2>&1 <<'EOF' 
  {}
EOF
  DELETED=$?
  if [ $DELETED -ne 0 ]; then
    echo "Unable to delete secret: ${RELEASE_NAME}-${SECRET_NAME} - error code: ${DELETED}"
  fi
}

function generateCert {
  echo "Using cert generator to generate a self-signed certificate ..."
  export CERTS_PATH=./certs
  export DEV_CERTS_DOMAIN=tls
  mkdir -p ${CERTS_PATH}
  /generate_cert.sh
  CERT_CRT=$(cat ${CERTS_PATH}/tls.crt | base64 -w 0)
  CERT_KEY=$(cat ${CERTS_PATH}/tls.key | base64 -w 0)
  rm -rf ${CERTS_PATH}
}

###
# --delete flag is used in the cleanup hook to remove the secret
###
if [ "$1" == "--delete" ]; then
  echo "Cleanup up - delete hook"
  # Delete the old secrets
  deleteSecret "key"
  deleteSecret "cert"
  exit 0
fi

###############################################################################################################################
# Encryption key
###############################################################################################################################

KEY=""

# Just look for the secret - if its not there, we need to create it - otherwise leave it alone

# Check whether the secret already exists
echo "Checking encryption key secret does not already exist ..."
curl -k -s \
    --fail \
    -H "Authorization: Bearer $KUBE_TOKEN" \
    -H 'Content-Type: application/json' \
    ${KUBE_API_SERVER}/api/v1/namespaces/${NAMESPACE}/secrets/${RELEASE_NAME}-key > ./key.json 2>&1

EXISTS=$?
rm -f key.json
if [ $EXISTS -eq 0 ]; then
  echo "Encryption Key secret already exists - nothing to do"
else
  echo "Fresh installation - generating a new Encryption Key secret"

  # Generate a random encryption key
  echo "Generating a new Encryption Key ..."
  KEY=$(openssl enc -aes-256-cbc -k secret -P -md sha1 | grep key | cut -d '=' -f2 | base64 -w 0)

  # We will create a new secret for the encryption key
  cat << EOF > create-key-secret.yaml
  {
    "kind": "Secret",
    "apiVersion": "v1",
    "type": "Opaque",
    "metadata": {
      "name": "@@NAME@@",
      "labels": {
        "stratos-helm-resource": "@@NAME@@",
        "app.kubernetes.io/name": "stratos",
        "app.kubernetes.io/instance": "@@RELEASE_NAME@@"
      }
    },
    "data": {
      "key": "@@KEY@@"
    }
  }
EOF

  NAME="${RELEASE_NAME}-key"
  sed -i.bak "s/@@NAME@@/${NAME}/g" create-key-secret.yaml
  sed -i.bak "s/@@KEY@@/${KEY}/g" create-key-secret.yaml
  sed -i.bak "s/@@RELEASE_NAME@@/${RELEASE_NAME}/g" create-key-secret.yaml

  echo "Creating secret for the Encryption Key: ${NAME}"

  # Create secret for the Encryption Key
  curl -k -s \
      --fail \
      -X POST \
      -d @create-key-secret.yaml \
      -H "Authorization: Bearer $KUBE_TOKEN" \
      -H 'Accept: application/json' \
      -H 'Content-Type: application/json' \
      ${KUBE_API_SERVER}/api/v1/namespaces/${NAMESPACE}/secrets > /dev/null 2>&1

  RET_CREATE=$?
  echo "Create Encryption Key secret exit code: $RET_CREATE"
  rm -rf create-key-secret.yaml
  if [ $RET_CREATE -ne 0 ]; then
    echo "Error creating Encryption Key secret"
    exit $RET_CREATE
  fi

  echo "Encryption key init complete"

fi

echo ""
echo "============================================"

###############################################################################################################################
# TLS Certificate
###############################################################################################################################

echo "Checking TLS Certificate ..."

# Start with these empty to indicate we won't create a secret for the TLS certificate
CERT_CRT=""
CERT_KEY=""

# If CONSOLE_TLS_SECRET_NAME is set, then we don't need to create a certificate
if [ -n "${CONSOLE_TLS_SECRET_NAME}" ]; then
  echo "Console is using secret ${CONSOLE_TLS_SECRET_NAME} to provide TLS certificate - nothing to do"
else
  curl -k -s \
      --fail \
      -H "Authorization: Bearer $KUBE_TOKEN" \
      -H 'Content-Type: application/json' \
      ${KUBE_API_SERVER}/api/v1/namespaces/${NAMESPACE}/secrets/${RELEASE_NAME}-cert > ./cert.json 2>&1

  EXISTS=$?
  if [ $EXISTS -eq 0 ]; then
    echo "Certificate secret already exists - nothing to do"
  else

    # Need a new certificate
    echo "New certificate needed ..."
    generateCert

    # We will create a new secret for the certificate
    cat << EOF > create-cert-secret.yaml
    {
      "kind": "Secret",
      "apiVersion": "v1",
      "type": "kubernetes.io/tls",
      "metadata": {
        "name": "@@NAME@@",
        "labels": {
          "stratos-helm-resource": "@@NAME@@",
          "app.kubernetes.io/name": "stratos",
          "app.kubernetes.io/instance": "@@RELEASE_NAME@@"
        }
      },
      "data": {
        "tls.crt": "@@CRT@@",
        "tls.key": "@@KEY@@"
      }
    }
EOF

    NAME="${RELEASE_NAME}-cert"

    sed -i.bak "s/@@NAME@@/${NAME}/g" create-cert-secret.yaml
    sed -i.bak "s/@@RELEASE_NAME@@/${RELEASE_NAME}/g" create-cert-secret.yaml
    sed -i.bak "s/@@CRT@@/${CERT_CRT}/g" create-cert-secret.yaml
    sed -i.bak "s/@@KEY@@/${CERT_KEY}/g" create-cert-secret.yaml

    # Create secret for the Certificate
    echo "Creating secret for the Certificate: ${NAME}"
    curl -k -s \
        --fail \
        -X POST \
        -d @create-cert-secret.yaml \
        -H "Authorization: Bearer $KUBE_TOKEN" \
        -H 'Accept: application/json' \
        -H 'Content-Type: application/json' \
        ${KUBE_API_SERVER}/api/v1/namespaces/${NAMESPACE}/secrets > /dev/null 2>&1

    RET_CREATE=$?
    echo ""
    echo "Create Certificate secret exit code: $RET_CREATE"
    rm -rf create-cert-secret.yaml
    if [ $RET_CREATE -ne 0 ]; then
      echo "Error creating Certificate secret"
      exit $RET_CREATE
    fi  
  fi
fi

echo ""
echo "============================================"
echo "Stratos init job complete"
echo "============================================"