4 SCRIPTDIR="$(readlink -f $(dirname ${BASH_SOURCE[0]}))"
5 LIBDIR="$(dirname $(dirname ${SCRIPTDIR}))/env/lib"
7 source $LIBDIR/common.sh
8 source $SCRIPTDIR/common.sh
10 # !!!NOTE!!! THE KEYS USED BELOW ARE FOR TEST PURPOSES ONLY. DO NOT
11 # USE THESE OUTSIDE OF THIS ICN VIRTUAL TEST ENVIRONMENT.
13 function build_istio_root_certs {
14 # Create root CA certs for use by Istio in each cluster
15 clone_istio_repository
16 local -r certs_dir=${SCRIPTDIR}/secrets/certs
19 certs=${ISTIOPATH}/tools/certs
20 make -C ${certs} -f Makefile.selfsigned.mk ROOT_CN="EMCO Root CA" ROOTCA_ORG=project-emco.io root-ca
21 find ${certs}/root-* -exec cp '{}' ${certs_dir} ';'
24 function build_site_source {
26 local -r reuse_credentials=${2:-false}
28 # First decrypt the existing site YAML, otherwise we'll be
29 # attempting to encrypt it twice below
30 if [[ -f ${FLUX_SOPS_PRIVATE_KEY} ]]; then
31 gpg --import ${FLUX_SOPS_PRIVATE_KEY}
32 for yaml in ${site_dir}/cluster/*/*.yaml ${site_dir}/deployment/*.yaml; do
33 sops_decrypt ${yaml} ${site_dir}
37 if ! ${reuse_credentials}; then
38 # Generate user password and authorized key in site YAML
39 # To login to guest, ssh -i ${site_dir}/id_rsa
40 HASHED_PASSWORD=$(mkpasswd --method=SHA-512 --rounds 10000 "mypasswd")
41 ssh-keygen -t rsa -N "" -f ${site_dir}/id_rsa <<<y
42 SSH_AUTHORIZED_KEY=$(cat ${site_dir}/id_rsa.pub)
43 for yaml in ${site_dir}/deployment/*.yaml; do
44 sed -i -e 's!hashedPassword: .*!hashedPassword: '"${HASHED_PASSWORD}"'!' ${yaml}
45 # Use ! instead of usual / to avoid escaping / in
47 sed -i -e 's!sshAuthorizedKey: .*!sshAuthorizedKey: '"${SSH_AUTHORIZED_KEY}"'!' ${yaml}
51 # Create intermediate CA certs for use by Istio in each cluster
52 certs=${ISTIOPATH}/tools/certs
53 for yaml in ${site_dir}/deployment/*.yaml; do
54 name=$(awk '/clusterName:/ {print $2}' ${yaml})
55 if [[ ! -z "${name}" ]]; then
56 certs_dir=${SCRIPTDIR}/secrets/certs/$(basename ${site_dir})
58 make -C ${certs} -f Makefile.selfsigned.mk INTERMEDIATE_CN="EMCO Intermediate CA" INTERMEDIATE_ORG=project-emco.io ${name}-cacerts
59 cp -r ${certs}/${name} ${certs_dir}
60 kubectl create secret generic cacerts -n istio-system --dry-run=client -o yaml \
61 --from-file=${certs}/${name}/ca-cert.pem \
62 --from-file=${certs}/${name}/ca-key.pem \
63 --from-file=${certs}/${name}/root-cert.pem \
64 --from-file=${certs}/${name}/cert-chain.pem >${site_dir}/cluster/${name}/istio-cacerts.yaml
68 # Encrypt the site YAML
69 for yaml in ${site_dir}/cluster/*/*.yaml ${site_dir}/deployment/*.yaml; do
70 sops_encrypt ${yaml} ${FLUX_SOPS_KEY_NAME} ${site_dir}
74 function build_source {
75 create_gpg_key ${FLUX_SOPS_KEY_NAME}
76 # ONLY FOR TEST ENVIRONMENT: save the private key used
77 export_gpg_private_key ${FLUX_SOPS_KEY_NAME} >${FLUX_SOPS_PRIVATE_KEY}
79 build_istio_root_certs
81 build_site_source ${SCRIPTDIR}/vm-mc
82 build_site_source ${SCRIPTDIR}/vm
83 build_site_source ${SCRIPTDIR}/pod11 true # re-use existing credentials in site
87 "create-gpg-key") create_gpg_key $2 ;;
88 "sops-encrypt-site") sops_encrypt $2 $3 ;;
90 if [[ $# -eq 2 ]]; then
96 "flux-create-site") flux_create_site $2 $3 $4 $5;;
97 "build-source") build_source ;;
99 Usage: $(basename $0) COMMAND
102 build-source - Rebuild the in-tree site files
103 create-gpg-key KEY_NAME - Create GPG keypair in local keyring
104 sops-encrypt-site SITE_YAML KEY_NAME - Encrypt SITE_YAML secrets with KEY_NAME
105 sops-decrypt-site SITE_YAML [SITE_DIR] - Decrypt SITE_YAML secrets
106 flux-create-site URL BRANCH PATH KEY_NAME - Create Flux resources to deploy site