Initial commit

.editorconfig

@@ -0,0 +1,9 @@
+root = true
+
+[*.cr]
+charset = utf-8
+end_of_line = lf
+insert_final_newline = true
+indent_style = space
+indent_size = 2
+trim_trailing_whitespace = true

.gitignore

@@ -0,0 +1,5 @@
+/docs/
+/lib/
+/bin/
+/.shards/
+*.dwarf

LICENSE

@@ -0,0 +1,21 @@
+The MIT License (MIT)
+
+Copyright (c) 2019 Gerry
+
+Permission is hereby granted, free of charge, to any person obtaining a copy
+of this software and associated documentation files (the "Software"), to deal
+in the Software without restriction, including without limitation the rights
+to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+copies of the Software, and to permit persons to whom the Software is
+furnished to do so, subject to the following conditions:
+
+The above copyright notice and this permission notice shall be included in
+all copies or substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN
+THE SOFTWARE.

README.md

@@ -0,0 +1,45 @@
+# gencert
+
+Generate simple certs simply
+
+## Installation
+
+1. [Download gencert](https://github.com/gerrywastaken/gencert/releases/tag/v0.1.0) (currently only Linux) and run it.
+2. There is no step 2
+
+## Usage
+
+Kubernetes the ummmm... hard way cert generation:
+
+```
+gencert ca /CN=KUBERNETES-CA
+gencert admin /CN=admin/O=system:masters
+gencert kube-controller-manager /CN=system:kube-controller-manager
+gencert kube-proxy /CN=system:kube-proxy
+gencert kube-scheduler /CN=system:kube-scheduler
+gencert service-account /CN=service-accounts
+
+gencert kube-apiserver /CN=kube-apiserver -c ../openssl.cnf
+gencert etcd-server /CN=etcd-server -c ../openssl-etcd.cnf
+gencert worker-1 /CN=system:node:worker-1/O=system:nodes -c ../openssl-worker-1.cnf
+```
+
+## Development
+
+1. Install Crystal: https://crystal-lang.org/install/
+2. Download this code and navigate to the directory
+3. Make your change
+4. Compile: `shards build --debug gencert`
+5. Test: `bin/gencert --help`
+
+## Contributing
+
+1. Fork it (<https://github.com/your-github-user/boo/fork>)
+2. Create your feature branch (`git checkout -b my-new-feature`)
+3. Commit your changes (`git commit -am 'Add some feature'`)
+4. Push to the branch (`git push origin my-new-feature`)
+5. Create a new Pull Request
+
+## Contributors
+
+- [Gerry](https://github.com/gerrywastaken) - creator and maintainer

examples/kuberntes_the_hard_way.sh

@@ -0,0 +1,40 @@
+#!/bin/bash
+
+script_name=$0
+script_full_path=$(dirname "$0")
+echo $script_full_path
+
+if [ "$script_full_path" != "." ]; then
+  echo "This script must be run fron within the \`examples\` directory"
+  exit
+fi
+
+PATH=$PATH:../bin
+
+gencert ca /CN=KUBERNETES-CA
+
+gencert admin /CN=admin/O=system:masters
+gencert kube-controller-manager /CN=system:kube-controller-manager
+gencert kube-proxy /CN=system:kube-proxy
+gencert kube-scheduler /CN=system:kube-scheduler
+gencert service-account /CN=service-accounts
+
+gencert kube-apiserver /CN=kube-apiserver \
+  --dns kubernetes \
+  --dns kubernetes.default \
+  --dns kubernetes.default.svc \
+  --dns kubernetes.default.svc.cluster.local \
+  --ip 10.96.0.1 \
+  --ip 192.168.5.11 \
+  --ip 192.168.5.12 \
+  --ip 192.168.5.30 \
+  --ip 127.0.0.1
+
+gencert etcd-server /CN=etcd-server \
+  --ip 192.168.5.11 \
+  --ip 192.168.5.12 \
+  --ip 127.0.0.1
+
+gencert worker-1 /CN=system:node:worker-1/O=system:nodes \
+  --dns worker-1 \
+  --ip 192.168.5.21

shard.lock

@@ -0,0 +1,6 @@
+version: 1.0
+shards:
+  admiral:
+    github: jwaldrip/admiral.cr
+    version: 1.9.0
+

shard.yml

@@ -0,0 +1,21 @@
+name: gencert
+version: 0.1.0
+
+authors:
+  - Gerry <[email protected]>
+
+targets:
+  gencert:
+    main: src/main.cr
+
+crystal: 0.31.1
+
+license: MIT
+
+dependencies:
+  # This just makes creating a CLI tool easy by extracting arguments.
+  admiral:
+    # Using my fork until I hear back from the author on this issue:
+    # https://github.com/jwaldrip/admiral.cr/issues/23
+    github: gerrywastaken/admiral.cr
+    # github: jwaldrip/admiral.cr

src/data.cr

@@ -0,0 +1,51 @@
+class Data
+  def self.help_text
+    <<-DOC
+      # Kubernetes the ummmm... hard way cert generation:
+
+      # This script expects a ca.crt and ca.key to exist in the current directory.
+      # If you don't have one you can just generate it:
+
+      gencert ca /CN=KUBERNETES-CA
+      
+      gencert admin /CN=admin/O=system:masters
+      gencert kube-controller-manager /CN=system:kube-controller-manager
+      gencert kube-proxy /CN=system:kube-proxy
+      gencert kube-scheduler /CN=system:kube-scheduler
+      gencert service-account /CN=service-accounts
+      
+      # Pass alternate ips or domains to associate with the certificate
+
+      gencert kube-apiserver /CN=kube-apiserver \
+        --dns kubernetes \
+        --dns kubernetes.default \
+        --dns kubernetes.default.svc \
+        --dns kubernetes.default.svc.cluster.local \
+        --ip 10.96.0.1 \
+        --ip 192.168.5.11 \
+        --ip 192.168.5.12 \
+        --ip 192.168.5.30 \
+        --ip 127.0.0.1
+
+      # Or you can just pass an openssl config file
+
+      gencert etcd-server /CN=etcd-server -c ../openssl-etcd.cnf
+      gencert worker-1 /CN=system:node:worker-1/O=system:nodes -c ../openssl-worker-1.cnf
+      DOC
+  end
+
+  def self.openssl_template
+    <<-TEMPLATE
+      [req]
+      req_extensions = v3_req
+      distinguished_name = req_distinguished_name
+      [req_distinguished_name]
+      [ v3_req ]
+      basicConstraints = CA:FALSE
+      keyUsage = nonRepudiation, digitalSignature, keyEncipherment
+      subjectAltName = @alt_names
+      [alt_names]
+
+      TEMPLATE
+  end
+end

src/kube_certs.cr

@@ -0,0 +1,51 @@
+require "./data"
+
+# Class for generating the Certs for setting up a simple kubernetes cluster
+# The goal was to make the cert generation in Kubernetes the hard way
+# much more simple.
+class KubeCerts
+  # Generate an OpenSSL config file for specifiying alternate DNS and IP
+  # entries to associate with the certificate.
+  def gen_config(dns : Array(String), ips : Array(String))
+    return if dns.empty? && ips.empty?
+
+    openssl_config = Data.openssl_template
+
+    dns.each_with_index(offset: 1) do |dns, i|
+      openssl_config += "DNS.#{i} = #{dns}\n"
+    end
+    ips.each_with_index(offset: 1) do |ip, i|
+      openssl_config += "IP.#{i} = #{ip}\n"
+    end
+
+    openssl_config
+  end
+
+  def gen_commands(name, subject, config_file = nil, gen_ca = false)
+    req_config = config_file ? " -config #{config_file}" : "" 
+    req_config_2 = config_file ? " -extensions v3_req -extfile #{config_file}" : ""
+    ca_args = gen_ca ? "-signkey ca.key" : "-CA ca.crt -CAkey ca.key"
+    # Create private key for CA
+    # Create CSR using the private key
+    # Self sign the csr using its own private key
+    <<-COMMANDS
+      openssl genrsa -out #{name}.key 2048
+      openssl req -new -key #{name}.key -subj "#{subject}" -out #{name}.csr#{req_config}
+      openssl x509 -req -in #{name}.csr #{ca_args} -CAcreateserial -out #{name}.crt#{req_config_2} -days 1000
+      COMMANDS
+  end
+
+  def gen(name, subject, ips, dns, config_file = nil, gen_ca = false, verbose = true, live = false)
+    generated_config_file = gen_config(dns, ips)
+    if generated_config_file
+      puts "---#{name}.cnf---", generated_config_file if verbose
+      config_file = "#{name}.cnf"
+
+      File.write(config_file, generated_config_file) if live
+    end
+
+    str = gen_commands(name, subject, config_file: config_file, gen_ca: gen_ca)
+    puts "---commands---", str if verbose
+    str.lines.each { |line| `#{line}` } if live
+  end
+end

src/main.cr

@@ -0,0 +1,82 @@
+require "admiral"
+require "./kube_certs"
+require "./data"
+
+class Main < Admiral::Command
+  define_help
+
+  define_argument name,
+    description: "The name of the certificate pair to generate",
+    required: true
+
+  define_argument subject,
+    description: "The subject string to set for the certificate. e.g. \"/CN=admin/O=system:masters\"",
+    required: true
+
+  define_flag config_file : String,
+    description: "A config file to pass when generating the cert",
+    default: nil,
+    long: "config",
+    short: "c"
+
+  define_flag verbose : Bool,
+    description: "Output the actual openssl commands that are to be run",
+    default: false,
+    short: "v"
+
+  define_flag dry_run : Bool,
+    description: "Don't actually generate certificates (also turns on verbose mode)",
+    default: false,
+    short: "v"
+
+  define_flag dns : Array(String),
+    description: "Alternative domain that is valid for this certificate (you can specify this command multiple times)",
+    default:  [] of String
+
+  define_flag ip : Array(String),
+    description: "Alternative IP that is valid for this certificate (you can specify this command multiple times)",
+    default: [] of String
+
+  def run
+    check_openssl unless flags.dry_run
+
+    # If dry-run is set then we automatically turn on verbose mode as this is the main
+    # reason to run in dry-run mode. Some may wish to use this as a saftey switch but
+    # they can just not call the command so I'll only cater to the common use case.
+    verbose = flags.dry_run || flags.verbose
+
+    kc = KubeCerts.new
+    kc.gen(
+      arguments.name,
+      arguments.subject,
+      config_file: flags.config_file,
+      dns: flags.dns,
+      ips: flags.ip,
+      gen_ca: (arguments.name == "ca"),
+      verbose: verbose,
+      live: !flags.dry_run
+    )
+  end
+
+  def help
+    description = "Generate simple certs simply"
+    long_description = Data.help_text
+
+    puts [
+      help_usage,
+      description,
+      long_description,
+      help_flags,
+      help_arguments,
+      help_sub_commands
+    ].reject(&.strip.empty?).join("\n")
+  end
+
+  def check_openssl
+    `which openssl`
+
+    abort("You must have `openssl` installed and available on your PATH in order to use this tool") unless $?.success?
+  end
+end
+
+Main.run