Add script to generate client certs

thejsj · thejsj · commit 8494a317b336 · 2017-05-29T20:15:54.000-07:00
diff --git a/ansible/roles/docker_client/scripts/genClientCert.sh b/ansible/roles/docker_client/scripts/genClientCert.sh
@@ -1,17 +1,26 @@
 #!/bin/bash
-CERT_PATH=/Users/anandkumarpatel/run/devops-scripts/ansible/certs
 if [[ $1 = '' ]]; then
   echo 'script requires a client name'
   exit 1
 fi
-CLIENT=./files/certs/$1
 
 echo 'WARN: hard coded alpha-api-old gamma-services and beta-services for SWARM'
-# if [[ $2 = '' ]]; then
-#   echo 'script requires a client ip address'
-#   exit 1
-# fi
+if [[ $2 = '' ]]; then
+  echo 'script requires a client ip address'
+  exit 1
+fi
+
+if [[ $3 = '' ]]; then
+  echo 'script requires a path for secrets'
+  exit 1
+fi
+
+CERT_PATH=$3
+if [ ! -d "$CERT_PATH" ]; then
+  echo 'The specified directory for certs does not exist'
+fi
 
+CLIENT=./$CERT_PATH/$1
 mkdir $CLIENT
 
 # generate key for client
@@ -28,16 +37,17 @@ openssl req \
 chmod 400 "$CLIENT/client.csr"
 
 echo extendedKeyUsage=clientAuth,serverAuth > "$CLIENT/extfile.cnf"
-echo subjectAltName=IP:127.0.0.1,DNS:localhost,DNS:swarm >> "$CLIENT/extfile.cnf"
+echo subjectAltName=IP:$2 >> "$CLIENT/extfile.cnf"
 
 # generate cert for client
 openssl x509 \
   -req \
-  -days 3650 \
+  -days 365 \
   -sha256 \
   -in "$CLIENT/client.csr" \
   -CA $CERT_PATH/ca.pem \
   -CAkey $CERT_PATH/ca-key.pem \
+  -passin file:$CERT_PATH/pass \
   -CAcreateserial \
   -out "$CLIENT/cert.pem" \
   -extfile "$CLIENT/extfile.cnf"
@@ -48,4 +58,4 @@ chmod 644 "$CLIENT/key.pem"
 
 # cleanup files we do not need
 rm $CLIENT/extfile.cnf
-rm $CLIENT/client.csr
+rm -f $CLIENT/client.csr
diff --git a/generate-all-client-certs.yml b/generate-all-client-certs.yml
@@ -0,0 +1,21 @@
+---
+- hosts: user-local
+  connection: local
+  tasks:
+  - name: generate client certs
+    shell:
+      cmd: ./roles/docker_client/scripts/genClientCert.sh "{{ item }}" "{{ groups['main'][0] }}"
+      chdir: ./
+    with_items:
+      - "api"
+      - "api-core"
+      - "socket-server"
+      - "api-socket-server"
+      - "workers"
+      - "api-worker"
+      - "khronos"
+      - "palantiri"
+      - "docker-listener"
+      - "shiva"
+      - "sauron"
+      - "swarm-manager"
