diff --git a/Makefile.ibi b/Makefile.ibi index 018f363..4fc6b57 100644 --- a/Makefile.ibi +++ b/Makefile.ibi @@ -78,15 +78,21 @@ ibi-certs: ./ibi/generate_certs.sh $(IBI_CLUSTER_NAME) $(IBI_DOMAIN) .PHONY: $(IBI_CLUSTER_CONFIG_PATH) -$(IBI_CLUSTER_CONFIG_PATH): +$(IBI_CLUSTER_CONFIG_PATH): ibi-certs mkdir -p $(shell dirname $(IBI_CLUSTER_CONFIG_PATH)) rm -rf $@ - MASTER_IP=$(shell virsh domifaddr ${IBI_VM_NAME} | grep ipv4 | awk -F " " '{print $$4}' | cut -d'/' -f1) \ + NODE_IP=$(shell virsh domifaddr ${IBI_VM_NAME} | grep ipv4 | awk -F " " '{print $$4}' | cut -d'/' -f1) \ CLUSTER_ID=$(shell uuidgen) \ VM_NAME=$(IBI_VM_NAME) \ + SEED_VERSION=$(SEED_VERSION) \ CLUSTER_NAME=$(IBI_CLUSTER_NAME) \ DOMAIN=$(IBI_DOMAIN) \ HOSTNAME=$(IBI_HOSTNAME) \ + LOCALHOST_SIGNER_PRIVATE_KEY="$(shell awk 'NF {sub(/\r/, ""); printf "%s\\n",$$0;}' ibi-certs/localhost-serving-signer-key.pem)" \ + SERVICE_NETWORK_SIGNER_PRIVATE_KEY="$(shell awk 'NF {sub(/\r/, ""); printf "%s\\n",$$0;}' ibi-certs/service-network-serving-signer-key.pem)" \ + LOADBALANCER_SIGNER_PRIVATE_KEY="$(shell awk 'NF {sub(/\r/, ""); printf "%s\\n",$$0;}' ibi-certs/loadbalancer-serving-signer-key.pem)" \ + ADMIN_CA_CERT="$(shell awk 'NF {sub(/\r/, ""); printf "%s\\n",$$0;}' ibi-certs/admin-kubeconfig-signer.crt)" \ + INGRESS_CA_KEY="$(shell awk 'NF {sub(/\r/, ""); printf "%s\\n",$$0;}' ibi-certs/ingresskey-ingress-operator-key.pem)" \ envsubst < $(IBI_CLUSTER_CONFIG_TEMPLATE) > $@ .PHONY: $(IBI_CLUSTER_CONFIG_MANIFESTS) @@ -97,7 +103,7 @@ $(IBI_CLUSTER_CONFIG_MANIFESTS): ibi-config: $(IBI_CLUSTER_CONFIG_PATH) $(IBI_CLUSTER_CONFIG_MANIFESTS) .PHONY: ibi-config.iso -ibi-config.iso: ibi-certs ibi-config ## Create ibi-config.iso +ibi-config.iso: ibi-config ## Create ibi-config.iso mkisofs -o $@ -R -V "relocation-config" $(IBI_CONFIG_DIR) cp $@ $(LIBVIRT_IMAGE_PATH) diff --git a/ibi-manifest.template b/ibi-manifest.template index feac363..8ed2c86 100644 --- a/ibi-manifest.template +++ b/ibi-manifest.template @@ -1,2 +1,24 @@ -{"version":"4.14.5","domain":"${DOMAIN}","cluster_name":"${CLUSTER_NAME}","cluster_id":"${CLUSTER_ID}","master_ip":"${MASTER_IP}","release_registry":"quay.io","hostname":"${HOSTNAME}"} - +{ + "api_version": 1, + "base_domain": "${DOMAIN}", + "cluster_name": "${CLUSTER_NAME}", + "cluster_id": "${CLUSTER_ID}", + "node_ip": "${NODE_IP}", + "release_registry": "quay.io", + "hostname": "${HOSTNAME}", + "KubeconfigCryptoRetention": { + "KubeAPICrypto": { + "ServingCrypto": { + "localhost_signer_private_key": "${LOCALHOST_SIGNER_PRIVATE_KEY}", + "service_network_signer_private_key": "${SERVICE_NETWORK_SIGNER_PRIVATE_KEY}", + "loadbalancer_external_signer_private_key": "${LOADBALANCER_SIGNER_PRIVATE_KEY}" + }, + "ClientAuthCrypto": { + "admin_ca_certificate": "${ADMIN_CA_CERT}" + } + }, + "IngresssCrypto": { + "ingress_ca": "${INGRESS_CA_KEY}" + } + } +} diff --git a/ibi/generate_certs.sh b/ibi/generate_certs.sh index ebbbb31..0869fb9 100755 --- a/ibi/generate_certs.sh +++ b/ibi/generate_certs.sh @@ -58,9 +58,6 @@ openssl req -new -key "${CERT_DIR}/${USER_NAME}-key.pem" -out "${CERT_DIR}/${USE # Sign the user's CSR with the CA openssl x509 -req -in "${CERT_DIR}/${USER_NAME}-csr.pem" -CA "${CERT_DIR}/${CA_NAME}.crt" -CAkey "${CERT_DIR}/${CA_NAME}-key.pem" -CAcreateserial -out "${CERT_DIR}/${USER_NAME}-crt.pem" -days 365 -# Copy the CA certificate used to sign the system:admin-crt.pem into config/certs as the admin-kubeconfig-client-ca.crt -cp "${CERT_DIR}/${CA_NAME}.crt" ${CONFIG_CERT_DIR}/admin-kubeconfig-client-ca.crt - # Function to generate keys and self-signed certificates generate_self_signed_certs() { local SIGNER_NAME="$1" @@ -74,8 +71,6 @@ generate_self_signed_certs() { # Self-sign the CSR to generate the CA certificate openssl x509 -req -in "${CERT_DIR}/${SIGNER_NAME}-csr.pem" -signkey "${CERT_DIR}/${SIGNER_NAME}-key.pem" -out "${CERT_DIR}/${SIGNER_NAME}.crt" -days 365 -extensions v3_req -extfile "$config_file" - # Copy the signer key to the certs dir under the config directory - cp "${CERT_DIR}/${SIGNER_NAME}-key.pem" ${CONFIG_CERT_DIR}/${SIGNER_NAME}.key } # Generate serving-signer certificates