functions/SoftwareInstall/GenerateCertificates.ps1
<#
.SYNOPSIS GenerateCertificates .DESCRIPTION GenerateCertificates .INPUTS GenerateCertificates - The name of GenerateCertificates .OUTPUTS None .EXAMPLE GenerateCertificates .EXAMPLE GenerateCertificates #> function GenerateCertificates() { [CmdletBinding()] [OutputType([string])] param ( [Parameter(Mandatory = $true)] [ValidateNotNullOrEmpty()] [string] $CertHostName , [Parameter(Mandatory = $true)] [ValidateNotNullOrEmpty()] [string] $CertPassword ) Write-Verbose 'GenerateCertificates: Starting' Set-StrictMode -Version latest # stop whenever there is an error $ErrorActionPreference = "Stop" [Diagnostics.CodeAnalysis.SuppressMessageAttribute("PSAvoidUsingCmdletAliases", "", Justification = "We're calling linux commands")] $sslsecret = $(kubectl get secret fabric-ssl-cert -n kube-system --ignore-not-found=true) if (!$sslsecret) { $certfolder = Read-Host -Prompt "Location of SSL cert files (tls.crt and tls.key): (leave empty to generate self-signed certificates)" if (!$certfolder) { $ClientCertUser = "fabricrabbitmquser" $certfolder = "/opt/healthcatalyst/certs" Write-Host "Generating self-signed SSL certificate" $u = "$(whoami)" Write-Host "Creating folder: $certfolder and giving access to $u" sudo mkdir -p "$certfolder" sudo setfacl -m u:${u}:rwx "$certfolder" cd "$certfolder" Write-Host "Cleaning out the folder" sudo rm -rf * echo "------- $certfolder ------" ls -al "$certfolder" echo "---------------------------" Write-Host "Running docker container, fabric.docker.certificategenerator, to generate certificates" sudo docker pull healthcatalyst/fabric.docker.certificategenerator sudo docker run --rm -v ${certfolder}:/opt/certs/ ` -e CERT_HOSTNAME="$CertHostName" ` -e CERT_PASSWORD="$CertPassword" ` -e CLIENT_CERT_USER="$ClientCertUser" ` --name fabric.docker.certificategenerator ` -t healthcatalyst/fabric.docker.certificategenerator # use the cert with the chain sudo cp $certfolder/server/tls.crt $certfolder/server/tls-single.crt sudo cp $certfolder/server/tlschain.crt $certfolder/server/tls.crt echo "------- $certfolder/testca ------" ls -al "$certfolder/testca" echo "---------------------------" echo "------- $certfolder/server ------" ls -al "$certfolder/server" echo "---------------------------" echo "------- $certfolder/client ------" ls -al "$certfolder/client" echo "---------------------------" # https://gist.github.com/fntlnz/cf14feb5a46b2eda428e000157447309 kubectl delete secret fabric-ca-cert -n kube-system --ignore-not-found=true kubectl create secret tls fabric-ca-cert -n kube-system --key "testca/rootCA.key" --cert "testca/rootCA.crt" kubectl delete secret fabric-client-cert -n kube-system --ignore-not-found=true kubectl create secret tls fabric-client-cert -n kube-system --key "client/client.key" --cert "client/client.crt" sudo cp testca/rootCA.p12 fabric_ca_cert.p12 sudo cp client/client.p12 fabricrabbitmquser_client_cert.p12 kubectl delete secret fabric-ssl-download-cert -n kube-system --ignore-not-found=true kubectl create secret generic fabric-ssl-download-cert -n kube-system ` --from-file="fabric_ca_cert.p12" ` --from-file="fabricrabbitmquser_client_cert.p12" # remove *.csr, *.key, *.crt, *.srl cd "~" $certfolder = "$certfolder/server" } else { Write-Host "TLS files specified so using then" } echo "------ $certfolder ------" ls -al "$certfolder" echo "------------------------" Write-Host "Deleting any old TLS certs" kubectl delete secret fabric-ssl-cert -n kube-system --ignore-not-found=true Write-Host "Storing TLS certs as kubernetes secret" kubectl create secret tls fabric-ssl-cert -n kube-system --key "$certfolder/tls.key" --cert "$certfolder/tls.crt" # kubectl create secret generic kubernetes-dashboard-certs --from-file=$HOME/certs -n kube-system CreateNamespaceIfNotExists -namespace "fabricrealtime" # copy secrets to fabricrealtime namespace [string] $secretName = "fabric-ca-cert" kubectl get secret $secretName --namespace=kube-system --export -o yaml | kubectl apply --namespace=fabricrealtime -f - [string] $secretName = "fabric-ssl-cert" kubectl get secret $secretName --namespace=kube-system --export -o yaml | kubectl apply --namespace=fabricrealtime -f - [string] $secretName = "fabric-client-cert" kubectl get secret $secretName --namespace=kube-system --export -o yaml | kubectl apply --namespace=fabricrealtime -f - [string] $secretName = "fabric-ssl-download-cert" kubectl get secret $secretName --namespace=kube-system --export -o yaml | kubectl apply --namespace=fabricrealtime -f - } else { Write-Host "Secret fabric-ssl-cert already set so using it" } Write-Verbose 'GenerateCertificates: Done' } Export-ModuleMember -Function 'GenerateCertificates' |