functions/SoftwareInstall/GenerateCertificates.ps1
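<#
.SYNOPSIS
Generates the TLS material for the Fabric realtime components and stores it as Kubernetes secrets.

.DESCRIPTION
Only acts when the secret fabric-ssl-cert does not yet exist in the kube-system namespace. It then:
  - prepares /opt/healthcatalyst/certs (created with sudo, ACL granting the current user rwx, then emptied),
  - runs the healthcatalyst/fabric.docker.certificategenerator container to produce a root CA,
    a server certificate and a client certificate for the user "fabricrabbitmquser",
  - stores them in kube-system as fabric-ca-cert, fabric-ssl-cert, fabric-client-cert and
    fabric-ssl-download-cert,
  - optionally replaces fabric-ssl-cert with tls.crt/tls.key from a folder entered at the prompt,
  - copies the four secrets into the fabricrealtime namespace and wipes the local cert folder.
If fabric-ssl-cert already exists nothing is generated.
Requires sudo, docker and kubectl on the PATH; Linux only (whoami, setfacl, rm, cp, ls are invoked).

.PARAMETER CertHostName
Host name for the generated server certificate (passed to the container as CERT_HOSTNAME).

.PARAMETER CertPassword
Password for the generated .p12 bundles (passed to the container as CERT_PASSWORD).
NOTE(review): it is placed on the `sudo docker run` command line and is therefore visible in `ps`
output and in sudo's command log while the container runs. Handing it over through the environment
(e.g. `sudo --preserve-env=CERT_PASSWORD docker run -e CERT_PASSWORD ...`) or a restricted
`--env-file` avoids that; not changed here because it depends on the host's sudoers policy.

.INPUTS
None. You cannot pipe objects to GenerateCertificates.

.OUTPUTS
Whatever the invoked kubectl/docker/ls commands write to stdout.

.EXAMPLE
GenerateCertificates -CertHostName "fabric.example.com" -CertPassword "changeme"   # constructed example values

.NOTES
$ErrorActionPreference = "Stop" does not react to a non-zero exit code of a native command, so
each sudo/docker/kubectl step whose failure would leave secrets missing or stale is followed by an
explicit $LASTEXITCODE check and the function throws instead of continuing.
`kubectl get --export` is deprecated in newer kubectl releases.
#>
function GenerateCertificates() {
    [CmdletBinding()]
    [OutputType([string])]
    param
    (
        [Parameter(Mandatory = $true)]
        [ValidateNotNullOrEmpty()]
        [string]
        $CertHostName
        ,
        [Parameter(Mandatory = $true)]
        [ValidateNotNullOrEmpty()]
        [string]
        $CertPassword
    )

    Write-Verbose 'GenerateCertificates: Starting'

    Set-StrictMode -Version latest
    # stop whenever there is an error (PowerShell errors only; native exit codes are checked below)
    $ErrorActionPreference = "Stop"

    # Native commands (sudo/docker/kubectl) never trip $ErrorActionPreference, so the
    # exit code of every critical step is checked explicitly right after the call.
    function Assert-NativeSuccess([string] $Step) {
        if ($LASTEXITCODE -ne 0) {
            throw "GenerateCertificates: $Step failed with exit code $LASTEXITCODE"
        }
    }

    # Replace a TLS secret in kube-system so that a rerun never fails on an existing one.
    function Set-TlsSecret([string] $Name, [string] $KeyPath, [string] $CertPath) {
        kubectl delete secret $Name -n kube-system --ignore-not-found=true
        Assert-NativeSuccess "kubectl delete secret $Name"
        kubectl create secret tls $Name -n kube-system --key "$KeyPath" --cert "$CertPath"
        Assert-NativeSuccess "kubectl create secret tls $Name"
    }

    [Diagnostics.CodeAnalysis.SuppressMessageAttribute("PSAvoidUsingCmdletAliases", "", Justification = "We're calling linux commands")]
    $sslsecret = $(kubectl get secret fabric-ssl-cert -n kube-system --ignore-not-found=true)
    # an unreachable cluster must not be mistaken for "secret not found"
    Assert-NativeSuccess "kubectl get secret fabric-ssl-cert"

    if ($sslsecret) {
        Write-Host "Secret fabric-ssl-cert already set so using it"
        Write-Verbose 'GenerateCertificates: Done'
        return
    }

    [string] $sslCertfolder = Read-Host -Prompt "Location of SSL cert files (tls.crt and tls.key): (leave empty to generate self-signed certificates)"
    if ($sslCertfolder) {
        # fail before any sudo/docker work if the user-supplied folder lacks the files kubectl needs later
        foreach ($required in @("tls.crt", "tls.key")) {
            if (-not (Test-Path -LiteralPath "$sslCertfolder/$required" -PathType Leaf)) {
                throw "GenerateCertificates: '$sslCertfolder/$required' not found"
            }
        }
    }

    # still need to generate root and client certificates even if the user is providing the ssl cert
    [string] $ClientCertUser = "fabricrabbitmquser"
    [string] $certfolder = "/opt/healthcatalyst/certs"

    Write-Host "Generating self-signed SSL root CA certificate"
    [string] $u = "$(whoami)"
    Write-Host "Creating folder: $certfolder and giving access to $u"
    sudo mkdir -p "$certfolder"
    Assert-NativeSuccess "mkdir $certfolder"
    sudo setfacl -m u:${u}:rwx "$certfolder"
    Assert-NativeSuccess "setfacl on $certfolder"
    cd "$certfolder"

    Write-Verbose "Cleaning out the folder"
    # anchored to the absolute folder so the wipe never depends on the current directory
    sudo rm -rf ${certfolder}/*
    echo "------- $certfolder ------"
    ls -al "$certfolder"
    echo "---------------------------"

    Write-Verbose "Running docker container, fabric.docker.certificategenerator, to generate certificates"
    sudo docker pull healthcatalyst/fabric.docker.certificategenerator
    Assert-NativeSuccess "docker pull healthcatalyst/fabric.docker.certificategenerator"
    # NOTE(review): CERT_PASSWORD travels on the command line here (visible in `ps` and sudo's log);
    # see the .PARAMETER CertPassword help for the environment-based alternative.
    sudo docker run --rm -v ${certfolder}:/opt/certs/ `
        -e CERT_HOSTNAME="$CertHostName" `
        -e CERT_PASSWORD="$CertPassword" `
        -e CLIENT_CERT_USER="$ClientCertUser" `
        --name fabric.docker.certificategenerator `
        -t healthcatalyst/fabric.docker.certificategenerator
    Assert-NativeSuccess "docker run fabric.docker.certificategenerator"

    Write-Verbose "Using the cert with the chain included"
    sudo cp $certfolder/server/tls.crt $certfolder/server/tls-single.crt
    Assert-NativeSuccess "cp server/tls.crt"
    sudo cp $certfolder/server/tlschain.crt $certfolder/server/tls.crt
    Assert-NativeSuccess "cp server/tlschain.crt"

    foreach ($sub in @("testca", "server", "client")) {
        Write-Verbose "------- $certfolder/$sub ------"
        ls -al "$certfolder/$sub"
        Write-Verbose "---------------------------"
    }

    # https://gist.github.com/fntlnz/cf14feb5a46b2eda428e000157447309
    Write-Verbose "setting fabric-ca-cert secret"
    Set-TlsSecret "fabric-ca-cert" "$certfolder/testca/rootCA.key" "$certfolder/testca/rootCA.crt"

    Write-Verbose "Setting fabric-ssl-cert any old TLS certs"
    Write-Host "Storing TLS certs as kubernetes secret"
    Set-TlsSecret "fabric-ssl-cert" "$certfolder/server/tls.key" "$certfolder/server/tls.crt"

    Write-Verbose "setting fabric-client-cert secret"
    Set-TlsSecret "fabric-client-cert" "$certfolder/client/client.key" "$certfolder/client/client.crt"

    Write-Verbose "setting fabric-ssl-download-cert secret"
    # NOTE(review): rootCA.p12 is published through the download secret; if that bundle carries the
    # CA private key, every reader of fabric-ssl-download-cert can issue certificates trusted by this
    # CA — confirm the bundle contents and who is allowed to read the secret.
    sudo cp $certfolder/testca/rootCA.p12 $certfolder/fabric_ca_cert.p12
    Assert-NativeSuccess "cp testca/rootCA.p12"
    sudo cp $certfolder/client/client.p12 $certfolder/fabricrabbitmquser_client_cert.p12
    Assert-NativeSuccess "cp client/client.p12"
    kubectl delete secret fabric-ssl-download-cert -n kube-system --ignore-not-found=true
    Assert-NativeSuccess "kubectl delete secret fabric-ssl-download-cert"
    # --from-file keys default to the file name, so absolute paths yield the same secret keys as before
    kubectl create secret generic fabric-ssl-download-cert -n kube-system `
        --from-file="$certfolder/fabric_ca_cert.p12" `
        --from-file="$certfolder/fabricrabbitmquser_client_cert.p12"
    Assert-NativeSuccess "kubectl create secret generic fabric-ssl-download-cert"

    cd "~"

    Write-Verbose "Removing temporary ssl files since they have been added to kubernetes secrets"
    # use external command so we can use sudo
    sudo rm -rf ${certfolder}/*

    if ($sslCertfolder) {
        Write-Host "TLS files specified so using then"
        Write-Verbose "------ $sslCertfolder ------"
        ls -al "$sslCertfolder"
        Write-Verbose "------------------------"
        Write-Host "Deleting any old TLS certs"
        Write-Host "Storing TLS certs as kubernetes secret"
        Set-TlsSecret "fabric-ssl-cert" "$sslCertfolder/tls.key" "$sslCertfolder/tls.crt"
    }

    # kubectl create secret generic kubernetes-dashboard-certs --from-file=$HOME/certs -n kube-system
    CreateNamespaceIfNotExists -namespace "fabricrealtime"

    # copy secrets to fabricrealtime namespace
    foreach ($secretName in @("fabric-ca-cert", "fabric-ssl-cert", "fabric-client-cert", "fabric-ssl-download-cert")) {
        kubectl get secret $secretName --namespace=kube-system --export -o yaml | kubectl apply --namespace=fabricrealtime -f -
        Assert-NativeSuccess "copying secret $secretName to namespace fabricrealtime"
    }

    Write-Verbose 'GenerateCertificates: Done'
}

Export-ModuleMember -Function 'GenerateCertificates'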