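#!/bin/bash
#
# certificate-discovery — list the TLS certificates and kubeconfig files present
# on a Kubernetes host and print a values.yaml fragment for the
# x509-certificate-exporter chart (hostPathsExporter.daemonSets.<ROLE>).
#
# Usage:  certificate-discovery <ROLE=controlplane|node> [ROOTDIR=/]
#   ROLE     Name of the daemonSet in the generated values. "controlplane"
#            also enables the control-plane search paths (incl. OKD static-pod
#            resources); any other value is searched as a worker node.
#   ROOTDIR  Host filesystem root. Every lookup runs through `chroot ROOTDIR`,
#            so the script needs root (e.g. a privileged pod with the host
#            mounted at ROOTDIR). All printed paths are relative to ROOTDIR.
# Env:      LOG_LEVEL=1 lists the search paths on stderr; LOG_LEVEL>=2 also
#           enables `set -x`.
#
# Only files whose content looks like a PEM certificate or a kubeconfig are
# reported; private keys are never opened. md5sum is used purely as a
# deduplication key for byte-identical copies, not as an integrity check.

if [ $# -lt 1 ] || [ -z "$1" ]; then
  echo "Usage: $0 <ROLE=controlplane|node> [ROOTDIR=/]" >&2
  exit 1
fi

# Role will define the daemonSet name for x509-certificate-exporter config
readonly ROLE="$1"
readonly ROOT="${2:-/}"
readonly OKD_ROOT_DIR=/etc/kubernetes/static-pod-resources
LOG_LEVEL=${LOG_LEVEL:-0}
IS_OKD=false

# content-hash -> path relative to $ROOT; keying by hash collapses duplicate files
declare -A CERTIFICATES=()
declare -A KUBECONFIGS=()

# Tracing is decided before -e is set so a false test here cannot abort the script.
[ "$LOG_LEVEL" -ge 2 ] && set -x
set -eu

#######################################
# Print the highest numeric revision N for which
# ${ROOT}${OKD_ROOT_DIR}/<name>-pod-N exists, or nothing if there is none.
# The glob is expanded by this shell against ${ROOT}: `chroot` changes the root
# of the command it runs, not of the shell that builds its arguments.
# Arguments: $1 - static pod name (etcd, kube-apiserver, ...)
# Outputs:   the revision number on stdout (no newline)
#######################################
latest_pod_revision() {
  local name=$1
  local dir rev latest=
  for dir in "${ROOT}${OKD_ROOT_DIR}/${name}-pod-"*/; do
    dir=${dir%/}
    # With nullglob unset an unmatched pattern stays literal; -d rejects it.
    [[ -d "$dir" ]] || continue
    rev=${dir##*-}
    [[ "$rev" =~ ^[0-9]+$ ]] || continue
    if [[ -z "$latest" ]] || (( rev > latest )); then
      latest=$rev
    fi
  done
  printf '%s' "$latest"
}

#######################################
# Find regular files for one search spec inside the chroot.
# A spec is "maxdepth=N:PATH" or a bare PATH (depth defaults to 1). PATH may be
# a single file, in which case find(1) tests just that file.
# Arguments: $1 - spec; $2.. - extra find(1) predicates (content filter)
# Outputs:   matching chroot-relative paths, NUL-delimited, on stdout
# Returns:   always 0 — a missing directory is expected, the spec list is a
#            superset of what any one distribution ships
#######################################
find_in_spec() {
  local spec=$1
  shift
  local maxdepth=1 path=$spec
  if [[ "$spec" == maxdepth=*:* ]]; then
    maxdepth=${spec%%:*}
    maxdepth=${maxdepth#maxdepth=}
    path=${spec#*:}
  fi
  # -L follows symlinks (kubelet-*-current.pem are links); resolution happens
  # inside the chroot, so a link cannot point outside ${ROOT}.
  chroot "$ROOT" find -L "$path" -maxdepth "$maxdepth" -type f "$@" -print0 2>/dev/null || true
}

#######################################
# Print the md5 of a file inside the chroot (deduplication key only).
# Arguments: $1 - chroot-relative path
#######################################
content_hash() {
  chroot "$ROOT" md5sum "$1" | cut -d ' ' -f 1
}

#######################################
# Fill CERT_DIRS / KUBECONFIG_DIRS according to ROLE and the host layout.
# Globals: ROLE, ROOT, OKD_ROOT_DIR (read); CERT_DIRS, KUBECONFIG_DIRS, IS_OKD (written)
#######################################
build_search_paths() {
  local name revision
  if [[ "$ROLE" == controlplane ]]; then
    CERT_DIRS=(
      maxdepth=1:/etc/kubernetes
      maxdepth=1:/etc/kubernetes/pki
      maxdepth=1:/etc/kubernetes/ssl
    )
    if [[ -d "${ROOT}${OKD_ROOT_DIR}" ]]; then
      IS_OKD=true
      # OKD keeps all controlplane certificates inside pod-specific host directories
      CERT_DIRS+=(
        "maxdepth=5:${OKD_ROOT_DIR}/configmaps"
        "maxdepth=5:${OKD_ROOT_DIR}/etcd-certs"
        "maxdepth=5:${OKD_ROOT_DIR}/kube-apiserver-certs"
        "maxdepth=5:${OKD_ROOT_DIR}/kube-controller-manager-certs"
        "maxdepth=5:${OKD_ROOT_DIR}/kube-scheduler-certs"
      )
      # Each controlplane pod has its own set of certificates; only the
      # latest revision directory is current.
      for name in etcd kube-apiserver kube-controller-manager kube-scheduler; do
        revision=$(latest_pod_revision "$name")
        if [[ -n "$revision" ]]; then
          CERT_DIRS+=( "maxdepth=5:${OKD_ROOT_DIR}/${name}-pod-${revision}" )
        fi
      done
    fi
  else
    CERT_DIRS=(
      maxdepth=1:/etc/kubernetes
      maxdepth=1:/var/lib/kubelet/pki/kubelet-client-current.pem
      maxdepth=1:/var/lib/kubelet/pki/kubelet-server-current.pem
    )
  fi

  KUBECONFIG_DIRS=(
    maxdepth=1:/etc/kubernetes
    maxdepth=1:/var/lib/kubelet
  )

  if [ "$LOG_LEVEL" -ge 1 ]; then
    {
      echo "IS_OKD: $IS_OKD"
      echo CERT_DIRS:
      printf '  %s\n' "${CERT_DIRS[@]}"
      echo KUBECONFIG_DIRS:
      printf '  %s\n' "${KUBECONFIG_DIRS[@]}"
    } >&2
  fi
}

#######################################
# Populate CERTIFICATES and KUBECONFIGS from the search paths.
# Both tables hold chroot-relative paths so they can be printed as-is.
# Globals: CERT_DIRS, KUBECONFIG_DIRS (read); CERTIFICATES, KUBECONFIGS (written)
#######################################
discover_files() {
  local spec file
  # Certificates: PEM-looking file name AND a CERTIFICATE block in the content.
  for spec in "${CERT_DIRS[@]}"; do
    while IFS= read -r -d '' file; do
      CERTIFICATES["$(content_hash "$file")"]=$file
    done < <(find_in_spec "$spec" -regextype egrep -regex '.*\.(crt|cert|pem)$' \
               -exec grep -q '^-----BEGIN CERTIFICATE-----' {} \;)
  done
  # Kubeconfig files: any file carrying one of the top-level kubeconfig keys.
  for spec in "${KUBECONFIG_DIRS[@]}"; do
    while IFS= read -r -d '' file; do
      KUBECONFIGS["$(content_hash "$file")"]=$file
    done < <(find_in_spec "$spec" -exec grep -qE '^(kind: Config|contexts:|clusters:)$' {} \;)
  done
}

#######################################
# Dump a valid values.yaml fragment for the x509-certificate-exporter chart.
# Two-space nesting keeps daemonSets -> ROLE -> watch* -> items as a YAML tree.
# Globals: ROLE, CERTIFICATES, KUBECONFIGS (read)
# Outputs: YAML on stdout
#######################################
emit_values() {
  echo 'hostPathsExporter:'
  echo '  daemonSets:'
  echo "    ${ROLE}:"
  if [ ${#CERTIFICATES[@]} -gt 0 ]; then
    echo '      watchFiles:'
    printf -- '        - %s\n' "${CERTIFICATES[@]}" | sort -u
  fi
  if [ ${#KUBECONFIGS[@]} -gt 0 ]; then
    echo '      watchKubeconfFiles:'
    printf -- '        - %s\n' "${KUBECONFIGS[@]}" | sort -u
  fi
}

main() {
  build_search_paths
  discover_files
  emit_values
}

main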