From ae74aa62c67487a9ff53ccb2daa6d7b6e1dd0190 Mon Sep 17 00:00:00 2001 From: Sujith Abdul Rahim Date: Sun, 19 Apr 2020 12:00:53 +0530 Subject: [PATCH 01/25] cert verify initial commit --- vagrant/cert_verify.sh | 255 +++++++++++++++++++++++++++++++++++++++++ 1 file changed, 255 insertions(+) create mode 100644 vagrant/cert_verify.sh diff --git a/vagrant/cert_verify.sh b/vagrant/cert_verify.sh new file mode 100644 index 0000000..6492e7a --- /dev/null +++ b/vagrant/cert_verify.sh 
@@ -0,0 +1,255 @@ +#!/bin/bash +set -e +set -x + +# All Cert Location + +# ca certificate location +CACERT=/var/lib/kubernetes/ca.crt +CAKEY=/var/lib/kubernetes/ca.key + +# admin certificate location +ADMINCERT=/var/lib/kubernetes/admin.crt +ADMINKEY=/var/lib/kubernetes/admin.key + +# Kube controller manager certificate location +KCMCERT=/var/lib/kubernetes/kube-controller-manager.crt +KCMKEY=/var/lib/kubernetes/kube-controller-manager.key + +# Kube proxy certificate location +KPCERT=/var/lib/kubernetes/kube-proxy.crt +KPKEY=/var/lib/kubernetes/kube-proxy.key + +# Kube scheduler certificate location +KSCERT=/var/lib/kubernetes/kube-scheduler.crt +KSKEY=/var/lib/kubernetes/kube-scheduler.key + +# Kube api certificate location +APICERT=/var/lib/kubernetes/kube-apiserver.crt +APIKEY=/var/lib/kubernetes/kube-apiserver.key + +# ETCD certificate location +ETCDCERT=/var/lib/kubernetes/etcd-server.crt +ETCDKEY=/var/lib/kubernetes/etcd-server.key + +# Service account certificate location +SACERT=/var/lib/kubernetes/service-account.crt +SAKEY=/var/lib/kubernetes/service-account.key + +check_cert_ca() +{ + if [ -z $CACERT ] && [ -z $CAKEY ] + then + echo "please specify cert and key location" + exit 1 + elif [ -f $CACERT ] && [ -f $CAKEY ] + then + echo "CA cert and key found, verifying the authenticity" + CACERT_SUBJECT=$(openssl x509 -in $CACERT -text | grep "Subject: CN"| tr -d " ") + CACERT_ISSUER=$(openssl x509 -in $CACERT -text | grep "Issuer: CN"| tr -d " ") + CACERT_MD5=$(openssl x509 -noout -modulus -in $CACERT | openssl md5| awk '{print $2}') + CAKEY_MD5=$(openssl rsa -noout -modulus -in $CAKEY | openssl md5| awk '{print $2}') + if [ $CACERT_SUBJECT == "Subject:CN=KUBERNETES-CA" ] && [ $CACERT_ISSUER == "Issuer:CN=KUBERNETES-CA" ] && [ $CACERT_MD5 == $CAKEY_MD5 ] + then + echo "CA cert and key are correct" + else + echo "Exiting...Found mismtach in the CA certificate and keys, check subject" + exit 1 + fi + else + echo "ca.crt / ca.key is missing" + exit 1 + fi +} + 
+ +check_cert_admin() +{ + if [ -z $ADMINCERT ] && [ -z $ADMINKEY ] + then + echo "please specify cert and key location" + exit 1 + elif [ -f $ADMINCERT ] && [ -f $ADMINKEY ] + then + echo "admin cert and key found, verifying the authenticity" + ADMINCERT_SUBJECT=$(openssl x509 -in $ADMINCERT -text | grep "Subject: CN"| tr -d " ") + ADMINCERT_ISSUER=$(openssl x509 -in $ADMINCERT -text | grep "Issuer: CN"| tr -d " ") + ADMINCERT_MD5=$(openssl x509 -noout -modulus -in $ADMINCERT | openssl md5| awk '{print $2}') + ADMINKEY_MD5=$(openssl rsa -noout -modulus -in $ADMINKEY | openssl md5| awk '{print $2}') + if [ $ADMINCERT_SUBJECT == "Subject:CN=admin,O=system:masters" ] && [ $ADMINCERT_ISSUER == "Issuer:CN=KUBERNETES-CA" ] && [ $ADMINCERT_MD5 == $ADMINKEY_MD5 ] + then + echo "admin cert and key are correct" + else + echo "Exiting...Found mismtach in the admin certificate and keys, check subject" + exit 1 + fi + else + echo "admin.crt / admin.key is missing" + exit 1 + fi +} + +check_cert_kcm() +{ + if [ -z $KCMCERT ] && [ -z $KCMKEY ] + then + echo "please specify cert and key location" + exit 1 + elif [ -f $KCMCERT ] && [ -f $KCMKEY ] + then + echo "kube-controller-manager cert and key found, verifying the authenticity" + KCMCERT_SUBJECT=$(openssl x509 -in $KCMCERT -text | grep "Subject: CN"| tr -d " ") + KCMCERT_ISSUER=$(openssl x509 -in $KCMCERT -text | grep "Issuer: CN"| tr -d " ") + KCMCERT_MD5=$(openssl x509 -noout -modulus -in $KCMCERT | openssl md5| awk '{print $2}') + KCMKEY_MD5=$(openssl rsa -noout -modulus -in $KCMKEY | openssl md5| awk '{print $2}') + if [ $KCMCERT_SUBJECT == "Subject:CN=system:kube-controller-manager" ] && [ $KCMCERT_ISSUER == "Issuer:CN=KUBERNETES-CA" ] && [ $KCMCERT_MD5 == $KCMKEY_MD5 ] + then + echo "kube-controller-manager cert and key are correct" + else + echo "Exiting...Found mismtach in the kube-controller-manager certificate and keys, check subject" + exit 1 + fi + else + echo "kube-controller-manager.crt / 
kube-controller-manager.key is missing" + exit 1 + fi +} + +check_cert_kp() +{ + if [ -z $KPCERT ] && [ -z $KPKEY ] + then + echo "please specify cert and key location" + exit 1 + elif [ -f $KPCERT ] && [ -f $KPKEY ] + then + echo "kube-proxy cert and key found, verifying the authenticity" + KPCERT_SUBJECT=$(openssl x509 -in $KPCERT -text | grep "Subject: CN"| tr -d " ") + KPCERT_ISSUER=$(openssl x509 -in $KPCERT -text | grep "Issuer: CN"| tr -d " ") + KPCERT_MD5=$(openssl x509 -noout -modulus -in $KPCERT | openssl md5| awk '{print $2}') + KPKEY_MD5=$(openssl rsa -noout -modulus -in $KPKEY | openssl md5| awk '{print $2}') + if [ $KPCERT_SUBJECT == "Subject:CN=system:kube-proxy" ] && [ $KPCERT_ISSUER == "Issuer:CN=KUBERNETES-CA" ] && [ $KPCERT_MD5 == $KPKEY_MD5 ] + then + echo "kube-proxy cert and key are correct" + else + echo "Exiting...Found mismtach in the kube-proxy certificate and keys, check subject" + exit 1 + fi + else + echo "kube-proxy.crt / kube-proxy.key is missing" + exit 1 + fi +} + +check_cert_ks() +{ + if [ -z $KSCERT ] && [ -z $KSKEY ] + then + echo "please specify cert and key location" + exit 1 + elif [ -f $KSCERT ] && [ -f $KSKEY ] + then + echo "kube-scheduler cert and key found, verifying the authenticity" + KSCERT_SUBJECT=$(openssl x509 -in $KSCERT -text | grep "Subject: CN"| tr -d " ") + KSCERT_ISSUER=$(openssl x509 -in $KSCERT -text | grep "Issuer: CN"| tr -d " ") + KSCERT_MD5=$(openssl x509 -noout -modulus -in $KSCERT | openssl md5| awk '{print $2}') + KSKEY_MD5=$(openssl rsa -noout -modulus -in $KSKEY | openssl md5| awk '{print $2}') + if [ $KSCERT_SUBJECT == "Subject:CN=system:kube-scheduler" ] && [ $KSCERT_ISSUER == "Issuer:CN=KUBERNETES-CA" ] && [ $KSCERT_MD5 == $KSKEY_MD5 ] + then + echo "kube-scheduler cert and key are correct" + else + echo "Exiting...Found mismtach in the kube-scheduler certificate and keys, check subject" + exit 1 + fi + else + echo "kube-scheduler.crt / kube-scheduler.key is missing" + exit 1 + fi +} + 
+check_cert_api() +{ + if [ -z $APICERT ] && [ -z $APIKEY ] + then + echo "please specify kube-api cert and key location, Exiting...." + exit 1 + elif [ -f $APICERT ] && [ -f $APIKEY ] + then + echo "kube-apiserver cert and key found, verifying the authenticity" + APICERT_SUBJECT=$(openssl x509 -in $APICERT -text | grep "Subject: CN"| tr -d " ") + APICERT_ISSUER=$(openssl x509 -in $APICERT -text | grep "Issuer: CN"| tr -d " ") + APICERT_MD5=$(openssl x509 -noout -modulus -in $APICERT | openssl md5| awk '{print $2}') + APIKEY_MD5=$(openssl rsa -noout -modulus -in $APIKEY | openssl md5| awk '{print $2}') + if [ $APICERT_SUBJECT == "Subject:CN=kube-apiserver" ] && [ $APICERT_ISSUER == "Issuer:CN=KUBERNETES-CA" ] && [ $APICERT_MD5 == $APIKEY_MD5 ] + then + echo "kube-apiserver cert and key are correct" + else + echo "Exiting...Found mismtach in the kube-apiserver certificate and keys, check subject" + exit 1 + fi + else + echo "kube-apiserver.crt / kube-apiserver.key is missing" + exit 1 + fi +} + +check_cert_etcd() +{ + if [ -z $ETCDCERT ] && [ -z $ETCDKEY ] + then + echo "please specify ETCD cert and key location, Exiting...." 
+ exit 1 + elif [ -f $ETCDCERT ] && [ -f $ETCDKEY ] + then + echo "ETCD cert and key found, verifying the authenticity" + ETCDCERT_SUBJECT=$(openssl x509 -in $ETCDCERT -text | grep "Subject: CN"| tr -d " ") + ETCDCERT_ISSUER=$(openssl x509 -in $ETCDCERT -text | grep "Issuer: CN"| tr -d " ") + ETCDCERT_MD5=$(openssl x509 -noout -modulus -in $ETCDCERT | openssl md5| awk '{print $2}') + ETCDKEY_MD5=$(openssl rsa -noout -modulus -in $ETCDKEY | openssl md5| awk '{print $2}') + if [ $ETCDCERT_SUBJECT == "Subject:CN=etcd-server" ] && [ $ETCDCERT_ISSUER == "Issuer:CN=KUBERNETES-CA" ] && [ $ETCDCERT_MD5 == $ETCDKEY_MD5 ] + then + echo "etcd-server.crt / etcd-server.key are correct" + else + echo "Exiting...Found mismtach in the ETCD certificate and keys, check subject" + exit 1 + fi + else + echo "etcd-server.crt / etcd-server.key is missing" + exit 1 + fi +} + +check_cert_sa() +{ + if [ -z $SACERT ] && [ -z $SAKEY ] + then + echo "please specify Service Account cert and key location, Exiting...." 
+ exit 1 + elif [ -f $SACERT ] && [ -f $SAKEY ] + then + echo "service account cert and key found, verifying the authenticity" + SACERT_SUBJECT=$(openssl x509 -in $SACERT -text | grep "Subject: CN"| tr -d " ") + SACERT_ISSUER=$(openssl x509 -in $SACERT -text | grep "Issuer: CN"| tr -d " ") + SACERT_MD5=$(openssl x509 -noout -modulus -in $SACERT | openssl md5| awk '{print $2}') + SAKEY_MD5=$(openssl rsa -noout -modulus -in $SAKEY | openssl md5| awk '{print $2}') + if [ $SACERT_SUBJECT == "Subject:CN=service-accounts" ] && [ $SACERT_ISSUER == "Issuer:CN=KUBERNETES-CA" ] && [ $SACERT_MD5 == $SAKEY_MD5 ] + then + echo "Service Account cert and key are correct" + else + echo "Exiting...Found mismtach in the Service Account certificate and keys, check subject" + exit 1 + fi + else + echo "service-account.crt / service-account.key is missing" + exit 1 + fi +} + +check_cert_ca +check_cert_admin +check_cert_kcm +check_cert_kp +check_cert_ks +check_cert_api +check_cert_sa +check_cert_etcd \ No newline at end of file From 84b8c9d5890a765f15b8c62322c0ede0c997415f Mon Sep 17 00:00:00 2001 From: Sujith Abdul Rahim Date: Fri, 24 Apr 2020 23:13:43 +0530 Subject: [PATCH 02/25] kubeconfig verification --- vagrant/cert_verify.sh | 131 ++++++++++++++++++++++++++++++++++++++++- 1 file changed, 130 insertions(+), 1 deletion(-) diff --git a/vagrant/cert_verify.sh b/vagrant/cert_verify.sh index 6492e7a..2c475f0 100644 --- a/vagrant/cert_verify.sh +++ b/vagrant/cert_verify.sh 
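Review bot: Matching the Issuer CN string (`[ $ADMINCERT_ISSUER == "Issuer:CN=KUBERNETES-CA" ]`) does not establish that a component certificate was signed by ca.crt — any certificate whose issuer field happens to say KUBERNETES-CA passes every per-component check in this file. Each function should verify the chain against the CA it just validated, e.g. `openssl verify -CAfile "$CACERT" "$ADMINCERT" >/dev/null || exit 1`, and ideally reject expired material with `openssl x509 -checkend 0 -noout -in "$ADMINCERT"`. Only `set -e` is enabled, not `pipefail`, so if `openssl x509 -modulus` or `openssl rsa -modulus` fails inside the pipelines both sides feed an empty stream to `openssl md5`, the two hashes of the empty string compare equal and the key/cert match is reported as correct; `set -o pipefail` at the top makes that a visible failure. The expansions inside `[ ... ]` are unquoted, so an empty `$CACERT_SUBJECT` turns the test into a bash syntax error rather than a mismatch; quoting them (`[ "$CACERT_SUBJECT" == "..." ]`) keeps the else-branch message accurate.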
@@ -36,6 +36,20 @@ ETCDKEY=/var/lib/kubernetes/etcd-server.key SACERT=/var/lib/kubernetes/service-account.crt SAKEY=/var/lib/kubernetes/service-account.key +# All kubeconfig locations + +# kubeproxy.kubeconfig location +KPKUBECONFIG=/var/lib/kubernetes/kube-proxy.kubeconfig + +# kube-controller-manager.kubeconfig location +KCMKUBECONFIG=/var/lib/kubernetes/kube-controller-manager.kubeconfig + +# kube-scheduler.kubeconfig location +KSKUBECONFIG=/var/lib/kubernetes/kube-scheduler.kubeconfig + +# admin.kubeconfig location +ADMINKUBECONFIG=/var/lib/kubernetes/admin.kubeconfig + check_cert_ca() { if [ -z $CACERT ] && [ -z $CAKEY ] 
@@ -245,6 +259,115 @@ check_cert_sa() fi } + +# Kubeconfig verification + +check_cert_kpkubeconfig() +{ + if [ -z $KPKUBECONFIG ] + then + echo "please specify kube-proxy kubeconfig location" + exit 1 + elif [ -f $KPKUBECONFIG ] + then + echo "kube-proxy kubeconfig file found, verifying the authenticity" + KPKUBECONFIG_SUBJECT=$(cat $KPKUBECONFIG | grep "client-certificate-data:" | awk '{print $2}' | base64 --decode | openssl x509 --text | grep "Subject: CN" | tr -d " ") + KPKUBECONFIG_ISSUER=$(cat $KPKUBECONFIG | grep "client-certificate-data:" | awk '{print $2}' | base64 --decode | openssl x509 --text | grep "Issuer: CN" | tr -d " ") + KPKUBECONFIG_CERT_MD5=$(cat $KPKUBECONFIG | grep "client-certificate-data:" | awk '{print $2}' | base64 --decode | openssl x509 -noout | openssl md5 | awk '{print $2}') + KPKUBECONFIG_KEY_MD5=$(cat $KPKUBECONFIG | grep "client-key-data" | awk '{print $2}' | base64 --decode | openssl rsa -noout | openssl md5 | awk '{print $2}') + if [ $KPKUBECONFIG_SUBJECT == "Subject:CN=system:kube-proxy" ] && [ $KPKUBECONFIG_ISSUER == "Issuer:CN=KUBERNETES-CA" ] && [ $KPKUBECONFIG_CERT_MD5 == $KPKUBECONFIG_KEY_MD5 ] + then + echo "kube-proxy kubeconfig cert and key are correct" + else + echo "Exiting...Found mismtach in the kube-proxy kubeconfig certificate and keys, check subject" + exit 1 + fi + else + echo "kube-proxy kubeconfig file is missing" + exit 1 + fi +} + +check_cert_kcmkubeconfig() +{ + if [ -z $KCMKUBECONFIG ] + then + echo "please specify kube-controller-manager kubeconfig location" + exit 1 + elif [ -f $KCMKUBECONFIG ] + then + echo "kube-controller-manager kubeconfig file found, verifying the authenticity" + KCMKUBECONFIG_SUBJECT=$(cat $KCMKUBECONFIG | grep "client-certificate-data:" | awk '{print $2}' | base64 --decode | openssl x509 --text | grep "Subject: CN" | tr -d " ") + KCMKUBECONFIG_ISSUER=$(cat $KCMKUBECONFIG | grep "client-certificate-data:" | awk '{print $2}' | base64 --decode | openssl x509 --text | grep "Issuer: CN" | 
tr -d " ") + KCMKUBECONFIG_CERT_MD5=$(cat $KCMKUBECONFIG | grep "client-certificate-data:" | awk '{print $2}' | base64 --decode | openssl x509 -noout | openssl md5 | awk '{print $2}') + KCMKUBECONFIG_KEY_MD5=$(cat $KCMKUBECONFIG | grep "client-key-data" | awk '{print $2}' | base64 --decode | openssl rsa -noout | openssl md5 | awk '{print $2}') + if [ $KCMKUBECONFIG_SUBJECT == "Subject:CN=system:kube-controller-manager" ] && [ $KCMKUBECONFIG_ISSUER == "Issuer:CN=KUBERNETES-CA" ] && [ $KCMKUBECONFIG_CERT_MD5 == $KCMKUBECONFIG_KEY_MD5 ] + then + echo "kube-controller-manager kubeconfig cert and key are correct" + else + echo "Exiting...Found mismtach in the kube-controller-manager kubeconfig certificate and keys, check subject" + exit 1 + fi + else + echo "kube-controller-manager kubeconfig file is missing" + exit 1 + fi +} + + +check_cert_kskubeconfig() +{ + if [ -z $KSKUBECONFIG ] + then + echo "please specify kube-scheduler kubeconfig location" + exit 1 + elif [ -f $KSKUBECONFIG ] + then + echo "kube-scheduler kubeconfig file found, verifying the authenticity" + KSKUBECONFIG_SUBJECT=$(cat $KSKUBECONFIG | grep "client-certificate-data:" | awk '{print $2}' | base64 --decode | openssl x509 --text | grep "Subject: CN" | tr -d " ") + KSKUBECONFIG_ISSUER=$(cat $KSKUBECONFIG | grep "client-certificate-data:" | awk '{print $2}' | base64 --decode | openssl x509 --text | grep "Issuer: CN" | tr -d " ") + KSKUBECONFIG_CERT_MD5=$(cat $KSKUBECONFIG | grep "client-certificate-data:" | awk '{print $2}' | base64 --decode | openssl x509 -noout | openssl md5 | awk '{print $2}') + KSKUBECONFIG_KEY_MD5=$(cat $KSKUBECONFIG | grep "client-key-data" | awk '{print $2}' | base64 --decode | openssl rsa -noout | openssl md5 | awk '{print $2}') + if [ $KSKUBECONFIG_SUBJECT == "Subject:CN=system:kube-scheduler" ] && [ $KSKUBECONFIG_ISSUER == "Issuer:CN=KUBERNETES-CA" ] && [ $KSKUBECONFIG_CERT_MD5 == $KSKUBECONFIG_KEY_MD5 ] + then + echo "kube-scheduler kubeconfig cert and key are correct" + 
else + echo "Exiting...Found mismtach in the kube-scheduler kubeconfig certificate and keys, check subject" + exit 1 + fi + else + echo "kube-scheduler kubeconfig file is missing" + exit 1 + fi +} + +check_cert_adminkubeconfig() +{ + if [ -z $ADMINKUBECONFIG ] + then + echo "please specify admin kubeconfig location" + exit 1 + elif [ -f $ADMINKUBECONFIG ] + then + echo "admin kubeconfig file found, verifying the authenticity" + ADMINKUBECONFIG_SUBJECT=$(cat $ADMINKUBECONFIG | grep "client-certificate-data:" | awk '{print $2}' | base64 --decode | openssl x509 --text | grep "Subject: CN" | tr -d " ") + ADMINKUBECONFIG_ISSUER=$(cat $ADMINKUBECONFIG | grep "client-certificate-data:" | awk '{print $2}' | base64 --decode | openssl x509 --text | grep "Issuer: CN" | tr -d " ") + ADMINKUBECONFIG_CERT_MD5=$(cat $ADMINKUBECONFIG | grep "client-certificate-data:" | awk '{print $2}' | base64 --decode | openssl x509 -noout | openssl md5 | awk '{print $2}') + ADMINKUBECONFIG_KEY_MD5=$(cat $ADMINKUBECONFIG | grep "client-key-data" | awk '{print $2}' | base64 --decode | openssl rsa -noout | openssl md5 | awk '{print $2}') + if [ $ADMINKUBECONFIG_SUBJECT == "Subject:CN=admin,O=system:masters" ] && [ $ADMINKUBECONFIG_ISSUER == "Issuer:CN=KUBERNETES-CA" ] && [ $ADMINKUBECONFIG_CERT_MD5 == $ADMINKUBECONFIG_KEY_MD5 ] + then + echo "admin kubeconfig cert and key are correct" + else + echo "Exiting...Found mismtach in the admin kubeconfig certificate and keys, check subject" + exit 1 + fi + else + echo "admin kubeconfig file is missing" + exit 1 + fi +} + +# CRT & KEY verification check_cert_ca check_cert_admin check_cert_kcm @@ -252,4 +375,10 @@ check_cert_kp check_cert_ks check_cert_api check_cert_sa -check_cert_etcd \ No newline at end of file +check_cert_etcd + +# Kubeconfig verification +check_cert_kpkubeconfig +check_cert_kcmkubeconfig +check_cert_kskubeconfig +check_cert_adminkubeconfig \ No newline at end of file 
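Review bot: The kubeconfig key/cert match is vacuous: `openssl x509 -noout` and `openssl rsa -noout` print nothing, so `KPKUBECONFIG_CERT_MD5` and `KPKUBECONFIG_KEY_MD5` (and the KCM, KS and admin equivalents) are each the MD5 of an empty stream and always compare equal, regardless of whether the embedded key belongs to the embedded certificate. The file-based checks earlier in this script pass `-modulus`; these four pipelines need the same flag, `openssl x509 -noout -modulus` and `openssl rsa -noout -modulus`, to compare real key material. Extracting `client-certificate-data:` with grep also returns every match in the file, so a kubeconfig with more than one user would hand concatenated base64 to `base64 --decode`; `grep -m1` or `kubectl config view --raw --kubeconfig "$KPKUBECONFIG" -o jsonpath='{.users[0].user.client-certificate-data}'` is more robust.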
From 61333adf32a48a0914a1a2eb7c823fdf861bc923 Mon Sep 17 00:00:00 2001 From: Sujith Abdul Rahim Date: Fri, 24 Apr 2020 23:32:00 +0530 Subject: [PATCH 03/25] kubeconfig server details --- vagrant/cert_verify.sh | 12 ++++++++---- 1 file changed, 8 insertions(+), 4 deletions(-) diff --git a/vagrant/cert_verify.sh b/vagrant/cert_verify.sh index 2c475f0..70c862b 100644 --- a/vagrant/cert_verify.sh +++ b/vagrant/cert_verify.sh @@ -275,7 +275,8 @@ check_cert_kpkubeconfig() KPKUBECONFIG_ISSUER=$(cat $KPKUBECONFIG | grep "client-certificate-data:" | awk '{print $2}' | base64 --decode | openssl x509 --text | grep "Issuer: CN" | tr -d " ") KPKUBECONFIG_CERT_MD5=$(cat $KPKUBECONFIG | grep "client-certificate-data:" | awk '{print $2}' | base64 --decode | openssl x509 -noout | openssl md5 | awk '{print $2}') KPKUBECONFIG_KEY_MD5=$(cat $KPKUBECONFIG | grep "client-key-data" | awk '{print $2}' | base64 --decode | openssl rsa -noout | openssl md5 | awk '{print $2}') - if [ $KPKUBECONFIG_SUBJECT == "Subject:CN=system:kube-proxy" ] && [ $KPKUBECONFIG_ISSUER == "Issuer:CN=KUBERNETES-CA" ] && [ $KPKUBECONFIG_CERT_MD5 == $KPKUBECONFIG_KEY_MD5 ] + KPKUBECONFIG_SERVER=$(cat $KPKUBECONFIG | grep "server:"| awk '{print $2}') + if [ $KPKUBECONFIG_SUBJECT == "Subject:CN=system:kube-proxy" ] && [ $KPKUBECONFIG_ISSUER == "Issuer:CN=KUBERNETES-CA" ] && [ $KPKUBECONFIG_CERT_MD5 == $KPKUBECONFIG_KEY_MD5 ] && [ $KPKUBECONFIG_SERVER == "https://192.168.5.30:6443" ] then echo "kube-proxy kubeconfig cert and key are correct" else 
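Review bot: Asserting only the `server:` URL checks where kube-proxy connects but not what it trusts: a kubeconfig that points at `https://192.168.5.30:6443` with a foreign `certificate-authority-data` or with `insecure-skip-tls-verify: true` passes this check unchanged. The function should also decode `certificate-authority-data` and compare its SHA-256 fingerprint with that of `$CACERT` (`openssl x509 -noout -fingerprint -sha256`), and fail if `insecure-skip-tls-verify` appears in the file. The load-balancer address is hard-coded here while the other three kubeconfigs expect 127.0.0.1; a named variable such as `LB_ADDRESS` next to the path variables at the top of the script would document that difference. check_cert_kpkubeconfig begins and ends outside this hunk.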
@@ -301,7 +302,8 @@ check_cert_kcmkubeconfig()
 KCMKUBECONFIG_ISSUER=$(cat $KCMKUBECONFIG | grep "client-certificate-data:" | awk '{print $2}' | base64 --decode | openssl x509 --text | grep "Issuer: CN" | tr -d " ")
 KCMKUBECONFIG_CERT_MD5=$(cat $KCMKUBECONFIG | grep "client-certificate-data:" | awk '{print $2}' | base64 --decode | openssl x509 -noout | openssl md5 | awk '{print $2}')
 KCMKUBECONFIG_KEY_MD5=$(cat $KCMKUBECONFIG | grep "client-key-data" | awk '{print $2}' | base64 --decode | openssl rsa -noout | openssl md5 | awk '{print $2}')
- if [ $KCMKUBECONFIG_SUBJECT == "Subject:CN=system:kube-controller-manager" ] && [ $KCMKUBECONFIG_ISSUER == "Issuer:CN=KUBERNETES-CA" ] && [ $KCMKUBECONFIG_CERT_MD5 == $KCMKUBECONFIG_KEY_MD5 ]
+ KCMKUBECONFIG_SERVER=$(cat $KCMKUBECONFIG | grep "server:"| awk '{print $2}')
+ if [ $KCMKUBECONFIG_SUBJECT == "Subject:CN=system:kube-controller-manager" ] && [ $KCMKUBECONFIG_ISSUER == "Issuer:CN=KUBERNETES-CA" ] && [ $KCMKUBECONFIG_CERT_MD5 == $KCMKUBECONFIG_KEY_MD5 ] && [ $KCMKUBECONFIG_SERVER == "https://127.0.0.1:6443" ]
 then
 echo "kube-controller-manager kubeconfig cert and key are correct"
 else
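Review bot: `[ $KCMKUBECONFIG_SERVER == "https://127.0.0.1:6443" ]` is unquoted, so when `grep "server:"` finds nothing the test degrades to `[ == https://127.0.0.1:6443 ]`, a bash syntax error whose exit status 2 the else branch then reports as a certificate-and-key mismatch. Quote it as `[ "$KCMKUBECONFIG_SERVER" == "https://127.0.0.1:6443" ]` (the other `[ $VAR == ... ]` tests in the chain have the same problem) and move the server comparison into its own `if` with a message that names the server, since the shared "mismatch in the certificate and keys" text no longer describes what failed. A kubeconfig with several clusters would also give grep a multi-word result; `grep -m1` or `kubectl config view --kubeconfig "$KCMKUBECONFIG" -o jsonpath='{.clusters[0].cluster.server}'` avoids that. check_cert_kcmkubeconfig's body begins and ends outside this hunk.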
@@ -328,7 +330,8 @@ check_cert_kskubeconfig()
 KSKUBECONFIG_ISSUER=$(cat $KSKUBECONFIG | grep "client-certificate-data:" | awk '{print $2}' | base64 --decode | openssl x509 --text | grep "Issuer: CN" | tr -d " ")
 KSKUBECONFIG_CERT_MD5=$(cat $KSKUBECONFIG | grep "client-certificate-data:" | awk '{print $2}' | base64 --decode | openssl x509 -noout | openssl md5 | awk '{print $2}')
 KSKUBECONFIG_KEY_MD5=$(cat $KSKUBECONFIG | grep "client-key-data" | awk '{print $2}' | base64 --decode | openssl rsa -noout | openssl md5 | awk '{print $2}')
- if [ $KSKUBECONFIG_SUBJECT == "Subject:CN=system:kube-scheduler" ] && [ $KSKUBECONFIG_ISSUER == "Issuer:CN=KUBERNETES-CA" ] && [ $KSKUBECONFIG_CERT_MD5 == $KSKUBECONFIG_KEY_MD5 ]
+ KSKUBECONFIG_SERVER=$(cat $KSKUBECONFIG | grep "server:"| awk '{print $2}')
+ if [ $KSKUBECONFIG_SUBJECT == "Subject:CN=system:kube-scheduler" ] && [ $KSKUBECONFIG_ISSUER == "Issuer:CN=KUBERNETES-CA" ] && [ $KSKUBECONFIG_CERT_MD5 == $KSKUBECONFIG_KEY_MD5 ] && [ $KSKUBECONFIG_SERVER == "https://127.0.0.1:6443" ]
 then
 echo "kube-scheduler kubeconfig cert and key are correct"
 else
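Review bot: This is the third copy of the same extraction chain, differing only in the variable prefix, the expected CN and the server URL; a single helper `check_kubeconfig <file> <component> <expected-cn> <expected-server>` would replace check_cert_kpkubeconfig, check_cert_kcmkubeconfig, check_cert_kskubeconfig and check_cert_adminkubeconfig, so that any correction to the pipeline or to the quoting has to be made once instead of four times. The per-function messages can be built from the `<component>` argument, and the four call sites at the bottom of the script become one line each. check_cert_kskubeconfig's body begins and ends outside this hunk.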
@@ -354,7 +357,8 @@ check_cert_adminkubeconfig() ADMINKUBECONFIG_ISSUER=$(cat $ADMINKUBECONFIG | grep "client-certificate-data:" | awk '{print $2}' | base64 --decode | openssl x509 --text | grep "Issuer: CN" | tr -d " ") ADMINKUBECONFIG_CERT_MD5=$(cat $ADMINKUBECONFIG | grep "client-certificate-data:" | awk '{print $2}' | base64 --decode | openssl x509 -noout | openssl md5 | awk '{print $2}') ADMINKUBECONFIG_KEY_MD5=$(cat $ADMINKUBECONFIG | grep "client-key-data" | awk '{print $2}' | base64 --decode | openssl rsa -noout | openssl md5 | awk '{print $2}') - if [ $ADMINKUBECONFIG_SUBJECT == "Subject:CN=admin,O=system:masters" ] && [ $ADMINKUBECONFIG_ISSUER == "Issuer:CN=KUBERNETES-CA" ] && [ $ADMINKUBECONFIG_CERT_MD5 == $ADMINKUBECONFIG_KEY_MD5 ] + ADMINKUBECONFIG_SERVER=$(cat $ADMINKUBECONFIG | grep "server:"| awk '{print $2}') + if [ $ADMINKUBECONFIG_SUBJECT == "Subject:CN=admin,O=system:masters" ] && [ $ADMINKUBECONFIG_ISSUER == "Issuer:CN=KUBERNETES-CA" ] && [ $ADMINKUBECONFIG_CERT_MD5 == $ADMINKUBECONFIG_KEY_MD5 ] && [ $ADMINKUBECONFIG_SERVER == "https://127.0.0.1:6443" ] then echo "admin kubeconfig cert and key are correct" else From c0f71699bdd8facaa22e4c239822147f7beb78f3 Mon Sep 17 00:00:00 2001 From: Sujith Abdul Rahim Date: Sat, 25 Apr 2020 14:24:21 +0530 Subject: [PATCH 04/25] check_systemd_etcd verification --- vagrant/cert_verify.sh | 61 +++++++++++++++++++++++++++++++++++++++--- 1 file changed, 58 insertions(+), 3 deletions(-) diff --git a/vagrant/cert_verify.sh b/vagrant/cert_verify.sh index 70c862b..a512c21 100644 --- a/vagrant/cert_verify.sh +++ b/vagrant/cert_verify.sh @@ -29,8 +29,8 @@ APICERT=/var/lib/kubernetes/kube-apiserver.crt APIKEY=/var/lib/kubernetes/kube-apiserver.key # ETCD certificate location -ETCDCERT=/var/lib/kubernetes/etcd-server.crt -ETCDKEY=/var/lib/kubernetes/etcd-server.key +ETCDCERT=/etc/etcd/etcd-server.crt +ETCDKEY=/etc/etcd/etcd-server.key # Service account certificate location SACERT=/var/lib/kubernetes/service-account.crt 
@@ -371,6 +371,58 @@ check_cert_adminkubeconfig() fi } +check_systemd_etcd() +{ + if [ -z $ETCDCERT ] && [ -z $ETCDKEY ] + then + echo "please specify ETCD cert and key location, Exiting...." + exit 1 + elif [ -f $SYSTEMD_ETCD_FILE ] + then + echo "Systemd for ETCD service found, verifying the authenticity" + + # Systemd cert and key file details + ETCD_CA_CERT=/etc/etcd/ca.crt + CERT_FILE=$(systemctl cat etcd.service | grep "\--cert-file"| awk '{print $1}'| cut -d "=" -f2) + KEY_FILE=$(systemctl cat etcd.service | grep "\--key-file"| awk '{print $1}' | cut -d "=" -f2) + PEER_CERT_FILE=$(systemctl cat etcd.service | grep "\--peer-cert-file"| awk '{print $1}'| cut -d "=" -f2) + PEER_KEY_FILE=$(systemctl cat etcd.service | grep "\--peer-key-file"| awk '{print $1}'| cut -d "=" -f2) + TRUSTED_CA_FILE=$(systemctl cat etcd.service | grep "\--trusted-ca-file"| awk '{print $1}'| cut -d "=" -f2) + PEER_TRUSTED_CA_FILE=$(systemctl cat etcd.service | grep "\--peer-trusted-ca-file"| awk '{print $1}'| cut -d "=" -f2) + + # Systemd advertise , client and peer url's + INTERNAL_IP=$(ip addr show enp0s8 | grep "inet " | awk '{print $2}' | cut -d / -f 1) + IAP_URL=$(systemctl cat etcd.service | grep "\--initial-advertise-peer-urls"| awk '{print $2}') + LP_URL=$(systemctl cat etcd.service | grep "\--listen-peer-urls"| awk '{print $2}') + LC_URL=$(systemctl cat etcd.service | grep "\--listen-client-urls"| awk '{print $2}') + AC_URL=$(systemctl cat etcd.service | grep "\--advertise-client-urls"| awk '{print $2}') + + + if [ $CERT_FILE == $ETCDCERT ] && [ $KEY_FILE == $ETCDKEY ] && [ $PEER_CERT_FILE == $ETCDCERT ] && [ $PEER_KEY_FILE == $ETCDKEY ] && \ + [ $TRUSTED_CA_FILE == $ETCD_CA_CERT ] && [ $PEER_TRUSTED_CA_FILE = $ETCD_CA_CERT ] + then + echo "ETCD certificate, ca and key files are correct under systemd service" + else + echo "Exiting...Found mismtach in the ETCD certificate, ca and keys, check /etc/systemd/system/etcd.service file" + exit 1 + fi + + if [ $IAP_URL == 
"https://$INTERNAL_IP:2380" ] && [ $LP_URL == "https://$INTERNAL_IP:2380" ] && [ $LC_URL == "https://$INTERNAL_IP:2379,https://127.0.0.1:2379" ] && \ + [ $AC_URL == "https://$INTERNAL_IP:2379" ] + then + echo "ETCD initial-advertise-peer-urls, listen-peer-urls, listen-client-urls, advertise-client-urls are correct" + else + echo "Exiting...Found mismtach in the ETCD initial-advertise-peer-urls / listen-peer-urls / listen-client-urls / advertise-client-urls, check /etc/systemd/system/etcd.service file" + exit 1 + fi + + else + echo "etcd-server.crt / etcd-server.key is missing" + exit 1 + fi +} + + # CRT & KEY verification check_cert_ca check_cert_admin @@ -385,4 +437,7 @@ check_cert_etcd check_cert_kpkubeconfig check_cert_kcmkubeconfig check_cert_kskubeconfig -check_cert_adminkubeconfig \ No newline at end of file +check_cert_adminkubeconfig + +# Systemd verification +check_systemd_etcd \ No newline at end of file From 5409a1c6da8cddd52e311a839c6e2142cf3eb747 Mon Sep 17 00:00:00 2001 From: Sujith Abdul Rahim Date: Sat, 25 Apr 2020 15:48:55 +0530 Subject: [PATCH 05/25] check_systemd_api --- vagrant/cert_verify.sh | 50 +++++++++++++++++++++++++++++++++++++++++- 1 file changed, 49 insertions(+), 1 deletion(-) diff --git a/vagrant/cert_verify.sh b/vagrant/cert_verify.sh index a512c21..f549eaa 100644 --- a/vagrant/cert_verify.sh +++ b/vagrant/cert_verify.sh @@ -50,6 +50,14 @@ KSKUBECONFIG=/var/lib/kubernetes/kube-scheduler.kubeconfig # admin.kubeconfig location ADMINKUBECONFIG=/var/lib/kubernetes/admin.kubeconfig +# All systemd service locations + +# etcd systemd service +SYSTEMD_ETCD_FILE=/etc/systemd/system/etcd.service + +# kub-api systemd service +SYSTEMD_API_FILE=/etc/systemd/system/kube-apiserver.service + check_cert_ca() { if [ -z $CACERT ] && [ -z $CAKEY ] 
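Review bot: `grep "\--cert-file"` also matches the `--peer-cert-file=` line of the unit, and likewise `--key-file` matches `--peer-key-file` and `--trusted-ca-file` matches `--peer-trusted-ca-file`, so `CERT_FILE`, `KEY_FILE` and `TRUSTED_CA_FILE` each hold two newline-separated values when both flags are present (which the function itself expects, since it greps for the peer variants); word-split into the unquoted `[ $CERT_FILE == $ETCDCERT ]` that is a "too many arguments" test error and a correct unit is reported as a mismatch. Anchor the patterns at the start of the flag, e.g. `grep -E '(^|[[:space:]])--cert-file='`, and quote the variables in the tests. For a certificate check of etcd I would also assert `--client-cert-auth=true` and `--peer-client-cert-auth=true`, because correct cert and CA paths do not help if etcd is not configured to require client certificates on 2379/2380. The final else branch says "etcd-server.crt / etcd-server.key is missing" although it is reached when the systemd unit file is absent; the message should name the unit.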
@@ -422,6 +430,45 @@ check_systemd_etcd() fi } +check_systemd_api() +{ + if [ -z $APICERT ] && [ -z $APIKEY ] + then + echo "please specify kube-api cert and key location, Exiting...." + exit 1 + elif [ -f $SYSTEMD_API_FILE ] + then + echo "Systemd for kube-api service found, verifying the authenticity" + + INTERNAL_IP=$(ip addr show enp0s8 | grep "inet " | awk '{print $2}' | cut -d / -f 1) + ADVERTISE_ADDRESS=$(systemctl cat kube-apiserver.service | grep "\--advertise-address" | awk '{print $1}' | cut -d "=" -f2) + CLIENT_CA_FILE=$(systemctl cat kube-apiserver.service | grep "\--client-ca-file" | awk '{print $1}' | cut -d "=" -f2) + ETCD_CA_FILE=$(systemctl cat kube-apiserver.service | grep "\--etcd-cafile" | awk '{print $1}' | cut -d "=" -f2) + ETCD_CERT_FILE=$(systemctl cat kube-apiserver.service | grep "\--etcd-certfile" | awk '{print $1}' | cut -d "=" -f2) + ETCD_KEY_FILE=$(systemctl cat kube-apiserver.service | grep "\--etcd-keyfile" | awk '{print $1}' | cut -d "=" -f2) + KUBELET_CERTIFICATE_AUTHORITY=$(systemctl cat kube-apiserver.service | grep "\--kubelet-certificate-authority" | awk '{print $1}' | cut -d "=" -f2) + KUBELET_CLIENT_CERTIFICATE=$(systemctl cat kube-apiserver.service | grep "\--kubelet-client-certificate" | awk '{print $1}' | cut -d "=" -f2) + KUBELET_CLIENT_KEY=$(systemctl cat kube-apiserver.service | grep "\--kubelet-client-key" | awk '{print $1}' | cut -d "=" -f2) + SERVICE_ACCOUNT_KEY_FILE=$(systemctl cat kube-apiserver.service | grep "\--service-account-key-file" | awk '{print $1}' | cut -d "=" -f2) + TLS_CERT_FILE=$(systemctl cat kube-apiserver.service | grep "\--tls-cert-file" | awk '{print $1}' | cut -d "=" -f2) + TLS_PRIVATE_KEY_FILE=$(systemctl cat kube-apiserver.service | grep "\--tls-private-key-file" | awk '{print $1}' | cut -d "=" -f2) + + if [ $ADVERTISE_ADDRESS == $INTERNAL_IP ] && [ $CLIENT_CA_FILE == $CACERT ] && [ $ETCD_CA_FILE == $CACERT ] && \ + [ $ETCD_CERT_FILE == "/var/lib/kubernetes/etcd-server.crt" ] && [ 
$ETCD_KEY_FILE == "/var/lib/kubernetes/etcd-server.key" ] && \ + [ $KUBELET_CERTIFICATE_AUTHORITY == $CACERT ] && [ $KUBELET_CLIENT_CERTIFICATE == $APICERT ] && [ $KUBELET_CLIENT_KEY == $APIKEY ] && \ + [ $SERVICE_ACCOUNT_KEY_FILE == $SACERT ] && [ $TLS_CERT_FILE == $APICERT ] && [ $TLS_PRIVATE_KEY_FILE == $APIKEY ] + then + echo "kube-apiserver advertise-address/ client-ca-file/ etcd-cafile/ etcd-certfile/ etcd-keyfile/ kubelet-certificate-authority/ kubelet-client-certificate/ kubelet-client-key/ service-account-key-file/ tls-cert-file/ tls-private-key-file are correct" + else + echo "Exiting...Found mismtach in the kube-apiserver systemd file, check advertise-address/ client-ca-file/ etcd-cafile/ etcd-certfile/ etcd-keyfile/ kubelet-certificate-authority/ kubelet-client-certificate/ kubelet-client-key/ service-account-key-file/ tls-cert-file/ tls-private-key-file under /etc/systemd/system/kube-apiserver.service" + exit 1 + fi + else + echo "kube-apiserver.crt / kube-apiserver.key is missing" + exit 1 + fi +} + # CRT & KEY verification check_cert_ca @@ -440,4 +487,5 @@ check_cert_kskubeconfig check_cert_adminkubeconfig # Systemd verification -check_systemd_etcd \ No newline at end of file +check_systemd_etcd +check_systemd_api \ No newline at end of file From dc51d1bcf3733edde10a882ed929b21ce4a96a98 Mon Sep 17 00:00:00 2001 From: Sujith Abdul Rahim Date: Sat, 25 Apr 2020 17:32:16 +0530 Subject: [PATCH 06/25] cert verification - master node --- vagrant/cert_verify.sh | 66 ++++++++++++++++++++++++++++++++++++++++-- 1 file changed, 64 insertions(+), 2 deletions(-) diff --git a/vagrant/cert_verify.sh b/vagrant/cert_verify.sh index f549eaa..be0fdda 100644 --- a/vagrant/cert_verify.sh +++ b/vagrant/cert_verify.sh @@ -1,6 +1,6 @@ #!/bin/bash set -e -set -x +#set -x # All Cert Location 
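Review bot: The etcd cert-path checks here are only meaningful if the apiserver actually uses TLS toward etcd, but `--etcd-servers` is not inspected; a unit carrying `--etcd-servers=http://...` would pass with every cert flag correct. I would extract it the same way and require each comma-separated entry to start with `https://`. The final else branch prints "kube-apiserver.crt / kube-apiserver.key is missing" although the branch is reached when `$SYSTEMD_API_FILE` does not exist (the cert files were already validated by check_cert_api); the message should name `/etc/systemd/system/kube-apiserver.service`. `systemctl cat` also prints drop-in overrides, so a flag that appears twice would give the unquoted `[ ... ]` tests two words; anchoring the patterns with `grep -E '(^|[[:space:]])--flag='` and quoting `"$ADVERTISE_ADDRESS"` and friends makes the outcome deterministic.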
@@ -58,6 +58,12 @@ SYSTEMD_ETCD_FILE=/etc/systemd/system/etcd.service # kub-api systemd service SYSTEMD_API_FILE=/etc/systemd/system/kube-apiserver.service +# kube-controller-manager systemd service +SYSTEMD_KCM_FILE=/etc/systemd/system/kube-controller-manager.service + +# kube-proxy systemd service +SYSTEMD_KP_FILE=/etc/systemd/system/kube-scheduler.service + check_cert_ca() { if [ -z $CACERT ] && [ -z $CAKEY ] 
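Review bot: `SYSTEMD_KP_FILE` is commented as the kube-proxy unit but points at `/etc/systemd/system/kube-scheduler.service`, so a reader checking kube-proxy will trust a result about the scheduler. Rename it to `SYSTEMD_KS_FILE=/etc/systemd/system/kube-scheduler.service` under `# kube-scheduler systemd service`, and introduce a `SYSTEMD_KP_FILE` only together with an actual kube-proxy unit check.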
@@ -469,6 +475,60 @@ check_systemd_api() fi } +check_systemd_kcm() +{ + if [ -z $KCMCERT ] && [ -z $KCMKEY ] + then + echo "please specify cert and key location" + exit 1 + elif [ -f $SYSTEMD_KCM_FILE ] + then + echo "Systemd for kube-controller-manager service found, verifying the authenticity" + CLUSTER_SIGNING_CERT_FILE=$(systemctl cat kube-controller-manager.service | grep "\--cluster-signing-cert-file" | awk '{print $1}' | cut -d "=" -f2) + CLUSTER_SIGNING_KEY_FILE=$(systemctl cat kube-controller-manager.service | grep "\--cluster-signing-key-file" | awk '{print $1}' | cut -d "=" -f2) + KUBECONFIG=$(systemctl cat kube-controller-manager.service | grep "\--kubeconfig" | awk '{print $1}' | cut -d "=" -f2) + ROOT_CA_FILE=$(systemctl cat kube-controller-manager.service | grep "\--root-ca-file" | awk '{print $1}' | cut -d "=" -f2) + SERVICE_ACCOUNT_PRIVATE_KEY_FILE=$(systemctl cat kube-controller-manager.service | grep "\--service-account-private-key-file" | awk '{print $1}' | cut -d "=" -f2) + + if [ $CLUSTER_SIGNING_CERT_FILE == $CACERT ] && [ $CLUSTER_SIGNING_KEY_FILE == $CAKEY ] && [ $KUBECONFIG == $KCMKUBECONFIG ] && \ + [ $ROOT_CA_FILE == $CACERT ] && [ $SERVICE_ACCOUNT_PRIVATE_KEY_FILE == $SAKEY ] + then + echo "kube-controller-manager cluster-signing-cert-file, cluster-signing-key-file, kubeconfig, root-ca-file, service-account-private-key-file are correct" + else + echo "Exiting...Found mismtach in the kube-controller-manager cluster-signing-cert-file, cluster-signing-key-file, kubeconfig, root-ca-file, service-account-private-key-file , check /etc/systemd/system/kube-controller-manager.service file" + exit 1 + fi + else + echo "kube-controller-manager.crt / kube-controller-manager.key is missing" + exit 1 + fi +} + +check_systemd_kp() +{ + if [ -z $KPCERT ] && [ -z $KPKEY ] + then + echo "please specify cert and key location" + exit 1 + elif [ -f $SYSTEMD_KP_FILE ] + then + echo "Systemd for kube-proxy service found, verifying the authenticity" + + 
KUBECONFIG=$(systemctl cat kube-scheduler.service | grep "\--kubeconfig"| awk '{print $1}'| cut -d "=" -f2) + ADDRESS=$(systemctl cat kube-scheduler.service | grep "\--address"| awk '{print $1}'| cut -d "=" -f2) + + if [ $KUBECONFIG == $KSKUBECONFIG ] && [ $ADDRESS == "127.0.0.1" ] + then + echo "kube-proxy --kubeconfig, --address are correct" + else + echo "Exiting...Found mismtach in the kube-proxy --kubeconfig, --address, check /etc/systemd/system/kube-scheduler.service file" + exit 1 + fi + else + echo "kube-proxy.crt / kube-proxy.key is missing" + exit 1 + fi +} # CRT & KEY verification check_cert_ca @@ -488,4 +548,6 @@ check_cert_adminkubeconfig # Systemd verification check_systemd_etcd -check_systemd_api \ No newline at end of file +check_systemd_api +check_systemd_kcm +check_systemd_kp \ No newline at end of file From 567847397b4ac76d1d741e20330a13eecb6826be Mon Sep 17 00:00:00 2001 From: Sujith Abdul Rahim Date: Sun, 26 Apr 2020 11:06:11 +0530 Subject: [PATCH 07/25] changes from kk --- vagrant/cert_verify.sh | 60 ++++++++++++++++++++++++++---------------- 1 file changed, 38 insertions(+), 22 deletions(-) diff --git a/vagrant/cert_verify.sh b/vagrant/cert_verify.sh index be0fdda..d52328a 100644 --- a/vagrant/cert_verify.sh +++ b/vagrant/cert_verify.sh 
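Review bot: The comparisons in check_systemd_kcm such as `[ $CLUSTER_SIGNING_CERT_FILE == $CACERT ]` are unquoted, so when a flag is absent from the unit and the `systemctl cat ... | grep` pipeline yields nothing, the test degenerates to `[ == /var/lib/kubernetes/ca.crt ]` and the script aborts under `set -e` with a test syntax error instead of the intended mismatch message; quote every expansion, e.g. `[ "$CLUSTER_SIGNING_CERT_FILE" == "$CACERT" ]`. The trailing else branch prints `kube-controller-manager.crt / kube-controller-manager.key is missing` although the only test that can fail there is `-f $SYSTEMD_KCM_FILE`, so the message should name the unit file. check_systemd_kp is labelled kube-proxy but reads kube-scheduler.service and `--address`, and its `$KPCERT`/`$KPKEY` guard has nothing to do with the file actually inspected. Since `--cluster-signing-key-file` is the CA private key, a path match is a weak assertion; this is the natural place to also check that the file is root-owned and not group/world readable.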
@@ -5,50 +5,50 @@ set -e # All Cert Location # ca certificate location -CACERT=/var/lib/kubernetes/ca.crt -CAKEY=/var/lib/kubernetes/ca.key +CACERT=ca.crt +CAKEY=ca.key # admin certificate location -ADMINCERT=/var/lib/kubernetes/admin.crt -ADMINKEY=/var/lib/kubernetes/admin.key +ADMINCERT=admin.crt +ADMINKEY=admin.key # Kube controller manager certificate location -KCMCERT=/var/lib/kubernetes/kube-controller-manager.crt -KCMKEY=/var/lib/kubernetes/kube-controller-manager.key +KCMCERT=kube-controller-manager.crt +KCMKEY=kube-controller-manager.key # Kube proxy certificate location -KPCERT=/var/lib/kubernetes/kube-proxy.crt -KPKEY=/var/lib/kubernetes/kube-proxy.key +KPCERT=kube-proxy.crt +KPKEY=kube-proxy.key # Kube scheduler certificate location -KSCERT=/var/lib/kubernetes/kube-scheduler.crt -KSKEY=/var/lib/kubernetes/kube-scheduler.key +KSCERT=kube-scheduler.crt +KSKEY=kube-scheduler.key # Kube api certificate location -APICERT=/var/lib/kubernetes/kube-apiserver.crt -APIKEY=/var/lib/kubernetes/kube-apiserver.key +APICERT=kube-apiserver.crt +APIKEY=kube-apiserver.key # ETCD certificate location -ETCDCERT=/etc/etcd/etcd-server.crt -ETCDKEY=/etc/etcd/etcd-server.key +ETCDCERT=etcd-server.crt +ETCDKEY=etcd-server.key # Service account certificate location -SACERT=/var/lib/kubernetes/service-account.crt -SAKEY=/var/lib/kubernetes/service-account.key +SACERT=service-account.crt +SAKEY=service-account.key # All kubeconfig locations # kubeproxy.kubeconfig location -KPKUBECONFIG=/var/lib/kubernetes/kube-proxy.kubeconfig +KPKUBECONFIG=kube-proxy.kubeconfig # kube-controller-manager.kubeconfig location -KCMKUBECONFIG=/var/lib/kubernetes/kube-controller-manager.kubeconfig +KCMKUBECONFIG=kube-controller-manager.kubeconfig # kube-scheduler.kubeconfig location -KSKUBECONFIG=/var/lib/kubernetes/kube-scheduler.kubeconfig +KSKUBECONFIG=kube-scheduler.kubeconfig # admin.kubeconfig location -ADMINKUBECONFIG=/var/lib/kubernetes/admin.kubeconfig +ADMINKUBECONFIG=admin.kubeconfig # All 
systemd service locations @@ -396,7 +396,7 @@ check_systemd_etcd() echo "Systemd for ETCD service found, verifying the authenticity" # Systemd cert and key file details - ETCD_CA_CERT=/etc/etcd/ca.crt + ETCD_CA_CERT=ca.crt CERT_FILE=$(systemctl cat etcd.service | grep "\--cert-file"| awk '{print $1}'| cut -d "=" -f2) KEY_FILE=$(systemctl cat etcd.service | grep "\--key-file"| awk '{print $1}' | cut -d "=" -f2) PEER_CERT_FILE=$(systemctl cat etcd.service | grep "\--peer-cert-file"| awk '{print $1}'| cut -d "=" -f2) @@ -412,6 +412,9 @@ check_systemd_etcd() AC_URL=$(systemctl cat etcd.service | grep "\--advertise-client-urls"| awk '{print $2}') + ETCD_CA_CERT=/etc/etcd/ca.crt + ETCDCERT=/etc/etcd/etcd-server.crt + ETCDKEY=/etc/etcd/etcd-server.key if [ $CERT_FILE == $ETCDCERT ] && [ $KEY_FILE == $ETCDKEY ] && [ $PEER_CERT_FILE == $ETCDCERT ] && [ $PEER_KEY_FILE == $ETCDKEY ] && \ [ $TRUSTED_CA_FILE == $ETCD_CA_CERT ] && [ $PEER_TRUSTED_CA_FILE = $ETCD_CA_CERT ] then @@ -429,7 +432,7 @@ check_systemd_etcd() echo "Exiting...Found mismtach in the ETCD initial-advertise-peer-urls / listen-peer-urls / listen-client-urls / advertise-client-urls, check /etc/systemd/system/etcd.service file" exit 1 fi - + else echo "etcd-server.crt / etcd-server.key is missing" exit 1 
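Review bot: Switching every CERT/KEY/KUBECONFIG variable to a bare filename (`CACERT=ca.crt`, `KCMKUBECONFIG=kube-controller-manager.kubeconfig`, ...) makes the openssl checks in check_cert_* operate on whatever happens to be in the current working directory, while the systemd checks further down compare against absolute paths under /var/lib/kubernetes and /etc/etcd. The script can therefore print "CA cert and key are correct" for a copy in the home directory without ever establishing that the deployed /var/lib/kubernetes/ca.crt is the file the services actually load. If checking the working copy is the intent, say so in a comment at the top of this variable block and fail early when none of the files exist in `$PWD`; otherwise derive the deployed locations from one overridable base, e.g. `CERT_DIR=${CERT_DIR:-/var/lib/kubernetes}` and `CACERT=$CERT_DIR/ca.crt`.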
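Review bot: `ETCD_CA_CERT`, `ETCDCERT` and `ETCDKEY` are reassigned to absolute paths inside check_systemd_etcd, which makes the `ETCD_CA_CERT=ca.crt` introduced in the hunk just above dead on arrival and mutates the file-level `ETCDCERT`/`ETCDKEY` that check_cert_etcd presumably reads, so a run's outcome now depends on the order the functions are invoked. Keep the function-scoped values separate from the globals, e.g. `local etcd_ca=/etc/etcd/ca.crt etcd_cert=/etc/etcd/etcd-server.crt etcd_key=/etc/etcd/etcd-server.key`, and compare `"$CERT_FILE"` against those. The body of check_systemd_etcd begins before this hunk.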
@@ -459,6 +462,10 @@ check_systemd_api() TLS_CERT_FILE=$(systemctl cat kube-apiserver.service | grep "\--tls-cert-file" | awk '{print $1}' | cut -d "=" -f2) TLS_PRIVATE_KEY_FILE=$(systemctl cat kube-apiserver.service | grep "\--tls-private-key-file" | awk '{print $1}' | cut -d "=" -f2) + CACERT=/var/lib/kubernetes/ca.crt + APICERT=/var/lib/kubernetes/kube-apiserver.crt + APIKEY=/var/lib/kubernetes/kube-apiserver.key + SACERT=/var/lib/kubernetes/service-account.crt if [ $ADVERTISE_ADDRESS == $INTERNAL_IP ] && [ $CLIENT_CA_FILE == $CACERT ] && [ $ETCD_CA_FILE == $CACERT ] && \ [ $ETCD_CERT_FILE == "/var/lib/kubernetes/etcd-server.crt" ] && [ $ETCD_KEY_FILE == "/var/lib/kubernetes/etcd-server.key" ] && \ [ $KUBELET_CERTIFICATE_AUTHORITY == $CACERT ] && [ $KUBELET_CLIENT_CERTIFICATE == $APICERT ] && [ $KUBELET_CLIENT_KEY == $APIKEY ] && \ @@ -477,6 +484,12 @@ check_systemd_api() check_systemd_kcm() { + KCMCERT=/var/lib/kubernetes/kube-controller-manager.crt + KCMKEY=/var/lib/kubernetes/kube-controller-manager.key + CACERT=/var/lib/kubernetes/ca.crt + CAKEY=/var/lib/kubernetes/ca.key + SAKEY=/var/lib/kubernetes/service-account.key + KCMKUBECONFIG=/var/lib/kubernetes/kube-controller-manager.kubeconfig if [ -z $KCMCERT ] && [ -z $KCMKEY ] then echo "please specify cert and key location" @@ -506,6 +519,9 @@ check_systemd_kcm() check_systemd_kp() { + KPCERT=/var/lib/kubernetes/kube-proxy.crt + KPKEY=/var/lib/kubernetes/kube-proxy.key + if [ -z $KPCERT ] && [ -z $KPKEY ] then echo "please specify cert and key location" From 118243245014d0149b50f41e9354586abdcec7fd Mon Sep 17 00:00:00 2001 From: Sujith Abdul Rahim Date: Tue, 28 Apr 2020 00:06:07 +0530 Subject: [PATCH 08/25] fix kp to ks --- vagrant/cert_verify.sh | 25 +++++++++++++------------ 1 file changed, 13 insertions(+), 12 deletions(-) diff --git a/vagrant/cert_verify.sh b/vagrant/cert_verify.sh index d52328a..c187f39 100644 --- a/vagrant/cert_verify.sh +++ b/vagrant/cert_verify.sh 
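Review bot: The guard `if [ -z $KCMCERT ] && [ -z $KCMKEY ]` in check_systemd_kcm is now unreachable, because the six assignments added directly above it hard-code every one of those variables before the test runs; the same pattern appears in the check_systemd_api and check_systemd_kp hunks here. Either drop the dead "please specify" branch or keep the values as overridable defaults, `KCMCERT=${KCMCERT:-/var/lib/kubernetes/kube-controller-manager.crt}`, so the guard still means something. These assignments also overwrite the file-level CACERT/CAKEY/SAKEY that other functions reuse, so what a later function compares against depends on which function ran before it rather than on the declared locations.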
@@ -61,8 +61,8 @@ SYSTEMD_API_FILE=/etc/systemd/system/kube-apiserver.service # kube-controller-manager systemd service SYSTEMD_KCM_FILE=/etc/systemd/system/kube-controller-manager.service -# kube-proxy systemd service -SYSTEMD_KP_FILE=/etc/systemd/system/kube-scheduler.service +# kube-scheduler systemd service +SYSTEMD_KS_FILE=/etc/systemd/system/kube-scheduler.service check_cert_ca() { @@ -517,31 +517,32 @@ check_systemd_kcm() fi } -check_systemd_kp() +check_systemd_ks() { - KPCERT=/var/lib/kubernetes/kube-proxy.crt - KPKEY=/var/lib/kubernetes/kube-proxy.key + KSCERT=/var/lib/kubernetes/kube-scheduler.crt + KSKEY=/var/lib/kubernetes/kube-scheduler.key + KSKUBECONFIG=/var/lib/kubernetes/kube-scheduler.kubeconfig - if [ -z $KPCERT ] && [ -z $KPKEY ] + if [ -z $KSCERT ] && [ -z $KSKEY ] then echo "please specify cert and key location" exit 1 - elif [ -f $SYSTEMD_KP_FILE ] + elif [ -f $SYSTEMD_KS_FILE ] then - echo "Systemd for kube-proxy service found, verifying the authenticity" + echo "Systemd for kube-scheduler service found, verifying the authenticity" KUBECONFIG=$(systemctl cat kube-scheduler.service | grep "\--kubeconfig"| awk '{print $1}'| cut -d "=" -f2) ADDRESS=$(systemctl cat kube-scheduler.service | grep "\--address"| awk '{print $1}'| cut -d "=" -f2) if [ $KUBECONFIG == $KSKUBECONFIG ] && [ $ADDRESS == "127.0.0.1" ] then - echo "kube-proxy --kubeconfig, --address are correct" + echo "kube-scheduler --kubeconfig, --address are correct" else - echo "Exiting...Found mismtach in the kube-proxy --kubeconfig, --address, check /etc/systemd/system/kube-scheduler.service file" + echo "Exiting...Found mismtach in the kube-scheduler --kubeconfig, --address, check /etc/systemd/system/kube-scheduler.service file" exit 1 fi else - echo "kube-proxy.crt / kube-proxy.key is missing" + echo "kube-scheduler.crt / kube-scheduler.key is missing" exit 1 fi } 
@@ -566,4 +567,4 @@ check_cert_adminkubeconfig check_systemd_etcd check_systemd_api check_systemd_kcm -check_systemd_kp \ No newline at end of file +check_systemd_ks \ No newline at end of file From 74fb28b009ed6b48f1b6ab7ee6744150568ae366 Mon Sep 17 00:00:00 2001 From: Sujith Abdul Rahim Date: Tue, 28 Apr 2020 01:05:42 +0530 Subject: [PATCH 09/25] worker1 node crt check --- vagrant/cert_verify.sh | 41 ++++++++++++++++++++++++++++++++++++++++- 1 file changed, 40 insertions(+), 1 deletion(-) diff --git a/vagrant/cert_verify.sh b/vagrant/cert_verify.sh index c187f39..7266f32 100644 --- a/vagrant/cert_verify.sh +++ b/vagrant/cert_verify.sh @@ -547,6 +547,8 @@ check_systemd_ks() fi } +### MASTER NODES ### + # CRT & KEY verification check_cert_ca check_cert_admin 
@@ -567,4 +569,41 @@ check_cert_adminkubeconfig check_systemd_etcd check_systemd_api check_systemd_kcm -check_systemd_ks \ No newline at end of file +check_systemd_ks + +### END OF MASTER NODES ### + +### WORKER NODES ### + +# Worker-1 cert details +WORKER_1_CERT=worker-1.crt +WORKER_1_KEY=worker-1.key + +check_cert_worker_1() +{ + if [ -z $WORKER_1_CERT ] && [ -z $WORKER_1_KEY ] + then + echo "please specify cert and key location of worker-1 node" + exit 1 + elif [ -f $WORKER_1_CERT ] && [ -f $WORKER_1_KEY ] + then + echo "worker-1 cert and key found, verifying the authenticity" + WORKER_1_CERT_SUBJECT=$(openssl x509 -in $WORKER_1_CERT -text | grep "Subject: CN"| tr -d " ") + WORKER_1_CERT_ISSUER=$(openssl x509 -in $WORKER_1_CERT -text | grep "Issuer: CN"| tr -d " ") + WORKER_1_CERT_MD5=$(openssl x509 -noout -modulus -in $WORKER_1_CERT | openssl md5| awk '{print $2}') + WORKER_1_KEY_MD5=$(openssl rsa -noout -modulus -in $WORKER_1_KEY | openssl md5| awk '{print $2}') + if [ $WORKER_1_CERT_SUBJECT == "Subject:CN=system:node:worker-1,O=system:nodes" ] && [ $WORKER_1_CERT_ISSUER == "Issuer:CN=KUBERNETES-CA" ] && [ $WORKER_1_CERT_MD5 == $WORKER_1_KEY_MD5 ] + then + echo "worker-1 cert and key are correct" + else + echo "Exiting...Found mismtach in the worker-1 certificate and keys, check subject" + exit 1 + fi + else + echo "worker-1.crt / worker-1.key is missing" + exit 1 + fi +} + + +check_cert_worker_1 \ No newline at end of file From 188c278c00f597023060ac5eb1e7743579197fbb Mon Sep 17 00:00:00 2001 From: Sujith Abdul Rahim Date: Tue, 28 Apr 2020 09:31:15 +0530 Subject: [PATCH 10/25] check_cert_worker_1_kubeconfig --- vagrant/cert_verify.sh | 33 ++++++++++++++++++++++++++++++++- 1 file changed, 32 insertions(+), 1 deletion(-) diff --git a/vagrant/cert_verify.sh b/vagrant/cert_verify.sh index 7266f32..ed5423c 100644 --- a/vagrant/cert_verify.sh +++ b/vagrant/cert_verify.sh 
@@ -579,6 +579,9 @@ check_systemd_ks WORKER_1_CERT=worker-1.crt WORKER_1_KEY=worker-1.key +# Worker-1 kubeconfig location +WORKER_1_KUBECONFIG=worker-1.kubeconfig + check_cert_worker_1() { if [ -z $WORKER_1_CERT ] && [ -z $WORKER_1_KEY ] 
@@ -605,5 +608,33 @@ check_cert_worker_1() fi } +check_cert_worker_1_kubeconfig() +{ + if [ -z $WORKER_1_KUBECONFIG ] + then + echo "please specify worker-1 kubeconfig location" + exit 1 + elif [ -f $WORKER_1_KUBECONFIG ] + then + echo "worker-1 kubeconfig file found, verifying the authenticity" + WORKER_1_KUBECONFIG_SUBJECT=$(cat $WORKER_1_KUBECONFIG | grep "client-certificate-data:" | awk '{print $2}' | base64 --decode | openssl x509 --text | grep "Subject: CN" | tr -d " ") + WORKER_1_KUBECONFIG_ISSUER=$(cat $WORKER_1_KUBECONFIG | grep "client-certificate-data:" | awk '{print $2}' | base64 --decode | openssl x509 --text | grep "Issuer: CN" | tr -d " ") + WORKER_1_KUBECONFIG_CERT_MD5=$(cat $WORKER_1_KUBECONFIG | grep "client-certificate-data:" | awk '{print $2}' | base64 --decode | openssl x509 -noout | openssl md5 | awk '{print $2}') + WORKER_1_KUBECONFIG_KEY_MD5=$(cat $WORKER_1_KUBECONFIG | grep "client-key-data" | awk '{print $2}' | base64 --decode | openssl rsa -noout | openssl md5 | awk '{print $2}') + WORKER_1_KUBECONFIG_SERVER=$(cat $WORKER_1_KUBECONFIG | grep "server:"| awk '{print $2}') + if [ $WORKER_1_KUBECONFIG_SUBJECT == "Subject:CN=system:node:worker-1,O=system:nodes" ] && [ $WORKER_1_KUBECONFIG_ISSUER == "Issuer:CN=KUBERNETES-CA" ] && \ + [ $WORKER_1_KUBECONFIG_CERT_MD5 == $WORKER_1_KUBECONFIG_KEY_MD5 ] && [ $WORKER_1_KUBECONFIG_SERVER == "https://192.168.5.30:6443" ] + then + echo "worker-1 kubeconfig cert and key are correct" + else + echo "Exiting...Found mismtach in the worker-1 kubeconfig certificate and keys, check subject" + exit 1 + fi + else + echo "worker-1 kubeconfig file is missing" + exit 1 + fi +} -check_cert_worker_1 \ No newline at end of file +check_cert_worker_1 +check_cert_worker_1_kubeconfig \ No newline at end of file From a9559c1ed2ff4773b15418650a008f7b236dd514 Mon Sep 17 00:00:00 2001 
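Review bot: The cert/key pairing test in check_cert_worker_1_kubeconfig is vacuous: `openssl x509 -noout` and `openssl rsa -noout` are invoked without `-modulus`, so both pipelines hash empty input and `WORKER_1_KUBECONFIG_CERT_MD5` always equals `WORKER_1_KUBECONFIG_KEY_MD5` (the MD5 of the empty string) whether or not the embedded key belongs to the certificate. check_cert_worker_1 in the previous commit does this correctly with `openssl x509 -noout -modulus` and `openssl rsa -noout -modulus`; use the same two flags here, after which a kubeconfig whose client-key-data was taken from another node is rejected instead of reported as correct. Note also that a failing `base64 --decode` or `openssl rsa` inside these `$(...)` pipelines is masked by the trailing `awk` unless `set -o pipefail` is enabled, so such errors are currently silent.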
From: Sujith Abdul Rahim Date: Tue, 28 Apr 2020 11:34:46 +0530 Subject: [PATCH 11/25] check_cert_worker_1_kubelet systemd --- vagrant/cert_verify.sh | 57 +++++++++++++++++++++++++++++++++++++++++- 1 file changed, 56 insertions(+), 1 deletion(-) diff --git a/vagrant/cert_verify.sh b/vagrant/cert_verify.sh index ed5423c..52f896d 100644 --- a/vagrant/cert_verify.sh +++ b/vagrant/cert_verify.sh @@ -582,6 +582,13 @@ WORKER_1_KEY=worker-1.key # Worker-1 kubeconfig location WORKER_1_KUBECONFIG=worker-1.kubeconfig +# Worker-1 kubelet config location +WORKER_1_KUBELET=/var/lib/kubelet/kubelet-config.yaml + +# Systemd worker-1 kubelet +SYSTEMD_WORKER_1_KUBELET=/etc/systemd/system/kubelet.service + + check_cert_worker_1() { if [ -z $WORKER_1_CERT ] && [ -z $WORKER_1_KEY ] 
@@ -636,5 +643,53 @@ check_cert_worker_1_kubeconfig() fi } +check_cert_worker_1_kubelet() +{ + + CACERT=/var/lib/kubernetes/ca.crt + WORKER_1_TLSCERTFILE=/var/lib/kubelet/${HOSTNAME}.crt + WORKER_1_TLSPRIVATEKEY=/var/lib/kubelet/${HOSTNAME}.key + + if [ -z $WORKER_1_KUBELET ] && [ -z $SYSTEMD_WORKER_1_KUBELET ] + then + echo "please specify worker-1 kubelet config location" + exit 1 + elif [ -f $WORKER_1_KUBELET ] && [ -f $SYSTEMD_WORKER_1_KUBELET ] && [ -f $WORKER_1_TLSCERTFILE ] && [ -f $WORKER_1_TLSPRIVATEKEY ] + then + echo "worker-1 kubelet config file, systemd services, tls cert and key found, verifying the authenticity" + + WORKER_1_KUBELET_CA=$(cat kubelet-config.yaml | grep "clientCAFile:" | awk '{print $2}' | tr -d " \"") + WORKER_1_KUBELET_DNS=$(cat kubelet-config.yaml | grep "resolvConf:" | awk '{print $2}' | tr -d " \"") + WORKER_1_KUBELET_AUTH_MODE=$(cat kubelet-config.yaml | grep "mode:" | awk '{print $2}' | tr -d " \"") + + if [ $WORKER_1_KUBELET_CA == $CACERT ] && [ $WORKER_1_KUBELET_DNS == "/run/systemd/resolve/resolv.conf" ] && \ + [ $WORKER_1_KUBELET_AUTH_MODE == "Webhook" ] + then + echo "worker-1 kubelet config CA cert, resolvConf and Auth mode are correct" + else + echo "Exiting...Found mismtach in the worker-1 kubelet config CA cert, resolvConf and Auth mode, check /var/lib/kubelet/kubelet-config.yaml" + exit 1 + fi + + KUBELETCONFIG=$(systemctl cat kubelet.service | grep "\--config" | awk '{print $1}'| cut -d "=" -f2) + TLSCERTFILE=$(systemctl cat kubelet.service | grep "\--tls-cert-file" | awk '{print $1}'| cut -d "=" -f2) + TLSPRIVATEKEY=$(systemctl cat kubelet.service | grep "\--tls-private-key-file" | awk '{print $1}'| cut -d "=" -f2) + + if [ $KUBELETCONFIG == $WORKER_1_KUBELET ] && [ $TLSCERTFILE == $WORKER_1_TLSCERTFILE ] && \ + [ $TLSPRIVATEKEY == $WORKER_1_TLSPRIVATEKEY ] + then + echo "worker-1 kubelet systemd services are correct" + else + echo "Exiting...Found mismtach in the worker-1 kubelet systemd services, check 
/etc/systemd/system/kubelet.service" + exit 1 + fi + + else + echo "worker-1 kubelet config, systemd services, tls cert and key file is missing" + exit 1 + fi +} + check_cert_worker_1 -check_cert_worker_1_kubeconfig \ No newline at end of file +check_cert_worker_1_kubeconfig +check_cert_worker_1_kubelet \ No newline at end of file From 5c996d39d2f5c51ba0d3ed0d7a11b7c2dd7a5a33 Mon Sep 17 00:00:00 2001 From: Sujith Abdul Rahim Date: Tue, 28 Apr 2020 12:14:49 +0530 Subject: [PATCH 12/25] worker 1 cert path --- vagrant/cert_verify.sh | 10 +++++----- 1 file changed, 5 insertions(+), 5 deletions(-) diff --git a/vagrant/cert_verify.sh b/vagrant/cert_verify.sh index 52f896d..b7e0bf4 100644 --- a/vagrant/cert_verify.sh +++ b/vagrant/cert_verify.sh @@ -576,11 +576,11 @@ check_systemd_ks ### WORKER NODES ### # Worker-1 cert details -WORKER_1_CERT=worker-1.crt -WORKER_1_KEY=worker-1.key +WORKER_1_CERT=/var/lib/kubelet/worker-1.crt +WORKER_1_KEY=/var/lib/kubelet/worker-1.key # Worker-1 kubeconfig location -WORKER_1_KUBECONFIG=worker-1.kubeconfig +WORKER_1_KUBECONFIG=/var/lib/kubelet/kubeconfig # Worker-1 kubelet config location WORKER_1_KUBELET=/var/lib/kubelet/kubelet-config.yaml @@ -610,7 +610,7 @@ check_cert_worker_1() exit 1 fi else - echo "worker-1.crt / worker-1.key is missing" + echo "/var/lib/kubelet/worker-1.crt / /var/lib/kubelet/worker-1.key is missing" exit 1 fi } @@ -638,7 +638,7 @@ check_cert_worker_1_kubeconfig() exit 1 fi else - echo "worker-1 kubeconfig file is missing" + echo "worker-1 /var/lib/kubelet/kubeconfig file is missing" exit 1 fi } From f00dbbece51936c8319e1cbeb481885622494a29 Mon Sep 17 00:00:00 2001 From: Sujith Abdul Rahim Date: Tue, 28 Apr 2020 12:24:17 +0530 Subject: [PATCH 13/25] WORKER_1_KUBELET kubelet --- vagrant/cert_verify.sh | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/vagrant/cert_verify.sh b/vagrant/cert_verify.sh index b7e0bf4..85ce030 100644 --- a/vagrant/cert_verify.sh +++ b/vagrant/cert_verify.sh 
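Review bot: `grep "mode:"` in check_cert_worker_1_kubelet is a loose match on a YAML file: any other key ending in `mode:`, or the same key appearing twice, puts more than one word into `WORKER_1_KUBELET_AUTH_MODE`, and the unquoted `[ $WORKER_1_KUBELET_AUTH_MODE == "Webhook" ]` then errors out instead of reporting a mismatch; anchor the pattern, e.g. `grep -E '^\s*mode:'`, and quote the expansions. From a hardening standpoint the function verifies the authorization mode but nothing about authentication; if the tutorial's kubelet-config.yaml sets `enabled: false` under `anonymous:` (not visible here), add a parallel check on that value, since a Webhook authorizer is of limited use while anonymous requests are still accepted. `WORKER_1_TLSCERTFILE=/var/lib/kubelet/${HOSTNAME}.crt` also depends on the caller's HOSTNAME while the subject check is hard-coded to worker-1; derive both from the same value.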
@@ -658,9 +658,9 @@ check_cert_worker_1_kubelet() then echo "worker-1 kubelet config file, systemd services, tls cert and key found, verifying the authenticity" - WORKER_1_KUBELET_CA=$(cat kubelet-config.yaml | grep "clientCAFile:" | awk '{print $2}' | tr -d " \"") - WORKER_1_KUBELET_DNS=$(cat kubelet-config.yaml | grep "resolvConf:" | awk '{print $2}' | tr -d " \"") - WORKER_1_KUBELET_AUTH_MODE=$(cat kubelet-config.yaml | grep "mode:" | awk '{print $2}' | tr -d " \"") + WORKER_1_KUBELET_CA=$(cat $WORKER_1_KUBELET | grep "clientCAFile:" | awk '{print $2}' | tr -d " \"") + WORKER_1_KUBELET_DNS=$(cat $WORKER_1_KUBELET | grep "resolvConf:" | awk '{print $2}' | tr -d " \"") + WORKER_1_KUBELET_AUTH_MODE=$(cat $WORKER_1_KUBELET | grep "mode:" | awk '{print $2}' | tr -d " \"") if [ $WORKER_1_KUBELET_CA == $CACERT ] && [ $WORKER_1_KUBELET_DNS == "/run/systemd/resolve/resolv.conf" ] && \ [ $WORKER_1_KUBELET_AUTH_MODE == "Webhook" ] From 24438edbbf13e06c74d83dc518d1e31e7b477413 Mon Sep 17 00:00:00 2001 From: Sujith Abdul Rahim Date: Tue, 28 Apr 2020 12:56:27 +0530 Subject: [PATCH 14/25] check_cert_worker_1_kp - kubeproxy --- vagrant/cert_verify.sh | 38 ++++++++++++++++++++++++++++++++++++-- 1 file changed, 36 insertions(+), 2 deletions(-) diff --git a/vagrant/cert_verify.sh b/vagrant/cert_verify.sh index 85ce030..6b6c7a6 100644 --- a/vagrant/cert_verify.sh +++ b/vagrant/cert_verify.sh @@ -585,9 +585,12 @@ WORKER_1_KUBECONFIG=/var/lib/kubelet/kubeconfig # Worker-1 kubelet config location WORKER_1_KUBELET=/var/lib/kubelet/kubelet-config.yaml -# Systemd worker-1 kubelet +# Systemd worker-1 kubelet location SYSTEMD_WORKER_1_KUBELET=/etc/systemd/system/kubelet.service +# kube-proxy worker-1 location +WORKER_1_KP_KUBECONFIG=/var/lib/kube-proxy/kubeconfig +SYSTEMD_WORKER_1_KP=/etc/systemd/system/kube-proxy.service check_cert_worker_1() { 
@@ -690,6 +693,37 @@ check_cert_worker_1_kubelet() fi } +check_cert_worker_1_kp() +{ + + WORKER_1_KP_CONFIG_YAML=/var/lib/kube-proxy/kube-proxy-config.yaml + + if [ -z $WORKER_1_KP_KUBECONFIG ] && [ -z $SYSTEMD_WORKER_1_KP ] + then + echo "please specify worker-1 kube-proxy config and systemd service path" + exit 1 + elif [ -f $WORKER_1_KP_KUBECONFIG ] && [ -f $SYSTEMD_WORKER_1_KP ] && [ -f $WORKER_1_KP_CONFIG_YAML ] + then + echo "worker-1 kube-proxy kubeconfig, systemd services and configuration files found, verifying the authenticity" + + KP_CONFIG=$(cat $WORKER_1_KP_CONFIG_YAML | grep "kubeconfig:" | awk '{print $2}' | tr -d " \"") + KP_CONFIG_YAML=$(systemctl cat kube-proxy.service | grep "\--config" | awk '{print $1}'| cut -d "=" -f2) + + if [ $KP_CONFIG == $WORKER_1_KP_KUBECONFIG ] && [ $KP_CONFIG_YAML == $WORKER_1_KP_CONFIG_YAML ] + then + echo "worker-1 kube-proxy kubeconfig and configuration files are correct" + else + echo "Exiting...Found mismtach in the worker-1 kube-proxy kubeconfig and configuration files, check /var/lib/kubelet/kubelet-config.yaml & /etc/systemd/system/kube-proxy.service" + exit 1 + fi + + else + echo "worker-1 kube-proxy kubeconfig and configuration files are missing" + exit 1 + fi +} + check_cert_worker_1 check_cert_worker_1_kubeconfig -check_cert_worker_1_kubelet \ No newline at end of file +check_cert_worker_1_kubelet +check_cert_worker_1_kp \ No newline at end of file From 4900dd558feb8d797237c04606089b8ad9f173c6 Mon Sep 17 00:00:00 2001 From: Sujith Abdul Rahim Date: Tue, 28 Apr 2020 13:11:13 +0530 Subject: [PATCH 15/25] master and worker1 node certificate verification --- vagrant/cert_verify.sh | 105 +++++++++++++++++++++++------------------ 1 file changed, 59 insertions(+), 46 deletions(-) diff --git a/vagrant/cert_verify.sh b/vagrant/cert_verify.sh index 6b6c7a6..ef3e560 100644 --- a/vagrant/cert_verify.sh +++ b/vagrant/cert_verify.sh 
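Review bot: The failure message in check_cert_worker_1_kp points the user at the wrong file — it says `check /var/lib/kubelet/kubelet-config.yaml & /etc/systemd/system/kube-proxy.service` although the compared values come from `/var/lib/kube-proxy/kube-proxy-config.yaml` and the unit's `--config` flag; change it to `check /var/lib/kube-proxy/kube-proxy-config.yaml & /etc/systemd/system/kube-proxy.service`. The `-z` guard on `WORKER_1_KP_KUBECONFIG`/`SYSTEMD_WORKER_1_KP` cannot fire because both are assigned constants at file level, and `[ $KP_CONFIG == $WORKER_1_KP_KUBECONFIG ]` breaks when the grep finds nothing, so quote the expansions. Unlike the kubelet path, nothing here inspects the certificate embedded in `/var/lib/kube-proxy/kubeconfig` (subject, issuer, key match); consider reusing the kubeconfig-verification pattern from the master checks for it.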
@@ -64,6 +64,28 @@ SYSTEMD_KCM_FILE=/etc/systemd/system/kube-controller-manager.service # kube-scheduler systemd service SYSTEMD_KS_FILE=/etc/systemd/system/kube-scheduler.service +### WORKER NODES ### + +# Worker-1 cert details +WORKER_1_CERT=/var/lib/kubelet/worker-1.crt +WORKER_1_KEY=/var/lib/kubelet/worker-1.key + +# Worker-1 kubeconfig location +WORKER_1_KUBECONFIG=/var/lib/kubelet/kubeconfig + +# Worker-1 kubelet config location +WORKER_1_KUBELET=/var/lib/kubelet/kubelet-config.yaml + +# Systemd worker-1 kubelet location +SYSTEMD_WORKER_1_KUBELET=/etc/systemd/system/kubelet.service + +# kube-proxy worker-1 location +WORKER_1_KP_KUBECONFIG=/var/lib/kube-proxy/kubeconfig +SYSTEMD_WORKER_1_KP=/etc/systemd/system/kube-proxy.service + + +# Function - Master node # + check_cert_ca() { if [ -z $CACERT ] && [ -z $CAKEY ] @@ -274,8 +296,6 @@ check_cert_sa() } -# Kubeconfig verification - check_cert_kpkubeconfig() { if [ -z $KPKUBECONFIG ] 
@@ -547,50 +567,9 @@ check_systemd_ks() fi } -### MASTER NODES ### +# END OF Function - Master node # -# CRT & KEY verification -check_cert_ca -check_cert_admin -check_cert_kcm -check_cert_kp -check_cert_ks -check_cert_api -check_cert_sa -check_cert_etcd - -# Kubeconfig verification -check_cert_kpkubeconfig -check_cert_kcmkubeconfig -check_cert_kskubeconfig -check_cert_adminkubeconfig - -# Systemd verification -check_systemd_etcd -check_systemd_api -check_systemd_kcm -check_systemd_ks - -### END OF MASTER NODES ### - -### WORKER NODES ### - -# Worker-1 cert details -WORKER_1_CERT=/var/lib/kubelet/worker-1.crt -WORKER_1_KEY=/var/lib/kubelet/worker-1.key - -# Worker-1 kubeconfig location -WORKER_1_KUBECONFIG=/var/lib/kubelet/kubeconfig - -# Worker-1 kubelet config location -WORKER_1_KUBELET=/var/lib/kubelet/kubelet-config.yaml - -# Systemd worker-1 kubelet location -SYSTEMD_WORKER_1_KUBELET=/etc/systemd/system/kubelet.service - -# kube-proxy worker-1 location -WORKER_1_KP_KUBECONFIG=/var/lib/kube-proxy/kubeconfig -SYSTEMD_WORKER_1_KP=/etc/systemd/system/kube-proxy.service +# Function - Worker-1 node # check_cert_worker_1() { @@ -723,7 +702,41 @@ check_cert_worker_1_kp() fi } +# END OF Function - Worker-1 node # + + +### MASTER NODES ### + +# CRT & KEY verification +check_cert_ca +check_cert_admin +check_cert_kcm +check_cert_kp +check_cert_ks +check_cert_api +check_cert_sa +check_cert_etcd + +# Kubeconfig verification +check_cert_kpkubeconfig +check_cert_kcmkubeconfig +check_cert_kskubeconfig +check_cert_adminkubeconfig + +# Systemd verification +check_systemd_etcd +check_systemd_api +check_systemd_kcm +check_systemd_ks + +### END OF MASTER NODES ### + + +### WORKER-1 NODE ### + check_cert_worker_1 check_cert_worker_1_kubeconfig check_cert_worker_1_kubelet -check_cert_worker_1_kp \ No newline at end of file +check_cert_worker_1_kp + +### END OF WORKER-1 NODE ### \ No newline at end of file From d34d9075d88bc32272ac641854df3ac68cb0ad0a Mon Sep 17 00:00:00 2001 
From: Sujith Abdul Rahim Date: Tue, 28 Apr 2020 13:36:52 +0530 Subject: [PATCH 16/25] case interactive - cert verify --- vagrant/cert_verify.sh | 75 +++++++++++++++++++++++++++--------------- 1 file changed, 48 insertions(+), 27 deletions(-) mode change 100644 => 100755 vagrant/cert_verify.sh diff --git a/vagrant/cert_verify.sh b/vagrant/cert_verify.sh old mode 100644 new mode 100755 index ef3e560..01ba0fe --- a/vagrant/cert_verify.sh +++ b/vagrant/cert_verify.sh 
@@ -704,39 +704,60 @@ check_cert_worker_1_kp() # END OF Function - Worker-1 node # +echo -e "This script will validate the certificates in master as well as worker-1 nodes. Before proceeding, make sure you ssh into the respective node for certificate validation\n" +echo -e "1. Verify certification in Master Node\n" +echo -e "2. Verify certification in Worker-1 Node\n" +echo -e "Please select either the option 1 or 2\n" +read value -### MASTER NODES ### +case $value in -# CRT & KEY verification -check_cert_ca -check_cert_admin -check_cert_kcm -check_cert_kp -check_cert_ks -check_cert_api -check_cert_sa -check_cert_etcd + 1) + echo -e "The selected option is $value, proceeding the certificate verification of Master node" -# Kubeconfig verification -check_cert_kpkubeconfig -check_cert_kcmkubeconfig -check_cert_kskubeconfig -check_cert_adminkubeconfig + ### MASTER NODES ### -# Systemd verification -check_systemd_etcd -check_systemd_api -check_systemd_kcm -check_systemd_ks + # CRT & KEY verification + check_cert_ca + check_cert_admin + check_cert_kcm + check_cert_kp + check_cert_ks + check_cert_api + check_cert_sa + check_cert_etcd -### END OF MASTER NODES ### + # Kubeconfig verification + check_cert_kpkubeconfig + check_cert_kcmkubeconfig + check_cert_kskubeconfig + check_cert_adminkubeconfig + # Systemd verification + check_systemd_etcd + check_systemd_api + check_systemd_kcm + check_systemd_ks -### WORKER-1 NODE ### + ### END OF MASTER NODES ### -check_cert_worker_1 -check_cert_worker_1_kubeconfig -check_cert_worker_1_kubelet -check_cert_worker_1_kp + ;; -### END OF WORKER-1 NODE ### \ No newline at end of file + 2) + echo -e "The selected option is $value, proceeding the certificate verification of Worker-1 node" + + ### WORKER-1 NODE ### + + check_cert_worker_1 + check_cert_worker_1_kubeconfig + check_cert_worker_1_kubelet + check_cert_worker_1_kp + + ### END OF WORKER-1 NODE ### + ;; + + *) + echo -e "Exiting.... 
Please select the valid option either 1 or 2\n" + exit 1 + ;; +esac \ No newline at end of file From 853fb56269dcb7b52ad4d34873d348ff4fc41c90 Mon Sep 17 00:00:00 2001 From: Sujith Abdul Rahim Date: Wed, 6 May 2020 11:11:07 +0530 Subject: [PATCH 17/25] tiny tweaks --- vagrant/cert_verify.sh | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/vagrant/cert_verify.sh b/vagrant/cert_verify.sh index 01ba0fe..5f5c610 100755 --- a/vagrant/cert_verify.sh +++ b/vagrant/cert_verify.sh @@ -325,6 +325,7 @@ check_cert_kpkubeconfig() check_cert_kcmkubeconfig() { + KCMKUBECONFIG=/var/lib/kubernetes/kube-controller-manager.kubeconfig if [ -z $KCMKUBECONFIG ] then echo "please specify kube-controller-manager kubeconfig location" @@ -353,6 +354,7 @@ check_cert_kcmkubeconfig() check_cert_kskubeconfig() { + KSKUBECONFIG=/var/lib/kubernetes/kube-scheduler.kubeconfig if [ -z $KSKUBECONFIG ] then echo "please specify kube-scheduler kubeconfig location" @@ -704,7 +706,7 @@ check_cert_worker_1_kp() # END OF Function - Worker-1 node # -echo -e "This script will validate the certificates in master as well as worker-1 nodes. Before proceeding, make sure you ssh into the respective node for certificate validation\n" +echo -e "This script will validate the certificates in master as well as worker-1 nodes. Before proceeding, make sure you ssh into the respective node [ Master or Worker-1 ] for certificate validation\n" echo -e "1. Verify certification in Master Node\n" echo -e "2. Verify certification in Worker-1 Node\n" echo -e "Please select either the option 1 or 2\n" From 23801b3006b475551b76b957c4da2586242844b0 Mon Sep 17 00:00:00 2001 From: Sujith Abdul Rahim Date: Wed, 6 May 2020 11:40:14 +0530 Subject: [PATCH 18/25] cert_verify.sh - vagrant home --- vagrant/Vagrantfile | 2 ++ vagrant/{ => ubuntu}/cert_verify.sh | 0 2 files changed, 2 insertions(+) rename vagrant/{ => ubuntu}/cert_verify.sh (100%) 
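Review bot: `read value` should be `read -r value` and the selector quoted as `case "$value" in`; as written, a backslash in the input is interpreted by read and a value with spaces or glob characters is word-split before matching. The lines `echo -e "The selected option is $value, ..."` pass user-typed text through `-e`, so escape sequences in the input are expanded onto the terminal; only the `1`/`2` arms echo it, which limits the impact, but `printf '%s\n' "The selected option is $value, ..."` is the safe form. The banner tells the user to ssh into the right node first, yet the script never checks which node it is on, so choosing 1 on a worker fails only when the first cert file is not found; the wording "proceeding the certificate verification" should read "proceeding with certificate verification".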
diff --git a/vagrant/Vagrantfile b/vagrant/Vagrantfile index 5b0ac3d..5490ab5 100644 --- a/vagrant/Vagrantfile +++ b/vagrant/Vagrantfile @@ -71,6 +71,7 @@ Vagrant.configure("2") do |config| end node.vm.provision "setup-dns", type: "shell", :path => "ubuntu/update-dns.sh" + node.vm.provision "file", source: "./ubuntu/cert_verify.sh", destination: "$HOME/" end end @@ -113,6 +114,7 @@ Vagrant.configure("2") do |config| node.vm.provision "setup-dns", type: "shell", :path => "ubuntu/update-dns.sh" node.vm.provision "install-docker", type: "shell", :path => "ubuntu/install-docker-2.sh" node.vm.provision "allow-bridge-nf-traffic", :type => "shell", :path => "ubuntu/allow-bridge-nf-traffic.sh" + node.vm.provision "file", source: "./ubuntu/cert_verify.sh", destination: "$HOME/" end end diff --git a/vagrant/cert_verify.sh b/vagrant/ubuntu/cert_verify.sh similarity index 100% rename from vagrant/cert_verify.sh rename to vagrant/ubuntu/cert_verify.sh From ff55dafcad653358bb7e473f1bf6f92897220258 Mon Sep 17 00:00:00 2001 From: Sujith Abdul Rahim Date: Wed, 6 May 2020 15:53:31 +0530 Subject: [PATCH 19/25] skip admin crt - master2 --- vagrant/ubuntu/cert_verify.sh | 9 +++++++-- 1 file changed, 7 insertions(+), 2 deletions(-) diff --git a/vagrant/ubuntu/cert_verify.sh b/vagrant/ubuntu/cert_verify.sh index 5f5c610..e1afbac 100755 --- a/vagrant/ubuntu/cert_verify.sh +++ b/vagrant/ubuntu/cert_verify.sh @@ -718,10 +718,15 @@ case $value in echo -e "The selected option is $value, proceeding the certificate verification of Master node" ### MASTER NODES ### - + master_hostname=$(hostname -s) # CRT & KEY verification check_cert_ca - check_cert_admin + + if [ $master_hostname == "master-1" ] + then + check_cert_admin + fi + check_cert_kcm check_cert_kp check_cert_ks From 76fb7350f13dead1ca94388d4c76ac1f294a2526 Mon Sep 17 00:00:00 2001 
From: Sujith Abdul Rahim Date: Wed, 6 May 2020 23:07:53 +0530 Subject: [PATCH 20/25] master 2 skipped checks combined --- vagrant/ubuntu/cert_verify.sh | 9 ++++----- 1 file changed, 4 insertions(+), 5 deletions(-) diff --git a/vagrant/ubuntu/cert_verify.sh b/vagrant/ubuntu/cert_verify.sh index e1afbac..c874f51 100755 --- a/vagrant/ubuntu/cert_verify.sh +++ b/vagrant/ubuntu/cert_verify.sh @@ -725,11 +725,11 @@ case $value in if [ $master_hostname == "master-1" ] then check_cert_admin + check_cert_kcm + check_cert_kp + check_cert_ks + check_cert_adminkubeconfig fi - - check_cert_kcm - check_cert_kp - check_cert_ks check_cert_api check_cert_sa check_cert_etcd @@ -738,7 +738,6 @@ case $value in check_cert_kpkubeconfig check_cert_kcmkubeconfig check_cert_kskubeconfig - check_cert_adminkubeconfig # Systemd verification check_systemd_etcd From 7847fd097275b89ea7b3878953d28632a2ff32fb Mon Sep 17 00:00:00 2001 From: Sujith Abdul Rahim Date: Thu, 7 May 2020 00:13:07 +0530 Subject: [PATCH 21/25] color output printf --- vagrant/ubuntu/cert_verify.sh | 215 +++++++++++++++++----------------- 1 file changed, 110 insertions(+), 105 deletions(-) diff --git a/vagrant/ubuntu/cert_verify.sh b/vagrant/ubuntu/cert_verify.sh index c874f51..74a3f2c 100755 --- a/vagrant/ubuntu/cert_verify.sh +++ b/vagrant/ubuntu/cert_verify.sh @@ -2,6 +2,11 @@ set -e #set -x +# Green & Red marking for Success and Failed messages +SUCCESS='\033[0;32m' +FAILED='\033[0;31m' +NC='\033[0m' + # All Cert Location # ca certificate location 
@@ -90,24 +95,24 @@ check_cert_ca()
 {
 if [ -z $CACERT ] && [ -z $CAKEY ]
 then
- echo "please specify cert and key location"
+ printf "${FAILED}please specify cert and key location\n"
 exit 1
 elif [ -f $CACERT ] && [ -f $CAKEY ]
 then
- echo "CA cert and key found, verifying the authenticity"
+ printf "${NC}CA cert and key found, verifying the authenticity\n"
 CACERT_SUBJECT=$(openssl x509 -in $CACERT -text | grep "Subject: CN"| tr -d " ")
 CACERT_ISSUER=$(openssl x509 -in $CACERT -text | grep "Issuer: CN"| tr -d " ")
 CACERT_MD5=$(openssl x509 -noout -modulus -in $CACERT | openssl md5| awk '{print $2}')
 CAKEY_MD5=$(openssl rsa -noout -modulus -in $CAKEY | openssl md5| awk '{print $2}')
 if [ $CACERT_SUBJECT == "Subject:CN=KUBERNETES-CA" ] && [ $CACERT_ISSUER == "Issuer:CN=KUBERNETES-CA" ] && [ $CACERT_MD5 == $CAKEY_MD5 ]
 then
- echo "CA cert and key are correct"
+ printf "${SUCCESS}CA cert and key are correct\n"
 else
- echo "Exiting...Found mismtach in the CA certificate and keys, check subject"
+ printf "${FAILED}Exiting...Found mismtach in the CA certificate and keys, check subject\n"
 exit 1
 fi
 else
- echo "ca.crt / ca.key is missing"
+ printf "${FAILED}ca.crt / ca.key is missing\n"
 exit 1
 fi
 }
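Review bot: Each new `printf` opens a colour with `${SUCCESS}` or `${FAILED}` but never closes it, so after a failure the script exits with the terminal still red and the next shell prompt inherits the colour; every coloured message should end with `${NC}` before the `\n`. The message is also used as the printf format rather than passed as an argument, which works for these literals but will misbehave for any text containing `%`, and failure diagnostics are written to stdout although they precede `exit 1`; `printf "${FAILED}%s${NC}\n" "please specify cert and key location" >&2` addresses all three points. The same pattern repeats in every other hunk of this commit, from `check_cert_admin` through `check_cert_worker_1_kp` and the final `case` arm, so the fix is best applied file-wide through two small helpers such as `ok() { printf "${SUCCESS}%s${NC}\n" "$*"; }` and `fail() { printf "${FAILED}%s${NC}\n" "$*" >&2; exit 1; }` rather than line by line.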
@@ -117,24 +122,24 @@ check_cert_admin() { if [ -z $ADMINCERT ] && [ -z $ADMINKEY ] then - echo "please specify cert and key location" + printf "${FAILED}please specify cert and key location\n" exit 1 elif [ -f $ADMINCERT ] && [ -f $ADMINKEY ] then - echo "admin cert and key found, verifying the authenticity" + printf "${NC}admin cert and key found, verifying the authenticity\n" ADMINCERT_SUBJECT=$(openssl x509 -in $ADMINCERT -text | grep "Subject: CN"| tr -d " ") ADMINCERT_ISSUER=$(openssl x509 -in $ADMINCERT -text | grep "Issuer: CN"| tr -d " ") ADMINCERT_MD5=$(openssl x509 -noout -modulus -in $ADMINCERT | openssl md5| awk '{print $2}') ADMINKEY_MD5=$(openssl rsa -noout -modulus -in $ADMINKEY | openssl md5| awk '{print $2}') if [ $ADMINCERT_SUBJECT == "Subject:CN=admin,O=system:masters" ] && [ $ADMINCERT_ISSUER == "Issuer:CN=KUBERNETES-CA" ] && [ $ADMINCERT_MD5 == $ADMINKEY_MD5 ] then - echo "admin cert and key are correct" + printf "${SUCCESS}admin cert and key are correct\n" else - echo "Exiting...Found mismtach in the admin certificate and keys, check subject" + printf "${FAILED}Exiting...Found mismtach in the admin certificate and keys, check subject\n" exit 1 fi else - echo "admin.crt / admin.key is missing" + printf "${FAILED}admin.crt / admin.key is missing\n" exit 1 fi } 
@@ -143,24 +148,24 @@ check_cert_kcm() { if [ -z $KCMCERT ] && [ -z $KCMKEY ] then - echo "please specify cert and key location" + printf "${FAILED}please specify cert and key location\n" exit 1 elif [ -f $KCMCERT ] && [ -f $KCMKEY ] then - echo "kube-controller-manager cert and key found, verifying the authenticity" + printf "${NC}kube-controller-manager cert and key found, verifying the authenticity\n" KCMCERT_SUBJECT=$(openssl x509 -in $KCMCERT -text | grep "Subject: CN"| tr -d " ") KCMCERT_ISSUER=$(openssl x509 -in $KCMCERT -text | grep "Issuer: CN"| tr -d " ") KCMCERT_MD5=$(openssl x509 -noout -modulus -in $KCMCERT | openssl md5| awk '{print $2}') KCMKEY_MD5=$(openssl rsa -noout -modulus -in $KCMKEY | openssl md5| awk '{print $2}') if [ $KCMCERT_SUBJECT == "Subject:CN=system:kube-controller-manager" ] && [ $KCMCERT_ISSUER == "Issuer:CN=KUBERNETES-CA" ] && [ $KCMCERT_MD5 == $KCMKEY_MD5 ] then - echo "kube-controller-manager cert and key are correct" + printf "${SUCCESS}kube-controller-manager cert and key are correct\n" else - echo "Exiting...Found mismtach in the kube-controller-manager certificate and keys, check subject" + printf "${FAILED}Exiting...Found mismtach in the kube-controller-manager certificate and keys, check subject\n" exit 1 fi else - echo "kube-controller-manager.crt / kube-controller-manager.key is missing" + printf "${FAILED}kube-controller-manager.crt / kube-controller-manager.key is missing\n" exit 1 fi } 
@@ -169,24 +174,24 @@ check_cert_kp() { if [ -z $KPCERT ] && [ -z $KPKEY ] then - echo "please specify cert and key location" + printf "${FAILED}please specify cert and key location\n" exit 1 elif [ -f $KPCERT ] && [ -f $KPKEY ] then - echo "kube-proxy cert and key found, verifying the authenticity" + printf "${NC}kube-proxy cert and key found, verifying the authenticity\n" KPCERT_SUBJECT=$(openssl x509 -in $KPCERT -text | grep "Subject: CN"| tr -d " ") KPCERT_ISSUER=$(openssl x509 -in $KPCERT -text | grep "Issuer: CN"| tr -d " ") KPCERT_MD5=$(openssl x509 -noout -modulus -in $KPCERT | openssl md5| awk '{print $2}') KPKEY_MD5=$(openssl rsa -noout -modulus -in $KPKEY | openssl md5| awk '{print $2}') if [ $KPCERT_SUBJECT == "Subject:CN=system:kube-proxy" ] && [ $KPCERT_ISSUER == "Issuer:CN=KUBERNETES-CA" ] && [ $KPCERT_MD5 == $KPKEY_MD5 ] then - echo "kube-proxy cert and key are correct" + printf "${SUCCESS}kube-proxy cert and key are correct\n" else - echo "Exiting...Found mismtach in the kube-proxy certificate and keys, check subject" + printf "${FAILED}Exiting...Found mismtach in the kube-proxy certificate and keys, check subject\n" exit 1 fi else - echo "kube-proxy.crt / kube-proxy.key is missing" + printf "${FAILED}kube-proxy.crt / kube-proxy.key is missing\n" exit 1 fi } 
@@ -195,24 +200,24 @@ check_cert_ks() { if [ -z $KSCERT ] && [ -z $KSKEY ] then - echo "please specify cert and key location" + printf "${FAILED}please specify cert and key location\n" exit 1 elif [ -f $KSCERT ] && [ -f $KSKEY ] then - echo "kube-scheduler cert and key found, verifying the authenticity" + printf "${NC}kube-scheduler cert and key found, verifying the authenticity\n" KSCERT_SUBJECT=$(openssl x509 -in $KSCERT -text | grep "Subject: CN"| tr -d " ") KSCERT_ISSUER=$(openssl x509 -in $KSCERT -text | grep "Issuer: CN"| tr -d " ") KSCERT_MD5=$(openssl x509 -noout -modulus -in $KSCERT | openssl md5| awk '{print $2}') KSKEY_MD5=$(openssl rsa -noout -modulus -in $KSKEY | openssl md5| awk '{print $2}') if [ $KSCERT_SUBJECT == "Subject:CN=system:kube-scheduler" ] && [ $KSCERT_ISSUER == "Issuer:CN=KUBERNETES-CA" ] && [ $KSCERT_MD5 == $KSKEY_MD5 ] then - echo "kube-scheduler cert and key are correct" + printf "${SUCCESS}kube-scheduler cert and key are correct\n" else - echo "Exiting...Found mismtach in the kube-scheduler certificate and keys, check subject" + printf "${FAILED}Exiting...Found mismtach in the kube-scheduler certificate and keys, check subject\n" exit 1 fi else - echo "kube-scheduler.crt / kube-scheduler.key is missing" + printf "${FAILED}kube-scheduler.crt / kube-scheduler.key is missing\n" exit 1 fi } 
@@ -221,24 +226,24 @@ check_cert_api() { if [ -z $APICERT ] && [ -z $APIKEY ] then - echo "please specify kube-api cert and key location, Exiting...." + printf "${FAILED}please specify kube-api cert and key location, Exiting....\n" exit 1 elif [ -f $APICERT ] && [ -f $APIKEY ] then - echo "kube-apiserver cert and key found, verifying the authenticity" + printf "${NC}kube-apiserver cert and key found, verifying the authenticity\n" APICERT_SUBJECT=$(openssl x509 -in $APICERT -text | grep "Subject: CN"| tr -d " ") APICERT_ISSUER=$(openssl x509 -in $APICERT -text | grep "Issuer: CN"| tr -d " ") APICERT_MD5=$(openssl x509 -noout -modulus -in $APICERT | openssl md5| awk '{print $2}') APIKEY_MD5=$(openssl rsa -noout -modulus -in $APIKEY | openssl md5| awk '{print $2}') if [ $APICERT_SUBJECT == "Subject:CN=kube-apiserver" ] && [ $APICERT_ISSUER == "Issuer:CN=KUBERNETES-CA" ] && [ $APICERT_MD5 == $APIKEY_MD5 ] then - echo "kube-apiserver cert and key are correct" + printf "${SUCCESS}kube-apiserver cert and key are correct\n" else - echo "Exiting...Found mismtach in the kube-apiserver certificate and keys, check subject" + printf "${FAILED}Exiting...Found mismtach in the kube-apiserver certificate and keys, check subject\n" exit 1 fi else - echo "kube-apiserver.crt / kube-apiserver.key is missing" + printf "${FAILED}kube-apiserver.crt / kube-apiserver.key is missing\n" exit 1 fi } 
@@ -247,24 +252,24 @@ check_cert_etcd() { if [ -z $ETCDCERT ] && [ -z $ETCDKEY ] then - echo "please specify ETCD cert and key location, Exiting...." + printf "${FAILED}please specify ETCD cert and key location, Exiting....\n" exit 1 elif [ -f $ETCDCERT ] && [ -f $ETCDKEY ] then - echo "ETCD cert and key found, verifying the authenticity" + printf "${NC}ETCD cert and key found, verifying the authenticity\n" ETCDCERT_SUBJECT=$(openssl x509 -in $ETCDCERT -text | grep "Subject: CN"| tr -d " ") ETCDCERT_ISSUER=$(openssl x509 -in $ETCDCERT -text | grep "Issuer: CN"| tr -d " ") ETCDCERT_MD5=$(openssl x509 -noout -modulus -in $ETCDCERT | openssl md5| awk '{print $2}') ETCDKEY_MD5=$(openssl rsa -noout -modulus -in $ETCDKEY | openssl md5| awk '{print $2}') if [ $ETCDCERT_SUBJECT == "Subject:CN=etcd-server" ] && [ $ETCDCERT_ISSUER == "Issuer:CN=KUBERNETES-CA" ] && [ $ETCDCERT_MD5 == $ETCDKEY_MD5 ] then - echo "etcd-server.crt / etcd-server.key are correct" + printf "${SUCCESS}etcd-server.crt / etcd-server.key are correct\n" else - echo "Exiting...Found mismtach in the ETCD certificate and keys, check subject" + printf "${FAILED}Exiting...Found mismtach in the ETCD certificate and keys, check subject\n" exit 1 fi else - echo "etcd-server.crt / etcd-server.key is missing" + printf "${FAILED}etcd-server.crt / etcd-server.key is missing\n" exit 1 fi } 
@@ -273,24 +278,24 @@ check_cert_sa() { if [ -z $SACERT ] && [ -z $SAKEY ] then - echo "please specify Service Account cert and key location, Exiting...." + printf "${FAILED}please specify Service Account cert and key location, Exiting....\n" exit 1 elif [ -f $SACERT ] && [ -f $SAKEY ] then - echo "service account cert and key found, verifying the authenticity" + printf "${NC}service account cert and key found, verifying the authenticity\n" SACERT_SUBJECT=$(openssl x509 -in $SACERT -text | grep "Subject: CN"| tr -d " ") SACERT_ISSUER=$(openssl x509 -in $SACERT -text | grep "Issuer: CN"| tr -d " ") SACERT_MD5=$(openssl x509 -noout -modulus -in $SACERT | openssl md5| awk '{print $2}') SAKEY_MD5=$(openssl rsa -noout -modulus -in $SAKEY | openssl md5| awk '{print $2}') if [ $SACERT_SUBJECT == "Subject:CN=service-accounts" ] && [ $SACERT_ISSUER == "Issuer:CN=KUBERNETES-CA" ] && [ $SACERT_MD5 == $SAKEY_MD5 ] then - echo "Service Account cert and key are correct" + printf "${SUCCESS}Service Account cert and key are correct\n" else - echo "Exiting...Found mismtach in the Service Account certificate and keys, check subject" + printf "${FAILED}Exiting...Found mismtach in the Service Account certificate and keys, check subject\n" exit 1 fi else - echo "service-account.crt / service-account.key is missing" + printf "${FAILED}service-account.crt / service-account.key is missing\n" exit 1 fi } 
@@ -300,11 +305,11 @@ check_cert_kpkubeconfig() { if [ -z $KPKUBECONFIG ] then - echo "please specify kube-proxy kubeconfig location" + printf "${FAILED}please specify kube-proxy kubeconfig location\n" exit 1 elif [ -f $KPKUBECONFIG ] then - echo "kube-proxy kubeconfig file found, verifying the authenticity" + printf "${NC}kube-proxy kubeconfig file found, verifying the authenticity\n" KPKUBECONFIG_SUBJECT=$(cat $KPKUBECONFIG | grep "client-certificate-data:" | awk '{print $2}' | base64 --decode | openssl x509 --text | grep "Subject: CN" | tr -d " ") KPKUBECONFIG_ISSUER=$(cat $KPKUBECONFIG | grep "client-certificate-data:" | awk '{print $2}' | base64 --decode | openssl x509 --text | grep "Issuer: CN" | tr -d " ") KPKUBECONFIG_CERT_MD5=$(cat $KPKUBECONFIG | grep "client-certificate-data:" | awk '{print $2}' | base64 --decode | openssl x509 -noout | openssl md5 | awk '{print $2}') @@ -312,13 +317,13 @@ check_cert_kpkubeconfig() KPKUBECONFIG_SERVER=$(cat $KPKUBECONFIG | grep "server:"| awk '{print $2}') if [ $KPKUBECONFIG_SUBJECT == "Subject:CN=system:kube-proxy" ] && [ $KPKUBECONFIG_ISSUER == "Issuer:CN=KUBERNETES-CA" ] && [ $KPKUBECONFIG_CERT_MD5 == $KPKUBECONFIG_KEY_MD5 ] && [ $KPKUBECONFIG_SERVER == "https://192.168.5.30:6443" ] then - echo "kube-proxy kubeconfig cert and key are correct" + printf "${SUCCESS}kube-proxy kubeconfig cert and key are correct\n" else - echo "Exiting...Found mismtach in the kube-proxy kubeconfig certificate and keys, check subject" + printf "${FAILED}Exiting...Found mismtach in the kube-proxy kubeconfig certificate and keys, check subject\n" exit 1 fi else - echo "kube-proxy kubeconfig file is missing" + printf "${FAILED}kube-proxy kubeconfig file is missing\n" exit 1 fi } 
@@ -328,11 +333,11 @@ check_cert_kcmkubeconfig() KCMKUBECONFIG=/var/lib/kubernetes/kube-controller-manager.kubeconfig if [ -z $KCMKUBECONFIG ] then - echo "please specify kube-controller-manager kubeconfig location" + printf "${FAILED}please specify kube-controller-manager kubeconfig location\n" exit 1 elif [ -f $KCMKUBECONFIG ] then - echo "kube-controller-manager kubeconfig file found, verifying the authenticity" + printf "${NC}kube-controller-manager kubeconfig file found, verifying the authenticity\n" KCMKUBECONFIG_SUBJECT=$(cat $KCMKUBECONFIG | grep "client-certificate-data:" | awk '{print $2}' | base64 --decode | openssl x509 --text | grep "Subject: CN" | tr -d " ") KCMKUBECONFIG_ISSUER=$(cat $KCMKUBECONFIG | grep "client-certificate-data:" | awk '{print $2}' | base64 --decode | openssl x509 --text | grep "Issuer: CN" | tr -d " ") KCMKUBECONFIG_CERT_MD5=$(cat $KCMKUBECONFIG | grep "client-certificate-data:" | awk '{print $2}' | base64 --decode | openssl x509 -noout | openssl md5 | awk '{print $2}') @@ -340,13 +345,13 @@ check_cert_kcmkubeconfig() KCMKUBECONFIG_SERVER=$(cat $KCMKUBECONFIG | grep "server:"| awk '{print $2}') if [ $KCMKUBECONFIG_SUBJECT == "Subject:CN=system:kube-controller-manager" ] && [ $KCMKUBECONFIG_ISSUER == "Issuer:CN=KUBERNETES-CA" ] && [ $KCMKUBECONFIG_CERT_MD5 == $KCMKUBECONFIG_KEY_MD5 ] && [ $KCMKUBECONFIG_SERVER == "https://127.0.0.1:6443" ] then - echo "kube-controller-manager kubeconfig cert and key are correct" + printf "${SUCCESS}kube-controller-manager kubeconfig cert and key are correct\n" else - echo "Exiting...Found mismtach in the kube-controller-manager kubeconfig certificate and keys, check subject" + printf "${FAILED}Exiting...Found mismtach in the kube-controller-manager kubeconfig certificate and keys, check subject\n" exit 1 fi else - echo "kube-controller-manager kubeconfig file is missing" + printf "${FAILED}kube-controller-manager kubeconfig file is missing\n" exit 1 fi } 
@@ -357,11 +362,11 @@ check_cert_kskubeconfig() KSKUBECONFIG=/var/lib/kubernetes/kube-scheduler.kubeconfig if [ -z $KSKUBECONFIG ] then - echo "please specify kube-scheduler kubeconfig location" + printf "${FAILED}please specify kube-scheduler kubeconfig location\n" exit 1 elif [ -f $KSKUBECONFIG ] then - echo "kube-scheduler kubeconfig file found, verifying the authenticity" + printf "${NC}kube-scheduler kubeconfig file found, verifying the authenticity\n" KSKUBECONFIG_SUBJECT=$(cat $KSKUBECONFIG | grep "client-certificate-data:" | awk '{print $2}' | base64 --decode | openssl x509 --text | grep "Subject: CN" | tr -d " ") KSKUBECONFIG_ISSUER=$(cat $KSKUBECONFIG | grep "client-certificate-data:" | awk '{print $2}' | base64 --decode | openssl x509 --text | grep "Issuer: CN" | tr -d " ") KSKUBECONFIG_CERT_MD5=$(cat $KSKUBECONFIG | grep "client-certificate-data:" | awk '{print $2}' | base64 --decode | openssl x509 -noout | openssl md5 | awk '{print $2}') @@ -369,13 +374,13 @@ check_cert_kskubeconfig() KSKUBECONFIG_SERVER=$(cat $KSKUBECONFIG | grep "server:"| awk '{print $2}') if [ $KSKUBECONFIG_SUBJECT == "Subject:CN=system:kube-scheduler" ] && [ $KSKUBECONFIG_ISSUER == "Issuer:CN=KUBERNETES-CA" ] && [ $KSKUBECONFIG_CERT_MD5 == $KSKUBECONFIG_KEY_MD5 ] && [ $KSKUBECONFIG_SERVER == "https://127.0.0.1:6443" ] then - echo "kube-scheduler kubeconfig cert and key are correct" + printf "${SUCCESS}kube-scheduler kubeconfig cert and key are correct\n" else - echo "Exiting...Found mismtach in the kube-scheduler kubeconfig certificate and keys, check subject" + printf "${FAILED}Exiting...Found mismtach in the kube-scheduler kubeconfig certificate and keys, check subject\n" exit 1 fi else - echo "kube-scheduler kubeconfig file is missing" + printf "${FAILED}kube-scheduler kubeconfig file is missing\n" exit 1 fi } 
@@ -384,11 +389,11 @@ check_cert_adminkubeconfig() { if [ -z $ADMINKUBECONFIG ] then - echo "please specify admin kubeconfig location" + printf "${FAILED}please specify admin kubeconfig location\n" exit 1 elif [ -f $ADMINKUBECONFIG ] then - echo "admin kubeconfig file found, verifying the authenticity" + printf "${NC}admin kubeconfig file found, verifying the authenticity\n" ADMINKUBECONFIG_SUBJECT=$(cat $ADMINKUBECONFIG | grep "client-certificate-data:" | awk '{print $2}' | base64 --decode | openssl x509 --text | grep "Subject: CN" | tr -d " ") ADMINKUBECONFIG_ISSUER=$(cat $ADMINKUBECONFIG | grep "client-certificate-data:" | awk '{print $2}' | base64 --decode | openssl x509 --text | grep "Issuer: CN" | tr -d " ") ADMINKUBECONFIG_CERT_MD5=$(cat $ADMINKUBECONFIG | grep "client-certificate-data:" | awk '{print $2}' | base64 --decode | openssl x509 -noout | openssl md5 | awk '{print $2}') @@ -396,13 +401,13 @@ check_cert_adminkubeconfig() ADMINKUBECONFIG_SERVER=$(cat $ADMINKUBECONFIG | grep "server:"| awk '{print $2}') if [ $ADMINKUBECONFIG_SUBJECT == "Subject:CN=admin,O=system:masters" ] && [ $ADMINKUBECONFIG_ISSUER == "Issuer:CN=KUBERNETES-CA" ] && [ $ADMINKUBECONFIG_CERT_MD5 == $ADMINKUBECONFIG_KEY_MD5 ] && [ $ADMINKUBECONFIG_SERVER == "https://127.0.0.1:6443" ] then - echo "admin kubeconfig cert and key are correct" + printf "${SUCCESS}admin kubeconfig cert and key are correct\n" else - echo "Exiting...Found mismtach in the admin kubeconfig certificate and keys, check subject" + printf "${FAILED}Exiting...Found mismtach in the admin kubeconfig certificate and keys, check subject\n" exit 1 fi else - echo "admin kubeconfig file is missing" + printf "${FAILED}admin kubeconfig file is missing\n" exit 1 fi } 
@@ -411,11 +416,11 @@ check_systemd_etcd() { if [ -z $ETCDCERT ] && [ -z $ETCDKEY ] then - echo "please specify ETCD cert and key location, Exiting...." + printf "${FAILED}please specify ETCD cert and key location, Exiting....\n" exit 1 elif [ -f $SYSTEMD_ETCD_FILE ] then - echo "Systemd for ETCD service found, verifying the authenticity" + printf "${NC}Systemd for ETCD service found, verifying the authenticity\n" # Systemd cert and key file details ETCD_CA_CERT=ca.crt 
@@ -440,23 +445,23 @@ check_systemd_etcd() if [ $CERT_FILE == $ETCDCERT ] && [ $KEY_FILE == $ETCDKEY ] && [ $PEER_CERT_FILE == $ETCDCERT ] && [ $PEER_KEY_FILE == $ETCDKEY ] && \ [ $TRUSTED_CA_FILE == $ETCD_CA_CERT ] && [ $PEER_TRUSTED_CA_FILE = $ETCD_CA_CERT ] then - echo "ETCD certificate, ca and key files are correct under systemd service" + printf "${SUCCESS}ETCD certificate, ca and key files are correct under systemd service\n" else - echo "Exiting...Found mismtach in the ETCD certificate, ca and keys, check /etc/systemd/system/etcd.service file" + printf "${FAILED}Exiting...Found mismtach in the ETCD certificate, ca and keys, check /etc/systemd/system/etcd.service file\n" exit 1 fi if [ $IAP_URL == "https://$INTERNAL_IP:2380" ] && [ $LP_URL == "https://$INTERNAL_IP:2380" ] && [ $LC_URL == "https://$INTERNAL_IP:2379,https://127.0.0.1:2379" ] && \ [ $AC_URL == "https://$INTERNAL_IP:2379" ] then - echo "ETCD initial-advertise-peer-urls, listen-peer-urls, listen-client-urls, advertise-client-urls are correct" + printf "${SUCCESS}ETCD initial-advertise-peer-urls, listen-peer-urls, listen-client-urls, advertise-client-urls are correct\n" else - echo "Exiting...Found mismtach in the ETCD initial-advertise-peer-urls / listen-peer-urls / listen-client-urls / advertise-client-urls, check /etc/systemd/system/etcd.service file" + printf "${FAILED}Exiting...Found mismtach in the ETCD initial-advertise-peer-urls / listen-peer-urls / listen-client-urls / advertise-client-urls, check /etc/systemd/system/etcd.service file\n" exit 1 fi else - echo "etcd-server.crt / etcd-server.key is missing" + printf "${FAILED}etcd-server.crt / etcd-server.key is missing\n" exit 1 fi } 
@@ -465,11 +470,11 @@ check_systemd_api() { if [ -z $APICERT ] && [ -z $APIKEY ] then - echo "please specify kube-api cert and key location, Exiting...." + printf "${FAILED}please specify kube-api cert and key location, Exiting....\n" exit 1 elif [ -f $SYSTEMD_API_FILE ] then - echo "Systemd for kube-api service found, verifying the authenticity" + printf "${NC}Systemd for kube-api service found, verifying the authenticity\n" INTERNAL_IP=$(ip addr show enp0s8 | grep "inet " | awk '{print $2}' | cut -d / -f 1) ADVERTISE_ADDRESS=$(systemctl cat kube-apiserver.service | grep "\--advertise-address" | awk '{print $1}' | cut -d "=" -f2) 
@@ -493,13 +498,13 @@ check_systemd_api() [ $KUBELET_CERTIFICATE_AUTHORITY == $CACERT ] && [ $KUBELET_CLIENT_CERTIFICATE == $APICERT ] && [ $KUBELET_CLIENT_KEY == $APIKEY ] && \ [ $SERVICE_ACCOUNT_KEY_FILE == $SACERT ] && [ $TLS_CERT_FILE == $APICERT ] && [ $TLS_PRIVATE_KEY_FILE == $APIKEY ] then - echo "kube-apiserver advertise-address/ client-ca-file/ etcd-cafile/ etcd-certfile/ etcd-keyfile/ kubelet-certificate-authority/ kubelet-client-certificate/ kubelet-client-key/ service-account-key-file/ tls-cert-file/ tls-private-key-file are correct" + printf "${SUCCESS}kube-apiserver advertise-address/ client-ca-file/ etcd-cafile/ etcd-certfile/ etcd-keyfile/ kubelet-certificate-authority/ kubelet-client-certificate/ kubelet-client-key/ service-account-key-file/ tls-cert-file/ tls-private-key-file are correct\n" else - echo "Exiting...Found mismtach in the kube-apiserver systemd file, check advertise-address/ client-ca-file/ etcd-cafile/ etcd-certfile/ etcd-keyfile/ kubelet-certificate-authority/ kubelet-client-certificate/ kubelet-client-key/ service-account-key-file/ tls-cert-file/ tls-private-key-file under /etc/systemd/system/kube-apiserver.service" + printf "${FAILED}Exiting...Found mismtach in the kube-apiserver systemd file, check advertise-address/ client-ca-file/ etcd-cafile/ etcd-certfile/ etcd-keyfile/ kubelet-certificate-authority/ kubelet-client-certificate/ kubelet-client-key/ service-account-key-file/ tls-cert-file/ tls-private-key-file under /etc/systemd/system/kube-apiserver.service\n" exit 1 fi else - echo "kube-apiserver.crt / kube-apiserver.key is missing" + printf "${FAILED}kube-apiserver.crt / kube-apiserver.key is missing\n" exit 1 fi } 
@@ -514,11 +519,11 @@ check_systemd_kcm() KCMKUBECONFIG=/var/lib/kubernetes/kube-controller-manager.kubeconfig if [ -z $KCMCERT ] && [ -z $KCMKEY ] then - echo "please specify cert and key location" + printf "${FAILED}please specify cert and key location\n" exit 1 elif [ -f $SYSTEMD_KCM_FILE ] then - echo "Systemd for kube-controller-manager service found, verifying the authenticity" + printf "${NC}Systemd for kube-controller-manager service found, verifying the authenticity\n" CLUSTER_SIGNING_CERT_FILE=$(systemctl cat kube-controller-manager.service | grep "\--cluster-signing-cert-file" | awk '{print $1}' | cut -d "=" -f2) CLUSTER_SIGNING_KEY_FILE=$(systemctl cat kube-controller-manager.service | grep "\--cluster-signing-key-file" | awk '{print $1}' | cut -d "=" -f2) KUBECONFIG=$(systemctl cat kube-controller-manager.service | grep "\--kubeconfig" | awk '{print $1}' | cut -d "=" -f2) 
@@ -528,13 +533,13 @@ check_systemd_kcm() if [ $CLUSTER_SIGNING_CERT_FILE == $CACERT ] && [ $CLUSTER_SIGNING_KEY_FILE == $CAKEY ] && [ $KUBECONFIG == $KCMKUBECONFIG ] && \ [ $ROOT_CA_FILE == $CACERT ] && [ $SERVICE_ACCOUNT_PRIVATE_KEY_FILE == $SAKEY ] then - echo "kube-controller-manager cluster-signing-cert-file, cluster-signing-key-file, kubeconfig, root-ca-file, service-account-private-key-file are correct" + printf "${SUCCESS}kube-controller-manager cluster-signing-cert-file, cluster-signing-key-file, kubeconfig, root-ca-file, service-account-private-key-file are correct\n" else - echo "Exiting...Found mismtach in the kube-controller-manager cluster-signing-cert-file, cluster-signing-key-file, kubeconfig, root-ca-file, service-account-private-key-file , check /etc/systemd/system/kube-controller-manager.service file" + printf "${FAILED}Exiting...Found mismtach in the kube-controller-manager cluster-signing-cert-file, cluster-signing-key-file, kubeconfig, root-ca-file, service-account-private-key-file , check /etc/systemd/system/kube-controller-manager.service file\n" exit 1 fi else - echo "kube-controller-manager.crt / kube-controller-manager.key is missing" + printf "${FAILED}kube-controller-manager.crt / kube-controller-manager.key is missing\n" exit 1 fi } 
@@ -547,24 +552,24 @@ check_systemd_ks() if [ -z $KSCERT ] && [ -z $KSKEY ] then - echo "please specify cert and key location" + printf "${FAILED}please specify cert and key location\n" exit 1 elif [ -f $SYSTEMD_KS_FILE ] then - echo "Systemd for kube-scheduler service found, verifying the authenticity" + printf "${NC}Systemd for kube-scheduler service found, verifying the authenticity\n" KUBECONFIG=$(systemctl cat kube-scheduler.service | grep "\--kubeconfig"| awk '{print $1}'| cut -d "=" -f2) ADDRESS=$(systemctl cat kube-scheduler.service | grep "\--address"| awk '{print $1}'| cut -d "=" -f2) if [ $KUBECONFIG == $KSKUBECONFIG ] && [ $ADDRESS == "127.0.0.1" ] then - echo "kube-scheduler --kubeconfig, --address are correct" + printf "${SUCCESS}kube-scheduler --kubeconfig, --address are correct\n" else - echo "Exiting...Found mismtach in the kube-scheduler --kubeconfig, --address, check /etc/systemd/system/kube-scheduler.service file" + printf "${FAILED}Exiting...Found mismtach in the kube-scheduler --kubeconfig, --address, check /etc/systemd/system/kube-scheduler.service file\n" exit 1 fi else - echo "kube-scheduler.crt / kube-scheduler.key is missing" + printf "${FAILED}kube-scheduler.crt / kube-scheduler.key is missing\n" exit 1 fi } 
@@ -577,24 +582,24 @@ check_cert_worker_1() { if [ -z $WORKER_1_CERT ] && [ -z $WORKER_1_KEY ] then - echo "please specify cert and key location of worker-1 node" + printf "${FAILED}please specify cert and key location of worker-1 node\n" exit 1 elif [ -f $WORKER_1_CERT ] && [ -f $WORKER_1_KEY ] then - echo "worker-1 cert and key found, verifying the authenticity" + printf "${NC}worker-1 cert and key found, verifying the authenticity\n" WORKER_1_CERT_SUBJECT=$(openssl x509 -in $WORKER_1_CERT -text | grep "Subject: CN"| tr -d " ") WORKER_1_CERT_ISSUER=$(openssl x509 -in $WORKER_1_CERT -text | grep "Issuer: CN"| tr -d " ") WORKER_1_CERT_MD5=$(openssl x509 -noout -modulus -in $WORKER_1_CERT | openssl md5| awk '{print $2}') WORKER_1_KEY_MD5=$(openssl rsa -noout -modulus -in $WORKER_1_KEY | openssl md5| awk '{print $2}') if [ $WORKER_1_CERT_SUBJECT == "Subject:CN=system:node:worker-1,O=system:nodes" ] && [ $WORKER_1_CERT_ISSUER == "Issuer:CN=KUBERNETES-CA" ] && [ $WORKER_1_CERT_MD5 == $WORKER_1_KEY_MD5 ] then - echo "worker-1 cert and key are correct" + printf "${SUCCESS}worker-1 cert and key are correct\n" else - echo "Exiting...Found mismtach in the worker-1 certificate and keys, check subject" + printf "${FAILED}Exiting...Found mismtach in the worker-1 certificate and keys, check subject\n" exit 1 fi else - echo "/var/lib/kubelet/worker-1.crt / /var/lib/kubelet/worker-1.key is missing" + printf "${FAILED}/var/lib/kubelet/worker-1.crt / /var/lib/kubelet/worker-1.key is missing\n" exit 1 fi } 
@@ -603,11 +608,11 @@ check_cert_worker_1_kubeconfig() { if [ -z $WORKER_1_KUBECONFIG ] then - echo "please specify worker-1 kubeconfig location" + printf "${FAILED}please specify worker-1 kubeconfig location\n" exit 1 elif [ -f $WORKER_1_KUBECONFIG ] then - echo "worker-1 kubeconfig file found, verifying the authenticity" + printf "${NC}worker-1 kubeconfig file found, verifying the authenticity\n" WORKER_1_KUBECONFIG_SUBJECT=$(cat $WORKER_1_KUBECONFIG | grep "client-certificate-data:" | awk '{print $2}' | base64 --decode | openssl x509 --text | grep "Subject: CN" | tr -d " ") WORKER_1_KUBECONFIG_ISSUER=$(cat $WORKER_1_KUBECONFIG | grep "client-certificate-data:" | awk '{print $2}' | base64 --decode | openssl x509 --text | grep "Issuer: CN" | tr -d " ") WORKER_1_KUBECONFIG_CERT_MD5=$(cat $WORKER_1_KUBECONFIG | grep "client-certificate-data:" | awk '{print $2}' | base64 --decode | openssl x509 -noout | openssl md5 | awk '{print $2}') @@ -616,13 +621,13 @@ check_cert_worker_1_kubeconfig() if [ $WORKER_1_KUBECONFIG_SUBJECT == "Subject:CN=system:node:worker-1,O=system:nodes" ] && [ $WORKER_1_KUBECONFIG_ISSUER == "Issuer:CN=KUBERNETES-CA" ] && \ [ $WORKER_1_KUBECONFIG_CERT_MD5 == $WORKER_1_KUBECONFIG_KEY_MD5 ] && [ $WORKER_1_KUBECONFIG_SERVER == "https://192.168.5.30:6443" ] then - echo "worker-1 kubeconfig cert and key are correct" + printf "${SUCCESS}worker-1 kubeconfig cert and key are correct\n" else - echo "Exiting...Found mismtach in the worker-1 kubeconfig certificate and keys, check subject" + printf "${FAILED}Exiting...Found mismtach in the worker-1 kubeconfig certificate and keys, check subject\n" exit 1 fi else - echo "worker-1 /var/lib/kubelet/kubeconfig file is missing" + printf "${FAILED}worker-1 /var/lib/kubelet/kubeconfig file is missing\n" exit 1 fi } 
@@ -636,11 +641,11 @@ check_cert_worker_1_kubelet() if [ -z $WORKER_1_KUBELET ] && [ -z $SYSTEMD_WORKER_1_KUBELET ] then - echo "please specify worker-1 kubelet config location" + printf "${FAILED}please specify worker-1 kubelet config location\n" exit 1 elif [ -f $WORKER_1_KUBELET ] && [ -f $SYSTEMD_WORKER_1_KUBELET ] && [ -f $WORKER_1_TLSCERTFILE ] && [ -f $WORKER_1_TLSPRIVATEKEY ] then - echo "worker-1 kubelet config file, systemd services, tls cert and key found, verifying the authenticity" + printf "${NC}worker-1 kubelet config file, systemd services, tls cert and key found, verifying the authenticity\n" WORKER_1_KUBELET_CA=$(cat $WORKER_1_KUBELET | grep "clientCAFile:" | awk '{print $2}' | tr -d " \"") WORKER_1_KUBELET_DNS=$(cat $WORKER_1_KUBELET | grep "resolvConf:" | awk '{print $2}' | tr -d " \"") @@ -649,9 +654,9 @@ check_cert_worker_1_kubelet() if [ $WORKER_1_KUBELET_CA == $CACERT ] && [ $WORKER_1_KUBELET_DNS == "/run/systemd/resolve/resolv.conf" ] && \ [ $WORKER_1_KUBELET_AUTH_MODE == "Webhook" ] then - echo "worker-1 kubelet config CA cert, resolvConf and Auth mode are correct" + printf "${SUCCESS}worker-1 kubelet config CA cert, resolvConf and Auth mode are correct\n" else - echo "Exiting...Found mismtach in the worker-1 kubelet config CA cert, resolvConf and Auth mode, check /var/lib/kubelet/kubelet-config.yaml" + printf "${FAILED}Exiting...Found mismtach in the worker-1 kubelet config CA cert, resolvConf and Auth mode, check /var/lib/kubelet/kubelet-config.yaml\n" exit 1 fi 
@@ -662,14 +667,14 @@ check_cert_worker_1_kubelet() if [ $KUBELETCONFIG == $WORKER_1_KUBELET ] && [ $TLSCERTFILE == $WORKER_1_TLSCERTFILE ] && \ [ $TLSPRIVATEKEY == $WORKER_1_TLSPRIVATEKEY ] then - echo "worker-1 kubelet systemd services are correct" + printf "${SUCCESS}worker-1 kubelet systemd services are correct\n" else - echo "Exiting...Found mismtach in the worker-1 kubelet systemd services, check /etc/systemd/system/kubelet.service" + printf "${FAILED}Exiting...Found mismtach in the worker-1 kubelet systemd services, check /etc/systemd/system/kubelet.service\n" exit 1 fi else - echo "worker-1 kubelet config, systemd services, tls cert and key file is missing" + printf "${FAILED}worker-1 kubelet config, systemd services, tls cert and key file is missing\n" exit 1 fi } 
@@ -681,25 +686,25 @@ check_cert_worker_1_kp()
 if [ -z $WORKER_1_KP_KUBECONFIG ] && [ -z $SYSTEMD_WORKER_1_KP ]
 then
- echo "please specify worker-1 kube-proxy config and systemd service path"
+ printf "${FAILED}please specify worker-1 kube-proxy config and systemd service path\n"
 exit 1
 elif [ -f $WORKER_1_KP_KUBECONFIG ] && [ -f $SYSTEMD_WORKER_1_KP ] && [ -f $WORKER_1_KP_CONFIG_YAML ]
 then
- echo "worker-1 kube-proxy kubeconfig, systemd services and configuration files found, verifying the authenticity"
+ printf "${NC}worker-1 kube-proxy kubeconfig, systemd services and configuration files found, verifying the authenticity\n"
 KP_CONFIG=$(cat $WORKER_1_KP_CONFIG_YAML | grep "kubeconfig:" | awk '{print $2}' | tr -d " \"")
 KP_CONFIG_YAML=$(systemctl cat kube-proxy.service | grep "\--config" | awk '{print $1}'| cut -d "=" -f2)
 if [ $KP_CONFIG == $WORKER_1_KP_KUBECONFIG ] && [ $KP_CONFIG_YAML == $WORKER_1_KP_CONFIG_YAML ]
 then
- echo "worker-1 kube-proxy kubeconfig and configuration files are correct"
+ printf "${SUCCESS}worker-1 kube-proxy kubeconfig and configuration files are correct\n"
 else
- echo "Exiting...Found mismtach in the worker-1 kube-proxy kubeconfig and configuration files, check /var/lib/kubelet/kubelet-config.yaml & /etc/systemd/system/kube-proxy.service"
+ printf "${FAILED}Exiting...Found mismtach in the worker-1 kube-proxy kubeconfig and configuration files, check /var/lib/kubelet/kubelet-config.yaml & /etc/systemd/system/kube-proxy.service\n"
 exit 1
 fi
 else
- echo "worker-1 kube-proxy kubeconfig and configuration files are missing"
+ printf "${FAILED}worker-1 kube-proxy kubeconfig and configuration files are missing\n"
 exit 1
 fi
 }
@@ -763,7 +768,7 @@ case $value in
 ;;
 *)
- echo -e "Exiting.... Please select the valid option either 1 or 2\n"
+ printf "${FAILED}Exiting.... Please select the valid option either 1 or 2\n"
 exit 1
 ;;
 esac
\ No newline at end of file
From 337932989ad63717a06c9db54d4a7c3244699ae8 Mon Sep 17 00:00:00 2001
From: Sujith Abdul Rahim
Date: Thu, 7 May 2020 13:10:50 +0530
Subject: [PATCH 22/25] master cert validation with github links
---
 vagrant/ubuntu/cert_verify.sh | 66 +++++++++++++++++------------------
 1 file changed, 33 insertions(+), 33 deletions(-)
diff --git a/vagrant/ubuntu/cert_verify.sh b/vagrant/ubuntu/cert_verify.sh
index 74a3f2c..fce3f26 100755
--- a/vagrant/ubuntu/cert_verify.sh
+++ b/vagrant/ubuntu/cert_verify.sh
@@ -108,11 +108,11 @@ check_cert_ca()
 then
 printf "${SUCCESS}CA cert and key are correct\n"
 else
- printf "${FAILED}Exiting...Found mismtach in the CA certificate and keys, check subject\n"
+ printf "${FAILED}Exiting...Found mismtach in the CA certificate and keys, More details: https://github.com/mmumshad/kubernetes-the-hard-way/blob/master/docs/04-certificate-authority.md#certificate-authority\n"
 exit 1
 fi
 else
- printf "${FAILED}ca.crt / ca.key is missing\n"
+ printf "${FAILED}ca.crt / ca.key is missing. More details: https://github.com/mmumshad/kubernetes-the-hard-way/blob/master/docs/04-certificate-authority.md#certificate-authority\n"
 exit 1
 fi
 }
@@ -135,11 +135,11 @@ check_cert_admin()
 then
 printf "${SUCCESS}admin cert and key are correct\n"
 else
- printf "${FAILED}Exiting...Found mismtach in the admin certificate and keys, check subject\n"
+ printf "${FAILED}Exiting...Found mismtach in the admin certificate and keys, More details: https://github.com/mmumshad/kubernetes-the-hard-way/blob/master/docs/04-certificate-authority.md#the-admin-client-certificate\n"
 exit 1
 fi
 else
- printf "${FAILED}admin.crt / admin.key is missing\n"
+ printf "${FAILED}admin.crt / admin.key is missing. More details: https://github.com/mmumshad/kubernetes-the-hard-way/blob/master/docs/04-certificate-authority.md#the-admin-client-certificate\n"
 exit 1
 fi
 }
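Review bot: The rewritten failure message in check_cert_ca keeps the typo `mismtach` and joins the clause to the link with a comma (`...CA certificate and keys, More details: ...`), while the sibling `is missing.` message uses a full stop; since each of these lines is being rewritten anyway, this is the moment to fix spelling and punctuation, e.g. `Found mismatch in the CA certificate and keys. More details: ...`. The same wording appears in every other hunk of this commit (check_cert_admin through check_systemd_ks) and in the worker-1 commit that follows. The links point at `blob/master/`, so the section anchors can drift as the docs are edited; pinning them to a tag or commit would keep the hints stable. The enclosing functions start before each hunk.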
@@ -161,11 +161,11 @@ check_cert_kcm()
 then
 printf "${SUCCESS}kube-controller-manager cert and key are correct\n"
 else
- printf "${FAILED}Exiting...Found mismtach in the kube-controller-manager certificate and keys, check subject\n"
+ printf "${FAILED}Exiting...Found mismtach in the kube-controller-manager certificate and keys, More details: https://github.com/mmumshad/kubernetes-the-hard-way/blob/master/docs/04-certificate-authority.md#the-controller-manager-client-certificate\n"
 exit 1
 fi
 else
- printf "${FAILED}kube-controller-manager.crt / kube-controller-manager.key is missing\n"
+ printf "${FAILED}kube-controller-manager.crt / kube-controller-manager.key is missing. More details: https://github.com/mmumshad/kubernetes-the-hard-way/blob/master/docs/04-certificate-authority.md#the-controller-manager-client-certificate\n"
 exit 1
 fi
 }
@@ -187,11 +187,11 @@ check_cert_kp()
 then
 printf "${SUCCESS}kube-proxy cert and key are correct\n"
 else
- printf "${FAILED}Exiting...Found mismtach in the kube-proxy certificate and keys, check subject\n"
+ printf "${FAILED}Exiting...Found mismtach in the kube-proxy certificate and keys, More details: https://github.com/mmumshad/kubernetes-the-hard-way/blob/master/docs/04-certificate-authority.md#the-kube-proxy-client-certificate\n"
 exit 1
 fi
 else
- printf "${FAILED}kube-proxy.crt / kube-proxy.key is missing\n"
+ printf "${FAILED}kube-proxy.crt / kube-proxy.key is missing. More details: https://github.com/mmumshad/kubernetes-the-hard-way/blob/master/docs/04-certificate-authority.md#the-kube-proxy-client-certificate\n"
 exit 1
 fi
 }
@@ -213,11 +213,11 @@ check_cert_ks()
 then
 printf "${SUCCESS}kube-scheduler cert and key are correct\n"
 else
- printf "${FAILED}Exiting...Found mismtach in the kube-scheduler certificate and keys, check subject\n"
+ printf "${FAILED}Exiting...Found mismtach in the kube-scheduler certificate and keys, More details: https://github.com/mmumshad/kubernetes-the-hard-way/blob/master/docs/04-certificate-authority.md#the-scheduler-client-certificate\n"
 exit 1
 fi
 else
- printf "${FAILED}kube-scheduler.crt / kube-scheduler.key is missing\n"
+ printf "${FAILED}kube-scheduler.crt / kube-scheduler.key is missing. More details: https://github.com/mmumshad/kubernetes-the-hard-way/blob/master/docs/04-certificate-authority.md#the-scheduler-client-certificate\n"
 exit 1
 fi
 }
@@ -239,11 +239,11 @@ check_cert_api()
 then
 printf "${SUCCESS}kube-apiserver cert and key are correct\n"
 else
- printf "${FAILED}Exiting...Found mismtach in the kube-apiserver certificate and keys, check subject\n"
+ printf "${FAILED}Exiting...Found mismtach in the kube-apiserver certificate and keys, More details: https://github.com/mmumshad/kubernetes-the-hard-way/blob/master/docs/04-certificate-authority.md#the-kubernetes-api-server-certificate\n"
 exit 1
 fi
 else
- printf "${FAILED}kube-apiserver.crt / kube-apiserver.key is missing\n"
+ printf "${FAILED}kube-apiserver.crt / kube-apiserver.key is missing. More details: https://github.com/mmumshad/kubernetes-the-hard-way/blob/master/docs/04-certificate-authority.md#the-kubernetes-api-server-certificate\n"
 exit 1
 fi
 }
@@ -265,11 +265,11 @@ check_cert_etcd()
 then
 printf "${SUCCESS}etcd-server.crt / etcd-server.key are correct\n"
 else
- printf "${FAILED}Exiting...Found mismtach in the ETCD certificate and keys, check subject\n"
+ printf "${FAILED}Exiting...Found mismtach in the ETCD certificate and keys, More details: https://github.com/mmumshad/kubernetes-the-hard-way/blob/master/docs/04-certificate-authority.md#the-etcd-server-certificate\n"
 exit 1
 fi
 else
- printf "${FAILED}etcd-server.crt / etcd-server.key is missing\n"
+ printf "${FAILED}etcd-server.crt / etcd-server.key is missing. More details: https://github.com/mmumshad/kubernetes-the-hard-way/blob/master/docs/04-certificate-authority.md#the-etcd-server-certificate\n"
 exit 1
 fi
 }
@@ -291,11 +291,11 @@ check_cert_sa()
 then
 printf "${SUCCESS}Service Account cert and key are correct\n"
 else
- printf "${FAILED}Exiting...Found mismtach in the Service Account certificate and keys, check subject\n"
+ printf "${FAILED}Exiting...Found mismtach in the Service Account certificate and keys, More details: https://github.com/mmumshad/kubernetes-the-hard-way/blob/master/docs/04-certificate-authority.md#the-service-account-key-pair\n"
 exit 1
 fi
 else
- printf "${FAILED}service-account.crt / service-account.key is missing\n"
+ printf "${FAILED}service-account.crt / service-account.key is missing. More details: https://github.com/mmumshad/kubernetes-the-hard-way/blob/master/docs/04-certificate-authority.md#the-service-account-key-pair\n"
 exit 1
 fi
 }
@@ -319,11 +319,11 @@ check_cert_kpkubeconfig()
 then
 printf "${SUCCESS}kube-proxy kubeconfig cert and key are correct\n"
 else
- printf "${FAILED}Exiting...Found mismtach in the kube-proxy kubeconfig certificate and keys, check subject\n"
+ printf "${FAILED}Exiting...Found mismtach in the kube-proxy kubeconfig certificate and keys, More details: https://github.com/mmumshad/kubernetes-the-hard-way/blob/master/docs/05-kubernetes-configuration-files.md#the-kube-proxy-kubernetes-configuration-file\n"
 exit 1
 fi
 else
- printf "${FAILED}kube-proxy kubeconfig file is missing\n"
+ printf "${FAILED}kube-proxy kubeconfig file is missing. More details: https://github.com/mmumshad/kubernetes-the-hard-way/blob/master/docs/05-kubernetes-configuration-files.md#the-kube-proxy-kubernetes-configuration-file\n"
 exit 1
 fi
 }
@@ -347,11 +347,11 @@ check_cert_kcmkubeconfig()
 then
 printf "${SUCCESS}kube-controller-manager kubeconfig cert and key are correct\n"
 else
- printf "${FAILED}Exiting...Found mismtach in the kube-controller-manager kubeconfig certificate and keys, check subject\n"
+ printf "${FAILED}Exiting...Found mismtach in the kube-controller-manager kubeconfig certificate and keys, More details: https://github.com/mmumshad/kubernetes-the-hard-way/blob/master/docs/05-kubernetes-configuration-files.md#the-kube-controller-manager-kubernetes-configuration-file\n"
 exit 1
 fi
 else
- printf "${FAILED}kube-controller-manager kubeconfig file is missing\n"
+ printf "${FAILED}kube-controller-manager kubeconfig file is missing. More details: https://github.com/mmumshad/kubernetes-the-hard-way/blob/master/docs/05-kubernetes-configuration-files.md#the-kube-controller-manager-kubernetes-configuration-file\n"
 exit 1
 fi
 }
@@ -376,11 +376,11 @@ check_cert_kskubeconfig()
 then
 printf "${SUCCESS}kube-scheduler kubeconfig cert and key are correct\n"
 else
- printf "${FAILED}Exiting...Found mismtach in the kube-scheduler kubeconfig certificate and keys, check subject\n"
+ printf "${FAILED}Exiting...Found mismtach in the kube-scheduler kubeconfig certificate and keys, More details: https://github.com/mmumshad/kubernetes-the-hard-way/blob/master/docs/05-kubernetes-configuration-files.md#the-kube-scheduler-kubernetes-configuration-file\n"
 exit 1
 fi
 else
- printf "${FAILED}kube-scheduler kubeconfig file is missing\n"
+ printf "${FAILED}kube-scheduler kubeconfig file is missing. More details: https://github.com/mmumshad/kubernetes-the-hard-way/blob/master/docs/05-kubernetes-configuration-files.md#the-kube-scheduler-kubernetes-configuration-file\n"
 exit 1
 fi
 }
@@ -403,11 +403,11 @@ check_cert_adminkubeconfig()
 then
 printf "${SUCCESS}admin kubeconfig cert and key are correct\n"
 else
- printf "${FAILED}Exiting...Found mismtach in the admin kubeconfig certificate and keys, check subject\n"
+ printf "${FAILED}Exiting...Found mismtach in the admin kubeconfig certificate and keys, More details: https://github.com/mmumshad/kubernetes-the-hard-way/blob/master/docs/05-kubernetes-configuration-files.md#the-admin-kubernetes-configuration-file\n"
 exit 1
 fi
 else
- printf "${FAILED}admin kubeconfig file is missing\n"
+ printf "${FAILED}admin kubeconfig file is missing. More details: https://github.com/mmumshad/kubernetes-the-hard-way/blob/master/docs/05-kubernetes-configuration-files.md#the-admin-kubernetes-configuration-file\n"
 exit 1
 fi
 }
@@ -447,7 +447,7 @@ check_systemd_etcd()
 then
 printf "${SUCCESS}ETCD certificate, ca and key files are correct under systemd service\n"
 else
- printf "${FAILED}Exiting...Found mismtach in the ETCD certificate, ca and keys, check /etc/systemd/system/etcd.service file\n"
+ printf "${FAILED}Exiting...Found mismtach in the ETCD certificate, ca and keys. More details: https://github.com/mmumshad/kubernetes-the-hard-way/blob/master/docs/07-bootstrapping-etcd.md#configure-the-etcd-server\n"
 exit 1
 fi
@@ -456,12 +456,12 @@ check_systemd_etcd()
 then
 printf "${SUCCESS}ETCD initial-advertise-peer-urls, listen-peer-urls, listen-client-urls, advertise-client-urls are correct\n"
 else
- printf "${FAILED}Exiting...Found mismtach in the ETCD initial-advertise-peer-urls / listen-peer-urls / listen-client-urls / advertise-client-urls, check /etc/systemd/system/etcd.service file\n"
+ printf "${FAILED}Exiting...Found mismtach in the ETCD initial-advertise-peer-urls / listen-peer-urls / listen-client-urls / advertise-client-urls. More details: https://github.com/mmumshad/kubernetes-the-hard-way/blob/master/docs/07-bootstrapping-etcd.md#configure-the-etcd-server\n"
 exit 1
 fi
 else
- printf "${FAILED}etcd-server.crt / etcd-server.key is missing\n"
+ printf "${FAILED}etcd-server.crt / etcd-server.key is missing. More details: https://github.com/mmumshad/kubernetes-the-hard-way/blob/master/docs/07-bootstrapping-etcd.md#configure-the-etcd-server\n"
 exit 1
 fi
 }
@@ -500,11 +500,11 @@ check_systemd_api()
 then
 printf "${SUCCESS}kube-apiserver advertise-address/ client-ca-file/ etcd-cafile/ etcd-certfile/ etcd-keyfile/ kubelet-certificate-authority/ kubelet-client-certificate/ kubelet-client-key/ service-account-key-file/ tls-cert-file/ tls-private-key-file are correct\n"
 else
- printf "${FAILED}Exiting...Found mismtach in the kube-apiserver systemd file, check advertise-address/ client-ca-file/ etcd-cafile/ etcd-certfile/ etcd-keyfile/ kubelet-certificate-authority/ kubelet-client-certificate/ kubelet-client-key/ service-account-key-file/ tls-cert-file/ tls-private-key-file under /etc/systemd/system/kube-apiserver.service\n"
+ printf "${FAILED}Exiting...Found mismtach in the kube-apiserver systemd file, check advertise-address/ client-ca-file/ etcd-cafile/ etcd-certfile/ etcd-keyfile/ kubelet-certificate-authority/ kubelet-client-certificate/ kubelet-client-key/ service-account-key-file/ tls-cert-file/ tls-private-key-file. More details: https://github.com/mmumshad/kubernetes-the-hard-way/blob/master/docs/08-bootstrapping-kubernetes-controllers.md#configure-the-kubernetes-api-server\n"
 exit 1
 fi
 else
- printf "${FAILED}kube-apiserver.crt / kube-apiserver.key is missing\n"
+ printf "${FAILED}kube-apiserver.crt / kube-apiserver.key is missing. More details: https://github.com/mmumshad/kubernetes-the-hard-way/blob/master/docs/08-bootstrapping-kubernetes-controllers.md#configure-the-kubernetes-api-server\n"
 exit 1
 fi
 }
@@ -535,11 +535,11 @@ check_systemd_kcm()
 then
 printf "${SUCCESS}kube-controller-manager cluster-signing-cert-file, cluster-signing-key-file, kubeconfig, root-ca-file, service-account-private-key-file are correct\n"
 else
- printf "${FAILED}Exiting...Found mismtach in the kube-controller-manager cluster-signing-cert-file, cluster-signing-key-file, kubeconfig, root-ca-file, service-account-private-key-file , check /etc/systemd/system/kube-controller-manager.service file\n"
+ printf "${FAILED}Exiting...Found mismtach in the kube-controller-manager cluster-signing-cert-file, cluster-signing-key-file, kubeconfig, root-ca-file, service-account-private-key-file ,More details: https://github.com/mmumshad/kubernetes-the-hard-way/blob/master/docs/08-bootstrapping-kubernetes-controllers.md#configure-the-kubernetes-controller-manager\n"
 exit 1
 fi
 else
- printf "${FAILED}kube-controller-manager.crt / kube-controller-manager.key is missing\n"
+ printf "${FAILED}kube-controller-manager.crt / kube-controller-manager.key is missing. More details: https://github.com/mmumshad/kubernetes-the-hard-way/blob/master/docs/08-bootstrapping-kubernetes-controllers.md#configure-the-kubernetes-controller-manager\n"
 exit 1
 fi
 }
@@ -565,11 +565,11 @@ check_systemd_ks()
 then
 printf "${SUCCESS}kube-scheduler --kubeconfig, --address are correct\n"
 else
- printf "${FAILED}Exiting...Found mismtach in the kube-scheduler --kubeconfig, --address, check /etc/systemd/system/kube-scheduler.service file\n"
+ printf "${FAILED}Exiting...Found mismtach in the kube-scheduler --kubeconfig, --address, More details: https://github.com/mmumshad/kubernetes-the-hard-way/blob/master/docs/08-bootstrapping-kubernetes-controllers.md#configure-the-kubernetes-scheduler\n"
 exit 1
 fi
 else
- printf "${FAILED}kube-scheduler.crt / kube-scheduler.key is missing\n"
+ printf "${FAILED}kube-scheduler.crt / kube-scheduler.key is missing. More details: https://github.com/mmumshad/kubernetes-the-hard-way/blob/master/docs/08-bootstrapping-kubernetes-controllers.md#configure-the-kubernetes-scheduler\n"
 exit 1
 fi
 }
From a4db3dbf137ae65468a8f641ad67b50466857153 Mon Sep 17 00:00:00 2001
From: Sujith Abdul Rahim
Date: Thu, 7 May 2020 14:09:41 +0530
Subject: [PATCH 23/25] worker-1 cert validation with github links
---
 vagrant/ubuntu/cert_verify.sh | 18 +++++++++---------
 1 file changed, 9 insertions(+), 9 deletions(-)
diff --git a/vagrant/ubuntu/cert_verify.sh b/vagrant/ubuntu/cert_verify.sh
index fce3f26..14cd072 100755
--- a/vagrant/ubuntu/cert_verify.sh
+++ b/vagrant/ubuntu/cert_verify.sh
@@ -595,11 +595,11 @@ check_cert_worker_1()
 then
 printf "${SUCCESS}worker-1 cert and key are correct\n"
 else
- printf "${FAILED}Exiting...Found mismtach in the worker-1 certificate and keys, check subject\n"
+ printf "${FAILED}Exiting...Found mismtach in the worker-1 certificate and keys, More details: https://github.com/mmumshad/kubernetes-the-hard-way/blob/master/docs/09-bootstrapping-kubernetes-workers.md#provisioning--kubelet-client-certificates\n"
 exit 1
 fi
 else
- printf "${FAILED}/var/lib/kubelet/worker-1.crt / /var/lib/kubelet/worker-1.key is missing\n"
+ printf "${FAILED}/var/lib/kubelet/worker-1.crt / /var/lib/kubelet/worker-1.key is missing. More details: https://github.com/mmumshad/kubernetes-the-hard-way/blob/master/docs/09-bootstrapping-kubernetes-workers.md#provisioning--kubelet-client-certificates\n"
 exit 1
 fi
 }
@@ -623,11 +623,11 @@ check_cert_worker_1_kubeconfig()
 then
 printf "${SUCCESS}worker-1 kubeconfig cert and key are correct\n"
 else
- printf "${FAILED}Exiting...Found mismtach in the worker-1 kubeconfig certificate and keys, check subject\n"
+ printf "${FAILED}Exiting...Found mismtach in the worker-1 kubeconfig certificate and keys, More details: https://github.com/mmumshad/kubernetes-the-hard-way/blob/master/docs/09-bootstrapping-kubernetes-workers.md#the-kubelet-kubernetes-configuration-file\n"
 exit 1
 fi
 else
- printf "${FAILED}worker-1 /var/lib/kubelet/kubeconfig file is missing\n"
+ printf "${FAILED}worker-1 /var/lib/kubelet/kubeconfig file is missing. More details: https://github.com/mmumshad/kubernetes-the-hard-way/blob/master/docs/09-bootstrapping-kubernetes-workers.md#the-kubelet-kubernetes-configuration-file\n"
 exit 1
 fi
 }
@@ -656,7 +656,7 @@ check_cert_worker_1_kubelet()
 then
 printf "${SUCCESS}worker-1 kubelet config CA cert, resolvConf and Auth mode are correct\n"
 else
- printf "${FAILED}Exiting...Found mismtach in the worker-1 kubelet config CA cert, resolvConf and Auth mode, check /var/lib/kubelet/kubelet-config.yaml\n"
+ printf "${FAILED}Exiting...Found mismtach in the worker-1 kubelet config CA cert, resolvConf and Auth mode, More details: https://github.com/mmumshad/kubernetes-the-hard-way/blob/master/docs/09-bootstrapping-kubernetes-workers.md#configure-the-kubelet\n"
 exit 1
 fi
@@ -669,12 +669,12 @@ check_cert_worker_1_kubelet()
 then
 printf "${SUCCESS}worker-1 kubelet systemd services are correct\n"
 else
- printf "${FAILED}Exiting...Found mismtach in the worker-1 kubelet systemd services, check /etc/systemd/system/kubelet.service\n"
+ printf "${FAILED}Exiting...Found mismtach in the worker-1 kubelet systemd services, More details: https://github.com/mmumshad/kubernetes-the-hard-way/blob/master/docs/09-bootstrapping-kubernetes-workers.md#configure-the-kubelet\n"
 exit 1
 fi
 else
- printf "${FAILED}worker-1 kubelet config, systemd services, tls cert and key file is missing\n"
+ printf "${FAILED}worker-1 kubelet config, systemd services, tls cert and key file is missing. More details: https://github.com/mmumshad/kubernetes-the-hard-way/blob/master/docs/09-bootstrapping-kubernetes-workers.md\n"
 exit 1
 fi
 }
@@ -699,12 +699,12 @@ check_cert_worker_1_kp()
 then
 printf "${SUCCESS}worker-1 kube-proxy kubeconfig and configuration files are correct\n"
 else
- printf "${FAILED}Exiting...Found mismtach in the worker-1 kube-proxy kubeconfig and configuration files, check /var/lib/kubelet/kubelet-config.yaml & /etc/systemd/system/kube-proxy.service\n"
+ printf "${FAILED}Exiting...Found mismtach in the worker-1 kube-proxy kubeconfig and configuration files, More details: https://github.com/mmumshad/kubernetes-the-hard-way/blob/master/docs/09-bootstrapping-kubernetes-workers.md#configure-the-kubernetes-proxy\n"
 exit 1
 fi
 else
- printf "${FAILED}worker-1 kube-proxy kubeconfig and configuration files are missing\n"
+ printf "${FAILED}worker-1 kube-proxy kubeconfig and configuration files are missing. More details: https://github.com/mmumshad/kubernetes-the-hard-way/blob/master/docs/09-bootstrapping-kubernetes-workers.md#configure-the-kubernetes-proxy\n"
 exit 1
 fi
 }
From 49579afaa04392cf4d9760e848f37d700c73d7c3 Mon Sep 17 00:00:00 2001
From: Sujith Abdul Rahim
Date: Sun, 10 May 2020 14:40:31 +0530
Subject: [PATCH 24/25] kube-proxy config skip master2
---
 vagrant/ubuntu/cert_verify.sh | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/vagrant/ubuntu/cert_verify.sh b/vagrant/ubuntu/cert_verify.sh
index 14cd072..6ede5c4 100755
--- a/vagrant/ubuntu/cert_verify.sh
+++ b/vagrant/ubuntu/cert_verify.sh
@@ -734,13 +734,13 @@ case $value in
 check_cert_kp
 check_cert_ks
 check_cert_adminkubeconfig
+ check_cert_kpkubeconfig
 fi
 check_cert_api
 check_cert_sa
 check_cert_etcd
 # Kubeconfig verification
- check_cert_kpkubeconfig
 check_cert_kcmkubeconfig
 check_cert_kskubeconfig
From b1c7cf9cecfa7a0eee8b56f7f0f6301c1421e03c Mon Sep 17 00:00:00 2001
From: Sujith Abdul Rahim
Date: Sun, 17 May 2020 15:29:56 +0530
Subject: [PATCH 25/25] kcm & ks kubeconfig - path fix
---
 vagrant/ubuntu/cert_verify.sh | 2 --
 1 file changed, 2 deletions(-)
diff --git a/vagrant/ubuntu/cert_verify.sh b/vagrant/ubuntu/cert_verify.sh
index 6ede5c4..705a53f 100755
--- a/vagrant/ubuntu/cert_verify.sh
+++ b/vagrant/ubuntu/cert_verify.sh
@@ -330,7 +330,6 @@ check_cert_kpkubeconfig()
 check_cert_kcmkubeconfig()
 {
- KCMKUBECONFIG=/var/lib/kubernetes/kube-controller-manager.kubeconfig
 if [ -z $KCMKUBECONFIG ]
 then
 printf "${FAILED}please specify kube-controller-manager kubeconfig location\n"
@@ -359,7 +358,6 @@ check_cert_kcmkubeconfig()
 check_cert_kskubeconfig()
 {
- KSKUBECONFIG=/var/lib/kubernetes/kube-scheduler.kubeconfig
 if [ -z $KSKUBECONFIG ]
 then
 printf "${FAILED}please specify kube-scheduler kubeconfig location\n"
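Review bot: With the in-function `KCMKUBECONFIG=...` assignment removed, check_cert_kcmkubeconfig now relies on that variable being set elsewhere in the file, and the guard that is supposed to catch the unset case, `if [ -z $KCMKUBECONFIG ]`, is unquoted: an empty or unset value collapses it to the one-argument test `[ -z ]`, which only happens to be true because the string `-z` is non-empty. Quote it so the check is deliberate rather than accidental: `if [ -z "$KCMKUBECONFIG" ]`. The second hunk, check_cert_kskubeconfig, has the same `[ -z $KSKUBECONFIG ]` guard. Both function bodies continue past their hunks, and the file-level definition the functions now depend on is not part of this diff, so it is worth confirming it exists under exactly these names.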