#!/bin/bash
# Generate a per-cluster PKI for Consul and Nomad: one self-signed CA per
# application plus a yearly agent certificate signed by that CA.
# Usage: run with the cluster name as the only argument; it must match a
# subdirectory of cluster/. Keys and certificates are written under
# cluster/<name>/secrets/pki, relative to this script's own directory.
#
# NOTE(review): -x traces every command (including the openssl invocations)
# to stderr. The visible commands only pass file paths, never key material,
# on the command line; keep it that way if this script grows.
set -xe

# Enter proper cluster subdirectory
# NOTE(review): unquoted expansion; breaks if the script's path contains
# whitespace.
cd $(dirname $0)

CLUSTER="$1"
if [ -z "$CLUSTER" ] || [ ! -d "cluster/$CLUSTER" ]; then
  # NOTE(review): the argument placeholder after "$0" looks missing from the
  # usage line (possibly lost in extraction) — confirm against the original.
  echo "Usage: $0 "
  echo "The cluster name must be the name of a subdirectory of cluster/"
  exit 1
fi
# NOTE(review): unquoted; CLUSTER was checked to be an existing directory
# above, but quoting it would still be safer.
cd cluster/$CLUSTER

# Private keys are created below with the process's default umask; nothing
# here tightens the permissions of secrets/pki or the files in it.
mkdir -p secrets/pki
cd secrets/pki

# Do actual stuff
YEAR=$(date +%Y)
for APP in consul nomad; do
  # 1. Create certificate authority
  # Generated only once: an existing CA key is reused so previously issued
  # agent certificates remain valid.
  if [ ! -f $APP-ca.key ]; then
    echo "Generating $APP CA keys..."
    #openssl genpkey -algorithm ED25519 -out $APP-ca.key
    # RSA-4096 CA key, written unencrypted (no cipher option is given to
    # genrsa). The CA certificate is self-signed and valid for 10 years.
    openssl genrsa -out $APP-ca.key 4096
    openssl req -x509 -new -nodes -key $APP-ca.key -sha256 -days 3650 -out $APP-ca.crt -subj "/C=FR/O=Deuxfleurs/CN=$APP"
  fi

  # The agent certificate name is keyed by the current year, so a re-run in
  # a later year issues a new certificate while leaving the old files alone.
  CERT="${APP}${YEAR}"

  # 2. Create and sign certificates for inter-node communication
  if [ ! -f $CERT.crt ]; then
    echo "Generating $CERT agent keys..."
    # The agent key is also reused if it already exists; only the CSR and
    # certificate are regenerated.
    if [ ! -f $CERT.key ]; then
      #openssl genpkey -algorithm ED25519 -out $CERT.key
      openssl genrsa -out $CERT.key 4096
    fi
    openssl req -new -sha256 -key $CERT.key \
      -subj "/C=FR/O=Deuxfleurs/CN=$APP" \
      -out $CERT.csr
    # Print the CSR so it shows up in the -x trace for inspection.
    openssl req -in $CERT.csr -noout -text
    # Sign the CSR with the CA, taking v3_req extensions from an inline
    # here-document. The here-document body and the remainder of this loop
    # lie past the end of the visible source.
    openssl x509 -req -in $CERT.csr \
      -extensions v3_req \
      -extfile <(cat <