k8s expects tls.crt not ssl_crt

Author: paulczar

generate-certs

@@ -26,6 +26,8 @@ export SSL_IP=${SSL_IP}
 export K8S_NAME=${K8S_NAME:-"omgwtfssl"}
 export K8S_NAMESPACE=${K8S_NAMESPACE:-"default"}
 export K8S_SAVE_CA_KEY=${K8S_SAVE_CA_KEY}
+export K8S_SAVE_CA_CRT=${K8S_SAVE_CA_CRT}
+export K8S_SHOW_SECRET=${K8S_SHOW_SECRET}
 
 export OUTPUT=${OUTPUT:-"yaml"}
 
@@ -88,15 +90,8 @@ openssl req -new -key ${SSL_KEY} -out ${SSL_CSR} -subj "/CN=${SSL_SUBJECT}" -con
 openssl x509 -req -in ${SSL_CSR} -CA ${CA_CERT} -CAkey ${CA_KEY} -CAcreateserial -out ${SSL_CERT} \
     -days ${SSL_EXPIRE} -extensions v3_req -extfile ${SSL_CONFIG} > /dev/null || exit 1
 
-if [[ -z $SILENT ]]; then
-echo "====> Complete"
-echo "keys can be found in volume mapped to $(pwd)"
-echo
-
-if [[ ${OUTPUT} == "k8s" ]]; then
-  echo "====> Output results as base64 k8s secrets"
-  echo "---"
-  cat << EOM | tee /certs/secret.yaml
+# create k8s secret file
+cat << EOM > /certs/secret.yaml
 apiVersion: v1
 kind: Secret
 metadata:
@@ -106,19 +101,31 @@ type: kubernetes.io/tls
 data:
 EOM
 if [[ -n $K8S_SAVE_CA_KEY ]]; then
-  echo -n "  ca_key: " | tee -a /certs/secret.yaml
-  cat $CA_KEY | base64 | tr '\n' ',' | sed 's/,//g' | tee -a /certs/secret.yaml
-  echo | tee -a /certs/secret.yaml
+    echo -n "  ca.key: " >> /certs/secret.yaml
+    cat $CA_KEY | base64 | tr '\n' ',' | sed 's/,//g' >> /certs/secret.yaml
+    echo >> /certs/secret.yaml
+fi
+if [[ -n $K8S_SAVE_CA_CRT ]]; then
+    echo -n "  ca.crt: " >> /certs/secret.yaml
+    cat $CA_CERT | base64 | tr '\n' ',' | sed 's/,//g' >> /certs/secret.yaml
+    echo >> /certs/secret.yaml
 fi
-  echo -n "  ca_crt: " | tee -a /certs/secret.yaml
-  cat $CA_CERT | base64 | tr '\n' ',' | sed 's/,//g' | tee -a /certs/secret.yaml
-  echo | tee -a /certs/secret.yaml
-  echo -n "  ssl_key: " | tee -a /certs/secret.yaml
-  cat $SSL_KEY | base64 | tr '\n' ',' | sed 's/,//g' | tee -a /certs/secret.yaml
-  echo | tee -a /certs/secret.yaml
-  echo -n "  ssl_crt: " | tee -a /certs/secret.yaml
-  cat $SSL_CERT | base64 | tr '\n' ',' | sed 's/,//g' | tee -a /certs/secret.yaml
-  echo | tee -a /certs/secret.yaml
+echo -n "  tls.key: " >> /certs/secret.yaml
+cat $SSL_KEY | base64 | tr '\n' ',' | sed 's/,//g' >> /certs/secret.yaml
+echo >> /certs/secret.yaml
+echo -n "  tls.crt: " >> /certs/secret.yaml
+cat $SSL_CERT | base64 | tr '\n' ',' | sed 's/,//g' >> /certs/secret.yaml
+echo >> /certs/secret.yaml
+
+if [[ -z $SILENT ]]; then
+echo "====> Complete"
+echo "keys can be found in volume mapped to $(pwd)"
+echo
+
+if [[ ${OUTPUT} == "k8s" ]]; then
+  echo "====> Output results as base64 k8s secrets"
+  echo "---"
+  cat /certs/secret.yaml
 
 else
   echo "====> Output results as YAML"

kubernetes/omgwtfssl.yaml

@@ -1,3 +1,13 @@
+kind: ConfigMap
+apiVersion: v1
+metadata:
+  name: omgwtfssl
+data:
+  SSL_SUBJECT: "*.192.168.99.100.xip.io"
+  SSL_IP: "192.168.99.100"
+  SSL_EXPIRE: "3600"
+  SILENT: "true"
+---
 apiVersion: batch/v1
 kind: Job
 metadata:
@@ -6,26 +16,22 @@ spec:
   template:
     spec:
       restartPolicy: Never
-      containers:
+      initContainers:
       - name: omgwtfssl
-        image: paulczar/omgwtfssl
-        env:
-        - name: SSL_SUBJECT
-          value: "*.192.168.99.100.xip.io"
-        - name: SSL_IP
-          value: "192.168.99.100"
-        - name: SSL_EXPIRE
-          value: "3600"
-        - name: OUTPUT
-          value: "k8s"
+        image: paulczar/omgwtfssl:latest
+        envFrom:
+        - configMapRef:
+            name: omgwtfssl
         volumeMounts:
-        - name: secret-path
-          mountPath: /k8s
+        - name: certs-path
+          mountPath: /certs
+      containers:
       - name: kubectl
-        image: lachlanevenson/k8s-kubectl:v.1.9.3
+        image: lachlanevenson/k8s-kubectl:v1.9.3
+        command: ["kubectl", "apply", "-f", "/certs/secret.yaml"]
         volumeMounts:
-        - name: secret-path
-          mountPath: /k8s
+        - name: certs-path
+          mountPath: /certs
       volumes:
-      - name: secret-path
+      - name: certs-path
         emptyDir: {}