| 1 | +#!/bin/bash |
| 2 | +set -e |
| 3 | + |
| 4 | +echo "This script will regenerate the TLS certificates in tls-certificate.yaml" |
| 5 | +echo "Prerequisites:" |
| 6 | +echo " - oc configured with an OpenShift cluster" |
| 7 | +echo " - cert-manager installed in the cluster" |
| 8 | +echo " - openstack namespace/project exists" |
| 9 | +echo "" |
| 10 | + |
| 11 | +# Extract the commented cert-manager resources |
| 12 | +TEMP_FILE=$(mktemp) |
| 13 | +sed -n '5,69s/^# //p' tls-certificate.yaml > "$TEMP_FILE" |
| 14 | + |
| 15 | +echo "Extracted cert-manager resources to $TEMP_FILE" |
| 16 | +echo "" |
| 17 | +echo "Deleting any existing secrets..." |
| 18 | +oc delete secret root-secret galera-cert -n openstack --ignore-not-found=true |
| 19 | + |
| 20 | +echo "" |
| 21 | +echo "Applying cert-manager resources..." |
| 22 | + |
| 23 | +# Apply the resources |
| 24 | +oc apply -f "$TEMP_FILE" |
| 25 | + |
| 26 | +echo "Waiting for certificates to be ready..." |
| 27 | +echo " - Waiting for root-secret (CA certificate)..." |
| 28 | +oc wait --for=condition=ready certificate/selfsigned-ca -n openstack --timeout=60s |
| 29 | + |
| 30 | +echo " - Waiting for galera-cert certificate..." |
| 31 | +oc wait --for=condition=ready certificate/galera-cert -n openstack --timeout=60s |
| 32 | + |
| 33 | +echo "" |
| 34 | +echo "Certificates are ready! Extracting secret data..." |
| 35 | + |
| 36 | +# Get the secret data |
| 37 | +CA_CRT=$(oc get secret root-secret -n openstack -o jsonpath='{.data.ca\.crt}') |
| 38 | +TLS_CRT=$(oc get secret galera-cert -n openstack -o jsonpath='{.data.tls\.crt}') |
| 39 | +TLS_KEY=$(oc get secret galera-cert -n openstack -o jsonpath='{.data.tls\.key}') |
| 40 | + |
| 41 | +echo "" |
| 42 | +echo "Certificate validity periods:" |
| 43 | +echo " CA Certificate:" |
| 44 | +echo "$CA_CRT" | base64 -d | openssl x509 -noout -dates | sed 's/^/ /' |
| 45 | +echo "" |
| 46 | +echo " Galera Certificate:" |
| 47 | +echo "$TLS_CRT" | base64 -d | openssl x509 -noout -dates | sed 's/^/ /' |
| 48 | +echo "" |
| 49 | + |
| 50 | +echo "" |
| 51 | +echo "Creating new hardcoded secret..." |
| 52 | +echo "---" |
| 53 | +cat <<EOF |
| 54 | +apiVersion: v1 |
| 55 | +kind: Secret |
| 56 | +metadata: |
| 57 | + name: galera-cert |
| 58 | +data: |
| 59 | + tls-ca-bundle.pem: $CA_CRT |
| 60 | + tls.crt: $TLS_CRT |
| 61 | + tls.key: $TLS_KEY # notsecret |
| 62 | +EOF |
| 63 | + |
| 64 | +echo "" |
| 65 | +echo "---" |
| 66 | +echo "" |
| 67 | +echo "To update tls-certificate.yaml:" |
| 68 | +echo "1. Copy the secret output above" |
| 69 | +echo "2. Replace the existing Secret resource (lines 71-78) in tls-certificate.yaml" |
| 70 | +echo "" |
| 71 | +echo "Cleaning up cert-manager resources..." |
| 72 | +oc delete -f "$TEMP_FILE" --ignore-not-found=true |
| 73 | + |
| 74 | +rm "$TEMP_FILE" |
| 75 | +echo "Done!" |
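Review bot: A failed or timed-out `oc wait` (lines 28 and 31) aborts the script under `set -e` before the cleanup at line 72 runs, leaving the cert-manager resources extracted from the temp file in the cluster and the temp file on disk; installing a `trap … EXIT` right after `mktemp` covers every exit path (whether cert-manager also leaves the generated `root-secret`/`galera-cert` Secrets behind is not visible here, which is presumably why line 18 deletes them up front). The validity-period pipelines at lines 44 and 47 end in `sed`, so without `-o pipefail` a malformed or empty `$CA_CRT`/`$TLS_CRT` is masked and the script continues to emit a Secret with empty `data` fields. The heredoc at lines 53–62 prints `tls.key` to stdout for pasting into a committed YAML, so a comment above it should state that this is a self-signed, test-only fixture whose key is deliberately public, and that the `# notsecret` marker only silences scanners — it does not make the key safe to reuse or to capture in shared CI logs for any other purpose.
```shell
set -euo pipefail

# Extract the commented cert-manager resources
TEMP_FILE=$(mktemp)

# Remove the temporary cert-manager resources on every exit path, including
# a timed-out `oc wait`; otherwise the applied Issuer/Certificate objects
# stay behind in the cluster.
cleanup() {
  oc delete -f "$TEMP_FILE" --ignore-not-found=true >/dev/null 2>&1 || true
  rm -f -- "$TEMP_FILE"
}
trap cleanup EXIT

# … unchanged: extraction, secret deletion, apply, wait, secret export, output …
```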