#!/bin/bash
#
# This script automatically installs Let's Encrypt certificate to your Ant Media Server Cluster.
# If you use different namespace or deployment/ingress etc. names, you must make the changes manually.
#
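# Namespace and ingress/certificate names used by the rest of the script.
# Change them here if your deployment differs; every lookup below reads $namespace
# so a single edit is enough (the original queried a hard-coded "antmedia" instead).
namespace="antmedia"
#ingress_controller_name="antmedia-ingress-nginx-controller"
#get_ingress=$(kubectl get -n "$namespace" svc "$ingress_controller_name" -o jsonpath='{.status.loadBalancer.ingress[0].ip}')
# Load-balancer IP and first host rule of the origin/edge ingresses as published by the cluster.
# kubectl errors are discarded, so on a missing ingress these end up empty (jq prints "null"
# when the JSON is present but the field is not).
origin_ingress_ip=$(kubectl get ingress -n "$namespace" ant-media-server-origin -o json 2> /dev/null | jq -r '.status.loadBalancer.ingress[0].ip')
origin_hostname=$(kubectl get ingress -n "$namespace" ant-media-server-origin -o json 2> /dev/null | jq -r '.spec.rules[0].host')
edge_ingress_ip=$(kubectl get ingress -n "$namespace" ant-media-server-edge -o json 2> /dev/null | jq -r '.status.loadBalancer.ingress[0].ip')
edge_hostname=$(kubectl get ingress -n "$namespace" ant-media-server-edge -o json 2> /dev/null | jq -r '.spec.rules[0].host')
# Readiness queries for the two Certificate objects, kept as plain command strings for
# compatibility with callers that run them via eval. $namespace is expanded here, at
# definition time; it is a constant above, so no untrusted text reaches eval.
origin_ssl="kubectl get certificate antmedia-cert-origin -o jsonpath='{.status.conditions[].status}' -n $namespace --ignore-not-found=true"
edge_ssl="kubectl get certificate antmedia-cert-edge -o jsonpath='{.status.conditions[].status}' -n $namespace --ignore-not-found=true"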
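#######################################
# Abort the script when the immediately preceding command failed.
# Must be called directly after the command to inspect, since it reads $?.
# Globals:   none (the original leaked the status into a global OUT)
# Arguments: none
# Outputs:   a hint pointing at output.log on stdout when failing
# Returns:   does not return on failure; exits with the failed command's status
#######################################
check() {
  # $? is expanded before `local` runs, so this captures the caller's last status.
  local rc=$?
  if (( rc != 0 )); then
    printf '%s\n' "There is a problem with installing the cert-manager. Please check the output.log file to debug it."
    exit "$rc"
  fi
}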
# check if cert-manager is installed
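#######################################
# Install or upgrade cert-manager (pinned to chart v1.9.1) via helm.
# Globals:   log_file (written; the name is quoted in check()'s failure message)
# Arguments: none
# Outputs:   all helm output goes to $log_file; the file is truncated once at the
#            start and then appended to, so the log of an earlier helm step is
#            no longer overwritten by the next one.
# Returns:   0 on success; exits via check() with helm's status on failure
#######################################
cert_manager() {
  log_file="output.log"
  : > "$log_file"
  if helm list -n cert-manager --short 2>> "$log_file" | grep -q cert-manager; then
    # Release already present: reconcile it to the pinned chart version.
    helm upgrade --install cert-manager jetstack/cert-manager --namespace cert-manager --version v1.9.1 --set installCRDs=true &>> "$log_file"
    check
  else
    # Fresh install: register the chart repo first. `helm repo add` reports an error when
    # the repo is already registered; that is harmless here, which is why its status is
    # deliberately not checked and the install step alone decides success.
    helm repo add jetstack https://charts.jetstack.io &>> "$log_file"
    helm repo update &>> "$log_file"
    helm install cert-manager jetstack/cert-manager --namespace cert-manager --create-namespace --version v1.9.1 --set installCRDs=true &>> "$log_file"
    check
  fi
}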
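# Hostnames keyed by role ("origin", "edge"). Not referenced further down in this file;
# the DNS check uses $origin_hostname/$edge_hostname instead.
declare -A hostname
# Number of lines `kubectl get` prints for the edge ingress: header plus one row when it
# exists, nothing when it does not (stderr is discarded). Whitespace is stripped because
# some wc implementations pad the count, which would break the != "0" comparisons below.
check_edge=$(kubectl get -n "$namespace" ingress ant-media-server-edge 2> /dev/null | wc -l | tr -d '[:space:]')
if [ "$check_edge" != "0" ]; then
  hostname[edge]=$(kubectl get -n "$namespace" ingress ant-media-server-edge -o jsonpath='{.spec.rules[0].host}')
  hostname[origin]=$(kubectl get -n "$namespace" ingress ant-media-server-origin -o jsonpath='{.spec.rules[0].host}')
else
  hostname[origin]=$(kubectl get -n "$namespace" ingress ant-media-server-origin -o jsonpath='{.spec.rules[0].host}')
fi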
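printf '\033[0;31m%s\033[0m\n' "You must have the kubectl tool installed and accessing the Kubernetes cluster."
# Check DNS record
# NOTE(review): the fallback assumes a Debian/Ubuntu host with sudo; on other systems
# install dig by hand before running the script.
if ! command -v dig > /dev/null 2>&1; then
  sudo apt-get install bind9-dnsutils -y -qq
fi
#######################################
# Compare the public DNS answer for a hostname with the ingress load-balancer IP.
# Arguments: $1 - hostname to resolve; $2 - expected IP
# Returns:   0 when the final +short answer from 8.8.8.8 equals $2; 1 otherwise,
#            including an empty answer (the original's unquoted test turned an
#            empty answer into a `[` syntax error and silently skipped the exit).
#######################################
dns_matches() {
  local host=$1 expected=$2 resolved
  # +short prints a CNAME chain before the address when one exists; keep the last line.
  resolved=$(dig @8.8.8.8 "$host" +short 2> /dev/null | tail -n 1)
  [[ -n "$resolved" && "$resolved" == "$expected" ]]
}
# Without a hostname dig would query the root zone and the mismatch message would mislead.
if [[ -z "$origin_hostname" || -z "$origin_ingress_ip" || "$origin_ingress_ip" == "null" ]]; then
  echo "Could not read the host or the load-balancer IP of ingress ant-media-server-origin in namespace $namespace."
  exit 1
fi
if ! dns_matches "$origin_hostname" "$origin_ingress_ip"; then
  echo "Please make sure your DNS record is correct then run the script again later."
  exit 1
fi
if [ "$check_edge" != "0" ]; then
  if [[ -z "$edge_hostname" || -z "$edge_ingress_ip" || "$edge_ingress_ip" == "null" ]]; then
    echo "Could not read the host or the load-balancer IP of ingress ant-media-server-edge in namespace $namespace."
    exit 1
  fi
  if ! dns_matches "$edge_hostname" "$edge_ingress_ip"; then
    echo "Please make sure your DNS record is correct then run the script again later."
    exit 1
  fi
fi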
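# Install cert-manager
cert_manager
#######################################
# Apply the letsencrypt-production ClusterIssuer (HTTP-01 via the nginx ingress class).
# `apply` is idempotent, so re-running the script is not an error the way `create` was;
# the original discarded all output with &> /dev/null, which also hid real failures.
# Returns:   kubectl's status
#######################################
apply_cluster_issuer() {
  kubectl apply -f - <<EOF
---
apiVersion: cert-manager.io/v1
kind: ClusterIssuer
metadata:
  name: letsencrypt-production
spec:
  acme:
    server: https://acme-v02.api.letsencrypt.org/directory
    privateKeySecretRef:
      name: letsencrypt-production
    solvers:
    - http01:
        ingress:
          class: nginx
EOF
}
# Create letsencrypt-production ClusterIssuer.
# Immediately after the helm install the cert-manager admission webhook may not be serving
# yet, so the first apply can be rejected; retry for a while instead of giving up silently.
issuer_applied=0
for _try in 1 2 3 4 5 6; do
  if apply_cluster_issuer; then
    issuer_applied=1
    break
  fi
  sleep 10
done
if [ "$issuer_applied" -ne 1 ]; then
  echo "The letsencrypt-production ClusterIssuer could not be created. Check the cert-manager pods in the cert-manager namespace and run the script again."
  exit 1
fi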
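# Delete Self-Signed certificates so cert-manager issues fresh ones into the same secrets.
if [ "$check_edge" != "0" ]; then
  kubectl delete -n "$namespace" secret antmedia-cert-edge --ignore-not-found=true
  kubectl delete -n "$namespace" secret antmedia-cert-origin --ignore-not-found=true
  echo "Self-Signed certificates have been deleted."
else
  kubectl delete -n "$namespace" secret antmedia-cert-origin --ignore-not-found=true
  echo "The self-Signed certificate has been deleted."
fi
# Update annotations for Let's Encrypt on every ingress in the namespace.
# --overwrite: without it kubectl refuses to change an annotation that already has a value,
# so a second run of the script (or an ingress that was annotated by hand) would fail here.
kubectl annotate -n "$namespace" ingress cert-manager.io/cluster-issuer=letsencrypt-production --all --overwrite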
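max_attempts=5
retry_delay=5
#######################################
# Poll a cert-manager Certificate until its Ready condition is True.
# The original polled the origin certificate and then called `exit 0`, so the edge
# certificate was never checked (and the second loop's `if` was left unclosed).
# Globals:   namespace, max_attempts, retry_delay (read)
# Arguments: $1 - Certificate name; $2 - label used in messages ("Origin" / "Edge")
# Outputs:   progress messages on stdout
# Returns:   0 once Ready; exits 1 after max_attempts polls without it
#######################################
wait_for_cert() {
  local cert_name=$1 label=$2
  local attempt ready
  for (( attempt = 1; attempt <= max_attempts; attempt++ )); do
    # Select only the Ready condition: with more than one condition present (e.g. Issuing)
    # a plain conditions[*] query would concatenate the statuses and never equal "True".
    ready=$(kubectl get certificate "$cert_name" -n "$namespace" --ignore-not-found=true \
      -o 'jsonpath={.status.conditions[?(@.type=="Ready")].status}' 2> /dev/null)
    if [[ "$ready" == "True" ]]; then
      echo "$label certificate installed."
      return 0
    fi
    if (( attempt < max_attempts )); then
      sleep "$retry_delay"
    fi
  done
  echo "$label certificate is not installed. Run this command for debugging: kubectl describe cert $cert_name -n $namespace"
  exit 1
}
wait_for_cert antmedia-cert-origin "Origin"
if [ "$check_edge" != "0" ]; then
  wait_for_cert antmedia-cert-edge "Edge"
fi
exit 0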