github/kubernetes
1
0
Fork 0
mirror of https://github.com/k3s-io/kubernetes.git synced 2025-08-07 19:23:40 +00:00
Code Issues Projects Releases Wiki Activity

Extract kubernetes-keygen to its own repo: mesosphere/kubernetes-keygen

Browse Source 
- Move keygen image mesosphere/kubernetes-mesos-keygen -> mesosphere/kubernetes-keygen:v1.0.0
- Remove resolveip in favor of github.com/karlkfi/resolveip (resolveip.sh)
- Remove util-temp-dir.sh in favor of github.com/karlkfi/intemp (intemp.sh)
- Refactor bash code to use intemp (extract functions to scripts)
- Remove util-ssl.sh in favor of mesosphere/kubernetes-keygen
This commit is contained in:
Karl Isenberg 2016-01-03 09:40:40 -08:00
parent e0eac06f64
commit 1938414706
12 changed files with 131 additions and 414 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

29
cluster/mesos/docker/common/bin/resolveip
View File

@ -1,29 +0,0 @@
#!/usr/bin/env bash
# Copyright 2015 The Kubernetes Authors All rights reserved.
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
# Resolve an IP from a hostname (using getent)
# Usage: resolveip <hostname>
# Requires: getent
# TODO: Mac support
set -o errexit
set -o nounset
set -o pipefail
hostname=$1
[ -z "${hostname}" ] && echo "No hostname supplied" && exit 1
getent hosts "${hostname}" | cut -d' ' -f1 | sort -u | tail -1

169
cluster/mesos/docker/common/bin/util-ssl.sh
View File

@ -1,169 +0,0 @@
#!/bin/bash
# Copyright 2015 The Kubernetes Authors All rights reserved.
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
# Sourcable SSL functions
set -o errexit
set -o nounset
set -o pipefail
set -o errtrace
bin="$(cd "$(dirname "${BASH_SOURCE}")" && pwd -P)"
source "${bin}/util-temp-dir.sh"
function cluster::mesos::docker::find_openssl_config {
for candidate in "/etc/ssl/openssl.cnf" "/System/Library/OpenSSL/openssl.cnf"; do
if [ -f "${candidate}" ]; then
echo "${candidate}"
return 0
fi
done
echo "ERROR: cannot find openssl.cnf" 1>&2
return 1
}
function cluster::mesos::docker::create_root_certificate_authority {
local out_dir="$1"
# TODO(karlkfi): extract config
local subject="/C=GB/ST=London/L=London/O=example/OU=IT/CN=example.com"
echo "Creating private key" 1>&2
openssl genrsa -out "${out_dir}/root-ca.key" 2048
echo "Creating certificate sign request" 1>&2
openssl req -nodes -new -utf8 \
-key "${out_dir}/root-ca.key" \
-out "${out_dir}/root-ca.csr" \
-subj "${subject}"
echo "Signing new certificate with private key" 1>&2
openssl x509 -req -days 3650 \
-in "${out_dir}/root-ca.csr" \
-out "${out_dir}/root-ca.crt" \
-signkey "${out_dir}/root-ca.key"
echo "Key: ${out_dir}/root-ca.key" 1>&2
echo "Cert: ${out_dir}/root-ca.crt" 1>&2
}
# Creates an apiserver key and certificate with the given IPs & kubernetes.* domain names.
# Uses the current dir for scratch work.
function cluster::mesos::docker::create_apiserver_cert_inner {
local in_dir="$1"
local out_dir="$2"
local apiserver_ip="$3"
local service_ip="$4"
local workspace="$(pwd)"
if [ ! -f "${in_dir}/root-ca.key" ]; then
echo "Signing key not found: ${in_dir}/root-ca.key"
return 1
fi
if [ ! -f "${in_dir}/root-ca.crt" ]; then
echo "Root certificate not found: ${in_dir}/root-ca.key"
return 1
fi
mkdir -p "${out_dir}"
local openssl_cnf=$(cluster::mesos::docker::find_openssl_config)
# TODO(karlkfi): extract config
local subject="/C=GB/ST=London/L=London/O=example/OU=IT/CN=example.com"
local cluster_domain="cluster.local"
local service_name="kubernetes"
local service_namespace="default"
local subject_alt_name="IP:${apiserver_ip},IP:${service_ip},DNS:${service_name},DNS:${service_name}.${service_namespace},DNS:${service_name}.${service_namespace}.svc,DNS:${service_name}.${service_namespace}.svc.${cluster_domain}"
echo "Creating private key" 1>&2
openssl genrsa -out "${workspace}/apiserver.key" 2048
echo "Creating certificate sign request" 1>&2
openssl req -nodes -new -utf8 \
-key "${workspace}/apiserver.key" \
-out "${workspace}/apiserver.csr" \
-reqexts SAN \
-config <(cat "${openssl_cnf}"; echo -e "[SAN]\nsubjectAltName=${subject_alt_name}") \
-subj "${subject}"
echo "Validating certificate sign request" 1>&2
openssl req -text -noout -in "${workspace}/apiserver.csr" | grep -q "${service_name}.${service_namespace}.svc.${cluster_domain}"
echo "Signing new certificate with root certificate authority key" 1>&2
mkdir -p "${workspace}/demoCA/newcerts"
touch "${workspace}/demoCA/index.txt"
echo 1000 > "${workspace}/demoCA/serial"
openssl ca -batch \
-days 3650 \
-in "${workspace}/apiserver.csr" \
-cert "${in_dir}/root-ca.crt" \
-keyfile "${in_dir}/root-ca.key" \
-config <(sed 's/.*\(copy_extensions = copy\)/\1/' ${openssl_cnf})
echo "Validating signed certificate" 1>&2
openssl x509 -in "${workspace}/demoCA/newcerts/1000.pem" -text -noout | grep -q "${service_name}.${service_namespace}.svc.${cluster_domain}"
echo "Key: ${out_dir}/apiserver.key" 1>&2
cp "${workspace}/apiserver.key" "${out_dir}/apiserver.key"
echo "Cert: ${out_dir}/apiserver.crt" 1>&2
cp "${workspace}/demoCA/newcerts/1000.pem" "${out_dir}/apiserver.crt"
}
# Creates an apiserver key and certificate with the given IPs & kubernetes.* domain names.
function cluster::mesos::docker::create_apiserver_cert {
local in_dir="$1" # must contain root-ca.crt & root-ca.key
local out_dir="$2"
local apiserver_ip="$3"
local service_ip="$4"
cluster::mesos::docker::run_in_temp_dir "k8sm-certs" \
"cluster::mesos::docker::create_apiserver_cert_inner" \
"${in_dir}" "${out_dir}" "${apiserver_ip}" "${service_ip}"
}
# Creates an rsa key (for signing service accounts).
function cluster::mesos::docker::create_rsa_key {
local key_file_path="$1"
# buffer output until failure
local output=$((
openssl genrsa -out "${key_file_path}" 2048 || exit $?
) 2>&1)
local exit_status="$?"
if [ "${exit_status}" != 0 ]; then
echo "${output}" 1>&2
return "${exit_status}"
fi
echo "Key: ${key_file_path}" 1>&2
}
# Creates a k8s token auth user file.
# See /docs/admin/authentication.md
function cluster::mesos::docker::create_token_user {
local user_name="$1"
echo "$(openssl rand -hex 32),${user_name},${user_name}"
}
# Creates a k8s basic auth user file.
# See /docs/admin/authentication.md
function cluster::mesos::docker::create_basic_user {
local user_name="$1"
local password="$2"
echo "${password},${user_name},${user_name}"
}

47
cluster/mesos/docker/common/bin/util-temp-dir.sh
View File

@ -1,47 +0,0 @@
#!/bin/bash
# Copyright 2015 The Kubernetes Authors All rights reserved.
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
# Sourcable temp directory functions
set -o errexit
set -o nounset
set -o pipefail
set -o errtrace
# Runs the supplied command string in a temporary workspace directory.
function cluster::mesos::docker::run_in_temp_dir {
prefix="$1"
shift
cmd="$@"
# create temp WORKSPACE dir in current dir to avoid permission issues of TMPDIR on mac os x
local -r workspace=$(env TMPDIR=$(pwd) mktemp -d -t "${prefix}-XXXXXX")
echo "Workspace created: ${workspace}" 1>&2
cleanup() {
local -r workspace="$1"
rm -rf "${workspace}"
echo "Workspace deleted: ${workspace}" 1>&2
}
trap "cleanup '${workspace}'" EXIT
pushd "${workspace}" > /dev/null
${cmd}
popd > /dev/null
trap - EXIT
cleanup "${workspace}"
}

35
cluster/mesos/docker/deploy-addons.sh
View File

@ -27,39 +27,20 @@ set -o errtrace
KUBE_ROOT=$(cd "$(dirname "${BASH_SOURCE}")/../../.." && pwd)
source "${KUBE_ROOT}/cluster/${KUBERNETES_PROVIDER}/${KUBE_CONFIG_FILE-"config-default.sh"}"
source "${KUBE_ROOT}/cluster/${KUBERNETES_PROVIDER}/common/bin/util-temp-dir.sh"
kubectl="${KUBE_ROOT}/cluster/kubectl.sh"
function deploy_dns {
echo "Deploying DNS Addon" 1>&2
local workspace=$(pwd)
# Process salt pillar templates manually
sed -e "s/{{ pillar\['dns_replicas'\] }}/${DNS_REPLICAS}/g;s/{{ pillar\['dns_domain'\] }}/${DNS_DOMAIN}/g" "${KUBE_ROOT}/cluster/addons/dns/skydns-rc.yaml.in" > "${workspace}/skydns-rc.yaml"
sed -e "s/{{ pillar\['dns_server'\] }}/${DNS_SERVER_IP}/g" "${KUBE_ROOT}/cluster/addons/dns/skydns-svc.yaml.in" > "${workspace}/skydns-svc.yaml"
# Use kubectl to create skydns rc and service
"${kubectl}" create -f "${workspace}/skydns-rc.yaml"
"${kubectl}" create -f "${workspace}/skydns-svc.yaml"
}
function deploy_ui {
echo "Deploying UI Addon" 1>&2
# Use kubectl to create ui rc and service
"${kubectl}" create -f "${KUBE_ROOT}/cluster/addons/kube-ui/kube-ui-rc.yaml"
"${kubectl}" create -f "${KUBE_ROOT}/cluster/addons/kube-ui/kube-ui-svc.yaml"
}
bin="$(cd "$(dirname "${BASH_SOURCE}")" && pwd -P)"
# create the kube-system and static-pods namespaces
"${kubectl}" create -f "${KUBE_ROOT}/cluster/mesos/docker/kube-system-ns.yaml"
"${kubectl}" create -f "${KUBE_ROOT}/cluster/mesos/docker/static-pods-ns.yaml"
if [ "${ENABLE_CLUSTER_DNS}" == true ]; then
cluster::mesos::docker::run_in_temp_dir 'k8sm-dns' 'deploy_dns'
if [ "${ENABLE_CLUSTER_DNS}" == "true" ]; then
echo "Deploying DNS Addon" 1>&2
#TODO: curling to get a script to make a tempdir is a bit overkill...
curl -o- https://raw.githubusercontent.com/karlkfi/intemp/v1.0.0/intemp.sh | bash -s -- -t 'kube-dns' "${bin}/deploy-dns.sh"
fi
if [ "${ENABLE_CLUSTER_UI}" == true ]; then
deploy_ui
if [ "${ENABLE_CLUSTER_UI}" == "true" ]; then
echo "Deploying UI Addon" 1>&2
"${bin}/deploy-ui.sh"
fi

36
cluster/mesos/docker/deploy-dns.sh Executable file
View File

@ -0,0 +1,36 @@
#!/bin/bash
# Copyright 2016 The Kubernetes Authors All rights reserved.
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
# Deploy the Kube-DNS addon
set -o errexit
set -o nounset
set -o pipefail
set -o errtrace
KUBE_ROOT=$(cd "$(dirname "${BASH_SOURCE}")/../../.." && pwd)
source "${KUBE_ROOT}/cluster/${KUBERNETES_PROVIDER}/${KUBE_CONFIG_FILE-"config-default.sh"}"
kubectl="${KUBE_ROOT}/cluster/kubectl.sh"
workspace=$(pwd)
# Process salt pillar templates manually
sed -e "s/{{ pillar\['dns_replicas'\] }}/${DNS_REPLICAS}/g;s/{{ pillar\['dns_domain'\] }}/${DNS_DOMAIN}/g" "${KUBE_ROOT}/cluster/addons/dns/skydns-rc.yaml.in" > "${workspace}/skydns-rc.yaml"
sed -e "s/{{ pillar\['dns_server'\] }}/${DNS_SERVER_IP}/g" "${KUBE_ROOT}/cluster/addons/dns/skydns-svc.yaml.in" > "${workspace}/skydns-svc.yaml"
# Use kubectl to create skydns rc and service
"${kubectl}" create -f "${workspace}/skydns-rc.yaml"
"${kubectl}" create -f "${workspace}/skydns-svc.yaml"

17
cluster/mesos/docker/keygen/bin/kube-cagen.sh → cluster/mesos/docker/deploy-ui.sh
View File

@ -1,6 +1,6 @@
#!/bin/bash
# Copyright 2015 The Kubernetes Authors All rights reserved.
# Copyright 2016 The Kubernetes Authors All rights reserved.
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
@ -14,19 +14,16 @@
# See the License for the specific language governing permissions and
# limitations under the License.
# Generates root certificate authority crt and key.
# Writes to <out_dir> (use docker volume or docker export to retrieve files).
# Params:
# out_dir - dir to write crt and key to
# Deploy the Kube-UI addon
set -o errexit
set -o nounset
set -o pipefail
set -o errtrace
source "util-ssl.sh"
KUBE_ROOT=$(cd "$(dirname "${BASH_SOURCE}")/../../.." && pwd)
source "${KUBE_ROOT}/cluster/${KUBERNETES_PROVIDER}/${KUBE_CONFIG_FILE-"config-default.sh"}"
kubectl="${KUBE_ROOT}/cluster/kubectl.sh"
out_dir="${1:-}"
[ -z "${out_dir}" ] && echo "No out_dir supplied (param 1)" && exit 1
cluster::mesos::docker::create_root_certificate_authority "${out_dir}"
"${kubectl}" create -f "${KUBE_ROOT}/cluster/addons/kube-ui/kube-ui-rc.yaml"
"${kubectl}" create -f "${KUBE_ROOT}/cluster/addons/kube-ui/kube-ui-svc.yaml"

18
cluster/mesos/docker/docker-compose.yml
View File

@ -67,13 +67,13 @@ apiserver:
- /bin/bash
- "-ceu"
- >
echo "Hostname: $$(hostname -f) ($$(hostname -f | xargs resolveip))" &&
echo "Hostname: $$(hostname -f) ($$(hostname -f | xargs resolveip.sh))" &&
(grep "mesos-master\s*=" /opt/mesos-cloud.conf || echo " mesos-master = mesosmaster1:5050" >> /opt/mesos-cloud.conf) &&
await-health-check "-t=${MESOS_DOCKER_ETCD_TIMEOUT}" http://etcd:4001/health &&
await-health-check "-t=${MESOS_DOCKER_MESOS_TIMEOUT}" http://mesosmaster1:5050/health &&
await-file "-t=${KUBE_KEYGEN_TIMEOUT}" /var/run/kubernetes/auth/apiserver.crt &&
km apiserver
--address=$$(resolveip apiserver)
--address=$$(resolveip.sh apiserver)
--external-hostname=apiserver
--etcd-servers=http://etcd:4001
--port=8888
@ -104,12 +104,12 @@ controller:
- /bin/bash
- "-ceu"
- >
echo "Hostname: $$(hostname -f) ($$(hostname -f | xargs resolveip))" &&
echo "Hostname: $$(hostname -f) ($$(hostname -f | xargs resolveip.sh))" &&
(grep "mesos-master\s*=" /opt/mesos-cloud.conf || echo " mesos-master = mesosmaster1:5050" >> /opt/mesos-cloud.conf) &&
await-health-check "-t=${MESOS_DOCKER_MESOS_TIMEOUT}" http://mesosmaster1:5050/health &&
await-health-check "-t=${MESOS_DOCKER_API_TIMEOUT}" http://apiserver:8888/healthz &&
km controller-manager
--address=$$(resolveip controller)
--address=$$(resolveip.sh controller)
--master=http://apiserver:8888
--cloud-config=/opt/mesos-cloud.conf
--service-account-private-key-file=/var/run/kubernetes/auth/service-accounts.key
@ -127,13 +127,13 @@ scheduler:
- /bin/bash
- "-ceu"
- >
echo "Hostname: $$(hostname -f) ($$(hostname -f | xargs resolveip))" &&
echo "Hostname: $$(hostname -f) ($$(hostname -f | xargs resolveip.sh))" &&
(grep "mesos-master\s*=" /opt/mesos-cloud.conf || echo " mesos-master = mesosmaster1:5050" >> /opt/mesos-cloud.conf) &&
await-health-check "-t=${MESOS_DOCKER_ETCD_TIMEOUT}" http://etcd:4001/health &&
await-health-check "-t=${MESOS_DOCKER_MESOS_TIMEOUT}" http://mesosmaster1:5050/health &&
await-health-check "-t=${MESOS_DOCKER_API_TIMEOUT}" http://apiserver:8888/healthz &&
km scheduler
--address=$$(resolveip scheduler)
--address=$$(resolveip.sh scheduler)
--hostname-override=scheduler
--etcd-servers=http://etcd:4001
--mesos-user=root
@ -157,10 +157,12 @@ scheduler:
volumes:
- ./static-pod.json:/opt/static-pods/static-pod.json
keygen:
image: mesosphere/kubernetes-mesos-keygen
image: mesosphere/kubernetes-keygen:v1.0.0
command:
- apiserver
- certgen
- /var/run/kubernetes/auth
- /var/run/kubernetes/auth
- apiserver
volumes:
- ${MESOS_DOCKER_WORK_DIR}/auth:/var/run/kubernetes/auth
links:

18
cluster/mesos/docker/keygen/Dockerfile
View File

@ -1,18 +0,0 @@
FROM ubuntu:14.04.3
MAINTAINER Mesosphere <support@mesosphere.io>
RUN locale-gen en_US.UTF-8
RUN dpkg-reconfigure locales
ENV LANG en_US.UTF-8
ENV LC_ALL en_US.UTF-8
RUN apt-get update -qq && \
DEBIAN_FRONTEND=noninteractive apt-get install --no-install-recommends -qqy \
curl \
openssl \
&& \
apt-get clean
COPY ./bin/* /usr/local/bin/
ENTRYPOINT ["kube-keygen.sh"]

45
cluster/mesos/docker/keygen/bin/kube-keygen.sh
View File

@ -1,45 +0,0 @@
#!/bin/bash
# Copyright 2015 The Kubernetes Authors All rights reserved.
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
# Generates apiserver crt and key.
# Requires provided hostname to be resolvable (use docker link).
# Requires root certificate in <in_dir> (use docker volume).
# Writes to <out_dir> (use docker volume or docker export to retrieve files).
# Params:
# hostname - host name of the Kubernetes API Server to resolve into an IP
# in_dir - dir to read root certificate from
# out_dir - (Optional) dir to write crt and key to (default=<in_dir>)
set -o errexit
set -o nounset
set -o pipefail
set -o errtrace
source "util-ssl.sh"
hostname="${1:-}"
[ -z "${hostname}" ] && echo "No hostname supplied (param 1)" && exit 1
in_dir="${2:-}"
[ -z "${in_dir}" ] && echo "No in_dir supplied (param 2)" && exit 1
out_dir="${3:-${in_dir}}"
# Certificate generation depends on IP being resolvable from the provided hostname.
apiserver_ip="$(resolveip ${hostname})"
apiservice_ip="10.10.10.1" #TODO(karlkfi): extract config
cluster::mesos::docker::create_apiserver_cert "${in_dir}" "${out_dir}" "${apiserver_ip}" "${apiservice_ip}"

54
cluster/mesos/docker/keygen/build.sh
View File

@ -1,54 +0,0 @@
#!/bin/bash
# Copyright 2015 The Kubernetes Authors All rights reserved.
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
# Builds a docker image that generates ssl certificates/keys/tokens required by kubernetes
set -o errexit
set -o nounset
set -o pipefail
IMAGE_REPO=${IMAGE_REPO:-mesosphere/kubernetes-mesos-keygen}
IMAGE_TAG=${IMAGE_TAG:-latest}
script_dir=$(cd $(dirname "${BASH_SOURCE}") && pwd -P)
common_bin_path=$(cd ${script_dir}/../common/bin && pwd -P)
KUBE_ROOT=$(cd ${script_dir}/../../../.. && pwd -P)
source "${common_bin_path}/util-temp-dir.sh"
cd "${KUBE_ROOT}"
function build_image {
local -r workspace="$(pwd)"
echo "Copying files to workspace"
# binaries & scripts
mkdir -p "${workspace}/bin"
cp -a "${common_bin_path}/"* "${workspace}/bin/"
cp -a "${script_dir}/bin/"* "${workspace}/bin/"
# docker
cp -a "${script_dir}/Dockerfile" "${workspace}/"
echo "Building docker image ${IMAGE_REPO}:${IMAGE_TAG}"
set -o xtrace
docker build -t ${IMAGE_REPO}:${IMAGE_TAG} "$@" .
set +o xtrace
echo "Built docker image ${IMAGE_REPO}:${IMAGE_TAG}"
}
cluster::mesos::docker::run_in_temp_dir 'k8sm-keygen' 'build_image'

3
cluster/mesos/docker/km/Dockerfile
View File

@ -8,10 +8,13 @@ ENV LC_ALL en_US.UTF-8
RUN apt-get update -qq && \
DEBIAN_FRONTEND=noninteractive apt-get install --no-install-recommends -qqy \
ca-certificates \
wget \
curl \
&& \
apt-get clean
RUN curl -o- https://raw.githubusercontent.com/karlkfi/resolveip/v1.0.2/install.sh | bash
COPY ./bin/* /usr/local/bin/
COPY ./opt/* /opt/

74
cluster/mesos/docker/util.sh
View File

@ -30,7 +30,6 @@ provider_root="${KUBE_ROOT}/cluster/${KUBERNETES_PROVIDER}"
source "${provider_root}/${KUBE_CONFIG_FILE-"config-default.sh"}"
source "${KUBE_ROOT}/cluster/common.sh"
source "${provider_root}/common/bin/util-ssl.sh"
# Execute a docker-compose command with the default environment and compose file.
function cluster::mesos::docker::docker_compose {
@ -129,8 +128,8 @@ function cluster::mesos::docker::run_in_docker_cagen {
docker run \
-d \
-v "${out_dir}:/var/run/kubernetes/auth" \
--entrypoint="kube-cagen.sh" \
mesosphere/kubernetes-mesos-keygen \
mesosphere/kubernetes-keygen:v1.0.0 \
"cagen" \
"/var/run/kubernetes/auth"
)
@ -150,6 +149,37 @@ function cluster::mesos::docker::run_in_docker_cagen {
return "${exit_status}"
}
# Run kube-keygen.sh inside docker.
function cluster::mesos::docker::run_in_docker_keygen {
local out_file_path="$1"
local out_dir="$(dirname "${out_file_path}")"
local out_file="$(basename "${out_file_path}")"
container_id=$(
docker run \
-d \
-v "${out_dir}:/var/run/kubernetes/auth" \
mesosphere/kubernetes-keygen:v1.0.0 \
"keygen" \
"/var/run/kubernetes/auth/${out_file}"
)
docker logs -f "${container_id}" &
# trap and kill for better signal handing
trap 'echo "Killing container ${container_id}" 1>&2 && docker kill ${container_id}' INT TERM
exit_status=$(docker wait "${container_id}")
trap - INT TERM
if [ "$exit_status" != 0 ]; then
echo "Exited ${exit_status}" 1>&2
fi
docker rm -f "${container_id}" > /dev/null
return "${exit_status}"
}
# Generate kubeconfig data for the created cluster.
function create-kubeconfig {
local -r auth_dir="${MESOS_DOCKER_WORK_DIR}/auth"
@ -238,10 +268,13 @@ function cluster::mesos::docker::init_auth {
rm -rf "${auth_dir}"/*
echo "Creating Certificate Authority" 1>&2
cluster::mesos::docker::run_in_docker_cagen "${auth_dir}"
cluster::mesos::docker::buffer_output cluster::mesos::docker::run_in_docker_cagen "${auth_dir}"
echo "Certificate Authority Key: ${auth_dir}/root-ca.key" 1>&2
echo "Certificate Authority Cert: ${auth_dir}/root-ca.crt" 1>&2
echo "Creating Service-Account RSA Key" 1>&2
cluster::mesos::docker::create_rsa_key "${auth_dir}/service-accounts.key"
echo "Creating Service Account RSA Key" 1>&2
cluster::mesos::docker::buffer_output cluster::mesos::docker::run_in_docker_keygen "${auth_dir}/service-accounts.key"
echo "Service Account Key: ${auth_dir}/service-accounts.key" 1>&2
echo "Creating User Accounts" 1>&2
cluster::mesos::docker::create_token_user "cluster-admin" > "${auth_dir}/token-users"
@ -272,7 +305,6 @@ function kube-up {
# TODO: version images (k8s version, git sha, and dirty state) to avoid re-building them every time.
"${provider_root}/km/build.sh"
"${provider_root}/test/build.sh"
"${provider_root}/keygen/build.sh"
fi
cluster::mesos::docker::init_auth
@ -390,3 +422,31 @@ function cluster::mesos::docker::dump_logs {
docker logs "${name}" &> "${out_dir}/${name}.log"
done < <(cluster::mesos::docker::docker_compose ps -q | xargs docker inspect --format '{{.Name}}')
}
# Creates a k8s token auth user file.
# See /docs/admin/authentication.md
function cluster::mesos::docker::create_token_user {
local user_name="$1"
echo "$(openssl rand -hex 32),${user_name},${user_name}"
}
# Creates a k8s basic auth user file.
# See /docs/admin/authentication.md
function cluster::mesos::docker::create_basic_user {
local user_name="$1"
local password="$2"
echo "${password},${user_name},${user_name}"
}
# Buffers command output to memory, prints on failure.
function cluster::mesos::docker::buffer_output {
local cmd="$@"
# buffer output until failure
local output=$((${cmd} || exit $?) 2>&1)
local exit_status="$?"
if [ "${exit_status}" != 0 ]; then
echo "${output}" 1>&2
return "${exit_status}"
fi
}