From 1938414706a57c9b2f95cf20511f2e7f2f9802b2 Mon Sep 17 00:00:00 2001 From: Karl Isenberg Date: Sun, 3 Jan 2016 09:40:40 -0800 Subject: [PATCH] Extract kubernetes-keygen to its own repo: mesosphere/kubernetes-keygen - Move keygen image mesosphere/kubernetes-mesos-keygen -> mesosphere/kubernetes-keygen:v1.0.0 - Remove resolveip in favor of github.com/karlkfi/resolveip (resolveip.sh) - Remove util-temp-dir.sh in favor of github.com/karlkfi/intemp (intemp.sh) - Refactor bash code to use intemp (extract functions to scripts) - Remove util-ssl.sh in favor of mesosphere/kubernetes-keygen --- cluster/mesos/docker/common/bin/resolveip | 29 --- cluster/mesos/docker/common/bin/util-ssl.sh | 169 ------------------ .../mesos/docker/common/bin/util-temp-dir.sh | 47 ----- cluster/mesos/docker/deploy-addons.sh | 35 +--- cluster/mesos/docker/deploy-dns.sh | 36 ++++ .../bin/kube-cagen.sh => deploy-ui.sh} | 17 +- cluster/mesos/docker/docker-compose.yml | 18 +- cluster/mesos/docker/keygen/Dockerfile | 18 -- .../mesos/docker/keygen/bin/kube-keygen.sh | 45 ----- cluster/mesos/docker/keygen/build.sh | 54 ------ cluster/mesos/docker/km/Dockerfile | 3 + cluster/mesos/docker/util.sh | 74 +++++++- 12 files changed, 131 insertions(+), 414 deletions(-) delete mode 100755 cluster/mesos/docker/common/bin/resolveip delete mode 100644 cluster/mesos/docker/common/bin/util-ssl.sh delete mode 100644 cluster/mesos/docker/common/bin/util-temp-dir.sh create mode 100755 cluster/mesos/docker/deploy-dns.sh rename cluster/mesos/docker/{keygen/bin/kube-cagen.sh => deploy-ui.sh} (58%) delete mode 100644 cluster/mesos/docker/keygen/Dockerfile delete mode 100755 cluster/mesos/docker/keygen/bin/kube-keygen.sh delete mode 100755 cluster/mesos/docker/keygen/build.sh diff --git a/cluster/mesos/docker/common/bin/resolveip b/cluster/mesos/docker/common/bin/resolveip deleted file mode 100755 index 334884c1285..00000000000 --- a/cluster/mesos/docker/common/bin/resolveip +++ /dev/null @@ -1,29 +0,0 @@ -#!/usr/bin/env bash - -# Copyright 2015 The Kubernetes Authors All rights reserved. -# -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. - -# Resolve an IP from a hostname (using getent) -# Usage: resolveip -# Requires: getent -# TODO: Mac support - -set -o errexit -set -o nounset -set -o pipefail - -hostname=$1 -[ -z "${hostname}" ] && echo "No hostname supplied" && exit 1 - -getent hosts "${hostname}" | cut -d' ' -f1 | sort -u | tail -1 diff --git a/cluster/mesos/docker/common/bin/util-ssl.sh b/cluster/mesos/docker/common/bin/util-ssl.sh deleted file mode 100644 index 5caa56c8c85..00000000000 --- a/cluster/mesos/docker/common/bin/util-ssl.sh +++ /dev/null @@ -1,169 +0,0 @@ -#!/bin/bash - -# Copyright 2015 The Kubernetes Authors All rights reserved. -# -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. - -# Sourcable SSL functions - -set -o errexit -set -o nounset -set -o pipefail -set -o errtrace - -bin="$(cd "$(dirname "${BASH_SOURCE}")" && pwd -P)" -source "${bin}/util-temp-dir.sh" - -function cluster::mesos::docker::find_openssl_config { - for candidate in "/etc/ssl/openssl.cnf" "/System/Library/OpenSSL/openssl.cnf"; do - if [ -f "${candidate}" ]; then - echo "${candidate}" - return 0 - fi - done - echo "ERROR: cannot find openssl.cnf" 1>&2 - return 1 -} - -function cluster::mesos::docker::create_root_certificate_authority { - local out_dir="$1" - - # TODO(karlkfi): extract config - local subject="/C=GB/ST=London/L=London/O=example/OU=IT/CN=example.com" - - echo "Creating private key" 1>&2 - openssl genrsa -out "${out_dir}/root-ca.key" 2048 - - echo "Creating certificate sign request" 1>&2 - openssl req -nodes -new -utf8 \ - -key "${out_dir}/root-ca.key" \ - -out "${out_dir}/root-ca.csr" \ - -subj "${subject}" - - echo "Signing new certificate with private key" 1>&2 - openssl x509 -req -days 3650 \ - -in "${out_dir}/root-ca.csr" \ - -out "${out_dir}/root-ca.crt" \ - -signkey "${out_dir}/root-ca.key" - - echo "Key: ${out_dir}/root-ca.key" 1>&2 - echo "Cert: ${out_dir}/root-ca.crt" 1>&2 -} - -# Creates an apiserver key and certificate with the given IPs & kubernetes.* domain names. -# Uses the current dir for scratch work. -function cluster::mesos::docker::create_apiserver_cert_inner { - local in_dir="$1" - local out_dir="$2" - local apiserver_ip="$3" - local service_ip="$4" - local workspace="$(pwd)" - - if [ ! -f "${in_dir}/root-ca.key" ]; then - echo "Signing key not found: ${in_dir}/root-ca.key" - return 1 - fi - if [ ! -f "${in_dir}/root-ca.crt" ]; then - echo "Root certificate not found: ${in_dir}/root-ca.key" - return 1 - fi - - mkdir -p "${out_dir}" - - local openssl_cnf=$(cluster::mesos::docker::find_openssl_config) - - # TODO(karlkfi): extract config - local subject="/C=GB/ST=London/L=London/O=example/OU=IT/CN=example.com" - local cluster_domain="cluster.local" - local service_name="kubernetes" - local service_namespace="default" - local subject_alt_name="IP:${apiserver_ip},IP:${service_ip},DNS:${service_name},DNS:${service_name}.${service_namespace},DNS:${service_name}.${service_namespace}.svc,DNS:${service_name}.${service_namespace}.svc.${cluster_domain}" - - echo "Creating private key" 1>&2 - openssl genrsa -out "${workspace}/apiserver.key" 2048 - - echo "Creating certificate sign request" 1>&2 - openssl req -nodes -new -utf8 \ - -key "${workspace}/apiserver.key" \ - -out "${workspace}/apiserver.csr" \ - -reqexts SAN \ - -config <(cat "${openssl_cnf}"; echo -e "[SAN]\nsubjectAltName=${subject_alt_name}") \ - -subj "${subject}" - - echo "Validating certificate sign request" 1>&2 - openssl req -text -noout -in "${workspace}/apiserver.csr" | grep -q "${service_name}.${service_namespace}.svc.${cluster_domain}" - - echo "Signing new certificate with root certificate authority key" 1>&2 - mkdir -p "${workspace}/demoCA/newcerts" - touch "${workspace}/demoCA/index.txt" - echo 1000 > "${workspace}/demoCA/serial" - openssl ca -batch \ - -days 3650 \ - -in "${workspace}/apiserver.csr" \ - -cert "${in_dir}/root-ca.crt" \ - -keyfile "${in_dir}/root-ca.key" \ - -config <(sed 's/.*\(copy_extensions = copy\)/\1/' ${openssl_cnf}) - - echo "Validating signed certificate" 1>&2 - openssl x509 -in "${workspace}/demoCA/newcerts/1000.pem" -text -noout | grep -q "${service_name}.${service_namespace}.svc.${cluster_domain}" - - echo "Key: ${out_dir}/apiserver.key" 1>&2 - cp "${workspace}/apiserver.key" "${out_dir}/apiserver.key" - - echo "Cert: ${out_dir}/apiserver.crt" 1>&2 - cp "${workspace}/demoCA/newcerts/1000.pem" "${out_dir}/apiserver.crt" -} - -# Creates an apiserver key and certificate with the given IPs & kubernetes.* domain names. -function cluster::mesos::docker::create_apiserver_cert { - local in_dir="$1" # must contain root-ca.crt & root-ca.key - local out_dir="$2" - local apiserver_ip="$3" - local service_ip="$4" - - cluster::mesos::docker::run_in_temp_dir "k8sm-certs" \ - "cluster::mesos::docker::create_apiserver_cert_inner" \ - "${in_dir}" "${out_dir}" "${apiserver_ip}" "${service_ip}" -} - -# Creates an rsa key (for signing service accounts). -function cluster::mesos::docker::create_rsa_key { - local key_file_path="$1" - - # buffer output until failure - local output=$(( - openssl genrsa -out "${key_file_path}" 2048 || exit $? - ) 2>&1) - local exit_status="$?" - if [ "${exit_status}" != 0 ]; then - echo "${output}" 1>&2 - return "${exit_status}" - fi - - echo "Key: ${key_file_path}" 1>&2 -} - -# Creates a k8s token auth user file. -# See /docs/admin/authentication.md -function cluster::mesos::docker::create_token_user { - local user_name="$1" - echo "$(openssl rand -hex 32),${user_name},${user_name}" -} - -# Creates a k8s basic auth user file. -# See /docs/admin/authentication.md -function cluster::mesos::docker::create_basic_user { - local user_name="$1" - local password="$2" - echo "${password},${user_name},${user_name}" -} diff --git a/cluster/mesos/docker/common/bin/util-temp-dir.sh b/cluster/mesos/docker/common/bin/util-temp-dir.sh deleted file mode 100644 index d44d4e2ae33..00000000000 --- a/cluster/mesos/docker/common/bin/util-temp-dir.sh +++ /dev/null @@ -1,47 +0,0 @@ -#!/bin/bash - -# Copyright 2015 The Kubernetes Authors All rights reserved. -# -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. - -# Sourcable temp directory functions - -set -o errexit -set -o nounset -set -o pipefail -set -o errtrace - -# Runs the supplied command string in a temporary workspace directory. -function cluster::mesos::docker::run_in_temp_dir { - prefix="$1" - shift - cmd="$@" - - # create temp WORKSPACE dir in current dir to avoid permission issues of TMPDIR on mac os x - local -r workspace=$(env TMPDIR=$(pwd) mktemp -d -t "${prefix}-XXXXXX") - echo "Workspace created: ${workspace}" 1>&2 - - cleanup() { - local -r workspace="$1" - rm -rf "${workspace}" - echo "Workspace deleted: ${workspace}" 1>&2 - } - trap "cleanup '${workspace}'" EXIT - - pushd "${workspace}" > /dev/null - ${cmd} - popd > /dev/null - - trap - EXIT - cleanup "${workspace}" -} diff --git a/cluster/mesos/docker/deploy-addons.sh b/cluster/mesos/docker/deploy-addons.sh index 81572346eef..314d5c44b7e 100755 --- a/cluster/mesos/docker/deploy-addons.sh +++ b/cluster/mesos/docker/deploy-addons.sh @@ -27,39 +27,20 @@ set -o errtrace KUBE_ROOT=$(cd "$(dirname "${BASH_SOURCE}")/../../.." && pwd) source "${KUBE_ROOT}/cluster/${KUBERNETES_PROVIDER}/${KUBE_CONFIG_FILE-"config-default.sh"}" -source "${KUBE_ROOT}/cluster/${KUBERNETES_PROVIDER}/common/bin/util-temp-dir.sh" kubectl="${KUBE_ROOT}/cluster/kubectl.sh" - - -function deploy_dns { - echo "Deploying DNS Addon" 1>&2 - local workspace=$(pwd) - - # Process salt pillar templates manually - sed -e "s/{{ pillar\['dns_replicas'\] }}/${DNS_REPLICAS}/g;s/{{ pillar\['dns_domain'\] }}/${DNS_DOMAIN}/g" "${KUBE_ROOT}/cluster/addons/dns/skydns-rc.yaml.in" > "${workspace}/skydns-rc.yaml" - sed -e "s/{{ pillar\['dns_server'\] }}/${DNS_SERVER_IP}/g" "${KUBE_ROOT}/cluster/addons/dns/skydns-svc.yaml.in" > "${workspace}/skydns-svc.yaml" - - # Use kubectl to create skydns rc and service - "${kubectl}" create -f "${workspace}/skydns-rc.yaml" - "${kubectl}" create -f "${workspace}/skydns-svc.yaml" -} - -function deploy_ui { - echo "Deploying UI Addon" 1>&2 - - # Use kubectl to create ui rc and service - "${kubectl}" create -f "${KUBE_ROOT}/cluster/addons/kube-ui/kube-ui-rc.yaml" - "${kubectl}" create -f "${KUBE_ROOT}/cluster/addons/kube-ui/kube-ui-svc.yaml" -} +bin="$(cd "$(dirname "${BASH_SOURCE}")" && pwd -P)" # create the kube-system and static-pods namespaces "${kubectl}" create -f "${KUBE_ROOT}/cluster/mesos/docker/kube-system-ns.yaml" "${kubectl}" create -f "${KUBE_ROOT}/cluster/mesos/docker/static-pods-ns.yaml" -if [ "${ENABLE_CLUSTER_DNS}" == true ]; then - cluster::mesos::docker::run_in_temp_dir 'k8sm-dns' 'deploy_dns' +if [ "${ENABLE_CLUSTER_DNS}" == "true" ]; then + echo "Deploying DNS Addon" 1>&2 + #TODO: curling to get a script to make a tempdir is a bit overkill... + curl -o- https://raw.githubusercontent.com/karlkfi/intemp/v1.0.0/intemp.sh | bash -s -- -t 'kube-dns' "${bin}/deploy-dns.sh" fi -if [ "${ENABLE_CLUSTER_UI}" == true ]; then - deploy_ui +if [ "${ENABLE_CLUSTER_UI}" == "true" ]; then + echo "Deploying UI Addon" 1>&2 + "${bin}/deploy-ui.sh" fi diff --git a/cluster/mesos/docker/deploy-dns.sh b/cluster/mesos/docker/deploy-dns.sh new file mode 100755 index 00000000000..1f623ec5c3f --- /dev/null +++ b/cluster/mesos/docker/deploy-dns.sh @@ -0,0 +1,36 @@ +#!/bin/bash + +# Copyright 2016 The Kubernetes Authors All rights reserved. +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +# Deploy the Kube-DNS addon + +set -o errexit +set -o nounset +set -o pipefail +set -o errtrace + +KUBE_ROOT=$(cd "$(dirname "${BASH_SOURCE}")/../../.." && pwd) +source "${KUBE_ROOT}/cluster/${KUBERNETES_PROVIDER}/${KUBE_CONFIG_FILE-"config-default.sh"}" +kubectl="${KUBE_ROOT}/cluster/kubectl.sh" + +workspace=$(pwd) + +# Process salt pillar templates manually +sed -e "s/{{ pillar\['dns_replicas'\] }}/${DNS_REPLICAS}/g;s/{{ pillar\['dns_domain'\] }}/${DNS_DOMAIN}/g" "${KUBE_ROOT}/cluster/addons/dns/skydns-rc.yaml.in" > "${workspace}/skydns-rc.yaml" +sed -e "s/{{ pillar\['dns_server'\] }}/${DNS_SERVER_IP}/g" "${KUBE_ROOT}/cluster/addons/dns/skydns-svc.yaml.in" > "${workspace}/skydns-svc.yaml" + +# Use kubectl to create skydns rc and service +"${kubectl}" create -f "${workspace}/skydns-rc.yaml" +"${kubectl}" create -f "${workspace}/skydns-svc.yaml" diff --git a/cluster/mesos/docker/keygen/bin/kube-cagen.sh b/cluster/mesos/docker/deploy-ui.sh similarity index 58% rename from cluster/mesos/docker/keygen/bin/kube-cagen.sh rename to cluster/mesos/docker/deploy-ui.sh index a68ad432761..b117a49b7d0 100755 --- a/cluster/mesos/docker/keygen/bin/kube-cagen.sh +++ b/cluster/mesos/docker/deploy-ui.sh @@ -1,6 +1,6 @@ #!/bin/bash -# Copyright 2015 The Kubernetes Authors All rights reserved. +# Copyright 2016 The Kubernetes Authors All rights reserved. # # Licensed under the Apache License, Version 2.0 (the "License"); # you may not use this file except in compliance with the License. @@ -14,19 +14,16 @@ # See the License for the specific language governing permissions and # limitations under the License. -# Generates root certificate authority crt and key. -# Writes to (use docker volume or docker export to retrieve files). -# Params: -# out_dir - dir to write crt and key to +# Deploy the Kube-UI addon set -o errexit set -o nounset set -o pipefail set -o errtrace -source "util-ssl.sh" +KUBE_ROOT=$(cd "$(dirname "${BASH_SOURCE}")/../../.." && pwd) +source "${KUBE_ROOT}/cluster/${KUBERNETES_PROVIDER}/${KUBE_CONFIG_FILE-"config-default.sh"}" +kubectl="${KUBE_ROOT}/cluster/kubectl.sh" -out_dir="${1:-}" -[ -z "${out_dir}" ] && echo "No out_dir supplied (param 1)" && exit 1 - -cluster::mesos::docker::create_root_certificate_authority "${out_dir}" +"${kubectl}" create -f "${KUBE_ROOT}/cluster/addons/kube-ui/kube-ui-rc.yaml" +"${kubectl}" create -f "${KUBE_ROOT}/cluster/addons/kube-ui/kube-ui-svc.yaml" diff --git a/cluster/mesos/docker/docker-compose.yml b/cluster/mesos/docker/docker-compose.yml index f337c8b0233..072aed889e2 100644 --- a/cluster/mesos/docker/docker-compose.yml +++ b/cluster/mesos/docker/docker-compose.yml @@ -67,13 +67,13 @@ apiserver: - /bin/bash - "-ceu" - > - echo "Hostname: $$(hostname -f) ($$(hostname -f | xargs resolveip))" && + echo "Hostname: $$(hostname -f) ($$(hostname -f | xargs resolveip.sh))" && (grep "mesos-master\s*=" /opt/mesos-cloud.conf || echo " mesos-master = mesosmaster1:5050" >> /opt/mesos-cloud.conf) && await-health-check "-t=${MESOS_DOCKER_ETCD_TIMEOUT}" http://etcd:4001/health && await-health-check "-t=${MESOS_DOCKER_MESOS_TIMEOUT}" http://mesosmaster1:5050/health && await-file "-t=${KUBE_KEYGEN_TIMEOUT}" /var/run/kubernetes/auth/apiserver.crt && km apiserver - --address=$$(resolveip apiserver) + --address=$$(resolveip.sh apiserver) --external-hostname=apiserver --etcd-servers=http://etcd:4001 --port=8888 @@ -104,12 +104,12 @@ controller: - /bin/bash - "-ceu" - > - echo "Hostname: $$(hostname -f) ($$(hostname -f | xargs resolveip))" && + echo "Hostname: $$(hostname -f) ($$(hostname -f | xargs resolveip.sh))" && (grep "mesos-master\s*=" /opt/mesos-cloud.conf || echo " mesos-master = mesosmaster1:5050" >> /opt/mesos-cloud.conf) && await-health-check "-t=${MESOS_DOCKER_MESOS_TIMEOUT}" http://mesosmaster1:5050/health && await-health-check "-t=${MESOS_DOCKER_API_TIMEOUT}" http://apiserver:8888/healthz && km controller-manager - --address=$$(resolveip controller) + --address=$$(resolveip.sh controller) --master=http://apiserver:8888 --cloud-config=/opt/mesos-cloud.conf --service-account-private-key-file=/var/run/kubernetes/auth/service-accounts.key @@ -127,13 +127,13 @@ scheduler: - /bin/bash - "-ceu" - > - echo "Hostname: $$(hostname -f) ($$(hostname -f | xargs resolveip))" && + echo "Hostname: $$(hostname -f) ($$(hostname -f | xargs resolveip.sh))" && (grep "mesos-master\s*=" /opt/mesos-cloud.conf || echo " mesos-master = mesosmaster1:5050" >> /opt/mesos-cloud.conf) && await-health-check "-t=${MESOS_DOCKER_ETCD_TIMEOUT}" http://etcd:4001/health && await-health-check "-t=${MESOS_DOCKER_MESOS_TIMEOUT}" http://mesosmaster1:5050/health && await-health-check "-t=${MESOS_DOCKER_API_TIMEOUT}" http://apiserver:8888/healthz && km scheduler - --address=$$(resolveip scheduler) + --address=$$(resolveip.sh scheduler) --hostname-override=scheduler --etcd-servers=http://etcd:4001 --mesos-user=root @@ -157,10 +157,12 @@ scheduler: volumes: - ./static-pod.json:/opt/static-pods/static-pod.json keygen: - image: mesosphere/kubernetes-mesos-keygen + image: mesosphere/kubernetes-keygen:v1.0.0 command: - - apiserver + - certgen - /var/run/kubernetes/auth + - /var/run/kubernetes/auth + - apiserver volumes: - ${MESOS_DOCKER_WORK_DIR}/auth:/var/run/kubernetes/auth links: diff --git a/cluster/mesos/docker/keygen/Dockerfile b/cluster/mesos/docker/keygen/Dockerfile deleted file mode 100644 index 2b332935878..00000000000 --- a/cluster/mesos/docker/keygen/Dockerfile +++ /dev/null @@ -1,18 +0,0 @@ -FROM ubuntu:14.04.3 -MAINTAINER Mesosphere - -RUN locale-gen en_US.UTF-8 -RUN dpkg-reconfigure locales -ENV LANG en_US.UTF-8 -ENV LC_ALL en_US.UTF-8 - -RUN apt-get update -qq && \ - DEBIAN_FRONTEND=noninteractive apt-get install --no-install-recommends -qqy \ - curl \ - openssl \ - && \ - apt-get clean - -COPY ./bin/* /usr/local/bin/ - -ENTRYPOINT ["kube-keygen.sh"] diff --git a/cluster/mesos/docker/keygen/bin/kube-keygen.sh b/cluster/mesos/docker/keygen/bin/kube-keygen.sh deleted file mode 100755 index b990950bc18..00000000000 --- a/cluster/mesos/docker/keygen/bin/kube-keygen.sh +++ /dev/null @@ -1,45 +0,0 @@ -#!/bin/bash - -# Copyright 2015 The Kubernetes Authors All rights reserved. -# -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. - -# Generates apiserver crt and key. -# Requires provided hostname to be resolvable (use docker link). -# Requires root certificate in (use docker volume). -# Writes to (use docker volume or docker export to retrieve files). -# Params: -# hostname - host name of the Kubernetes API Server to resolve into an IP -# in_dir - dir to read root certificate from -# out_dir - (Optional) dir to write crt and key to (default=) - -set -o errexit -set -o nounset -set -o pipefail -set -o errtrace - -source "util-ssl.sh" - -hostname="${1:-}" -[ -z "${hostname}" ] && echo "No hostname supplied (param 1)" && exit 1 - -in_dir="${2:-}" -[ -z "${in_dir}" ] && echo "No in_dir supplied (param 2)" && exit 1 - -out_dir="${3:-${in_dir}}" - -# Certificate generation depends on IP being resolvable from the provided hostname. -apiserver_ip="$(resolveip ${hostname})" -apiservice_ip="10.10.10.1" #TODO(karlkfi): extract config - -cluster::mesos::docker::create_apiserver_cert "${in_dir}" "${out_dir}" "${apiserver_ip}" "${apiservice_ip}" diff --git a/cluster/mesos/docker/keygen/build.sh b/cluster/mesos/docker/keygen/build.sh deleted file mode 100755 index d753d539c60..00000000000 --- a/cluster/mesos/docker/keygen/build.sh +++ /dev/null @@ -1,54 +0,0 @@ -#!/bin/bash - -# Copyright 2015 The Kubernetes Authors All rights reserved. -# -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. - -# Builds a docker image that generates ssl certificates/keys/tokens required by kubernetes - -set -o errexit -set -o nounset -set -o pipefail - -IMAGE_REPO=${IMAGE_REPO:-mesosphere/kubernetes-mesos-keygen} -IMAGE_TAG=${IMAGE_TAG:-latest} - -script_dir=$(cd $(dirname "${BASH_SOURCE}") && pwd -P) -common_bin_path=$(cd ${script_dir}/../common/bin && pwd -P) -KUBE_ROOT=$(cd ${script_dir}/../../../.. && pwd -P) - -source "${common_bin_path}/util-temp-dir.sh" - -cd "${KUBE_ROOT}" - -function build_image { - local -r workspace="$(pwd)" - - echo "Copying files to workspace" - - # binaries & scripts - mkdir -p "${workspace}/bin" - cp -a "${common_bin_path}/"* "${workspace}/bin/" - cp -a "${script_dir}/bin/"* "${workspace}/bin/" - - # docker - cp -a "${script_dir}/Dockerfile" "${workspace}/" - - echo "Building docker image ${IMAGE_REPO}:${IMAGE_TAG}" - set -o xtrace - docker build -t ${IMAGE_REPO}:${IMAGE_TAG} "$@" . - set +o xtrace - echo "Built docker image ${IMAGE_REPO}:${IMAGE_TAG}" -} - -cluster::mesos::docker::run_in_temp_dir 'k8sm-keygen' 'build_image' diff --git a/cluster/mesos/docker/km/Dockerfile b/cluster/mesos/docker/km/Dockerfile index 857153c23a2..af475408d5e 100644 --- a/cluster/mesos/docker/km/Dockerfile +++ b/cluster/mesos/docker/km/Dockerfile @@ -8,10 +8,13 @@ ENV LC_ALL en_US.UTF-8 RUN apt-get update -qq && \ DEBIAN_FRONTEND=noninteractive apt-get install --no-install-recommends -qqy \ + ca-certificates \ wget \ curl \ && \ apt-get clean +RUN curl -o- https://raw.githubusercontent.com/karlkfi/resolveip/v1.0.2/install.sh | bash + COPY ./bin/* /usr/local/bin/ COPY ./opt/* /opt/ diff --git a/cluster/mesos/docker/util.sh b/cluster/mesos/docker/util.sh index f1fd2277a82..3470a397d5e 100644 --- a/cluster/mesos/docker/util.sh +++ b/cluster/mesos/docker/util.sh @@ -30,7 +30,6 @@ provider_root="${KUBE_ROOT}/cluster/${KUBERNETES_PROVIDER}" source "${provider_root}/${KUBE_CONFIG_FILE-"config-default.sh"}" source "${KUBE_ROOT}/cluster/common.sh" -source "${provider_root}/common/bin/util-ssl.sh" # Execute a docker-compose command with the default environment and compose file. function cluster::mesos::docker::docker_compose { @@ -129,8 +128,8 @@ function cluster::mesos::docker::run_in_docker_cagen { docker run \ -d \ -v "${out_dir}:/var/run/kubernetes/auth" \ - --entrypoint="kube-cagen.sh" \ - mesosphere/kubernetes-mesos-keygen \ + mesosphere/kubernetes-keygen:v1.0.0 \ + "cagen" \ "/var/run/kubernetes/auth" ) @@ -150,6 +149,37 @@ function cluster::mesos::docker::run_in_docker_cagen { return "${exit_status}" } +# Run kube-keygen.sh inside docker. +function cluster::mesos::docker::run_in_docker_keygen { + local out_file_path="$1" + local out_dir="$(dirname "${out_file_path}")" + local out_file="$(basename "${out_file_path}")" + + container_id=$( + docker run \ + -d \ + -v "${out_dir}:/var/run/kubernetes/auth" \ + mesosphere/kubernetes-keygen:v1.0.0 \ + "keygen" \ + "/var/run/kubernetes/auth/${out_file}" + ) + + docker logs -f "${container_id}" & + + # trap and kill for better signal handing + trap 'echo "Killing container ${container_id}" 1>&2 && docker kill ${container_id}' INT TERM + exit_status=$(docker wait "${container_id}") + trap - INT TERM + + if [ "$exit_status" != 0 ]; then + echo "Exited ${exit_status}" 1>&2 + fi + + docker rm -f "${container_id}" > /dev/null + + return "${exit_status}" +} + # Generate kubeconfig data for the created cluster. function create-kubeconfig { local -r auth_dir="${MESOS_DOCKER_WORK_DIR}/auth" @@ -238,10 +268,13 @@ function cluster::mesos::docker::init_auth { rm -rf "${auth_dir}"/* echo "Creating Certificate Authority" 1>&2 - cluster::mesos::docker::run_in_docker_cagen "${auth_dir}" + cluster::mesos::docker::buffer_output cluster::mesos::docker::run_in_docker_cagen "${auth_dir}" + echo "Certificate Authority Key: ${auth_dir}/root-ca.key" 1>&2 + echo "Certificate Authority Cert: ${auth_dir}/root-ca.crt" 1>&2 - echo "Creating Service-Account RSA Key" 1>&2 - cluster::mesos::docker::create_rsa_key "${auth_dir}/service-accounts.key" + echo "Creating Service Account RSA Key" 1>&2 + cluster::mesos::docker::buffer_output cluster::mesos::docker::run_in_docker_keygen "${auth_dir}/service-accounts.key" + echo "Service Account Key: ${auth_dir}/service-accounts.key" 1>&2 echo "Creating User Accounts" 1>&2 cluster::mesos::docker::create_token_user "cluster-admin" > "${auth_dir}/token-users" @@ -272,7 +305,6 @@ function kube-up { # TODO: version images (k8s version, git sha, and dirty state) to avoid re-building them every time. "${provider_root}/km/build.sh" "${provider_root}/test/build.sh" - "${provider_root}/keygen/build.sh" fi cluster::mesos::docker::init_auth @@ -390,3 +422,31 @@ function cluster::mesos::docker::dump_logs { docker logs "${name}" &> "${out_dir}/${name}.log" done < <(cluster::mesos::docker::docker_compose ps -q | xargs docker inspect --format '{{.Name}}') } + +# Creates a k8s token auth user file. +# See /docs/admin/authentication.md +function cluster::mesos::docker::create_token_user { + local user_name="$1" + echo "$(openssl rand -hex 32),${user_name},${user_name}" +} + +# Creates a k8s basic auth user file. +# See /docs/admin/authentication.md +function cluster::mesos::docker::create_basic_user { + local user_name="$1" + local password="$2" + echo "${password},${user_name},${user_name}" +} + +# Buffers command output to memory, prints on failure. +function cluster::mesos::docker::buffer_output { + local cmd="$@" + + # buffer output until failure + local output=$((${cmd} || exit $?) 2>&1) + local exit_status="$?" + if [ "${exit_status}" != 0 ]; then + echo "${output}" 1>&2 + return "${exit_status}" + fi +}