Adding cert and basic auth files for federation-apiserver

2025-07-23 19:56:01 +00:00 · 2016-08-16 00:57:13 -07:00 · 2016-08-16 00:57:13 -07:00 · 56a2458d29
commit 56a2458d29
parent 3de3452cea
5 changed files with 87 additions and 18 deletions
--- a/cluster/common.sh
+++ b/cluster/common.sh
@ -785,6 +785,7 @@ function sha1sum-file() {
 #
 # Assumed vars
 #   KUBE_TEMP
+#   MASTER_NAME
 #
 # Vars set:
 #   CERT_DIR
@ -812,24 +813,8 @@ function create-certs {

  echo "Generating certs for alternate-names: ${sans}"

-  local -r cert_create_debug_output=$(mktemp "${KUBE_TEMP}/cert_create_debug_output.XXX")
-  # Note: This was heavily cribbed from make-ca-cert.sh
-  (set -x
-    cd "${KUBE_TEMP}"
-    curl -L -O --connect-timeout 20 --retry 6 --retry-delay 2 https://storage.googleapis.com/kubernetes-release/easy-rsa/easy-rsa.tar.gz
-    tar xzf easy-rsa.tar.gz
-    cd easy-rsa-master/easyrsa3
-    ./easyrsa init-pki
-    ./easyrsa --batch "--req-cn=${primary_cn}@$(date +%s)" build-ca nopass
-    ./easyrsa --subject-alt-name="${sans}" build-server-full "${MASTER_NAME}" nopass
-    ./easyrsa build-client-full kubelet nopass
-    ./easyrsa build-client-full kubecfg nopass) &>${cert_create_debug_output} || {
-    # If there was an error in the subshell, just die.
-    # TODO(roberthbailey): add better error handling here
-    cat "${cert_create_debug_output}" >&2
-    echo "=== Failed to generate certificates: Aborting ===" >&2
-    exit 2
-  }
+  PRIMARY_CN="${primary_cn}" SANS="${sans}" generate-certs
+
  CERT_DIR="${KUBE_TEMP}/easy-rsa-master/easyrsa3"
  # By default, linux wraps base64 output every 76 cols, so we use 'tr -d' to remove whitespaces.
  # Note 'base64 -w0' doesn't work on Mac OS X, which has different flags.
@ -842,6 +827,37 @@ function create-certs {
  KUBECFG_KEY_BASE64=$(cat "${CERT_DIR}/pki/private/kubecfg.key" | base64 | tr -d '\r\n')
 }

+# Runs the easy RSA commands to generate certificate files.
+# The generated files are at ${KUBE_TEMP}/easy-rsa-master/easyrsa3
+#
+# Assumed vars
+#   KUBE_TEMP
+#   MASTER_NAME
+#   PRIMARY_CN: Primary canonical name
+#   SANS: Subject alternate names
+#
+#
+function generate-certs {
+  local -r cert_create_debug_output=$(mktemp "${KUBE_TEMP}/cert_create_debug_output.XXX")
+  # Note: This was heavily cribbed from make-ca-cert.sh
+  (set -x
+    cd "${KUBE_TEMP}"
+    curl -L -O --connect-timeout 20 --retry 6 --retry-delay 2 https://storage.googleapis.com/kubernetes-release/easy-rsa/easy-rsa.tar.gz
+    tar xzf easy-rsa.tar.gz
+    cd easy-rsa-master/easyrsa3
+    ./easyrsa init-pki
+    ./easyrsa --batch "--req-cn=${PRIMARY_CN}@$(date +%s)" build-ca nopass
+    ./easyrsa --subject-alt-name="${SANS}" build-server-full "${MASTER_NAME}" nopass
+    ./easyrsa build-client-full kubelet nopass
+    ./easyrsa build-client-full kubecfg nopass) &>${cert_create_debug_output} || {
+    # If there was an error in the subshell, just die.
+    # TODO(roberthbailey): add better error handling here
+    cat "${cert_create_debug_output}" >&2
+    echo "=== Failed to generate certificates: Aborting ===" >&2
+    exit 2
+  }
+}
+
 #
 # Using provided master env, extracts value from provided key.
 #
--- a/federation/cluster/common.sh
+++ b/federation/cluster/common.sh
@ -144,6 +144,8 @@ function create-federation-api-objects {

    FEDERATION_API_TOKEN="$(dd if=/dev/urandom bs=128 count=1 2>/dev/null | base64 | tr -d "=+/" | dd bs=32 count=1 2>/dev/null)"
    export FEDERATION_API_KNOWN_TOKENS="${FEDERATION_API_TOKEN},admin,admin"
+    gen-kube-basicauth
+    export FEDERATION_API_BASIC_AUTH="${KUBE_PASSWORD},${KUBE_USER},admin"

    # Create a kubeconfig with credentails for federation-apiserver. We will
    # then use this kubeconfig to create a secret which the federation
@ -152,6 +154,8 @@ function create-federation-api-objects {
    KUBECONFIG_DIR=$(dirname ${KUBECONFIG:-$DEFAULT_KUBECONFIG})
    CONTEXT=federation-cluster \
 	   KUBE_BEARER_TOKEN="$FEDERATION_API_TOKEN" \
+           KUBE_USER="${KUBE_USER}" \
+           KUBE_PASSWORD="${KUBE_PASSWORD}" \
           KUBECONFIG="${KUBECONFIG_DIR}/federation/federation-apiserver/kubeconfig" \
 	   create-kubeconfig

@ -174,6 +178,14 @@ function create-federation-api-objects {
      $host_kubectl create secret generic ${name} --from-file="${dir}/kubeconfig" --namespace="${FEDERATION_NAMESPACE}"
    done

+    # Create server certificates.
+    ensure-temp-dir
+    echo "Creating federation apiserver certs for IP: $FEDERATION_API_HOST"
+    MASTER_NAME="federation-apiserver" create-federation-apiserver-certs ${FEDERATION_API_HOST}
+    export FEDERATION_APISERVER_CA_CERT_BASE64="${FEDERATION_APISERVER_CA_CERT_BASE64}"
+    export FEDERATION_APISERVER_CERT_BASE64="${FEDERATION_APISERVER_CERT_BASE64}"
+    export FEDERATION_APISERVER_KEY_BASE64="${FEDERATION_APISERVER_KEY_BASE64}"
+
    for file in federation-etcd-pvc.yaml federation-apiserver-{deployment,secrets}.yaml federation-controller-manager-deployment.yaml; do
      $template "${manifests_root}/${file}" | $host_kubectl create -f -
    done
@ -181,6 +193,8 @@ function create-federation-api-objects {
    # Update the users kubeconfig to include federation-apiserver credentials.
    CONTEXT=federation-cluster \
 	   KUBE_BEARER_TOKEN="$FEDERATION_API_TOKEN" \
+           KUBE_USER="${KUBE_USER}" \
+           KUBE_PASSWORD="${KUBE_PASSWORD}" \
 	   SECONDARY_KUBECONFIG=true \
 	   create-kubeconfig

@ -222,6 +236,32 @@ function create-federation-api-objects {
 )
 }

+# Creates the required certificates for federation apiserver.
+# $1: The public IP for the master.
+#
+# Assumed vars
+#   KUBE_TEMP
+#   MASTER_NAME
+#
+function create-federation-apiserver-certs {
+  local -r primary_cn="${1}"
+  local sans="IP:${1},DNS:${MASTER_NAME}"
+
+  echo "Generating certs for alternate-names: ${sans}"
+
+  local kube_temp="${KUBE_TEMP}/federation"
+  mkdir -p "${kube_temp}"
+  KUBE_TEMP="${kube_temp}" PRIMARY_CN="${primary_cn}" SANS="${sans}" generate-certs
+
+  local cert_dir="${kube_temp}/easy-rsa-master/easyrsa3"
+  # By default, linux wraps base64 output every 76 cols, so we use 'tr -d' to remove whitespaces.
+  # Note 'base64 -w0' doesn't work on Mac OS X, which has different flags.
+  FEDERATION_APISERVER_CA_CERT_BASE64=$(cat "${cert_dir}/pki/ca.crt" | base64 | tr -d '\r\n')
+  FEDERATION_APISERVER_CERT_BASE64=$(cat "${cert_dir}/pki/issued/${MASTER_NAME}.crt" | base64 | tr -d '\r\n')
+  FEDERATION_APISERVER_KEY_BASE64=$(cat "${cert_dir}/pki/private/${MASTER_NAME}.key" | base64 | tr -d '\r\n')
+}
+
+
 # Required
 # FEDERATION_PUSH_REPO_BASE: the docker repo where federated images will be pushed

--- a/federation/manifests/federation-apiserver-deployment.yaml
+++ b/federation/manifests/federation-apiserver-deployment.yaml
@ -23,6 +23,10 @@ spec:
        - --service-cluster-ip-range={{.FEDERATION_SERVICE_CIDR}}
        - --secure-port=443
        - --advertise-address={{.FEDERATION_API_HOST}}
+        - --client-ca-file=/srv/kubernetes/ca.crt
+        - --basic-auth-file=/srv/kubernetes/basic_auth.csv
+        - --tls-cert-file=/srv/kubernetes/server.cert
+        - --tls-private-key-file=/srv/kubernetes/server.key
        # TODO: --admission-control values must be set when support is added for each type of control.
        - --token-auth-file=/srv/kubernetes/known-tokens.csv
        ports:
--- a/federation/manifests/federation-apiserver-secrets.yaml
+++ b/federation/manifests/federation-apiserver-secrets.yaml
@ -7,3 +7,7 @@ metadata:
 type: Opaque
 data:
  known-tokens.csv: {{.FEDERATION_API_KNOWN_TOKENS_BASE64}}
+  basic_auth.csv: {{.FEDERATION_API_BASIC_AUTH_BASE64}}
+  ca.crt: {{.FEDERATION_APISERVER_CA_CERT_BASE64}}
+  server.cert: {{.FEDERATION_APISERVER_CERT_BASE64}}
+  server.key: {{.FEDERATION_APISERVER_KEY_BASE64}}
--- a/hack/verify-flags/exceptions.txt
+++ b/hack/verify-flags/exceptions.txt
@ -71,6 +71,7 @@ cluster/vsphere/templates/salt-minion.sh:  hostname_override: $(ip route get 1.1
 examples/cluster-dns/images/frontend/client.py:  service_address = socket.gethostbyname(hostname)
 examples/storage/cassandra/image/run.sh:	cluster_name \
 examples/storage/vitess/env.sh:    node_ip=$(get_node_ip)
+federation/cluster/common.sh:  local cert_dir="${kube_temp}/easy-rsa-master/easyrsa3"
 federation/config.default.json:      "cloud_provider": "gce",
 federation/config.default.json:      "cloud_provider": "gce",
 federation/config.default.json:      "cloud_provider": "gce",
@ -83,6 +84,10 @@ federation/config.default.json:      "cluster_name": "cluster3-kubernetes",
 federation/config.default.json:      "num_nodes": 3,
 federation/config.default.json:      "num_nodes": 3,
 federation/config.default.json:      "num_nodes": 3,
+hack/fed-up-cluster.sh:        advertise_address="--advertise_address=${API_HOST}"
+hack/fed-up-cluster.sh:      runtime_config="--runtime-config=${RUNTIME_CONFIG}"
+hack/fed-up-cluster.sh:    advertise_address=""
+hack/fed-up-cluster.sh:    runtime_config=""
 hack/local-up-cluster.sh:        advertise_address="--advertise_address=${API_HOST}"
 hack/local-up-cluster.sh:      runtime_config="--runtime-config=${RUNTIME_CONFIG}"
 hack/local-up-cluster.sh:    advertise_address=""