From 56a2458d29fb37ff05f91206b6a45126d316b831 Mon Sep 17 00:00:00 2001
From: nikhiljindal
Date: Tue, 16 Aug 2016 00:57:13 -0700
Subject: [PATCH] Adding cert and basic auth files for federation-apiserver
---
 cluster/common.sh | 52 ++++++++++++-------
 federation/cluster/common.sh | 40 ++++++++++++++
 .../federation-apiserver-deployment.yaml | 4 ++
 .../federation-apiserver-secrets.yaml | 4 ++
 hack/verify-flags/exceptions.txt | 5 ++
 5 files changed, 87 insertions(+), 18 deletions(-)
diff --git a/cluster/common.sh b/cluster/common.sh
index 45f76c81614..070cee01db4 100755
--- a/cluster/common.sh
+++ b/cluster/common.sh
@@ -785,6 +785,7 @@ function sha1sum-file() {
 #
 # Assumed vars
 # KUBE_TEMP
+# MASTER_NAME
 #
 # Vars set:
 # CERT_DIR
@@ -812,24 +813,8 @@ function create-certs { echo "Generating certs for alternate-names: ${sans}" - local -r cert_create_debug_output=$(mktemp "${KUBE_TEMP}/cert_create_debug_output.XXX") - # Note: This was heavily cribbed from make-ca-cert.sh - (set -x - cd "${KUBE_TEMP}" - curl -L -O --connect-timeout 20 --retry 6 --retry-delay 2 https://storage.googleapis.com/kubernetes-release/easy-rsa/easy-rsa.tar.gz - tar xzf easy-rsa.tar.gz - cd easy-rsa-master/easyrsa3 - ./easyrsa init-pki - ./easyrsa --batch "--req-cn=${primary_cn}@$(date +%s)" build-ca nopass - ./easyrsa --subject-alt-name="${sans}" build-server-full "${MASTER_NAME}" nopass - ./easyrsa build-client-full kubelet nopass - ./easyrsa build-client-full kubecfg nopass) &>${cert_create_debug_output} || { - # If there was an error in the subshell, just die. - # TODO(roberthbailey): add better error handling here - cat "${cert_create_debug_output}" >&2 - echo "=== Failed to generate certificates: Aborting ===" >&2 - exit 2 - } + PRIMARY_CN="${primary_cn}" SANS="${sans}" generate-certs + CERT_DIR="${KUBE_TEMP}/easy-rsa-master/easyrsa3" # By default, linux wraps base64 output every 76 cols, so we use 'tr -d' to remove whitespaces. # Note 'base64 -w0' doesn't work on Mac OS X, which has different flags. 
@@ -842,6 +827,37 @@ function create-certs { KUBECFG_KEY_BASE64=$(cat "${CERT_DIR}/pki/private/kubecfg.key" | base64 | tr -d '\r\n') } +# Runs the easy RSA commands to generate certificate files. +# The generated files are at ${KUBE_TEMP}/easy-rsa-master/easyrsa3 +# +# Assumed vars +# KUBE_TEMP +# MASTER_NAME +# PRIMARY_CN: Primary canonical name +# SANS: Subject alternate names +# +# +function generate-certs { + local -r cert_create_debug_output=$(mktemp "${KUBE_TEMP}/cert_create_debug_output.XXX") + # Note: This was heavily cribbed from make-ca-cert.sh + (set -x + cd "${KUBE_TEMP}" + curl -L -O --connect-timeout 20 --retry 6 --retry-delay 2 https://storage.googleapis.com/kubernetes-release/easy-rsa/easy-rsa.tar.gz + tar xzf easy-rsa.tar.gz + cd easy-rsa-master/easyrsa3 + ./easyrsa init-pki + ./easyrsa --batch "--req-cn=${PRIMARY_CN}@$(date +%s)" build-ca nopass + ./easyrsa --subject-alt-name="${SANS}" build-server-full "${MASTER_NAME}" nopass + ./easyrsa build-client-full kubelet nopass + ./easyrsa build-client-full kubecfg nopass) &>${cert_create_debug_output} || { + # If there was an error in the subshell, just die. + # TODO(roberthbailey): add better error handling here + cat "${cert_create_debug_output}" >&2 + echo "=== Failed to generate certificates: Aborting ===" >&2 + exit 2 + } +} + # # Using provided master env, extracts value from provided key. # diff --git a/federation/cluster/common.sh b/federation/cluster/common.sh index e93fa9757f3..98322891011 100644 --- a/federation/cluster/common.sh +++ b/federation/cluster/common.sh 
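Review bot: generate-certs fetches easy-rsa.tar.gz with `curl -L` and unpacks it with no integrity check, so the tool that mints the cluster CA and server key is whatever the bucket, or any redirect target, serves at that moment; the code is moved rather than new, but this refactor makes it the shared path for the federation CA too. I would verify a pinned digest before `tar xzf`, e.g. `echo "${EASY_RSA_SHA256}  easy-rsa.tar.gz" | sha256sum -c -` with the expected digest kept next to the URL, or vendor the tarball into the tree. Two smaller points in the same function: the redirect `&>${cert_create_debug_output}` should be quoted, and the helper ends in `exit 2`, which kills the sourcing shell instead of reporting failure to create-certs; `return 2` with a check at the call sites would keep that decision with the caller.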
@@ -144,6 +144,8 @@ function create-federation-api-objects { FEDERATION_API_TOKEN="$(dd if=/dev/urandom bs=128 count=1 2>/dev/null | base64 | tr -d "=+/" | dd bs=32 count=1 2>/dev/null)" export FEDERATION_API_KNOWN_TOKENS="${FEDERATION_API_TOKEN},admin,admin" + gen-kube-basicauth + export FEDERATION_API_BASIC_AUTH="${KUBE_PASSWORD},${KUBE_USER},admin" # Create a kubeconfig with credentails for federation-apiserver. We will # then use this kubeconfig to create a secret which the federation @@ -152,6 +154,8 @@ function create-federation-api-objects { KUBECONFIG_DIR=$(dirname ${KUBECONFIG:-$DEFAULT_KUBECONFIG}) CONTEXT=federation-cluster \ KUBE_BEARER_TOKEN="$FEDERATION_API_TOKEN" \ + KUBE_USER="${KUBE_USER}" \ + KUBE_PASSWORD="${KUBE_PASSWORD}" \ KUBECONFIG="${KUBECONFIG_DIR}/federation/federation-apiserver/kubeconfig" \ create-kubeconfig @@ -174,6 +178,14 @@ function create-federation-api-objects { $host_kubectl create secret generic ${name} --from-file="${dir}/kubeconfig" --namespace="${FEDERATION_NAMESPACE}" done + # Create server certificates. + ensure-temp-dir + echo "Creating federation apiserver certs for IP: $FEDERATION_API_HOST" + MASTER_NAME="federation-apiserver" create-federation-apiserver-certs ${FEDERATION_API_HOST} + export FEDERATION_APISERVER_CA_CERT_BASE64="${FEDERATION_APISERVER_CA_CERT_BASE64}" + export FEDERATION_APISERVER_CERT_BASE64="${FEDERATION_APISERVER_CERT_BASE64}" + export FEDERATION_APISERVER_KEY_BASE64="${FEDERATION_APISERVER_KEY_BASE64}" + for file in federation-etcd-pvc.yaml federation-apiserver-{deployment,secrets}.yaml federation-controller-manager-deployment.yaml; do $template "${manifests_root}/${file}" | $host_kubectl create -f - done 
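Review bot: `gen-kube-basicauth` writes the global KUBE_USER and KUBE_PASSWORD and those values are then reused for both create-kubeconfig calls in this function, so if the caller's shell already held credentials for the host cluster in those names they are silently replaced for the rest of the run; I cannot see gen-kube-basicauth here, so this is inferred from the variable names. Capturing the result into federation-specific names right after the call, e.g. `FEDERATION_API_USER="${KUBE_USER}"; FEDERATION_API_PASSWORD="${KUBE_PASSWORD}"`, and passing those to create-kubeconfig would make the dependency explicit. A one-line comment above `gen-kube-basicauth` saying it sets KUBE_USER/KUBE_PASSWORD would help readers either way. create-federation-api-objects starts and ends outside this hunk.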
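Review bot: The server certificates are generated only after the kubeconfig for the federation-apiserver secret has been created (hunk at line 154) and before the user's kubeconfig is updated further down, so the first kubeconfig is written while FEDERATION_APISERVER_CA_CERT_BASE64 does not yet exist and cannot carry the CA that would verify the new server.cert; unless create-kubeconfig (outside this hunk) obtains the CA some other way, those clients are left unable to validate the server. I would move `ensure-temp-dir` and the `create-federation-apiserver-certs` call ahead of the first create-kubeconfig and pass the CA into whatever variable create-kubeconfig uses for certificate-authority-data. Also quote the argument, `MASTER_NAME="federation-apiserver" create-federation-apiserver-certs "${FEDERATION_API_HOST}"`, and the three `export X="${X}"` lines can be a single `export FEDERATION_APISERVER_CA_CERT_BASE64 FEDERATION_APISERVER_CERT_BASE64 FEDERATION_APISERVER_KEY_BASE64`. create-federation-api-objects starts and ends outside this hunk.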
@@ -181,6 +193,8 @@ function create-federation-api-objects { # Update the users kubeconfig to include federation-apiserver credentials. CONTEXT=federation-cluster \ KUBE_BEARER_TOKEN="$FEDERATION_API_TOKEN" \ + KUBE_USER="${KUBE_USER}" \ + KUBE_PASSWORD="${KUBE_PASSWORD}" \ SECONDARY_KUBECONFIG=true \ create-kubeconfig @@ -222,6 +236,32 @@ function create-federation-api-objects { ) } +# Creates the required certificates for federation apiserver. +# $1: The public IP for the master. +# +# Assumed vars +# KUBE_TEMP +# MASTER_NAME +# +function create-federation-apiserver-certs { + local -r primary_cn="${1}" + local sans="IP:${1},DNS:${MASTER_NAME}" + + echo "Generating certs for alternate-names: ${sans}" + + local kube_temp="${KUBE_TEMP}/federation" + mkdir -p "${kube_temp}" + KUBE_TEMP="${kube_temp}" PRIMARY_CN="${primary_cn}" SANS="${sans}" generate-certs + + local cert_dir="${kube_temp}/easy-rsa-master/easyrsa3" + # By default, linux wraps base64 output every 76 cols, so we use 'tr -d' to remove whitespaces. + # Note 'base64 -w0' doesn't work on Mac OS X, which has different flags. + FEDERATION_APISERVER_CA_CERT_BASE64=$(cat "${cert_dir}/pki/ca.crt" | base64 | tr -d '\r\n') + FEDERATION_APISERVER_CERT_BASE64=$(cat "${cert_dir}/pki/issued/${MASTER_NAME}.crt" | base64 | tr -d '\r\n') + FEDERATION_APISERVER_KEY_BASE64=$(cat "${cert_dir}/pki/private/${MASTER_NAME}.key" | base64 | tr -d '\r\n') +} + + # Required # FEDERATION_PUSH_REPO_BASE: the docker repo where federated images will be pushed diff --git a/federation/manifests/federation-apiserver-deployment.yaml b/federation/manifests/federation-apiserver-deployment.yaml index 1b21dbb999b..f26c60d5638 100644 --- a/federation/manifests/federation-apiserver-deployment.yaml +++ b/federation/manifests/federation-apiserver-deployment.yaml 
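Review bot: create-federation-apiserver-certs uses `${1}` without checking it, so an empty FEDERATION_API_HOST produces `sans="IP:,DNS:federation-apiserver"` and a CA whose CN is only `@<timestamp>`, with the failure surfacing inside easy-rsa rather than at the call; a guard such as `: "${1:?create-federation-apiserver-certs needs the apiserver IP}"` as the first line fixes that. The SAN list covers only the public IP and the bare MASTER_NAME, so anything that reaches the apiserver through an in-cluster service DNS name would not match the certificate; I cannot tell from this patch whether such clients exist, but if they do the DNS entries belong in `sans`. The header comment should also list the three FEDERATION_APISERVER_*_BASE64 variables the function sets, mirroring the "Vars set:" convention used by create-certs in cluster/common.sh.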
@@ -23,6 +23,10 @@ spec: - --service-cluster-ip-range={{.FEDERATION_SERVICE_CIDR}} - --secure-port=443 - --advertise-address={{.FEDERATION_API_HOST}} + - --client-ca-file=/srv/kubernetes/ca.crt + - --basic-auth-file=/srv/kubernetes/basic_auth.csv + - --tls-cert-file=/srv/kubernetes/server.cert + - --tls-private-key-file=/srv/kubernetes/server.key # TODO: --admission-control values must be set when support is added for each type of control. - --token-auth-file=/srv/kubernetes/known-tokens.csv ports: diff --git a/federation/manifests/federation-apiserver-secrets.yaml b/federation/manifests/federation-apiserver-secrets.yaml index 13a8853d32c..75e75e18cca 100644 --- a/federation/manifests/federation-apiserver-secrets.yaml +++ b/federation/manifests/federation-apiserver-secrets.yaml @@ -7,3 +7,7 @@ metadata: type: Opaque data: known-tokens.csv: {{.FEDERATION_API_KNOWN_TOKENS_BASE64}} + basic_auth.csv: {{.FEDERATION_API_BASIC_AUTH_BASE64}} + ca.crt: {{.FEDERATION_APISERVER_CA_CERT_BASE64}} + server.cert: {{.FEDERATION_APISERVER_CERT_BASE64}} + server.key: {{.FEDERATION_APISERVER_KEY_BASE64}} diff --git a/hack/verify-flags/exceptions.txt b/hack/verify-flags/exceptions.txt index bb813f35b3c..0b9e7ea0825 100644 --- a/hack/verify-flags/exceptions.txt +++ b/hack/verify-flags/exceptions.txt @@ -71,6 +71,7 @@ cluster/vsphere/templates/salt-minion.sh: hostname_override: $(ip route get 1.1 examples/cluster-dns/images/frontend/client.py: service_address = socket.gethostbyname(hostname) examples/storage/cassandra/image/run.sh: cluster_name \ examples/storage/vitess/env.sh: node_ip=$(get_node_ip) +federation/cluster/common.sh: local cert_dir="${kube_temp}/easy-rsa-master/easyrsa3" federation/config.default.json: "cloud_provider": "gce", federation/config.default.json: "cloud_provider": "gce", federation/config.default.json: "cloud_provider": "gce", 
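Review bot: `--client-ca-file=/srv/kubernetes/ca.crt` makes the federation-apiserver accept any client certificate chained to the freshly generated easy-rsa CA, yet this patch never surfaces a client certificate for it (generate-certs builds kubelet and kubecfg client certs, but create-federation-apiserver-certs only exports the CA cert and the server pair), so the flag adds a trust path nobody uses while the CA private key is left behind in `${KUBE_TEMP}/federation/easy-rsa-master/easyrsa3/pki/private/ca.key` with whatever permissions easy-rsa gives it. Either drop the flag until client certs are actually issued, or keep it and have the shell side remove the easy-rsa working directory once the base64 values are captured. A comment on the flag noting that the CA is the one created by create-federation-apiserver-certs would also help the next reader connect the two files.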
@@ -83,6 +84,10 @@ federation/config.default.json: "cluster_name": "cluster3-kubernetes", federation/config.default.json: "num_nodes": 3, federation/config.default.json: "num_nodes": 3, federation/config.default.json: "num_nodes": 3, +hack/fed-up-cluster.sh: advertise_address="--advertise_address=${API_HOST}" +hack/fed-up-cluster.sh: runtime_config="--runtime-config=${RUNTIME_CONFIG}" +hack/fed-up-cluster.sh: advertise_address="" +hack/fed-up-cluster.sh: runtime_config="" hack/local-up-cluster.sh: advertise_address="--advertise_address=${API_HOST}" hack/local-up-cluster.sh: runtime_config="--runtime-config=${RUNTIME_CONFIG}" hack/local-up-cluster.sh: advertise_address=""
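Review bot: The four added `hack/fed-up-cluster.sh` entries whitelist lines in a file that is not part of this patch (the diffstat lists five files and none is hack/fed-up-cluster.sh), so they either belong to a different change or exempt lines that do not exist yet; unless that script lands in the same commit, they should be dropped from this one. The `federation/cluster/common.sh` exception in the previous hunk is the only entry this change actually needs.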