Update routing readme and script to set up TLS

fabianofranz · Jan 23, 2015 · f21c42b · f21c42b
1 parent dfe12ec
commit f21c42b
Show file tree

Hide file tree

Showing 5 changed files with 87 additions and 111 deletions.
diff --git a/docs/routing.md b/docs/routing.md
@@ -30,16 +30,24 @@ Once it is pulled it will start and be visible in the `docker ps` list of contai
     [vagrant@openshiftdev origin]$ make clean && make
     [vagrant@openshiftdev origin]$ export PATH=/data/src/github.com/openshift/origin/_output/local/bin/linux/amd64:$PATH
     [vagrant@openshiftdev origin]$ sudo /data/src/github.com/openshift/origin/_output/local/bin/linux/amd64/openshift start &
-    [vagrant@openshiftdev origin]$ hack/install-router.sh {router_id} {master ip}
-    [vagrant@openshiftdev origin]$ openshift kubectl get pods
+
+    If running in https mode, ensure openshift cli can authenticate
+    [vagrant@openshiftdev origin]$ sudo chmod a+r openshift.local.certificates/admin/*
+    [vagrant@openshiftdev origin]$ export KUBECONFIG=/data/src/github.com/openshift/origin/openshift.local.certificates/admin/.kubeconfig
+
+    If running in https mode, ensure install-router.sh has root certificates for the master
+    [vagrant@openshiftdev origin]$ export OPENSHIFT_CA_DATA=$(<$CERT_DIR/master/root.crt)
+
+    [vagrant@openshiftdev origin]$ hack/install-router.sh {router_id} {master_url}
+    [vagrant@openshiftdev origin]$ openshift cli get pods
 
 #### Clustered vagrant environment
 
 
     $ export OPENSHIFT_DEV_CLUSTER=true
     $ vagrant up
     $ vagrant ssh master
-    [vagrant@openshift-master ~]$ hack/install-router.sh {router_id} {master ip}
+    [vagrant@openshift-master ~]$ hack/install-router.sh {router_id} {master_url}
 
 
 
@@ -51,10 +59,10 @@ In order to run the router in a deployed environment the following conditions mu
 * The machine may or may not be registered with the master.  Optimally it will not serve pods while also serving as the router
 * The machine must not have services running on it that bind to host port 80 since this is what the router uses for traffic
 
-To install the router pod you use the `hack/install-router.sh` script, passing it the router id, master ip, and, optionally,
+To install the router pod you use the `hack/install-router.sh` script, passing it the router id, master url, and, optionally,
 the OpenShift executable.  If the executable is not passed the script will try to find it via the `PATH`.  If the
 script is still unable to find the OpenShift executable then it will simply create the `/tmp/router.json` file and stop.
-It is then up to the user to issue the `openshift kubectl create` command manually.
+It is then up to the user to issue the `openshift cli create` command manually.
 
 ### Manually   
 
@@ -64,9 +72,9 @@ that the router is run on must not have any other services that are bound to tha
 used by a DNS server for incoming traffic.
 
 
-	$ docker run --rm -it -p 80:80 openshift/origin-haproxy-router -master $kube-master-url
+	$ docker run --rm -it -p 80:80 openshift/origin-haproxy-router --master $kube-master-url
 
-example of kube-master-url : http://10.0.2.15:8080
+example of kube-master-url : https://10.0.2.15:8443
 
 ## Monitoring the router
 
@@ -78,19 +86,19 @@ To test your route independent of DNS you can send a host header to the router.
 
     $ ..... vagrant up with single machine instructions .......
     $ ..... create config files listed below in ~ ........
-    [vagrant@openshiftdev origin]$ openshift kubectl create -f ~/pod.json
-    [vagrant@openshiftdev origin]$ openshift kubectl create -f ~/service.json
-    [vagrant@openshiftdev origin]$ openshift kubectl create -f ~/route.json
+    [vagrant@openshiftdev origin]$ openshift cli create -f ~/pod.json
+    [vagrant@openshiftdev origin]$ openshift cli create -f ~/service.json
+    [vagrant@openshiftdev origin]$ openshift cli create -f ~/route.json
     [vagrant@openshiftdev origin]$ curl -H "Host:hello-openshift.v3.rhcloud.com" <vm ip>
     Hello OpenShift!
 
     $ ..... vagrant up with cluster instructions .....
     $ ..... create config files listed below in ~ ........
-    [vagrant@openshift-master ~]$ openshift kubectl create -f ~/pod.json
-    [vagrant@openshift-master ~]$ openshift kubectl create -f ~/service.json
-    [vagrant@openshift-master ~]$ openshift kubectl create -f ~/route.json
+    [vagrant@openshift-master ~]$ openshift cli create -f ~/pod.json
+    [vagrant@openshift-master ~]$ openshift cli create -f ~/service.json
+    [vagrant@openshift-master ~]$ openshift cli create -f ~/route.json
     # take note of what minion number the router is deployed on
-    [vagrant@openshift-master ~]$ openshift kubectl get pods
+    [vagrant@openshift-master ~]$ openshift cli get pods
     [vagrant@openshift-master ~]$ curl -H "Host:hello-openshift.v3.rhcloud.com" openshift-minion-<1,2>
     Hello OpenShift!
 

diff --git a/hack/install-router.sh b/hack/install-router.sh
@@ -1,34 +1,68 @@
 #!/bin/bash
 set -e
 
-echo "Creating router file and starting pod..."
-
-# ID to be used as the k8s id and also appended to the container name
+# ID to be used as the k8s id and also appended to the container name. Defaults to router1
 ROUTER_ID="${1}"
-# IP address to connect to the master, :8080 will be automatically appended
-MASTER_IP="${2}"
+# Full address to connect to the master.
+MASTER_URL="${2}"
 # openshift executable - optional, will try to find it on the path if not specified
 OPENSHIFT="${3}"
 
 OS_ROOT=$(dirname "${BASH_SOURCE}")/..
 
+if [[ "${ROUTER_ID}" == "" ]]; then
+	echo "No router id provided, cannot create router..."
+	exit
+fi
+
+if [[ "${MASTER_URL}" == "" ]]; then
+	echo "No master url provided, cannot create router..."
+	exit
+fi
+if [[ "${MASTER_URL}" != "http"* ]]; then
+	echo "Master url must include protocol, e.g. https://localhost:8443"
+	exit
+fi
+
 if [[ "${OPENSHIFT}" == "" ]]; then
     if [[ "$(which osc)" != "" ]]; then
         OPENSHIFT=$(which osc)
     fi
 fi
 
-# update the template file
-cp ${OS_ROOT}/images/router/haproxy/pod.json /tmp/router.json
-sed -i s/MASTER_IP/${MASTER_IP}/ /tmp/router.json
-sed -i s/ROUTER_ID/${ROUTER_ID}/g /tmp/router.json
+OPENSHIFT_INSECURE="${OPENSHIFT_INSECURE:-false}"
+OPENSHIFT_CA_DATA="${OPENSHIFT_CA_DATA:-}"
+
+if [[ "${MASTER_URL}" == "https"* ]]; then
+	if [[ "$OPENSHIFT_CA_DATA" == "" ]]; then
+		echo "Running against an HTTPS master (${MASTER_URL}) without a trusted certificate bundle."
+		echo "Set \$OPENSHIFT_CA_DATA to the contents of the root certificate bundle to start securely next time."
+		echo "Starting insecurely..."
+		OPENSHIFT_INSECURE=true
+	fi
 
+	# TODO: remove this once services can provide root cert data to pods
+	# Escape cert data for json
+	OPENSHIFT_CA_DATA="${OPENSHIFT_CA_DATA//$'\n'/\\\\n}"
+else
+	OPENSHIFT_INSECURE=""
+	OPENSHIFT_CA_DATA=""
+fi
+
+# update the template file
+echo "Creating router file and starting pod..."
+cp "${OS_ROOT}/images/router/haproxy/pod.json" /tmp/router.json
+sed -i "s|ROUTER_ID|${ROUTER_ID}|g" /tmp/router.json
+sed -i "s|\${OPENSHIFT_MASTER}|${MASTER_URL}|"       /tmp/router.json
+sed -i "s|\${OPENSHIFT_INSECURE}|${OPENSHIFT_INSECURE}|"   /tmp/router.json
+sed -i "s|\${OPENSHIFT_CA_DATA}|${OPENSHIFT_CA_DATA}|"     /tmp/router.json
+# TODO: provide security context to client inside router pod
 
 # create the pod if we can find openshift
 if [ "${OPENSHIFT}" == "" ]; then
-    echo "unable to find openshift binary"
+    echo "Unable to find openshift binary"
     echo "/tmp/router.json has been created.  In order to start the router please run:"
-    echo "openshift kubectl create -f /tmp/router.json"
+    echo "openshift cli create -f /tmp/router.json"
 else
     "${OPENSHIFT}" create -f /tmp/router.json
 fi
diff --git a/hack/test-end-to-end.sh b/hack/test-end-to-end.sh
@@ -161,17 +161,17 @@ export KUBERNETES_MASTER="${API_SCHEME}://${API_HOST}:${API_PORT}"
 if [[ "${API_SCHEME}" == "https" ]]; then
 	# Read client cert data in to send to containerized components
 	sudo chmod -R a+rX "${CERT_DIR}/openshift-client/"
-	OPENSHIFT_CA_DATA="$(cat "${CERT_DIR}/openshift-client/root.crt")"
+	export OPENSHIFT_CA_DATA="$(cat "${CERT_DIR}/openshift-client/root.crt")"
 	OPENSHIFT_CERT_DATA="$(cat "${CERT_DIR}/openshift-client/cert.crt")"
 	OPENSHIFT_KEY_DATA="$(cat "${CERT_DIR}/openshift-client/key.key")"
 
 	# Make osc use ${CERT_DIR}/admin/.kubeconfig, and ignore anything in the running user's $HOME dir
 	sudo chmod -R a+rwX "${CERT_DIR}/admin/"
 	export HOME="${CERT_DIR}/admin"
 	export KUBECONFIG="${CERT_DIR}/admin/.kubeconfig"
-  echo "[INFO] To debug: export KUBECONFIG=$KUBECONFIG"
+	echo "[INFO] To debug: export KUBECONFIG=$KUBECONFIG"
 else
-	OPENSHIFT_CA_DATA=""
+	export OPENSHIFT_CA_DATA=""
 	OPENSHIFT_CERT_DATA=""
 	OPENSHIFT_KEY_DATA=""
 fi
@@ -236,20 +236,10 @@ if [[ "$ROUTER_TESTS_ENABLED" == "true" ]]; then
     echo "{'id':'route', 'kind': 'Route', 'apiVersion': 'v1beta1', 'serviceName': 'frontend', 'host': 'end-to-end'}" > "${ARTIFACT_DIR}/route.json"
     osc create -n test routes -f "${ARTIFACT_DIR}/route.json"
 
-    echo "[INFO] Installing router with master ip of ${CONTAINER_ACCESSIBLE_API_HOST} and starting pod..."
+    echo "[INFO] Installing router with master url of ${API_SCHEME}://${CONTAINER_ACCESSIBLE_API_HOST}:${API_PORT} and starting pod..."
     echo "[INFO] To disable router testing set ROUTER_TESTS_ENABLED=false..."
-
-    # update the template file
-    cp ${OS_ROOT}/images/router/haproxy/template.json $ARTIFACT_DIR/router-template.json
-    sed -i s/ROUTER_ID/router1/g $ARTIFACT_DIR/router-template.json
-
-    echo "[INFO] Submitting router pod template file for processing"
-    osc process -n test -f $ARTIFACT_DIR/router-template.json -v "OPENSHIFT_MASTER=$API_SCHEME://${CONTAINER_ACCESSIBLE_API_HOST}:$API_PORT,OPENSHIFT_CA_DATA=${OPENSHIFT_CA_DATA},OPENSHIFT_CERT_DATA=${OPENSHIFT_CERT_DATA},OPENSHIFT_KEY_DATA=${OPENSHIFT_KEY_DATA}" > "$ARTIFACT_DIR/router.json"
-
-    echo "[INFO] Applying router pod config"
-    osc apply -n test -f "$ARTIFACT_DIR/router.json"
-
-    wait_for_command "osc get -n test pods | grep router | grep -i Running" $((5*TIME_MIN))
+    "${OS_ROOT}/hack/install-router.sh" "router1" "${API_SCHEME}://${CONTAINER_ACCESSIBLE_API_HOST}:${API_PORT}"
+    wait_for_command "osc get pods | grep router1 | grep -i Running" $((5*TIME_MIN))
 
     echo "[INFO] Validating routed app response..."
     validate_response "-H Host:end-to-end http://${CONTAINER_ACCESSIBLE_API_HOST}" "Hello from OpenShift" 0.2 50

diff --git a/images/router/haproxy/pod.json b/images/router/haproxy/pod.json
@@ -13,7 +13,20 @@
                         "containerPort": 80,
                         "hostPort": 80
                     }],
-                    "command": ["--master=MASTER_IP:8080"],
+                    "env": [
+                        {
+                            "name": "OPENSHIFT_MASTER",
+                            "value": "${OPENSHIFT_MASTER}"
+                        },
+                        {
+                            "name": "OPENSHIFT_CA_DATA",
+                            "value": "${OPENSHIFT_CA_DATA}"
+                        },
+                        {
+                            "name": "OPENSHIFT_INSECURE",
+                            "value": "${OPENSHIFT_INSECURE}"
+                        }
+                    ],
                     "imagePullPolicy": "PullIfNotPresent"
                 }
             ],

diff --git a/images/router/haproxy/template.json b/images/router/haproxy/template.json