Skip to content

Commit

Permalink
Adding cert and basic auth files for federation-apiserver
Browse files Browse the repository at this point in the history
  • Loading branch information
@nikhiljindal
nikhiljindal committed Aug 16, 2016
1 parent fa6bd4b commit 6e5c02d
Show file tree
Hide file tree
Showing 4 changed files with 72 additions and 12 deletions.
41 changes: 29 additions & 12 deletions cluster/common.sh
View file
Original file line number Diff line number Diff line change
Expand Up @@ -779,6 +779,7 @@ function sha1sum-file() {
#
# Assumed vars
# KUBE_TEMP
# MASTER_NAME
#
# Vars set:
# CERT_DIR
Expand Down Expand Up @@ -806,6 +807,31 @@ function create-certs {

echo "Generating certs for alternate-names: ${sans}"

PRIMARY_CN="${primary_cn}" SANS="${sans}" generate-certs

CERT_DIR="${KUBE_TEMP}/easy-rsa-master/easyrsa3"
# By default, linux wraps base64 output every 76 cols, so we use 'tr -d' to remove whitespaces.
# Note 'base64 -w0' doesn't work on Mac OS X, which has different flags.
CA_CERT_BASE64=$(cat "${CERT_DIR}/pki/ca.crt" | base64 | tr -d '\r\n')
MASTER_CERT_BASE64=$(cat "${CERT_DIR}/pki/issued/${MASTER_NAME}.crt" | base64 | tr -d '\r\n')
MASTER_KEY_BASE64=$(cat "${CERT_DIR}/pki/private/${MASTER_NAME}.key" | base64 | tr -d '\r\n')
KUBELET_CERT_BASE64=$(cat "${CERT_DIR}/pki/issued/kubelet.crt" | base64 | tr -d '\r\n')
KUBELET_KEY_BASE64=$(cat "${CERT_DIR}/pki/private/kubelet.key" | base64 | tr -d '\r\n')
KUBECFG_CERT_BASE64=$(cat "${CERT_DIR}/pki/issued/kubecfg.crt" | base64 | tr -d '\r\n')
KUBECFG_KEY_BASE64=$(cat "${CERT_DIR}/pki/private/kubecfg.key" | base64 | tr -d '\r\n')
}

# Runs the easy RSA commands to generate certificate files.
# The generated files are at ${KUBE_TEMP}/easy-rsa-master/easyrsa3
#
# Assumed vars
# KUBE_TEMP
# MASTER_NAME
# PRIMARY_CN: Primary canonical name
# SANS: Subject alternate names
#
#
function generate-certs {
local -r cert_create_debug_output=$(mktemp "${KUBE_TEMP}/cert_create_debug_output.XXX")
# Note: This was heavily cribbed from make-ca-cert.sh
(set -x
Expand All @@ -814,8 +840,8 @@ function create-certs {
tar xzf easy-rsa.tar.gz
cd easy-rsa-master/easyrsa3
./easyrsa init-pki
./easyrsa --batch "--req-cn=${primary_cn}@$(date +%s)" build-ca nopass
./easyrsa --subject-alt-name="${sans}" build-server-full "${MASTER_NAME}" nopass
./easyrsa --batch "--req-cn=${PRIMARY_CN}@$(date +%s)" build-ca nopass
./easyrsa --subject-alt-name="${SANS}" build-server-full "${MASTER_NAME}" nopass
./easyrsa build-client-full kubelet nopass
./easyrsa build-client-full kubecfg nopass) &>${cert_create_debug_output} || {
# If there was an error in the subshell, just die.
Expand All @@ -824,18 +850,9 @@ function create-certs {
echo "=== Failed to generate certificates: Aborting ===" >&2
exit 2
}
CERT_DIR="${KUBE_TEMP}/easy-rsa-master/easyrsa3"
# By default, linux wraps base64 output every 76 cols, so we use 'tr -d' to remove whitespaces.
# Note 'base64 -w0' doesn't work on Mac OS X, which has different flags.
CA_CERT_BASE64=$(cat "${CERT_DIR}/pki/ca.crt" | base64 | tr -d '\r\n')
MASTER_CERT_BASE64=$(cat "${CERT_DIR}/pki/issued/${MASTER_NAME}.crt" | base64 | tr -d '\r\n')
MASTER_KEY_BASE64=$(cat "${CERT_DIR}/pki/private/${MASTER_NAME}.key" | base64 | tr -d '\r\n')
KUBELET_CERT_BASE64=$(cat "${CERT_DIR}/pki/issued/kubelet.crt" | base64 | tr -d '\r\n')
KUBELET_KEY_BASE64=$(cat "${CERT_DIR}/pki/private/kubelet.key" | base64 | tr -d '\r\n')
KUBECFG_CERT_BASE64=$(cat "${CERT_DIR}/pki/issued/kubecfg.crt" | base64 | tr -d '\r\n')
KUBECFG_KEY_BASE64=$(cat "${CERT_DIR}/pki/private/kubecfg.key" | base64 | tr -d '\r\n')
}


#
# Using provided master env, extracts value from provided key.
#
Expand Down
35 changes: 35 additions & 0 deletions federation/cluster/common.sh
View file
Original file line number Diff line number Diff line change
Expand Up @@ -144,6 +144,7 @@ function create-federation-api-objects {

FEDERATION_API_TOKEN="$(dd if=/dev/urandom bs=128 count=1 2>/dev/null | base64 | tr -d "=+/" | dd bs=32 count=1 2>/dev/null)"
export FEDERATION_API_KNOWN_TOKENS="${FEDERATION_API_TOKEN},admin,admin"
export FEDERATION_API_BASIC_AUTH="admin,admin,admin"

# Create a kubeconfig with credentails for federation-apiserver. We will
# then use this kubeconfig to create a secret which the federation
Expand Down Expand Up @@ -174,6 +175,14 @@ function create-federation-api-objects {
$host_kubectl create secret generic ${name} --from-file="${dir}/kubeconfig" --namespace="${FEDERATION_NAMESPACE}"
done

# Create server certificates.
ensure-temp-dir
echo "Creating federation apiserver certs for IP: $FEDERATION_API_HOST"
MASTER_NAME="federation-apiserver" create-federation-apiserver-certs ${FEDERATION_API_HOST}
export FEDERATION_APISERVER_CA_CERT_BASE64="${FEDERATION_APISERVER_CA_CERT_BASE64}"
export FEDERATION_APISERVER_CERT_BASE64="${FEDERATION_APISERVER_CERT_BASE64}"
export FEDERATION_APISERVER_KEY_BASE64="${FEDERATION_APISERVER_KEY_BASE64}"

for file in federation-etcd-pvc.yaml federation-apiserver-{deployment,secrets}.yaml federation-controller-manager-deployment.yaml; do
$template "${manifests_root}/${file}" | $host_kubectl create -f -
done
Expand Down Expand Up @@ -222,6 +231,32 @@ function create-federation-api-objects {
)
}

# Creates the required certificates for federation apiserver.
# $1: The public IP for the master.
#
# Assumed vars
# KUBE_TEMP
# MASTER_NAME
#
function create-federation-apiserver-certs {
local -r primary_cn="${1}"
local sans="DNS:${MASTER_NAME}"

echo "Generating certs for alternate-names: ${sans}"

local kube_temp="${KUBE_TEMP}/federation"
mkdir "${kube_temp}"
KUBE_TEMP="${kube_temp}" PRIMARY_CN="${primary_cn}" SANS="${sans}" generate-certs

local cert_dir="${kube_temp}/easy-rsa-master/easyrsa3"
# By default, linux wraps base64 output every 76 cols, so we use 'tr -d' to remove whitespaces.
# Note 'base64 -w0' doesn't work on Mac OS X, which has different flags.
FEDERATION_APISERVER_CA_CERT_BASE64=$(cat "${cert_dir}/pki/ca.crt" | base64 | tr -d '\r\n')
FEDERATION_APISERVER_CERT_BASE64=$(cat "${cert_dir}/pki/issued/${MASTER_NAME}.crt" | base64 | tr -d '\r\n')
FEDERATION_APISERVER_KEY_BASE64=$(cat "${cert_dir}/pki/private/${MASTER_NAME}.key" | base64 | tr -d '\r\n')
}


# Required
# FEDERATION_PUSH_REPO_BASE: the docker repo where federated images will be pushed

Expand Down
4 changes: 4 additions & 0 deletions federation/manifests/federation-apiserver-deployment.yaml
View file
Original file line number Diff line number Diff line change
Expand Up @@ -23,6 +23,10 @@ spec:
- --service-cluster-ip-range={{.FEDERATION_SERVICE_CIDR}}
- --secure-port=443
- --advertise-address={{.FEDERATION_API_HOST}}
- --client-ca-file=/srv/kubernetes/ca.crt
- --basic-auth-file=/srv/kubernetes/basic_auth.csv
- --tls-cert-file=/srv/kubernetes/server.cert
- --tls-private-key-file=/srv/kubernetes/server.key
# TODO: --admission-control values must be set when support is added for each type of control.
- --token-auth-file=/srv/kubernetes/known-tokens.csv
ports:
Expand Down
4 changes: 4 additions & 0 deletions federation/manifests/federation-apiserver-secrets.yaml
View file
Original file line number Diff line number Diff line change
Expand Up @@ -7,3 +7,7 @@ metadata:
type: Opaque
data:
known-tokens.csv: {{.FEDERATION_API_KNOWN_TOKENS_BASE64}}
basic_auth.csv: {{.FEDERATION_API_BASIC_AUTH_BASE64}}
ca.crt: {{.FEDERATION_APISERVER_CA_CERT_BASE64}}
server.cert: {{.FEDERATION_APISERVER_CERT_BASE64}}
server.key: {{.FEDERATION_APISERVER_KEY_BASE64}}

0 comments on commit 6e5c02d

Please sign in to comment.