From b3705b6e3580de196edd0d5bfd89e077e02bf10b Mon Sep 17 00:00:00 2001 From: Dan Williams Date: Sat, 11 Mar 2017 00:18:38 -0600 Subject: [PATCH 1/2] hack/cluster: consolidate cluster/ utils to hack/lib/util.sh Per Clayton's suggestion, move stuff from cluster/lib/util.sh to hack/lib/util.sh. Also consolidate ensure-temp-dir and use the hack/lib/util.sh implementation rather than cluster/common.sh. --- cluster/aws/util.sh | 2 +- cluster/common.sh | 13 +-------- cluster/gce/upgrade.sh | 2 +- cluster/gce/util.sh | 6 ++-- cluster/gke/util.sh | 2 +- cluster/lib/util.sh | 46 ------------------------------- cluster/photon-controller/util.sh | 2 +- cluster/vagrant/util.sh | 2 +- cluster/validate-cluster.sh | 2 +- federation/cluster/common.sh | 2 +- hack/lib/init.sh | 1 - hack/lib/util.sh | 29 +++++++++++++++++++ hack/make-rules/verify.sh | 2 +- hack/update-all.sh | 1 - test/kubemark/start-kubemark.sh | 2 +- 15 files changed, 42 insertions(+), 72 deletions(-) delete mode 100644 cluster/lib/util.sh diff --git a/cluster/aws/util.sh b/cluster/aws/util.sh index 483bda04cb..39830b9be8 100755 --- a/cluster/aws/util.sh +++ b/cluster/aws/util.sh @@ -15,7 +15,7 @@ # limitations under the License. KUBE_ROOT=$(dirname "${BASH_SOURCE}")/../.. -source "${KUBE_ROOT}/cluster/lib/util.sh" +source "${KUBE_ROOT}/hack/lib/util.sh" echo -e "${color_red}WARNING${color_norm}: The bash deployment for AWS is obsolete. The" >&2 echo -e "v1.5.x releases are the last to support cluster/kube-up.sh with AWS." >&2 diff --git a/cluster/common.sh b/cluster/common.sh index 6514657d06..3adaf1559f 100755 --- a/cluster/common.sh +++ b/cluster/common.sh @@ -24,7 +24,7 @@ KUBE_ROOT=$(cd $(dirname "${BASH_SOURCE}")/.. && pwd) DEFAULT_KUBECONFIG="${HOME}/.kube/config" -source "${KUBE_ROOT}/cluster/lib/util.sh" +source "${KUBE_ROOT}/hack/lib/util.sh" source "${KUBE_ROOT}/cluster/lib/logging.sh" # KUBE_RELEASE_VERSION_REGEX matches things like "v1.2.3" or "v1.2.3-alpha.4" # 
@@ -308,17 +308,6 @@ function load-or-gen-kube-bearertoken() { fi } -# Create a temp dir that'll be deleted at the end of this bash session. -# -# Vars set: -# KUBE_TEMP -function ensure-temp-dir { - if [[ -z ${KUBE_TEMP-} ]]; then - export KUBE_TEMP=$(mktemp -d -t kubernetes.XXXXXX) - trap 'rm -rf "${KUBE_TEMP}"' EXIT - fi -} - # Get the master IP for the current-context in kubeconfig if one exists. # # Assumed vars: diff --git a/cluster/gce/upgrade.sh b/cluster/gce/upgrade.sh index 0013af1f28..61e774eb1b 100755 --- a/cluster/gce/upgrade.sh +++ b/cluster/gce/upgrade.sh @@ -192,7 +192,7 @@ function wait-for-master() { # Assumed vars # KUBE_VERSION function prepare-upgrade() { - ensure-temp-dir + kube::util::ensure-temp-dir detect-project detect-node-names # sets INSTANCE_GROUPS write-cluster-name diff --git a/cluster/gce/util.sh b/cluster/gce/util.sh index 39b9e5bc76..2fe05f6c13 100755 --- a/cluster/gce/util.sh +++ b/cluster/gce/util.sh @@ -21,7 +21,7 @@ KUBE_ROOT=$(dirname "${BASH_SOURCE}")/../.. source "${KUBE_ROOT}/cluster/gce/${KUBE_CONFIG_FILE-"config-default.sh"}" source "${KUBE_ROOT}/cluster/common.sh" -source "${KUBE_ROOT}/cluster/lib/util.sh" +source "${KUBE_ROOT}/hack/lib/util.sh" if [[ "${NODE_OS_DISTRIBUTION}" == "debian" || "${NODE_OS_DISTRIBUTION}" == "container-linux" || "${NODE_OS_DISTRIBUTION}" == "trusty" || "${NODE_OS_DISTRIBUTION}" == "gci" ]]; then source "${KUBE_ROOT}/cluster/gce/${NODE_OS_DISTRIBUTION}/node-helper.sh" @@ -581,7 +581,7 @@ function add-instance-metadata-from-file() { # KUBE_ROOT # function kube-up() { - ensure-temp-dir + kube::util::ensure-temp-dir detect-project load-or-gen-kube-basicauth @@ -1620,7 +1620,7 @@ function prepare-push() { OUTPUT=${KUBE_ROOT}/_output/logs mkdir -p ${OUTPUT} - ensure-temp-dir + kube::util::ensure-temp-dir detect-project detect-master detect-node-names diff --git a/cluster/gke/util.sh b/cluster/gke/util.sh index ecdd36bd1b..95f91efb4c 100755 --- a/cluster/gke/util.sh +++ b/cluster/gke/util.sh 
@@ -22,7 +22,7 @@ KUBE_PROMPT_FOR_UPDATE=${KUBE_PROMPT_FOR_UPDATE:-"n"} KUBE_ROOT=$(dirname "${BASH_SOURCE}")/../.. source "${KUBE_ROOT}/cluster/gke/${KUBE_CONFIG_FILE:-config-default.sh}" source "${KUBE_ROOT}/cluster/common.sh" -source "${KUBE_ROOT}/cluster/lib/util.sh" +source "${KUBE_ROOT}/hack/lib/util.sh" function with-retry() { local retry_limit=$1 diff --git a/cluster/lib/util.sh b/cluster/lib/util.sh deleted file mode 100644 index 7082fb7ce2..0000000000 --- a/cluster/lib/util.sh +++ /dev/null @@ -1,46 +0,0 @@ -#!/bin/bash - -# Copyright 2015 The Kubernetes Authors. -# -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. - -# Wait for background jobs to finish. Return with -# an error status if any of the jobs failed. -kube::util::wait-for-jobs() { - local fail=0 - local job - for job in $(jobs -p); do - wait "${job}" || fail=$((fail + 1)) - done - return ${fail} -} - -# kube::util::join -# Concatenates the list elements with the delimiter passed as first parameter -# -# Ex: kube::util::join , a b c -# -> a,b,c -function kube::util::join { - local IFS="$1" - shift - echo "$*" -} - -# Some useful colors. -if [[ -z "${color_start-}" ]]; then - declare -r color_start="\033[" - declare -r color_red="${color_start}0;31m" - declare -r color_yellow="${color_start}0;33m" - declare -r color_green="${color_start}0;32m" - declare -r color_norm="${color_start}0m" -fi 
diff --git a/cluster/photon-controller/util.sh b/cluster/photon-controller/util.sh index bc9d0b572a..0b05cac9cd 100755 --- a/cluster/photon-controller/util.sh +++ b/cluster/photon-controller/util.sh @@ -156,7 +156,7 @@ function kube-up { verify-prereqs verify-ssh-prereqs verify-photon-config - ensure-temp-dir + kube::util::ensure-temp-dir find-release-tars find-image-id diff --git a/cluster/vagrant/util.sh b/cluster/vagrant/util.sh index 0b4be7fd84..64efdfddda 100755 --- a/cluster/vagrant/util.sh +++ b/cluster/vagrant/util.sh @@ -106,7 +106,7 @@ function verify-prereqs { # Create a set of provision scripts for the master and each of the nodes function create-provision-scripts { - ensure-temp-dir + kube::util::ensure-temp-dir ( echo "#! /bin/bash" diff --git a/cluster/validate-cluster.sh b/cluster/validate-cluster.sh index d696178a5d..a94587bb65 100755 --- a/cluster/validate-cluster.sh +++ b/cluster/validate-cluster.sh @@ -30,7 +30,7 @@ if [ -f "${KUBE_ROOT}/cluster/env.sh" ]; then source "${KUBE_ROOT}/cluster/env.sh" fi -source "${KUBE_ROOT}/cluster/lib/util.sh" +source "${KUBE_ROOT}/hack/lib/util.sh" source "${KUBE_ROOT}/cluster/kube-util.sh" # Run kubectl and retry upon failure. diff --git a/federation/cluster/common.sh b/federation/cluster/common.sh index 3d4755062d..4efb5b7986 100644 --- a/federation/cluster/common.sh +++ b/federation/cluster/common.sh @@ -250,7 +250,7 @@ function create-federation-api-objects { done # Create server certificates. - ensure-temp-dir + kube::util::ensure-temp-dir echo "Creating federation apiserver certs for federation api host: ${FEDERATION_API_HOST} ( is this a dns name?: ${IS_DNS_NAME} )" MASTER_NAME="federation-apiserver" create-federation-apiserver-certs ${FEDERATION_API_HOST} export FEDERATION_APISERVER_CA_CERT_BASE64="${FEDERATION_APISERVER_CA_CERT_BASE64}" diff --git a/hack/lib/init.sh b/hack/lib/init.sh index a07f6f2e12..4eadc166b2 100644 --- a/hack/lib/init.sh +++ b/hack/lib/init.sh 
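Review bot: The calls switched to `kube::util::ensure-temp-dir` in cluster/photon-controller/util.sh, cluster/vagrant/util.sh and federation/cluster/common.sh get no matching `source "${KUBE_ROOT}/hack/lib/util.sh"` in this patch, so they work only if something those files already source pulls in hack/lib/util.sh. The same applies to test/kubemark/start-kubemark.sh. That chain is not visible in these hunks and should be confirmed, since a missing definition surfaces only when the function actually runs. The hack/lib/util.sh implementation is also outside the patch: the removed `ensure-temp-dir` installed `trap 'rm -rf "${KUBE_TEMP}"' EXIT`, and the federation hunk generates server certificates right after the call, presumably under that directory, so the replacement should keep that cleanup.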
@@ -37,7 +37,6 @@ export no_proxy=127.0.0.1,localhost THIS_PLATFORM_BIN="${KUBE_ROOT}/_output/bin" source "${KUBE_ROOT}/hack/lib/util.sh" -source "${KUBE_ROOT}/cluster/lib/util.sh" source "${KUBE_ROOT}/cluster/lib/logging.sh" kube::log::install_errexit diff --git a/hack/lib/util.sh b/hack/lib/util.sh index 6a0386a341..fafd9a62e0 100755 --- a/hack/lib/util.sh +++ b/hack/lib/util.sh @@ -694,6 +694,35 @@ EOF fi } +# Wait for background jobs to finish. Return with +# an error status if any of the jobs failed. +kube::util::wait-for-jobs() { + local fail=0 + local job + for job in $(jobs -p); do + wait "${job}" || fail=$((fail + 1)) + done + return ${fail} +} +# kube::util::join +# Concatenates the list elements with the delimiter passed as first parameter +# +# Ex: kube::util::join , a b c +# -> a,b,c +function kube::util::join { + local IFS="$1" + shift + echo "$*" +} + +# Some useful colors. +if [[ -z "${color_start-}" ]]; then + declare -r color_start="\033[" + declare -r color_red="${color_start}0;31m" + declare -r color_yellow="${color_start}0;33m" + declare -r color_green="${color_start}0;32m" + declare -r color_norm="${color_start}0m" +fi # ex: ts=2 sw=2 et filetype=sh diff --git a/hack/make-rules/verify.sh b/hack/make-rules/verify.sh index 4c91ffddbe..eeff8c78a0 100755 --- a/hack/make-rules/verify.sh +++ b/hack/make-rules/verify.sh @@ -19,7 +19,7 @@ set -o nounset set -o pipefail KUBE_ROOT=$(dirname "${BASH_SOURCE}")/../.. -source "${KUBE_ROOT}/cluster/lib/util.sh" +source "${KUBE_ROOT}/hack/lib/util.sh" # Excluded checks are always skipped. EXCLUDED_CHECKS=( diff --git a/hack/update-all.sh b/hack/update-all.sh index 7e4d130655..ab70a809bf 100755 --- a/hack/update-all.sh +++ b/hack/update-all.sh @@ -22,7 +22,6 @@ set -o pipefail KUBE_ROOT=$(dirname "${BASH_SOURCE}")/.. source "${KUBE_ROOT}/hack/lib/init.sh" source "${KUBE_ROOT}/hack/lib/util.sh" -source "${KUBE_ROOT}/cluster/lib/util.sh" SILENT=true ALL=false 
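Review bot: `kube::util::wait-for-jobs`, as added to hack/lib/util.sh, returns the raw failure count, and a shell exit status is taken modulo 256, so exactly 256 failed jobs would report success. `return $(( fail > 255 ? 255 : fail ))` keeps the count for small values and stays non-zero for large ones. The added text also has no blank line between the closing `}` and the `# kube::util::join` header, nor between the final `fi` and the `# ex:` modeline.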
diff --git a/test/kubemark/start-kubemark.sh b/test/kubemark/start-kubemark.sh index e1615b8803..bce8d3dc31 100755 --- a/test/kubemark/start-kubemark.sh +++ b/test/kubemark/start-kubemark.sh @@ -74,7 +74,7 @@ EOF # Generate certs/keys for CA, master, kubelet and kubecfg, and tokens for kubelet # and kubeproxy. function generate-pki-config { - ensure-temp-dir + kube::util::ensure-temp-dir gen-kube-bearertoken gen-kube-basicauth create-certs ${MASTER_IP} From f20437a8225539e1922b8961bec55728929f018c Mon Sep 17 00:00:00 2001 From: Dan Williams Date: Wed, 8 Mar 2017 14:01:36 -0600 Subject: [PATCH 2/2] hack/cluster: download cfssl if not present hack/local-up-cluster.sh uses cfssl to generate certificates and will exit it cfssl is not already installed. But other cluster-up mechanisms (GCE) that generate certs just download cfssl if not present. Make local-up-cluster.sh do that too. --- cluster/common.sh | 55 +++------------ cluster/gce/upgrade.sh | 7 +- hack/lib/util.sh | 70 +++++++++++++++---- hack/local-up-cluster.sh | 2 +- .../hack/local-up-kube-aggregator.sh | 2 +- 5 files changed, 72 insertions(+), 64 deletions(-) diff --git a/cluster/common.sh b/cluster/common.sh index 3adaf1559f..a46cb1f27a 100755 --- a/cluster/common.sh +++ b/cluster/common.sh 
@@ -890,38 +890,6 @@ function sha1sum-file() { fi } -# Downloads cfssl into $1 directory -# -# Assumed vars: -# $1 (cfssl directory) -# -function download-cfssl { - mkdir -p "$1" - pushd "$1" - - kernel=$(uname -s) - case "${kernel}" in - Linux) - curl -s -L -o cfssl https://pkg.cfssl.org/R1.2/cfssl_linux-amd64 - curl -s -L -o cfssljson https://pkg.cfssl.org/R1.2/cfssljson_linux-amd64 - ;; - Darwin) - curl -s -L -o cfssl https://pkg.cfssl.org/R1.2/cfssl_darwin-amd64 - curl -s -L -o cfssljson https://pkg.cfssl.org/R1.2/cfssljson_darwin-amd64 - ;; - *) - echo "Unknown, unsupported platform: ${kernel}." >&2 - echo "Supported platforms: Linux, Darwin." >&2 - exit 2 - esac - - chmod +x cfssl - chmod +x cfssljson - - popd -} - - # Create certificate pairs for the cluster. # $1: The public IP for the master. # @@ -1012,12 +980,12 @@ function generate-certs { ./easyrsa --subject-alt-name="${SANS}" build-server-full "${MASTER_NAME}" nopass ./easyrsa build-client-full kube-apiserver nopass - download-cfssl "${KUBE_TEMP}/cfssl" + kube::util::ensure-cfssl "${KUBE_TEMP}/cfssl" # make the config for the signer echo '{"signing":{"default":{"expiry":"43800h","usages":["signing","key encipherment","client auth"]}}}' > "ca-config.json" # create the kubelet client cert with the correct groups - echo '{"CN":"kubelet","names":[{"O":"system:nodes"}],"hosts":[""],"key":{"algo":"rsa","size":2048}}' | "${KUBE_TEMP}/cfssl/cfssl" gencert -ca=pki/ca.crt -ca-key=pki/private/ca.key -config=ca-config.json - | "${KUBE_TEMP}/cfssl/cfssljson" -bare kubelet + echo '{"CN":"kubelet","names":[{"O":"system:nodes"}],"hosts":[""],"key":{"algo":"rsa","size":2048}}' | "${CFSSL_BIN}" gencert -ca=pki/ca.crt -ca-key=pki/private/ca.key -config=ca-config.json - | "${CFSSLJSON_BIN}" -bare kubelet mv "kubelet-key.pem" "pki/private/kubelet.key" mv "kubelet.pem" "pki/issued/kubelet.crt" rm -f "kubelet.csr" 
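Review bot: `generate-certs` now signs the kubelet client certificate with whichever `cfssl` is first on `PATH`, because `kube::util::ensure-cfssl` returns early when `command -v cfssl` succeeds and the directory argument is then unused. Before this change the function always ran the R1.2 download in `${KUBE_TEMP}/cfssl`, so the signer version was fixed; now it depends on the operator's environment, and that binary receives `-ca-key=pki/private/ca.key`. Consider logging the resolved path right after the call, `echo "Using cfssl: ${CFSSL_BIN}" >&2`, so the bring-up log records which binary handled the CA key. `generate-certs` starts and ends outside this hunk.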
@@ -1061,10 +1029,7 @@ function generate-etcd-cert() { mkdir -p "${cert_dir}" pushd "${cert_dir}" - if [ ! -x cfssl ] || [ ! -x cfssljson ]; then - echo "Download cfssl & cfssljson ..." - download-cfssl . - fi + kube::util::ensure-cfssl . if [ ! -r "ca-config.json" ]; then cat >ca-config.json <&2 diff --git a/cluster/gce/upgrade.sh b/cluster/gce/upgrade.sh index 61e774eb1b..4425e99c53 100755 --- a/cluster/gce/upgrade.sh +++ b/cluster/gce/upgrade.sh @@ -28,6 +28,7 @@ if [[ "${KUBERNETES_PROVIDER:-gce}" != "gce" ]]; then fi KUBE_ROOT=$(dirname "${BASH_SOURCE}")/../.. +source "${KUBE_ROOT}/hack/lib/util.sh" source "${KUBE_ROOT}/cluster/kube-util.sh" function usage() { @@ -130,7 +131,7 @@ function backfile-kubeletauth-certs() { echo "${CA_KEY_BASE64}" | base64 -d > "${KUBE_TEMP}/pki/ca.key" echo "${CA_CERT_BASE64}" | base64 -d > "${KUBE_TEMP}/pki/ca.crt" (cd "${KUBE_TEMP}/pki" - download-cfssl "${KUBE_TEMP}/cfssl" + kube::util::ensure-cfssl "${KUBE_TEMP}/cfssl" cat < ca-config.json { "signing": { @@ -149,13 +150,13 @@ EOF # subpaths required for the apiserver to hit proxy # endpoints on the kubelet's handler. cat </dev/null || ! command -v cfssljson &>/dev/null; then - echo "Failed to successfully run 'cfssl', please verify that cfssl and cfssljson are in \$PATH." - echo "Hint: export PATH=\$PATH:\$GOPATH/bin; go get -u github.com/cloudflare/cfssl/cmd/..." - exit 1 - fi - CFSSL_BIN=$(command -v cfssl) - CFSSLJSON_BIN=$(command -v cfssljson) -} - # Test whether openssl is installed. # Sets: # OPENSSL_BIN: The path to the openssl binary to use 
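Review bot: In `generate-etcd-cert`, `kube::util::ensure-cfssl .` makes the helper set `CFSSL_BIN` and `CFSSLJSON_BIN` to `./cfssl` and `./cfssljson`, which resolve only while the working directory is still `${cert_dir}`. The removed `[ ! -x cfssl ] || [ ! -x cfssljson ]` guard also reused binaries already present in that directory, whereas the helper looks only at `PATH`, so each call downloads again when cfssl is not installed. Passing an absolute directory, `kube::util::ensure-cfssl "${PWD}"`, keeps the exported paths usable after a later `popd`; whether files already in the target directory should be reused is worth deciding in the helper. The remainder of this hunk is not legible on the page, so how the two variables are used further down is not checked here.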
@@ -716,6 +702,62 @@ function kube::util::join { echo "$*" } +# Downloads cfssl/cfssljson into $1 directory if they do not already exist in PATH +# +# Assumed vars: +# $1 (cfssl directory) (optional) +# +# Sets: +# CFSSL_BIN: The path of the installed cfssl binary +# CFSSLJSON_BIN: The path of the installed cfssljson binary +# +function kube::util::ensure-cfssl { + if command -v cfssl &>/dev/null && command -v cfssljson &>/dev/null; then + CFSSL_BIN=$(command -v cfssl) + CFSSLJSON_BIN=$(command -v cfssljson) + return 0 + fi + + # Create a temp dir for cfssl if no directory was given + local cfssldir=${1:-} + if [[ -z "${cfssldir}" ]]; then + kube::util::ensure-temp-dir + cfssldir="${KUBE_TEMP}/cfssl" + fi + + mkdir -p "${cfssldir}" + pushd "${cfssldir}" > /dev/null + + echo "Unable to successfully run 'cfssl' from $PATH; downloading instead..." + kernel=$(uname -s) + case "${kernel}" in + Linux) + curl -s -L -o cfssl https://pkg.cfssl.org/R1.2/cfssl_linux-amd64 + curl -s -L -o cfssljson https://pkg.cfssl.org/R1.2/cfssljson_linux-amd64 + ;; + Darwin) + curl -s -L -o cfssl https://pkg.cfssl.org/R1.2/cfssl_darwin-amd64 + curl -s -L -o cfssljson https://pkg.cfssl.org/R1.2/cfssljson_darwin-amd64 + ;; + *) + echo "Unknown, unsupported platform: ${kernel}." >&2 + echo "Supported platforms: Linux, Darwin." >&2 + exit 2 + esac + + chmod +x cfssl || true + chmod +x cfssljson || true + + CFSSL_BIN="${cfssldir}/cfssl" + CFSSLJSON_BIN="${cfssldir}/cfssljson" + if [[ ! -x ${CFSSL_BIN} || ! -x ${CFSSLJSON_BIN} ]]; then + echo "Failed to download 'cfssl'. Please install cfssl and cfssljson and verify they are in \$PATH." + echo "Hint: export PATH=\$PATH:\$GOPATH/bin; go get -u github.com/cloudflare/cfssl/cmd/..." + exit 1 + fi + popd > /dev/null +} + # Some useful colors. if [[ -z "${color_start-}" ]]; then declare -r color_start="\033[" diff --git a/hack/local-up-cluster.sh b/hack/local-up-cluster.sh index f80a02c2ef..2d84aa7e10 100755 --- a/hack/local-up-cluster.sh 
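Review bot: The download path of `kube::util::ensure-cfssl` makes whatever `curl` wrote executable and hands it to callers that sign with the cluster CA key, with no integrity check on the file. `curl -s -L` lacks `--fail`, so an HTTP error page is saved as `cfssl`, and `chmod +x cfssl || true` followed by the `-x` test only proves the mode bit, not that the R1.2 binary arrived. I would add `--fail`, compare each file against a SHA-256 digest pinned in the repository before `chmod +x`, declare `kernel` as `local`, and send the failure messages to stderr as the unsupported-platform branch already does. The unescaped `$PATH` in the "Unable to successfully run" message prints the caller's whole search path; the later hint escapes it as `\$PATH`, which looks like the intended form.

```shell
function kube::util::ensure-cfssl {
  # … unchanged: PATH lookup, cfssldir selection, mkdir -p / pushd, notice …

  local kernel platform bin
  kernel=$(uname -s)
  case "${kernel}" in
    Linux)  platform="linux-amd64" ;;
    Darwin) platform="darwin-amd64" ;;
    # … unchanged: unsupported-platform branch …
  esac

  for bin in cfssl cfssljson; do
    # --fail keeps an HTTP error body from being saved as the binary.
    if ! curl --fail -s -S -L -o "${bin}" "https://pkg.cfssl.org/R1.2/${bin}_${platform}"; then
      echo "Failed to download '${bin}'." >&2
      exit 1
    fi
    # Placeholder: compare the SHA-256 of "${bin}" with a digest pinned in this
    # repository for ${bin}_${platform}; remove the file and exit on a mismatch.
    chmod +x "${bin}"
  done

  # … unchanged: CFSSL_BIN/CFSSLJSON_BIN assignment, -x check, popd …
}
```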
+++ b/hack/local-up-cluster.sh @@ -792,7 +792,7 @@ if [[ "${START_MODE}" != "kubeletonly" ]]; then fi kube::util::test_openssl_installed -kube::util::test_cfssl_installed +kube::util::ensure-cfssl ### IF the user didn't supply an output/ for the build... Then we detect. if [ "$GO_OUT" == "" ]; then diff --git a/staging/src/k8s.io/kube-aggregator/hack/local-up-kube-aggregator.sh b/staging/src/k8s.io/kube-aggregator/hack/local-up-kube-aggregator.sh index 3be9dfc0a1..f060e22d0a 100755 --- a/staging/src/k8s.io/kube-aggregator/hack/local-up-kube-aggregator.sh +++ b/staging/src/k8s.io/kube-aggregator/hack/local-up-kube-aggregator.sh @@ -86,7 +86,7 @@ function start_kube-aggregator { } kube::util::test_openssl_installed -kube::util::test_cfssl_installed +kube::util::ensure-cfssl start_kube-aggregator