Merge pull request #42748 from dcbw/cfssl-localup

Automatic merge from submit-queue (batch tested with PRs 43866, 42748) hack/cluster: download cfssl if not present hack/local-up-cluster.sh uses cfssl to generate certificates and will exit it cfssl is not already installed. But other cluster-up mechanisms (GCE) that generate certs just download cfssl if not present. Make local-up-cluster.sh do that too so users don't have to bother installing it from somewhere.
2017-04-10 14:27:11 -07:00 · 2017-04-10 14:27:11 -07:00 · b9a5a5c9b3
parent 5962b849f1 f20437a822
commit b9a5a5c9b3
17 changed files with 114 additions and 136 deletions
--- a/cluster/aws/util.sh
+++ b/cluster/aws/util.sh
@ -15,7 +15,7 @@
 # limitations under the License.

 KUBE_ROOT=$(dirname "${BASH_SOURCE}")/../..
-source "${KUBE_ROOT}/cluster/lib/util.sh"
+source "${KUBE_ROOT}/hack/lib/util.sh"

 echo -e "${color_red}WARNING${color_norm}: The bash deployment for AWS is obsolete. The" >&2
 echo -e "v1.5.x releases are the last to support cluster/kube-up.sh with AWS." >&2
--- a/cluster/common.sh
+++ b/cluster/common.sh
@ -24,7 +24,7 @@ KUBE_ROOT=$(cd $(dirname "${BASH_SOURCE}")/.. && pwd)

 DEFAULT_KUBECONFIG="${HOME}/.kube/config"

-source "${KUBE_ROOT}/cluster/lib/util.sh"
+source "${KUBE_ROOT}/hack/lib/util.sh"
 source "${KUBE_ROOT}/cluster/lib/logging.sh"
 # KUBE_RELEASE_VERSION_REGEX matches things like "v1.2.3" or "v1.2.3-alpha.4"
 #
@ -308,17 +308,6 @@ function load-or-gen-kube-bearertoken() {
  fi
 }

-# Create a temp dir that'll be deleted at the end of this bash session.
-#
-# Vars set:
-#   KUBE_TEMP
-function ensure-temp-dir {
-  if [[ -z ${KUBE_TEMP-} ]]; then
-    export KUBE_TEMP=$(mktemp -d -t kubernetes.XXXXXX)
-    trap 'rm -rf "${KUBE_TEMP}"' EXIT
-  fi
-}
-
 # Get the master IP for the current-context in kubeconfig if one exists.
 #
 # Assumed vars:
@ -896,38 +885,6 @@ function sha1sum-file() {
  fi
 }

-# Downloads cfssl into $1 directory
-#
-# Assumed vars:
-#   $1 (cfssl directory)
-#
-function download-cfssl {
-  mkdir -p "$1"
-  pushd "$1"
-
-  kernel=$(uname -s)
-  case "${kernel}" in
-    Linux)
-      curl -s -L -o cfssl https://pkg.cfssl.org/R1.2/cfssl_linux-amd64
-      curl -s -L -o cfssljson https://pkg.cfssl.org/R1.2/cfssljson_linux-amd64
-      ;;
-    Darwin)
-      curl -s -L -o cfssl https://pkg.cfssl.org/R1.2/cfssl_darwin-amd64
-      curl -s -L -o cfssljson https://pkg.cfssl.org/R1.2/cfssljson_darwin-amd64
-      ;;
-    *)
-      echo "Unknown, unsupported platform: ${kernel}." >&2
-      echo "Supported platforms: Linux, Darwin." >&2
-      exit 2
-  esac
-
-  chmod +x cfssl
-  chmod +x cfssljson
-
-  popd
-}
-
-
 # Create certificate pairs for the cluster.
 # $1: The public IP for the master.
 #
@ -1018,12 +975,12 @@ function generate-certs {
    ./easyrsa --subject-alt-name="${SANS}" build-server-full "${MASTER_NAME}" nopass
    ./easyrsa build-client-full kube-apiserver nopass

-    download-cfssl "${KUBE_TEMP}/cfssl"
+    kube::util::ensure-cfssl "${KUBE_TEMP}/cfssl"

    # make the config for the signer
    echo '{"signing":{"default":{"expiry":"43800h","usages":["signing","key encipherment","client auth"]}}}' > "ca-config.json"
    # create the kubelet client cert with the correct groups
-    echo '{"CN":"kubelet","names":[{"O":"system:nodes"}],"hosts":[""],"key":{"algo":"rsa","size":2048}}' | "${KUBE_TEMP}/cfssl/cfssl" gencert -ca=pki/ca.crt -ca-key=pki/private/ca.key -config=ca-config.json - | "${KUBE_TEMP}/cfssl/cfssljson" -bare kubelet
+    echo '{"CN":"kubelet","names":[{"O":"system:nodes"}],"hosts":[""],"key":{"algo":"rsa","size":2048}}' | "${CFSSL_BIN}" gencert -ca=pki/ca.crt -ca-key=pki/private/ca.key -config=ca-config.json - | "${CFSSLJSON_BIN}" -bare kubelet
    mv "kubelet-key.pem" "pki/private/kubelet.key"
    mv "kubelet.pem" "pki/issued/kubelet.crt"
    rm -f "kubelet.csr"
@ -1067,10 +1024,7 @@ function generate-etcd-cert() {
  mkdir -p "${cert_dir}"
  pushd "${cert_dir}"

-  if [ ! -x cfssl ] || [ ! -x cfssljson ]; then
-    echo "Download cfssl & cfssljson ..."
-    download-cfssl .
-  fi
+  kube::util::ensure-cfssl .

  if [ ! -r "ca-config.json" ]; then
    cat >ca-config.json <<EOF
@ -1136,27 +1090,27 @@ EOF
  fi

  if [[ ! -r "ca.pem" || ! -r "ca-key.pem" ]]; then
-    ./cfssl gencert -initca ca-csr.json | ./cfssljson -bare ca -
+    ${CFSSL_BIN} gencert -initca ca-csr.json | ${CFSSLJSON_BIN} -bare ca -
  fi

  case "${type_cert}" in
    client)
      echo "Generate client certificates..."
      echo '{"CN":"client","hosts":["*"],"key":{"algo":"ecdsa","size":256}}' \
-       | ./cfssl gencert -ca=ca.pem -ca-key=ca-key.pem -config=ca-config.json -profile=client - \
-       | ./cfssljson -bare "${prefix}"
+       | ${CFSSL_BIN} gencert -ca=ca.pem -ca-key=ca-key.pem -config=ca-config.json -profile=client - \
+       | ${CFSSLJSON_BIN} -bare "${prefix}"
      ;;
    server)
      echo "Generate server certificates..."
      echo '{"CN":"'${member_ip}'","hosts":[""],"key":{"algo":"ecdsa","size":256}}' \
-       | ./cfssl gencert -ca=ca.pem -ca-key=ca-key.pem -config=ca-config.json -profile=server -hostname="${member_ip},127.0.0.1" - \
-       | ./cfssljson -bare "${prefix}"
+       | ${CFSSL_BIN} gencert -ca=ca.pem -ca-key=ca-key.pem -config=ca-config.json -profile=server -hostname="${member_ip},127.0.0.1" - \
+       | ${CFSSLJSON_BIN} -bare "${prefix}"
      ;;
    peer)
      echo "Generate peer certificates..."
      echo '{"CN":"'${member_ip}'","hosts":[""],"key":{"algo":"ecdsa","size":256}}' \
-       | ./cfssl gencert -ca=ca.pem -ca-key=ca-key.pem -config=ca-config.json -profile=peer -hostname="${member_ip},127.0.0.1" - \
-       | ./cfssljson -bare "${prefix}"
+       | ${CFSSL_BIN} gencert -ca=ca.pem -ca-key=ca-key.pem -config=ca-config.json -profile=peer -hostname="${member_ip},127.0.0.1" - \
+       | ${CFSSLJSON_BIN} -bare "${prefix}"
      ;;
    *)
      echo "Unknow, unsupported etcd certs type: ${type_cert}" >&2
--- a/cluster/gce/upgrade.sh
+++ b/cluster/gce/upgrade.sh
@ -28,6 +28,7 @@ if [[ "${KUBERNETES_PROVIDER:-gce}" != "gce" ]]; then
 fi

 KUBE_ROOT=$(dirname "${BASH_SOURCE}")/../..
+source "${KUBE_ROOT}/hack/lib/util.sh"
 source "${KUBE_ROOT}/cluster/kube-util.sh"

 function usage() {
@ -130,7 +131,7 @@ function backfile-kubeletauth-certs() {
  echo "${CA_KEY_BASE64}" | base64 -d > "${KUBE_TEMP}/pki/ca.key"
  echo "${CA_CERT_BASE64}" | base64 -d > "${KUBE_TEMP}/pki/ca.crt"
  (cd "${KUBE_TEMP}/pki"
-    download-cfssl "${KUBE_TEMP}/cfssl"
+    kube::util::ensure-cfssl "${KUBE_TEMP}/cfssl"
    cat <<EOF > ca-config.json
 {
  "signing": {
@ -149,13 +150,13 @@ EOF
    # subpaths required for the apiserver to hit proxy
    # endpoints on the kubelet's handler.
    cat <<EOF \
-      | "${KUBE_TEMP}/cfssl/cfssl" gencert \
+      | "${CFSSL_BIN}" gencert \
        -ca=ca.crt \
        -ca-key=ca.key \
        -config=ca-config.json \
        -profile=client \
        - \
-      | "${KUBE_TEMP}/cfssl/cfssljson" -bare kube-apiserver
+      | "${CFSSLJSON_BIN}" -bare kube-apiserver
 {
  "CN": "kube-apiserver"
 }
@ -192,7 +193,7 @@ function wait-for-master() {
 # Assumed vars
 #   KUBE_VERSION
 function prepare-upgrade() {
-  ensure-temp-dir
+  kube::util::ensure-temp-dir
  detect-project
  detect-node-names # sets INSTANCE_GROUPS
  write-cluster-name
--- a/cluster/gce/util.sh
+++ b/cluster/gce/util.sh
@ -21,7 +21,7 @@
 KUBE_ROOT=$(dirname "${BASH_SOURCE}")/../..
 source "${KUBE_ROOT}/cluster/gce/${KUBE_CONFIG_FILE-"config-default.sh"}"
 source "${KUBE_ROOT}/cluster/common.sh"
-source "${KUBE_ROOT}/cluster/lib/util.sh"
+source "${KUBE_ROOT}/hack/lib/util.sh"

 if [[ "${NODE_OS_DISTRIBUTION}" == "debian" || "${NODE_OS_DISTRIBUTION}" == "container-linux" || "${NODE_OS_DISTRIBUTION}" == "trusty" || "${NODE_OS_DISTRIBUTION}" == "gci" ]]; then
  source "${KUBE_ROOT}/cluster/gce/${NODE_OS_DISTRIBUTION}/node-helper.sh"
@ -581,7 +581,7 @@ function add-instance-metadata-from-file() {
 #   KUBE_ROOT
 #   <Various vars set in config file>
 function kube-up() {
-  ensure-temp-dir
+  kube::util::ensure-temp-dir
  detect-project

  load-or-gen-kube-basicauth
@ -1620,7 +1620,7 @@ function prepare-push() {
  OUTPUT=${KUBE_ROOT}/_output/logs
  mkdir -p ${OUTPUT}

-  ensure-temp-dir
+  kube::util::ensure-temp-dir
  detect-project
  detect-master
  detect-node-names
--- a/cluster/gke/util.sh
+++ b/cluster/gke/util.sh
@ -22,7 +22,7 @@ KUBE_PROMPT_FOR_UPDATE=${KUBE_PROMPT_FOR_UPDATE:-"n"}
 KUBE_ROOT=$(dirname "${BASH_SOURCE}")/../..
 source "${KUBE_ROOT}/cluster/gke/${KUBE_CONFIG_FILE:-config-default.sh}"
 source "${KUBE_ROOT}/cluster/common.sh"
-source "${KUBE_ROOT}/cluster/lib/util.sh"
+source "${KUBE_ROOT}/hack/lib/util.sh"

 function with-retry() {
  local retry_limit=$1
--- a/cluster/lib/util.sh
+++ b/cluster/lib/util.sh
@ -1,46 +0,0 @@
-#!/bin/bash
-
-# Copyright 2015 The Kubernetes Authors.
-#
-# Licensed under the Apache License, Version 2.0 (the "License");
-# you may not use this file except in compliance with the License.
-# You may obtain a copy of the License at
-#
-#     http://www.apache.org/licenses/LICENSE-2.0
-#
-# Unless required by applicable law or agreed to in writing, software
-# distributed under the License is distributed on an "AS IS" BASIS,
-# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-# See the License for the specific language governing permissions and
-# limitations under the License.
-
-# Wait for background jobs to finish. Return with
-# an error status if any of the jobs failed.
-kube::util::wait-for-jobs() {
-  local fail=0
-  local job
-  for job in $(jobs -p); do
-    wait "${job}" || fail=$((fail + 1))
-  done
-  return ${fail}
-}
-
-# kube::util::join <delim> <list...>
-# Concatenates the list elements with the delimiter passed as first parameter
-#
-# Ex: kube::util::join , a b c
-#  -> a,b,c
-function kube::util::join {
-  local IFS="$1"
-  shift
-  echo "$*"
-}
-
-# Some useful colors.
-if [[ -z "${color_start-}" ]]; then
-  declare -r color_start="\033["
-  declare -r color_red="${color_start}0;31m"
-  declare -r color_yellow="${color_start}0;33m"
-  declare -r color_green="${color_start}0;32m"
-  declare -r color_norm="${color_start}0m"
-fi
--- a/cluster/photon-controller/util.sh
+++ b/cluster/photon-controller/util.sh
@ -156,7 +156,7 @@ function kube-up {
  verify-prereqs
  verify-ssh-prereqs
  verify-photon-config
-  ensure-temp-dir
+  kube::util::ensure-temp-dir

  find-release-tars
  find-image-id
--- a/cluster/vagrant/util.sh
+++ b/cluster/vagrant/util.sh
@ -106,7 +106,7 @@ function verify-prereqs {

 # Create a set of provision scripts for the master and each of the nodes
 function create-provision-scripts {
-  ensure-temp-dir
+  kube::util::ensure-temp-dir

  (
    echo "#! /bin/bash"
--- a/cluster/validate-cluster.sh
+++ b/cluster/validate-cluster.sh
@ -30,7 +30,7 @@ if [ -f "${KUBE_ROOT}/cluster/env.sh" ]; then
  source "${KUBE_ROOT}/cluster/env.sh"
 fi

-source "${KUBE_ROOT}/cluster/lib/util.sh"
+source "${KUBE_ROOT}/hack/lib/util.sh"
 source "${KUBE_ROOT}/cluster/kube-util.sh"

 # Run kubectl and retry upon failure.
--- a/federation/cluster/common.sh
+++ b/federation/cluster/common.sh
@ -250,7 +250,7 @@ function create-federation-api-objects {
    done

    # Create server certificates.
-    ensure-temp-dir
+    kube::util::ensure-temp-dir
    echo "Creating federation apiserver certs for federation api host: ${FEDERATION_API_HOST} ( is this a dns name?: ${IS_DNS_NAME} )"
    MASTER_NAME="federation-apiserver" create-federation-apiserver-certs ${FEDERATION_API_HOST}
    export FEDERATION_APISERVER_CA_CERT_BASE64="${FEDERATION_APISERVER_CA_CERT_BASE64}"
--- a/hack/lib/init.sh
+++ b/hack/lib/init.sh
@ -37,7 +37,6 @@ export no_proxy=127.0.0.1,localhost
 THIS_PLATFORM_BIN="${KUBE_ROOT}/_output/bin"

 source "${KUBE_ROOT}/hack/lib/util.sh"
-source "${KUBE_ROOT}/cluster/lib/util.sh"
 source "${KUBE_ROOT}/cluster/lib/logging.sh"

 kube::log::install_errexit
--- a/hack/lib/util.sh
+++ b/hack/lib/util.sh
@ -537,20 +537,6 @@ kube::util::download_file() {
  return 1
 }

-# Test whether cfssl and cfssljson are installed.
-# Sets:
-#  CFSSL_BIN: The path of the installed cfssl binary
-#  CFSSLJSON_BIN: The path of the installed cfssljson binary
-function kube::util::test_cfssl_installed {
-    if ! command -v cfssl &>/dev/null || ! command -v cfssljson &>/dev/null; then
-      echo "Failed to successfully run 'cfssl', please verify that cfssl and cfssljson are in \$PATH."
-      echo "Hint: export PATH=\$PATH:\$GOPATH/bin; go get -u github.com/cloudflare/cfssl/cmd/..."
-      exit 1
-    fi
-    CFSSL_BIN=$(command -v cfssl)
-    CFSSLJSON_BIN=$(command -v cfssljson)
-}
-
 # Test whether openssl is installed.
 # Sets:
 #  OPENSSL_BIN: The path to the openssl binary to use
@ -694,6 +680,91 @@ EOF
  fi
 }

+# Wait for background jobs to finish. Return with
+# an error status if any of the jobs failed.
+kube::util::wait-for-jobs() {
+  local fail=0
+  local job
+  for job in $(jobs -p); do
+    wait "${job}" || fail=$((fail + 1))
+  done
+  return ${fail}
+}

+# kube::util::join <delim> <list...>
+# Concatenates the list elements with the delimiter passed as first parameter
+#
+# Ex: kube::util::join , a b c
+#  -> a,b,c
+function kube::util::join {
+  local IFS="$1"
+  shift
+  echo "$*"
+}
+
+# Downloads cfssl/cfssljson into $1 directory if they do not already exist in PATH
+#
+# Assumed vars:
+#   $1 (cfssl directory) (optional)
+#
+# Sets:
+#  CFSSL_BIN: The path of the installed cfssl binary
+#  CFSSLJSON_BIN: The path of the installed cfssljson binary
+#
+function kube::util::ensure-cfssl {
+  if command -v cfssl &>/dev/null && command -v cfssljson &>/dev/null; then
+    CFSSL_BIN=$(command -v cfssl)
+    CFSSLJSON_BIN=$(command -v cfssljson)
+    return 0
+  fi
+
+  # Create a temp dir for cfssl if no directory was given
+  local cfssldir=${1:-}
+  if [[ -z "${cfssldir}" ]]; then
+    kube::util::ensure-temp-dir
+    cfssldir="${KUBE_TEMP}/cfssl"
+  fi
+
+  mkdir -p "${cfssldir}"
+  pushd "${cfssldir}" > /dev/null
+
+    echo "Unable to successfully run 'cfssl' from $PATH; downloading instead..."
+    kernel=$(uname -s)
+    case "${kernel}" in
+      Linux)
+        curl -s -L -o cfssl https://pkg.cfssl.org/R1.2/cfssl_linux-amd64
+        curl -s -L -o cfssljson https://pkg.cfssl.org/R1.2/cfssljson_linux-amd64
+        ;;
+      Darwin)
+        curl -s -L -o cfssl https://pkg.cfssl.org/R1.2/cfssl_darwin-amd64
+        curl -s -L -o cfssljson https://pkg.cfssl.org/R1.2/cfssljson_darwin-amd64
+        ;;
+      *)
+        echo "Unknown, unsupported platform: ${kernel}." >&2
+        echo "Supported platforms: Linux, Darwin." >&2
+        exit 2
+    esac
+
+    chmod +x cfssl || true
+    chmod +x cfssljson || true
+
+    CFSSL_BIN="${cfssldir}/cfssl"
+    CFSSLJSON_BIN="${cfssldir}/cfssljson"
+    if [[ ! -x ${CFSSL_BIN} || ! -x ${CFSSLJSON_BIN} ]]; then
+      echo "Failed to download 'cfssl'. Please install cfssl and cfssljson and verify they are in \$PATH."
+      echo "Hint: export PATH=\$PATH:\$GOPATH/bin; go get -u github.com/cloudflare/cfssl/cmd/..."
+      exit 1
+    fi
+  popd > /dev/null
+}
+
+# Some useful colors.
+if [[ -z "${color_start-}" ]]; then
+  declare -r color_start="\033["
+  declare -r color_red="${color_start}0;31m"
+  declare -r color_yellow="${color_start}0;33m"
+  declare -r color_green="${color_start}0;32m"
+  declare -r color_norm="${color_start}0m"
+fi

 # ex: ts=2 sw=2 et filetype=sh
--- a/hack/local-up-cluster.sh
+++ b/hack/local-up-cluster.sh
@ -805,7 +805,7 @@ if [[ "${START_MODE}" != "kubeletonly" ]]; then
 fi

 kube::util::test_openssl_installed
-kube::util::test_cfssl_installed
+kube::util::ensure-cfssl

 ### IF the user didn't supply an output/ for the build... Then we detect.
 if [ "$GO_OUT" == "" ]; then
--- a/hack/make-rules/verify.sh
+++ b/hack/make-rules/verify.sh
@ -19,7 +19,7 @@ set -o nounset
 set -o pipefail

 KUBE_ROOT=$(dirname "${BASH_SOURCE}")/../..
-source "${KUBE_ROOT}/cluster/lib/util.sh"
+source "${KUBE_ROOT}/hack/lib/util.sh"

 # Excluded checks are always skipped.
 EXCLUDED_CHECKS=(
--- a/hack/update-all.sh
+++ b/hack/update-all.sh
@ -22,7 +22,6 @@ set -o pipefail
 KUBE_ROOT=$(dirname "${BASH_SOURCE}")/..
 source "${KUBE_ROOT}/hack/lib/init.sh"
 source "${KUBE_ROOT}/hack/lib/util.sh"
-source "${KUBE_ROOT}/cluster/lib/util.sh"

 SILENT=true
 ALL=false
--- a/staging/src/k8s.io/kube-aggregator/hack/local-up-kube-aggregator.sh
+++ b/staging/src/k8s.io/kube-aggregator/hack/local-up-kube-aggregator.sh
@ -86,7 +86,7 @@ function start_kube-aggregator {
 }

 kube::util::test_openssl_installed
-kube::util::test_cfssl_installed
+kube::util::ensure-cfssl

 start_kube-aggregator

--- a/test/kubemark/start-kubemark.sh
+++ b/test/kubemark/start-kubemark.sh
@ -74,7 +74,7 @@ EOF
 # Generate certs/keys for CA, master, kubelet and kubecfg, and tokens for kubelet
 # and kubeproxy.
 function generate-pki-config {
-  ensure-temp-dir
+  kube::util::ensure-temp-dir
  gen-kube-bearertoken
  gen-kube-basicauth
  create-certs ${MASTER_IP}