github
/
k3s
mirror of https://github.com/k3s-io/k3s
1
0
Fork 0
Code Issues Projects Releases Wiki Activity

hack/cluster: download cfssl if not present 

hack/local-up-cluster.sh uses cfssl to generate certificates and
will exit it cfssl is not already installed.  But other cluster-up
mechanisms (GCE) that generate certs just download cfssl if not
present.  Make local-up-cluster.sh do that too.
pull/6/head
Dan Williams 2017-03-08 14:01:36 -06:00
parent b3705b6e35
commit f20437a822
5 changed files with 72 additions and 64 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

55
cluster/common.sh
View File

@ -890,38 +890,6 @@ function sha1sum-file() {
fi fi
} }
# Downloads cfssl into $1 directory
#
# Assumed vars:
# $1 (cfssl directory)
#
function download-cfssl {
mkdir -p "$1"
pushd "$1"
kernel=$(uname -s)
case "${kernel}" in
Linux)
curl -s -L -o cfssl https://pkg.cfssl.org/R1.2/cfssl_linux-amd64
curl -s -L -o cfssljson https://pkg.cfssl.org/R1.2/cfssljson_linux-amd64
;;
Darwin)
curl -s -L -o cfssl https://pkg.cfssl.org/R1.2/cfssl_darwin-amd64
curl -s -L -o cfssljson https://pkg.cfssl.org/R1.2/cfssljson_darwin-amd64
;;
*)
echo "Unknown, unsupported platform: ${kernel}." >&2
echo "Supported platforms: Linux, Darwin." >&2
exit 2
esac
chmod +x cfssl
chmod +x cfssljson
popd
}
# Create certificate pairs for the cluster. # Create certificate pairs for the cluster.
# $1: The public IP for the master. # $1: The public IP for the master.
# #
@ -1012,12 +980,12 @@ function generate-certs {
./easyrsa --subject-alt-name="${SANS}" build-server-full "${MASTER_NAME}" nopass ./easyrsa --subject-alt-name="${SANS}" build-server-full "${MASTER_NAME}" nopass
./easyrsa build-client-full kube-apiserver nopass ./easyrsa build-client-full kube-apiserver nopass
download-cfssl "${KUBE_TEMP}/cfssl" kube::util::ensure-cfssl "${KUBE_TEMP}/cfssl"
# make the config for the signer # make the config for the signer
echo '{"signing":{"default":{"expiry":"43800h","usages":["signing","key encipherment","client auth"]}}}' > "ca-config.json" echo '{"signing":{"default":{"expiry":"43800h","usages":["signing","key encipherment","client auth"]}}}' > "ca-config.json"
# create the kubelet client cert with the correct groups # create the kubelet client cert with the correct groups
echo '{"CN":"kubelet","names":[{"O":"system:nodes"}],"hosts":[""],"key":{"algo":"rsa","size":2048}}' | "${KUBE_TEMP}/cfssl/cfssl" gencert -ca=pki/ca.crt -ca-key=pki/private/ca.key -config=ca-config.json - | "${KUBE_TEMP}/cfssl/cfssljson" -bare kubelet echo '{"CN":"kubelet","names":[{"O":"system:nodes"}],"hosts":[""],"key":{"algo":"rsa","size":2048}}' | "${CFSSL_BIN}" gencert -ca=pki/ca.crt -ca-key=pki/private/ca.key -config=ca-config.json - | "${CFSSLJSON_BIN}" -bare kubelet
mv "kubelet-key.pem" "pki/private/kubelet.key" mv "kubelet-key.pem" "pki/private/kubelet.key"
mv "kubelet.pem" "pki/issued/kubelet.crt" mv "kubelet.pem" "pki/issued/kubelet.crt"
rm -f "kubelet.csr" rm -f "kubelet.csr"
@ -1061,10 +1029,7 @@ function generate-etcd-cert() {
mkdir -p "${cert_dir}" mkdir -p "${cert_dir}"
pushd "${cert_dir}" pushd "${cert_dir}"
if [ ! -x cfssl ] || [ ! -x cfssljson ]; then kube::util::ensure-cfssl .
echo "Download cfssl & cfssljson ..."
download-cfssl .
fi
if [ ! -r "ca-config.json" ]; then if [ ! -r "ca-config.json" ]; then
cat >ca-config.json <<EOF cat >ca-config.json <<EOF
@ -1130,27 +1095,27 @@ EOF
fi fi
if [[ ! -r "ca.pem" || ! -r "ca-key.pem" ]]; then if [[ ! -r "ca.pem" || ! -r "ca-key.pem" ]]; then
./cfssl gencert -initca ca-csr.json | ./cfssljson -bare ca - ${CFSSL_BIN} gencert -initca ca-csr.json | ${CFSSLJSON_BIN} -bare ca -
fi fi
case "${type_cert}" in case "${type_cert}" in
client) client)
echo "Generate client certificates..." echo "Generate client certificates..."
echo '{"CN":"client","hosts":["*"],"key":{"algo":"ecdsa","size":256}}' \ echo '{"CN":"client","hosts":["*"],"key":{"algo":"ecdsa","size":256}}' \
| ./cfssl gencert -ca=ca.pem -ca-key=ca-key.pem -config=ca-config.json -profile=client - \ | ${CFSSL_BIN} gencert -ca=ca.pem -ca-key=ca-key.pem -config=ca-config.json -profile=client - \
| ./cfssljson -bare "${prefix}" | ${CFSSLJSON_BIN} -bare "${prefix}"
;; ;;
server) server)
echo "Generate server certificates..." echo "Generate server certificates..."
echo '{"CN":"'${member_ip}'","hosts":[""],"key":{"algo":"ecdsa","size":256}}' \ echo '{"CN":"'${member_ip}'","hosts":[""],"key":{"algo":"ecdsa","size":256}}' \
| ./cfssl gencert -ca=ca.pem -ca-key=ca-key.pem -config=ca-config.json -profile=server -hostname="${member_ip},127.0.0.1" - \ | ${CFSSL_BIN} gencert -ca=ca.pem -ca-key=ca-key.pem -config=ca-config.json -profile=server -hostname="${member_ip},127.0.0.1" - \
| ./cfssljson -bare "${prefix}" | ${CFSSLJSON_BIN} -bare "${prefix}"
;; ;;
peer) peer)
echo "Generate peer certificates..." echo "Generate peer certificates..."
echo '{"CN":"'${member_ip}'","hosts":[""],"key":{"algo":"ecdsa","size":256}}' \ echo '{"CN":"'${member_ip}'","hosts":[""],"key":{"algo":"ecdsa","size":256}}' \
| ./cfssl gencert -ca=ca.pem -ca-key=ca-key.pem -config=ca-config.json -profile=peer -hostname="${member_ip},127.0.0.1" - \ | ${CFSSL_BIN} gencert -ca=ca.pem -ca-key=ca-key.pem -config=ca-config.json -profile=peer -hostname="${member_ip},127.0.0.1" - \
| ./cfssljson -bare "${prefix}" | ${CFSSLJSON_BIN} -bare "${prefix}"
;; ;;
*) *)
echo "Unknow, unsupported etcd certs type: ${type_cert}" >&2 echo "Unknow, unsupported etcd certs type: ${type_cert}" >&2

7
cluster/gce/upgrade.sh
View File

@ -28,6 +28,7 @@ if [[ "${KUBERNETES_PROVIDER:-gce}" != "gce" ]]; then
fi fi
KUBE_ROOT=$(dirname "${BASH_SOURCE}")/../.. KUBE_ROOT=$(dirname "${BASH_SOURCE}")/../..
source "${KUBE_ROOT}/hack/lib/util.sh"
source "${KUBE_ROOT}/cluster/kube-util.sh" source "${KUBE_ROOT}/cluster/kube-util.sh"
function usage() { function usage() {
@ -130,7 +131,7 @@ function backfile-kubeletauth-certs() {
echo "${CA_KEY_BASE64}" | base64 -d > "${KUBE_TEMP}/pki/ca.key" echo "${CA_KEY_BASE64}" | base64 -d > "${KUBE_TEMP}/pki/ca.key"
echo "${CA_CERT_BASE64}" | base64 -d > "${KUBE_TEMP}/pki/ca.crt" echo "${CA_CERT_BASE64}" | base64 -d > "${KUBE_TEMP}/pki/ca.crt"
(cd "${KUBE_TEMP}/pki" (cd "${KUBE_TEMP}/pki"
download-cfssl "${KUBE_TEMP}/cfssl" kube::util::ensure-cfssl "${KUBE_TEMP}/cfssl"
cat <<EOF > ca-config.json cat <<EOF > ca-config.json
{ {
"signing": { "signing": {
@ -149,13 +150,13 @@ EOF
# subpaths required for the apiserver to hit proxy # subpaths required for the apiserver to hit proxy
# endpoints on the kubelet's handler. # endpoints on the kubelet's handler.
cat <<EOF \ cat <<EOF \
| "${KUBE_TEMP}/cfssl/cfssl" gencert \ | "${CFSSL_BIN}" gencert \
-ca=ca.crt \ -ca=ca.crt \
-ca-key=ca.key \ -ca-key=ca.key \
-config=ca-config.json \ -config=ca-config.json \
-profile=client \ -profile=client \
- \ - \
| "${KUBE_TEMP}/cfssl/cfssljson" -bare kube-apiserver | "${CFSSLJSON_BIN}" -bare kube-apiserver
{ {
"CN": "kube-apiserver" "CN": "kube-apiserver"
} }

70
hack/lib/util.sh
View File

@ -537,20 +537,6 @@ kube::util::download_file() {
return 1 return 1
} }
# Test whether cfssl and cfssljson are installed.
# Sets:
# CFSSL_BIN: The path of the installed cfssl binary
# CFSSLJSON_BIN: The path of the installed cfssljson binary
function kube::util::test_cfssl_installed {
if ! command -v cfssl &>/dev/null || ! command -v cfssljson &>/dev/null; then
echo "Failed to successfully run 'cfssl', please verify that cfssl and cfssljson are in \$PATH."
echo "Hint: export PATH=\$PATH:\$GOPATH/bin; go get -u github.com/cloudflare/cfssl/cmd/..."
exit 1
fi
CFSSL_BIN=$(command -v cfssl)
CFSSLJSON_BIN=$(command -v cfssljson)
}
# Test whether openssl is installed. # Test whether openssl is installed.
# Sets: # Sets:
# OPENSSL_BIN: The path to the openssl binary to use # OPENSSL_BIN: The path to the openssl binary to use
@ -716,6 +702,62 @@ function kube::util::join {
echo "$*" echo "$*"
} }
# Downloads cfssl/cfssljson into $1 directory if they do not already exist in PATH
#
# Assumed vars:
# $1 (cfssl directory) (optional)
#
# Sets:
# CFSSL_BIN: The path of the installed cfssl binary
# CFSSLJSON_BIN: The path of the installed cfssljson binary
#
function kube::util::ensure-cfssl {
if command -v cfssl &>/dev/null && command -v cfssljson &>/dev/null; then
CFSSL_BIN=$(command -v cfssl)
CFSSLJSON_BIN=$(command -v cfssljson)
return 0
fi
# Create a temp dir for cfssl if no directory was given
local cfssldir=${1:-}
if [[ -z "${cfssldir}" ]]; then
kube::util::ensure-temp-dir
cfssldir="${KUBE_TEMP}/cfssl"
fi
mkdir -p "${cfssldir}"
pushd "${cfssldir}" > /dev/null
echo "Unable to successfully run 'cfssl' from $PATH; downloading instead..."
kernel=$(uname -s)
case "${kernel}" in
Linux)
curl -s -L -o cfssl https://pkg.cfssl.org/R1.2/cfssl_linux-amd64
curl -s -L -o cfssljson https://pkg.cfssl.org/R1.2/cfssljson_linux-amd64
;;
Darwin)
curl -s -L -o cfssl https://pkg.cfssl.org/R1.2/cfssl_darwin-amd64
curl -s -L -o cfssljson https://pkg.cfssl.org/R1.2/cfssljson_darwin-amd64
;;
*)
echo "Unknown, unsupported platform: ${kernel}." >&2
echo "Supported platforms: Linux, Darwin." >&2
exit 2
esac
chmod +x cfssl || true
chmod +x cfssljson || true
CFSSL_BIN="${cfssldir}/cfssl"
CFSSLJSON_BIN="${cfssldir}/cfssljson"
if [[ ! -x ${CFSSL_BIN} || ! -x ${CFSSLJSON_BIN} ]]; then
echo "Failed to download 'cfssl'. Please install cfssl and cfssljson and verify they are in \$PATH."
echo "Hint: export PATH=\$PATH:\$GOPATH/bin; go get -u github.com/cloudflare/cfssl/cmd/..."
exit 1
fi
popd > /dev/null
}
# Some useful colors. # Some useful colors.
if [[ -z "${color_start-}" ]]; then if [[ -z "${color_start-}" ]]; then
declare -r color_start="\033[" declare -r color_start="\033["

2
hack/local-up-cluster.sh
View File

@ -792,7 +792,7 @@ if [[ "${START_MODE}" != "kubeletonly" ]]; then
fi fi
kube::util::test_openssl_installed kube::util::test_openssl_installed
kube::util::test_cfssl_installed kube::util::ensure-cfssl
### IF the user didn't supply an output/ for the build... Then we detect. ### IF the user didn't supply an output/ for the build... Then we detect.
if [ "$GO_OUT" == "" ]; then if [ "$GO_OUT" == "" ]; then

2
staging/src/k8s.io/kube-aggregator/hack/local-up-kube-aggregator.sh
View File

@ -86,7 +86,7 @@ function start_kube-aggregator {
} }
kube::util::test_openssl_installed kube::util::test_openssl_installed
kube::util::test_cfssl_installed kube::util::ensure-cfssl
start_kube-aggregator start_kube-aggregator