diff --git a/cluster/mesos/docker/common/bin/await-file b/cluster/mesos/docker/common/bin/await-file index 1ac9f7a3a756f..d0997c39cd49d 100755 --- a/cluster/mesos/docker/common/bin/await-file +++ b/cluster/mesos/docker/common/bin/await-file @@ -16,7 +16,7 @@ # Wait for a file to exist in the filesystem. # Block up to the timeout duration in seconds (default: 10). -# Usage: await-health-check [-t=]
+# Usage: await-file [-t=]
# Requires: timeout, file set -o errexit diff --git a/cluster/mesos/docker/common/bin/resolveip b/cluster/mesos/docker/common/bin/resolveip deleted file mode 100755 index 334884c12859b..0000000000000 --- a/cluster/mesos/docker/common/bin/resolveip +++ /dev/null @@ -1,29 +0,0 @@ -#!/usr/bin/env bash - -# Copyright 2015 The Kubernetes Authors All rights reserved. -# -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. - -# Resolve an IP from a hostname (using getent) -# Usage: resolveip -# Requires: getent -# TODO: Mac support - -set -o errexit -set -o nounset -set -o pipefail - -hostname=$1 -[ -z "${hostname}" ] && echo "No hostname supplied" && exit 1 - -getent hosts "${hostname}" | cut -d' ' -f1 | sort -u | tail -1 diff --git a/cluster/mesos/docker/common/bin/util-ssl.sh b/cluster/mesos/docker/common/bin/util-ssl.sh deleted file mode 100644 index 5caa56c8c8515..0000000000000 --- a/cluster/mesos/docker/common/bin/util-ssl.sh +++ /dev/null @@ -1,169 +0,0 @@ -#!/bin/bash - -# Copyright 2015 The Kubernetes Authors All rights reserved. -# -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. - -# Sourcable SSL functions - -set -o errexit -set -o nounset -set -o pipefail -set -o errtrace - -bin="$(cd "$(dirname "${BASH_SOURCE}")" && pwd -P)" -source "${bin}/util-temp-dir.sh" - -function cluster::mesos::docker::find_openssl_config { - for candidate in "/etc/ssl/openssl.cnf" "/System/Library/OpenSSL/openssl.cnf"; do - if [ -f "${candidate}" ]; then - echo "${candidate}" - return 0 - fi - done - echo "ERROR: cannot find openssl.cnf" 1>&2 - return 1 -} - -function cluster::mesos::docker::create_root_certificate_authority { - local out_dir="$1" - - # TODO(karlkfi): extract config - local subject="/C=GB/ST=London/L=London/O=example/OU=IT/CN=example.com" - - echo "Creating private key" 1>&2 - openssl genrsa -out "${out_dir}/root-ca.key" 2048 - - echo "Creating certificate sign request" 1>&2 - openssl req -nodes -new -utf8 \ - -key "${out_dir}/root-ca.key" \ - -out "${out_dir}/root-ca.csr" \ - -subj "${subject}" - - echo "Signing new certificate with private key" 1>&2 - openssl x509 -req -days 3650 \ - -in "${out_dir}/root-ca.csr" \ - -out "${out_dir}/root-ca.crt" \ - -signkey "${out_dir}/root-ca.key" - - echo "Key: ${out_dir}/root-ca.key" 1>&2 - echo "Cert: ${out_dir}/root-ca.crt" 1>&2 -} - -# Creates an apiserver key and certificate with the given IPs & kubernetes.* domain names. -# Uses the current dir for scratch work. -function cluster::mesos::docker::create_apiserver_cert_inner { - local in_dir="$1" - local out_dir="$2" - local apiserver_ip="$3" - local service_ip="$4" - local workspace="$(pwd)" - - if [ ! -f "${in_dir}/root-ca.key" ]; then - echo "Signing key not found: ${in_dir}/root-ca.key" - return 1 - fi - if [ ! -f "${in_dir}/root-ca.crt" ]; then - echo "Root certificate not found: ${in_dir}/root-ca.key" - return 1 - fi - - mkdir -p "${out_dir}" - - local openssl_cnf=$(cluster::mesos::docker::find_openssl_config) - - # TODO(karlkfi): extract config - local subject="/C=GB/ST=London/L=London/O=example/OU=IT/CN=example.com" - local cluster_domain="cluster.local" - local service_name="kubernetes" - local service_namespace="default" - local subject_alt_name="IP:${apiserver_ip},IP:${service_ip},DNS:${service_name},DNS:${service_name}.${service_namespace},DNS:${service_name}.${service_namespace}.svc,DNS:${service_name}.${service_namespace}.svc.${cluster_domain}" - - echo "Creating private key" 1>&2 - openssl genrsa -out "${workspace}/apiserver.key" 2048 - - echo "Creating certificate sign request" 1>&2 - openssl req -nodes -new -utf8 \ - -key "${workspace}/apiserver.key" \ - -out "${workspace}/apiserver.csr" \ - -reqexts SAN \ - -config <(cat "${openssl_cnf}"; echo -e "[SAN]\nsubjectAltName=${subject_alt_name}") \ - -subj "${subject}" - - echo "Validating certificate sign request" 1>&2 - openssl req -text -noout -in "${workspace}/apiserver.csr" | grep -q "${service_name}.${service_namespace}.svc.${cluster_domain}" - - echo "Signing new certificate with root certificate authority key" 1>&2 - mkdir -p "${workspace}/demoCA/newcerts" - touch "${workspace}/demoCA/index.txt" - echo 1000 > "${workspace}/demoCA/serial" - openssl ca -batch \ - -days 3650 \ - -in "${workspace}/apiserver.csr" \ - -cert "${in_dir}/root-ca.crt" \ - -keyfile "${in_dir}/root-ca.key" \ - -config <(sed 's/.*\(copy_extensions = copy\)/\1/' ${openssl_cnf}) - - echo "Validating signed certificate" 1>&2 - openssl x509 -in "${workspace}/demoCA/newcerts/1000.pem" -text -noout | grep -q "${service_name}.${service_namespace}.svc.${cluster_domain}" - - echo "Key: ${out_dir}/apiserver.key" 1>&2 - cp "${workspace}/apiserver.key" "${out_dir}/apiserver.key" - - echo "Cert: ${out_dir}/apiserver.crt" 1>&2 - cp "${workspace}/demoCA/newcerts/1000.pem" "${out_dir}/apiserver.crt" -} - -# Creates an apiserver key and certificate with the given IPs & kubernetes.* domain names. -function cluster::mesos::docker::create_apiserver_cert { - local in_dir="$1" # must contain root-ca.crt & root-ca.key - local out_dir="$2" - local apiserver_ip="$3" - local service_ip="$4" - - cluster::mesos::docker::run_in_temp_dir "k8sm-certs" \ - "cluster::mesos::docker::create_apiserver_cert_inner" \ - "${in_dir}" "${out_dir}" "${apiserver_ip}" "${service_ip}" -} - -# Creates an rsa key (for signing service accounts). -function cluster::mesos::docker::create_rsa_key { - local key_file_path="$1" - - # buffer output until failure - local output=$(( - openssl genrsa -out "${key_file_path}" 2048 || exit $? - ) 2>&1) - local exit_status="$?" - if [ "${exit_status}" != 0 ]; then - echo "${output}" 1>&2 - return "${exit_status}" - fi - - echo "Key: ${key_file_path}" 1>&2 -} - -# Creates a k8s token auth user file. -# See /docs/admin/authentication.md -function cluster::mesos::docker::create_token_user { - local user_name="$1" - echo "$(openssl rand -hex 32),${user_name},${user_name}" -} - -# Creates a k8s basic auth user file. -# See /docs/admin/authentication.md -function cluster::mesos::docker::create_basic_user { - local user_name="$1" - local password="$2" - echo "${password},${user_name},${user_name}" -} diff --git a/cluster/mesos/docker/common/bin/util-temp-dir.sh b/cluster/mesos/docker/common/bin/util-temp-dir.sh deleted file mode 100644 index d44d4e2ae3309..0000000000000 --- a/cluster/mesos/docker/common/bin/util-temp-dir.sh +++ /dev/null @@ -1,47 +0,0 @@ -#!/bin/bash - -# Copyright 2015 The Kubernetes Authors All rights reserved. -# -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. - -# Sourcable temp directory functions - -set -o errexit -set -o nounset -set -o pipefail -set -o errtrace - -# Runs the supplied command string in a temporary workspace directory. -function cluster::mesos::docker::run_in_temp_dir { - prefix="$1" - shift - cmd="$@" - - # create temp WORKSPACE dir in current dir to avoid permission issues of TMPDIR on mac os x - local -r workspace=$(env TMPDIR=$(pwd) mktemp -d -t "${prefix}-XXXXXX") - echo "Workspace created: ${workspace}" 1>&2 - - cleanup() { - local -r workspace="$1" - rm -rf "${workspace}" - echo "Workspace deleted: ${workspace}" 1>&2 - } - trap "cleanup '${workspace}'" EXIT - - pushd "${workspace}" > /dev/null - ${cmd} - popd > /dev/null - - trap - EXIT - cleanup "${workspace}" -} diff --git a/cluster/mesos/docker/deploy-addons.sh b/cluster/mesos/docker/deploy-addons.sh index 81572346eef0e..6ab378b89aeb0 100755 --- a/cluster/mesos/docker/deploy-addons.sh +++ b/cluster/mesos/docker/deploy-addons.sh @@ -27,39 +27,19 @@ set -o errtrace KUBE_ROOT=$(cd "$(dirname "${BASH_SOURCE}")/../../.." && pwd) source "${KUBE_ROOT}/cluster/${KUBERNETES_PROVIDER}/${KUBE_CONFIG_FILE-"config-default.sh"}" -source "${KUBE_ROOT}/cluster/${KUBERNETES_PROVIDER}/common/bin/util-temp-dir.sh" kubectl="${KUBE_ROOT}/cluster/kubectl.sh" - - -function deploy_dns { - echo "Deploying DNS Addon" 1>&2 - local workspace=$(pwd) - - # Process salt pillar templates manually - sed -e "s/{{ pillar\['dns_replicas'\] }}/${DNS_REPLICAS}/g;s/{{ pillar\['dns_domain'\] }}/${DNS_DOMAIN}/g" "${KUBE_ROOT}/cluster/addons/dns/skydns-rc.yaml.in" > "${workspace}/skydns-rc.yaml" - sed -e "s/{{ pillar\['dns_server'\] }}/${DNS_SERVER_IP}/g" "${KUBE_ROOT}/cluster/addons/dns/skydns-svc.yaml.in" > "${workspace}/skydns-svc.yaml" - - # Use kubectl to create skydns rc and service - "${kubectl}" create -f "${workspace}/skydns-rc.yaml" - "${kubectl}" create -f "${workspace}/skydns-svc.yaml" -} - -function deploy_ui { - echo "Deploying UI Addon" 1>&2 - - # Use kubectl to create ui rc and service - "${kubectl}" create -f "${KUBE_ROOT}/cluster/addons/kube-ui/kube-ui-rc.yaml" - "${kubectl}" create -f "${KUBE_ROOT}/cluster/addons/kube-ui/kube-ui-svc.yaml" -} +bin="$(cd "$(dirname "${BASH_SOURCE}")" && pwd -P)" # create the kube-system and static-pods namespaces "${kubectl}" create -f "${KUBE_ROOT}/cluster/mesos/docker/kube-system-ns.yaml" "${kubectl}" create -f "${KUBE_ROOT}/cluster/mesos/docker/static-pods-ns.yaml" -if [ "${ENABLE_CLUSTER_DNS}" == true ]; then - cluster::mesos::docker::run_in_temp_dir 'k8sm-dns' 'deploy_dns' +if [ "${ENABLE_CLUSTER_DNS}" == "true" ]; then + echo "Deploying DNS Addon" 1>&2 + "${KUBE_ROOT}/third_party/intemp/intemp.sh" -t 'kube-dns' "${bin}/deploy-dns.sh" fi -if [ "${ENABLE_CLUSTER_UI}" == true ]; then - deploy_ui +if [ "${ENABLE_CLUSTER_UI}" == "true" ]; then + echo "Deploying UI Addon" 1>&2 + "${bin}/deploy-ui.sh" fi diff --git a/cluster/mesos/docker/deploy-dns.sh b/cluster/mesos/docker/deploy-dns.sh new file mode 100755 index 0000000000000..1f623ec5c3fd9 --- /dev/null +++ b/cluster/mesos/docker/deploy-dns.sh @@ -0,0 +1,36 @@ +#!/bin/bash + +# Copyright 2016 The Kubernetes Authors All rights reserved. +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +# Deploy the Kube-DNS addon + +set -o errexit +set -o nounset +set -o pipefail +set -o errtrace + +KUBE_ROOT=$(cd "$(dirname "${BASH_SOURCE}")/../../.." && pwd) +source "${KUBE_ROOT}/cluster/${KUBERNETES_PROVIDER}/${KUBE_CONFIG_FILE-"config-default.sh"}" +kubectl="${KUBE_ROOT}/cluster/kubectl.sh" + +workspace=$(pwd) + +# Process salt pillar templates manually +sed -e "s/{{ pillar\['dns_replicas'\] }}/${DNS_REPLICAS}/g;s/{{ pillar\['dns_domain'\] }}/${DNS_DOMAIN}/g" "${KUBE_ROOT}/cluster/addons/dns/skydns-rc.yaml.in" > "${workspace}/skydns-rc.yaml" +sed -e "s/{{ pillar\['dns_server'\] }}/${DNS_SERVER_IP}/g" "${KUBE_ROOT}/cluster/addons/dns/skydns-svc.yaml.in" > "${workspace}/skydns-svc.yaml" + +# Use kubectl to create skydns rc and service +"${kubectl}" create -f "${workspace}/skydns-rc.yaml" +"${kubectl}" create -f "${workspace}/skydns-svc.yaml" diff --git a/cluster/mesos/docker/keygen/bin/kube-cagen.sh b/cluster/mesos/docker/deploy-ui.sh similarity index 58% rename from cluster/mesos/docker/keygen/bin/kube-cagen.sh rename to cluster/mesos/docker/deploy-ui.sh index a68ad43276170..b117a49b7d01c 100755 --- a/cluster/mesos/docker/keygen/bin/kube-cagen.sh +++ b/cluster/mesos/docker/deploy-ui.sh @@ -1,6 +1,6 @@ #!/bin/bash -# Copyright 2015 The Kubernetes Authors All rights reserved. +# Copyright 2016 The Kubernetes Authors All rights reserved. # # Licensed under the Apache License, Version 2.0 (the "License"); # you may not use this file except in compliance with the License. @@ -14,19 +14,16 @@ # See the License for the specific language governing permissions and # limitations under the License. -# Generates root certificate authority crt and key. -# Writes to (use docker volume or docker export to retrieve files). -# Params: -# out_dir - dir to write crt and key to +# Deploy the Kube-UI addon set -o errexit set -o nounset set -o pipefail set -o errtrace -source "util-ssl.sh" +KUBE_ROOT=$(cd "$(dirname "${BASH_SOURCE}")/../../.." && pwd) +source "${KUBE_ROOT}/cluster/${KUBERNETES_PROVIDER}/${KUBE_CONFIG_FILE-"config-default.sh"}" +kubectl="${KUBE_ROOT}/cluster/kubectl.sh" -out_dir="${1:-}" -[ -z "${out_dir}" ] && echo "No out_dir supplied (param 1)" && exit 1 - -cluster::mesos::docker::create_root_certificate_authority "${out_dir}" +"${kubectl}" create -f "${KUBE_ROOT}/cluster/addons/kube-ui/kube-ui-rc.yaml" +"${kubectl}" create -f "${KUBE_ROOT}/cluster/addons/kube-ui/kube-ui-svc.yaml" diff --git a/cluster/mesos/docker/docker-compose.yml b/cluster/mesos/docker/docker-compose.yml index f337c8b02334d..072aed889e2f7 100644 --- a/cluster/mesos/docker/docker-compose.yml +++ b/cluster/mesos/docker/docker-compose.yml @@ -67,13 +67,13 @@ apiserver: - /bin/bash - "-ceu" - > - echo "Hostname: $$(hostname -f) ($$(hostname -f | xargs resolveip))" && + echo "Hostname: $$(hostname -f) ($$(hostname -f | xargs resolveip.sh))" && (grep "mesos-master\s*=" /opt/mesos-cloud.conf || echo " mesos-master = mesosmaster1:5050" >> /opt/mesos-cloud.conf) && await-health-check "-t=${MESOS_DOCKER_ETCD_TIMEOUT}" http://etcd:4001/health && await-health-check "-t=${MESOS_DOCKER_MESOS_TIMEOUT}" http://mesosmaster1:5050/health && await-file "-t=${KUBE_KEYGEN_TIMEOUT}" /var/run/kubernetes/auth/apiserver.crt && km apiserver - --address=$$(resolveip apiserver) + --address=$$(resolveip.sh apiserver) --external-hostname=apiserver --etcd-servers=http://etcd:4001 --port=8888 @@ -104,12 +104,12 @@ controller: - /bin/bash - "-ceu" - > - echo "Hostname: $$(hostname -f) ($$(hostname -f | xargs resolveip))" && + echo "Hostname: $$(hostname -f) ($$(hostname -f | xargs resolveip.sh))" && (grep "mesos-master\s*=" /opt/mesos-cloud.conf || echo " mesos-master = mesosmaster1:5050" >> /opt/mesos-cloud.conf) && await-health-check "-t=${MESOS_DOCKER_MESOS_TIMEOUT}" http://mesosmaster1:5050/health && await-health-check "-t=${MESOS_DOCKER_API_TIMEOUT}" http://apiserver:8888/healthz && km controller-manager - --address=$$(resolveip controller) + --address=$$(resolveip.sh controller) --master=http://apiserver:8888 --cloud-config=/opt/mesos-cloud.conf --service-account-private-key-file=/var/run/kubernetes/auth/service-accounts.key @@ -127,13 +127,13 @@ scheduler: - /bin/bash - "-ceu" - > - echo "Hostname: $$(hostname -f) ($$(hostname -f | xargs resolveip))" && + echo "Hostname: $$(hostname -f) ($$(hostname -f | xargs resolveip.sh))" && (grep "mesos-master\s*=" /opt/mesos-cloud.conf || echo " mesos-master = mesosmaster1:5050" >> /opt/mesos-cloud.conf) && await-health-check "-t=${MESOS_DOCKER_ETCD_TIMEOUT}" http://etcd:4001/health && await-health-check "-t=${MESOS_DOCKER_MESOS_TIMEOUT}" http://mesosmaster1:5050/health && await-health-check "-t=${MESOS_DOCKER_API_TIMEOUT}" http://apiserver:8888/healthz && km scheduler - --address=$$(resolveip scheduler) + --address=$$(resolveip.sh scheduler) --hostname-override=scheduler --etcd-servers=http://etcd:4001 --mesos-user=root @@ -157,10 +157,12 @@ scheduler: volumes: - ./static-pod.json:/opt/static-pods/static-pod.json keygen: - image: mesosphere/kubernetes-mesos-keygen + image: mesosphere/kubernetes-keygen:v1.0.0 command: - - apiserver + - certgen + - /var/run/kubernetes/auth - /var/run/kubernetes/auth + - apiserver volumes: - ${MESOS_DOCKER_WORK_DIR}/auth:/var/run/kubernetes/auth links: diff --git a/cluster/mesos/docker/keygen/Dockerfile b/cluster/mesos/docker/keygen/Dockerfile deleted file mode 100644 index 2b332935878c0..0000000000000 --- a/cluster/mesos/docker/keygen/Dockerfile +++ /dev/null @@ -1,18 +0,0 @@ -FROM ubuntu:14.04.3 -MAINTAINER Mesosphere - -RUN locale-gen en_US.UTF-8 -RUN dpkg-reconfigure locales -ENV LANG en_US.UTF-8 -ENV LC_ALL en_US.UTF-8 - -RUN apt-get update -qq && \ - DEBIAN_FRONTEND=noninteractive apt-get install --no-install-recommends -qqy \ - curl \ - openssl \ - && \ - apt-get clean - -COPY ./bin/* /usr/local/bin/ - -ENTRYPOINT ["kube-keygen.sh"] diff --git a/cluster/mesos/docker/keygen/bin/kube-keygen.sh b/cluster/mesos/docker/keygen/bin/kube-keygen.sh deleted file mode 100755 index b990950bc181f..0000000000000 --- a/cluster/mesos/docker/keygen/bin/kube-keygen.sh +++ /dev/null @@ -1,45 +0,0 @@ -#!/bin/bash - -# Copyright 2015 The Kubernetes Authors All rights reserved. -# -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. - -# Generates apiserver crt and key. -# Requires provided hostname to be resolvable (use docker link). -# Requires root certificate in (use docker volume). -# Writes to (use docker volume or docker export to retrieve files). -# Params: -# hostname - host name of the Kubernetes API Server to resolve into an IP -# in_dir - dir to read root certificate from -# out_dir - (Optional) dir to write crt and key to (default=) - -set -o errexit -set -o nounset -set -o pipefail -set -o errtrace - -source "util-ssl.sh" - -hostname="${1:-}" -[ -z "${hostname}" ] && echo "No hostname supplied (param 1)" && exit 1 - -in_dir="${2:-}" -[ -z "${in_dir}" ] && echo "No in_dir supplied (param 2)" && exit 1 - -out_dir="${3:-${in_dir}}" - -# Certificate generation depends on IP being resolvable from the provided hostname. -apiserver_ip="$(resolveip ${hostname})" -apiservice_ip="10.10.10.1" #TODO(karlkfi): extract config - -cluster::mesos::docker::create_apiserver_cert "${in_dir}" "${out_dir}" "${apiserver_ip}" "${apiservice_ip}" diff --git a/cluster/mesos/docker/keygen/build.sh b/cluster/mesos/docker/keygen/build.sh deleted file mode 100755 index d753d539c60f1..0000000000000 --- a/cluster/mesos/docker/keygen/build.sh +++ /dev/null @@ -1,54 +0,0 @@ -#!/bin/bash - -# Copyright 2015 The Kubernetes Authors All rights reserved. -# -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. - -# Builds a docker image that generates ssl certificates/keys/tokens required by kubernetes - -set -o errexit -set -o nounset -set -o pipefail - -IMAGE_REPO=${IMAGE_REPO:-mesosphere/kubernetes-mesos-keygen} -IMAGE_TAG=${IMAGE_TAG:-latest} - -script_dir=$(cd $(dirname "${BASH_SOURCE}") && pwd -P) -common_bin_path=$(cd ${script_dir}/../common/bin && pwd -P) -KUBE_ROOT=$(cd ${script_dir}/../../../.. && pwd -P) - -source "${common_bin_path}/util-temp-dir.sh" - -cd "${KUBE_ROOT}" - -function build_image { - local -r workspace="$(pwd)" - - echo "Copying files to workspace" - - # binaries & scripts - mkdir -p "${workspace}/bin" - cp -a "${common_bin_path}/"* "${workspace}/bin/" - cp -a "${script_dir}/bin/"* "${workspace}/bin/" - - # docker - cp -a "${script_dir}/Dockerfile" "${workspace}/" - - echo "Building docker image ${IMAGE_REPO}:${IMAGE_TAG}" - set -o xtrace - docker build -t ${IMAGE_REPO}:${IMAGE_TAG} "$@" . - set +o xtrace - echo "Built docker image ${IMAGE_REPO}:${IMAGE_TAG}" -} - -cluster::mesos::docker::run_in_temp_dir 'k8sm-keygen' 'build_image' diff --git a/cluster/mesos/docker/km/Dockerfile b/cluster/mesos/docker/km/Dockerfile index 857153c23a28a..af475408d5e1d 100644 --- a/cluster/mesos/docker/km/Dockerfile +++ b/cluster/mesos/docker/km/Dockerfile @@ -8,10 +8,13 @@ ENV LC_ALL en_US.UTF-8 RUN apt-get update -qq && \ DEBIAN_FRONTEND=noninteractive apt-get install --no-install-recommends -qqy \ + ca-certificates \ wget \ curl \ && \ apt-get clean +RUN curl -o- https://raw.githubusercontent.com/karlkfi/resolveip/v1.0.2/install.sh | bash + COPY ./bin/* /usr/local/bin/ COPY ./opt/* /opt/ diff --git a/cluster/mesos/docker/util.sh b/cluster/mesos/docker/util.sh index f1fd2277a8205..0e6ec563c496c 100644 --- a/cluster/mesos/docker/util.sh +++ b/cluster/mesos/docker/util.sh @@ -30,7 +30,6 @@ provider_root="${KUBE_ROOT}/cluster/${KUBERNETES_PROVIDER}" source "${provider_root}/${KUBE_CONFIG_FILE-"config-default.sh"}" source "${KUBE_ROOT}/cluster/common.sh" -source "${provider_root}/common/bin/util-ssl.sh" # Execute a docker-compose command with the default environment and compose file. function cluster::mesos::docker::docker_compose { @@ -90,34 +89,20 @@ function cluster::mesos::docker::run_in_docker_test { kube_config_mount="-v \"$(dirname ${KUBECONFIG}):/root/.kube\"" fi - container_id=$( - docker run \ - -d \ - -e "KUBERNETES_PROVIDER=${KUBERNETES_PROVIDER}" \ - -v "${KUBE_ROOT}:/go/src/github.com/GoogleCloudPlatform/kubernetes" \ - ${kube_config_mount} \ - -v "/var/run/docker.sock:/var/run/docker.sock" \ - --link docker_mesosmaster1_1:mesosmaster1 \ - --link docker_apiserver_1:apiserver \ - --entrypoint="${entrypoint}" \ - mesosphere/kubernetes-mesos-test \ - ${args} - ) - - docker logs -f "${container_id}" & - - # trap and kill for better signal handing - trap 'echo "Killing container ${container_id}" 1>&2 && docker kill ${container_id}' INT TERM - exit_status=$(docker wait "${container_id}") - trap - INT TERM - - if [ "$exit_status" != 0 ]; then - echo "Exited ${exit_status}" 1>&2 - fi - - docker rm -f "${container_id}" > /dev/null - - return "${exit_status}" + docker run \ + --rm \ + -t $(tty &>/dev/null && echo "-i") \ + -e "KUBERNETES_PROVIDER=${KUBERNETES_PROVIDER}" \ + -v "${KUBE_ROOT}:/go/src/github.com/GoogleCloudPlatform/kubernetes" \ + ${kube_config_mount} \ + -v "/var/run/docker.sock:/var/run/docker.sock" \ + --link docker_mesosmaster1_1:mesosmaster1 \ + --link docker_apiserver_1:apiserver \ + --entrypoint="${entrypoint}" \ + mesosphere/kubernetes-mesos-test \ + ${args} + + return "$?" } # Run kube-cagen.sh inside docker. @@ -125,29 +110,32 @@ function cluster::mesos::docker::run_in_docker_test { function cluster::mesos::docker::run_in_docker_cagen { local out_dir="$1" - container_id=$( - docker run \ - -d \ - -v "${out_dir}:/var/run/kubernetes/auth" \ - --entrypoint="kube-cagen.sh" \ - mesosphere/kubernetes-mesos-keygen \ - "/var/run/kubernetes/auth" - ) - - docker logs -f "${container_id}" & - - # trap and kill for better signal handing - trap 'echo "Killing container ${container_id}" 1>&2 && docker kill ${container_id}' INT TERM - exit_status=$(docker wait "${container_id}") - trap - INT TERM + docker run \ + --rm \ + -t $(tty &>/dev/null && echo "-i") \ + -v "${out_dir}:/var/run/kubernetes/auth" \ + mesosphere/kubernetes-keygen:v1.0.0 \ + "cagen" \ + "/var/run/kubernetes/auth" - if [ "$exit_status" != 0 ]; then - echo "Exited ${exit_status}" 1>&2 - fi - - docker rm -f "${container_id}" > /dev/null + return "$?" +} - return "${exit_status}" +# Run kube-keygen.sh inside docker. +function cluster::mesos::docker::run_in_docker_keygen { + local out_file_path="$1" + local out_dir="$(dirname "${out_file_path}")" + local out_file="$(basename "${out_file_path}")" + + docker run \ + --rm \ + -t $(tty &>/dev/null && echo "-i") \ + -v "${out_dir}:/var/run/kubernetes/auth" \ + mesosphere/kubernetes-keygen:v1.0.0 \ + "keygen" \ + "/var/run/kubernetes/auth/${out_file}" + + return "$?" } # Generate kubeconfig data for the created cluster. @@ -238,10 +226,13 @@ function cluster::mesos::docker::init_auth { rm -rf "${auth_dir}"/* echo "Creating Certificate Authority" 1>&2 - cluster::mesos::docker::run_in_docker_cagen "${auth_dir}" + cluster::mesos::docker::buffer_output cluster::mesos::docker::run_in_docker_cagen "${auth_dir}" + echo "Certificate Authority Key: ${auth_dir}/root-ca.key" 1>&2 + echo "Certificate Authority Cert: ${auth_dir}/root-ca.crt" 1>&2 - echo "Creating Service-Account RSA Key" 1>&2 - cluster::mesos::docker::create_rsa_key "${auth_dir}/service-accounts.key" + echo "Creating Service Account RSA Key" 1>&2 + cluster::mesos::docker::buffer_output cluster::mesos::docker::run_in_docker_keygen "${auth_dir}/service-accounts.key" + echo "Service Account Key: ${auth_dir}/service-accounts.key" 1>&2 echo "Creating User Accounts" 1>&2 cluster::mesos::docker::create_token_user "cluster-admin" > "${auth_dir}/token-users" @@ -272,7 +263,6 @@ function kube-up { # TODO: version images (k8s version, git sha, and dirty state) to avoid re-building them every time. "${provider_root}/km/build.sh" "${provider_root}/test/build.sh" - "${provider_root}/keygen/build.sh" fi cluster::mesos::docker::init_auth @@ -390,3 +380,38 @@ function cluster::mesos::docker::dump_logs { docker logs "${name}" &> "${out_dir}/${name}.log" done < <(cluster::mesos::docker::docker_compose ps -q | xargs docker inspect --format '{{.Name}}') } + +# Creates a k8s token auth user file. +# See /docs/admin/authentication.md +function cluster::mesos::docker::create_token_user { + local user_name="$1" + echo "$(openssl rand -hex 32),${user_name},${user_name}" +} + +# Creates a k8s basic auth user file. +# See /docs/admin/authentication.md +function cluster::mesos::docker::create_basic_user { + local user_name="$1" + local password="$2" + echo "${password},${user_name},${user_name}" +} + +# Buffers command output to file, prints output on failure. +function cluster::mesos::docker::buffer_output { + local cmd="$@" + local tempfile="$(mktemp "${TMPDIR:-/tmp}/buffer.XXXXXX")" + trap "kill -TERM \${PID}; rm '${tempfile}'" TERM INT + set +e + ${cmd} &> "${tempfile}" & + PID=$! + wait ${PID} + trap - TERM INT + wait ${PID} + local exit_status="$?" + set -e + if [ "${exit_status}" != 0 ]; then + cat "${tempfile}" 1>&2 + fi + rm "${tempfile}" + return "${exit_status}" +} diff --git a/contrib/mesos/ci/run-with-cluster.sh b/contrib/mesos/ci/run-with-cluster.sh index 8b11e6f6975d9..ab7211d3e25b8 100755 --- a/contrib/mesos/ci/run-with-cluster.sh +++ b/contrib/mesos/ci/run-with-cluster.sh @@ -56,7 +56,7 @@ echo "${DOCKER_BIN_PATH}" # Clean (k8s output & images), Build, Kube-Up, Test, Kube-Down cd "${KUBE_ROOT}" -exec docker run \ +docker run \ --rm \ -v "${KUBE_ROOT}:/go/src/github.com/GoogleCloudPlatform/kubernetes" \ -v "/var/run/docker.sock:/var/run/docker.sock" \ diff --git a/third_party/intemp/LICENSE b/third_party/intemp/LICENSE new file mode 100644 index 0000000000000..d645695673349 --- /dev/null +++ b/third_party/intemp/LICENSE @@ -0,0 +1,202 @@ + + Apache License + Version 2.0, January 2004 + http://www.apache.org/licenses/ + + TERMS AND CONDITIONS FOR USE, REPRODUCTION, AND DISTRIBUTION + + 1. Definitions. + + "License" shall mean the terms and conditions for use, reproduction, + and distribution as defined by Sections 1 through 9 of this document. + + "Licensor" shall mean the copyright owner or entity authorized by + the copyright owner that is granting the License. + + "Legal Entity" shall mean the union of the acting entity and all + other entities that control, are controlled by, or are under common + control with that entity. For the purposes of this definition, + "control" means (i) the power, direct or indirect, to cause the + direction or management of such entity, whether by contract or + otherwise, or (ii) ownership of fifty percent (50%) or more of the + outstanding shares, or (iii) beneficial ownership of such entity. + + "You" (or "Your") shall mean an individual or Legal Entity + exercising permissions granted by this License. + + "Source" form shall mean the preferred form for making modifications, + including but not limited to software source code, documentation + source, and configuration files. + + "Object" form shall mean any form resulting from mechanical + transformation or translation of a Source form, including but + not limited to compiled object code, generated documentation, + and conversions to other media types. + + "Work" shall mean the work of authorship, whether in Source or + Object form, made available under the License, as indicated by a + copyright notice that is included in or attached to the work + (an example is provided in the Appendix below). + + "Derivative Works" shall mean any work, whether in Source or Object + form, that is based on (or derived from) the Work and for which the + editorial revisions, annotations, elaborations, or other modifications + represent, as a whole, an original work of authorship. For the purposes + of this License, Derivative Works shall not include works that remain + separable from, or merely link (or bind by name) to the interfaces of, + the Work and Derivative Works thereof. + + "Contribution" shall mean any work of authorship, including + the original version of the Work and any modifications or additions + to that Work or Derivative Works thereof, that is intentionally + submitted to Licensor for inclusion in the Work by the copyright owner + or by an individual or Legal Entity authorized to submit on behalf of + the copyright owner. For the purposes of this definition, "submitted" + means any form of electronic, verbal, or written communication sent + to the Licensor or its representatives, including but not limited to + communication on electronic mailing lists, source code control systems, + and issue tracking systems that are managed by, or on behalf of, the + Licensor for the purpose of discussing and improving the Work, but + excluding communication that is conspicuously marked or otherwise + designated in writing by the copyright owner as "Not a Contribution." + + "Contributor" shall mean Licensor and any individual or Legal Entity + on behalf of whom a Contribution has been received by Licensor and + subsequently incorporated within the Work. + + 2. Grant of Copyright License. Subject to the terms and conditions of + this License, each Contributor hereby grants to You a perpetual, + worldwide, non-exclusive, no-charge, royalty-free, irrevocable + copyright license to reproduce, prepare Derivative Works of, + publicly display, publicly perform, sublicense, and distribute the + Work and such Derivative Works in Source or Object form. + + 3. Grant of Patent License. Subject to the terms and conditions of + this License, each Contributor hereby grants to You a perpetual, + worldwide, non-exclusive, no-charge, royalty-free, irrevocable + (except as stated in this section) patent license to make, have made, + use, offer to sell, sell, import, and otherwise transfer the Work, + where such license applies only to those patent claims licensable + by such Contributor that are necessarily infringed by their + Contribution(s) alone or by combination of their Contribution(s) + with the Work to which such Contribution(s) was submitted. If You + institute patent litigation against any entity (including a + cross-claim or counterclaim in a lawsuit) alleging that the Work + or a Contribution incorporated within the Work constitutes direct + or contributory patent infringement, then any patent licenses + granted to You under this License for that Work shall terminate + as of the date such litigation is filed. + + 4. Redistribution. You may reproduce and distribute copies of the + Work or Derivative Works thereof in any medium, with or without + modifications, and in Source or Object form, provided that You + meet the following conditions: + + (a) You must give any other recipients of the Work or + Derivative Works a copy of this License; and + + (b) You must cause any modified files to carry prominent notices + stating that You changed the files; and + + (c) You must retain, in the Source form of any Derivative Works + that You distribute, all copyright, patent, trademark, and + attribution notices from the Source form of the Work, + excluding those notices that do not pertain to any part of + the Derivative Works; and + + (d) If the Work includes a "NOTICE" text file as part of its + distribution, then any Derivative Works that You distribute must + include a readable copy of the attribution notices contained + within such NOTICE file, excluding those notices that do not + pertain to any part of the Derivative Works, in at least one + of the following places: within a NOTICE text file distributed + as part of the Derivative Works; within the Source form or + documentation, if provided along with the Derivative Works; or, + within a display generated by the Derivative Works, if and + wherever such third-party notices normally appear. The contents + of the NOTICE file are for informational purposes only and + do not modify the License. You may add Your own attribution + notices within Derivative Works that You distribute, alongside + or as an addendum to the NOTICE text from the Work, provided + that such additional attribution notices cannot be construed + as modifying the License. + + You may add Your own copyright statement to Your modifications and + may provide additional or different license terms and conditions + for use, reproduction, or distribution of Your modifications, or + for any such Derivative Works as a whole, provided Your use, + reproduction, and distribution of the Work otherwise complies with + the conditions stated in this License. + + 5. Submission of Contributions. Unless You explicitly state otherwise, + any Contribution intentionally submitted for inclusion in the Work + by You to the Licensor shall be under the terms and conditions of + this License, without any additional terms or conditions. + Notwithstanding the above, nothing herein shall supersede or modify + the terms of any separate license agreement you may have executed + with Licensor regarding such Contributions. + + 6. Trademarks. This License does not grant permission to use the trade + names, trademarks, service marks, or product names of the Licensor, + except as required for reasonable and customary use in describing the + origin of the Work and reproducing the content of the NOTICE file. + + 7. Disclaimer of Warranty. Unless required by applicable law or + agreed to in writing, Licensor provides the Work (and each + Contributor provides its Contributions) on an "AS IS" BASIS, + WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or + implied, including, without limitation, any warranties or conditions + of TITLE, NON-INFRINGEMENT, MERCHANTABILITY, or FITNESS FOR A + PARTICULAR PURPOSE. You are solely responsible for determining the + appropriateness of using or redistributing the Work and assume any + risks associated with Your exercise of permissions under this License. + + 8. Limitation of Liability. In no event and under no legal theory, + whether in tort (including negligence), contract, or otherwise, + unless required by applicable law (such as deliberate and grossly + negligent acts) or agreed to in writing, shall any Contributor be + liable to You for damages, including any direct, indirect, special, + incidental, or consequential damages of any character arising as a + result of this License or out of the use or inability to use the + Work (including but not limited to damages for loss of goodwill, + work stoppage, computer failure or malfunction, or any and all + other commercial damages or losses), even if such Contributor + has been advised of the possibility of such damages. + + 9. Accepting Warranty or Additional Liability. While redistributing + the Work or Derivative Works thereof, You may choose to offer, + and charge a fee for, acceptance of support, warranty, indemnity, + or other liability obligations and/or rights consistent with this + License. However, in accepting such obligations, You may act only + on Your own behalf and on Your sole responsibility, not on behalf + of any other Contributor, and only if You agree to indemnify, + defend, and hold each Contributor harmless for any liability + incurred by, or claims asserted against, such Contributor by reason + of your accepting any such warranty or additional liability. + + END OF TERMS AND CONDITIONS + + APPENDIX: How to apply the Apache License to your work. + + To apply the Apache License to your work, attach the following + boilerplate notice, with the fields enclosed by brackets "[]" + replaced with your own identifying information. (Don't include + the brackets!) The text should be enclosed in the appropriate + comment syntax for the file format. We also recommend that a + file or class name and description of purpose be included on the + same "printed page" as the copyright notice for easier + identification within third-party archives. + + Copyright [yyyy] [name of copyright owner] + + Licensed under the Apache License, Version 2.0 (the "License"); + you may not use this file except in compliance with the License. + You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + + Unless required by applicable law or agreed to in writing, software + distributed under the License is distributed on an "AS IS" BASIS, + WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + See the License for the specific language governing permissions and + limitations under the License. diff --git a/third_party/intemp/Makefile b/third_party/intemp/Makefile new file mode 100644 index 0000000000000..596b70941bc93 --- /dev/null +++ b/third_party/intemp/Makefile @@ -0,0 +1,12 @@ +prefix=/usr/local/bin + +default: build + +build: + @echo "Nothing to build. Use make install" + +install: intemp.sh + install intemp.sh $(DESTDIR)$(prefix) + +uninstall: + -rm $(DESTDIR)$(prefix)/intemp.sh diff --git a/third_party/intemp/README.md b/third_party/intemp/README.md new file mode 100644 index 0000000000000..c5d9fe95bb82e --- /dev/null +++ b/third_party/intemp/README.md @@ -0,0 +1,52 @@ +# intemp + +A bash script to execute a command within a temporary work directory. + + +## Dependencies + +Requires: mktemp + + +## Install + +``` +git clone https://github.com/karlkfi/intemp +cd intemp +make install +``` + +or + +``` +curl -o- https://raw.githubusercontent.com/karlkfi/intemp/master/install.sh | bash +``` + +## Usage + +``` +intemp.sh [-t prefix] "" +``` + +Example (install intemp using intemp): + +``` +intemp.sh -t intemp "git clone https://github.com/karlkfi/intemp . && make install" +``` + + +## License + +Copyright 2015 Karl Isenberg + +Licensed under the Apache License, Version 2.0 (the "License"); +you may not use this file except in compliance with the License. +You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + +Unless required by applicable law or agreed to in writing, software +distributed under the License is distributed on an "AS IS" BASIS, +WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +See the License for the specific language governing permissions and +limitations under the License. \ No newline at end of file diff --git a/third_party/intemp/install.sh b/third_party/intemp/install.sh new file mode 100755 index 0000000000000..1f6feb561dbda --- /dev/null +++ b/third_party/intemp/install.sh @@ -0,0 +1,21 @@ +#!/usr/bin/env bash + +# Install intemp from the internet +# Usage: install.sh [version] +# Alt Usage: curl -o- https://raw.githubusercontent.com/karlkfi/intemp/master/install.sh | bash +# Requires: curl + +set -o errexit +set -o nounset +set -o pipefail + +prefix="/usr/local/bin" + +version=${1:-} +if [ -z "${version}" ]; then + version=$(curl -s https://api.github.com/repos/karlkfi/intemp/releases/latest | grep 'tag_name' | cut -d\" -f4) +fi + +echo "Installing intemp ${version} -> ${prefix}/intemp.sh" +curl -o- "https://raw.githubusercontent.com/karlkfi/intemp/${version}/intemp.sh" > "${prefix}/intemp.sh" +chmod a+x "${prefix}/intemp.sh" diff --git a/third_party/intemp/intemp.sh b/third_party/intemp/intemp.sh new file mode 100755 index 0000000000000..fd2926a924333 --- /dev/null +++ b/third_party/intemp/intemp.sh @@ -0,0 +1,41 @@ +#!/usr/bin/env bash + +# Runs the supplied bash command string in a temporary workspace directory. +# Usage: intemp.sh [-t prefix] +# Requires: mktemp + +set -o errexit +set -o nounset +set -o pipefail + +opt_flag=${1:-} +[ -z "${opt_flag}" ] && echo "No command supplied" >&2 && exit 1 + +if [ "${opt_flag}" == "-t" ]; then + shift + prefix=${1:-} + [ -z "${prefix}" ] && echo "No prefix supplied" >&2 && exit 1 + shift +else + prefix='temp' +fi + +cmd="$1" +[ -z "${cmd}" ] && echo "No command supplied" >&2 && exit 1 + +workspace=$(mktemp -d "${TMPDIR:-/tmp}/${prefix}.XXXXXX") +echo "Workspace created: ${workspace}" 1>&2 + +cleanup() { + local -r workspace="$1" + rm -rf "${workspace}" + echo "Workspace deleted: ${workspace}" 1>&2 +} +trap "cleanup '${workspace}'" EXIT + +pushd "${workspace}" > /dev/null +bash -ceu "${cmd}" +popd > /dev/null + +trap - EXIT +cleanup "${workspace}"