porkadot 0.1.0

data/lib/porkadot/assets/certs/k8s.rb

@@ -0,0 +1,90 @@
+
+class Porkadot::Assets::Certs::Kubernetes
+  include Porkadot::Assets::CertsUtils
+  attr_reader :global_config
+  attr_reader :config
+  attr_reader :logger
+
+  def initialize global_config
+    @config = Porkadot::Configs::Certs::Kubernetes.new(global_config)
+    @logger = config.logger
+    @global_config = config.config
+  end
+
+  def ca_name
+    '/CN=kube-ca'
+  end
+
+  def client_name
+    '/O=system:masters/CN=admin'
+  end
+
+  def apiserver_key
+    @apiserver_key ||= private_key(config.apiserver_key_path)
+    return @apiserver_key
+  end
+
+  def apiserver_cert(refresh=false)
+    return @apiserver_cert if defined?(@apiserver_cert)
+    if File.file?(config.apiserver_cert_path) and !refresh
+      self.logger.debug("--> APIserver cert already exists, skipping: #{config.apiserver_cert_path}")
+      @apiserver_cert = OpenSSL::X509::Certificate.new(File.read(config.apiserver_cert_path))
+    else
+      @apiserver_cert = _apiserver_cert(config.apiserver_cert_path, self.apiserver_key, self.ca_cert, self.ca_key)
+    end
+    return @apiserver_cert
+  end
+
+  def kubelet_client_key
+    @kubelet_client_key ||= private_key(config.kubelet_client_key_path)
+    return @kubelet_client_key
+  end
+
+  def kubelet_client_cert(refresh=false)
+    return @kubelet_client_cert if defined?(@kubelet_client_cert)
+    if File.file?(config.kubelet_client_cert_path) and !refresh
+      self.logger.debug("--> Kubelet client cert already exists, skipping: #{config.kubelet_client_cert_path}")
+      @kubelet_client_cert = OpenSSL::X509::Certificate.new(File.read(config.kubelet_client_cert_path))
+    else
+      @kubelet_client_cert = _client_cert(
+        config.kubelet_client_cert_path,
+        '/O=system:masters/CN=kube-kubelet-client',
+        self.kubelet_client_key,
+        self.ca_cert(false),
+        self.ca_key
+      )
+    end
+    return @kubelet_client_cert
+  end
+
+  def sa_private_key
+    @sa_private_key ||= private_key(config.sa_private_key_path)
+    return @sa_private_key
+  end
+
+  def sa_public_key
+    @sa_public_key ||= public_key(config.sa_public_key_path, self.sa_private_key)
+    return @sa_public_key
+  end
+
+  def _apiserver_cert(path, client_key, ca_cert, ca_key)
+    cert = unsigned_cert('/CN=apiserver', client_key, ca_cert, 1 * 365 * 24 * 60 * 60)
+
+    ef = OpenSSL::X509::ExtensionFactory.new
+    ef.subject_certificate = cert
+    ef.issuer_certificate = ca_cert
+    cert.add_extension(ef.create_extension("basicConstraints","CA:FALSE",true))
+    cert.add_extension(ef.create_extension("keyUsage","nonRepudiation, digitalSignature, keyEncipherment", true))
+    cert.add_extension(ef.create_extension("extendedKeyUsage","clientAuth, serverAuth",true))
+
+    cert.add_extension(ef.create_extension("subjectAltName", self.config.additional_sans.join(','), true))
+    cert.sign(ca_key, OpenSSL::Digest::SHA256.new)
+
+    File.open path, 'wb' do |f|
+      f.write cert.to_pem
+    end
+
+    return cert
+  end
+
+end

data/lib/porkadot/assets/certs.rb

@@ -0,0 +1,175 @@
+require 'openssl'
+require 'fileutils'
+require 'base64'
+#OpenSSL::Random.seed File.read('/dev/random', 16)
+
+module Porkadot; module Assets
+
+  module CertsUtils
+
+    def to_pem(key_or_cert)
+      self.send(key_or_cert.to_sym).to_pem
+    end
+
+    def to_base64(key_or_cert)
+      Base64.strict_encode64(self.to_pem(key_or_cert))
+    end
+
+    def ca_name
+      raise "Not implemented"
+    end
+
+    def ca_key
+      @ca_key ||= private_key(config.ca_key_path)
+      return @ca_key
+    end
+
+    def ca_cert(refresh=false)
+      return @ca_cert if defined?(@ca_cert)
+      if File.file?(config.ca_cert_path) and !refresh
+        self.logger.debug("--> CA cert already exists, skipping: #{config.ca_cert_path}")
+        @ca_cert = OpenSSL::X509::Certificate.new(File.read(config.ca_cert_path))
+      else
+        @ca_cert = _ca_cert(config.ca_cert_path, self.ca_name, self.ca_key)
+      end
+      return @ca_cert
+    end
+
+    def client_name
+      raise "Not implemented"
+    end
+
+    def client_key
+      @client_key ||= private_key(config.client_key_path)
+      return @client_key
+    end
+
+    def client_cert(refresh=false)
+      return @client_cert if defined?(@client_cert)
+      if File.file?(config.client_cert_path) and !refresh
+        self.logger.debug("--> Client cert already exists, skipping: #{config.client_cert_path}")
+        @client_cert = OpenSSL::X509::Certificate.new(File.read(config.client_cert_path))
+      else
+        @client_cert = _client_cert(config.client_cert_path, self.client_name, self.client_key, self.ca_cert(false), self.ca_key)
+      end
+      return @client_cert
+    end
+
+    def private_key(path)
+      if File.file?(path)
+        self.logger.debug("--> Private key already exists, skipping: #{path}")
+        key = OpenSSL::PKey::RSA.new File.read(path)
+      else
+        dir = File.dirname(path)
+        FileUtils.mkdir_p(dir)
+        key = OpenSSL::PKey::RSA.new 2048
+        File.open path, 'wb' do |f|
+          f.write key.export(nil, nil)
+        end
+      end
+      return key
+    end
+
+    def public_key(path, key)
+      public_key = key.public_key
+      if File.file?(path)
+        self.logger.debug("--> Public key already exists, skipping: #{path}")
+      else
+        dir = File.dirname(path)
+        FileUtils.mkdir_p(dir)
+        File.open path, 'wb' do |f|
+          f.write public_key.export(nil, nil)
+        end
+      end
+      return public_key
+    end
+
+    def random_number
+      return (0...8).map{ (0 + rand(10)) }.join.to_i
+    end
+
+    def unsigned_cert(name, key, ca_cert=nil, expire=(1 * 365 * 24 * 60 * 60))
+      cert = OpenSSL::X509::Certificate.new
+
+      cert.version = 2 # cf. RFC 5280 - to make it a "v3" certificate
+      cert.serial = self.random_number
+      cert.subject = OpenSSL::X509::Name.parse name
+      if ca_cert
+        cert.issuer = ca_cert.subject
+      else
+        cert.issuer = cert.subject # root CA's are "self-signed"
+      end
+      cert.public_key = key.public_key
+      cert.not_before = Time.now
+      cert.not_after = cert.not_before + expire
+      return cert
+    end
+
+    def _ca_cert(path, name, root_key)
+      root_ca = unsigned_cert(name, root_key, nil, 2 * 365 * 24 * 60 * 60)
+
+      ef = OpenSSL::X509::ExtensionFactory.new
+      ef.subject_certificate = root_ca
+      ef.issuer_certificate = root_ca
+      root_ca.add_extension(ef.create_extension("basicConstraints","CA:TRUE",true))
+      root_ca.add_extension(ef.create_extension("keyUsage","keyCertSign, cRLSign", true))
+      root_ca.add_extension(ef.create_extension("subjectKeyIdentifier","hash",false))
+      root_ca.add_extension(ef.create_extension("authorityKeyIdentifier","keyid:always",false))
+      root_ca.sign(root_key, OpenSSL::Digest::SHA256.new)
+
+      File.open path, 'wb' do |f|
+        f.write root_ca.to_pem
+      end
+
+      return root_ca
+    end
+
+    def _client_cert(path, name, client_key, ca_cert, ca_key)
+      cert = unsigned_cert(name, client_key, ca_cert, 1 * 365 * 24 * 60 * 60)
+
+      ef = OpenSSL::X509::ExtensionFactory.new
+      ef.subject_certificate = cert
+      ef.issuer_certificate = ca_cert
+      cert.add_extension(ef.create_extension("basicConstraints","CA:FALSE",true))
+      cert.add_extension(ef.create_extension("keyUsage","nonRepudiation, digitalSignature, keyEncipherment", true))
+      cert.add_extension(ef.create_extension("extendedKeyUsage","clientAuth",true))
+      cert.sign(ca_key, OpenSSL::Digest::SHA256.new)
+
+      File.open path, 'wb' do |f|
+        f.write cert.to_pem
+      end
+
+      return cert
+    end
+
+  end
+
+end; end
+
+class Porkadot::Assets::Certs
+  attr_reader :global_config
+
+  def initialize config
+    @global_config = config
+  end
+
+  def etcd
+    @etcd ||= Porkadot::Assets::Certs::Etcd.new(self.global_config)
+    return @etcd
+  end
+
+  def kubernetes
+    @kubernetes ||= Porkadot::Assets::Certs::Kubernetes.new(self.global_config)
+    return @kubernetes
+  end
+
+  def front_proxy
+    @front_proxy ||= Porkadot::Assets::Certs::FrontProxy.new(self.global_config)
+    return @front_proxy
+  end
+
+end
+
+require 'porkadot/assets/certs/etcd'
+require 'porkadot/assets/certs/k8s'
+require 'porkadot/assets/certs/front_proxy'

data/lib/porkadot/assets/etcd/etcd-server.yaml.erb

@@ -0,0 +1,57 @@
+apiVersion: v1
+kind: Pod
+metadata:
+  name: etcd
+  namespace: kube-system
+  labels:
+    tier: control-plane
+    component: etcd
+spec:
+  hostNetwork: true
+  containers:
+  - name: etcd
+    image: <%= etcd.image_repository %>:<%= etcd.image_tag %>
+    command:
+    - /usr/local/bin/etcd
+    - --name=<%= config.member_name %>
+    - --advertise-client-urls=<%= config.advertise_client_urls.join(',') %>
+    - --initial-advertise-peer-urls=<%= config.advertise_peer_urls.join(',') %>
+    - --initial-cluster=<%= config.initial_cluster.map{|k,v| "#{k}=#{v}"}.join(',') %>
+    - --listen-client-urls=<%= config.listen_client_urls.join(',') %>
+    - --listen-peer-urls=<%= config.listen_peer_urls.join(',') %>
+    - --client-cert-auth=true
+    - --cert-file=/etc/etcd/pki/etcd.crt
+    - --key-file=/etc/etcd/pki/etcd.key
+    - --trusted-ca-file=/etc/etcd/pki/ca.crt
+    - --peer-client-cert-auth=true
+    - --peer-cert-file=/etc/etcd/pki/etcd.crt
+    - --peer-key-file=/etc/etcd/pki/etcd.key
+    - --peer-trusted-ca-file=/etc/etcd/pki/ca.crt
+    - --data-dir=/var/lib/etcd
+    - --heartbeat-interval=1000
+    - --election-timeout=10000
+    volumeMounts:
+    - mountPath: /var/lib/etcd
+      name: etcd
+    - mountPath: /etc/ssl/certs
+      name: ssl-certs-host
+      readOnly: true
+    - mountPath: /usr/share/ca-certificates
+      name: ca-certs-host
+      readOnly: true
+    - mountPath: /etc/etcd/pki
+      name: etcd-certs-host
+      readOnly: true
+  volumes:
+  - hostPath:
+      path: /var/lib/etcd
+    name: etcd
+  - hostPath:
+      path: /etc/ssl/certs
+    name: ssl-certs-host
+  - hostPath:
+      path: /usr/share/ca-certificates
+    name: ca-certs-host
+  - hostPath:
+      path: /etc/etcd/pki
+    name: etcd-certs-host

data/lib/porkadot/assets/etcd/install.sh.erb

@@ -0,0 +1,12 @@
+#!/bin/bash
+
+set -eu
+export LC_ALL=C
+ROOT=$(dirname "${BASH_SOURCE}")
+
+mkdir -p /etc/etcd/pki
+cp ${ROOT}/etcd.crt /etc/etcd/pki/
+cp ${ROOT}/etcd.key /etc/etcd/pki/
+cp ${ROOT}/ca.crt /etc/etcd/pki/
+mkdir -p /etc/kubernetes/manifests
+cp ${ROOT}/etcd-server.yaml /etc/kubernetes/manifests/

data/lib/porkadot/assets/etcd.rb

@@ -0,0 +1,109 @@
+require 'openssl'
+require 'fileutils'
+require 'erb'
+require 'base64'
+
+module Porkadot; module Assets
+  class EtcdList
+    attr_reader :global_config
+    attr_reader :logger
+    attr_reader :nodes
+
+    def initialize global_config
+      @global_config = global_config
+      @logger = global_config.logger
+      @nodes = {}
+      global_config.etcd_nodes.each do |k, config|
+        @nodes[k] = EtcdNode.new(config)
+      end
+    end
+
+    def render
+      self.nodes.each do |_, v|
+        v.render
+      end
+    end
+
+    def [](name)
+      self.nodes[name]
+    end
+  end
+
+  class EtcdNode
+    include Porkadot::Assets
+    TEMPLATE_DIR = File.join(File.dirname(__FILE__), "etcd")
+
+    attr_reader :global_config
+    attr_reader :config
+    attr_reader :logger
+    attr_reader :certs
+
+    def initialize config
+      @config = config
+      @logger = config.logger
+      @global_config = config.config
+      @certs = Porkadot::Assets::Certs::Etcd.new(global_config)
+    end
+
+    def render
+      logger.info "--> Rendering #{config.name} node"
+      unless File.directory?(config.target_path)
+        FileUtils.mkdir_p(config.target_path)
+      end
+      render_ca_crt
+      render_etcd_crt
+      render_erb 'etcd-server.yaml', etcd: global_config.etcd
+      render_erb 'install.sh', etcd: global_config.etcd
+    end
+
+    def render_ca_crt
+      logger.info "----> ca.crt"
+      open(config.ca_crt_path, 'w') do |out|
+        out.write self.certs.ca_cert(false).to_pem
+      end
+    end
+
+    def render_etcd_crt
+      logger.info "----> etcd.crt"
+      self.etcd_key
+      self.etcd_cert(true)
+    end
+
+    def etcd_key
+      @etcd_key ||= certs.private_key(config.etcd_key_path)
+      return @etcd_key
+    end
+
+    def etcd_cert(refresh=false)
+      return @etcd_cert if defined?(@etcd_cert)
+      if File.file?(config.etcd_crt_path) and !refresh
+        self.logger.debug("--> Etcd cert already exists, skipping: #{config.etcd_cert_path}")
+        @etcd_cert = OpenSSL::X509::Certificate.new(File.read(config.etcd_cert_path))
+      else
+        ca_key = self.certs.ca_key
+        ca_cert = self.certs.ca_cert(false)
+        @etcd_cert = certs.unsigned_cert(
+          "/O=porkadot:etcd-servers/CN=porkadot:etcd-server-#{config.member_name}",
+          self.etcd_key, ca_cert,
+          1 * 365 * 24 * 60 * 60
+        )
+
+        ef = OpenSSL::X509::ExtensionFactory.new
+        ef.subject_certificate = @etcd_cert
+        ef.issuer_certificate = ca_cert
+        @etcd_cert.add_extension(ef.create_extension("basicConstraints","CA:FALSE",true))
+        @etcd_cert.add_extension(ef.create_extension("keyUsage","nonRepudiation, digitalSignature, keyEncipherment", true))
+        @etcd_cert.add_extension(ef.create_extension("extendedKeyUsage","clientAuth, serverAuth",true))
+
+        @etcd_cert.add_extension(ef.create_extension("subjectAltName", self.config.additional_sans.join(','), true))
+        @etcd_cert.sign(ca_key, OpenSSL::Digest::SHA256.new)
+
+        File.open config.etcd_crt_path, 'wb' do |f|
+          f.write @etcd_cert.to_pem
+        end
+      end
+      return @etcd_cert
+    end
+
+  end
+end; end

data/lib/porkadot/assets/kubelet/bootstrap-kubelet.conf.erb

@@ -0,0 +1,21 @@
+apiVersion: v1
+clusters:
+- cluster:
+    certificate-authority-data: <%= ca_data %>
+    server: https://<%= config.control_plane_endpoint %>
+  name: bootstrap
+contexts:
+- context:
+    cluster: bootstrap
+    user: kubelet-bootstrap
+  name: bootstrap
+current-context: bootstrap
+kind: Config
+preferences: {}
+users:
+- name: kubelet-bootstrap
+  user:
+    client-certificate: /etc/kubernetes/pki/bootstrap.crt
+    client-key: /etc/kubernetes/pki/bootstrap.key
+
+# vim:filetype=yaml

data/lib/porkadot/assets/kubelet/config.yaml.erb

@@ -0,0 +1,36 @@
+apiVersion: kubelet.config.k8s.io/v1beta1
+authentication:
+  anonymous:
+    enabled: false
+  webhook:
+    cacheTTL: 0s
+    enabled: true
+  x509:
+    clientCAFile: /etc/kubernetes/pki/ca.crt
+authorization:
+  mode: Webhook
+  webhook:
+    cacheAuthorizedTTL: 0s
+    cacheUnauthorizedTTL: 0s
+clusterDNS:
+  - <%= global_config.k8s.networking.dns_ip %>
+clusterDomain: <%= global_config.k8s.networking.dns_domain %>
+cpuManagerReconcilePeriod: 0s
+evictionPressureTransitionPeriod: 0s
+fileCheckFrequency: 0s
+healthzBindAddress: 127.0.0.1
+healthzPort: 10248
+httpCheckFrequency: 0s
+imageMinimumGCAge: 0s
+kind: KubeletConfiguration
+nodeStatusReportFrequency: 0s
+nodeStatusUpdateFrequency: 0s
+rotateCertificates: true
+runtimeRequestTimeout: 0s
+staticPodPath: /etc/kubernetes/manifests
+streamingConnectionIdleTimeout: 0s
+syncFrequency: 0s
+volumeStatsAggPeriod: 0s
+serverTLSBootstrap: true
+
+# vim:filetype=yaml

data/lib/porkadot/assets/kubelet/install-deps.sh.erb

@@ -0,0 +1,21 @@
+#!/bin/bash
+
+CNI_VERSION="<%= global_config.k8s.networking.cni_version %>"
+mkdir -p /opt/cni/bin
+curl -L "https://github.com/containernetworking/plugins/releases/download/${CNI_VERSION}/cni-plugins-linux-amd64-${CNI_VERSION}.tgz" | tar -C /opt/cni/bin -xz
+
+RELEASE="<%= global_config.k8s.kubernetes_version %>"
+
+mkdir -p /opt/bin
+
+curl -L https://storage.googleapis.com/kubernetes-release/release/${RELEASE}/bin/linux/amd64/kubectl \
+  -o /opt/bin/kubectl-${RELEASE}
+chmod +x /opt/bin/kubectl-${RELEASE}
+rm -f /opt/bin/kubectl
+ln -s /opt/bin/kubectl-${RELEASE} /opt/bin/kubectl
+
+curl -L https://storage.googleapis.com/kubernetes-release/release/${RELEASE}/bin/linux/amd64/kubelet \
+  -o /opt/bin/kubelet-${RELEASE}
+chmod +x /opt/bin/kubelet-${RELEASE}
+rm -f /opt/bin/kubelet
+ln -s /opt/bin/kubelet-${RELEASE} /opt/bin/kubelet

data/lib/porkadot/assets/kubelet/install-pkgs.sh.erb

@@ -0,0 +1,33 @@
+#!/bin/bash
+set -eu
+export LC_ALL=C
+ROOT=$(dirname "${BASH_SOURCE}")
+
+if type apt-get > /dev/null 2>&1 ;then
+  apt-get update
+  apt-get install -y \
+      ca-certificates \
+      conntrack \
+      e2fsprogs \
+      xfsprogs \
+      ebtables \
+      ethtool \
+      git \
+      iptables \
+      ipset \
+      jq \
+      kmod \
+      openssh-client \
+      netbase \
+      nfs-common \
+      socat \
+      udev \
+      util-linux
+fi
+
+cat <<EOF >  /etc/sysctl.d/k8s.conf
+net.bridge.bridge-nf-call-ip6tables = 1
+net.bridge.bridge-nf-call-iptables = 1
+EOF
+
+sysctl --system

data/lib/porkadot/assets/kubelet/install.sh.erb

@@ -0,0 +1,35 @@
+#!/bin/bash
+
+set -eu
+export LC_ALL=C
+ROOT=$(dirname "${BASH_SOURCE}")
+
+export KUBERNETES_PATH="/etc/kubernetes"
+export KUBERNETES_PKI_PATH="${KUBERNETES_PATH}/pki"
+export KUBERNETES_MANIFESTS_PATH="${KUBERNETES_PATH}/manifests"
+export KUBELET_PATH="/var/lib/kubelet"
+
+mkdir -p ${KUBERNETES_PATH}
+mkdir -p ${KUBERNETES_PKI_PATH}
+mkdir -p ${KUBERNETES_MANIFESTS_PATH}
+mkdir -p ${KUBELET_PATH}
+
+cp ${ROOT}/bootstrap-kubelet.conf ${KUBERNETES_PATH}/
+cp ${ROOT}/bootstrap.* ${KUBERNETES_PKI_PATH}/
+cp ${ROOT}/ca.crt ${KUBERNETES_PKI_PATH}/
+cp ${ROOT}/config.yaml ${KUBELET_PATH}/
+cp ${ROOT}/kubelet.service /etc/systemd/system/
+
+# Install addons
+for addon in $(ls ${ROOT}/addons/); do
+  install_sh="${ROOT}/addons/${addon}/install.sh"
+  if [[ -f ${install_sh} ]]; then
+    echo "Install: ${install_sh}"
+    bash ${install_sh}
+  fi
+done
+
+rm -f ${KUBERNETES_PATH}/kubelet.conf
+systemctl daemon-reload
+systemctl enable kubelet
+systemctl restart kubelet

data/lib/porkadot/assets/kubelet/kubelet.service.erb

@@ -0,0 +1,22 @@
+[Unit]
+Description=kubelet: The Kubernetes Node Agent
+Documentation=http://kubernetes.io/docs/
+
+[Service]
+EnvironmentFile=-/etc/default/kubelet
+ExecStart=/opt/bin/kubelet \
+    --bootstrap-kubeconfig=/etc/kubernetes/bootstrap-kubelet.conf \
+    --kubeconfig=/etc/kubernetes/kubelet.conf \
+    --config=/var/lib/kubelet/config.yaml \
+    --network-plugin=cni \
+    --pod-infra-container-image=k8s.gcr.io/pause:3.1 \
+    --hostname-override=<%= config.hostname %> \
+    --node-labels=<%= config.labels_string %> \
+    --register-with-taints=<%= config.taints_string %> \
+    --resolv-conf=/run/systemd/resolve/resolv.conf
+Restart=always
+StartLimitInterval=0
+RestartSec=10
+
+[Install]
+WantedBy=multi-user.target