project userspace part 1

2020-05-22 21:27:19 -04:00
commit b720b73218
14 changed files with 397 additions and 0 deletions
--- a/.gitignore
+++ b/.gitignore
@@ -0,0 +1,5 @@
 *.crt
 *.key
 *.srl
 *.csr
 users/
--- a/README.md
+++ b/README.md
@@ -0,0 +1,150 @@
 # Project Userspace
 ## One provisioner to rule them all
 ### Quickstart
 ```bash
 kubectl -n kube-system create secret generic certsigner --from-file /var/lib/rancher/k3s/server/tls/client-ca.crt --from-file /var/lib/rancher/k3s/server/tls/client-ca.key
 kubectl apply -f cluster
 kubectl apply -f certsigner
 ./adduser.sh tester
 ./userspace.sh tester
 ```
 ### Objectives
 1. Provision a namespace with clusterroles, rolebindings, and a dedicated nfs-provisioner with one helm chart
 2. Create an easy way for users to sign their certificates
 3. Create a cleanup script without deleting user data
 4. profit
 ### Userspace
 1. Namespace
 ```yaml
 apiVersion: v1
 kind: Namespace
 metadata:
  name: {{ .Release.Name }}
 ```
 1. Rolebinding
 ```yaml
 kind: RoleBinding
 apiVersion: rbac.authorization.k8s.io/v1beta1
 metadata:
  namespace: {{ .Release.Name }}
  name: namespace-manager
 subjects:
 - kind: User
  name: {{ .Release.Name }}
  apiGroup: ""
 roleRef:
  kind: ClusterRole
  name: namespace-manager
  apiGroup: ""
 ```
 ### Create a kubernetes certsigner pod
 This keeps the client-ca crt and key secret and allows the cert to be signed and stored on the pod
 #### Create the certsigner secret
 ```bash
 kubectl -n kube-system create secret generic certsigner --from-file /var/lib/rancher/k3s/server/tls/client-ca.crt --from-file /var/lib/rancher/k3s/server/tls/client-ca.key
 ```
 #### Set up the certsigner pod
 ```bash
 kubectl --context admin apply -f certsigner
 ```
 #### Generate a cert
 ```bash
 export USER=<user>
 docker run -it -v $(pwd)/users/$USER:/$USER python:latest openssl genrsa -out /$USER/$USER.key 2048
 docker run -it -v $(pwd)/users/$USER:/$USER python:latest openssl req -new -key /$USER/$USER.key -out /$USER/$USER.csr -subj "/CN=$USER/O=user"
 ```
 #### Create a new Userspace
 ```bash
 helm template $USER ./namespace | kubectl --context admin apply -f -
 ```
 #### Sign the cert
 ```bash
 export USER=<user>
 kubectl --context admin cp $(pwd)/users/$USER/$USER.csr certsigner:/certs/$USER.csr
 kubectl --context admin exec -it --context admin certsigner -- openssl x509 -in /certs/$USER.csr -req -CA /keys/client-ca.crt -CAkey /keys/client-ca.key -CAcreateserial -out /certs/$USER.crt -days 5000
 kubectl --context admin cp certsigner:/certs/$USER.crt $(pwd)/users/$USER/$USER.crt
 ```
 #### Add to the config
 ```bash
 kubectl config set-credentials $USER --client-certificate=$USER.crt  --client-key=$USER.key
 kubectl config set-context $USER --cluster=mainframe --namespace=$USER --user=$USER
 ```
 #### Delete
 ```bash
 kubectl config delete-context $USER
 helm template $USER ./namespace | kubectl --context admin delete -f -
 ```
 ### Signing a user cert - detailed notes
 NOTE: ca.crt and ca.key are in /var/lib/rancher/k3s/server/tls/client-ca.*
 ```bash
 # First we create the credentials
 # /CN=<username> - the user
 # /O=<group> - the group
 # Navigate to the user directory
 export USER=<username>
 cd $USER
 # Generate a private key
 openssl genrsa -out $USER.key 2048
 # Check the key
 # openssl pkey -in ca.key -noout -text
 # Generate and send me the CSR
 # The "user" group is my default group
 openssl req -new -key $USER.key -out $USER.csr -subj "/CN=$USER/O=user"
 # Check the CSR
 # openssl req -in $USER.csr -noout -text
 # If satisfactory, sign the CSR
 # Copy from /var/lib/rancher/k3s/server/tls/client-ca.crt and client-ca.key
 openssl x509 -req -in $USER.csr -CA ../client-ca.crt -CAkey ../client-ca.key -CAcreateserial -out $USER.crt -days 5000
 # Review the certificate
 # openssl x509 -in $USER.crt -text -noout
 # Send back the crt
 # cp $USER.crt $USER.key ../server-ca.crt ~/.kube/
 kubectl config set-credentials $USER --client-certificate=$USER.crt  --client-key=$USER.key
 kubectl config set-context $USER --cluster=mainframe --namespace=$USER --user=$USER
 # Now we create the namespace, rolebindings, and resource quotas
 # kubectl apply -f k8s/
 # Add the cluster
 # CA file can be found at https://3.14.3.100:6443/cacerts
 - cluster:
    certificate-authority: server-ca.crt
    server: https://3.14.3.100:6443
  name: mainframe
 # Test if everything worked
 kubectl --context=$USER-context get pods
 ```
--- a/certsigner/pod.yaml
+++ b/certsigner/pod.yaml
@@ -0,0 +1,31 @@
 apiVersion: v1
 kind: Pod
 metadata:
  name: certsigner
  namespace: kube-system
 spec:
  containers:
  - name: certsigner
    image: python:latest
    command: ["cat"]
    tty: true
    resources:
      requests:
        memory: 1Mi
        cpu: 1m
      limits:
        memory: 100Mi
        cpu: 100m
    volumeMounts:
      - mountPath: /certs
        name: certs
      - mountPath: /keys
        name: keys
  volumes:
    - name: certs
      persistentVolumeClaim:
        claimName: certsigner-certs
    - name: keys
      secret:
        secretName: certsigner
  restartPolicy: Always
--- a/certsigner/pvc.yaml
+++ b/certsigner/pvc.yaml
@@ -0,0 +1,11 @@
 apiVersion: v1
 kind: PersistentVolumeClaim
 metadata:
  name: certsigner-certs
  namespace: kube-system
 spec:
  accessModes:
    - ReadWriteOnce
  resources:
    requests:
      storage: 1Gi
--- a/cluster/clusterrole.yaml
+++ b/cluster/clusterrole.yaml
@@ -0,0 +1,15 @@
 kind: ClusterRole
 apiVersion: rbac.authorization.k8s.io/v1beta1
 metadata:
  name: cluster-readonly
 rules:
 - apiGroups:
    - ""
    - rbac.authorization.k8s.io
    - storage.k8s.io
    - networking.k8s.io
    - traefik.containo.us
  resources: 
    - storageclasses
  verbs: 
    - list
--- a/cluster/clusterrolebinding.yaml
+++ b/cluster/clusterrolebinding.yaml
@@ -0,0 +1,12 @@
 apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRoleBinding
 metadata:
  name: cluster-readonly
 subjects:
 - kind: Group
  name: user
  apiGroup: ""
 roleRef:
  kind: ClusterRole
  name: cluster-readonly
  apiGroup: ""
--- a/createuser.sh
+++ b/createuser.sh
@@ -0,0 +1,5 @@
 #!/bin/bash
 export USER=$1
 docker run -it -v $(pwd)/users/$USER:/$USER python:latest openssl genrsa -out /$USER/$USER.key 2048
 docker run -it -v $(pwd)/users/$USER:/$USER python:latest openssl req -new -key /$USER/$USER.key -out /$USER/$USER.csr -subj "/CN=$USER/O=user"
--- a/namespace/.helmignore
+++ b/namespace/.helmignore
@@ -0,0 +1,23 @@
 # Patterns to ignore when building packages.
 # This supports shell glob matching, relative path matching, and
 # negation (prefixed with !). Only one pattern per line.
 .DS_Store
 # Common VCS dirs
 .git/
 .gitignore
 .bzr/
 .bzrignore
 .hg/
 .hgignore
 .svn/
 # Common backup files
 *.swp
 *.bak
 *.tmp
 *.orig
 *~
 # Various IDEs
 .project
 .idea/
 *.tmproj
 .vscode/
--- a/namespace/Chart.yaml
+++ b/namespace/Chart.yaml
@@ -0,0 +1,23 @@
 apiVersion: v2
 name: helm
 description: A Helm chart for Kubernetes
 # A chart can be either an 'application' or a 'library' chart.
 #
 # Application charts are a collection of templates that can be packaged into versioned archives
 # to be deployed.
 #
 # Library charts provide useful utilities or functions for the chart developer. They're included as
 # a dependency of application charts to inject those utilities and functions into the rendering
 # pipeline. Library charts do not define any templates and therefore cannot be deployed.
 type: application
 # This is the chart version. This version number should be incremented each time you make changes
 # to the chart and its templates, including the app version.
 # Versions are expected to follow Semantic Versioning (https://semver.org/)
 version: 0.1.0
 # This is the version number of the application being deployed. This version number should be
 # incremented each time you make changes to the application. Versions are not expected to
 # follow Semantic Versioning. They should reflect the version the application is using.
 appVersion: 1.16.0
--- a/namespace/templates/namespace.yaml
+++ b/namespace/templates/namespace.yaml
@@ -0,0 +1,4 @@
 apiVersion: v1
 kind: Namespace
 metadata:
  name: {{ .Release.Name }}
--- a/namespace/templates/role.yaml
+++ b/namespace/templates/role.yaml
@@ -0,0 +1,96 @@
 kind: Role
 apiVersion: rbac.authorization.k8s.io/v1beta1
 metadata:
  name: namespace-manager
  namespace: {{ .Release.Name }}
 rules:
 - apiGroups:
    - ""
    - extensions
    - apps
    - batch
    - autoscaling
    - networking.k8s.io
    - traefik.containo.us
    - rbac.authorization.k8s.io
    - metrics.k8s.io
  resources: 
    - deployments
    - replicasets
    - pods
    - pods/exec
    - pods/log
    - pods/attach
    - daemonsets
    - statefulsets
    - replicationcontrollers
    - horizontalpodautoscalers
    - services
    - ingresses
    - persistentvolumeclaims
    - jobs
    - cronjobs
    - secrets
    - configmaps
    - serviceaccounts
    - rolebindings
    - ingressroutes
    - middlewares
    - endpoints
  verbs: 
    - "*"
 - apiGroups:
    - ""
    - metrics.k8s.io
    - rbac.authorization.k8s.io
  resources:
    - resourcequotas
    - roles
  verbs:
    - list
 ---
 kind: Role
 apiVersion: rbac.authorization.k8s.io/v1beta1
 metadata:
  name: namespace-readonly
  namespace: {{ .Release.Name }}
 rules:
 - apiGroups:
    - ""
    - extensions
    - apps
    - batch
    - autoscaling
    - networking.k8s.io
    - traefik.containo.us
    - rbac.authorization.k8s.io
    - metrics.k8s.io
    - storage.k8s.io
  resources: 
    - deployments
    - replicasets
    - pods
    - pods/exec
    - pods/log
    - pods/attach
    - daemonsets
    - statefulsets
    - replicationcontrollers
    - horizontalpodautoscalers
    - services
    - ingresses
    - persistentvolumeclaims
    - jobs
    - cronjobs
    - secrets
    - configmaps
    - serviceaccounts
    - rolebindings
    - ingressroutes
    - middlewares
    - resourcequotas
    - roles
    - endpoints
  verbs: 
    - list
    - watch
--- a/namespace/templates/rolebinding.yaml
+++ b/namespace/templates/rolebinding.yaml
@@ -0,0 +1,13 @@
 kind: RoleBinding
 apiVersion: rbac.authorization.k8s.io/v1beta1
 metadata:
  name: namespace-manager
  namespace: {{ .Release.Name }}
 subjects:
 - kind: User
  name: {{ .Release.Name }}
  apiGroup: ""
 roleRef:
  kind: Role
  name: namespace-manager
  apiGroup: ""
--- a/namespace/values.yaml
+++ b/namespace/values.yaml
--- a/userspace.sh
+++ b/userspace.sh
@@ -0,0 +1,9 @@
 #!/bin/bash
 export USER=$1
 helm template $USER ./namespace | kubectl --context admin apply -f -
 kubectl --context admin cp $(pwd)/users/$USER/$USER.csr certsigner:/certs/$USER.csr
 kubectl --context admin exec --context admin certsigner -- openssl x509 -in /certs/$USER.csr -req -CA /keys/client-ca.crt -CAkey /keys/client-ca.key -set_serial $(python -c "import random; print(random.randint(1000000000, 9999999999))") -out /certs/$USER.crt -days 5000
 kubectl --context admin cp certsigner:/certs/$USER.crt $(pwd)/users/$USER/$USER.crt
 kubectl config set-credentials $USER --client-certificate=$(pwd)/users/$USER/$USER.crt  --client-key=$(pwd)/users/$USER/$USER.key
 kubectl config set-context $USER --cluster=mainframe --namespace=$USER --user=$USER