diff --git a/.gitignore b/.gitignore
index f913501..ccfefb7 100644
--- a/.gitignore
+++ b/.gitignore
@@ -2,4 +2,5 @@
 *.key
 *.srl
 *.csr
-users/
\ No newline at end of file
+users/
+charts/
\ No newline at end of file
diff --git a/certsigner/.helmignore b/certsigner/.helmignore
new file mode 100644
index 0000000..0e8a0eb
--- /dev/null
+++ b/certsigner/.helmignore
@@ -0,0 +1,23 @@
+# Patterns to ignore when building packages.
+# This supports shell glob matching, relative path matching, and
+# negation (prefixed with !). Only one pattern per line.
+.DS_Store
+# Common VCS dirs
+.git/
+.gitignore
+.bzr/
+.bzrignore
+.hg/
+.hgignore
+.svn/
+# Common backup files
+*.swp
+*.bak
+*.tmp
+*.orig
+*~
+# Various IDEs
+.project
+.idea/
+*.tmproj
+.vscode/
diff --git a/certsigner/Chart.yaml b/certsigner/Chart.yaml
new file mode 100644
index 0000000..bcf2b17
--- /dev/null
+++ b/certsigner/Chart.yaml
@@ -0,0 +1,23 @@
+apiVersion: v2
+name: certsigner
+description: A Helm chart for Kubernetes
+
+# A chart can be either an 'application' or a 'library' chart.
+#
+# Application charts are a collection of templates that can be packaged into versioned archives
+# to be deployed.
+#
+# Library charts provide useful utilities or functions for the chart developer. They're included as
+# a dependency of application charts to inject those utilities and functions into the rendering
+# pipeline. Library charts do not define any templates and therefore cannot be deployed.
+type: application
+
+# This is the chart version. This version number should be incremented each time you make changes
+# to the chart and its templates, including the app version.
+# Versions are expected to follow Semantic Versioning (https://semver.org/)
+version: 0.1.0
+
+# This is the version number of the application being deployed. This version number should be
+# incremented each time you make changes to the application. Versions are not expected to
+# follow Semantic Versioning. They should reflect the version the application is using.
+appVersion: 1.16.0
diff --git a/certsigner/pod.yaml b/certsigner/pod.yaml
deleted file mode 100644
index eaf9908..0000000
--- a/certsigner/pod.yaml
+++ /dev/null
@@ -1,31 +0,0 @@
-apiVersion: v1
-kind: Pod
-metadata:
- name: certsigner
- namespace: kube-system
-spec:
- containers:
- - name: certsigner
- image: python:latest
- command: ["cat"]
- tty: true
- resources:
- requests:
- memory: 1Mi
- cpu: 1m
- limits:
- memory: 100Mi
- cpu: 100m
- volumeMounts:
- - mountPath: /keys
- name: keys
- - mountPath: /certs
- name: certs
- volumes:
- - name: keys
- secret:
- secretName: certsigner
- - name: certs
- emptyDir: {}
-
- restartPolicy: Always
\ No newline at end of file
diff --git a/cluster/clusterrole.yaml b/certsigner/templates/clusterrole.yaml
similarity index 83%
rename from cluster/clusterrole.yaml
rename to certsigner/templates/clusterrole.yaml
index 4eeb642..bee03a6 100644
--- a/cluster/clusterrole.yaml
+++ b/certsigner/templates/clusterrole.yaml
@@ -1,5 +1,5 @@
 kind: ClusterRole
-apiVersion: rbac.authorization.k8s.io/v1beta1
+apiVersion: rbac.authorization.k8s.io/v1
 metadata:
 name: cluster-readonly
 rules:
diff --git a/cluster/clusterrolebinding.yaml b/certsigner/templates/clusterrolebinding.yaml
similarity index 100%
rename from cluster/clusterrolebinding.yaml
rename to certsigner/templates/clusterrolebinding.yaml
diff --git a/certsigner/templates/deploy.yaml b/certsigner/templates/deploy.yaml
new file mode 100644
index 0000000..6ae7b73
--- /dev/null
+++ b/certsigner/templates/deploy.yaml
@@ -0,0 +1,39 @@
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+ name: certsigner
+ namespace: kube-system
+spec:
+ replicas: 1
+ selector:
+ matchLabels:
+ app: {{ .Release.Name }}
+ template:
+ metadata:
+ labels:
+ app: {{ .Release.Name }}
+ spec:
+ containers:
+ - name: certsigner
+ image: python:latest
+ command: ["cat"]
+ tty: true
+ resources:
+ requests:
+ memory: 1Mi
+ cpu: 1m
+ limits:
+ memory: 100Mi
+ cpu: 100m
+ volumeMounts:
+ - mountPath: /keys
+ name: keys
+ - mountPath: /certs
+ name: certs
+ volumes:
+ - name: keys
+ secret:
+ secretName: certsigner
+ - name: certs
+ emptyDir: {}
+ restartPolicy: Always
\ No newline at end of file
diff --git a/certsigner/values.yaml b/certsigner/values.yaml
new file mode 100644
index 0000000..e69de29
diff --git a/genuserspace.sh b/genuserspace.sh
index ae67276..6820bb4 100755
--- a/genuserspace.sh
+++ b/genuserspace.sh
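Review bot: The Deployment's selector and pod labels are templated from `{{ .Release.Name }}` while `metadata.name: certsigner` and `namespace: kube-system` are hard-coded, so the `--selector=app=certsigner` lookup that genuserspace.sh performs only finds this pod when the release happens to be named `certsigner`; either write `app: certsigner` in both label blocks to match the fixed name, or make the script's selector follow the release name too. This also changes the signer from a pod that was applied and deleted around each signing into a permanently running `cat` container that holds the client-CA private key from secret `certsigner` at `/keys`, so anyone with `pods/exec` or `pods/cp` in kube-system can mint client certificates for as long as it runs; scaling it to zero between uses, or confining exec rights in that namespace, keeps the old exposure window. `image: python:latest` is a mutable tag with no digest pin, there is no `securityContext`, and the default service-account token is mounted although the container appears to have no reason to talk to the API server; the additions below tighten that without changing how the script drives the pod.
```yaml
    spec:
      automountServiceAccountToken: false   # only cat/openssl run here, no API access needed
      securityContext:
        runAsNonRoot: true
        runAsUser: 65534
        seccompProfile:
          type: RuntimeDefault
      containers:
      - name: certsigner
        image: python:latest   # TODO pin to an explicit tag@sha256 digest
        securityContext:
          allowPrivilegeEscalation: false
          readOnlyRootFilesystem: true   # signing output goes to the /certs emptyDir only
          capabilities:
            drop: ["ALL"]
        # … unchanged: command, tty, resources, volumeMounts …
      # … unchanged: volumes, restartPolicy …
```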
@@ -1,18 +1,25 @@
 #!/bin/bash
 export USER=$1
-echo "setting up certsigner"
-kubectl apply -f ./certsigner
-sleep 5
+export SERVER=$2
+export CERT_DIR=$HOME/.kube/$SERVER/users/$USER
+
 echo "generating certs"
-mkdir $HOME/.kube/users/$USER
-docker run -it -v $HOME/.kube/users/$USER:/$USER python:latest openssl genrsa -out /$USER/$USER.key 2048
-docker run -it -v $HOME/.kube/users/$USER:/$USER python:latest openssl req -new -key /$USER/$USER.key -out /$USER/$USER.csr -subj "/CN=$USER/O=user"
+mkdir -p $CERT_DIR
+docker run -it -v $CERT_DIR:/$USER python:latest openssl genrsa -out /$USER/$USER.key 2048
+docker run -it -v $CERT_DIR:/$USER python:latest openssl req -new -key /$USER/$USER.key -out /$USER/$USER.csr -subj "/CN=$USER/O=user"
 echo "creating userspace"
-helm template $USER ./namespace | kubectl apply -f -
-echo "copying and signing certs"
-kubectl cp $HOME/.kube/users/$USER/$USER.csr certsigner:/certs/$USER.csr
-kubectl exec certsigner -- openssl x509 -in /certs/$USER.csr -req -CA /keys/client-ca.crt -CAkey /keys/client-ca.key -set_serial $(python -c "import random; print(random.randint(1000000000, 9999999999))") -out /certs/$USER.crt -days 5000
-kubectl cp certsigner:/certs/$USER.crt $HOME/.kube/users/$USER/$USER.crt
-echo "deleting certsigner"
-kubectl delete -f ./certsigner
\ No newline at end of file
+rsync -av ./namespace $SERVER:~/
+ssh $SERVER "/usr/local/bin/helm template $USER ./namespace | kubectl apply -f -"
+echo "copying csr"
+ssh $SERVER "mkdir -p ~/.kube/users/$USER"
+scp $CERT_DIR/$USER.csr $SERVER:/tmp/$USER.csr
+echo "signing cert"
+export CERT_POD=$(ssh k3os-alpha "kubectl get pod -n kube-system --selector=app=certsigner --output=jsonpath={.items..metadata.name}")
+ssh $SERVER "kubectl -n kube-system cp /tmp/$USER.csr $CERT_POD:/certs/$USER.csr"
+ssh $SERVER "kubectl -n kube-system exec $CERT_POD -- openssl x509 -in /certs/$USER.csr -req -CA /keys/client-ca.crt -CAkey /keys/client-ca.key -set_serial $(python -c 'import random; 
print(random.randint(1000000000, 9999999999))') -out /certs/$USER.crt -days 5000"
+ssh $SERVER "kubectl -n kube-system cp $CERT_POD:/certs/$USER.crt ~/.kube/users/$USER/$USER.crt"
+echo "retrieving signed cert"
+scp $SERVER:~/.kube/users/$USER/$USER.crt $CERT_DIR/$USER.crt
+wget --no-check-certificate https://$SERVER:6443/cacerts -O $CERT_DIR/server-ca.pem
+echo "done"
\ No newline at end of file
diff --git a/namespace/Chart.yaml b/namespace/Chart.yaml
index cf7bc40..635f42d 100644
--- a/namespace/Chart.yaml
+++ b/namespace/Chart.yaml
@@ -1,5 +1,5 @@
 apiVersion: v2
-name: helm
+name: namespace
 description: A Helm chart for Kubernetes
 # A chart can be either an 'application' or a 'library' chart.
diff --git a/namespace/templates/role.yaml b/namespace/templates/role.yaml
index 3aa92c7..3c92cda 100644
--- a/namespace/templates/role.yaml
+++ b/namespace/templates/role.yaml
@@ -1,5 +1,5 @@
 kind: Role
-apiVersion: rbac.authorization.k8s.io/v1beta1
+apiVersion: rbac.authorization.k8s.io/v1
 metadata:
 name: namespace-manager
 namespace: {{ .Release.Name }}
diff --git a/namespace/templates/rolebinding.yaml b/namespace/templates/rolebinding.yaml
index 4a89339..dd3b627 100644
--- a/namespace/templates/rolebinding.yaml
+++ b/namespace/templates/rolebinding.yaml
@@ -1,5 +1,5 @@
 kind: RoleBinding
-apiVersion: rbac.authorization.k8s.io/v1beta1
+apiVersion: rbac.authorization.k8s.io/v1
 metadata:
 name: namespace-manager
 namespace: {{ .Release.Name }}
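Review bot: The pod lookup on the `export CERT_POD=$(ssh k3os-alpha ...)` line hard-codes the host `k3os-alpha` while every other remote command uses `$SERVER`, so against any other server the script either gets an empty `CERT_POD` or signs with a different cluster's CA; it should read `export CERT_POD=$(ssh $SERVER "kubectl get pod -n kube-system --selector=app=certsigner --output=jsonpath={.items..metadata.name}")`. The `wget --no-check-certificate https://$SERVER:6443/cacerts` step fetches the CA that the user's kubeconfig will trust from then on over a deliberately unverified TLS connection, which is exactly the trust-on-first-use point an on-path attacker would target; pull it through the already-authenticated ssh session instead, e.g. `ssh $SERVER "kubectl config view --raw -o jsonpath='{.clusters[0].cluster.certificate-authority-data}'" | base64 -d > $CERT_DIR/server-ca.pem`. `-days 5000` issues a client certificate valid for roughly 13.7 years, and Kubernetes does not consult revocation for client certificates, so a leaked `$USER.key` stays usable for that whole period; a validity of days to months with re-issuance through this script is the safer default. With no `set -euo pipefail` at the top, a failed `scp` or `kubectl cp` does not stop the run and the signing step proceeds against a missing or stale CSR.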