genuserspace working

2021-01-21 16:10:40 -05:00
parent 0b469da892
commit f3df9fd707
12 changed files with 111 additions and 49 deletions
--- a/.gitignore
+++ b/.gitignore
@@ -3,3 +3,4 @@
 *.srl
 *.csr
 users/
+charts/
--- a/certsigner/.helmignore
+++ b/certsigner/.helmignore
@@ -0,0 +1,23 @@
+# Patterns to ignore when building packages.
+# This supports shell glob matching, relative path matching, and
+# negation (prefixed with !). Only one pattern per line.
+.DS_Store
+# Common VCS dirs
+.git/
+.gitignore
+.bzr/
+.bzrignore
+.hg/
+.hgignore
+.svn/
+# Common backup files
+*.swp
+*.bak
+*.tmp
+*.orig
+*~
+# Various IDEs
+.project
+.idea/
+*.tmproj
+.vscode/
--- a/certsigner/Chart.yaml
+++ b/certsigner/Chart.yaml
@@ -0,0 +1,23 @@
+apiVersion: v2
+name: certsigner
+description: A Helm chart for Kubernetes
+
+# A chart can be either an 'application' or a 'library' chart.
+#
+# Application charts are a collection of templates that can be packaged into versioned archives
+# to be deployed.
+#
+# Library charts provide useful utilities or functions for the chart developer. They're included as
+# a dependency of application charts to inject those utilities and functions into the rendering
+# pipeline. Library charts do not define any templates and therefore cannot be deployed.
+type: application
+
+# This is the chart version. This version number should be incremented each time you make changes
+# to the chart and its templates, including the app version.
+# Versions are expected to follow Semantic Versioning (https://semver.org/)
+version: 0.1.0
+
+# This is the version number of the application being deployed. This version number should be
+# incremented each time you make changes to the application. Versions are not expected to
+# follow Semantic Versioning. They should reflect the version the application is using.
+appVersion: 1.16.0
--- a/certsigner/pod.yaml
+++ b/certsigner/pod.yaml
@@ -1,31 +0,0 @@
-apiVersion: v1
-kind: Pod
-metadata:
-  name: certsigner
-  namespace: kube-system
-spec:
-  containers:
-  - name: certsigner
-    image: python:latest
-    command: ["cat"]
-    tty: true
-    resources:
-      requests:
-        memory: 1Mi
-        cpu: 1m
-      limits:
-        memory: 100Mi
-        cpu: 100m
-    volumeMounts:
-      - mountPath: /keys
-        name: keys
-      - mountPath: /certs
-        name: certs
-  volumes:
-    - name: keys
-      secret:
-        secretName: certsigner
-    - name: certs
-      emptyDir: {}
-
-  restartPolicy: Always
--- a/certsigner/templates/clusterrole.yaml
+++ b/certsigner/templates/clusterrole.yaml
@@ -1,5 +1,5 @@
 kind: ClusterRole
-apiVersion: rbac.authorization.k8s.io/v1beta1
+apiVersion: rbac.authorization.k8s.io/v1
 metadata:
  name: cluster-readonly
 rules:
--- a/certsigner/templates/clusterrolebinding.yaml
+++ b/certsigner/templates/clusterrolebinding.yaml
--- a/certsigner/templates/deploy.yaml
+++ b/certsigner/templates/deploy.yaml
@@ -0,0 +1,39 @@
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: certsigner
+  namespace: kube-system
+spec:
+  replicas: 1
+  selector:
+    matchLabels:
+      app: {{ .Release.Name }}
+  template:
+    metadata:
+      labels:
+        app: {{ .Release.Name }}
+    spec:
+      containers:
+      - name: certsigner
+        image: python:latest
+        command: ["cat"]
+        tty: true
+        resources:
+          requests:
+            memory: 1Mi
+            cpu: 1m
+          limits:
+            memory: 100Mi
+            cpu: 100m
+        volumeMounts:
+          - mountPath: /keys
+            name: keys
+          - mountPath: /certs
+            name: certs
+      volumes:
+        - name: keys
+          secret:
+            secretName: certsigner
+        - name: certs
+          emptyDir: {}
+      restartPolicy: Always
--- a/certsigner/values.yaml
+++ b/certsigner/values.yaml
--- a/genuserspace.sh
+++ b/genuserspace.sh
@@ -1,18 +1,25 @@
 #!/bin/bash

 export USER=$1
-echo "setting up certsigner"
-kubectl apply -f ./certsigner
-sleep 5
+export SERVER=$2
+export CERT_DIR=$HOME/.kube/$SERVER/users/$USER
+
 echo "generating certs"
-mkdir $HOME/.kube/users/$USER
-docker run -it -v $HOME/.kube/users/$USER:/$USER python:latest openssl genrsa -out /$USER/$USER.key 2048
-docker run -it -v $HOME/.kube/users/$USER:/$USER python:latest openssl req -new -key /$USER/$USER.key -out /$USER/$USER.csr -subj "/CN=$USER/O=user"
+mkdir -p $CERT_DIR
+docker run -it -v $CERT_DIR:/$USER python:latest openssl genrsa -out /$USER/$USER.key 2048
+docker run -it -v $CERT_DIR:/$USER python:latest openssl req -new -key /$USER/$USER.key -out /$USER/$USER.csr -subj "/CN=$USER/O=user"
 echo "creating userspace"
-helm template $USER ./namespace | kubectl apply -f -
-echo "copying and signing certs"
-kubectl cp $HOME/.kube/users/$USER/$USER.csr certsigner:/certs/$USER.csr
-kubectl exec certsigner -- openssl x509 -in /certs/$USER.csr -req -CA /keys/client-ca.crt -CAkey /keys/client-ca.key -set_serial $(python -c "import random; print(random.randint(1000000000, 9999999999))") -out /certs/$USER.crt -days 5000
-kubectl cp certsigner:/certs/$USER.crt $HOME/.kube/users/$USER/$USER.crt
-echo "deleting certsigner"
-kubectl delete -f ./certsigner
+rsync -av ./namespace $SERVER:~/
+ssh $SERVER "/usr/local/bin/helm template $USER ./namespace | kubectl apply -f -"
+echo "copying csr"
+ssh $SERVER "mkdir -p ~/.kube/users/$USER"
+scp $CERT_DIR/$USER.csr $SERVER:/tmp/$USER.csr
+echo "signing cert"
+export CERT_POD=$(ssh k3os-alpha "kubectl get pod -n kube-system --selector=app=certsigner --output=jsonpath={.items..metadata.name}")
+ssh $SERVER "kubectl -n kube-system cp /tmp/$USER.csr $CERT_POD:/certs/$USER.csr"
+ssh $SERVER "kubectl -n kube-system exec $CERT_POD -- openssl x509 -in /certs/$USER.csr -req -CA /keys/client-ca.crt -CAkey /keys/client-ca.key -set_serial $(python -c 'import random; print(random.randint(1000000000, 9999999999))') -out /certs/$USER.crt -days 5000"
+ssh $SERVER "kubectl -n kube-system cp $CERT_POD:/certs/$USER.crt ~/.kube/users/$USER/$USER.crt"
+echo "retrieving signed cert"
+scp $SERVER:~/.kube/users/$USER/$USER.crt $CERT_DIR/$USER.crt
+wget --no-check-certificate https://$SERVER:6443/cacerts -O $CERT_DIR/server-ca.pem
+echo "done"
--- a/namespace/Chart.yaml
+++ b/namespace/Chart.yaml
@@ -1,5 +1,5 @@
 apiVersion: v2
-name: helm
+name: namespace
 description: A Helm chart for Kubernetes

 # A chart can be either an 'application' or a 'library' chart.
--- a/namespace/templates/role.yaml
+++ b/namespace/templates/role.yaml
@@ -1,5 +1,5 @@
 kind: Role
-apiVersion: rbac.authorization.k8s.io/v1beta1
+apiVersion: rbac.authorization.k8s.io/v1
 metadata:
  name: namespace-manager
  namespace: {{ .Release.Name }}
--- a/namespace/templates/rolebinding.yaml
+++ b/namespace/templates/rolebinding.yaml
@@ -1,5 +1,5 @@
 kind: RoleBinding
-apiVersion: rbac.authorization.k8s.io/v1beta1
+apiVersion: rbac.authorization.k8s.io/v1
 metadata:
  name: namespace-manager
  namespace: {{ .Release.Name }}