From 595e0ef4a986034f6c318a51400c002fdf4dfd9f Mon Sep 17 00:00:00 2001
From: Mark Burnett
Date: Thu, 22 Jun 2017 16:29:32 -0500
Subject: [PATCH] add configuration bundle for drydock export
---
 promenade/config.py | 10 ++++-
 promenade/generator.py | 41 ++++++++++++++++---
 promenade/pki.py | 18 +++++---
 .../kubernetes/kubelet/pki/kubelet-key.pem | 2 +-
 .../etc/kubernetes/kubelet/pki/kubelet.pem | 2 +-
 .../etc/kubernetes/proxy/pki/proxy-key.pem | 2 +-
 .../common/etc/kubernetes/proxy/pki/proxy.pem | 2 +-
 .../apiserver/pki/apiserver-key.pem | 2 +-
 .../kubernetes/apiserver/pki/apiserver.pem | 2 +-
 .../apiserver/pki/etcd-client-key.pem | 2 +-
 .../kubernetes/apiserver/pki/etcd-client.pem | 2 +-
 .../pki/controller-manager-key.pem | 2 +-
 .../pki/controller-manager.pem | 2 +-
 .../kubernetes/etcd/pki/etcd-client-key.pem | 2 +-
 .../etc/kubernetes/etcd/pki/etcd-client.pem | 2 +-
 .../etc/kubernetes/etcd/pki/etcd-peer-key.pem | 2 +-
 .../etc/kubernetes/etcd/pki/etcd-peer.pem | 2 +-
 .../scheduler/pki/scheduler-key.pem | 2 +-
 .../kubernetes/scheduler/pki/scheduler.pem | 2 +-
 19 files changed, 72 insertions(+), 29 deletions(-)
diff --git a/promenade/config.py b/promenade/config.py
index 05bdba68..95a204c1 100644
--- a/promenade/config.py
+++ b/promenade/config.py
@@ -53,6 +53,10 @@ class Document:
 def name(self):
 return self.metadata['name']
+ @property
+ def alias(self):
+ return self.metadata.get('alias')
+
 @property
 def target(self):
 return self.metadata.get('target')
@@ -91,9 +95,11 @@ class Configuration:
 else:
 return results[0]
- def get(self, *, kind, name):
+ def get(self, *, kind, alias=None, name=None):
 for document in self.documents:
- if document.kind == kind and document.name == name:
+ if (document.kind == kind
+ and (not alias or document.alias == alias)
+ and (not name or document.name == name)) :
 return document
 def iterate(self, *, kind=None, target=None):
diff --git a/promenade/generator.py b/promenade/generator.py
index 8f5e274d..0c05a95d 100644
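Review bot: The rewritten condition in `Configuration.get` tests the optional selectors by truthiness, so an empty-string alias or name counts as "not given" and a call with neither selector returns the first document of the requested kind; the lookup also stops at the first match, which becomes ambiguous once a single bundle holds several hosts' documents that share an alias (the generator hands every host's proxy certificate `alias='proxy'`). Use identity checks, `(alias is None or document.alias == alias)` and `(name is None or document.name == name)`, and drop the stray space in `)) :`. Whether any caller relies on the wildcard form is not visible here; if none does, rejecting a call that supplies neither selector would make the ambiguity fail loudly instead of silently picking a document. Note that `get` still falls through to an implicit None when nothing matches, which the templates then index with `['data']`; that is pre-existing, but a docstring stating "returns the first document matching all given selectors, or None" would at least make it explicit.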
--- a/promenade/generator.py
+++ b/promenade/generator.py
@@ -66,6 +66,8 @@ class Generator:
 )
 config.Configuration([
+ admin_cert,
+ admin_cert_key,
 cluster_ca,
 cluster_ca_key,
 etcd_client_ca,
@@ -76,6 +78,19 @@ class Generator:
 sa_priv,
 ]).write(os.path.join(output_dir, 'admin-bundle.yaml'))
+ complete_configuration = [
+ admin_cert,
+ admin_cert_key,
+ cluster_ca,
+ cluster_ca_key,
+ etcd_client_ca,
+ etcd_client_ca_key,
+ etcd_peer_ca,
+ etcd_peer_ca_key,
+ sa_pub,
+ sa_priv,
+ ]
+
 for hostname, data in cluster['nodes'].items():
 if 'genesis' in data.get('roles', []):
 genesis_hostname = hostname
@@ -99,6 +114,7 @@ class Generator:
 proxy_cert, proxy_cert_key = keys.generate_certificate(
 alias='proxy',
+ config_name='system:kube-proxy:%s' % hostname,
 name='system:kube-proxy',
 ca_name='cluster',
 hosts=[
@@ -107,6 +123,14 @@ class Generator:
 ],
 target=hostname)
+ complete_configuration.extend([
+ kubelet_cert,
+ kubelet_cert_key,
+ node,
+ proxy_cert,
+ proxy_cert_key,
+ ])
+
 common_documents = [
 cluster_ca,
 kubelet_cert,
@@ -130,12 +154,14 @@ class Generator:
 sa_pub,
 ])
 if 'genesis' not in data.get('roles', []):
- role_specific_documents.append(
- _master_etcd_config(cluster_name, genesis_hostname,
- hostname, masters)
- )
- role_specific_documents.extend(_master_config(hostname, data,
- masters, network, keys))
+ etcd_config = _master_etcd_config(
+ cluster_name, genesis_hostname, hostname, masters)
+ complete_configuration.append(etcd_config)
+ role_specific_documents.append(etcd_config)
+ master_documents = _master_config(hostname, data,
+ masters, network, keys)
+ complete_configuration.extend(master_documents)
+ role_specific_documents.extend(master_documents)
 if 'genesis' in data.get('roles', []):
 role_specific_documents.extend(_genesis_config(hostname, data,
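Review bot: The initial `complete_configuration` list in the `@@ -76` hunk repeats, item for item, the literal passed to `config.Configuration([...])` for admin-bundle.yaml just above it, so the two will drift the next time a document is added to one of them (the preceding hunk added admin_cert to the admin bundle in exactly that way). Build the list once, e.g. `admin_documents = [admin_cert, admin_cert_key, cluster_ca, cluster_ca_key, etcd_client_ca, etcd_client_ca_key, etcd_peer_ca, etcd_peer_ca_key, sa_pub, sa_priv]`, pass it to the admin bundle and start with `complete_configuration = list(admin_documents)`. The list also deserves a comment, because judging by their names it carries the cluster, etcd-client and etcd-peer CA private keys and the service-account signing key: `# Every generated document, private keys included; emitted as complete-bundle.yaml for the drydock export`. The enclosing method starts before the first hunk.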
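Review bot: In the `@@ -130` hunk the etcd and master documents now go into both `role_specific_documents` and `complete_configuration`, but the `_genesis_config(...)` documents added in the `'genesis'` branch on the next line (that branch continues past the hunk) are not added to `complete_configuration`, so the complete bundle describes every master except the genesis node. If that is deliberate, because genesis is bootstrapped from its own per-host file rather than from the drydock export, a comment on the genesis branch such as `# genesis-only documents stay out of complete-bundle.yaml on purpose` would stop the next reader from "fixing" it; otherwise mirror the master branch with a `genesis_documents` local that is extended into both lists. `data.get('roles', [])` is now evaluated twice in this hunk alone; a `roles = data.get('roles', [])` local at the top of the loop body would read better.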
@@ -146,6 +172,9 @@ class Generator:
 c = config.Configuration(common_documents + role_specific_documents)
 c.write(os.path.join(output_dir, hostname + '.yaml'))
+ config.Configuration(complete_configuration).write(
+ os.path.join(output_dir, 'complete-bundle.yaml'))
+
 def construct_masters(self, cluster_name):
 masters = []
 for hostname, data in self.input_config['Cluster']['nodes'].items():
diff --git a/promenade/pki.py b/promenade/pki.py
index 41adc0d6..cec73300 100644
--- a/promenade/pki.py
+++ b/promenade/pki.py
@@ -61,14 +61,17 @@ class PKI:
 alias = name
 return (self._wrap('PublicKey', pub_result['pub.pem'],
- name=alias,
+ alias=alias,
+ name=name,
 target=target),
 self._wrap('PrivateKey', priv_result['priv.pem'],
- name=alias,
+ alias=alias,
+ name=name,
 target=target))
- def generate_certificate(self, *, alias=None, ca_name, groups=[], hosts=[], name, target):
+ def generate_certificate(self, *, alias=None, config_name=None,
+ ca_name, groups=[], hosts=[], name, target):
 result = self._cfssl(
 ['gencert',
 '-ca',
 'ca.pem',
@@ -85,11 +88,16 @@ class PKI:
 if not alias:
 alias = name
+ if not config_name:
+ config_name = name
+
 return (self._wrap('Certificate', result['cert'],
- name=alias,
+ alias=alias,
+ name=config_name,
 target=target),
 self._wrap('CertificateKey', result['key'],
- name=alias,
+ alias=alias,
+ name=config_name,
 target=target))
 def csr(self, *, name, groups=[], hosts=[], key={'algo': 'rsa', 'size': 2048}):
diff --git a/promenade/templates/common/etc/kubernetes/kubelet/pki/kubelet-key.pem b/promenade/templates/common/etc/kubernetes/kubelet/pki/kubelet-key.pem
index 4292cfb7..4d4655bf 100644
--- a/promenade/templates/common/etc/kubernetes/kubelet/pki/kubelet-key.pem
+++ b/promenade/templates/common/etc/kubernetes/kubelet/pki/kubelet-key.pem
@@ -1 +1 @@
-{{ config.get(kind='CertificateKey', name='kubelet')['data'] }}
+{{ config.get(kind='CertificateKey', alias='kubelet')['data'] }}
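Review bot: `complete-bundle.yaml` is the most sensitive artifact this generator writes — by the names of what goes into it, the cluster, etcd-client and etcd-peer CA private keys, the service-account signing key and every host's kubelet and proxy keys — yet it is written through the same `Configuration.write` call as the per-host files, with nothing visible here about the resulting file mode. If `write` does not already create its output owner-readable only, this is the place to ensure it (for example `os.open(path, os.O_WRONLY | os.O_CREAT | os.O_TRUNC, 0o600)` inside `write`, or an `os.chmod(path, 0o600)` immediately after), and the same applies to `admin-bundle.yaml` from the earlier hunk. A comment above the call, `# Aggregate of every generated document, private keys included; meant only for the drydock export path`, would record why a file duplicating all the per-host bundles exists. The enclosing method starts before the hunk.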
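Review bot: The rewrapped `generate_certificate` signature in the `@@ -61` hunk keeps `groups=[]` and `hosts=[]` as mutable default arguments (carried over from the removed line; `csr` in the next hunk has the same pattern plus a dict default). Nothing in the visible part of the body mutates them, so this is latent rather than active, but since the signature is being rewritten anyway `groups=None, hosts=None` with `groups = groups or []` and `hosts = hosts or []` at the top of the body is the idiomatic form and changes nothing for callers. Placing `config_name=None` between `alias=None` and the required `ca_name` also reads oddly; ordering the keyword-only parameters as `..., ca_name, name, target, alias=None, config_name=None, groups=None, hosts=None` groups the optional ones together without affecting any keyword caller. The keypair-returning method at the top of the hunk and `generate_certificate` both extend beyond it.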
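Review bot: After the `@@ -85` hunk `generate_certificate` juggles three identifiers with nothing explaining them: `name` (which, judging by `csr` below, is the subject name given to cfssl), `alias` (the key the templates now look documents up by, see the `config.get(kind=..., alias=...)` changes that follow), and `config_name` (the emitted document's name, which the generator sets per host as `'system:kube-proxy:%s' % hostname`, presumably so that documents from different hosts do not collide in the complete bundle). A docstring on the function stating those three roles and that both `alias` and `config_name` default to `name` would save the next reader from reconstructing this from the templates. The new `if not config_name:` fallback should be `if config_name is None:` to match the meaning of the default; as written an empty string silently becomes `name`. The function's body starts before the hunk.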
diff --git a/promenade/templates/common/etc/kubernetes/kubelet/pki/kubelet.pem b/promenade/templates/common/etc/kubernetes/kubelet/pki/kubelet.pem
index 2cf83517..2926699d 100644
--- a/promenade/templates/common/etc/kubernetes/kubelet/pki/kubelet.pem
+++ b/promenade/templates/common/etc/kubernetes/kubelet/pki/kubelet.pem
@@ -1 +1 @@
-{{ config.get(kind='Certificate', name='kubelet')['data'] }}
+{{ config.get(kind='Certificate', alias='kubelet')['data'] }}
diff --git a/promenade/templates/common/etc/kubernetes/proxy/pki/proxy-key.pem b/promenade/templates/common/etc/kubernetes/proxy/pki/proxy-key.pem
index 2e388910..22ad08f9 100644
--- a/promenade/templates/common/etc/kubernetes/proxy/pki/proxy-key.pem
+++ b/promenade/templates/common/etc/kubernetes/proxy/pki/proxy-key.pem
@@ -1 +1 @@
-{{ config.get(kind='CertificateKey', name='proxy')['data'] }}
+{{ config.get(kind='CertificateKey', alias='proxy')['data'] }}
diff --git a/promenade/templates/common/etc/kubernetes/proxy/pki/proxy.pem b/promenade/templates/common/etc/kubernetes/proxy/pki/proxy.pem
index 7841403a..0587e040 100644
--- a/promenade/templates/common/etc/kubernetes/proxy/pki/proxy.pem
+++ b/promenade/templates/common/etc/kubernetes/proxy/pki/proxy.pem
@@ -1 +1 @@
-{{ config.get(kind='Certificate', name='proxy')['data'] }}
+{{ config.get(kind='Certificate', alias='proxy')['data'] }}
diff --git a/promenade/templates/master/etc/kubernetes/apiserver/pki/apiserver-key.pem b/promenade/templates/master/etc/kubernetes/apiserver/pki/apiserver-key.pem
index 6b161631..ae8acae8 100644
--- a/promenade/templates/master/etc/kubernetes/apiserver/pki/apiserver-key.pem
+++ b/promenade/templates/master/etc/kubernetes/apiserver/pki/apiserver-key.pem
@@ -1 +1 @@
-{{ config.get(kind='CertificateKey', name='apiserver')['data'] }}
+{{ config.get(kind='CertificateKey', alias='apiserver')['data'] }}
diff --git a/promenade/templates/master/etc/kubernetes/apiserver/pki/apiserver.pem b/promenade/templates/master/etc/kubernetes/apiserver/pki/apiserver.pem
index ef52b8c3..04e82c2c 100644
--- a/promenade/templates/master/etc/kubernetes/apiserver/pki/apiserver.pem
+++ b/promenade/templates/master/etc/kubernetes/apiserver/pki/apiserver.pem
@@ -1 +1 @@
-{{ config.get(kind='Certificate', name='apiserver')['data'] }}
+{{ config.get(kind='Certificate', alias='apiserver')['data'] }}
diff --git a/promenade/templates/master/etc/kubernetes/apiserver/pki/etcd-client-key.pem b/promenade/templates/master/etc/kubernetes/apiserver/pki/etcd-client-key.pem
index 71669eac..9f75cf77 100644
--- a/promenade/templates/master/etc/kubernetes/apiserver/pki/etcd-client-key.pem
+++ b/promenade/templates/master/etc/kubernetes/apiserver/pki/etcd-client-key.pem
@@ -1 +1 @@
-{{ config.get(kind='CertificateKey', name='etcd-apiserver-client')['data'] }}
+{{ config.get(kind='CertificateKey', alias='etcd-apiserver-client')['data'] }}
diff --git a/promenade/templates/master/etc/kubernetes/apiserver/pki/etcd-client.pem b/promenade/templates/master/etc/kubernetes/apiserver/pki/etcd-client.pem
index eb432bfd..42619185 100644
--- a/promenade/templates/master/etc/kubernetes/apiserver/pki/etcd-client.pem
+++ b/promenade/templates/master/etc/kubernetes/apiserver/pki/etcd-client.pem
@@ -1 +1 @@
-{{ config.get(kind='Certificate', name='etcd-apiserver-client')['data'] }}
+{{ config.get(kind='Certificate', alias='etcd-apiserver-client')['data'] }}
diff --git a/promenade/templates/master/etc/kubernetes/controller-manager/pki/controller-manager-key.pem b/promenade/templates/master/etc/kubernetes/controller-manager/pki/controller-manager-key.pem
index 994f3871..807fa87f 100644
--- a/promenade/templates/master/etc/kubernetes/controller-manager/pki/controller-manager-key.pem
+++ b/promenade/templates/master/etc/kubernetes/controller-manager/pki/controller-manager-key.pem
@@ -1 +1 @@
-{{ config.get(kind='CertificateKey', name='controller-manager')['data'] }}
+{{ config.get(kind='CertificateKey', alias='controller-manager')['data'] }}
diff --git a/promenade/templates/master/etc/kubernetes/controller-manager/pki/controller-manager.pem b/promenade/templates/master/etc/kubernetes/controller-manager/pki/controller-manager.pem
index c4a560c5..523bdfcf 100644
--- a/promenade/templates/master/etc/kubernetes/controller-manager/pki/controller-manager.pem
+++ b/promenade/templates/master/etc/kubernetes/controller-manager/pki/controller-manager.pem
@@ -1 +1 @@
-{{ config.get(kind='Certificate', name='controller-manager')['data'] }}
+{{ config.get(kind='Certificate', alias='controller-manager')['data'] }}
diff --git a/promenade/templates/master/etc/kubernetes/etcd/pki/etcd-client-key.pem b/promenade/templates/master/etc/kubernetes/etcd/pki/etcd-client-key.pem
index 9dc5c126..55efdb25 100644
--- a/promenade/templates/master/etc/kubernetes/etcd/pki/etcd-client-key.pem
+++ b/promenade/templates/master/etc/kubernetes/etcd/pki/etcd-client-key.pem
@@ -1 +1 @@
-{{ config.get(kind='CertificateKey', name='etcd-client')['data'] }}
+{{ config.get(kind='CertificateKey', alias='etcd-client')['data'] }}
diff --git a/promenade/templates/master/etc/kubernetes/etcd/pki/etcd-client.pem b/promenade/templates/master/etc/kubernetes/etcd/pki/etcd-client.pem
index 82f9534d..3f39bbf6 100644
--- a/promenade/templates/master/etc/kubernetes/etcd/pki/etcd-client.pem
+++ b/promenade/templates/master/etc/kubernetes/etcd/pki/etcd-client.pem
@@ -1 +1 @@
-{{ config.get(kind='Certificate', name='etcd-client')['data'] }}
+{{ config.get(kind='Certificate', alias='etcd-client')['data'] }}
diff --git a/promenade/templates/master/etc/kubernetes/etcd/pki/etcd-peer-key.pem b/promenade/templates/master/etc/kubernetes/etcd/pki/etcd-peer-key.pem
index 38e507e7..e1b1bdcc 100644
--- a/promenade/templates/master/etc/kubernetes/etcd/pki/etcd-peer-key.pem
+++ b/promenade/templates/master/etc/kubernetes/etcd/pki/etcd-peer-key.pem
@@ -1 +1 @@
-{{ config.get(kind='CertificateKey', name='etcd-peer')['data'] }}
+{{ config.get(kind='CertificateKey', alias='etcd-peer')['data'] }}
diff --git a/promenade/templates/master/etc/kubernetes/etcd/pki/etcd-peer.pem b/promenade/templates/master/etc/kubernetes/etcd/pki/etcd-peer.pem
index 12e325b6..88794cbf 100644
--- a/promenade/templates/master/etc/kubernetes/etcd/pki/etcd-peer.pem
+++ b/promenade/templates/master/etc/kubernetes/etcd/pki/etcd-peer.pem
@@ -1 +1 @@
-{{ config.get(kind='Certificate', name='etcd-peer')['data'] }}
+{{ config.get(kind='Certificate', alias='etcd-peer')['data'] }}
diff --git a/promenade/templates/master/etc/kubernetes/scheduler/pki/scheduler-key.pem b/promenade/templates/master/etc/kubernetes/scheduler/pki/scheduler-key.pem
index 2aa13e4d..6b59f0af 100644
--- a/promenade/templates/master/etc/kubernetes/scheduler/pki/scheduler-key.pem
+++ b/promenade/templates/master/etc/kubernetes/scheduler/pki/scheduler-key.pem
@@ -1 +1 @@
-{{ config.get(kind='CertificateKey', name='scheduler')['data'] }}
+{{ config.get(kind='CertificateKey', alias='scheduler')['data'] }}
diff --git a/promenade/templates/master/etc/kubernetes/scheduler/pki/scheduler.pem b/promenade/templates/master/etc/kubernetes/scheduler/pki/scheduler.pem
index d5f8d631..9fe7e480 100644
--- a/promenade/templates/master/etc/kubernetes/scheduler/pki/scheduler.pem
+++ b/promenade/templates/master/etc/kubernetes/scheduler/pki/scheduler.pem
@@ -1 +1 @@
-{{ config.get(kind='Certificate', name='scheduler')['data'] }}
+{{ config.get(kind='Certificate', alias='scheduler')['data'] }}