Configure wrong cacerts in Rancher 2 to simulate failure
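# This script overwrites Rancher's `cacerts` setting with a static CA certificate,
# which invalidates any certificate-verified connection to Rancher.
# Used for testing only: the previous `cacerts` value is replaced, so run this
# against a disposable Rancher install or record the old value first.
#
# Static CA certificate.
# - Public certificate only; no private key is embedded in this script.
# - The value uses literal backslash-n sequences instead of real newlines so that
#   it can be pasted unchanged into the JSON string of the `kubectl patch` call.
CACERTS="-----BEGIN CERTIFICATE-----\nMIIDLzCCAhegAwIBAgIJAPRzXYsKEAGmMA0GCSqGSIb3DQEBCwUAMBkxFzAVBgNV\nBAMMDk15IG93biByb290IENBMB4XDTE5MDcyMTEyMDU1N1oXDTI5MDcxODEyMDU1\nN1owGTEXMBUGA1UEAwwOTXkgb3duIHJvb3QgQ0EwggEiMA0GCSqGSIb3DQEBAQUA\nA4IBDwAwggEKAoIBAQDi1EiWf8mpCx/z+xA92efHcn1V12/Lv2le82mlvxX8kRL1\n8KZKw95K6TL3iAUT+p2fPPd3Gq33uXhqwlJN2Mrg4Qi0vH0bX/wN38uoY4lGXYhz\nHD8XwrurG32sHLHYrDyJIxZGrerZu0RoQ3sNxKKzkPf4wi3fYByVkXXkfmeSngEM\n2rTBMei6KPBlRxyzL1DAu0Hs3EzmKE65+Z3FgH75z1NUzZNtUcjZNt5ZSFx2/OuX\n059EVu+wlylbJ9iXMXUCcyr1UeWzPlivkktc37sX8IlQIfoi4PB05j7o+y80YmjD\nOdThuYRIJIuXxl1I4wE2lUbVP5GQk3vTGfUHtPmpAgMBAAGjejB4MB0GA1UdDgQW\nBBRcmI0PcldXvOSdYN6kJuB2pLkYWDBJBgNVHSMEQjBAgBRcmI0PcldXvOSdYN6k\nJuB2pLkYWKEdpBswGTEXMBUGA1UEAwwOTXkgb3duIHJvb3QgQ0GCCQD0c12LChAB\npjAMBgNVHRMEBTADAQH/MA0GCSqGSIb3DQEBCwUAA4IBAQBWJBHgsLwrrz2XOCbr\nsUCuzJWskW5W8c3hRieGptRnFoF//M/WmcvX9W/eBHg1lBWuAorUmF3Nz74xnwm4\n4U5AX2R4deWUl7YSBEIpJ5nXbznAhodl1WFKBEbcGFSWC44Yg/skgMkmz/Khe0JJ\nOeb8yfQVl0Pos1lUvQhUBxYlqlVjOy5QO/iI6Ll8LIHPUjMi0Ye/7LqNHZE1kCnk\n46yR9dYL+/9+cCbGuT3U+xFO7h4tSiz3YfdXSg22paqxcZwwhnCBLlZOnFkcIaV1\nnJufoVoHgrciRYf1+LlVzmDd8SKC66OveZxn4q7ONXCB1JT62I6DzAsj342VpWX2\nra2X\n-----END CERTIFICATE-----"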
# Comment out CACERTS and uncomment CACERTSDOUBLE to simulate more than one certificate in cacerts
#CACERTSDOUBLE="-----BEGIN CERTIFICATE-----\nMIIDLzCCAhegAwIBAgIJAPRzXYsKEAGmMA0GCSqGSIb3DQEBCwUAMBkxFzAVBgNV\nBAMMDk15IG93biByb290IENBMB4XDTE5MDcyMTEyMDU1N1oXDTI5MDcxODEyMDU1\nN1owGTEXMBUGA1UEAwwOTXkgb3duIHJvb3QgQ0EwggEiMA0GCSqGSIb3DQEBAQUA\nA4IBDwAwggEKAoIBAQDi1EiWf8mpCx/z+xA92efHcn1V12/Lv2le82mlvxX8kRL1\n8KZKw95K6TL3iAUT+p2fPPd3Gq33uXhqwlJN2Mrg4Qi0vH0bX/wN38uoY4lGXYhz\nHD8XwrurG32sHLHYrDyJIxZGrerZu0RoQ3sNxKKzkPf4wi3fYByVkXXkfmeSngEM\n2rTBMei6KPBlRxyzL1DAu0Hs3EzmKE65+Z3FgH75z1NUzZNtUcjZNt5ZSFx2/OuX\n059EVu+wlylbJ9iXMXUCcyr1UeWzPlivkktc37sX8IlQIfoi4PB05j7o+y80YmjD\nOdThuYRIJIuXxl1I4wE2lUbVP5GQk3vTGfUHtPmpAgMBAAGjejB4MB0GA1UdDgQW\nBBRcmI0PcldXvOSdYN6kJuB2pLkYWDBJBgNVHSMEQjBAgBRcmI0PcldXvOSdYN6k\nJuB2pLkYWKEdpBswGTEXMBUGA1UEAwwOTXkgb3duIHJvb3QgQ0GCCQD0c12LChAB\npjAMBgNVHRMEBTADAQH/MA0GCSqGSIb3DQEBCwUAA4IBAQBWJBHgsLwrrz2XOCbr\nsUCuzJWskW5W8c3hRieGptRnFoF//M/WmcvX9W/eBHg1lBWuAorUmF3Nz74xnwm4\n4U5AX2R4deWUl7YSBEIpJ5nXbznAhodl1WFKBEbcGFSWC44Yg/skgMkmz/Khe0JJ\nOeb8yfQVl0Pos1lUvQhUBxYlqlVjOy5QO/iI6Ll8LIHPUjMi0Ye/7LqNHZE1kCnk\n46yR9dYL+/9+cCbGuT3U+xFO7h4tSiz3YfdXSg22paqxcZwwhnCBLlZOnFkcIaV1\nnJufoVoHgrciRYf1+LlVzmDd8SKC66OveZxn4q7ONXCB1JT62I6DzAsj342VpWX2\nra2X\n-----END CERTIFICATE-----\n-----BEGIN CERTIFICATE-----\nMIIDLzCCAhegAwIBAgIJAPRzXYsKEAGmMA0GCSqGSIb3DQEBCwUAMBkxFzAVBgNV\nBAMMDk15IG93biByb290IENBMB4XDTE5MDcyMTEyMDU1N1oXDTI5MDcxODEyMDU1\nN1owGTEXMBUGA1UEAwwOTXkgb3duIHJvb3QgQ0EwggEiMA0GCSqGSIb3DQEBAQUA\nA4IBDwAwggEKAoIBAQDi1EiWf8mpCx/z+xA92efHcn1V12/Lv2le82mlvxX8kRL1\n8KZKw95K6TL3iAUT+p2fPPd3Gq33uXhqwlJN2Mrg4Qi0vH0bX/wN38uoY4lGXYhz\nHD8XwrurG32sHLHYrDyJIxZGrerZu0RoQ3sNxKKzkPf4wi3fYByVkXXkfmeSngEM\n2rTBMei6KPBlRxyzL1DAu0Hs3EzmKE65+Z3FgH75z1NUzZNtUcjZNt5ZSFx2/OuX\n059EVu+wlylbJ9iXMXUCcyr1UeWzPlivkktc37sX8IlQIfoi4PB05j7o+y80YmjD\nOdThuYRIJIuXxl1I4wE2lUbVP5GQk3vTGfUHtPmpAgMBAAGjejB4MB0GA1UdDgQW\nBBRcmI0PcldXvOSdYN6kJuB2pLkYWDBJBgNVHSMEQjBAgBRcmI0PcldXvOSdYN6k\nJuB2pLkYWKEdpBswGTEXMBUGA1UEAwwOTXkgb3duIHJvb3QgQ0GCCQD0c12LChAB\npjAMBgNVHRMEBTADAQH/MA0GCSqGSIb3DQEBCwUAA4IBAQBWJBHgsLwrrz2XOCbr\nsUCuzJWskW5W8c3hRieGptRnFoF//M/WmcvX9W/eBHg1lBWuAorUmF3Nz74xnwm4\n4U5AX2R4deWUl7YSBEIpJ5nXbznAhodl1WFKBEbcGFSWC44Yg/skgMkmz/Khe0JJ\nOeb8yfQVl0Pos1lUvQhUBxYlqlVjOy5QO/iI6Ll8LIHPUjMi0Ye/7LqNHZE1kCnk\n46yR9dYL+/9+cCbGuT3U+xFO7h4tSiz3YfdXSg22paqxcZwwhnCBLlZOnFkcIaV1\nnJufoVoHgrciRYf1+LlVzmDd8SKC66OveZxn4q7ONXCB1JT62I6DzAsj342VpWX2\nra2X\n-----END CERTIFICATE-----"
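# Retrieve the Docker container ID of the container running the `rancher/rancher` image.
# The grep alternatives match a tagged, bare or digest-pinned `rancher/rancher`
# reference, plus any `docker ps` line containing `rancher_rancher`.
CONTID=$(docker ps | grep -E "rancher/rancher:|rancher/rancher |rancher/rancher@|rancher_rancher" | awk '{ print $1 }')

# Continue only when exactly one container matched. With an empty or multi-line
# CONTID, `docker exec` would receive the wrong arguments (the second ID would be
# taken as the command to run inside the first container).
case "$CONTID" in
  "")
    echo "No running Rancher container found; nothing was changed" >&2
    exit 1
    ;;
  *[[:space:]]*)
    echo "More than one container matched; refusing to guess which one to patch:" >&2
    echo "$CONTID" >&2
    exit 1
    ;;
esac
echo "Container ID running Rancher is ${CONTID}"

# Pick the certificate payload: CACERTS normally, or CACERTSDOUBLE when CACERTS
# has been commented out to test the multi-certificate case.
CACERTS_PAYLOAD=${CACERTS:-${CACERTSDOUBLE:-}}
if [ -z "$CACERTS_PAYLOAD" ]; then
  # An empty payload would clear the setting instead of installing the wrong CA.
  echo "Neither CACERTS nor CACERTSDOUBLE is set; nothing was changed" >&2
  exit 1
fi

# Best effort: save the current value so the setting can be restored after the test.
# An empty backup file means the setting held no value before the patch.
CACERTS_BACKUP="cacerts.backup.$(date +%Y%m%d%H%M%S)"
if docker exec "$CONTID" kubectl get settings cacerts -o jsonpath='{.value}' > "$CACERTS_BACKUP"; then
  echo "Previous cacerts value saved to ${CACERTS_BACKUP}"
else
  rm -f -- "$CACERTS_BACKUP"
  echo "WARNING: could not save the previous cacerts value; continuing without a backup" >&2
fi

# Replace cacerts with the static value.
# The payload is a constant from this script; it is spliced into the JSON string
# as-is, so it must not contain double quotes or real newlines.
docker exec "$CONTID" kubectl patch settings cacerts --type=merge -p '{"value":"'"$CACERTS_PAYLOAD"'"}'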
# To run on a controlplane node of the custom clusters connected to Rancher (makes the checksum pass so that other code is reached)
#docker run --rm --net=host -v $(docker inspect kubelet --format '{{ range .Mounts }}{{ if eq .Destination "/etc/kubernetes" }}{{ .Source }}{{ end }}{{ end }}')/ssl:/etc/kubernetes/ssl:ro --entrypoint bash $(docker inspect $(docker images -q --filter=label=io.cattle.agent=true) --format='{{index .RepoTags 0}}' | tail -1) -c 'kubectl --kubeconfig /etc/kubernetes/ssl/kubecfg-kube-node.yaml get configmap -n kube-system full-cluster-state -o json | jq -r .data.\"full-cluster-state\" | jq -r .currentState.certificatesBundle.\"kube-admin\".config | sed -e "/^[[:space:]]*server:/ s_:.*_: \"https://127.0.0.1:6443\"_"' > kubeconfig_admin.yaml | |
#docker run --rm --net=host -v $PWD/kubeconfig_admin.yaml:/root/.kube/config --entrypoint bash $(docker inspect $(docker images -q --filter=label=io.cattle.agent=true) --format='{{index .RepoTags 0}}' | tail -1) -c 'kubectl -n cattle-system patch daemonset/cattle-node-agent -p '"'"'{"spec": {"template": {"spec": {"containers": [{"name": "agent", "env": [{"name": "CATTLE_CA_CHECKSUM", "value": "84fb2da84dd6d1a791eae0bf09ba28ecb75f0e19357b81b3e701b353ad997a1f"}]}]}}}}'"'"'' |