Skip to content

Instantly share code, notes, and snippets.

@svanellewee

svanellewee/Vagrantfile

Created November 13, 2019 20:10
Show Gist options
  • Save svanellewee/9c49877008f1953a3974d364001d7b74 to your computer and use it in GitHub Desktop.
Save svanellewee/9c49877008f1953a3974d364001d7b74 to your computer and use it in GitHub Desktop.
Download ZIP
hardway kube vagrant
Raw
prep-certs.sh
#!/usr/bin/env bash
#set -euo pipefail
function check-and-clear() {
local filename=${1}
if [[ -f "${filename}" ]]
then
rm -rf "${filename}"
fi
}
function make-ca-config() {
local ca_config_file="$(mktemp /tmp/BLAXXX)"
cat <<-EOF > "${ca_config_file}"
{
"signing": {
"default": {
"expiry": "8760h"
},
"profiles": {
"kubernetes": {
"usages": ["signing", "key encipherment", "server auth", "client auth"],
"expiry": "8760h"
}
}
}
}
EOF
echo "${ca_config_file}"
}
function make-ca() {
check-and-clear "ca.pem"
check-and-clear "ca-key.pem"
check-and-clear "ca.csr"
local ca_csr_file="$(mktemp /tmp/BLAXXX)"
cat <<-EOF > "${ca_csr_file}"
{
"CN": "Kubernetes",
"key": {
"algo": "rsa",
"size": 2048
},
"names": [
{
"C": "US",
"L": "Portland",
"O": "Kubernetes",
"OU": "CA",
"ST": "Oregon"
}
]
}
EOF
cfssl gencert \
-initca "${ca_csr_file}" | cfssljson -bare ca
}
function make-cert-worker() {
rm -fr worker-*{,-key}.pem worker-*.csr
: <<-EOF
The Kubelet Client Certificates
Kubernetes uses a special-purpose authorization mode called Node Authorizer, that specifically authorizes API requests made by Kubelets. In order to be authorized by the Node Authorizer, Kubelets must use a credential that identifies them as being in the system:nodes group, with a username of system:node:<nodeName>. In this section you will create a certificate for each Kubernetes worker node that meets the Node Authorizer requirements.
Generate a certificate and private key for each Kubernetes worker node:
EOF
#local worker_count="${1:-2}"
local index="${1}"
make-ca
local ca_config_file="$(make-ca-config)"
#for (( index=0; index < "${worker_count}"; index++ ))
#do
local instance="worker-${index}"
local worker_instance_json="$(mktemp /tmp/worker-XXX-csr.json)"
cat <<-EOF > "${worker_instance_json}"
{
"CN": "system:node:${instance}",
"key": {
"algo": "rsa",
"size": 2048
},
"names": [
{
"C": "US",
"L": "Portland",
"O": "system:nodes",
"OU": "Kubernetes The Hard Way",
"ST": "Oregon"
}
]
}
EOF
cfssl gencert \
-ca=ca.pem \
-ca-key=ca-key.pem \
-config="${ca_config_file}" \
-hostname="${instance}","192.168.2.3${index}" \
-profile=kubernetes \
"${worker_instance_json}" | cfssljson -bare ${instance}
#done
}
function make-cert-controller-manager() {
rm -fr kube-controller-manager{,-key}.pem
make-ca
local ca_config_file="$(make-ca-config)"
local controller_manager_csr_json="$(mktemp /tmp/controller-manager-XXX-csr.json)"
cat <<-EOF > "${controller_manager_csr_json}"
{
"CN": "system:kube-controller-manager",
"key": {
"algo": "rsa",
"size": 2048
},
"names": [
{
"C": "US",
"L": "Portland",
"O": "system:kube-controller-manager",
"OU": "Kubernetes The Hard Way",
"ST": "Oregon"
}
]
}
EOF
cfssl gencert \
-ca=ca.pem \
-ca-key=ca-key.pem \
-config="${ca_config_file}" \
-profile=kubernetes \
"${controller_manager_csr_json}" | cfssljson -bare kube-controller-manager
}
function make-cert-kube-proxy-client() {
rm -fr kube-proxy{,-key}.pem
local ca_config_file="$(make-ca-config)"
local kube_proxy_csr="$(mktemp /tmp/kube_proxy_XXX)"
cat <<-EOF > "${kube_proxy_csr}"
{
"CN": "system:kube-proxy",
"key": {
"algo": "rsa",
"size": 2048
},
"names": [
{
"C": "US",
"L": "Portland",
"O": "system:node-proxier",
"OU": "Kubernetes The Hard Way",
"ST": "Oregon"
}
]
}
EOF
cfssl gencert \
-ca=ca.pem \
-ca-key=ca-key.pem \
-config="${ca_config_file}" \
-profile=kubernetes \
"${kube_proxy_csr}" | cfssljson -bare kube-proxy
}
function make-cert-service-account() {
rm -fr service-account{,-key}.pem
make-ca
local ca_config_file="$(make-ca-config)"
local service_account_csr="$(mktemp /tmp/BLAXXX)"
cat <<- EOF > "${service_account_csr}"
{
"CN": "service-accounts",
"key": {
"algo": "rsa",
"size": 2048
},
"names": [
{
"C": "US",
"L": "Portland",
"O": "Kubernetes",
"OU": "Kubernetes The Hard Way",
"ST": "Oregon"
}
]
}
EOF
cfssl gencert \
-ca=ca.pem \
-ca-key=ca-key.pem \
-config="${ca_config_file}" \
-profile=kubernetes \
"${service_account_csr}" | cfssljson -bare service-account
}
function make-cert-admin() {
rm -fr admin{,-key}.pem
make-ca
local ca_config_file="$(make-ca-config)"
local admin_csr="$(mktemp /tmp/BLAXXX)"
cat <<- EOF > "${admin_csr}"
{
"CN": "admin",
"key": {
"algo": "rsa",
"size": 2048
},
"names": [
{
"C": "US",
"L": "Portland",
"O": "system:masters",
"OU": "Kubernetes The Hard Way",
"ST": "Oregon"
}
]
}
EOF
cfssl gencert \
-ca=ca.pem \
-ca-key=ca-key.pem \
-config="${ca_config_file}" \
-profile=kubernetes \
"${admin_csr}" | cfssljson -bare admin
}
function make-cert-scheduler-client() {
make-ca
rm -fr kube-scheduler{,-key}.pem
local ca_config_file="$(make-ca-config)"
local kube_scheduler_csr="$(mktemp /tmp/BLAXXX)"
cat <<-EOF > "${kube_scheduler_csr}"
{
"CN": "system:kube-scheduler",
"key": {
"algo": "rsa",
"size": 2048
},
"names": [
{
"C": "US",
"L": "Portland",
"O": "system:kube-scheduler",
"OU": "Kubernetes The Hard Way",
"ST": "Oregon"
}
]
}
EOF
cfssl gencert \
-ca=ca.pem \
-ca-key=ca-key.pem \
-config=${ca_config_file} \
-profile=kubernetes \
"${kube_scheduler_csr}" | cfssljson -bare kube-scheduler
}
function make-cert-kubernetes-api-server() {
make-ca
local ca_config_file="$(make-ca-config)"
rm -fr kubernetes{,-key}.pem
local controller_count=${1:-2}
KUBERNETES_CONTROLLER_ADDR_STRING=$(printf "192.168.2.2%d," $(seq 1 "${controller_count}"))
KUBERNETES_HOSTNAMES=kubernetes,kubernetes.default,kubernetes.default.svc,kubernetes.default.svc.cluster,kubernetes.svc.cluster.local
local kubernetes_csr=$(mktemp /tmp/kube-api-server-csrXXX)
cat <<-EOF > "${kubernetes_csr}"
{
"CN": "kubernetes",
"key": {
"algo": "rsa",
"size": 2048
},
"names": [
{
"C": "US",
"L": "Portland",
"O": "Kubernetes",
"OU": "Kubernetes The Hard Way",
"ST": "Oregon"
}
]
}
EOF
cfssl gencert \
-ca=ca.pem \
-ca-key=ca-key.pem \
-config="${ca_config_file}" \
-hostname=${KUBERNETES_CONTROLLER_ADDR_STRING}127.0.0.1,${KUBERNETES_HOSTNAMES} \
-profile=kubernetes \
"${kubernetes_csr}" | cfssljson -bare kubernetes
}
function clear-workspace() {
rm -fr *.csr *.pem
}
function prep-certs() {
local max_controllers="${1:-2}"
local max_workers="${2:-2}"
make-ca-config
make-ca
for (( index=0; index < "${max_workers}"; index++ ))
do
make-cert-worker "${index}"
done
make-cert-controller-manager
make-cert-kube-proxy-client
make-cert-service-account
make-cert-admin
make-cert-scheduler-client
make-cert-kubernetes-api-server "${max_controllers}"
}
clear-workspace
Raw
prep-config.sh
#!/usr/bin/env bash
source ./prep-certs
function make-config-worker() {
local index="${1}"
make-ca
make-cert-worker "${index}"
#for (( index=0; index < "${max_workers}"; index++ ))
#do
local instance="worker-${index}"
kubectl config set-cluster kubernetes-the-hard-way \
--certificate-authority=ca.pem \
--embed-certs=true \
--server=https://192.168.2.20:6433 \
--kubeconfig="${instance}.kubeconfig"
kubectl config set-credentials system:node:${instance} \
--client-certificate=${instance}.pem \
--client-key=${instance}-key.pem \
--embed-certs=true \
--kubeconfig="${instance}.kubeconfig"
kubectl config set-context default \
--cluster=kubernetes-the-hard-way \
--user=system:node:${instance} \
--kubeconfig="${instance}.kubeconfig"
kubectl config use-context default --kubeconfig=${instance}.kubeconfig
#done
}
function make-config-kube-proxy() {
make-ca
make-cert-kube-proxy-client
kubectl config set-cluster kubernetes-the-hard-way \
--certificate-authority=ca.pem \
--embed-certs=true \
--server=https://192.168.2.20:6443 \
--kubeconfig=kube-proxy.kubeconfig
kubectl config set-credentials system:kube-proxy \
--client-certificate=kube-proxy.pem \
--client-key=kube-proxy-key.pem \
--embed-certs=true \
--kubeconfig=kube-proxy.kubeconfig
kubectl config set-context default \
--cluster=kubernetes-the-hard-way \
--user=system:kube-proxy \
--kubeconfig=kube-proxy.kubeconfig
kubectl config use-context default --kubeconfig=kube-proxy.kubeconfig
}
function make-config-kube-controller-manager(){
make-ca
make-cert-controller-manager
kubectl config set-cluster kubernetes-the-hard-way \
--certificate-authority=ca.pem \
--embed-certs=true \
--server=https://127.0.0.1:6443 \
--kubeconfig=kube-controller-manager.kubeconfig
kubectl config set-credentials system:kube-controller-manager \
--client-certificate=kube-controller-manager.pem \
--client-key=kube-controller-manager-key.pem \
--embed-certs=true \
--kubeconfig=kube-controller-manager.kubeconfig
kubectl config set-context default \
--cluster=kubernetes-the-hard-way \
--user=system:kube-controller-manager \
--kubeconfig=kube-controller-manager.kubeconfig
kubectl config use-context default --kubeconfig=kube-controller-manager.kubeconfig
}
function make-config-kube-scheduler() {
make-ca
make-cert-scheduler-client
kubectl config set-cluster kubernetes-the-hard-way \
--certificate-authority=ca.pem \
--embed-certs=true \
--server=https://127.0.0.1:6443 \
--kubeconfig=kube-scheduler.kubeconfig
kubectl config set-credentials system:kube-scheduler \
--client-certificate=kube-scheduler.pem \
--client-key=kube-scheduler-key.pem \
--embed-certs=true \
--kubeconfig=kube-scheduler.kubeconfig
kubectl config set-context default \
--cluster=kubernetes-the-hard-way \
--user=system:kube-scheduler \
--kubeconfig=kube-scheduler.kubeconfig
kubectl config use-context default --kubeconfig=kube-scheduler.kubeconfig
}
function make-config-admin() {
make-ca
make-cert-admin
kubectl config set-cluster kubernetes-the-hard-way \
--certificate-authority=ca.pem \
--embed-certs=true \
--server=https://127.0.0.1:6443 \
--kubeconfig=admin.kubeconfig
kubectl config set-credentials admin \
--client-certificate=admin.pem \
--client-key=admin-key.pem \
--embed-certs=true \
--kubeconfig=admin.kubeconfig
kubectl config set-context default \
--cluster=kubernetes-the-hard-way \
--user=admin \
--kubeconfig=admin.kubeconfig
kubectl config use-context default --kubeconfig=admin.kubeconfig
}
rm *.kubeconfig
function make-configs() {
make-config-workers
make-config-kube-proxy
make-config-kube-controller-manager
make-config-kube-scheduler
make-config-admin
}
Raw
provision.sh
#!/usr/bin/env bash
mkdir -p output
cd output
source /var/vm-shared/provision/prep-certs
source /var/vm-shared/provision/prep-config
prep-certs
make-configs
controller_count="${1:-2}"
worker_count="${2:-2}"
if [[ "${HOSTNAME}" == controller-* ]]
then
for (( index=0; index < "${controller_count}"; index++ ))
do
make-config-admin
make-config-kube-controller-manager
make-config-kube-scheduler
done
fi
if [[ "${HOSTNAME}" == worker-* ]]
then
for (( index=0; index < "${worker_count}"; index++ ))
do
make-config-worker "${index}"
make-config-kube-proxy
done
fi
Raw
Vagrantfile
# -*- mode: ruby -*-
# vi: set ft=ruby :
# All Vagrant configuration is done below. The "2" in Vagrant.configure
# configures the configuration version (we support older styles for
# backwards compatibility). Please don't change it unless you know what
# you're doing.
Vagrant.configure("2") do |config|
config.vm.provider "virtualbox" do |vb|
vb.memory="512"
end
(0..1).each do |n|
config.vm.define "controller-#{n}" do |controller|
controller.vm.box = "hardway"
controller.vm.network :private_network, ip: "192.168.2.2#{n}"
controller.vm.hostname = "controller-#{n}"
controller.vm.provider "virtualbox" do |vb|
vb.memory = "640"
vb.cpus = 2
end
controller.vm.synced_folder ".", "/var/vm-shared", create: true
# controller.vm.provision "shell", path: "provision-controller.sh" , args: ["192.168.2.20"]
end
end
(0..1).each do |n|
config.vm.define "worker-#{n}" do |worker|
worker.vm.box = "hardway"
worker.vm.network :private_network, ip: "192.168.2.3#{n}"
worker.vm.hostname = "worker-#{n}"
worker.vm.provider "virtualbox" do |vb|
vb.memory = "640"
vb.cpus = 2
end
worker.vm.synced_folder ".", "/var/vm-shared", create: true
# worker.vm.provision "shell", path: "provision-worker.sh", args: ["192.168.2.30"]
end
end
config.vm.provision "shell", path: "provision.sh"
end
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment