From da5934ec6a44c051f720ed93859419e0e743f029 Mon Sep 17 00:00:00 2001 From: Aaron Schlesinger Date: Tue, 8 Dec 2015 10:57:09 -0800 Subject: [PATCH 01/15] fix(Makefile,gen.sh,manifest_replace.sh): run generation and replace scripts in more appropriate containers --- Makefile | 4 ++-- genssl/gen.sh | 7 +++---- genssl/manifest_replace.sh | 1 + 3 files changed, 6 insertions(+), 6 deletions(-) diff --git a/Makefile b/Makefile index 2fe1425..8d4e5ac 100644 --- a/Makefile +++ b/Makefile @@ -45,9 +45,9 @@ deploy: build docker-build docker-push kube-rc ssl-cert: # generate ssl certs - docker run --rm -v "${PWD}":/pwd -w /pwd alpine:3.2 /bin/ash ./genssl/gen.sh && ./genssl/manifest-replace.sh + docker run --rm -v "${PWD}":/pwd -w /pwd centurylink/openssl:0.0.1 ./genssl/gen.sh # replace values in ssl secrets file - docker run --rm -v "${PWD}":/pwd -w /pwd alpine:3.2 /bin/ash ./genssl/manifest_replace.sh + docker run --rm -v "${PWD}":/pwd -w /pwd alpine:3.2 ./genssl/manifest_replace.sh kube-rc: kube-service kubectl create -f ${RC} diff --git a/genssl/gen.sh b/genssl/gen.sh index d9612e0..ea15c78 100755 --- a/genssl/gen.sh +++ b/genssl/gen.sh @@ -1,8 +1,7 @@ -# this script intended to be run inside an alpine:3.2 Docker container, inside a /bin/ash shell. -# it expects that its parent directory (minio/) is mounted to this container and also is its current working directory. +#!/bin/sh -apk add --update-cache openssl -rm -rf /var/cache/apk/* +# this script intended to be run inside a centurylink/openssl:0.0.1 Docker container. +# it expects that its parent directory (minio/) is mounted to this container and also is its current working directory. # these commands are adapted from the very clear and extensive Heroku documents on creating a self-signed SSL certificate: https://devcenter.heroku.com/articles/ssl-certificate-self#generate-private-key-and-certificate-signing-request diff --git a/genssl/manifest_replace.sh b/genssl/manifest_replace.sh index df554bc..f453fe0 100755 
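Review bot: The new `docker run ... centurylink/openssl:0.0.1 ./genssl/gen.sh` line runs the step the comment calls `# generate ssl certs` — the one that produces the server's private key — inside a third-party image selected only by a mutable tag, so what generates the key is whatever that tag resolves to on the day the target runs and the result cannot be reproduced later. Pinning the image by digest, `centurylink/openssl@sha256:<DIGEST-PLACEHOLDER>`, or building it from a Dockerfile kept in this repository, fixes what runs; the same applies to `alpine:3.2` on the next `docker run` line. Dropping the explicit `/bin/ash` also means both invocations now depend on the shebang lines this patch adds and on the scripts keeping their executable bit (the `100755` in the index lines), which is worth a short comment above the target so a later checkout with a lost mode bit is easy to diagnose.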
--- a/genssl/manifest_replace.sh +++ b/genssl/manifest_replace.sh @@ -1,3 +1,4 @@ +#!/bin/ash # this script intended to be run inside an alpine:3.2 Docker container, inside a /bin/ash shell. # it expects that its parent directory (minio/) is mounted to this container and also is its current working directory. # finally, it also expects that a 'server.cert' and 'server.key' in ./genssl. it uses those as the SSL cert and private key (AKA .pem) files, respectively From 3fdf840185dccfb01284338b6a80bd7eec301143 Mon Sep 17 00:00:00 2001 From: Aaron Schlesinger Date: Tue, 8 Dec 2015 11:09:30 -0800 Subject: [PATCH 02/15] feat(deis-minio-rc.yaml): mount minio-ssl secret and use it in args --- manifests/deis-minio-rc.yaml | 11 ++++++++++- 1 file changed, 10 insertions(+), 1 deletion(-) diff --git a/manifests/deis-minio-rc.yaml b/manifests/deis-minio-rc.yaml index b50d506..c9f27b7 100644 --- a/manifests/deis-minio-rc.yaml +++ b/manifests/deis-minio-rc.yaml @@ -22,7 +22,10 @@ spec: command: - boot args: - - "server /home/minio/" + - "server" + - "--cert=/var/run/secrets/deis/minio/ssl/access-cert" + - "--key=/var/run/secrets/deis/minio/ssl/access-pem" + - "/home/minio/" volumeMounts: - name: minio-admin mountPath: /var/run/secrets/deis/minio/admin @@ -30,6 +33,9 @@ spec: - name: minio-user mountPath: /var/run/secrets/deis/minio/user readOnly: true + - name: minio-ssl + mountPath: /var/run/secrets/deis/minio/ssl + readOnly: true volumes: - name: minio-admin secret: @@ -37,3 +43,6 @@ spec: - name: minio-user secret: secretName: minio-user + - name: minio-ssl + secret: + secretName: minio-ssl From b2143bc382a281bcdb9887e63bf78f1c1bebb25c Mon Sep 17 00:00:00 2001 From: Aaron Schlesinger Date: Tue, 8 Dec 2015 13:02:05 -0800 Subject: [PATCH 03/15] fix(manifest_replace.sh): remove newlines from ssl certs --- genssl/manifest_replace.sh | 14 ++++++++------ 1 file changed, 8 insertions(+), 6 deletions(-) 
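Review bot: The `minio-ssl` mount puts the private key at `/var/run/secrets/deis/minio/ssl/access-pem`, and although `readOnly: true` is set, nothing in the volume definition restricts the file mode, so the key is readable by every user inside the container rather than only the process started by `boot`. If the target Kubernetes version supports a `defaultMode` on secret volumes, setting it to `0400` on the `minio-ssl` volume narrows that; otherwise a comment on the volume recording the assumption would help the next reader. The key names are also slightly misleading: both `access-cert` and `access-pem` are PEM files, and `access-key` would match the `--key=` flag that consumes it.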
diff --git a/genssl/manifest_replace.sh b/genssl/manifest_replace.sh index f453fe0..92fc49e 100755 --- a/genssl/manifest_replace.sh +++ b/genssl/manifest_replace.sh @@ -3,10 +3,12 @@ # it expects that its parent directory (minio/) is mounted to this container and also is its current working directory. # finally, it also expects that a 'server.cert' and 'server.key' in ./genssl. it uses those as the SSL cert and private key (AKA .pem) files, respectively -FILE_CONTENTS="$(cat ./manifests/deis-minio-secretssl.yaml)" -CERT="$(base64 ./genssl/server.cert)" -PEM="$(base64 ./genssl/server.key)" +CERT=$(base64 ./genssl/server.cert | tr -d '\n') +PEM=$(base64 ./genssl/server.key | tr -d '\n') -FILE_CONTENTS="${FILE_CONTENTS/ACCESS_CERT/$CERT}" -FILE_CONTENTS="${FILE_CONTENTS/ACCESS_PEM/$PEM}" -echo "$FILE_CONTENTS" > ./manifests/deis-minio-secretssl-final.yaml +FINAL_FILE=./manifests/deis-minio-secretssl-final.yaml + +FILE_CONTENTS=$(sed -e "s/ACCESS_CERT/$CERT/" ./manifests/deis-minio-secretssl.yaml) +echo "$FILE_CONTENTS" > $FINAL_FILE +FILE_CONTENTS=$(sed -e "s/ACCESS_PEM/$PEM/" $FINAL_FILE) +echo "$FILE_CONTENTS" > $FINAL_FILE From b4f502ac2de85e585da2b0989a238391c296ecd3 Mon Sep 17 00:00:00 2001 From: Aaron Schlesinger Date: Tue, 8 Dec 2015 13:02:15 -0800 Subject: [PATCH 04/15] feat(boot.go): print mc start command --- boot.go | 1 + 1 file changed, 1 insertion(+) diff --git a/boot.go b/boot.go index 5b1cdfb..0a95bb8 100644 --- a/boot.go +++ b/boot.go @@ -115,6 +115,7 @@ func main() { checkError(err) os.Args[0] = "minio" mc := strings.Join(os.Args, " ") + fmt.Println(mc) run(mc) } From e3e71f786eb248c65440700f5c3d6760d655af4d Mon Sep 17 00:00:00 2001 From: Aaron Schlesinger Date: Tue, 8 Dec 2015 13:02:50 -0800 Subject: [PATCH 05/15] feat(Makefile): add ssl cert creation target --- Makefile | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/Makefile b/Makefile index 8d4e5ac..26d2327 100644 --- a/Makefile +++ b/Makefile 
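Review bot: `sed -e "s/ACCESS_CERT/$CERT/"` and the matching `ACCESS_PEM` line use `/` as the `s` delimiter, but `/` is part of the standard base64 alphabet, so as soon as the encoded certificate or key contains one (very likely for an RSA key) sed rejects the expression or emits a mangled manifest. A delimiter outside the base64 alphabet fixes it: `FILE_CONTENTS=$(sed -e "s|ACCESS_CERT|$CERT|" ./manifests/deis-minio-secretssl.yaml)` and `FILE_CONTENTS=$(sed -e "s|ACCESS_PEM|$PEM|" $FINAL_FILE)`. `$FINAL_FILE` embeds the base64-encoded private key and is written under the default umask; a `umask 077` before the first `echo` keeps the generated file from being world-readable on the bind mount, and quoting `"$FINAL_FILE"` in the redirections is cheap hygiene.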
@@ -14,6 +14,7 @@ RC := manifests/deis-${SHORT_NAME}-rc.yaml SVC := manifests/deis-${SHORT_NAME}-service.yaml ADMIN_SEC := manifests/deis-${SHORT_NAME}-secretAdmin.yaml USER_SEC := manifests/deis-${SHORT_NAME}-secretUser.yaml +SSL_SEC := manifests/deis-${SHORT_NAME}-secretssl-final.yaml IMAGE := ${DEIS_REGISTRY}${SHORT_NAME}:${VERSION} MC_IMAGE := ${DEIS_REGISTRY}${IMAGE_PREFIX}/mc:${VERSION} MC_INTEGRATION_IMAGE := ${DEIS_REGISTRY}${IMAGE_PREFIX}/mc-integration:${VERSION} @@ -52,7 +53,7 @@ ssl-cert: kube-rc: kube-service kubectl create -f ${RC} -kube-secrets: +kube-secrets: ssl-cert kubectl create -f ${ADMIN_SEC} kubectl create -f ${USER_SEC} From 1f1fc82b60b1be0a5dfd5fdcb1736461e74c5871 Mon Sep 17 00:00:00 2001 From: Aaron Schlesinger Date: Tue, 8 Dec 2015 13:03:13 -0800 Subject: [PATCH 06/15] feat(Makefile): add target to clean secrets from k8s --- Makefile | 6 ++++++ 1 file changed, 6 insertions(+) diff --git a/Makefile b/Makefile index 26d2327..126714c 100644 --- a/Makefile +++ b/Makefile @@ -56,6 +56,12 @@ kube-rc: kube-service kube-secrets: ssl-cert kubectl create -f ${ADMIN_SEC} kubectl create -f ${USER_SEC} + kubectl create -f ${SSL_SEC} + +kube-clean-secrets: + kubectl delete secret minio-user + kubectl delete secret minio-admin + kubectl delete secret minio-ssl kube-service: kube-secrets - kubectl create -f ${SVC} From c5f85c6842eeff68a0ccddaa38cdb14cf0061310 Mon Sep 17 00:00:00 2001 From: Aaron Schlesinger Date: Tue, 8 Dec 2015 13:03:40 -0800 Subject: [PATCH 07/15] fix(deis-minio-secretssl.yaml): use multiline yaml string --- manifests/deis-minio-secretssl.yaml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/manifests/deis-minio-secretssl.yaml b/manifests/deis-minio-secretssl.yaml index 2eaccc8..2162016 100644 --- a/manifests/deis-minio-secretssl.yaml +++ b/manifests/deis-minio-secretssl.yaml 
@@ -6,8 +6,8 @@ metadata: type: Opaque data: # generated by make ssl-cert - access-cert: | + access-cert: > ACCESS_CERT # generated by make ssl-cert - access-pem: | + access-pem: > ACCESS_PEM From c7b0b775edb3d2317dc4ddb12c34f0cc645d4e86 Mon Sep 17 00:00:00 2001 From: Aaron Schlesinger Date: Tue, 8 Dec 2015 13:08:00 -0800 Subject: [PATCH 08/15] fix(Makefile): adding IMAGE_PREFIX --- Makefile | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/Makefile b/Makefile index 126714c..505f290 100644 --- a/Makefile +++ b/Makefile @@ -10,12 +10,14 @@ BINDIR := ./rootfs/bin DEV_REGISTRY ?= $(docker-machine ip deis):5000 DEIS_REGISTRY ?= ${DEV_REGISTRY} +IMAGE_PREFIX ?= deis + RC := manifests/deis-${SHORT_NAME}-rc.yaml SVC := manifests/deis-${SHORT_NAME}-service.yaml ADMIN_SEC := manifests/deis-${SHORT_NAME}-secretAdmin.yaml USER_SEC := manifests/deis-${SHORT_NAME}-secretUser.yaml SSL_SEC := manifests/deis-${SHORT_NAME}-secretssl-final.yaml -IMAGE := ${DEIS_REGISTRY}${SHORT_NAME}:${VERSION} +IMAGE := ${DEIS_REGISTRY}${IMAGE_PREFIX}/${SHORT_NAME}:${VERSION} MC_IMAGE := ${DEIS_REGISTRY}${IMAGE_PREFIX}/mc:${VERSION} MC_INTEGRATION_IMAGE := ${DEIS_REGISTRY}${IMAGE_PREFIX}/mc-integration:${VERSION} From d675ccc5dae67b48d44a5dbb312afbede9a6f598 Mon Sep 17 00:00:00 2001 From: Aaron Schlesinger Date: Tue, 8 Dec 2015 13:11:35 -0800 Subject: [PATCH 09/15] fix(manifests/deis-minio-rc.yaml): add imagePullPolicy: Always and add the v2-alpha tag --- manifests/deis-minio-rc.yaml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/manifests/deis-minio-rc.yaml b/manifests/deis-minio-rc.yaml index c9f27b7..e8a097c 100644 --- a/manifests/deis-minio-rc.yaml +++ b/manifests/deis-minio-rc.yaml @@ -15,8 +15,8 @@ spec: app: deis-minio spec: containers: - - name: deis-minio - image: quay.io/deis/minio + - imagePullPolicy: Always + name: deis-minio ports: - containerPort: 9000 command: From ce2e5da074275fd585359d380d973745e6d693b7 Mon Sep 17 00:00:00 2001 
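Review bot: After this hunk the `deis-minio` container has no `image:` line at all — the removed `image: quay.io/deis/minio` is not replaced by anything, even though the subject says the v2-alpha tag is added — so the API server rejects the replication controller until one is set. A later patch in this series adds `image: quay.io/deisci/minio:v2-alpha`; folding that into this commit would keep every commit in the series deployable. Moving `name:` below `imagePullPolicy:` is harmless but makes the diff noisier than the one-line intent.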
From: Aaron Schlesinger Date: Tue, 8 Dec 2015 13:20:28 -0800 Subject: [PATCH 10/15] fix(Makefile): remove dependency from kube-rc MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit kube-service tries to create secrets, which fails much of the time. in standard development, we’ll likely be starting up the rc more than creating new secrets --- Makefile | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/Makefile b/Makefile index 505f290..6190051 100644 --- a/Makefile +++ b/Makefile @@ -52,7 +52,7 @@ ssl-cert: # replace values in ssl secrets file docker run --rm -v "${PWD}":/pwd -w /pwd alpine:3.2 ./genssl/manifest_replace.sh -kube-rc: kube-service +kube-rc: kubectl create -f ${RC} kube-secrets: ssl-cert From 344cb5a42c66f93764b4ecde54e96ee2d5c9e054 Mon Sep 17 00:00:00 2001 From: Aaron Schlesinger Date: Tue, 8 Dec 2015 13:21:01 -0800 Subject: [PATCH 11/15] fix(deis-minio-rc.yaml): set release and image name correctly to v2-alpha --- manifests/deis-minio-rc.yaml | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/manifests/deis-minio-rc.yaml b/manifests/deis-minio-rc.yaml index e8a097c..52514b2 100644 --- a/manifests/deis-minio-rc.yaml +++ b/manifests/deis-minio-rc.yaml @@ -4,7 +4,7 @@ metadata: name: deis-minio labels: heritage: deis - release: 0.0.1-20151125145149 + release: v2-alpha spec: replicas: 1 selector: @@ -17,6 +17,7 @@ spec: containers: - imagePullPolicy: Always name: deis-minio + image: quay.io/deisci/minio:v2-alpha ports: - containerPort: 9000 command: From 895f8a40e9306c711d408f2f18003e590ee4e9f2 Mon Sep 17 00:00:00 2001 From: Aaron Schlesinger Date: Tue, 8 Dec 2015 13:25:11 -0800 Subject: [PATCH 12/15] fix(deis-minio-rc.yaml): start minio with correct cert and key flags --- manifests/deis-minio-rc.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/manifests/deis-minio-rc.yaml b/manifests/deis-minio-rc.yaml index 52514b2..faf913c 100644 
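Review bot: `image: quay.io/deisci/minio:v2-alpha` together with the `imagePullPolicy: Always` context line above it means every pod start fetches whatever the mutable `v2-alpha` tag resolves to at that moment, so the running binary can change with no change to this manifest and cannot be tied back to a reviewed build. Pinning by digest, `image: quay.io/deisci/minio@sha256:<DIGEST-PLACEHOLDER>`, makes the deployment reproducible and is the usual mitigation for a registry-side tag swap. If rolling the tag forward is the intended alpha workflow, a one-line comment on the `image:` line saying so would stop the next reader from "fixing" it.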
--- a/manifests/deis-minio-rc.yaml +++ b/manifests/deis-minio-rc.yaml @@ -23,9 +23,9 @@ spec: command: - boot args: - - "server" - "--cert=/var/run/secrets/deis/minio/ssl/access-cert" - "--key=/var/run/secrets/deis/minio/ssl/access-pem" + - "server" - "/home/minio/" volumeMounts: - name: minio-admin From 2f6b70013a1ed6b2f427adec48703aef5be1e206 Mon Sep 17 00:00:00 2001 From: Aaron Schlesinger Date: Tue, 8 Dec 2015 13:25:25 -0800 Subject: [PATCH 13/15] fix(boot.go): remove errant command log --- boot.go | 1 - 1 file changed, 1 deletion(-) diff --git a/boot.go b/boot.go index 0a95bb8..5b1cdfb 100644 --- a/boot.go +++ b/boot.go @@ -115,7 +115,6 @@ func main() { checkError(err) os.Args[0] = "minio" mc := strings.Join(os.Args, " ") - fmt.Println(mc) run(mc) } From bb8ebe1ceb3c8097d5bf68f7bd7b9ef4dfb21c0b Mon Sep 17 00:00:00 2001 From: Aaron Schlesinger Date: Tue, 8 Dec 2015 14:08:33 -0800 Subject: [PATCH 14/15] fix(Makefile,manifest_replace): porting manifest replace script to go all the newline handling was making the sed command very complex. I believe the move to Go is justified here --- Makefile | 2 +- genssl/manifest_replace.go | 56 +++++++++++++++++++ genssl/manifest_replace.sh | 14 ----- ...ssl.yaml => deis-minio-secretssl-tpl.yaml} | 8 +-- 4 files changed, 61 insertions(+), 19 deletions(-) create mode 100755 genssl/manifest_replace.go delete mode 100755 genssl/manifest_replace.sh rename manifests/{deis-minio-secretssl.yaml => deis-minio-secretssl-tpl.yaml} (68%) diff --git a/Makefile b/Makefile index 6190051..17740b5 100644 --- a/Makefile +++ b/Makefile 
@@ -50,7 +50,7 @@ ssl-cert: # generate ssl certs docker run --rm -v "${PWD}":/pwd -w /pwd centurylink/openssl:0.0.1 ./genssl/gen.sh # replace values in ssl secrets file - docker run --rm -v "${PWD}":/pwd -w /pwd alpine:3.2 ./genssl/manifest_replace.sh + docker run --rm -v "${PWD}":/pwd -w /pwd golang:1.5.1-alpine go run ./genssl/manifest_replace.go --cert=./genssl/server.cert --key=./genssl/server.key --tpl=./manifests/deis-minio-secretssl-tpl.yaml --out=./manifests/deis-minio-secretssl-final.yaml kube-rc: kubectl create -f ${RC} diff --git a/genssl/manifest_replace.go b/genssl/manifest_replace.go new file mode 100755 index 0000000..555807c --- /dev/null +++ b/genssl/manifest_replace.go 
@@ -0,0 +1,56 @@
+package main
+
+import (
+ "encoding/base64"
+ "flag"
+ "fmt"
+ "io/ioutil"
+ "os"
+ "text/template"
+)
+
+const (
+ defaultAccessCertName = "./genssl/server.cert"
+ defaultAccessKeyName = "./genssl/server.key"
+ defaultTplName = "./manifests/deis-minio-secretssl-tpl.yaml"
+ defaultOutName = "./manifests/deis-minio-secretssl-final.yaml"
+)
+
+func main() {
+ accessCertName := flag.String("cert", defaultAccessCertName, "the path to the SSL certificate file")
+ accessKeyName := flag.String("key", defaultAccessKeyName, "the path to the SSL key file")
+ tplName := flag.String("tpl", defaultTplName, "the path to the template name")
+ outName := flag.String("out", defaultOutName, "the path to the output file")
+
+ certBytes, err := ioutil.ReadFile(*accessCertName)
+ if err != nil {
+ fmt.Printf("ERROR: reading cert file (%s)\n", err)
+ os.Exit(1)
+ }
+ keyBytes, err := ioutil.ReadFile(*accessKeyName)
+ if err != nil {
+ fmt.Printf("ERROR: reading key file (%s)\n", err)
+ os.Exit(1)
+ }
+ tpl, err := template.ParseFiles(*tplName)
+ if err != nil {
+ fmt.Printf("ERROR: parsing template (%s)\n", err)
+ os.Exit(1)
+ }
+
+ outFile, err := os.Create(*outName)
+ if err != nil {
+ fmt.Printf("ERROR: creating new out file (%s)\n", err)
+ os.Exit(1)
+ }
+
+ accessCertEncoded := base64.StdEncoding.EncodeToString(certBytes)
+ accessKeyEncoded := base64.StdEncoding.EncodeToString(keyBytes)
+
+ s := map[string]string{"AccessCert": accessCertEncoded, "AccessPem": accessKeyEncoded}
+
+ if err := tpl.Execute(outFile, s); err != nil {
+ fmt.Printf("ERROR: executing template (%s)\n", err)
+ os.Exit(1)
+ }
+}
diff --git a/genssl/manifest_replace.sh b/genssl/manifest_replace.sh
deleted file mode 100755
index 92fc49e..0000000
--- a/genssl/manifest_replace.sh
+++ /dev/null
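Review bot: `flag.Parse()` is never called, so the four `flag.String` values stay at their defaults and the `--cert/--key/--tpl/--out` arguments the Makefile passes are silently ignored — it only works today because those arguments happen to equal the defaults. `os.Create(*outName)` also creates the output, which embeds the base64-encoded private key, with mode 0666 before umask; opening it with `os.OpenFile(*outName, os.O_WRONLY|os.O_CREATE|os.O_TRUNC, 0600)` keeps it from being readable by other users of the bind-mounted checkout. The file is never closed and the error paths print to stdout, where they mix with normal `go run` output; the rewrite below calls `Parse`, tightens the mode, reports errors on stderr and checks `Close`. The file is also added with `new file mode 100755`, which a `.go` source does not need.
```go
func main() {
	// … unchanged: the four flag.String definitions …
	flag.Parse() // without this every --cert/--key/--tpl/--out value is ignored and the defaults are used

	// … unchanged: reading the cert and key files, parsing the template …

	// The output embeds the base64-encoded private key, so avoid os.Create's 0666 (minus umask).
	outFile, err := os.OpenFile(*outName, os.O_WRONLY|os.O_CREATE|os.O_TRUNC, 0600)
	if err != nil {
		fmt.Fprintf(os.Stderr, "ERROR: creating new out file (%s)\n", err)
		os.Exit(1)
	}

	// … unchanged: base64 encoding and the template data map …

	if err := tpl.Execute(outFile, s); err != nil {
		fmt.Fprintf(os.Stderr, "ERROR: executing template (%s)\n", err)
		os.Exit(1)
	}
	if err := outFile.Close(); err != nil {
		fmt.Fprintf(os.Stderr, "ERROR: closing out file (%s)\n", err)
		os.Exit(1)
	}
}
```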
@@ -1,14 +0,0 @@ -#!/bin/ash -# this script intended to be run inside an alpine:3.2 Docker container, inside a /bin/ash shell. -# it expects that its parent directory (minio/) is mounted to this container and also is its current working directory. -# finally, it also expects that a 'server.cert' and 'server.key' in ./genssl. it uses those as the SSL cert and private key (AKA .pem) files, respectively - -CERT=$(base64 ./genssl/server.cert | tr -d '\n') -PEM=$(base64 ./genssl/server.key | tr -d '\n') - -FINAL_FILE=./manifests/deis-minio-secretssl-final.yaml - -FILE_CONTENTS=$(sed -e "s/ACCESS_CERT/$CERT/" ./manifests/deis-minio-secretssl.yaml) -echo "$FILE_CONTENTS" > $FINAL_FILE -FILE_CONTENTS=$(sed -e "s/ACCESS_PEM/$PEM/" $FINAL_FILE) -echo "$FILE_CONTENTS" > $FINAL_FILE diff --git a/manifests/deis-minio-secretssl.yaml b/manifests/deis-minio-secretssl-tpl.yaml similarity index 68% rename from manifests/deis-minio-secretssl.yaml rename to manifests/deis-minio-secretssl-tpl.yaml index 2162016..c11cb3d 100644 --- a/manifests/deis-minio-secretssl.yaml +++ b/manifests/deis-minio-secretssl-tpl.yaml @@ -6,8 +6,8 @@ metadata: type: Opaque data: # generated by make ssl-cert - access-cert: > - ACCESS_CERT + access-cert: | + {{.AccessCert}} # generated by make ssl-cert - access-pem: > - ACCESS_PEM + access-pem: | + {{.AccessPem}} From a914242563b01cf77ff3f5b572a8f3b28d84897d Mon Sep 17 00:00:00 2001 From: Aaron Schlesinger Date: Tue, 8 Dec 2015 14:13:52 -0800 Subject: [PATCH 15/15] doc(Makefile): add TODO to plug Go :) --- Makefile | 2 ++ 1 file changed, 2 insertions(+) diff --git a/Makefile b/Makefile index 17740b5..b1843a1 100644 --- a/Makefile +++ b/Makefile 
@@ -46,6 +46,8 @@ docker-push: docker-build deploy: build docker-build docker-push kube-rc +# TODO: would be nice to refactor all of this code into a single binary. 1/2 of it is already written in genssl/manifest_replace.go. +# the other 1/2 is in gen.sh, and should be refactored as a few 'exec.Command' calls... ssl-cert: # generate ssl certs docker run --rm -v "${PWD}":/pwd -w /pwd centurylink/openssl:0.0.1 ./genssl/gen.sh