21 changes: 16 additions & 5 deletions Makefile
Expand Up @@ -10,11 +10,14 @@ BINDIR := ./rootfs/bin
DEV_REGISTRY ?= $(docker-machine ip deis):5000
DEIS_REGISTRY ?= ${DEV_REGISTRY}

IMAGE_PREFIX ?= deis

RC := manifests/deis-${SHORT_NAME}-rc.yaml
SVC := manifests/deis-${SHORT_NAME}-service.yaml
ADMIN_SEC := manifests/deis-${SHORT_NAME}-secretAdmin.yaml
USER_SEC := manifests/deis-${SHORT_NAME}-secretUser.yaml
IMAGE := ${DEIS_REGISTRY}${SHORT_NAME}:${VERSION}
SSL_SEC := manifests/deis-${SHORT_NAME}-secretssl-final.yaml
IMAGE := ${DEIS_REGISTRY}${IMAGE_PREFIX}/${SHORT_NAME}:${VERSION}
MC_IMAGE := ${DEIS_REGISTRY}${IMAGE_PREFIX}/mc:${VERSION}
MC_INTEGRATION_IMAGE := ${DEIS_REGISTRY}${IMAGE_PREFIX}/mc-integration:${VERSION}

Expand Down Expand Up @@ -43,18 +46,26 @@ docker-push: docker-build

deploy: build docker-build docker-push kube-rc

# TODO: would be nice to refactor all of this code into a single binary. 1/2 of it is already written in genssl/manifest_replace.go.
# the other 1/2 is in gen.sh, and should be refactored as a few 'exec.Command' calls...
ssl-cert:
# generate ssl certs
docker run --rm -v "${PWD}":/pwd -w /pwd alpine:3.2 /bin/ash ./genssl/gen.sh && ./genssl/manifest-replace.sh
docker run --rm -v "${PWD}":/pwd -w /pwd centurylink/openssl:0.0.1 ./genssl/gen.sh
# replace values in ssl secrets file
docker run --rm -v "${PWD}":/pwd -w /pwd alpine:3.2 /bin/ash ./genssl/manifest_replace.sh
docker run --rm -v "${PWD}":/pwd -w /pwd golang:1.5.1-alpine go run ./genssl/manifest_replace.go --cert=./genssl/server.cert --key=./genssl/server.key --tpl=./manifests/deis-minio-secretssl-tpl.yaml --out=./manifests/deis-minio-secretssl-final.yaml

kube-rc: kube-service
kube-rc:
kubectl create -f ${RC}

kube-secrets:
kube-secrets: ssl-cert
kubectl create -f ${ADMIN_SEC}
kubectl create -f ${USER_SEC}
kubectl create -f ${SSL_SEC}

kube-clean-secrets:
kubectl delete secret minio-user
kubectl delete secret minio-admin
kubectl delete secret minio-ssl

kube-service: kube-secrets
- kubectl create -f ${SVC}
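Review bot: The `ssl-cert` recipe generates the TLS private key inside `centurylink/openssl:0.0.1` and renders the secret manifest inside `golang:1.5.1-alpine`, both referenced only by a mutable tag while the whole working tree is mounted into them. Pinning each image by digest (`centurylink/openssl@sha256:<digest>`, placeholder) would tie key generation to a known image instead of whatever the tag points at on the day. The recipe also leaves `genssl/server.key` and `manifests/deis-minio-secretssl-final.yaml` in the working tree; if they are not already ignored, add both to `.gitignore` so the key cannot be committed by accident. The page does not mark old and new sides, but if `kube-rc:` without the `kube-service` prerequisite is the new line, `deploy` no longer creates the secrets before the replication controller, which is worth confirming.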
7 changes: 3 additions & 4 deletions genssl/gen.sh
@@ -1,8 +1,7 @@
# this script intended to be run inside an alpine:3.2 Docker container, inside a /bin/ash shell.
# it expects that its parent directory (minio/) is mounted to this container and also is its current working directory.
#!/bin/sh

apk add --update-cache openssl
rm -rf /var/cache/apk/*
# this script intended to be run inside a centurylink/openssl:0.0.1 Docker container.
# it expects that its parent directory (minio/) is mounted to this container and also is its current working directory.

# these commands are adapted from the very clear and extensive Heroku documents on creating a self-signed SSL certificate: https://devcenter.heroku.com/articles/ssl-certificate-self#generate-private-key-and-certificate-signing-request

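Review bot: Nothing in the visible lines makes the script abort on a failed command, so a failing openssl step could leave a stale or partial `server.key`/`server.cert` for the next Makefile step to embed in the secret manifest; consider adding `set -eu` directly under the new `#!/bin/sh` line. The rest of the script lies outside this hunk, so confirm it does not already do this. With the `apk add` gone, the script relies entirely on the image shipping openssl, so the header comment could also say which openssl commands it needs.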
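--- a/genssl/manifest_replace.go
+++ b/genssl/manifest_replace.go
@@ -0,0 +1,56 @@
+package main
+
+import (
+"encoding/base64"
+"flag"
+"fmt"
+"io/ioutil"
+"os"
+"text/template"
+)
+
+const (
+defaultAccessCertName = "./genssl/server.cert"
+defaultAccessKeyName = "./genssl/server.key"
+defaultTplName = "./manifests/deis-minio-secretssl-tpl.yaml"
+defaultOutName = "./manifests/deis-minio-secretssl-final.yaml"
+)
+
+func main() {
+accessCertName := flag.String("cert", defaultAccessCertName, "the path to the SSL certificate file")
+accessKeyName := flag.String("key", defaultAccessKeyName, "the path to the SSL key file")
+tplName := flag.String("tpl", defaultTplName, "the path to the template name")
+outName := flag.String("out", defaultOutName, "the path to the output file")
+
+certBytes, err := ioutil.ReadFile(*accessCertName)
+if err != nil {
+fmt.Printf("ERROR: reading cert file (%s)\n", err)
+os.Exit(1)
+}
+keyBytes, err := ioutil.ReadFile(*accessKeyName)
+if err != nil {
+fmt.Printf("ERROR: reading key file (%s)\n", err)
+os.Exit(1)
+}
+tpl, err := template.ParseFiles(*tplName)
+if err != nil {
+fmt.Printf("ERROR: parsing template (%s)\n", err)
+os.Exit(1)
+}
+
+outFile, err := os.Create(*outName)
+if err != nil {
+fmt.Printf("ERROR: creating new out file (%s)\n", err)
+os.Exit(1)
+}
+
+accessCertEncoded := base64.StdEncoding.EncodeToString(certBytes)
+accessKeyEncoded := base64.StdEncoding.EncodeToString(keyBytes)
+
+s := map[string]string{"AccessCert": accessCertEncoded, "AccessPem": accessKeyEncoded}
+
+if err := tpl.Execute(outFile, s); err != nil {
+fmt.Printf("ERROR: executing template (%s)\n", err)
+os.Exit(1)
+}
+}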
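Review bot: `main` never calls `flag.Parse()`, so the `--cert`, `--key`, `--tpl` and `--out` values passed by the Makefile are ignored and the compiled-in defaults are always used; add `flag.Parse()` right after the four `flag.String` calls. The output file holds the base64-encoded private key, yet it is created with `os.Create`, which requests mode 0666 before umask, and it is never closed. `outFile, err := os.OpenFile(*outName, os.O_WRONLY|os.O_CREATE|os.O_TRUNC, 0600)` followed by a checked `outFile.Close()` would keep a newly created manifest owner-only and surface write errors; the mode applies only on creation, so an existing file keeps its old permissions. Error messages go to stdout through `fmt.Printf`; `fmt.Fprintf(os.Stderr, ...)` is the more usual destination.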
11 changes: 0 additions & 11 deletions genssl/manifest_replace.sh

This file was deleted.

18 changes: 14 additions & 4 deletions manifests/deis-minio-rc.yaml
Expand Up @@ -4,7 +4,7 @@ metadata:
name: deis-minio
labels:
heritage: deis
release: 0.0.1-20151125145149
release: v2-alpha
spec:
replicas: 1
selector:
Expand All @@ -15,25 +15,35 @@ spec:
app: deis-minio
spec:
containers:
- name: deis-minio
image: quay.io/deis/minio
- imagePullPolicy: Always
name: deis-minio
image: quay.io/deisci/minio:v2-alpha
ports:
- containerPort: 9000
command:
- boot
args:
- "server /home/minio/"
- "--cert=/var/run/secrets/deis/minio/ssl/access-cert"
- "--key=/var/run/secrets/deis/minio/ssl/access-pem"
- "server"
- "/home/minio/"
volumeMounts:
- name: minio-admin
mountPath: /var/run/secrets/deis/minio/admin
readOnly: true
- name: minio-user
mountPath: /var/run/secrets/deis/minio/user
readOnly: true
- name: minio-ssl
mountPath: /var/run/secrets/deis/minio/ssl
readOnly: true
volumes:
- name: minio-admin
secret:
secretName: minio-admin
- name: minio-user
secret:
secretName: minio-user
- name: minio-ssl
secret:
secretName: minio-ssl
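Review bot: The container image `quay.io/deisci/minio:v2-alpha` is a mutable tag combined with `imagePullPolicy: Always`, so every pod start runs whatever was last pushed to that tag, in a pod that mounts the admin, user and TLS key secrets. Pinning the image by digest or by an immutable release tag would tie the running code to a build that was actually reviewed. The page does not mark old and new sides, so this assumes the `deisci` image line and the pull policy are the new ones. The new `minio-ssl` volume is mounted `readOnly: true` like the other two secrets, which is the right default to keep.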
Expand Up @@ -7,7 +7,7 @@ type: Opaque
data:
# generated by make ssl-cert
access-cert: |
ACCESS_CERT
{{.AccessCert}}
# generated by make ssl-cert
access-pem: |
ACCESS_PEM
{{.AccessPem}}