From 952f3b1a3b0c477f4d799ecbb7a6ce6f1e9a0eaa Mon Sep 17 00:00:00 2001
From: Gyuho Lee
Date: Fri, 1 Dec 2017 15:54:19 -0800
Subject: [PATCH 1/2] hack/scripts-dev/docker-dns-srv: add "certs-gateway" test case
Signed-off-by: Gyuho Lee
---
 .../docker-dns-srv/certs-gateway/Procfile | 7 +++
 .../docker-dns-srv/certs-gateway/ca-csr.json | 19 ++++++++
 .../docker-dns-srv/certs-gateway/ca.crt | 22 +++++++++
 .../docker-dns-srv/certs-gateway/gencert.json | 13 +++++
 .../docker-dns-srv/certs-gateway/gencerts.sh | 26 ++++++++++
 .../docker-dns-srv/certs-gateway/run.sh | 47 +++++++++++++++++++
 .../certs-gateway/server-ca-csr.json | 23 +++++++++
 .../docker-dns-srv/certs-gateway/server.crt | 25 ++++++++++
 .../certs-gateway/server.key.insecure | 27 +++++++++++
 9 files changed, 209 insertions(+)
 create mode 100644 hack/scripts-dev/docker-dns-srv/certs-gateway/Procfile
 create mode 100644 hack/scripts-dev/docker-dns-srv/certs-gateway/ca-csr.json
 create mode 100644 hack/scripts-dev/docker-dns-srv/certs-gateway/ca.crt
 create mode 100644 hack/scripts-dev/docker-dns-srv/certs-gateway/gencert.json
 create mode 100755 hack/scripts-dev/docker-dns-srv/certs-gateway/gencerts.sh
 create mode 100755 hack/scripts-dev/docker-dns-srv/certs-gateway/run.sh
 create mode 100644 hack/scripts-dev/docker-dns-srv/certs-gateway/server-ca-csr.json
 create mode 100644 hack/scripts-dev/docker-dns-srv/certs-gateway/server.crt
 create mode 100644 hack/scripts-dev/docker-dns-srv/certs-gateway/server.key.insecure
diff --git a/hack/scripts-dev/docker-dns-srv/certs-gateway/Procfile b/hack/scripts-dev/docker-dns-srv/certs-gateway/Procfile
new file mode 100644
index 000000000..7c5d07e28
--- /dev/null
+++ b/hack/scripts-dev/docker-dns-srv/certs-gateway/Procfile
@@ -0,0 +1,7 @@
+etcd1: ./etcd --name m1 --data-dir /tmp/m1.data --listen-client-urls https://127.0.0.1:2379 --advertise-client-urls https://m1.etcd.local:2379 --listen-peer-urls https://127.0.0.1:2380 --initial-advertise-peer-urls=https://m1.etcd.local:2380 --initial-cluster-token tkn --discovery-srv=etcd.local --initial-cluster-state new --peer-cert-file=/certs-gateway/server.crt --peer-key-file=/certs-gateway/server.key.insecure --peer-trusted-ca-file=/certs-gateway/ca.crt --peer-client-cert-auth --cert-file=/certs-gateway/server.crt --key-file=/certs-gateway/server.key.insecure --trusted-ca-file=/certs-gateway/ca.crt --client-cert-auth
+
+etcd2: ./etcd --name m2 --data-dir /tmp/m2.data --listen-client-urls https://127.0.0.1:22379 --advertise-client-urls https://m2.etcd.local:22379 --listen-peer-urls https://127.0.0.1:22380 --initial-advertise-peer-urls=https://m2.etcd.local:22380 --initial-cluster-token tkn --discovery-srv=etcd.local --initial-cluster-state new --peer-cert-file=/certs-gateway/server.crt --peer-key-file=/certs-gateway/server.key.insecure --peer-trusted-ca-file=/certs-gateway/ca.crt --peer-client-cert-auth --cert-file=/certs-gateway/server.crt --key-file=/certs-gateway/server.key.insecure --trusted-ca-file=/certs-gateway/ca.crt --client-cert-auth
+
+etcd3: ./etcd --name m3 --data-dir /tmp/m3.data --listen-client-urls https://127.0.0.1:32379 --advertise-client-urls https://m3.etcd.local:32379 --listen-peer-urls https://127.0.0.1:32380 --initial-advertise-peer-urls=https://m3.etcd.local:32380 --initial-cluster-token tkn --discovery-srv=etcd.local --initial-cluster-state new --peer-cert-file=/certs-gateway/server.crt --peer-key-file=/certs-gateway/server.key.insecure --peer-trusted-ca-file=/certs-gateway/ca.crt --peer-client-cert-auth --cert-file=/certs-gateway/server.crt --key-file=/certs-gateway/server.key.insecure --trusted-ca-file=/certs-gateway/ca.crt --client-cert-auth
+
+gateway: ./etcd gateway start --discovery-srv etcd.local --trusted-ca-file /certs-gateway/ca.crt --listen-addr 127.0.0.1:23790
diff --git a/hack/scripts-dev/docker-dns-srv/certs-gateway/ca-csr.json b/hack/scripts-dev/docker-dns-srv/certs-gateway/ca-csr.json
new file mode 100644
index 000000000..ecafabaad
--- /dev/null
+++ b/hack/scripts-dev/docker-dns-srv/certs-gateway/ca-csr.json
@@ -0,0 +1,19 @@
+{
+ "key": {
+ "algo": "rsa",
+ "size": 2048
+ },
+ "names": [
+ {
+ "O": "etcd",
+ "OU": "etcd Security",
+ "L": "San Francisco",
+ "ST": "California",
+ "C": "USA"
+ }
+ ],
+ "CN": "ca",
+ "ca": {
+ "expiry": "87600h"
+ }
+}
diff --git a/hack/scripts-dev/docker-dns-srv/certs-gateway/ca.crt b/hack/scripts-dev/docker-dns-srv/certs-gateway/ca.crt
new file mode 100644
index 000000000..19b26c455
--- /dev/null
+++ b/hack/scripts-dev/docker-dns-srv/certs-gateway/ca.crt
@@ -0,0 +1,22 @@
+-----BEGIN CERTIFICATE-----
+MIIDsTCCApmgAwIBAgIUbQA3lX1hcR1W8D5wmmAwaLp4AWQwDQYJKoZIhvcNAQEL
+BQAwbzEMMAoGA1UEBhMDVVNBMRMwEQYDVQQIEwpDYWxpZm9ybmlhMRYwFAYDVQQH
+Ew1TYW4gRnJhbmNpc2NvMQ0wCwYDVQQKEwRldGNkMRYwFAYDVQQLEw1ldGNkIFNl
+Y3VyaXR5MQswCQYDVQQDEwJjYTAeFw0xNzEyMDExOTI5MDBaFw0yNzExMjkxOTI5
+MDBaMG8xDDAKBgNVBAYTA1VTQTETMBEGA1UECBMKQ2FsaWZvcm5pYTEWMBQGA1UE
+BxMNU2FuIEZyYW5jaXNjbzENMAsGA1UEChMEZXRjZDEWMBQGA1UECxMNZXRjZCBT
+ZWN1cml0eTELMAkGA1UEAxMCY2EwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEK
+AoIBAQDdZjG+dJixdUuZLIlPVE/qvqNqbgIQy3Hrgq9OlPevLu3FAKIgTHoSKugq
+jOuBjzAtmbGTky3PPmkjWrOUWKEUYMuJJzXA1fO2NALXle47NVyVVfuwCmDnaAAL
+Sw4QTZKREoe3EwswbeYguQinCqazRwbXMzzfypIfaHAyGrqFCq12IvarrjfDcamm
+egtPkxNNdj1QHbkeYXcp76LOSBRjD2B3bzZvyVv/wPORaGTFXQ0feGz/93/Y/E0z
+BL5TdZ84qmgKxW04hxkhhuuxsL5zDNpbXcGm//Zw9qzO/AvtEux6ag9t0JziiEtj
+zLz5M7yXivfG4oxEeLKTieS/1ZkbAgMBAAGjRTBDMA4GA1UdDwEB/wQEAwIBBjAS
+BgNVHRMBAf8ECDAGAQH/AgECMB0GA1UdDgQWBBR7XtZP3fc6ElgHl6hdSHLmrFWj
+MzANBgkqhkiG9w0BAQsFAAOCAQEAPy3ol3CPyFxuWD0IGKde26p1mT8cdoaeRbOa
+2Z3GMuRrY2ojaKMfXuroOi+5ZbR9RSvVXhVX5tEMOSy81tb5OGPZP24Eroh4CUfK
+bw7dOeBNCm9tcmHkV+5frJwOgjN2ja8W8jBlV1flLx+Jpyk2PSGun5tQPsDlqzor
+E8QQ2FzCzxoGiEpB53t5gKeX+mH6gS1c5igJ5WfsEGXBC4xJm/u8/sg30uCGP6kT
+tCoQ8gnvGen2OqYJEfCIEk28/AZJvJ90TJFS3ExXJpyfImK9j5VcTohW+KvcX5xF
+W7M6KCGVBQtophobt3v/Zs4f11lWck9xVFCPGn9+LI1dbJUIIQ==
+-----END CERTIFICATE-----
diff --git a/hack/scripts-dev/docker-dns-srv/certs-gateway/gencert.json b/hack/scripts-dev/docker-dns-srv/certs-gateway/gencert.json
new file mode 100644
index 000000000..09b67267b
--- /dev/null
+++ b/hack/scripts-dev/docker-dns-srv/certs-gateway/gencert.json
@@ -0,0 +1,13 @@
+{
+ "signing": {
+ "default": {
+ "usages": [
+ "signing",
+ "key encipherment",
+ "server auth",
+ "client auth"
+ ],
+ "expiry": "87600h"
+ }
+ }
+}
diff --git a/hack/scripts-dev/docker-dns-srv/certs-gateway/gencerts.sh b/hack/scripts-dev/docker-dns-srv/certs-gateway/gencerts.sh
new file mode 100755
index 000000000..efc098f53
--- /dev/null
+++ b/hack/scripts-dev/docker-dns-srv/certs-gateway/gencerts.sh
@@ -0,0 +1,26 @@
+#!/bin/bash
+
+if ! [[ "$0" =~ "./gencerts.sh" ]]; then
+ echo "must be run from 'fixtures'"
+ exit 255
+fi
+
+if ! which cfssl; then
+ echo "cfssl is not installed"
+ exit 255
+fi
+
+cfssl gencert --initca=true ./ca-csr.json | cfssljson --bare ./ca
+mv ca.pem ca.crt
+openssl x509 -in ca.crt -noout -text
+
+# generate wildcard certificates DNS: *.etcd.local
+cfssl gencert \
+ --ca ./ca.crt \
+ --ca-key ./ca-key.pem \
+ --config ./gencert.json \
+ ./server-ca-csr.json | cfssljson --bare ./server
+mv server.pem server.crt
+mv server-key.pem server.key.insecure
+
+rm -f *.csr *.pem *.stderr *.txt
diff --git a/hack/scripts-dev/docker-dns-srv/certs-gateway/run.sh b/hack/scripts-dev/docker-dns-srv/certs-gateway/run.sh
new file mode 100755
index 000000000..ef4c1667c
--- /dev/null
+++ b/hack/scripts-dev/docker-dns-srv/certs-gateway/run.sh
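Review bot: The comment `# generate wildcard certificates DNS: *.etcd.local` and the guard message `echo "must be run from 'fixtures'"` look copied from a sibling script and do not describe this directory: server-ca-csr.json enumerates m1/m2/m3.etcd.local, etcd.local, 127.0.0.1 and localhost rather than a wildcard, and the script lives in certs-gateway, so `# generate server/client cert for m1-m3.etcd.local, etcd.local, 127.0.0.1 and localhost` and `echo "must be run from 'certs-gateway'"` would be accurate. The script sets neither `set -e` nor `pipefail`, so a failing `cfssl gencert` in either pipeline is masked and the following `mv` lines run against whatever is left on disk; `set -eo pipefail` after the shebang makes the first failed step fatal. The final `rm -f *.csr *.pem *.stderr *.txt` also discards ca-key.pem, which means server.crt cannot be re-issued under the checked-in ca.crt later — with the 87600h expiry in ca-csr.json and gencert.json, the CA and the server cert have to be regenerated together, which deserves a comment on that line.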
@@ -0,0 +1,47 @@
+#!/bin/sh
+rm -rf /tmp/m1.data /tmp/m2.data /tmp/m3.data
+
+/etc/init.d/bind9 start
+
+# get rid of hosts so go lookup won't resolve 127.0.0.1 to localhost
+cat /dev/null >/etc/hosts
+
+goreman -f /certs-gateway/Procfile start &
+
+# TODO: remove random sleeps
+sleep 7s
+
+ETCDCTL_API=3 ./etcdctl \
+ --cacert=/certs-gateway/ca.crt \
+ --cert=/certs-gateway/server.crt \
+ --key=/certs-gateway/server.key.insecure \
+ --discovery-srv etcd.local \
+ endpoint health --cluster
+
+ETCDCTL_API=3 ./etcdctl \
+ --cacert=/certs-gateway/ca.crt \
+ --cert=/certs-gateway/server.crt \
+ --key=/certs-gateway/server.key.insecure \
+ --discovery-srv etcd.local \
+ put abc def
+
+ETCDCTL_API=3 ./etcdctl \
+ --cacert=/certs-gateway/ca.crt \
+ --cert=/certs-gateway/server.crt \
+ --key=/certs-gateway/server.key.insecure \
+ --discovery-srv etcd.local \
+ get abc
+
+ETCDCTL_API=3 ./etcdctl \
+ --cacert=/certs-gateway/ca.crt \
+ --cert=/certs-gateway/server.crt \
+ --key=/certs-gateway/server.key.insecure \
+ --endpoints=127.0.0.1:23790 \
+ put ghi jkl
+
+ETCDCTL_API=3 ./etcdctl \
+ --cacert=/certs-gateway/ca.crt \
+ --cert=/certs-gateway/server.crt \
+ --key=/certs-gateway/server.key.insecure \
+ --endpoints=127.0.0.1:23790 \
+ get ghi
diff --git a/hack/scripts-dev/docker-dns-srv/certs-gateway/server-ca-csr.json b/hack/scripts-dev/docker-dns-srv/certs-gateway/server-ca-csr.json
new file mode 100644
index 000000000..72bd38082
--- /dev/null
+++ b/hack/scripts-dev/docker-dns-srv/certs-gateway/server-ca-csr.json
@@ -0,0 +1,23 @@
+{
+ "key": {
+ "algo": "rsa",
+ "size": 2048
+ },
+ "names": [
+ {
+ "O": "etcd",
+ "OU": "etcd Security",
+ "L": "San Francisco",
+ "ST": "California",
+ "C": "USA"
+ }
+ ],
+ "hosts": [
+ "m1.etcd.local",
+ "m2.etcd.local",
+ "m3.etcd.local",
+ "etcd.local",
+ "127.0.0.1",
+ "localhost"
+ ]
+}
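Review bot: run.sh has no `set -e`, so only the exit status of the final `etcdctl ... get ghi` reaches the Makefile target; a failing `endpoint health --cluster` or a failed `put abc def` over SRV discovery is printed and then ignored, and the test still passes. Adding `set -e` on the line after `#!/bin/sh` makes every etcdctl step fatal. The gateway path is also only checked against itself (`put ghi jkl` then `get ghi`, both via 127.0.0.1:23790); a `get abc` with `--endpoints=127.0.0.1:23790` would additionally show that the gateway forwards to the same cluster the SRV-discovered write went to. The `sleep 7s` is already marked TODO; a short retry loop around `endpoint health --cluster` would replace it and remove the timing dependency.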
diff --git a/hack/scripts-dev/docker-dns-srv/certs-gateway/server.crt b/hack/scripts-dev/docker-dns-srv/certs-gateway/server.crt new file mode 100644 index 000000000..ef591cc7c --- /dev/null +++ b/hack/scripts-dev/docker-dns-srv/certs-gateway/server.crt @@ -0,0 +1,25 @@ +-----BEGIN CERTIFICATE----- +MIIENTCCAx2gAwIBAgIUcviGEkA57QgUUFUIuB23kO/jHWIwDQYJKoZIhvcNAQEL +BQAwbzEMMAoGA1UEBhMDVVNBMRMwEQYDVQQIEwpDYWxpZm9ybmlhMRYwFAYDVQQH +Ew1TYW4gRnJhbmNpc2NvMQ0wCwYDVQQKEwRldGNkMRYwFAYDVQQLEw1ldGNkIFNl +Y3VyaXR5MQswCQYDVQQDEwJjYTAeFw0xNzEyMDExOTI5MDBaFw0yNzExMjkxOTI5 +MDBaMGIxDDAKBgNVBAYTA1VTQTETMBEGA1UECBMKQ2FsaWZvcm5pYTEWMBQGA1UE +BxMNU2FuIEZyYW5jaXNjbzENMAsGA1UEChMEZXRjZDEWMBQGA1UECxMNZXRjZCBT +ZWN1cml0eTCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAL6rB1Kh08Fo +FieWqzB4WvKxSFjLWlNfAXbSC1IEPEc/2JOSTF/VfsEX7Xf4eDlTUIZ/TpMS4nUE +Jn0rOIxDJWieQgF99a88CKCwVeqyiQ1iGlI/Ls78P7712QJ1QvcYPBRCvAFo2VLg +TSNhq4taRtAnP690TJVKMSxHg7qtMIpiBLc8ryNbtNUkQHl7/puiBZVVFwHQZm6d +ZRkfMqXWs4+VKLTx0pqJaM0oWVISQlLWQV83buVsuDVyLAZu2MjRYZwBj9gQwZDO +15VGvacjMU+l1+nLRuODrpGeGlxwfT57jqipbUtTsoZFsGxPdIWn14M6Pzw/mML4 +guYLKv3UqkkCAwEAAaOB1TCB0jAOBgNVHQ8BAf8EBAMCBaAwHQYDVR0lBBYwFAYI +KwYBBQUHAwEGCCsGAQUFBwMCMAwGA1UdEwEB/wQCMAAwHQYDVR0OBBYEFKYKYVPu +XPnZ2j0NORiNPUJpBnhkMB8GA1UdIwQYMBaAFHte1k/d9zoSWAeXqF1IcuasVaMz +MFMGA1UdEQRMMEqCDW0xLmV0Y2QubG9jYWyCDW0yLmV0Y2QubG9jYWyCDW0zLmV0 +Y2QubG9jYWyCCmV0Y2QubG9jYWyCCWxvY2FsaG9zdIcEfwAAATANBgkqhkiG9w0B +AQsFAAOCAQEAK40lD6Nx/V6CaShL95fQal7mFp/LXiyrlFTqCqrCruVnntwpukSx +I864bNMxVSTStEA3NM5V4mGuYjRvdjS65LBhaS1MQDPb4ofPj0vnxDOx6fryRIsB +wYKDuT4LSQ7pV/hBfL/bPb+itvb24G4/ECbduOprrywxmZskeEm/m0WqUb1A08Hv +6vDleyt382Wnxahq8txhMU+gNLTGVne60hhfLR+ePK7MJ4oyk3yeUxsmsnBkYaOu +gYOak5nWzRa09dLq6/vHQLt6n0AB0VurMAjshzO2rsbdOkD233sdkvKiYpayAyEf +Iu7S5vNjP9jiUgmws6G95wgJOd2xv54D4Q== +-----END CERTIFICATE----- 
diff --git a/hack/scripts-dev/docker-dns-srv/certs-gateway/server.key.insecure b/hack/scripts-dev/docker-dns-srv/certs-gateway/server.key.insecure new file mode 100644 index 000000000..623457b5d --- /dev/null +++ b/hack/scripts-dev/docker-dns-srv/certs-gateway/server.key.insecure @@ -0,0 +1,27 @@ +-----BEGIN RSA PRIVATE KEY----- +MIIEowIBAAKCAQEAvqsHUqHTwWgWJ5arMHha8rFIWMtaU18BdtILUgQ8Rz/Yk5JM +X9V+wRftd/h4OVNQhn9OkxLidQQmfSs4jEMlaJ5CAX31rzwIoLBV6rKJDWIaUj8u +zvw/vvXZAnVC9xg8FEK8AWjZUuBNI2Gri1pG0Cc/r3RMlUoxLEeDuq0wimIEtzyv +I1u01SRAeXv+m6IFlVUXAdBmbp1lGR8ypdazj5UotPHSmolozShZUhJCUtZBXzdu +5Wy4NXIsBm7YyNFhnAGP2BDBkM7XlUa9pyMxT6XX6ctG44OukZ4aXHB9PnuOqKlt +S1OyhkWwbE90hafXgzo/PD+YwviC5gsq/dSqSQIDAQABAoIBAEAOsb0fRUdbMuZG +BmmYZeXXjdjXKReNea5zzv3VEnNVjeu2YRZpYdZ5tXxy6+FGjm1BZCKhW5e4tz2i +QbNN88l8MezSZrJi1vs1gwgAx27JoNI1DALaWIhNjIT45HCjobuk2AkZMrpXRVM3 +wyxkPho8tXa6+efGL1MTC7yx5vb2dbhnEsjrPdUO0GLVP56bgrz7vRk+hE772uq2 +QDenZg+PcH+hOhptbY1h9CYotGWYXCpi0+yoHhsh5PTcEpyPmLWSkACsHovm3MIn +a5oU0uh28nVBfYE0Sk6I9XBERHVO/OrCvz4Y3ZbVyGpCdLcaMB5wI1P4a5ULV52+ +VPrALQkCgYEA+w85KYuL+eUjHeMqa8V8A9xgcl1+dvB8SXgfRRm5QTqxgetzurD9 +G7vgMex42nqgoW1XUx6i9roRk3Qn3D2NKvBJcpMohYcY3HcGkCsBwtNUCyOWKasS +Oj2q9LzPjVqTFII0zzarQ85XuuZyTRieFAMoYmsS8O/GcapKqYhPIDMCgYEAwmuR +ctnCNgoEj1NaLBSAcq7njONvYUFvbXO8BCyd1WeLZyz/krgXxuhQh9oXIccWAKX2 +uxIDaoWV8F5c8bNOkeebHzVHfaLpwl4IlLa/i5WTIc+IZmpBR0aiS021k/M3KkDg +KnQXAer6jEymT3lUL0AqZd+GX6DjFw61zPOFH5MCgYAnCiv6YN/IYTA/woZjMddi +Bk/dGNrEhgrdpdc++IwNL6JQsJtTaZhCSsnHGZ2FY9I8p/MPUtFGipKXGlXkcpHU +Hn9dWLLRaLud9MhJfNaORCxqewMrwZVZByPhYMbplS8P3lt16WtiZODRiGo3wN87 +/221OC8+1hpGrJNln3OmbwKBgDV8voEoY4PWcba0qcQix8vFTrK2B3hsNimYg4tq +cum5GOMDwDQvLWttkmotl9uVF/qJrj19ES+HHN8KNuvP9rexTj3hvI9V+JWepSG0 +vTG7rsTIgbAbX2Yqio/JC0Fu0ihvvLwxP/spGFDs7XxD1uNA9ekc+6znaFJ5m46N +GHy9AoGBAJmGEv5+rM3cucRyYYhE7vumXeCLXyAxxaf0f7+1mqRVO6uNGNGbNY6U +Heq6De4yc1VeAXUpkGQi/afPJNMU+fy8paCjFyzID1yLvdtFOG38KDbgMmj4t+cH +xTp2RT3MkcCWPq2+kXZeQjPdesPkzdB+nA8ckaSursV908n6AHcM +-----END RSA PRIVATE KEY----- 
From 49b411707740f4df10d763616d991ec98811c989 Mon Sep 17 00:00:00 2001
From: Gyuho Lee
Date: Fri, 1 Dec 2017 15:55:53 -0800
Subject: [PATCH 2/2] hack/scripts-dev: add "docker-dns-srv-test-certs-gateway-run" to Makefile
Signed-off-by: Gyuho Lee
---
 hack/scripts-dev/Makefile | 13 +++++++++++++
 1 file changed, 13 insertions(+)
diff --git a/hack/scripts-dev/Makefile b/hack/scripts-dev/Makefile
index 85211896d..6e4900ca2 100644
--- a/hack/scripts-dev/Makefile
+++ b/hack/scripts-dev/Makefile
@@ -228,6 +228,7 @@ docker-dns-test-certs-wildcard-run:
 # gsutil -m acl ch -u allUsers:R -r gs://artifacts.etcd-development.appspot.com
 # make pull-docker-dns-srv-test -f ./hack/scripts-dev/Makefile
 # make docker-dns-srv-test-certs-run -f ./hack/scripts-dev/Makefile
+# make docker-dns-srv-test-certs-gateway-run -f ./hack/scripts-dev/Makefile
 # make docker-dns-srv-test-certs-wildcard-run -f ./hack/scripts-dev/Makefile
 build-docker-dns-srv-test:
@@ -266,6 +267,18 @@ docker-dns-srv-test-certs-run:
 gcr.io/etcd-development/etcd-dns-srv-test:go$(_GO_VERSION) \
 /bin/bash -c "cd /etcd && /certs/run.sh && rm -rf m*.etcd"
+docker-dns-srv-test-certs-gateway-run:
+ $(info GO_VERSION: $(_GO_VERSION))
+ docker run \
+ --rm \
+ --tty \
+ --dns 127.0.0.1 \
+ --volume=`pwd`/bin:/etcd \
+ --volume=/tmp:/tmp \
+ --volume=`pwd`/hack/scripts-dev/docker-dns-srv/certs-gateway:/certs-gateway \
+ gcr.io/etcd-development/etcd-dns-srv-test:go$(_GO_VERSION) \
+ /bin/bash -c "cd /etcd && /certs-gateway/run.sh && rm -rf m*.etcd"
+
 docker-dns-srv-test-certs-wildcard-run:
 $(info GO_VERSION: $(_GO_VERSION))
 docker run \
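Review bot: `docker-dns-srv-test-certs-gateway-run` repeats the recipe of the `docker-dns-srv-test-certs-run` target above it verbatim except for the mounted directory and the run.sh path, so the three `docker-dns-srv-test-*-run` targets will drift independently; a canned recipe driven by a target-specific variable keeps them identical (sketch below, shown for the new target only). The target names a command rather than a file, so it belongs in `.PHONY` unless the file already declares that outside this hunk. The host `/tmp` is bind-mounted with `--volume=/tmp:/tmp` and run.sh removes `/tmp/m1.data`, `/tmp/m2.data` and `/tmp/m3.data` on start, so the member data directories and that `rm -rf` land in the host's /tmp; that is inherited from the sibling target, but a comment on the volume line, e.g. `# member data dirs live in host /tmp; run.sh wipes /tmp/m*.data`, would make it visible to whoever runs this locally.
```make
# Canned recipe shared by the docker-dns-srv-test-*-run targets.
# $(_CERTS_DIR) is the sub-directory of hack/scripts-dev/docker-dns-srv that is
# mounted at /$(_CERTS_DIR) in the container and whose run.sh drives the test.
define docker-dns-srv-test-run
	$(info GO_VERSION: $(_GO_VERSION))
	docker run \
	  --rm \
	  --tty \
	  --dns 127.0.0.1 \
	  --volume=`pwd`/bin:/etcd \
	  --volume=/tmp:/tmp \
	  --volume=`pwd`/hack/scripts-dev/docker-dns-srv/$(_CERTS_DIR):/$(_CERTS_DIR) \
	  gcr.io/etcd-development/etcd-dns-srv-test:go$(_GO_VERSION) \
	  /bin/bash -c "cd /etcd && /$(_CERTS_DIR)/run.sh && rm -rf m*.etcd"
endef

docker-dns-srv-test-certs-gateway-run: _CERTS_DIR := certs-gateway
docker-dns-srv-test-certs-gateway-run:
	$(docker-dns-srv-test-run)
```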