diff --git a/hack/benchmark/bench.sh b/hack/benchmark/bench.sh old mode 100644 new mode 100755 index 3955d9e6e..d72efd3e2 --- a/hack/benchmark/bench.sh +++ b/hack/benchmark/bench.sh @@ -1,8 +1,8 @@ #!/bin/bash -e -leader=http://10.240.201.15:2379 +leader=http://localhost:2379 # assume three servers -servers=( http://10.240.201.15:2379 http://10.240.212.209:2379 http://10.240.95.3:2379 ) +servers=( http://localhost:2379 http://localhost:22379 http://localhost:32379 ) keyarray=( 64 256 ) diff --git a/hack/scripts-dev/Makefile b/hack/scripts-dev/Makefile index 1942da97d..c9450a4c9 100644 --- a/hack/scripts-dev/Makefile +++ b/hack/scripts-dev/Makefile @@ -1,8 +1,13 @@ # run from repository root -# + + + # Example: -# make clean -f ./hack/scripts-dev/Makefile # make build -f ./hack/scripts-dev/Makefile +# make clean -f ./hack/scripts-dev/Makefile +# make clean-docker -f ./hack/scripts-dev/Makefile +# make restart-docker -f ./hack/scripts-dev/Makefile +# make delete-docker-images -f ./hack/scripts-dev/Makefile .PHONY: build build: 
@@ -23,45 +28,85 @@ clean: rm -f ./clientv3/integration/127.0.0.1:* ./clientv3/integration/localhost:* rm -f ./clientv3/ordering/127.0.0.1:* ./clientv3/ordering/localhost:* -_GO_VERSION = 1.9.2 -ifdef GO_VERSION - _GO_VERSION = $(GO_VERSION) +clean-docker: + docker images + docker image prune --force + +restart-docker: + service docker restart + +delete-docker-images: + docker rm --force $(docker ps -a -q) || true + docker rmi --force $(docker images -q) || true + + + +GO_VERSION ?= 1.10 +ETCD_VERSION ?= $(shell git rev-parse --short HEAD || echo "GitNotFound") + +TEST_SUFFIX = $(shell date +%s | base64 | head -c 15) +TEST_OPTS ?= PASSES='unit' + +TMP_DIR_MOUNT_FLAG = --mount type=tmpfs,destination=/tmp +ifdef HOST_TMP_DIR + TMP_DIR_MOUNT_FLAG = --mount type=bind,source=$(HOST_TMP_DIR),destination=/tmp endif + + # Example: -# GO_VERSION=1.8.5 make build-docker-test -f ./hack/scripts-dev/Makefile +# GO_VERSION=1.8.7 make build-docker-test -f ./hack/scripts-dev/Makefile # make build-docker-test -f ./hack/scripts-dev/Makefile # gcloud docker -- login -u _json_key -p "$(cat /etc/gcp-key-etcd-development.json)" https://gcr.io -# GO_VERSION=1.8.5 make push-docker-test -f ./hack/scripts-dev/Makefile +# GO_VERSION=1.8.7 make push-docker-test -f ./hack/scripts-dev/Makefile # make push-docker-test -f ./hack/scripts-dev/Makefile # gsutil -m acl ch -u allUsers:R -r gs://artifacts.etcd-development.appspot.com -# GO_VERSION=1.8.5 make pull-docker-test -f ./hack/scripts-dev/Makefile +# GO_VERSION=1.8.7 make pull-docker-test -f ./hack/scripts-dev/Makefile # make pull-docker-test -f ./hack/scripts-dev/Makefile build-docker-test: - $(info GO_VERSION: $(_GO_VERSION)) - @cat ./Dockerfile-test | sed s/REPLACE_ME_GO_VERSION/$(_GO_VERSION)/ \ - > ./.Dockerfile-test + $(info GO_VERSION: $(GO_VERSION)) + @sed -i.bak 's|REPLACE_ME_GO_VERSION|$(GO_VERSION)|g' ./Dockerfile-test docker build \ - --tag gcr.io/etcd-development/etcd-test:go$(_GO_VERSION) \ - --file ./.Dockerfile-test . 
+ --tag gcr.io/etcd-development/etcd-test:go$(GO_VERSION) \ + --file ./Dockerfile-test . + @mv ./Dockerfile-test.bak ./Dockerfile-test push-docker-test: - $(info GO_VERSION: $(_GO_VERSION)) - gcloud docker -- push gcr.io/etcd-development/etcd-test:go$(_GO_VERSION) + $(info GO_VERSION: $(GO_VERSION)) + gcloud docker -- push gcr.io/etcd-development/etcd-test:go$(GO_VERSION) pull-docker-test: - $(info GO_VERSION: $(_GO_VERSION)) - docker pull gcr.io/etcd-development/etcd-test:go$(_GO_VERSION) + $(info GO_VERSION: $(GO_VERSION)) + docker pull gcr.io/etcd-development/etcd-test:go$(GO_VERSION) + + + +# Example: +# make build-docker-test -f ./hack/scripts-dev/Makefile +# make compile-with-docker-test -f ./hack/scripts-dev/Makefile +# make compile-setup-gopath-with-docker-test -f ./hack/scripts-dev/Makefile compile-with-docker-test: - $(info GO_VERSION: $(_GO_VERSION)) + $(info GO_VERSION: $(GO_VERSION)) docker run \ --rm \ - --volume=`pwd`/:/etcd \ - gcr.io/etcd-development/etcd-test:go$(_GO_VERSION) \ - /bin/bash -c "cd /etcd && GO_BUILD_FLAGS=-v ./build && ./bin/etcd --version" + --mount type=bind,source=`pwd`,destination=/go/src/github.com/coreos/etcd \ + gcr.io/etcd-development/etcd-test:go$(GO_VERSION) \ + /bin/bash -c "GO_BUILD_FLAGS=-v ./build && ./bin/etcd --version" +compile-setup-gopath-with-docker-test: + $(info GO_VERSION: $(GO_VERSION)) + docker run \ + --rm \ + --mount type=bind,source=`pwd`,destination=/etcd \ + gcr.io/etcd-development/etcd-test:go$(GO_VERSION) \ + /bin/bash -c "cd /etcd && ETCD_SETUP_GOPATH=1 GO_BUILD_FLAGS=-v ./build && ./bin/etcd --version && rm -rf ./gopath" + + + +# Example: +# # Local machine: # TEST_OPTS="PASSES='fmt'" make test -f ./hack/scripts-dev/Makefile # TEST_OPTS="PASSES='fmt bom dep compile build unit'" make test -f ./hack/scripts-dev/Makefile 
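Review bot: In `delete-docker-images`, make itself expands `$(docker ps -a -q)` and `$(docker images -q)` as undefined variable references, so the shell runs `docker rm --force` and `docker rmi --force` with no arguments and `|| true` hides the error; the substitutions need a doubled dollar sign, as in `docker rm --force $$(docker ps -a -q) || true`. A second point in this hunk: `build-docker-test` now edits the tracked `./Dockerfile-test` in place with `sed -i.bak` and restores it only after `docker build` succeeds. A failed build therefore leaves the substituted file behind, and the next run overwrites the `.bak` with it, losing the `REPLACE_ME_GO_VERSION` placeholder. The later hunks repeat this in `build-docker-static-ip-test`, `build-docker-dns-test`, `build-docker-dns-srv-test` and `build-docker-functional-tester`. Writing the substituted copy to a separate file, as the removed lines did, keeps the template intact on failure.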
@@ -78,76 +123,132 @@ compile-with-docker-test: # # Semaphore CI (test with docker): # TEST_OPTS="RELEASE_TEST=y INTEGRATION=y PASSES='build unit release integration_e2e functional'" make docker-test -f ./hack/scripts-dev/Makefile +# HOST_TMP_DIR=/tmp TEST_OPTS="RELEASE_TEST=y INTEGRATION=y PASSES='build unit release integration_e2e functional'" make docker-test -f ./hack/scripts-dev/Makefile # TEST_OPTS="GOARCH=386 PASSES='build unit integration_e2e'" make docker-test -f ./hack/scripts-dev/Makefile # # grpc-proxy tests (test with docker): # TEST_OPTS="PASSES='build grpcproxy'" make docker-test -f ./hack/scripts-dev/Makefile - -TEST_SUFFIX = $(shell date +%s | base64 | head -c 15) - -_TEST_OPTS = "PASSES='unit'" -ifdef TEST_OPTS - _TEST_OPTS = $(TEST_OPTS) -endif +# HOST_TMP_DIR=/tmp TEST_OPTS="PASSES='build grpcproxy'" make docker-test -f ./hack/scripts-dev/Makefile .PHONY: test test: - $(info TEST_OPTS: $(_TEST_OPTS)) + $(info TEST_OPTS: $(TEST_OPTS)) $(info log-file: test-$(TEST_SUFFIX).log) - $(_TEST_OPTS) ./test 2>&1 | tee test-$(TEST_SUFFIX).log - ! egrep "(--- FAIL:|panic: test timed out|appears to have leaked|Too many goroutines)" -B50 -A10 test-$(TEST_SUFFIX).log + $(TEST_OPTS) ./test 2>&1 | tee test-$(TEST_SUFFIX).log + ! egrep "(--- FAIL:|panic: test timed out|appears to have leaked)" -B50 -A10 test-$(TEST_SUFFIX).log docker-test: - $(info GO_VERSION: $(_GO_VERSION)) - $(info TEST_OPTS: $(_TEST_OPTS)) + $(info GO_VERSION: $(GO_VERSION)) + $(info ETCD_VERSION: $(ETCD_VERSION)) + $(info TEST_OPTS: $(TEST_OPTS)) $(info log-file: test-$(TEST_SUFFIX).log) + $(info HOST_TMP_DIR: $(HOST_TMP_DIR)) + $(info TMP_DIR_MOUNT_FLAG: $(TMP_DIR_MOUNT_FLAG)) docker run \ --rm \ - --volume=/tmp:/tmp \ - --volume=`pwd`:/go/src/github.com/coreos/etcd \ - gcr.io/etcd-development/etcd-test:go$(_GO_VERSION) \ - /bin/bash -c "$(_TEST_OPTS) ./test 2>&1 | tee test-$(TEST_SUFFIX).log" - ! 
egrep "(--- FAIL:|panic: test timed out|appears to have leaked|Too many goroutines)" -B50 -A10 test-$(TEST_SUFFIX).log + $(TMP_DIR_MOUNT_FLAG) \ + --mount type=bind,source=`pwd`,destination=/go/src/github.com/coreos/etcd \ + gcr.io/etcd-development/etcd-test:go$(GO_VERSION) \ + /bin/bash -c "$(TEST_OPTS) ./test 2>&1 | tee test-$(TEST_SUFFIX).log" + ! egrep "(--- FAIL:|panic: test timed out|appears to have leaked)" -B50 -A10 test-$(TEST_SUFFIX).log docker-test-coverage: - $(info GO_VERSION: $(_GO_VERSION)) + $(info GO_VERSION: $(GO_VERSION)) + $(info ETCD_VERSION: $(ETCD_VERSION)) $(info log-file: docker-test-coverage-$(TEST_SUFFIX).log) + $(info HOST_TMP_DIR: $(HOST_TMP_DIR)) + $(info TMP_DIR_MOUNT_FLAG: $(TMP_DIR_MOUNT_FLAG)) docker run \ --rm \ - --volume=/tmp:/tmp \ - --volume=`pwd`:/go/src/github.com/coreos/etcd \ - gcr.io/etcd-development/etcd-test:go$(_GO_VERSION) \ + $(TMP_DIR_MOUNT_FLAG) \ + --mount type=bind,source=`pwd`,destination=/go/src/github.com/coreos/etcd \ + gcr.io/etcd-development/etcd-test:go$(GO_VERSION) \ /bin/bash -c "COVERDIR=covdir PASSES='build build_cov cov' ./test 2>&1 | tee docker-test-coverage-$(TEST_SUFFIX).log && /codecov -t 6040de41-c073-4d6f-bbf8-d89256ef31e1" - ! egrep "(--- FAIL:|panic: test timed out|appears to have leaked|Too many goroutines)" -B50 -A10 docker-test-coverage-$(TEST_SUFFIX).log + ! 
egrep "(--- FAIL:|panic: test timed out|appears to have leaked)" -B50 -A10 docker-test-coverage-$(TEST_SUFFIX).log + -# build release container image with Linux -_ETCD_VERSION ?= $(shell git rev-parse --short HEAD || echo "GitNotFound") -ifdef ETCD_VERSION - _ETCD_VERSION = $(ETCD_VERSION) -endif # Example: -# ETCD_VERSION=v3.3.0-test.0 make build-docker-release-master -f ./hack/scripts-dev/Makefile -# ETCD_VERSION=v3.3.0-test.0 make push-docker-release-master -f ./hack/scripts-dev/Makefile +# make compile-with-docker-test -f ./hack/scripts-dev/Makefile +# ETCD_VERSION=v3-test make build-docker-release-master -f ./hack/scripts-dev/Makefile +# ETCD_VERSION=v3-test make push-docker-release-master -f ./hack/scripts-dev/Makefile # gsutil -m acl ch -u allUsers:R -r gs://artifacts.etcd-development.appspot.com -build-docker-release-master: compile-with-docker-test - $(info ETCD_VERSION: $(_ETCD_VERSION)) +build-docker-release-master: + $(info ETCD_VERSION: $(ETCD_VERSION)) cp ./Dockerfile-release ./bin/Dockerfile-release docker build \ - --tag gcr.io/etcd-development/etcd:$(_ETCD_VERSION) \ + --tag gcr.io/etcd-development/etcd:$(ETCD_VERSION) \ --file ./bin/Dockerfile-release \ ./bin rm -f ./bin/Dockerfile-release docker run \ --rm \ - gcr.io/etcd-development/etcd:$(_ETCD_VERSION) \ + gcr.io/etcd-development/etcd:$(ETCD_VERSION) \ /bin/sh -c "/usr/local/bin/etcd --version && ETCDCTL_API=3 /usr/local/bin/etcdctl version" push-docker-release-master: - $(info ETCD_VERSION: $(_ETCD_VERSION)) - gcloud docker -- push gcr.io/etcd-development/etcd:$(_ETCD_VERSION) + $(info ETCD_VERSION: $(ETCD_VERSION)) + gcloud docker -- push gcr.io/etcd-development/etcd:$(ETCD_VERSION) + + + +# Example: +# make build-docker-test -f ./hack/scripts-dev/Makefile +# make compile-with-docker-test -f ./hack/scripts-dev/Makefile +# make build-docker-static-ip-test -f ./hack/scripts-dev/Makefile +# gcloud docker -- login -u _json_key -p "$(cat /etc/gcp-key-etcd-development.json)" https://gcr.io +# make 
push-docker-static-ip-test -f ./hack/scripts-dev/Makefile +# gsutil -m acl ch -u allUsers:R -r gs://artifacts.etcd-development.appspot.com +# make pull-docker-static-ip-test -f ./hack/scripts-dev/Makefile +# make docker-static-ip-test-certs-run -f ./hack/scripts-dev/Makefile +# make docker-static-ip-test-certs-metrics-proxy-run -f ./hack/scripts-dev/Makefile + +build-docker-static-ip-test: + $(info GO_VERSION: $(GO_VERSION)) + @sed -i.bak 's|REPLACE_ME_GO_VERSION|$(GO_VERSION)|g' ./hack/scripts-dev/docker-static-ip/Dockerfile + docker build \ + --tag gcr.io/etcd-development/etcd-static-ip-test:go$(GO_VERSION) \ + --file ./hack/scripts-dev/docker-static-ip/Dockerfile \ + ./hack/scripts-dev/docker-static-ip + @mv ./hack/scripts-dev/docker-static-ip/Dockerfile.bak ./hack/scripts-dev/docker-static-ip/Dockerfile + +push-docker-static-ip-test: + $(info GO_VERSION: $(GO_VERSION)) + gcloud docker -- push gcr.io/etcd-development/etcd-static-ip-test:go$(GO_VERSION) + +pull-docker-static-ip-test: + $(info GO_VERSION: $(GO_VERSION)) + docker pull gcr.io/etcd-development/etcd-static-ip-test:go$(GO_VERSION) + +docker-static-ip-test-certs-run: + $(info GO_VERSION: $(GO_VERSION)) + $(info HOST_TMP_DIR: $(HOST_TMP_DIR)) + $(info TMP_DIR_MOUNT_FLAG: $(TMP_DIR_MOUNT_FLAG)) + docker run \ + --rm \ + --tty \ + $(TMP_DIR_MOUNT_FLAG) \ + --mount type=bind,source=`pwd`/bin,destination=/etcd \ + --mount type=bind,source=`pwd`/hack/scripts-dev/docker-static-ip/certs,destination=/certs \ + gcr.io/etcd-development/etcd-static-ip-test:go$(GO_VERSION) \ + /bin/bash -c "cd /etcd && /certs/run.sh && rm -rf m*.etcd" + +docker-static-ip-test-certs-metrics-proxy-run: + $(info GO_VERSION: $(GO_VERSION)) + $(info HOST_TMP_DIR: $(HOST_TMP_DIR)) + $(info TMP_DIR_MOUNT_FLAG: $(TMP_DIR_MOUNT_FLAG)) + docker run \ + --rm \ + --tty \ + $(TMP_DIR_MOUNT_FLAG) \ + --mount type=bind,source=`pwd`/bin,destination=/etcd \ + --mount 
type=bind,source=`pwd`/hack/scripts-dev/docker-static-ip/certs-metrics-proxy,destination=/certs-metrics-proxy \ + gcr.io/etcd-development/etcd-static-ip-test:go$(GO_VERSION) \ + /bin/bash -c "cd /etcd && /certs-metrics-proxy/run.sh && rm -rf m*.etcd" + + # Example: # make build-docker-test -f ./hack/scripts-dev/Makefile 
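Review bot: In `docker-test` and `docker-test-coverage` the container command pipes `./test` into `tee`, so the exit status `docker run` sees is tee's. The only failure signal left is the `egrep` line, which this hunk narrows by dropping `Too many goroutines`. A failure that prints none of the three remaining patterns would go unnoticed, and in `docker-test-coverage` the `&& /codecov ...` upload would still run. These commands already run under `/bin/bash -c`, so prefixing them with `set -o pipefail;` would carry the test's status through, e.g. `/bin/bash -c "set -o pipefail; $(TEST_OPTS) ./test 2>&1 | tee test-$(TEST_SUFFIX).log"`. The local `test` target has the same pipe but runs under make's default shell, so it would need its own fix.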
@@ -157,70 +258,122 @@ push-docker-release-master: # make push-docker-dns-test -f ./hack/scripts-dev/Makefile # gsutil -m acl ch -u allUsers:R -r gs://artifacts.etcd-development.appspot.com # make pull-docker-dns-test -f ./hack/scripts-dev/Makefile +# make docker-dns-test-insecure-run -f ./hack/scripts-dev/Makefile # make docker-dns-test-certs-run -f ./hack/scripts-dev/Makefile # make docker-dns-test-certs-gateway-run -f ./hack/scripts-dev/Makefile # make docker-dns-test-certs-wildcard-run -f ./hack/scripts-dev/Makefile +# make docker-dns-test-certs-common-name-auth-run -f ./hack/scripts-dev/Makefile +# make docker-dns-test-certs-common-name-multi-run -f ./hack/scripts-dev/Makefile build-docker-dns-test: - $(info GO_VERSION: $(_GO_VERSION)) - @cat ./hack/scripts-dev/docker-dns/Dockerfile | sed s/REPLACE_ME_GO_VERSION/$(_GO_VERSION)/ \ - > ./hack/scripts-dev/docker-dns/.Dockerfile - + $(info GO_VERSION: $(GO_VERSION)) + @sed -i.bak 's|REPLACE_ME_GO_VERSION|$(GO_VERSION)|g' ./hack/scripts-dev/docker-dns/Dockerfile docker build \ - --tag gcr.io/etcd-development/etcd-dns-test:go$(_GO_VERSION) \ - --file ./hack/scripts-dev/docker-dns/.Dockerfile \ + --tag gcr.io/etcd-development/etcd-dns-test:go$(GO_VERSION) \ + --file ./hack/scripts-dev/docker-dns/Dockerfile \ ./hack/scripts-dev/docker-dns + @mv ./hack/scripts-dev/docker-dns/Dockerfile.bak ./hack/scripts-dev/docker-dns/Dockerfile docker run \ --rm \ --dns 127.0.0.1 \ - gcr.io/etcd-development/etcd-dns-test:go$(_GO_VERSION) \ + gcr.io/etcd-development/etcd-dns-test:go$(GO_VERSION) \ /bin/bash -c "/etc/init.d/bind9 start && cat /dev/null >/etc/hosts && dig etcd.local" push-docker-dns-test: - $(info GO_VERSION: $(_GO_VERSION)) - gcloud docker -- push gcr.io/etcd-development/etcd-dns-test:go$(_GO_VERSION) + $(info GO_VERSION: $(GO_VERSION)) + gcloud docker -- push gcr.io/etcd-development/etcd-dns-test:go$(GO_VERSION) pull-docker-dns-test: - $(info GO_VERSION: $(_GO_VERSION)) - docker pull 
gcr.io/etcd-development/etcd-dns-test:go$(_GO_VERSION) + $(info GO_VERSION: $(GO_VERSION)) + docker pull gcr.io/etcd-development/etcd-dns-test:go$(GO_VERSION) -docker-dns-test-certs-run: - $(info GO_VERSION: $(_GO_VERSION)) +docker-dns-test-insecure-run: + $(info GO_VERSION: $(GO_VERSION)) + $(info HOST_TMP_DIR: $(HOST_TMP_DIR)) + $(info TMP_DIR_MOUNT_FLAG: $(TMP_DIR_MOUNT_FLAG)) docker run \ --rm \ --tty \ --dns 127.0.0.1 \ - --volume=/tmp:/tmp \ - --volume=`pwd`/bin:/etcd \ - --volume=`pwd`/hack/scripts-dev/docker-dns/certs:/certs \ - gcr.io/etcd-development/etcd-dns-test:go$(_GO_VERSION) \ + $(TMP_DIR_MOUNT_FLAG) \ + --mount type=bind,source=`pwd`/bin,destination=/etcd \ + --mount type=bind,source=`pwd`/hack/scripts-dev/docker-dns/insecure,destination=/insecure \ + gcr.io/etcd-development/etcd-dns-test:go$(GO_VERSION) \ + /bin/bash -c "cd /etcd && /insecure/run.sh && rm -rf m*.etcd" + +docker-dns-test-certs-run: + $(info GO_VERSION: $(GO_VERSION)) + $(info HOST_TMP_DIR: $(HOST_TMP_DIR)) + $(info TMP_DIR_MOUNT_FLAG: $(TMP_DIR_MOUNT_FLAG)) + docker run \ + --rm \ + --tty \ + --dns 127.0.0.1 \ + $(TMP_DIR_MOUNT_FLAG) \ + --mount type=bind,source=`pwd`/bin,destination=/etcd \ + --mount type=bind,source=`pwd`/hack/scripts-dev/docker-dns/certs,destination=/certs \ + gcr.io/etcd-development/etcd-dns-test:go$(GO_VERSION) \ /bin/bash -c "cd /etcd && /certs/run.sh && rm -rf m*.etcd" docker-dns-test-certs-gateway-run: - $(info GO_VERSION: $(_GO_VERSION)) + $(info GO_VERSION: $(GO_VERSION)) + $(info HOST_TMP_DIR: $(HOST_TMP_DIR)) + $(info TMP_DIR_MOUNT_FLAG: $(TMP_DIR_MOUNT_FLAG)) docker run \ --rm \ --tty \ --dns 127.0.0.1 \ - --volume=/tmp:/tmp \ - --volume=`pwd`/bin:/etcd \ - --volume=`pwd`/hack/scripts-dev/docker-dns/certs-gateway:/certs-gateway \ - gcr.io/etcd-development/etcd-dns-test:go$(_GO_VERSION) \ + $(TMP_DIR_MOUNT_FLAG) \ + --mount type=bind,source=`pwd`/bin,destination=/etcd \ + --mount 
type=bind,source=`pwd`/hack/scripts-dev/docker-dns/certs-gateway,destination=/certs-gateway \ + gcr.io/etcd-development/etcd-dns-test:go$(GO_VERSION) \ /bin/bash -c "cd /etcd && /certs-gateway/run.sh && rm -rf m*.etcd" docker-dns-test-certs-wildcard-run: - $(info GO_VERSION: $(_GO_VERSION)) + $(info GO_VERSION: $(GO_VERSION)) + $(info HOST_TMP_DIR: $(HOST_TMP_DIR)) + $(info TMP_DIR_MOUNT_FLAG: $(TMP_DIR_MOUNT_FLAG)) docker run \ --rm \ --tty \ --dns 127.0.0.1 \ - --volume=/tmp:/tmp \ - --volume=`pwd`/bin:/etcd \ - --volume=`pwd`/hack/scripts-dev/docker-dns/certs-wildcard:/certs-wildcard \ - gcr.io/etcd-development/etcd-dns-test:go$(_GO_VERSION) \ + $(TMP_DIR_MOUNT_FLAG) \ + --mount type=bind,source=`pwd`/bin,destination=/etcd \ + --mount type=bind,source=`pwd`/hack/scripts-dev/docker-dns/certs-wildcard,destination=/certs-wildcard \ + gcr.io/etcd-development/etcd-dns-test:go$(GO_VERSION) \ /bin/bash -c "cd /etcd && /certs-wildcard/run.sh && rm -rf m*.etcd" +docker-dns-test-certs-common-name-auth-run: + $(info GO_VERSION: $(GO_VERSION)) + $(info HOST_TMP_DIR: $(HOST_TMP_DIR)) + $(info TMP_DIR_MOUNT_FLAG: $(TMP_DIR_MOUNT_FLAG)) + docker run \ + --rm \ + --tty \ + --dns 127.0.0.1 \ + $(TMP_DIR_MOUNT_FLAG) \ + --mount type=bind,source=`pwd`/bin,destination=/etcd \ + --mount type=bind,source=`pwd`/hack/scripts-dev/docker-dns/certs-common-name-auth,destination=/certs-common-name-auth \ + gcr.io/etcd-development/etcd-dns-test:go$(GO_VERSION) \ + /bin/bash -c "cd /etcd && /certs-common-name-auth/run.sh && rm -rf m*.etcd" + +docker-dns-test-certs-common-name-multi-run: + $(info GO_VERSION: $(GO_VERSION)) + $(info HOST_TMP_DIR: $(HOST_TMP_DIR)) + $(info TMP_DIR_MOUNT_FLAG: $(TMP_DIR_MOUNT_FLAG)) + docker run \ + --rm \ + --tty \ + --dns 127.0.0.1 \ + $(TMP_DIR_MOUNT_FLAG) \ + --mount type=bind,source=`pwd`/bin,destination=/etcd \ + --mount type=bind,source=`pwd`/hack/scripts-dev/docker-dns/certs-common-name-multi,destination=/certs-common-name-multi \ + 
gcr.io/etcd-development/etcd-dns-test:go$(GO_VERSION) \ + /bin/bash -c "cd /etcd && /certs-common-name-multi/run.sh && rm -rf m*.etcd" + + + # Example: # make build-docker-test -f ./hack/scripts-dev/Makefile # make compile-with-docker-test -f ./hack/scripts-dev/Makefile 
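Review bot: The six `docker-dns-test-*-run` recipes in this hunk are copies that differ only in the fixture directory name (`insecure`, `certs`, `certs-gateway`, `certs-wildcard`, `certs-common-name-auth`, `certs-common-name-multi`), so one copy can drift from the others unnoticed, for example in its mount flags. A single pattern rule `docker-dns-test-%-run:` would cover all six, with `$*` in place of the directory name in the second `--mount` (both source and destination) and in the `run.sh` path. A short comment above the rule listing the accepted names would keep the `# Example:` block at the top of the section accurate.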
@@ -234,61 +387,113 @@ docker-dns-test-certs-wildcard-run: # make docker-dns-srv-test-certs-wildcard-run -f ./hack/scripts-dev/Makefile build-docker-dns-srv-test: - $(info GO_VERSION: $(_GO_VERSION)) - @cat ./hack/scripts-dev/docker-dns-srv/Dockerfile | sed s/REPLACE_ME_GO_VERSION/$(_GO_VERSION)/ \ - > ./hack/scripts-dev/docker-dns-srv/.Dockerfile - + $(info GO_VERSION: $(GO_VERSION)) + @sed -i.bak 's|REPLACE_ME_GO_VERSION|$(GO_VERSION)|g' ./hack/scripts-dev/docker-dns-srv/Dockerfile docker build \ - --tag gcr.io/etcd-development/etcd-dns-srv-test:go$(_GO_VERSION) \ - --file ./hack/scripts-dev/docker-dns-srv/.Dockerfile \ + --tag gcr.io/etcd-development/etcd-dns-srv-test:go$(GO_VERSION) \ + --file ./hack/scripts-dev/docker-dns-srv/Dockerfile \ ./hack/scripts-dev/docker-dns-srv + @mv ./hack/scripts-dev/docker-dns-srv/Dockerfile.bak ./hack/scripts-dev/docker-dns-srv/Dockerfile docker run \ --rm \ --dns 127.0.0.1 \ - gcr.io/etcd-development/etcd-dns-srv-test:go$(_GO_VERSION) \ + gcr.io/etcd-development/etcd-dns-srv-test:go$(GO_VERSION) \ /bin/bash -c "/etc/init.d/bind9 start && cat /dev/null >/etc/hosts && dig +noall +answer SRV _etcd-client-ssl._tcp.etcd.local && dig +noall +answer SRV _etcd-server-ssl._tcp.etcd.local && dig +noall +answer m1.etcd.local m2.etcd.local m3.etcd.local" push-docker-dns-srv-test: - $(info GO_VERSION: $(_GO_VERSION)) - gcloud docker -- push gcr.io/etcd-development/etcd-dns-srv-test:go$(_GO_VERSION) + $(info GO_VERSION: $(GO_VERSION)) + gcloud docker -- push gcr.io/etcd-development/etcd-dns-srv-test:go$(GO_VERSION) pull-docker-dns-srv-test: - $(info GO_VERSION: $(_GO_VERSION)) - docker pull gcr.io/etcd-development/etcd-dns-srv-test:go$(_GO_VERSION) + $(info GO_VERSION: $(GO_VERSION)) + docker pull gcr.io/etcd-development/etcd-dns-srv-test:go$(GO_VERSION) docker-dns-srv-test-certs-run: - $(info GO_VERSION: $(_GO_VERSION)) + $(info GO_VERSION: $(GO_VERSION)) + $(info HOST_TMP_DIR: $(HOST_TMP_DIR)) + $(info TMP_DIR_MOUNT_FLAG: 
$(TMP_DIR_MOUNT_FLAG)) docker run \ --rm \ --tty \ --dns 127.0.0.1 \ - --volume=/tmp:/tmp \ - --volume=`pwd`/bin:/etcd \ - --volume=`pwd`/hack/scripts-dev/docker-dns-srv/certs:/certs \ - gcr.io/etcd-development/etcd-dns-srv-test:go$(_GO_VERSION) \ + $(TMP_DIR_MOUNT_FLAG) \ + --mount type=bind,source=`pwd`/bin,destination=/etcd \ + --mount type=bind,source=`pwd`/hack/scripts-dev/docker-dns-srv/certs,destination=/certs \ + gcr.io/etcd-development/etcd-dns-srv-test:go$(GO_VERSION) \ /bin/bash -c "cd /etcd && /certs/run.sh && rm -rf m*.etcd" docker-dns-srv-test-certs-gateway-run: - $(info GO_VERSION: $(_GO_VERSION)) + $(info GO_VERSION: $(GO_VERSION)) + $(info HOST_TMP_DIR: $(HOST_TMP_DIR)) + $(info TMP_DIR_MOUNT_FLAG: $(TMP_DIR_MOUNT_FLAG)) docker run \ --rm \ --tty \ --dns 127.0.0.1 \ - --volume=/tmp:/tmp \ - --volume=`pwd`/bin:/etcd \ - --volume=`pwd`/hack/scripts-dev/docker-dns-srv/certs-gateway:/certs-gateway \ - gcr.io/etcd-development/etcd-dns-srv-test:go$(_GO_VERSION) \ + $(TMP_DIR_MOUNT_FLAG) \ + --mount type=bind,source=`pwd`/bin,destination=/etcd \ + --mount type=bind,source=`pwd`/hack/scripts-dev/docker-dns-srv/certs-gateway,destination=/certs-gateway \ + gcr.io/etcd-development/etcd-dns-srv-test:go$(GO_VERSION) \ /bin/bash -c "cd /etcd && /certs-gateway/run.sh && rm -rf m*.etcd" docker-dns-srv-test-certs-wildcard-run: - $(info GO_VERSION: $(_GO_VERSION)) + $(info GO_VERSION: $(GO_VERSION)) + $(info HOST_TMP_DIR: $(HOST_TMP_DIR)) + $(info TMP_DIR_MOUNT_FLAG: $(TMP_DIR_MOUNT_FLAG)) docker run \ --rm \ --tty \ --dns 127.0.0.1 \ - --volume=/tmp:/tmp \ - --volume=`pwd`/bin:/etcd \ - --volume=`pwd`/hack/scripts-dev/docker-dns-srv/certs-wildcard:/certs-wildcard \ - gcr.io/etcd-development/etcd-dns-srv-test:go$(_GO_VERSION) \ - /bin/bash -c "cd /etcd && /certs-wildcard/run.sh && rm -rf m*.etcd" \ No newline at end of file + $(TMP_DIR_MOUNT_FLAG) \ + --mount type=bind,source=`pwd`/bin,destination=/etcd \ + --mount 
type=bind,source=`pwd`/hack/scripts-dev/docker-dns-srv/certs-wildcard,destination=/certs-wildcard \ + gcr.io/etcd-development/etcd-dns-srv-test:go$(GO_VERSION) \ + /bin/bash -c "cd /etcd && /certs-wildcard/run.sh && rm -rf m*.etcd" + + + +# Example: +# make build-etcd-test-proxy -f ./hack/scripts-dev/Makefile + +build-etcd-test-proxy: + go build -v -o ./bin/etcd-test-proxy ./tools/etcd-test-proxy + + + +# Example: +# make build-docker-functional-tester -f ./hack/scripts-dev/Makefile +# make push-docker-functional-tester -f ./hack/scripts-dev/Makefile +# make pull-docker-functional-tester -f ./hack/scripts-dev/Makefile + +build-docker-functional-tester: + $(info GO_VERSION: $(GO_VERSION)) + $(info ETCD_VERSION: $(ETCD_VERSION)) + @sed -i.bak 's|REPLACE_ME_GO_VERSION|$(GO_VERSION)|g' ./Dockerfile-functional-tester + docker build \ + --tag gcr.io/etcd-development/etcd-functional-tester:go$(GO_VERSION) \ + --file ./Dockerfile-functional-tester \ + . + @mv ./Dockerfile-functional-tester.bak ./Dockerfile-functional-tester + + docker run \ + --rm \ + gcr.io/etcd-development/etcd-functional-tester:go$(GO_VERSION) \ + /bin/bash -c "/etcd --version && \ + /etcd-failpoints --version && \ + ETCDCTL_API=3 /etcdctl version && \ + /etcd-agent -help || true && \ + /etcd-tester -help || true && \ + /etcd-runner --help || true && \ + /benchmark --help || true && \ + /etcd-test-proxy -help || true" + +push-docker-functional-tester: + $(info GO_VERSION: $(GO_VERSION)) + $(info ETCD_VERSION: $(ETCD_VERSION)) + gcloud docker -- push gcr.io/etcd-development/etcd-functional-tester:go$(GO_VERSION) + +pull-docker-functional-tester: + $(info GO_VERSION: $(GO_VERSION)) + $(info ETCD_VERSION: $(ETCD_VERSION)) + docker pull gcr.io/etcd-development/etcd-functional-tester:go$(GO_VERSION) diff --git a/hack/scripts-dev/README b/hack/scripts-dev/README index 16c3e583d..2139feb7c 100644 --- a/hack/scripts-dev/README +++ b/hack/scripts-dev/README 
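Review bot: The smoke test at the end of `build-docker-functional-tester` can never fail. `&&` and `||` have equal precedence in the shell and associate left to right, so the first `|| true` also swallows a failure of `/etcd --version`, `/etcd-failpoints --version` or `/etcdctl version`, and the trailing `|| true` makes the whole command exit 0. An image with a missing or broken binary would then pass this check and could be pushed by `push-docker-functional-tester`. Grouping each tolerated `-help` call keeps the first three checks binding.

```make
# … unchanged: sed, docker build, mv, docker run flags and image …
	    ETCDCTL_API=3 /etcdctl version && \
	    (/etcd-agent -help || true) && \
	    (/etcd-tester -help || true) && \
	    (/etcd-runner --help || true) && \
	    (/benchmark --help || true) && \
	    (/etcd-test-proxy -help || true)"
```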
@@ -1,2 +1 @@ - -scripts for etcd development +scripts for etcd development \ No newline at end of file diff --git a/hack/scripts-dev/docker-dns-srv/Dockerfile b/hack/scripts-dev/docker-dns-srv/Dockerfile index 07e907214..087943e1f 100644 --- a/hack/scripts-dev/docker-dns-srv/Dockerfile +++ b/hack/scripts-dev/docker-dns-srv/Dockerfile @@ -1,4 +1,4 @@ -FROM ubuntu:16.10 +FROM ubuntu:17.10 RUN rm /bin/sh && ln -s /bin/bash /bin/sh RUN echo 'debconf debconf/frontend select Noninteractive' | debconf-set-selections diff --git a/hack/scripts-dev/docker-dns/Dockerfile b/hack/scripts-dev/docker-dns/Dockerfile index 07e907214..087943e1f 100644 --- a/hack/scripts-dev/docker-dns/Dockerfile +++ b/hack/scripts-dev/docker-dns/Dockerfile @@ -1,4 +1,4 @@ -FROM ubuntu:16.10 +FROM ubuntu:17.10 RUN rm /bin/sh && ln -s /bin/bash /bin/sh RUN echo 'debconf debconf/frontend select Noninteractive' | debconf-set-selections diff --git a/hack/scripts-dev/docker-dns/certs-common-name-auth/Procfile b/hack/scripts-dev/docker-dns/certs-common-name-auth/Procfile new file mode 100644 index 000000000..798d8c441 --- /dev/null +++ b/hack/scripts-dev/docker-dns/certs-common-name-auth/Procfile 
@@ -0,0 +1,6 @@ +# Use goreman to run `go get github.com/mattn/goreman` +etcd1: ./etcd --name m1 --data-dir /tmp/m1.data --listen-client-urls https://127.0.0.1:2379 --advertise-client-urls https://m1.etcd.local:2379 --listen-peer-urls https://127.0.0.1:2380 --initial-advertise-peer-urls=https://m1.etcd.local:2380 --initial-cluster-token tkn --initial-cluster=m1=https://m1.etcd.local:2380,m2=https://m2.etcd.local:22380,m3=https://m3.etcd.local:32380 --initial-cluster-state new --peer-cert-file=/certs-common-name-auth/server.crt --peer-key-file=/certs-common-name-auth/server.key.insecure --peer-trusted-ca-file=/certs-common-name-auth/ca.crt --peer-client-cert-auth --peer-cert-allowed-cn test-common-name --cert-file=/certs-common-name-auth/server.crt --key-file=/certs-common-name-auth/server.key.insecure --trusted-ca-file=/certs-common-name-auth/ca.crt --client-cert-auth + +etcd2: ./etcd --name m2 --data-dir /tmp/m2.data --listen-client-urls https://127.0.0.1:22379 --advertise-client-urls https://m2.etcd.local:22379 --listen-peer-urls https://127.0.0.1:22380 --initial-advertise-peer-urls=https://m2.etcd.local:22380 --initial-cluster-token tkn --initial-cluster=m1=https://m1.etcd.local:2380,m2=https://m2.etcd.local:22380,m3=https://m3.etcd.local:32380 --initial-cluster-state new --peer-cert-file=/certs-common-name-auth/server.crt --peer-key-file=/certs-common-name-auth/server.key.insecure --peer-trusted-ca-file=/certs-common-name-auth/ca.crt --peer-client-cert-auth --peer-cert-allowed-cn test-common-name --cert-file=/certs-common-name-auth/server.crt --key-file=/certs-common-name-auth/server.key.insecure --trusted-ca-file=/certs-common-name-auth/ca.crt --client-cert-auth + +etcd3: ./etcd --name m3 --data-dir /tmp/m3.data --listen-client-urls https://127.0.0.1:32379 --advertise-client-urls https://m3.etcd.local:32379 --listen-peer-urls https://127.0.0.1:32380 --initial-advertise-peer-urls=https://m3.etcd.local:32380 --initial-cluster-token tkn 
--initial-cluster=m1=https://m1.etcd.local:2380,m2=https://m2.etcd.local:22380,m3=https://m3.etcd.local:32380 --initial-cluster-state new --peer-cert-file=/certs-common-name-auth/server.crt --peer-key-file=/certs-common-name-auth/server.key.insecure --peer-trusted-ca-file=/certs-common-name-auth/ca.crt --peer-client-cert-auth --peer-cert-allowed-cn test-common-name --cert-file=/certs-common-name-auth/server.crt --key-file=/certs-common-name-auth/server.key.insecure --trusted-ca-file=/certs-common-name-auth/ca.crt --client-cert-auth \ No newline at end of file diff --git a/hack/scripts-dev/docker-dns/certs-common-name/ca-csr.json b/hack/scripts-dev/docker-dns/certs-common-name-auth/ca-csr.json similarity index 100% rename from hack/scripts-dev/docker-dns/certs-common-name/ca-csr.json rename to hack/scripts-dev/docker-dns/certs-common-name-auth/ca-csr.json diff --git a/hack/scripts-dev/docker-dns/certs-common-name/ca.crt b/hack/scripts-dev/docker-dns/certs-common-name-auth/ca.crt similarity index 100% rename from hack/scripts-dev/docker-dns/certs-common-name/ca.crt rename to hack/scripts-dev/docker-dns/certs-common-name-auth/ca.crt diff --git a/hack/scripts-dev/docker-dns/certs-common-name/gencert.json b/hack/scripts-dev/docker-dns/certs-common-name-auth/gencert.json similarity index 100% rename from hack/scripts-dev/docker-dns/certs-common-name/gencert.json rename to hack/scripts-dev/docker-dns/certs-common-name-auth/gencert.json diff --git a/hack/scripts-dev/docker-dns/certs-common-name-auth/gencerts.sh b/hack/scripts-dev/docker-dns/certs-common-name-auth/gencerts.sh new file mode 100755 index 000000000..7fcfea569 --- /dev/null +++ b/hack/scripts-dev/docker-dns/certs-common-name-auth/gencerts.sh 
@@ -0,0 +1,26 @@ +#!/bin/bash + +if ! [[ "$0" =~ "./gencerts.sh" ]]; then + echo "must be run from 'fixtures'" + exit 255 +fi + +if ! which cfssl; then + echo "cfssl is not installed" + exit 255 +fi + +cfssl gencert --initca=true ./ca-csr.json | cfssljson --bare ./ca +mv ca.pem ca.crt +openssl x509 -in ca.crt -noout -text + +# generate wildcard certificates DNS: m1/m2/m3.etcd.local +cfssl gencert \ + --ca ./ca.crt \ + --ca-key ./ca-key.pem \ + --config ./gencert.json \ + ./server-ca-csr.json | cfssljson --bare ./server +mv server.pem server.crt +mv server-key.pem server.key.insecure + +rm -f *.csr *.pem *.stderr *.txt diff --git a/hack/scripts-dev/docker-dns/certs-common-name/run.sh b/hack/scripts-dev/docker-dns/certs-common-name-auth/run.sh similarity index 61% rename from hack/scripts-dev/docker-dns/certs-common-name/run.sh rename to hack/scripts-dev/docker-dns/certs-common-name-auth/run.sh index 6d3bb026f..d4aaaecf2 100755 --- a/hack/scripts-dev/docker-dns/certs-common-name/run.sh +++ b/hack/scripts-dev/docker-dns/certs-common-name-auth/run.sh 
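Review bot: The script has no error handling after its two precondition checks. If either `cfssl gencert ... | cfssljson` pipeline fails, the `mv` lines fail too, yet the script carries on to the final `rm -f` and exits 0, so any `ca.crt`, `server.crt` and `server.key.insecure` already in the directory are left in place as if freshly generated. Adding `set -euo pipefail` directly under the shebang would stop at the first failure. The guard message `must be run from 'fixtures'` and the comment `generate wildcard certificates` look copied from another fixture directory and do not describe this one. The guard itself only matches how the script was invoked (`$0`), not the working directory.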
@@ -6,65 +6,65 @@ rm -rf /tmp/m1.data /tmp/m2.data /tmp/m3.data # get rid of hosts so go lookup won't resolve 127.0.0.1 to localhost cat /dev/null >/etc/hosts -goreman -f /certs-common-name/Procfile start & +goreman -f /certs-common-name-auth/Procfile start & + +# TODO: remove random sleeps sleep 7s ETCDCTL_API=3 ./etcdctl \ - --cacert=/certs-common-name/ca.crt \ - --cert=/certs-common-name/server.crt \ - --key=/certs-common-name/server.key.insecure \ + --cacert=/certs-common-name-auth/ca.crt \ + --cert=/certs-common-name-auth/server.crt \ + --key=/certs-common-name-auth/server.key.insecure \ --endpoints=https://m1.etcd.local:2379 \ endpoint health --cluster -sleep 2s ETCDCTL_API=3 ./etcdctl \ - --cacert=/certs-common-name/ca.crt \ - --cert=/certs-common-name/server.crt \ - --key=/certs-common-name/server.key.insecure \ + --cacert=/certs-common-name-auth/ca.crt \ + --cert=/certs-common-name-auth/server.crt \ + --key=/certs-common-name-auth/server.key.insecure \ --endpoints=https://m1.etcd.local:2379,https://m2.etcd.local:22379,https://m3.etcd.local:32379 \ put abc def -sleep 2s ETCDCTL_API=3 ./etcdctl \ - --cacert=/certs-common-name/ca.crt \ - --cert=/certs-common-name/server.crt \ - --key=/certs-common-name/server.key.insecure \ + --cacert=/certs-common-name-auth/ca.crt \ + --cert=/certs-common-name-auth/server.crt \ + --key=/certs-common-name-auth/server.key.insecure \ --endpoints=https://m1.etcd.local:2379,https://m2.etcd.local:22379,https://m3.etcd.local:32379 \ get abc sleep 1s && printf "\n" echo "Step 1. 
creating root role" ETCDCTL_API=3 ./etcdctl \ - --cacert=/certs-common-name/ca.crt \ - --cert=/certs-common-name/server.crt \ - --key=/certs-common-name/server.key.insecure \ + --cacert=/certs-common-name-auth/ca.crt \ + --cert=/certs-common-name-auth/server.crt \ + --key=/certs-common-name-auth/server.key.insecure \ --endpoints=https://m1.etcd.local:2379,https://m2.etcd.local:22379,https://m3.etcd.local:32379 \ role add root sleep 1s && printf "\n" echo "Step 2. granting readwrite 'foo' permission to role 'root'" ETCDCTL_API=3 ./etcdctl \ - --cacert=/certs-common-name/ca.crt \ - --cert=/certs-common-name/server.crt \ - --key=/certs-common-name/server.key.insecure \ + --cacert=/certs-common-name-auth/ca.crt \ + --cert=/certs-common-name-auth/server.crt \ + --key=/certs-common-name-auth/server.key.insecure \ --endpoints=https://m1.etcd.local:2379,https://m2.etcd.local:22379,https://m3.etcd.local:32379 \ role grant-permission root readwrite foo sleep 1s && printf "\n" echo "Step 3. getting role 'root'" ETCDCTL_API=3 ./etcdctl \ - --cacert=/certs-common-name/ca.crt \ - --cert=/certs-common-name/server.crt \ - --key=/certs-common-name/server.key.insecure \ + --cacert=/certs-common-name-auth/ca.crt \ + --cert=/certs-common-name-auth/server.crt \ + --key=/certs-common-name-auth/server.key.insecure \ --endpoints=https://m1.etcd.local:2379,https://m2.etcd.local:22379,https://m3.etcd.local:32379 \ role get root sleep 1s && printf "\n" echo "Step 4. creating user 'root'" ETCDCTL_API=3 ./etcdctl \ - --cacert=/certs-common-name/ca.crt \ - --cert=/certs-common-name/server.crt \ - --key=/certs-common-name/server.key.insecure \ + --cacert=/certs-common-name-auth/ca.crt \ + --cert=/certs-common-name-auth/server.crt \ + --key=/certs-common-name-auth/server.key.insecure \ --endpoints=https://m1.etcd.local:2379,https://m2.etcd.local:22379,https://m3.etcd.local:32379 \ --interactive=false \ user add root:123 
@@ -72,36 +72,36 @@ ETCDCTL_API=3 ./etcdctl \ sleep 1s && printf "\n" echo "Step 5. granting role 'root' to user 'root'" ETCDCTL_API=3 ./etcdctl \ - --cacert=/certs-common-name/ca.crt \ - --cert=/certs-common-name/server.crt \ - --key=/certs-common-name/server.key.insecure \ + --cacert=/certs-common-name-auth/ca.crt \ + --cert=/certs-common-name-auth/server.crt \ + --key=/certs-common-name-auth/server.key.insecure \ --endpoints=https://m1.etcd.local:2379,https://m2.etcd.local:22379,https://m3.etcd.local:32379 \ user grant-role root root sleep 1s && printf "\n" echo "Step 6. getting user 'root'" ETCDCTL_API=3 ./etcdctl \ - --cacert=/certs-common-name/ca.crt \ - --cert=/certs-common-name/server.crt \ - --key=/certs-common-name/server.key.insecure \ + --cacert=/certs-common-name-auth/ca.crt \ + --cert=/certs-common-name-auth/server.crt \ + --key=/certs-common-name-auth/server.key.insecure \ --endpoints=https://m1.etcd.local:2379,https://m2.etcd.local:22379,https://m3.etcd.local:32379 \ user get root sleep 1s && printf "\n" echo "Step 7. enabling auth" ETCDCTL_API=3 ./etcdctl \ - --cacert=/certs-common-name/ca.crt \ - --cert=/certs-common-name/server.crt \ - --key=/certs-common-name/server.key.insecure \ + --cacert=/certs-common-name-auth/ca.crt \ + --cert=/certs-common-name-auth/server.crt \ + --key=/certs-common-name-auth/server.key.insecure \ --endpoints=https://m1.etcd.local:2379,https://m2.etcd.local:22379,https://m3.etcd.local:32379 \ auth enable sleep 1s && printf "\n" echo "Step 8. writing 'foo' with 'root:123'" ETCDCTL_API=3 ./etcdctl \ - --cacert=/certs-common-name/ca.crt \ - --cert=/certs-common-name/server.crt \ - --key=/certs-common-name/server.key.insecure \ + --cacert=/certs-common-name-auth/ca.crt \ + --cert=/certs-common-name-auth/server.crt \ + --key=/certs-common-name-auth/server.key.insecure \ --endpoints=https://m1.etcd.local:2379,https://m2.etcd.local:22379,https://m3.etcd.local:32379 \ --user=root:123 \ put foo bar 
@@ -109,9 +109,9 @@ ETCDCTL_API=3 ./etcdctl \ sleep 1s && printf "\n" echo "Step 9. writing 'aaa' with 'root:123'" ETCDCTL_API=3 ./etcdctl \ - --cacert=/certs-common-name/ca.crt \ - --cert=/certs-common-name/server.crt \ - --key=/certs-common-name/server.key.insecure \ + --cacert=/certs-common-name-auth/ca.crt \ + --cert=/certs-common-name-auth/server.crt \ + --key=/certs-common-name-auth/server.key.insecure \ --endpoints=https://m1.etcd.local:2379,https://m2.etcd.local:22379,https://m3.etcd.local:32379 \ --user=root:123 \ put aaa bbb @@ -119,18 +119,18 @@ ETCDCTL_API=3 ./etcdctl \ sleep 1s && printf "\n" echo "Step 10. writing 'foo' without 'root:123'" ETCDCTL_API=3 ./etcdctl \ - --cacert=/certs-common-name/ca.crt \ - --cert=/certs-common-name/server.crt \ - --key=/certs-common-name/server.key.insecure \ + --cacert=/certs-common-name-auth/ca.crt \ + --cert=/certs-common-name-auth/server.crt \ + --key=/certs-common-name-auth/server.key.insecure \ --endpoints=https://m1.etcd.local:2379,https://m2.etcd.local:22379,https://m3.etcd.local:32379 \ put foo bar sleep 1s && printf "\n" echo "Step 11. reading 'foo' with 'root:123'" ETCDCTL_API=3 ./etcdctl \ - --cacert=/certs-common-name/ca.crt \ - --cert=/certs-common-name/server.crt \ - --key=/certs-common-name/server.key.insecure \ + --cacert=/certs-common-name-auth/ca.crt \ + --cert=/certs-common-name-auth/server.crt \ + --key=/certs-common-name-auth/server.key.insecure \ --endpoints=https://m1.etcd.local:2379,https://m2.etcd.local:22379,https://m3.etcd.local:32379 \ --user=root:123 \ get foo 
@@ -138,9 +138,9 @@ ETCDCTL_API=3 ./etcdctl \ sleep 1s && printf "\n" echo "Step 12. reading 'aaa' with 'root:123'" ETCDCTL_API=3 ./etcdctl \ - --cacert=/certs-common-name/ca.crt \ - --cert=/certs-common-name/server.crt \ - --key=/certs-common-name/server.key.insecure \ + --cacert=/certs-common-name-auth/ca.crt \ + --cert=/certs-common-name-auth/server.crt \ + --key=/certs-common-name-auth/server.key.insecure \ --endpoints=https://m1.etcd.local:2379,https://m2.etcd.local:22379,https://m3.etcd.local:32379 \ --user=root:123 \ get aaa @@ -148,9 +148,9 @@ ETCDCTL_API=3 ./etcdctl \ sleep 1s && printf "\n" echo "Step 13. creating a new user 'test-common-name:test-pass'" ETCDCTL_API=3 ./etcdctl \ - --cacert=/certs-common-name/ca.crt \ - --cert=/certs-common-name/server.crt \ - --key=/certs-common-name/server.key.insecure \ + --cacert=/certs-common-name-auth/ca.crt \ + --cert=/certs-common-name-auth/server.crt \ + --key=/certs-common-name-auth/server.key.insecure \ --endpoints=https://m1.etcd.local:2379,https://m2.etcd.local:22379,https://m3.etcd.local:32379 \ --user=root:123 \ --interactive=false \ @@ -159,9 +159,9 @@ ETCDCTL_API=3 ./etcdctl \ sleep 1s && printf "\n" echo "Step 14. creating a role 'test-role'" ETCDCTL_API=3 ./etcdctl \ - --cacert=/certs-common-name/ca.crt \ - --cert=/certs-common-name/server.crt \ - --key=/certs-common-name/server.key.insecure \ + --cacert=/certs-common-name-auth/ca.crt \ + --cert=/certs-common-name-auth/server.crt \ + --key=/certs-common-name-auth/server.key.insecure \ --endpoints=https://m1.etcd.local:2379,https://m2.etcd.local:22379,https://m3.etcd.local:32379 \ --user=root:123 \ role add test-role 
@@ -169,9 +169,9 @@ ETCDCTL_API=3 ./etcdctl \ sleep 1s && printf "\n" echo "Step 15. granting readwrite 'aaa' --prefix permission to role 'test-role'" ETCDCTL_API=3 ./etcdctl \ - --cacert=/certs-common-name/ca.crt \ - --cert=/certs-common-name/server.crt \ - --key=/certs-common-name/server.key.insecure \ + --cacert=/certs-common-name-auth/ca.crt \ + --cert=/certs-common-name-auth/server.crt \ + --key=/certs-common-name-auth/server.key.insecure \ --endpoints=https://m1.etcd.local:2379,https://m2.etcd.local:22379,https://m3.etcd.local:32379 \ --user=root:123 \ role grant-permission test-role readwrite aaa --prefix @@ -179,9 +179,9 @@ ETCDCTL_API=3 ./etcdctl \ sleep 1s && printf "\n" echo "Step 16. getting role 'test-role'" ETCDCTL_API=3 ./etcdctl \ - --cacert=/certs-common-name/ca.crt \ - --cert=/certs-common-name/server.crt \ - --key=/certs-common-name/server.key.insecure \ + --cacert=/certs-common-name-auth/ca.crt \ + --cert=/certs-common-name-auth/server.crt \ + --key=/certs-common-name-auth/server.key.insecure \ --endpoints=https://m1.etcd.local:2379,https://m2.etcd.local:22379,https://m3.etcd.local:32379 \ --user=root:123 \ role get test-role @@ -189,9 +189,9 @@ ETCDCTL_API=3 ./etcdctl \ sleep 1s && printf "\n" echo "Step 17. granting role 'test-role' to user 'test-common-name'" ETCDCTL_API=3 ./etcdctl \ - --cacert=/certs-common-name/ca.crt \ - --cert=/certs-common-name/server.crt \ - --key=/certs-common-name/server.key.insecure \ + --cacert=/certs-common-name-auth/ca.crt \ + --cert=/certs-common-name-auth/server.crt \ + --key=/certs-common-name-auth/server.key.insecure \ --endpoints=https://m1.etcd.local:2379,https://m2.etcd.local:22379,https://m3.etcd.local:32379 \ --user=root:123 \ user grant-role test-common-name test-role 
@@ -199,9 +199,9 @@ ETCDCTL_API=3 ./etcdctl \ sleep 1s && printf "\n" echo "Step 18. writing 'aaa' with 'test-common-name:test-pass'" ETCDCTL_API=3 ./etcdctl \ - --cacert=/certs-common-name/ca.crt \ - --cert=/certs-common-name/server.crt \ - --key=/certs-common-name/server.key.insecure \ + --cacert=/certs-common-name-auth/ca.crt \ + --cert=/certs-common-name-auth/server.crt \ + --key=/certs-common-name-auth/server.key.insecure \ --endpoints=https://m1.etcd.local:2379,https://m2.etcd.local:22379,https://m3.etcd.local:32379 \ --user=test-common-name:test-pass \ put aaa bbb @@ -209,9 +209,9 @@ ETCDCTL_API=3 ./etcdctl \ sleep 1s && printf "\n" echo "Step 19. writing 'bbb' with 'test-common-name:test-pass'" ETCDCTL_API=3 ./etcdctl \ - --cacert=/certs-common-name/ca.crt \ - --cert=/certs-common-name/server.crt \ - --key=/certs-common-name/server.key.insecure \ + --cacert=/certs-common-name-auth/ca.crt \ + --cert=/certs-common-name-auth/server.crt \ + --key=/certs-common-name-auth/server.key.insecure \ --endpoints=https://m1.etcd.local:2379,https://m2.etcd.local:22379,https://m3.etcd.local:32379 \ --user=test-common-name:test-pass \ put bbb bbb @@ -219,9 +219,9 @@ ETCDCTL_API=3 ./etcdctl \ sleep 1s && printf "\n" echo "Step 20. reading 'aaa' with 'test-common-name:test-pass'" ETCDCTL_API=3 ./etcdctl \ - --cacert=/certs-common-name/ca.crt \ - --cert=/certs-common-name/server.crt \ - --key=/certs-common-name/server.key.insecure \ + --cacert=/certs-common-name-auth/ca.crt \ + --cert=/certs-common-name-auth/server.crt \ + --key=/certs-common-name-auth/server.key.insecure \ --endpoints=https://m1.etcd.local:2379,https://m2.etcd.local:22379,https://m3.etcd.local:32379 \ --user=test-common-name:test-pass \ get aaa 
@@ -229,9 +229,9 @@ ETCDCTL_API=3 ./etcdctl \ sleep 1s && printf "\n" echo "Step 21. reading 'bbb' with 'test-common-name:test-pass'" ETCDCTL_API=3 ./etcdctl \ - --cacert=/certs-common-name/ca.crt \ - --cert=/certs-common-name/server.crt \ - --key=/certs-common-name/server.key.insecure \ + --cacert=/certs-common-name-auth/ca.crt \ + --cert=/certs-common-name-auth/server.crt \ + --key=/certs-common-name-auth/server.key.insecure \ --endpoints=https://m1.etcd.local:2379,https://m2.etcd.local:22379,https://m3.etcd.local:32379 \ --user=test-common-name:test-pass \ get bbb @@ -239,17 +239,17 @@ ETCDCTL_API=3 ./etcdctl \ sleep 1s && printf "\n" echo "Step 22. writing 'aaa' with CommonName 'test-common-name'" ETCDCTL_API=3 ./etcdctl \ - --cacert=/certs-common-name/ca.crt \ - --cert=/certs-common-name/server.crt \ - --key=/certs-common-name/server.key.insecure \ + --cacert=/certs-common-name-auth/ca.crt \ + --cert=/certs-common-name-auth/server.crt \ + --key=/certs-common-name-auth/server.key.insecure \ --endpoints=https://m1.etcd.local:2379,https://m2.etcd.local:22379,https://m3.etcd.local:32379 \ put aaa ccc sleep 1s && printf "\n" echo "Step 23. reading 'aaa' with CommonName 'test-common-name'" ETCDCTL_API=3 ./etcdctl \ - --cacert=/certs-common-name/ca.crt \ - --cert=/certs-common-name/server.crt \ - --key=/certs-common-name/server.key.insecure \ + --cacert=/certs-common-name-auth/ca.crt \ + --cert=/certs-common-name-auth/server.crt \ + --key=/certs-common-name-auth/server.key.insecure \ --endpoints=https://m1.etcd.local:2379,https://m2.etcd.local:22379,https://m3.etcd.local:32379 \ get aaa diff --git a/hack/scripts-dev/docker-dns/certs-common-name/server-ca-csr.json b/hack/scripts-dev/docker-dns/certs-common-name-auth/server-ca-csr.json similarity index 100% rename from hack/scripts-dev/docker-dns/certs-common-name/server-ca-csr.json rename to hack/scripts-dev/docker-dns/certs-common-name-auth/server-ca-csr.json 
diff --git a/hack/scripts-dev/docker-dns/certs-common-name/server.crt b/hack/scripts-dev/docker-dns/certs-common-name-auth/server.crt similarity index 100% rename from hack/scripts-dev/docker-dns/certs-common-name/server.crt rename to hack/scripts-dev/docker-dns/certs-common-name-auth/server.crt diff --git a/hack/scripts-dev/docker-dns/certs-common-name/server.key.insecure b/hack/scripts-dev/docker-dns/certs-common-name-auth/server.key.insecure similarity index 100% rename from hack/scripts-dev/docker-dns/certs-common-name/server.key.insecure rename to hack/scripts-dev/docker-dns/certs-common-name-auth/server.key.insecure diff --git a/hack/scripts-dev/docker-dns/certs-common-name-multi/Procfile b/hack/scripts-dev/docker-dns/certs-common-name-multi/Procfile new file mode 100644 index 000000000..faa838af5 --- /dev/null +++ b/hack/scripts-dev/docker-dns/certs-common-name-multi/Procfile 
@@ -0,0 +1,6 @@ +# Use goreman to run `go get github.com/mattn/goreman` +etcd1: ./etcd --name m1 --data-dir /tmp/m1.data --listen-client-urls https://127.0.0.1:2379 --advertise-client-urls https://m1.etcd.local:2379 --listen-peer-urls https://127.0.0.1:2380 --initial-advertise-peer-urls=https://m1.etcd.local:2380 --initial-cluster-token tkn --initial-cluster=m1=https://m1.etcd.local:2380,m2=https://m2.etcd.local:22380,m3=https://m3.etcd.local:32380 --initial-cluster-state new --peer-cert-file=/certs-common-name-multi/server-1.crt --peer-key-file=/certs-common-name-multi/server-1.key.insecure --peer-trusted-ca-file=/certs-common-name-multi/ca.crt --peer-client-cert-auth --peer-cert-allowed-cn etcd.local --cert-file=/certs-common-name-multi/server-1.crt --key-file=/certs-common-name-multi/server-1.key.insecure --trusted-ca-file=/certs-common-name-multi/ca.crt --client-cert-auth + +etcd2: ./etcd --name m2 --data-dir /tmp/m2.data --listen-client-urls https://127.0.0.1:22379 --advertise-client-urls https://m2.etcd.local:22379 --listen-peer-urls https://127.0.0.1:22380 --initial-advertise-peer-urls=https://m2.etcd.local:22380 --initial-cluster-token tkn --initial-cluster=m1=https://m1.etcd.local:2380,m2=https://m2.etcd.local:22380,m3=https://m3.etcd.local:32380 --initial-cluster-state new --peer-cert-file=/certs-common-name-multi/server-2.crt --peer-key-file=/certs-common-name-multi/server-2.key.insecure --peer-trusted-ca-file=/certs-common-name-multi/ca.crt --peer-client-cert-auth --peer-cert-allowed-cn etcd.local --cert-file=/certs-common-name-multi/server-2.crt --key-file=/certs-common-name-multi/server-2.key.insecure --trusted-ca-file=/certs-common-name-multi/ca.crt --client-cert-auth + +etcd3: ./etcd --name m3 --data-dir /tmp/m3.data --listen-client-urls https://127.0.0.1:32379 --advertise-client-urls https://m3.etcd.local:32379 --listen-peer-urls https://127.0.0.1:32380 --initial-advertise-peer-urls=https://m3.etcd.local:32380 --initial-cluster-token tkn 
--initial-cluster=m1=https://m1.etcd.local:2380,m2=https://m2.etcd.local:22380,m3=https://m3.etcd.local:32380 --initial-cluster-state new --peer-cert-file=/certs-common-name-multi/server-3.crt --peer-key-file=/certs-common-name-multi/server-3.key.insecure --peer-trusted-ca-file=/certs-common-name-multi/ca.crt --peer-client-cert-auth --peer-cert-allowed-cn etcd.local --cert-file=/certs-common-name-multi/server-3.crt --key-file=/certs-common-name-multi/server-3.key.insecure --trusted-ca-file=/certs-common-name-multi/ca.crt --client-cert-auth \ No newline at end of file diff --git a/hack/scripts-dev/docker-dns/certs-common-name-multi/ca-csr.json b/hack/scripts-dev/docker-dns/certs-common-name-multi/ca-csr.json new file mode 100644 index 000000000..ecafabaad --- /dev/null +++ b/hack/scripts-dev/docker-dns/certs-common-name-multi/ca-csr.json @@ -0,0 +1,19 @@ +{ + "key": { + "algo": "rsa", + "size": 2048 + }, + "names": [ + { + "O": "etcd", + "OU": "etcd Security", + "L": "San Francisco", + "ST": "California", + "C": "USA" + } + ], + "CN": "ca", + "ca": { + "expiry": "87600h" + } +} diff --git a/hack/scripts-dev/docker-dns/certs-common-name-multi/ca.crt b/hack/scripts-dev/docker-dns/certs-common-name-multi/ca.crt new file mode 100644 index 000000000..2e9b32003 --- /dev/null +++ b/hack/scripts-dev/docker-dns/certs-common-name-multi/ca.crt 
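Review bot: The Procfile does not say what this fixture exercises. Each member loads its own pair (`server-1.crt`, `server-2.crt`, `server-3.crt`), and all three are admitted by `--peer-cert-allowed-cn etcd.local` only because the three CSR files in this commit share `"CN": "etcd.local"`. A header comment would keep that from being lost when the certificates are regenerated, for example `# members use distinct certs that share CN etcd.local; --peer-cert-allowed-cn must match that CN`. The existing first comment reads as if goreman runs `go get`; `# Install goreman with: go get github.com/mattn/goreman` is probably what is meant. The file also ends without a trailing newline.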
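Review bot: `"C": "USA"` is not a valid X.509 country value, because countryName is defined as a two-letter ISO 3166 code. The three-letter string ends up in the subject and issuer of every certificate generated from these files. The fixtures evidently work with etcd, but stricter certificate parsers may reject them. Use `"C": "US"` here and in server-ca-csr-1.json, server-ca-csr-2.json and server-ca-csr-3.json, then regenerate with gencerts.sh.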
@@ -0,0 +1,23 @@ +-----BEGIN CERTIFICATE----- +MIID0jCCArqgAwIBAgIUd3UZnVmZFo8x9MWWhUrYQvZHLrQwDQYJKoZIhvcNAQEL +BQAwbzEMMAoGA1UEBhMDVVNBMRMwEQYDVQQIEwpDYWxpZm9ybmlhMRYwFAYDVQQH +Ew1TYW4gRnJhbmNpc2NvMQ0wCwYDVQQKEwRldGNkMRYwFAYDVQQLEw1ldGNkIFNl +Y3VyaXR5MQswCQYDVQQDEwJjYTAeFw0xODAxMjAwNjAwMDBaFw0yODAxMTgwNjAw +MDBaMG8xDDAKBgNVBAYTA1VTQTETMBEGA1UECBMKQ2FsaWZvcm5pYTEWMBQGA1UE +BxMNU2FuIEZyYW5jaXNjbzENMAsGA1UEChMEZXRjZDEWMBQGA1UECxMNZXRjZCBT +ZWN1cml0eTELMAkGA1UEAxMCY2EwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEK +AoIBAQCqgFTgSFl+ugXkZuiN5PXp84Zv05crwI5x2ePMnc2/3u1s7cQBvXQGCJcq +OwWD7tjcy4K2PDC0DLRa4Mkd8JpwADmf6ojbMH/3a1pXY2B3BJQwmNPFnxRJbDZL +Iti6syWKwyfLVb1KFCU08G+ZrWmGIXPWDiE+rTn/ArD/6WbQI1LYBFJm25NLpttM +mA3HnWoErNGY4Z/AR54ROdQSPL7RSUZBa0Kn1riXeOJ40/05qosR2O/hBSAGkD+m +5Rj+A6oek44zZqVzCSEncLsRJAKqgZIqsBrErAho72irEgTwv4OM0MyOCsY/9erf +hNYRSoQeX+zUvEvgToalfWGt6kT3AgMBAAGjZjBkMA4GA1UdDwEB/wQEAwIBBjAS +BgNVHRMBAf8ECDAGAQH/AgECMB0GA1UdDgQWBBRDePNja5CK4zUfO5x1vzGvdmUF +CzAfBgNVHSMEGDAWgBRDePNja5CK4zUfO5x1vzGvdmUFCzANBgkqhkiG9w0BAQsF +AAOCAQEAZu0a3B7Ef/z5Ct99xgzPy4z9RwglqPuxk446hBWR5TYT9fzm+voHCAwb +MJEaQK3hvAz47qAjyR9/b+nBw4LRTMxg0WqB+UEEVwBGJxtfcOHx4mJHc3lgVJnR +LiEWtIND7lu5Ql0eOjSehQzkJZhUb4SnXD7yk64zukQQv9zlZYZCHPDAQ9LzR2vI +ii4yhwdWl7iiZ0lOyR4xqPB3Cx/2kjtuRiSkbpHGwWBJLng2ZqgO4K+gL3naNgqN +TRtdOSK3j/E5WtAeFUUT68Gjsg7yXxqyjUFq+piunFfQHhPB+6sPPy56OtIogOk4 +dFCfFAygYNrFKz366KY+7CbpB+4WKA== +-----END CERTIFICATE----- diff --git a/hack/scripts-dev/docker-dns/certs-common-name-multi/gencert.json b/hack/scripts-dev/docker-dns/certs-common-name-multi/gencert.json new file mode 100644 index 000000000..09b67267b --- /dev/null +++ b/hack/scripts-dev/docker-dns/certs-common-name-multi/gencert.json @@ -0,0 +1,13 @@ +{ + "signing": { + "default": { + "usages": [ + "signing", + "key encipherment", + "server auth", + "client auth" + ], + "expiry": "87600h" + } + } +} 
diff --git a/hack/scripts-dev/docker-dns/certs-common-name-multi/gencerts.sh b/hack/scripts-dev/docker-dns/certs-common-name-multi/gencerts.sh
new file mode 100755
index 000000000..0ddc31e58
--- /dev/null
+++ b/hack/scripts-dev/docker-dns/certs-common-name-multi/gencerts.sh
@@ -0,0 +1,42 @@
+#!/bin/bash
+
+if ! [[ "$0" =~ "./gencerts.sh" ]]; then
+ echo "must be run from 'fixtures'"
+ exit 255
+fi
+
+if ! which cfssl; then
+ echo "cfssl is not installed"
+ exit 255
+fi
+
+cfssl gencert --initca=true ./ca-csr.json | cfssljson --bare ./ca
+mv ca.pem ca.crt
+openssl x509 -in ca.crt -noout -text
+
+# generate wildcard certificates DNS: m1/m2/m3.etcd.local
+cfssl gencert \
+ --ca ./ca.crt \
+ --ca-key ./ca-key.pem \
+ --config ./gencert.json \
+ ./server-ca-csr-1.json | cfssljson --bare ./server-1
+mv server-1.pem server-1.crt
+mv server-1-key.pem server-1.key.insecure
+
+cfssl gencert \
+ --ca ./ca.crt \
+ --ca-key ./ca-key.pem \
+ --config ./gencert.json \
+ ./server-ca-csr-2.json | cfssljson --bare ./server-2
+mv server-2.pem server-2.crt
+mv server-2-key.pem server-2.key.insecure
+
+cfssl gencert \
+ --ca ./ca.crt \
+ --ca-key ./ca-key.pem \
+ --config ./gencert.json \
+ ./server-ca-csr-3.json | cfssljson --bare ./server-3
+mv server-3.pem server-3.crt
+mv server-3-key.pem server-3.key.insecure
+
+rm -f *.csr *.pem *.stderr *.txt
diff --git a/hack/scripts-dev/docker-dns/certs-common-name-multi/run.sh b/hack/scripts-dev/docker-dns/certs-common-name-multi/run.sh
new file mode 100755
index 000000000..2ccb6b678
--- /dev/null
+++ b/hack/scripts-dev/docker-dns/certs-common-name-multi/run.sh
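Review bot: Nothing in gencerts.sh stops on failure, so if one `cfssl gencert | cfssljson` pipeline fails, the following `mv` lines and the final `rm -f *.csr *.pem *.stderr *.txt` still run and can leave a partly regenerated fixture set whose CA key (`ca-key.pem`) has already been deleted. Adding `set -euo pipefail` directly under the shebang makes the first failure fatal. The tool check covers only `cfssl`; `cfssljson` is used in every pipeline and could be checked the same way. Two texts are stale: the guard prints `must be run from 'fixtures'` although the script lives in certs-common-name-multi, and the comment says `generate wildcard certificates` while the CSR files list one host name per member.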
@@ -0,0 +1,33 @@
+#!/bin/sh
+rm -rf /tmp/m1.data /tmp/m2.data /tmp/m3.data
+
+/etc/init.d/bind9 start
+
+# get rid of hosts so go lookup won't resolve 127.0.0.1 to localhost
+cat /dev/null >/etc/hosts
+
+goreman -f /certs-common-name-multi/Procfile start &
+
+# TODO: remove random sleeps
+sleep 7s
+
+ETCDCTL_API=3 ./etcdctl \
+ --cacert=/certs-common-name-multi/ca.crt \
+ --cert=/certs-common-name-multi/server-1.crt \
+ --key=/certs-common-name-multi/server-1.key.insecure \
+ --endpoints=https://m1.etcd.local:2379 \
+ endpoint health --cluster
+
+ETCDCTL_API=3 ./etcdctl \
+ --cacert=/certs-common-name-multi/ca.crt \
+ --cert=/certs-common-name-multi/server-2.crt \
+ --key=/certs-common-name-multi/server-2.key.insecure \
+ --endpoints=https://m1.etcd.local:2379,https://m2.etcd.local:22379,https://m3.etcd.local:32379 \
+ put abc def
+
+ETCDCTL_API=3 ./etcdctl \
+ --cacert=/certs-common-name-multi/ca.crt \
+ --cert=/certs-common-name-multi/server-3.crt \
+ --key=/certs-common-name-multi/server-3.key.insecure \
+ --endpoints=https://m1.etcd.local:2379,https://m2.etcd.local:22379,https://m3.etcd.local:32379 \
+ get abc
diff --git a/hack/scripts-dev/docker-dns/certs-common-name-multi/server-1.crt b/hack/scripts-dev/docker-dns/certs-common-name-multi/server-1.crt
new file mode 100644
index 000000000..f10b27277
--- /dev/null
+++ b/hack/scripts-dev/docker-dns/certs-common-name-multi/server-1.crt
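Review bot: The script's exit status is only that of the final `get abc`, and as far as I know `etcdctl get` on a missing key prints nothing and still exits 0, so a failed `endpoint health` or `put abc def` would not fail this test. Each call presents a different member's certificate as the client certificate, so a rejected `server-2.crt` on the `put` is exactly the case that would go unnoticed. Adding `set -e` under the shebang stops at the first failing command. The read should also be compared with the value written, for example by appending `--print-value-only` to the last call and testing its output against `def`.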
@@ -0,0 +1,25 @@ +-----BEGIN CERTIFICATE----- +MIIEIDCCAwigAwIBAgIUaDLXBmJpHrElwENdnVk9hvAvlKcwDQYJKoZIhvcNAQEL +BQAwbzEMMAoGA1UEBhMDVVNBMRMwEQYDVQQIEwpDYWxpZm9ybmlhMRYwFAYDVQQH +Ew1TYW4gRnJhbmNpc2NvMQ0wCwYDVQQKEwRldGNkMRYwFAYDVQQLEw1ldGNkIFNl +Y3VyaXR5MQswCQYDVQQDEwJjYTAeFw0xODAxMjAwNjAwMDBaFw0yODAxMTgwNjAw +MDBaMHcxDDAKBgNVBAYTA1VTQTETMBEGA1UECBMKQ2FsaWZvcm5pYTEWMBQGA1UE +BxMNU2FuIEZyYW5jaXNjbzENMAsGA1UEChMEZXRjZDEWMBQGA1UECxMNZXRjZCBT +ZWN1cml0eTETMBEGA1UEAxMKZXRjZC5sb2NhbDCCASIwDQYJKoZIhvcNAQEBBQAD +ggEPADCCAQoCggEBAOb5CdovL9QCdgsxnCBikTbJko6r5mrF+eA47gDLcVbWrRW5 +d8eZYV1Fyn5qe80O6LB6LKPrRftxyAGABKqIBCHR57E97UsICC4lGycBWaav6cJ+ +7Spkpf8cSSDjjgb4KC6VVPf9MCsHxBYSTfme8JEFE+6KjlG8Mqt2yv/5aIyRYITN +WzXvV7wxS9aOgDdXLbojW9FJQCuzttOPfvINTyhtvUvCM8S61La5ymCdAdPpx1U9 +m5KC23k6ZbkAC8/jcOV+68adTUuMWLefPf9Ww3qMT8382k86gJgQjZuJDGUl3Xi5 +GXmO0GfrMh+v91yiaiqjsJCDp3uVcUSeH7qSkb0CAwEAAaOBqzCBqDAOBgNVHQ8B +Af8EBAMCBaAwHQYDVR0lBBYwFAYIKwYBBQUHAwEGCCsGAQUFBwMCMAwGA1UdEwEB +/wQCMAAwHQYDVR0OBBYEFEwLLCuIHilzynJ7DlTrikyhy2TAMB8GA1UdIwQYMBaA +FEN482NrkIrjNR87nHW/Ma92ZQULMCkGA1UdEQQiMCCCDW0xLmV0Y2QubG9jYWyC +CWxvY2FsaG9zdIcEfwAAATANBgkqhkiG9w0BAQsFAAOCAQEAkERnrIIvkZHWsyih +mFNf/JmFHC+0/UAG9Ti9msRlr9j1fh+vBIid3FAIShX0zFXf+AtN/+Bz5SVvQHUT +tm71AK/vER1Ue059SIty+Uz5mNAjwtXy0WaUgSuF4uju7MkYD5yUnSGv1iBfm88a +q+q1Vd5m6PkOCfuyNQQm5RKUiJiO4OS+2F9/JOpyr0qqdQthOWr266CqXuvVhd+Z +oZZn5TLq5GHCaTxfngSqS3TXl55QEGl65SUgYdGqpIfaQt3QKq2dqVg/syLPkTJt +GNJVLxJuUIu0PLrfuWynUm+1mOOfwXd8NZVZITUxC7Tl5ecFbTaOzU/4a7Cyssny +Wr3dUg== +-----END CERTIFICATE----- diff --git a/hack/scripts-dev/docker-dns/certs-common-name-multi/server-1.key.insecure b/hack/scripts-dev/docker-dns/certs-common-name-multi/server-1.key.insecure new file mode 100644 index 000000000..61f2da4df --- /dev/null +++ b/hack/scripts-dev/docker-dns/certs-common-name-multi/server-1.key.insecure 
@@ -0,0 +1,27 @@ +-----BEGIN RSA PRIVATE KEY----- +MIIEpAIBAAKCAQEA5vkJ2i8v1AJ2CzGcIGKRNsmSjqvmasX54DjuAMtxVtatFbl3 +x5lhXUXKfmp7zQ7osHoso+tF+3HIAYAEqogEIdHnsT3tSwgILiUbJwFZpq/pwn7t +KmSl/xxJIOOOBvgoLpVU9/0wKwfEFhJN+Z7wkQUT7oqOUbwyq3bK//lojJFghM1b +Ne9XvDFL1o6AN1ctuiNb0UlAK7O2049+8g1PKG29S8IzxLrUtrnKYJ0B0+nHVT2b +koLbeTpluQALz+Nw5X7rxp1NS4xYt589/1bDeoxPzfzaTzqAmBCNm4kMZSXdeLkZ +eY7QZ+syH6/3XKJqKqOwkIOne5VxRJ4fupKRvQIDAQABAoIBAQCYQsXm6kJqTbEJ +kgutIa0+48TUfqen7Zja4kyrg3HU4DI75wb6MreHqFFj4sh4FoL4i6HP8XIx3wEN +VBo/XOj0bo6BPiSm2MWjvdxXa0Fxa/f6uneYAb+YHEps/vWKzJ6YjuLzlBnj0/vE +3Q5AJzHJOAK6tuY5JYp1lBsggYcVWiQSW6wGQRReU/B/GdFgglL1chqL33Dt11Uv +Y6+oJz/PyqzPLPHcPbhqyQRMOZXnhx+8/+ooq5IojqOHfpa9JQURcHY7isBnpI/G +ZAa8tZctgTqtL4hB1rxDhdq1fS2YC12lxkBZse4jszcm0tYzy2gWmNTH480uo/0J +GOxX7eP1AoGBAO7O+aLhQWrspWQ//8YFbPWNhyscQub+t6WYjc0wn9j0dz8vkhMw +rh5O8uMcZBMDQdq185BcB3aHInw9COWZEcWNIen4ZyNJa5VCN4FY0a2GtFSSGG3f +ilKmQ7cjB950q2jl1AR3t2H7yah+i1ZChzPx+GEe+51LcJZX8mMjGvwjAoGBAPeZ +qJ2W4O2dOyupAfnKpZZclrEBqlyg7Xj85u20eBMUqtaIEcI/u2kaotQPeuaekUH0 +b1ybr3sJBTp3qzHUaNV3iMfgrnbWEOkIV2TCReWQb1Fk93o3gilMIkhGLIhxwWpM +UpQy3JTjGG/Y6gIOs7YnOBGVMA0o+RvouwooU6ifAoGAH6D6H0CGUYsWPLjdP3To +gX1FMciEc+O4nw4dede+1BVM1emPB0ujRBBgywOvnXUI+9atc6k8s84iGyJaU056 +tBeFLl/gCSRoQ1SJ1W/WFY2JxMm0wpig0WGEBnV1TVlWeoY2FoFkoG2gv9hCzCHz +lkWuB+76lFKxjrgHOmoj4NECgYB+COmbzkGQsoh8IPuwe0bu0xKh54cgv4oiHBow +xbyZedu8eGcRyf9L8RMRfw/AdNbcC+Dj8xvQNTdEG8Y5BzaV8tLda7FjLHRPKr/R +ulJ6GJuRgyO2Qqsu+mI5B/+DNOSPh2pBpeJCp5a42GHFylYQUsZnrNlY2ZJ0cnND +KGPtYQKBgQDL30+BB95FtRUvFoJIWwASCp7TIqW7N7RGWgqmsXU0EZ0Mya4dquqG +rJ1QuXQIJ+xV060ehwJR+iDUAY2xUg3/LCoDD0rwBzSdh+NEKjOmRNFRtn7WT03Q +264E80r6VTRSN4sWQwAAbd1VF1uGO5tkzZdJGWGhQhvTUZ498dE+9Q== +-----END RSA PRIVATE KEY----- diff --git a/hack/scripts-dev/docker-dns/certs-common-name-multi/server-2.crt b/hack/scripts-dev/docker-dns/certs-common-name-multi/server-2.crt new file mode 100644 index 000000000..e319fade4 --- /dev/null 
+++ b/hack/scripts-dev/docker-dns/certs-common-name-multi/server-2.crt @@ -0,0 +1,25 @@ +-----BEGIN CERTIFICATE----- +MIIEIDCCAwigAwIBAgIUHXDUS+Vry/Tquc6S6OoaeuGozrEwDQYJKoZIhvcNAQEL +BQAwbzEMMAoGA1UEBhMDVVNBMRMwEQYDVQQIEwpDYWxpZm9ybmlhMRYwFAYDVQQH +Ew1TYW4gRnJhbmNpc2NvMQ0wCwYDVQQKEwRldGNkMRYwFAYDVQQLEw1ldGNkIFNl +Y3VyaXR5MQswCQYDVQQDEwJjYTAeFw0xODAxMjAwNjAwMDBaFw0yODAxMTgwNjAw +MDBaMHcxDDAKBgNVBAYTA1VTQTETMBEGA1UECBMKQ2FsaWZvcm5pYTEWMBQGA1UE +BxMNU2FuIEZyYW5jaXNjbzENMAsGA1UEChMEZXRjZDEWMBQGA1UECxMNZXRjZCBT +ZWN1cml0eTETMBEGA1UEAxMKZXRjZC5sb2NhbDCCASIwDQYJKoZIhvcNAQEBBQAD +ggEPADCCAQoCggEBAOO+FsO+6pwpv+5K+VQTYQb0lT0BjnM7Y2qSZIiTGCDp/M0P +yHSed4oTzxBeA9hEytczH/oddAUuSZNgag5sGFVgjFNdiZli4wQqJaMQRodivuUl +ZscqnWwtP3GYVAfg+t/4YdGB+dQRDQvHBl9BRYmUh2ixOA98OXKfNMr+u+3sh5Gy +dwx5ZEBRvgBcRrgCaIMsvVeIzHQBMHrNySAD1bGgm3xGdLeVPhAp24yUKZ5IbN6/ ++5hyCRARtGwLH/1Q/h10Sr5jxQi00eEXH+CNOvcerH6b2II/BxHIcqKd0u36pUfG +0KsY+ia0fvYi510V6Q0FAn45luEjHEk5ITN/LnMCAwEAAaOBqzCBqDAOBgNVHQ8B +Af8EBAMCBaAwHQYDVR0lBBYwFAYIKwYBBQUHAwEGCCsGAQUFBwMCMAwGA1UdEwEB +/wQCMAAwHQYDVR0OBBYEFE69SZun6mXZe6cd3Cb2HWrK281MMB8GA1UdIwQYMBaA +FEN482NrkIrjNR87nHW/Ma92ZQULMCkGA1UdEQQiMCCCDW0yLmV0Y2QubG9jYWyC +CWxvY2FsaG9zdIcEfwAAATANBgkqhkiG9w0BAQsFAAOCAQEAI5nHHULV7eUJMsvv +zk1shv826kOwXbMX10iRaf49/r7TWBq0pbPapvf5VXRsZ5wlDrDzjaNstpsaow/j +fhZ1zpU0h1bdifxE+omFSWZjpVM8kQD/yzT34VdyA+P2HuxG8ZTa8r7wTGrooD60 +TjBBM5gFV4nGVe+KbApQ26KWr+P8biKaWe6MM/jAv6TNeXiWReHqyM5v404PZQXK +cIN+fBb8bQfuaKaN1dkOUI3uSHmVmeYc5OGNJ2QKL9Uzm1VGbbM+1BOLhmF53QSm +5m2B64lPKy+vpTcRLN7oW1FHZOKts+1OEaLMCyjWFKFbdcrmJI+AP2IB+V6ODECn +RwJDtA== +-----END CERTIFICATE----- diff --git a/hack/scripts-dev/docker-dns/certs-common-name-multi/server-2.key.insecure b/hack/scripts-dev/docker-dns/certs-common-name-multi/server-2.key.insecure new file mode 100644 index 000000000..57c3e78cb --- /dev/null +++ b/hack/scripts-dev/docker-dns/certs-common-name-multi/server-2.key.insecure 
@@ -0,0 +1,27 @@ +-----BEGIN RSA PRIVATE KEY----- +MIIEpQIBAAKCAQEA474Ww77qnCm/7kr5VBNhBvSVPQGOcztjapJkiJMYIOn8zQ/I +dJ53ihPPEF4D2ETK1zMf+h10BS5Jk2BqDmwYVWCMU12JmWLjBColoxBGh2K+5SVm +xyqdbC0/cZhUB+D63/hh0YH51BENC8cGX0FFiZSHaLE4D3w5cp80yv677eyHkbJ3 +DHlkQFG+AFxGuAJogyy9V4jMdAEwes3JIAPVsaCbfEZ0t5U+ECnbjJQpnkhs3r/7 +mHIJEBG0bAsf/VD+HXRKvmPFCLTR4Rcf4I069x6sfpvYgj8HEchyop3S7fqlR8bQ +qxj6JrR+9iLnXRXpDQUCfjmW4SMcSTkhM38ucwIDAQABAoIBAQCHYF6N2zYAwDyL +/Ns65A4gIVF5Iyy3SM0u83h5St7j6dNRXhltYSlz1ZSXiRtF+paM16IhflKSJdKs +nXpNumm4jpy7jXWWzRZfSmJ3DNyv673H3rS6nZVYUYlOEBubV1wpuK8E5/tG2R/l +KVibVORuBPF9BSNq6RAJF6Q9KrExmvH4MmG/3Y+iYbZgn0OK1WHxzbeMzdI8OO4z +eg4gTKuMoRFt5B4rZmC5QiXGHdnUXRWfy+yPLTH3hfTek4JT98akFNS01Q4UAi9p +5cC3TOqDNiZdAkN83UKhW9TNAc/vJlq6d5oXW5R+yPt+d8yMvEch4KfpYo33j0oz +qB40pdJRAoGBAP8ZXnWXxhzLhZ4o+aKefnsUUJjaiVhhSRH/kGAAg65lc4IEnt+N +nzyNIwz/2vPv2Gq2BpStrTsTNKVSZCKgZhoBTavP60FaszDSM0bKHTWHW7zaQwc0 +bQG6YvvCiP0iwEzXw7S4BhdAl+x/5C30dUZgKMSDFzuBI187h6dQQNZpAoGBAOSL +/MBuRYBgrHIL9V1v9JGDBeawGc3j2D5c56TeDtGGv8WGeCuE/y9tn+LcKQ+bCGyi +qkW+hobro/iaXODwUZqSKaAVbxC7uBLBTRB716weMzrnD8zSTOiMWg/gh+FOnr/4 +ZfcBco2Pmm5qQ3ZKwVk2jsfLhz6ZKwMrjSaO1Zp7AoGBAJZsajPjRHI0XN0vgkyv +Mxv2lbQcoYKZE1JmpcbGZt/OePdBLEHcq/ozq2h98qmHU9FQ9r5zT0QXhiK6W8vD +U5GgFSHsH+hQyHtQZ+YlRmYLJEBPX9j+xAyR0M5uHwNNm6F0VbXaEdViRHOz0mR6 +0zClgUSnnGp9MtN0MgCqJSGJAoGAJYba3Jn+rYKyLhPKmSoN5Wq3KFbYFdeIpUzJ ++GdB1aOjj4Jx7utqn1YHv89YqqhRLM1U2hjbrAG7LdHi2Eh9jbzcOt3qG7xHEEVP +Kxq6ohdfYBean44UdMa+7wZ2KUeoh2r5CyLgtV/UArdOFnlV4Bk2PpYrwdqSlnWr +Op6PcksCgYEA6HmIHLRTGyOUzS82BEcs5an2mzhQ8XCNdYS6sDaYSiDu2qlPukyZ +jons6P4qpOxlP9Cr6DW7px2fUZrEuPUV8fRJOc+a5AtZ5TmV6N1uH/G1rKmmAMCc +jGAmTJW87QguauTpuUto5u6IhyO2CRsYEy8K1A/1HUQKl721faZBIMA= +-----END RSA PRIVATE KEY----- diff --git a/hack/scripts-dev/docker-dns/certs-common-name-multi/server-3.crt b/hack/scripts-dev/docker-dns/certs-common-name-multi/server-3.crt new file mode 100644 index 000000000..294de5332 --- /dev/null 
+++ b/hack/scripts-dev/docker-dns/certs-common-name-multi/server-3.crt @@ -0,0 +1,25 @@ +-----BEGIN CERTIFICATE----- +MIIEIDCCAwigAwIBAgIURfpNMXGb1/oZVwEWyc0Ofn7IItQwDQYJKoZIhvcNAQEL +BQAwbzEMMAoGA1UEBhMDVVNBMRMwEQYDVQQIEwpDYWxpZm9ybmlhMRYwFAYDVQQH +Ew1TYW4gRnJhbmNpc2NvMQ0wCwYDVQQKEwRldGNkMRYwFAYDVQQLEw1ldGNkIFNl +Y3VyaXR5MQswCQYDVQQDEwJjYTAeFw0xODAxMjAwNjAwMDBaFw0yODAxMTgwNjAw +MDBaMHcxDDAKBgNVBAYTA1VTQTETMBEGA1UECBMKQ2FsaWZvcm5pYTEWMBQGA1UE +BxMNU2FuIEZyYW5jaXNjbzENMAsGA1UEChMEZXRjZDEWMBQGA1UECxMNZXRjZCBT +ZWN1cml0eTETMBEGA1UEAxMKZXRjZC5sb2NhbDCCASIwDQYJKoZIhvcNAQEBBQAD +ggEPADCCAQoCggEBALgCDkDM4qayF6CFt1ZScKR8B+/7qrn1iQ/qYnzRHQ1hlkuS +b3TkQtt7amGAuoD42d8jLYYvHn2Pbmdhn0mtgYZpFfLFCg4O67ZbX54lBHi+yDEh +QhneM9Ovsc42A0EVvabINYtKR6B2YRN00QRXS5R1t+QmclpshFgY0+ITsxlJeygs +wojXthPEfjTQK04JUi5LTHP15rLVzDEd7MguCWdEWRnOu/mSfPHlyz2noUcKuy0M +awsnSMwf+KBwQMLbJhTXtA4MG2FYsm/2en3/oAc8/0Z8sMOX05F+b0MgHl+a31aQ +UHM5ykfDNm3hGQfzjQCx4y4hjDoFxbuXvsey6GMCAwEAAaOBqzCBqDAOBgNVHQ8B +Af8EBAMCBaAwHQYDVR0lBBYwFAYIKwYBBQUHAwEGCCsGAQUFBwMCMAwGA1UdEwEB +/wQCMAAwHQYDVR0OBBYEFDMydqyg/s43/dJTMt25zJubI/CUMB8GA1UdIwQYMBaA +FEN482NrkIrjNR87nHW/Ma92ZQULMCkGA1UdEQQiMCCCDW0zLmV0Y2QubG9jYWyC +CWxvY2FsaG9zdIcEfwAAATANBgkqhkiG9w0BAQsFAAOCAQEAVs3VQjgx9CycaWKS +P6EvMtlqOkanJEe3zr69sI66cc2ZhfJ5xK38ox4oYpMOA131WRvwq0hjKhhZoVQ8 +aQ4yALi1XBltuIyEyrTX9GWAMeDzY95MdWKhyI8ps6/OOoXN596g9ZdOdIbZAMT4 +XAXm43WccM2W2jiKCEKcE4afIF8RiMIaFwG8YU8oHtnnNvxTVa0wrpcObtEtIzC5 +RJxzX9bkHCTHTgJog4OPChU4zffn18U/AVJ7MZ8gweVwhc4gGe0kwOJE+mLHcC5G +uoFSuVmAhYrH/OPpZhSDOaCED4dsF5jN25CbR3NufEBFRXBH20ZHNkNvbbBnYCBU +4+Rx5w== +-----END CERTIFICATE----- diff --git a/hack/scripts-dev/docker-dns/certs-common-name-multi/server-3.key.insecure b/hack/scripts-dev/docker-dns/certs-common-name-multi/server-3.key.insecure new file mode 100644 index 000000000..f931adb38 --- /dev/null +++ b/hack/scripts-dev/docker-dns/certs-common-name-multi/server-3.key.insecure 
@@ -0,0 +1,27 @@ +-----BEGIN RSA PRIVATE KEY----- +MIIEpQIBAAKCAQEAuAIOQMziprIXoIW3VlJwpHwH7/uqufWJD+pifNEdDWGWS5Jv +dORC23tqYYC6gPjZ3yMthi8efY9uZ2GfSa2BhmkV8sUKDg7rtltfniUEeL7IMSFC +Gd4z06+xzjYDQRW9psg1i0pHoHZhE3TRBFdLlHW35CZyWmyEWBjT4hOzGUl7KCzC +iNe2E8R+NNArTglSLktMc/XmstXMMR3syC4JZ0RZGc67+ZJ88eXLPaehRwq7LQxr +CydIzB/4oHBAwtsmFNe0DgwbYViyb/Z6ff+gBzz/Rnyww5fTkX5vQyAeX5rfVpBQ +cznKR8M2beEZB/ONALHjLiGMOgXFu5e+x7LoYwIDAQABAoIBAQCY54RmjprNAHKn +vlXCEpFt7W8/GXcePg2ePxuGMtKcevpEZDPgA4oXDnAxA6J3Z9LMHFRJC8Cff9+z +YqjVtatLQOmvKdMYKYfvqfBD3ujfWVHLmaJvEnkor/flrnZ30BQfkoED9T6d9aDn +ZQwHOm8gt82OdfBSeZhkCIWReOM73622qJhmLWUUY3xEucRAFF6XffOLvJAT87Vu +pXKtCnQxhzxkUsCYNIOeH/pTX+XoLkysFBKxnrlbTeM0cEgWpYMICt/vsUrp6DHs +jygxR1EnT2/4ufe81aFSO4SzUZKJrz8zj4yIyDOR0Mp6FW+xMp8S0fDOywHhLlXn +xQOevmGBAoGBAOMQaWWs2FcxWvLfX95RyWPtkQ+XvmWlL5FR427TlLhtU6EPs0xZ +eeanMtQqSRHlDkatwc0XQk+s30/UJ+5i1iz3shLwtnZort/pbnyWrxkE9pcR0fgr +IklujJ8e8kQHpY75gOLmEiADrUITqvfbvSMsaG3h1VydPNU3JYTUuYmjAoGBAM91 +Atnri0PH3UKonAcMPSdwQ5NexqAD1JUk6KUoX2poXBXO3zXBFLgbMeJaWthbe+dG +Raw/zjBET/oRfDOssh+QTD8TutI9LA2+EN7TG7Kr6NFciz4Q2pioaimv9KUhJx+8 +HH2wCANYgkv69IWUFskF0uDCW9FQVvpepcctCJJBAoGAMlWxB5kJXErUnoJl/iKj +QkOnpI0+58l2ggBlKmw8y6VwpIOWe5ZaL4dg/Sdii1T7lS9vhsdhK8hmuIuPToka +cV13XDuANz99hKV6mKPOrP0srNCGez0UnLKk+aEik3IegVNN/v6BhhdKkRtLCybr +BqERhUpKwf0ZPyq6ZnfBqYECgYEAsiD2YcctvPVPtnyv/B02JTbvzwoB4kNntOgM +GkOgKe2Ro+gNIEq5T5uKKaELf9qNePeNu2jN0gPV6BI7YuNVzmRIE6ENOJfty573 +PVxm2/Nf5ORhatlt2MZC4aiDl4Xv4f/TNth/COBmgHbqngeZyOGHQBWiYQdqp2+9 +SFgSlAECgYEA1zLhxj6f+psM5Gpx56JJIEraHfyuyR1Oxii5mo7I3PLsbF/s6YDR +q9E64GoR5PdgCQlMm09f6wfT61NVwsYrbLlLET6tAiG0eNxXe71k1hUb6aa4DpNQ +IcS3E3hb5KREXUH5d+PKeD2qrf52mtakjn9b2aH2rQw2e2YNkIDV+XA= +-----END RSA PRIVATE KEY----- diff --git a/hack/scripts-dev/docker-dns/certs-common-name-multi/server-ca-csr-1.json b/hack/scripts-dev/docker-dns/certs-common-name-multi/server-ca-csr-1.json new file mode 100644 index 000000000..ae9fe36e9 --- /dev/null 
+++ b/hack/scripts-dev/docker-dns/certs-common-name-multi/server-ca-csr-1.json @@ -0,0 +1,21 @@ +{ + "key": { + "algo": "rsa", + "size": 2048 + }, + "names": [ + { + "O": "etcd", + "OU": "etcd Security", + "L": "San Francisco", + "ST": "California", + "C": "USA" + } + ], + "CN": "etcd.local", + "hosts": [ + "m1.etcd.local", + "127.0.0.1", + "localhost" + ] +} diff --git a/hack/scripts-dev/docker-dns/certs-common-name-multi/server-ca-csr-2.json b/hack/scripts-dev/docker-dns/certs-common-name-multi/server-ca-csr-2.json new file mode 100644 index 000000000..5d938fb8a --- /dev/null +++ b/hack/scripts-dev/docker-dns/certs-common-name-multi/server-ca-csr-2.json @@ -0,0 +1,21 @@ +{ + "key": { + "algo": "rsa", + "size": 2048 + }, + "names": [ + { + "O": "etcd", + "OU": "etcd Security", + "L": "San Francisco", + "ST": "California", + "C": "USA" + } + ], + "CN": "etcd.local", + "hosts": [ + "m2.etcd.local", + "127.0.0.1", + "localhost" + ] + } diff --git a/hack/scripts-dev/docker-dns/certs-common-name-multi/server-ca-csr-3.json b/hack/scripts-dev/docker-dns/certs-common-name-multi/server-ca-csr-3.json new file mode 100644 index 000000000..7b8ffcfae --- /dev/null +++ b/hack/scripts-dev/docker-dns/certs-common-name-multi/server-ca-csr-3.json @@ -0,0 +1,21 @@ +{ + "key": { + "algo": "rsa", + "size": 2048 + }, + "names": [ + { + "O": "etcd", + "OU": "etcd Security", + "L": "San Francisco", + "ST": "California", + "C": "USA" + } + ], + "CN": "etcd.local", + "hosts": [ + "m3.etcd.local", + "127.0.0.1", + "localhost" + ] + } diff --git a/hack/scripts-dev/docker-dns/certs-common-name/Procfile b/hack/scripts-dev/docker-dns/certs-common-name/Procfile deleted file mode 100644 index a0ea061ac..000000000 --- a/hack/scripts-dev/docker-dns/certs-common-name/Procfile +++ /dev/null 
@@ -1,6 +0,0 @@
-# Use goreman to run `go get github.com/mattn/goreman`
-etcd1: ./etcd --name m1 --data-dir /tmp/m1.data --listen-client-urls https://127.0.0.1:2379 --advertise-client-urls https://m1.etcd.local:2379 --listen-peer-urls https://127.0.0.1:2380 --initial-advertise-peer-urls=https://m1.etcd.local:2380 --initial-cluster-token tkn --initial-cluster=m1=https://m1.etcd.local:2380,m2=https://m2.etcd.local:22380,m3=https://m3.etcd.local:32380 --initial-cluster-state new --peer-cert-file=/certs-common-name/server.crt --peer-key-file=/certs-common-name/server.key.insecure --peer-trusted-ca-file=/certs-common-name/ca.crt --peer-client-cert-auth --peer-cert-allowed-cn test-common-name --cert-file=/certs-common-name/server.crt --key-file=/certs-common-name/server.key.insecure --trusted-ca-file=/certs-common-name/ca.crt --client-cert-auth
-
-etcd2: ./etcd --name m2 --data-dir /tmp/m2.data --listen-client-urls https://127.0.0.1:22379 --advertise-client-urls https://m2.etcd.local:22379 --listen-peer-urls https://127.0.0.1:22380 --initial-advertise-peer-urls=https://m2.etcd.local:22380 --initial-cluster-token tkn --initial-cluster=m1=https://m1.etcd.local:2380,m2=https://m2.etcd.local:22380,m3=https://m3.etcd.local:32380 --initial-cluster-state new --peer-cert-file=/certs-common-name/server.crt --peer-key-file=/certs-common-name/server.key.insecure --peer-trusted-ca-file=/certs-common-name/ca.crt --peer-client-cert-auth --peer-cert-allowed-cn test-common-name --cert-file=/certs-common-name/server.crt --key-file=/certs-common-name/server.key.insecure --trusted-ca-file=/certs-common-name/ca.crt --client-cert-auth
-
-etcd3: ./etcd --name m3 --data-dir /tmp/m3.data --listen-client-urls https://127.0.0.1:32379 --advertise-client-urls https://m3.etcd.local:32379 --listen-peer-urls https://127.0.0.1:32380 --initial-advertise-peer-urls=https://m3.etcd.local:32380 --initial-cluster-token tkn --initial-cluster=m1=https://m1.etcd.local:2380,m2=https://m2.etcd.local:22380,m3=https://m3.etcd.local:32380 --initial-cluster-state new --peer-cert-file=/certs-common-name/server.crt --peer-key-file=/certs-common-name/server.key.insecure --peer-trusted-ca-file=/certs-common-name/ca.crt --peer-client-cert-auth --peer-cert-allowed-cn test-common-name --cert-file=/certs-common-name/server.crt --key-file=/certs-common-name/server.key.insecure --trusted-ca-file=/certs-common-name/ca.crt --client-cert-auth
\ No newline at end of file
diff --git a/hack/scripts-dev/docker-dns/certs/run.sh b/hack/scripts-dev/docker-dns/certs/run.sh
index 7f6c31d4f..9311c618b 100755
--- a/hack/scripts-dev/docker-dns/certs/run.sh
+++ b/hack/scripts-dev/docker-dns/certs/run.sh
@@ -31,3 +31,52 @@ ETCDCTL_API=3 ./etcdctl \
 --key=/certs/server.key.insecure \
 --endpoints=https://m1.etcd.local:2379,https://m2.etcd.local:22379,https://m3.etcd.local:32379 \
 get abc
+
+printf "\nWriting v2 key...\n"
+curl -L https://127.0.0.1:2379/v2/keys/queue \
+ --cacert /certs/ca.crt \
+ --cert /certs/server.crt \
+ --key /certs/server.key.insecure \
+ -X POST \
+ -d value=data
+
+printf "\nWriting v2 key...\n"
+curl -L https://m1.etcd.local:2379/v2/keys/queue \
+ --cacert /certs/ca.crt \
+ --cert /certs/server.crt \
+ --key /certs/server.key.insecure \
+ -X POST \
+ -d value=data
+
+printf "\nWriting v3 key...\n"
+curl -L https://127.0.0.1:2379/v3/kv/put \
+ --cacert /certs/ca.crt \
+ --cert /certs/server.crt \
+ --key /certs/server.key.insecure \
+ -X POST \
+ -d '{"key": "Zm9v", "value": "YmFy"}'
+
+printf "\n\nWriting v3 key...\n"
+curl -L https://m1.etcd.local:2379/v3/kv/put \
+ --cacert /certs/ca.crt \
+ --cert /certs/server.crt \
+ --key /certs/server.key.insecure \
+ -X POST \
+ -d '{"key": "Zm9v", "value": "YmFy"}'
+
+printf "\n\nReading v3 key...\n"
+curl -L https://m1.etcd.local:2379/v3/kv/range \
+ --cacert /certs/ca.crt \
+ --cert /certs/server.crt \
+ --key /certs/server.key.insecure \
+ -X POST \
+ -d '{"key": "Zm9v"}'
+
+printf "\n\nFetching 'curl https://m1.etcd.local:2379/metrics'...\n"
+curl \
+ --cacert /certs/ca.crt \
+ --cert /certs/server.crt \
+ --key /certs/server.key.insecure \
+ -L https://m1.etcd.local:2379/metrics | grep Put | tail -3
+
+printf "\n\nDone!!!\n\n"
diff --git a/hack/scripts-dev/docker-dns/insecure/Procfile b/hack/scripts-dev/docker-dns/insecure/Procfile
new file mode 100644
index 000000000..ad87e4191
--- /dev/null
+++ b/hack/scripts-dev/docker-dns/insecure/Procfile
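Review bot: None of the added `curl` calls passes `--fail`, so an HTTP error status from etcd still exits 0 and the script goes on to print `Done!!!`; only a TLS or connection failure would surface as a non-zero exit. For a script that is meant to show the client-certificate setup working, I would add `--fail` to each call, e.g. `curl --fail -L https://127.0.0.1:2379/v2/keys/queue \`. In the metrics check, `curl … | grep Put | tail -3` reports only the exit status of `tail`, so an empty or failed fetch is also silent. The start of the script is outside the hunk, so whether `set -e` is in effect is not visible here.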
@@ -0,0 +1,6 @@
+# Use goreman to run `go get github.com/mattn/goreman`
+etcd1: ./etcd --name m1 --data-dir /tmp/m1.data --listen-client-urls http://127.0.0.1:2379 --advertise-client-urls http://m1.etcd.local:2379 --listen-peer-urls http://127.0.0.1:2380 --initial-advertise-peer-urls=http://m1.etcd.local:2380 --initial-cluster-token tkn --initial-cluster=m1=http://m1.etcd.local:2380,m2=http://m2.etcd.local:22380,m3=http://m3.etcd.local:32380 --host-whitelist "localhost,127.0.0.1,m1.etcd.local"
+
+etcd2: ./etcd --name m2 --data-dir /tmp/m2.data --listen-client-urls http://127.0.0.1:22379 --advertise-client-urls http://m2.etcd.local:22379 --listen-peer-urls http://127.0.0.1:22380 --initial-advertise-peer-urls=http://m2.etcd.local:22380 --initial-cluster-token tkn --initial-cluster=m1=http://m1.etcd.local:2380,m2=http://m2.etcd.local:22380,m3=http://m3.etcd.local:32380 --host-whitelist "localhost,127.0.0.1,m1.etcd.local"
+
+etcd3: ./etcd --name m3 --data-dir /tmp/m3.data --listen-client-urls http://127.0.0.1:32379 --advertise-client-urls http://m3.etcd.local:32379 --listen-peer-urls http://127.0.0.1:32380 --initial-advertise-peer-urls=http://m3.etcd.local:32380 --initial-cluster-token tkn --initial-cluster=m1=http://m1.etcd.local:2380,m2=http://m2.etcd.local:22380,m3=http://m3.etcd.local:32380 --host-whitelist "localhost,127.0.0.1,m1.etcd.local"
\ No newline at end of file
diff --git a/hack/scripts-dev/docker-dns/insecure/run.sh b/hack/scripts-dev/docker-dns/insecure/run.sh
new file mode 100755
index 000000000..de7ff68a8
--- /dev/null
+++ b/hack/scripts-dev/docker-dns/insecure/run.sh
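Review bot: etcd2 and etcd3 are started with the same `--host-whitelist "localhost,127.0.0.1,m1.etcd.local"` as etcd1, so the names they advertise themselves under (`m2.etcd.local`, `m3.etcd.local`) are not on their own lists. This looks like a copy of the etcd1 line; if the whitelist is meant to be exercised per member, each entry should name its own host, e.g. `--host-whitelist "localhost,127.0.0.1,m2.etcd.local"` for etcd2. If limiting the list to m1 is deliberate, a comment above etcd2 saying so would prevent a later "fix". A short comment at the top noting that this cluster serves plaintext HTTP by design would also help.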
@@ -0,0 +1,89 @@
+#!/bin/sh
+rm -rf /tmp/m1.data /tmp/m2.data /tmp/m3.data
+
+/etc/init.d/bind9 start
+
+# get rid of hosts so go lookup won't resolve 127.0.0.1 to localhost
+cat /dev/null >/etc/hosts
+
+goreman -f /insecure/Procfile start &
+
+# TODO: remove random sleeps
+sleep 7s
+
+ETCDCTL_API=3 ./etcdctl \
+ --endpoints=http://m1.etcd.local:2379 \
+ endpoint health --cluster
+
+ETCDCTL_API=3 ./etcdctl \
+ --endpoints=http://m1.etcd.local:2379,http://m2.etcd.local:22379,http://m3.etcd.local:32379 \
+ put abc def
+
+ETCDCTL_API=3 ./etcdctl \
+ --endpoints=http://m1.etcd.local:2379,http://m2.etcd.local:22379,http://m3.etcd.local:32379 \
+ get abc
+
+printf "\nWriting v2 key...\n"
+curl \
+ -L http://127.0.0.1:2379/v2/keys/queue \
+ -X POST \
+ -d value=data
+
+printf "\nWriting v2 key...\n"
+curl \
+ -L http://m1.etcd.local:2379/v2/keys/queue \
+ -X POST \
+ -d value=data
+
+printf "\nWriting v3 key...\n"
+curl \
+ -L http://127.0.0.1:2379/v3/kv/put \
+ -X POST \
+ -d '{"key": "Zm9v", "value": "YmFy"}'
+
+printf "\n\nWriting v3 key...\n"
+curl \
+ -L http://m1.etcd.local:2379/v3/kv/put \
+ -X POST \
+ -d '{"key": "Zm9v", "value": "YmFy"}'
+
+printf "\n\nReading v3 key...\n"
+curl \
+ -L http://m1.etcd.local:2379/v3/kv/range \
+ -X POST \
+ -d '{"key": "Zm9v"}'
+
+printf "\n\nFetching 'curl http://m1.etcd.local:2379/metrics'...\n"
+curl \
+ -L http://m1.etcd.local:2379/metrics | grep Put | tail -3
+
+name1=$(base64 <<< "/election-prefix")
+val1=$(base64 <<< "v1")
+data1="{\"name\":\"${name1}\", \"value\":\"${val1}\"}"
+
+printf "\n\nCampaign: ${data1}\n"
+result1=$(curl -L http://m1.etcd.local:2379/v3/election/campaign -X POST -d "${data1}")
+echo ${result1}
+
+# should not panic servers
+val2=$(base64 <<< "v2")
+data2="{\"value\": \"${val2}\"}"
+printf "\n\nProclaim (wrong-format): ${data2}\n"
+curl \
+ -L http://m1.etcd.local:2379/v3/election/proclaim \
+ -X POST \
+ -d "${data2}"
+
+printf "\n\nProclaim (wrong-format)...\n"
+curl \
+ -L http://m1.etcd.local:2379/v3/election/proclaim \
+ -X POST \
+ -d '}'
+
+printf "\n\nProclaim (wrong-format)...\n"
+curl \
+ -L http://m1.etcd.local:2379/v3/election/proclaim \
+ -X POST \
+ -d '{"value": "Zm9v"}'
+
+printf "\n\nDone!!!\n\n"
diff --git a/hack/scripts-dev/docker-static-ip/Dockerfile b/hack/scripts-dev/docker-static-ip/Dockerfile
new file mode 100644
index 000000000..bfa46b4f3
--- /dev/null
+++ b/hack/scripts-dev/docker-static-ip/Dockerfile
@@ -0,0 +1,37 @@
+FROM ubuntu:17.10
+
+RUN rm /bin/sh && ln -s /bin/bash /bin/sh
+RUN echo 'debconf debconf/frontend select Noninteractive' | debconf-set-selections
+
+RUN apt-get -y update \
+ && apt-get -y install \
+ build-essential \
+ gcc \
+ apt-utils \
+ pkg-config \
+ software-properties-common \
+ apt-transport-https \
+ libssl-dev \
+ sudo \
+ bash \
+ curl \
+ tar \
+ git \
+ netcat \
+ bind9 \
+ dnsutils \
+ && apt-get -y update \
+ && apt-get -y upgrade \
+ && apt-get -y autoremove \
+ && apt-get -y autoclean
+
+ENV GOROOT /usr/local/go
+ENV GOPATH /go
+ENV PATH ${GOPATH}/bin:${GOROOT}/bin:${PATH}
+ENV GO_VERSION REPLACE_ME_GO_VERSION
+ENV GO_DOWNLOAD_URL https://storage.googleapis.com/golang
+RUN rm -rf ${GOROOT} \
+ && curl -s ${GO_DOWNLOAD_URL}/go${GO_VERSION}.linux-amd64.tar.gz | tar -v -C /usr/local/ -xz \
+ && mkdir -p ${GOPATH}/src ${GOPATH}/bin \
+ && go version \
+ && go get -v -u github.com/mattn/goreman
diff --git a/hack/scripts-dev/docker-static-ip/certs-metrics-proxy/Procfile b/hack/scripts-dev/docker-static-ip/certs-metrics-proxy/Procfile
new file mode 100644
index 000000000..44d2278c4
--- /dev/null
+++ b/hack/scripts-dev/docker-static-ip/certs-metrics-proxy/Procfile
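Review bot: `name1=$(base64 <<< "/election-prefix")` in insecure/run.sh uses a bash here-string under a `#!/bin/sh` shebang, and a here-string appends a newline, so the encoded election name and the `val1`/`val2` values all carry a trailing `\n`. The script therefore only runs where `/bin/sh` is bash; the docker-static-ip Dockerfile in this commit relinks it, but whether the image used for this script does is not visible here. I would change the shebang to `#!/bin/bash` and encode with `name1=$(printf '%s' "/election-prefix" | base64)`, likewise for `val1` and `val2`. Separately, `printf "\n\nCampaign: ${data1}\n"` puts data in the format string; `printf '\n\nCampaign: %s\n' "${data1}"` avoids that.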
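Review bot: The Go toolchain in docker-static-ip/Dockerfile is streamed from `${GO_DOWNLOAD_URL}` straight into `tar` with no integrity check, so whatever the bucket returns is unpacked into `/usr/local` and later builds the test binaries. I would download to a file, verify it against the SHA-256 published for that Go release, and only then extract; the checksum has to be substituted alongside `REPLACE_ME_GO_VERSION`, so the Makefile step that fills in the version would need a matching change. `go get -v -u github.com/mattn/goreman` likewise installs whatever the default branch holds at build time, and `FROM ubuntu:17.10` is a tag rather than a digest; pinning both would make the image reproducible.

```dockerfile
ENV GO_DOWNLOAD_URL https://storage.googleapis.com/golang
# placeholder: must be substituted together with REPLACE_ME_GO_VERSION
ENV GO_SHA256 REPLACE_ME_GO_SHA256
RUN rm -rf ${GOROOT} \
  && curl -fsSL -o /tmp/go.tgz ${GO_DOWNLOAD_URL}/go${GO_VERSION}.linux-amd64.tar.gz \
  && echo "${GO_SHA256}  /tmp/go.tgz" | sha256sum -c - \
  && tar -C /usr/local/ -xzf /tmp/go.tgz \
  && rm /tmp/go.tgz \
# … unchanged: mkdir -p ${GOPATH}/src ${GOPATH}/bin, go version, go get …
```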
@@ -0,0 +1,8 @@
+# Use goreman to run `go get github.com/mattn/goreman`
+etcd1: ./etcd --name m1 --data-dir /tmp/m1.data --listen-client-urls https://127.0.0.1:2379 --advertise-client-urls https://localhost:2379 --listen-peer-urls https://127.0.0.1:2380 --initial-advertise-peer-urls=https://localhost:2380 --initial-cluster-token tkn --initial-cluster=m1=https://localhost:2380,m2=https://localhost:22380,m3=https://localhost:32380 --initial-cluster-state new --peer-cert-file=/certs-metrics-proxy/server.crt --peer-key-file=/certs-metrics-proxy/server.key.insecure --peer-trusted-ca-file=/certs-metrics-proxy/ca.crt --peer-client-cert-auth --cert-file=/certs-metrics-proxy/server.crt --key-file=/certs-metrics-proxy/server.key.insecure --trusted-ca-file=/certs-metrics-proxy/ca.crt --client-cert-auth --listen-metrics-urls=https://localhost:2378,http://localhost:9379
+
+etcd2: ./etcd --name m2 --data-dir /tmp/m2.data --listen-client-urls https://127.0.0.1:22379 --advertise-client-urls https://localhost:22379 --listen-peer-urls https://127.0.0.1:22380 --initial-advertise-peer-urls=https://localhost:22380 --initial-cluster-token tkn --initial-cluster=m1=https://localhost:2380,m2=https://localhost:22380,m3=https://localhost:32380 --initial-cluster-state new --peer-cert-file=/certs-metrics-proxy/server.crt --peer-key-file=/certs-metrics-proxy/server.key.insecure --peer-trusted-ca-file=/certs-metrics-proxy/ca.crt --peer-client-cert-auth --cert-file=/certs-metrics-proxy/server.crt --key-file=/certs-metrics-proxy/server.key.insecure --trusted-ca-file=/certs-metrics-proxy/ca.crt --client-cert-auth --listen-metrics-urls=https://localhost:22378,http://localhost:29379
+
+etcd3: ./etcd --name m3 --data-dir /tmp/m3.data --listen-client-urls https://127.0.0.1:32379 --advertise-client-urls https://localhost:32379 --listen-peer-urls https://127.0.0.1:32380 --initial-advertise-peer-urls=https://localhost:32380 --initial-cluster-token tkn --initial-cluster=m1=https://localhost:2380,m2=https://localhost:22380,m3=https://localhost:32380 --initial-cluster-state new --peer-cert-file=/certs-metrics-proxy/server.crt --peer-key-file=/certs-metrics-proxy/server.key.insecure --peer-trusted-ca-file=/certs-metrics-proxy/ca.crt --peer-client-cert-auth --cert-file=/certs-metrics-proxy/server.crt --key-file=/certs-metrics-proxy/server.key.insecure --trusted-ca-file=/certs-metrics-proxy/ca.crt --client-cert-auth --listen-metrics-urls=https://localhost:32378,http://localhost:39379
+
+proxy: ./etcd grpc-proxy start --advertise-client-url=localhost:23790 --listen-addr=localhost:23790 --endpoints=https://localhost:2379,https://localhost:22379,https://localhost:32379 --data-dir=/tmp/proxy.data --cacert=/certs-metrics-proxy/ca.crt --cert=/certs-metrics-proxy/server.crt --key=/certs-metrics-proxy/server.key.insecure --trusted-ca-file=/certs-metrics-proxy/ca.crt --cert-file=/certs-metrics-proxy/server.crt --key-file=/certs-metrics-proxy/server.key.insecure --metrics-addr=http://localhost:9378
diff --git a/hack/scripts-dev/docker-static-ip/certs-metrics-proxy/ca-csr.json b/hack/scripts-dev/docker-static-ip/certs-metrics-proxy/ca-csr.json
new file mode 100644
index 000000000..ecafabaad
--- /dev/null
+++ b/hack/scripts-dev/docker-static-ip/certs-metrics-proxy/ca-csr.json
@@ -0,0 +1,19 @@
+{
+ "key": {
+ "algo": "rsa",
+ "size": 2048
+ },
+ "names": [
+ {
+ "O": "etcd",
+ "OU": "etcd Security",
+ "L": "San Francisco",
+ "ST": "California",
+ "C": "USA"
+ }
+ ],
+ "CN": "ca",
+ "ca": {
+ "expiry": "87600h"
+ }
+}
diff --git a/hack/scripts-dev/docker-static-ip/certs-metrics-proxy/ca.crt b/hack/scripts-dev/docker-static-ip/certs-metrics-proxy/ca.crt
new file mode 100644
index 000000000..0d8dc386b
--- /dev/null
+++ b/hack/scripts-dev/docker-static-ip/certs-metrics-proxy/ca.crt
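Review bot: Nothing in certs-metrics-proxy/Procfile says that the plaintext metrics listeners are intentional: each member adds one through `--listen-metrics-urls=https://localhost:2378,http://localhost:9379`, and the proxy does the same with `--metrics-addr=http://localhost:9378`. Those endpoints are served without TLS, so the client certificate that `--client-cert-auth` demands on the client port plays no part there. That appears to be what the fixture is meant to demonstrate, so I would add a comment above etcd1 such as `# metrics are also served over plain HTTP on purpose; keep these listeners bound to localhost`.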
@@ -0,0 +1,22 @@ +-----BEGIN CERTIFICATE----- +MIIDsTCCApmgAwIBAgIUYWIIesEznr7VfYawvmttxxmOfeUwDQYJKoZIhvcNAQEL +BQAwbzEMMAoGA1UEBhMDVVNBMRMwEQYDVQQIEwpDYWxpZm9ybmlhMRYwFAYDVQQH +Ew1TYW4gRnJhbmNpc2NvMQ0wCwYDVQQKEwRldGNkMRYwFAYDVQQLEw1ldGNkIFNl +Y3VyaXR5MQswCQYDVQQDEwJjYTAeFw0xNzEyMDYyMTUzMDBaFw0yNzEyMDQyMTUz +MDBaMG8xDDAKBgNVBAYTA1VTQTETMBEGA1UECBMKQ2FsaWZvcm5pYTEWMBQGA1UE +BxMNU2FuIEZyYW5jaXNjbzENMAsGA1UEChMEZXRjZDEWMBQGA1UECxMNZXRjZCBT +ZWN1cml0eTELMAkGA1UEAxMCY2EwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEK +AoIBAQDDN/cW7rl/qz59gF3csnDhp5BAxVY7n0+inzZO+MZIdkCFuus6Klc6mWMY +/ZGvpWxVDgQvYBs310eq4BrM2BjwWNfgqIn6bHVwwGfngojcDEHlZHw1e9sdBlO5 +e/rNONpNtMUjUeukhzFwPOdsUfweAGsqj4VYJV+kkS3uGmCGIj+3wIF411FliiQP +WiyLG16BwR1Vem2qOotCRgCawKSb4/wKfF8dvv00IjP5Jcy+aXLQ4ULW1fvj3cRR +JLdZmZ/PF0Cqm75qw2IqzIhRB5b1e8HyRPeNtEZ7frNLZyFhLgHJbRFF5WooFX79 +q9py8dERBXOxCKrSdqEOre0OU/4pAgMBAAGjRTBDMA4GA1UdDwEB/wQEAwIBBjAS +BgNVHRMBAf8ECDAGAQH/AgECMB0GA1UdDgQWBBS+CaA8UIkIJT9xhXff4p143UuW +7TANBgkqhkiG9w0BAQsFAAOCAQEAK7lScAUi+R68oxxmgZ/pdEr9wsMj4xtss+GO +UDgzxudpT1nYQ2iBudC3LIuTiaUHUSseVleXEKeNbKhKhVhlIwhmPxiOgbbFu9hr +e2Z87SjtdlbE/KcYFw0W/ukWYxYrq08BB19w2Mqd8J5CnLcj4/0iiH1uARo1swFy +GUYAJ2I147sHIDbbmLKuxbdf4dcrkf3D4inBOLcRhS/MzaXfdMFntzJDQAo5YwFI +zZ4TRGOhj8IcU1Cn5SVufryWy3qJ+sKHDYsGQQ/ArBXwQnO3NAFCpEN9rDDuQVmH ++ATHDFBQZcGfN4GDh74FGnliRjip2sO4oWTfImmgJGGAn+P2CA== +-----END CERTIFICATE----- diff --git a/hack/scripts-dev/docker-static-ip/certs-metrics-proxy/gencert.json b/hack/scripts-dev/docker-static-ip/certs-metrics-proxy/gencert.json new file mode 100644 index 000000000..09b67267b --- /dev/null +++ b/hack/scripts-dev/docker-static-ip/certs-metrics-proxy/gencert.json @@ -0,0 +1,13 @@ +{ + "signing": { + "default": { + "usages": [ + "signing", + "key encipherment", + "server auth", + "client auth" + ], + "expiry": "87600h" + } + } +} 
diff --git a/hack/scripts-dev/docker-dns/certs-common-name/gencerts.sh b/hack/scripts-dev/docker-static-ip/certs-metrics-proxy/gencerts.sh
similarity index 100%
rename from hack/scripts-dev/docker-dns/certs-common-name/gencerts.sh
rename to hack/scripts-dev/docker-static-ip/certs-metrics-proxy/gencerts.sh
diff --git a/hack/scripts-dev/docker-static-ip/certs-metrics-proxy/run.sh b/hack/scripts-dev/docker-static-ip/certs-metrics-proxy/run.sh
new file mode 100755
index 000000000..6089f3ed9
--- /dev/null
+++ b/hack/scripts-dev/docker-static-ip/certs-metrics-proxy/run.sh
@@ -0,0 +1,119 @@ +#!/bin/sh +rm -rf /tmp/m1.data /tmp/m2.data /tmp/m3.data /tmp/proxy.data + +goreman -f /certs-metrics-proxy/Procfile start & + +# TODO: remove random sleeps +sleep 7s + +ETCDCTL_API=3 ./etcdctl \ + --cacert=/certs-metrics-proxy/ca.crt \ + --cert=/certs-metrics-proxy/server.crt \ + --key=/certs-metrics-proxy/server.key.insecure \ + --endpoints=https://localhost:2379 \ + endpoint health --cluster + +ETCDCTL_API=3 ./etcdctl \ + --cacert=/certs-metrics-proxy/ca.crt \ + --cert=/certs-metrics-proxy/server.crt \ + --key=/certs-metrics-proxy/server.key.insecure \ + --endpoints=https://localhost:2379,https://localhost:22379,https://localhost:32379 \ + put abc def + +ETCDCTL_API=3 ./etcdctl \ + --cacert=/certs-metrics-proxy/ca.crt \ + --cert=/certs-metrics-proxy/server.crt \ + --key=/certs-metrics-proxy/server.key.insecure \ + --endpoints=https://localhost:2379,https://localhost:22379,https://localhost:32379 \ + get abc + +################# +sleep 3s && printf "\n\n" && echo "curl https://localhost:2378/metrics" +curl \ + --cacert /certs-metrics-proxy/ca.crt \ + --cert /certs-metrics-proxy/server.crt \ + --key /certs-metrics-proxy/server.key.insecure \ + -L https://localhost:2378/metrics | grep Put | tail -3 + +sleep 3s && printf "\n" && echo "curl https://localhost:2379/metrics" +curl \ + --cacert /certs-metrics-proxy/ca.crt \ + --cert /certs-metrics-proxy/server.crt \ + --key /certs-metrics-proxy/server.key.insecure \ + -L https://localhost:2379/metrics | grep Put | tail -3 + +sleep 3s && printf "\n" && echo "curl http://localhost:9379/metrics" +curl -L http://localhost:9379/metrics | grep Put | tail -3 +################# + +################# +sleep 3s && printf "\n\n" && echo "curl https://localhost:22378/metrics" +curl \ + --cacert /certs-metrics-proxy/ca.crt \ + --cert /certs-metrics-proxy/server.crt \ + --key /certs-metrics-proxy/server.key.insecure \ + -L https://localhost:22378/metrics | grep Put | tail -3 + +sleep 3s && printf "\n" && echo "curl 
https://localhost:22379/metrics" +curl \ + --cacert /certs-metrics-proxy/ca.crt \ + --cert /certs-metrics-proxy/server.crt \ + --key /certs-metrics-proxy/server.key.insecure \ + -L https://localhost:22379/metrics | grep Put | tail -3 + +sleep 3s && printf "\n" && echo "curl http://localhost:29379/metrics" +curl -L http://localhost:29379/metrics | grep Put | tail -3 +################# + +################# +sleep 3s && printf "\n\n" && echo "curl https://localhost:32378/metrics" +curl \ + --cacert /certs-metrics-proxy/ca.crt \ + --cert /certs-metrics-proxy/server.crt \ + --key /certs-metrics-proxy/server.key.insecure \ + -L https://localhost:32378/metrics | grep Put | tail -3 + +sleep 3s && printf "\n" && echo "curl https://localhost:32379/metrics" +curl \ + --cacert /certs-metrics-proxy/ca.crt \ + --cert /certs-metrics-proxy/server.crt \ + --key /certs-metrics-proxy/server.key.insecure \ + -L https://localhost:32379/metrics | grep Put | tail -3 + +sleep 3s && printf "\n" && echo "curl http://localhost:39379/metrics" +curl -L http://localhost:39379/metrics | grep Put | tail -3 +################# + +################# +sleep 3s && printf "\n\n" && echo "Requests to gRPC proxy localhost:23790" +ETCDCTL_API=3 ./etcdctl \ + --cacert /certs-metrics-proxy/ca.crt \ + --cert /certs-metrics-proxy/server.crt \ + --key /certs-metrics-proxy/server.key.insecure \ + --endpoints=localhost:23790 \ + put ghi jkl + +ETCDCTL_API=3 ./etcdctl \ + --cacert /certs-metrics-proxy/ca.crt \ + --cert /certs-metrics-proxy/server.crt \ + --key /certs-metrics-proxy/server.key.insecure \ + --endpoints=localhost:23790 \ + get ghi + +sleep 3s && printf "\n" && echo "Requests to gRPC proxy https://localhost:23790/metrics" +curl \ + --cacert /certs-metrics-proxy/ca.crt \ + --cert /certs-metrics-proxy/server.crt \ + --key /certs-metrics-proxy/server.key.insecure \ + -L https://localhost:23790/metrics | grep Put | tail -3 + +sleep 3s && printf "\n" && echo "Requests to gRPC proxy 
http://localhost:9378/metrics" +curl -L http://localhost:9378/metrics | grep Put | tail -3 +<