From b9aa507f66fc9f56ff4bde2c4262adc61b295b4e Mon Sep 17 00:00:00 2001 From: Gyuho Lee Date: Tue, 5 Dec 2017 11:10:36 -0800 Subject: [PATCH] hack: sync with master branch (needed for release) Signed-off-by: Gyuho Lee --- hack/patch/README.md | 37 +++ hack/patch/cherrypick.sh | 229 ++++++++++++++++ hack/scripts-dev/Makefile | 89 ++++-- hack/scripts-dev/docker-dns-srv/.Dockerfile | 48 ---- hack/scripts-dev/docker-dns-srv/Dockerfile | 8 +- hack/scripts-dev/docker-dns-srv/Procfile | 5 - .../docker-dns-srv/certs-gateway/Procfile | 7 + .../docker-dns-srv/certs-gateway/ca-csr.json | 19 ++ .../docker-dns-srv/certs-gateway/ca.crt | 22 ++ .../docker-dns-srv/certs-gateway/gencert.json | 13 + .../docker-dns-srv/certs-gateway/gencerts.sh | 26 ++ .../docker-dns-srv/certs-gateway/run.sh | 47 ++++ .../certs-gateway/server-ca-csr.json | 23 ++ .../docker-dns-srv/certs-gateway/server.crt | 25 ++ .../certs-gateway/server.key.insecure | 27 ++ .../docker-dns-srv/certs-wildcard/Procfile | 5 + .../docker-dns-srv/certs-wildcard/ca-csr.json | 19 ++ .../docker-dns-srv/certs-wildcard/ca.crt | 22 ++ .../certs-wildcard/gencert.json | 13 + .../docker-dns-srv/certs-wildcard/gencerts.sh | 26 ++ .../docker-dns-srv/certs-wildcard/run.sh | 33 +++ .../certs-wildcard/server-ca-csr.json | 21 ++ .../docker-dns-srv/certs-wildcard/server.crt | 24 ++ .../certs-wildcard/server.key.insecure | 27 ++ .../scripts-dev/docker-dns-srv/certs/Procfile | 5 + .../docker-dns-srv/certs/ca-csr.json | 19 ++ hack/scripts-dev/docker-dns-srv/certs/ca.crt | 22 ++ .../docker-dns-srv/certs/gencert.json | 13 + .../docker-dns-srv/certs/gencerts.sh | 26 ++ hack/scripts-dev/docker-dns-srv/certs/run.sh | 33 +++ .../docker-dns-srv/certs/server-ca-csr.json | 23 ++ .../docker-dns-srv/certs/server.crt | 25 ++ .../docker-dns-srv/certs/server.key.insecure | 27 ++ hack/scripts-dev/docker-dns-srv/etcd.zone | 37 +-- hack/scripts-dev/docker-dns-srv/run.sh | 16 -- hack/scripts-dev/docker-dns/Dockerfile | 8 +- hack/scripts-dev/docker-dns/Procfile.tls | 6 - .../docker-dns/certs-common-name/Procfile | 6 + .../docker-dns/certs-common-name/ca-csr.json | 19 ++ .../docker-dns/certs-common-name/ca.crt | 22 ++ .../docker-dns/certs-common-name/gencert.json | 13 + .../docker-dns/certs-common-name/gencerts.sh | 26 ++ .../docker-dns/certs-common-name/run.sh | 255 ++++++++++++++++++ .../certs-common-name/server-ca-csr.json | 23 ++ .../docker-dns/certs-common-name/server.crt | 25 ++ .../certs-common-name/server.key.insecure | 27 ++ .../docker-dns/certs-gateway/Procfile | 8 + .../docker-dns/certs-gateway/ca-csr.json | 19 ++ .../docker-dns/certs-gateway/ca.crt | 22 ++ .../docker-dns/certs-gateway/gencert.json | 13 + .../docker-dns/certs-gateway/gencerts.sh | 26 ++ .../docker-dns/certs-gateway/run.sh | 47 ++++ .../certs-gateway/server-ca-csr.json | 22 ++ .../docker-dns/certs-gateway/server.crt | 25 ++ .../certs-gateway/server.key.insecure | 27 ++ .../docker-dns/certs-wildcard/Procfile | 6 + .../docker-dns/certs-wildcard/ca-csr.json | 19 ++ .../docker-dns/certs-wildcard/ca.crt | 22 ++ .../docker-dns/certs-wildcard/gencert.json | 13 + .../docker-dns/certs-wildcard/gencerts.sh | 26 ++ .../docker-dns/certs-wildcard/run.sh | 33 +++ .../certs-wildcard/server-ca-csr.json | 20 ++ .../docker-dns/certs-wildcard/server.crt | 24 ++ .../certs-wildcard/server.key.insecure | 27 ++ hack/scripts-dev/docker-dns/certs/Procfile | 6 + hack/scripts-dev/docker-dns/certs/ca-csr.json | 19 ++ hack/scripts-dev/docker-dns/certs/ca.crt | 22 ++ .../scripts-dev/docker-dns/certs/gencert.json | 13 + hack/scripts-dev/docker-dns/certs/gencerts.sh | 26 ++ hack/scripts-dev/docker-dns/certs/run.sh | 33 +++ .../docker-dns/certs/server-ca-csr.json | 22 ++ hack/scripts-dev/docker-dns/certs/server.crt | 25 ++ .../docker-dns/certs/server.key.insecure | 27 ++ hack/scripts-dev/docker-dns/run.sh | 16 -- 74 files changed, 1961 insertions(+), 138 deletions(-) create mode 100644 hack/patch/README.md create mode 100755 hack/patch/cherrypick.sh delete mode 100644 hack/scripts-dev/docker-dns-srv/.Dockerfile delete mode 100644 hack/scripts-dev/docker-dns-srv/Procfile create mode 100644 hack/scripts-dev/docker-dns-srv/certs-gateway/Procfile create mode 100644 hack/scripts-dev/docker-dns-srv/certs-gateway/ca-csr.json create mode 100644 hack/scripts-dev/docker-dns-srv/certs-gateway/ca.crt create mode 100644 hack/scripts-dev/docker-dns-srv/certs-gateway/gencert.json create mode 100755 hack/scripts-dev/docker-dns-srv/certs-gateway/gencerts.sh create mode 100755 hack/scripts-dev/docker-dns-srv/certs-gateway/run.sh create mode 100644 hack/scripts-dev/docker-dns-srv/certs-gateway/server-ca-csr.json create mode 100644 hack/scripts-dev/docker-dns-srv/certs-gateway/server.crt create mode 100644 hack/scripts-dev/docker-dns-srv/certs-gateway/server.key.insecure create mode 100644 hack/scripts-dev/docker-dns-srv/certs-wildcard/Procfile create mode 100644 hack/scripts-dev/docker-dns-srv/certs-wildcard/ca-csr.json create mode 100644 hack/scripts-dev/docker-dns-srv/certs-wildcard/ca.crt create mode 100644 hack/scripts-dev/docker-dns-srv/certs-wildcard/gencert.json create mode 100755 hack/scripts-dev/docker-dns-srv/certs-wildcard/gencerts.sh create mode 100755 hack/scripts-dev/docker-dns-srv/certs-wildcard/run.sh create mode 100644 hack/scripts-dev/docker-dns-srv/certs-wildcard/server-ca-csr.json create mode 100644 hack/scripts-dev/docker-dns-srv/certs-wildcard/server.crt create mode 100644 hack/scripts-dev/docker-dns-srv/certs-wildcard/server.key.insecure create mode 100644 hack/scripts-dev/docker-dns-srv/certs/Procfile create mode 100644 hack/scripts-dev/docker-dns-srv/certs/ca-csr.json create mode 100644 hack/scripts-dev/docker-dns-srv/certs/ca.crt create mode 100644 hack/scripts-dev/docker-dns-srv/certs/gencert.json create mode 100755 hack/scripts-dev/docker-dns-srv/certs/gencerts.sh create mode 100755 hack/scripts-dev/docker-dns-srv/certs/run.sh create mode 100644 hack/scripts-dev/docker-dns-srv/certs/server-ca-csr.json create mode 100644 hack/scripts-dev/docker-dns-srv/certs/server.crt create mode 100644 hack/scripts-dev/docker-dns-srv/certs/server.key.insecure delete mode 100755 hack/scripts-dev/docker-dns-srv/run.sh delete mode 100644 hack/scripts-dev/docker-dns/Procfile.tls create mode 100644 hack/scripts-dev/docker-dns/certs-common-name/Procfile create mode 100644 hack/scripts-dev/docker-dns/certs-common-name/ca-csr.json create mode 100644 hack/scripts-dev/docker-dns/certs-common-name/ca.crt create mode 100644 hack/scripts-dev/docker-dns/certs-common-name/gencert.json create mode 100755 hack/scripts-dev/docker-dns/certs-common-name/gencerts.sh create mode 100755 hack/scripts-dev/docker-dns/certs-common-name/run.sh create mode 100644 hack/scripts-dev/docker-dns/certs-common-name/server-ca-csr.json create mode 100644 hack/scripts-dev/docker-dns/certs-common-name/server.crt create mode 100644 hack/scripts-dev/docker-dns/certs-common-name/server.key.insecure create mode 100644 hack/scripts-dev/docker-dns/certs-gateway/Procfile create mode 100644 hack/scripts-dev/docker-dns/certs-gateway/ca-csr.json create mode 100644 hack/scripts-dev/docker-dns/certs-gateway/ca.crt create mode 100644 hack/scripts-dev/docker-dns/certs-gateway/gencert.json create mode 100755 hack/scripts-dev/docker-dns/certs-gateway/gencerts.sh create mode 100755 hack/scripts-dev/docker-dns/certs-gateway/run.sh create mode 100644 hack/scripts-dev/docker-dns/certs-gateway/server-ca-csr.json create mode 100644 hack/scripts-dev/docker-dns/certs-gateway/server.crt create mode 100644 hack/scripts-dev/docker-dns/certs-gateway/server.key.insecure create mode 100644 hack/scripts-dev/docker-dns/certs-wildcard/Procfile create mode 100644 hack/scripts-dev/docker-dns/certs-wildcard/ca-csr.json create mode 100644 hack/scripts-dev/docker-dns/certs-wildcard/ca.crt create mode 100644 hack/scripts-dev/docker-dns/certs-wildcard/gencert.json create mode 100755 hack/scripts-dev/docker-dns/certs-wildcard/gencerts.sh create mode 100755 hack/scripts-dev/docker-dns/certs-wildcard/run.sh create mode 100644 hack/scripts-dev/docker-dns/certs-wildcard/server-ca-csr.json create mode 100644 hack/scripts-dev/docker-dns/certs-wildcard/server.crt create mode 100644 hack/scripts-dev/docker-dns/certs-wildcard/server.key.insecure create mode 100644 hack/scripts-dev/docker-dns/certs/Procfile create mode 100644 hack/scripts-dev/docker-dns/certs/ca-csr.json create mode 100644 hack/scripts-dev/docker-dns/certs/ca.crt create mode 100644 hack/scripts-dev/docker-dns/certs/gencert.json create mode 100755 hack/scripts-dev/docker-dns/certs/gencerts.sh create mode 100755 hack/scripts-dev/docker-dns/certs/run.sh create mode 100644 hack/scripts-dev/docker-dns/certs/server-ca-csr.json create mode 100644 hack/scripts-dev/docker-dns/certs/server.crt create mode 100644 hack/scripts-dev/docker-dns/certs/server.key.insecure delete mode 100755 hack/scripts-dev/docker-dns/run.sh diff --git a/hack/patch/README.md b/hack/patch/README.md new file mode 100644 index 000000000..4f8282e6a --- /dev/null +++ b/hack/patch/README.md @@ -0,0 +1,37 @@ +# ./hack/patch/cherrypick.sh + +Handles cherry-picks of PR(s) from etcd master to a stable etcd release branch automatically. + +## Setup + +Set the `UPSTREAM_REMOTE` and `FORK_REMOTE` environment variables. +`UPSTREAM_REMOTE` should be set to git remote name of `github.com/coreos/etcd`, +and `FORK_REMOTE` should be set to the git remote name of the forked etcd +repo (`github.com/${github-username}/etcd`). Use `git remotes -v` to +look up the git remote names. If etcd has not been forked, create +one on github.com and register it locally with `git remote add ...`. + + +``` +export UPSTREAM_REMOTE=origin +export FORK_REMOTE=${github-username} +export GITHUB_USER=${github-username} +``` + +Next, install hub from https://github.com/github/hub + +## Usage + +To cherry pick PR 12345 onto release-3.2 and propose is as a PR, run: + +```sh +./hack/patch/cherrypick.sh ${UPSTREAM_REMOTE}/release-3.2 12345 +``` + +To cherry pick 12345 then 56789 and propose them togther as a single PR, run: + +``` +./hack/patch/cherrypick.sh ${UPSTREAM_REMOTE}/release-3.2 12345 56789 +``` + + diff --git a/hack/patch/cherrypick.sh b/hack/patch/cherrypick.sh new file mode 100755 index 000000000..4faf3efa2 --- /dev/null +++ b/hack/patch/cherrypick.sh @@ -0,0 +1,229 @@ +#!/usr/bin/env bash + +# Based on github.com/kubernetes/kubernetes/blob/v1.8.2/hack/cherry_pick_pull.sh + +# Checkout a PR from GitHub. (Yes, this is sitting in a Git tree. How +# meta.) Assumes you care about pulls from remote "upstream" and +# checks thems out to a branch named: +# automated-cherry-pick-of--- + +set -o errexit +set -o nounset +set -o pipefail + +declare -r ETCD_ROOT="$(dirname "${BASH_SOURCE}")/../.." +cd "${ETCD_ROOT}" + +declare -r STARTINGBRANCH=$(git symbolic-ref --short HEAD) +declare -r REBASEMAGIC="${ETCD_ROOT}/.git/rebase-apply" +DRY_RUN=${DRY_RUN:-""} +REGENERATE_DOCS=${REGENERATE_DOCS:-""} +UPSTREAM_REMOTE=${UPSTREAM_REMOTE:-upstream} +FORK_REMOTE=${FORK_REMOTE:-origin} + +if [[ -z ${GITHUB_USER:-} ]]; then + echo "Please export GITHUB_USER= (or GH organization, if that's where your fork lives)" + exit 1 +fi + +if ! which hub > /dev/null; then + echo "Can't find 'hub' tool in PATH, please install from https://github.com/github/hub" + exit 1 +fi + +if [[ "$#" -lt 2 ]]; then + echo "${0} ...: cherry pick one or more onto and leave instructions for proposing pull request" + echo + echo " Checks out and handles the cherry-pick of (possibly multiple) for you." + echo " Examples:" + echo " $0 upstream/release-3.14 12345 # Cherry-picks PR 12345 onto upstream/release-3.14 and proposes that as a PR." + echo " $0 upstream/release-3.14 12345 56789 # Cherry-picks PR 12345, then 56789 and proposes the combination as a single PR." + echo + echo " Set the DRY_RUN environment var to skip git push and creating PR." + echo " This is useful for creating patches to a release branch without making a PR." + echo " When DRY_RUN is set the script will leave you in a branch containing the commits you cherry-picked." + echo + echo " Set the REGENERATE_DOCS environment var to regenerate documentation for the target branch after picking the specified commits." + echo " This is useful when picking commits containing changes to API documentation." + echo + echo " Set UPSTREAM_REMOTE (default: upstream) and FORK_REMOTE (default: origin)" + echo " To override the default remote names to what you have locally." + exit 2 +fi + +if git_status=$(git status --porcelain --untracked=no 2>/dev/null) && [[ -n "${git_status}" ]]; then + echo "!!! Dirty tree. Clean up and try again." + exit 1 +fi + +if [[ -e "${REBASEMAGIC}" ]]; then + echo "!!! 'git rebase' or 'git am' in progress. Clean up and try again." + exit 1 +fi + +declare -r BRANCH="$1" +shift 1 +declare -r PULLS=( "$@" ) + +function join { local IFS="$1"; shift; echo "$*"; } +declare -r PULLDASH=$(join - "${PULLS[@]/#/#}") # Generates something like "#12345-#56789" +declare -r PULLSUBJ=$(join " " "${PULLS[@]/#/#}") # Generates something like "#12345 #56789" + +echo "+++ Updating remotes..." +git remote update "${UPSTREAM_REMOTE}" "${FORK_REMOTE}" + +if ! git log -n1 --format=%H "${BRANCH}" >/dev/null 2>&1; then + echo "!!! '${BRANCH}' not found. The second argument should be something like ${UPSTREAM_REMOTE}/release-0.21." + echo " (In particular, it needs to be a valid, existing remote branch that I can 'git checkout'.)" + exit 1 +fi + +declare -r NEWBRANCHREQ="automated-cherry-pick-of-${PULLDASH}" # "Required" portion for tools. +declare -r NEWBRANCH="$(echo "${NEWBRANCHREQ}-${BRANCH}" | sed 's/\//-/g')" +declare -r NEWBRANCHUNIQ="${NEWBRANCH}-$(date +%s)" +echo "+++ Creating local branch ${NEWBRANCHUNIQ}" + +cleanbranch="" +prtext="" +gitamcleanup=false +function return_to_kansas { + if [[ "${gitamcleanup}" == "true" ]]; then + echo + echo "+++ Aborting in-progress git am." + git am --abort >/dev/null 2>&1 || true + fi + + # return to the starting branch and delete the PR text file + if [[ -z "${DRY_RUN}" ]]; then + echo + echo "+++ Returning you to the ${STARTINGBRANCH} branch and cleaning up." + git checkout -f "${STARTINGBRANCH}" >/dev/null 2>&1 || true + if [[ -n "${cleanbranch}" ]]; then + git branch -D "${cleanbranch}" >/dev/null 2>&1 || true + fi + if [[ -n "${prtext}" ]]; then + rm "${prtext}" + fi + fi +} +trap return_to_kansas EXIT + +SUBJECTS=() +function make-a-pr() { + local rel="$(basename "${BRANCH}")" + echo + echo "+++ Creating a pull request on GitHub at ${GITHUB_USER}:${NEWBRANCH}" + + # This looks like an unnecessary use of a tmpfile, but it avoids + # https://github.com/github/hub/issues/976 Otherwise stdin is stolen + # when we shove the heredoc at hub directly, tickling the ioctl + # crash. + prtext="$(mktemp -t prtext.XXXX)" # cleaned in return_to_kansas + cat >"${prtext}" <&2 + exit 1 + fi + done + + if [[ "${conflicts}" != "true" ]]; then + echo "!!! git am failed, likely because of an in-progress 'git am' or 'git rebase'" + exit 1 + fi + } + + # set the subject + subject=$(grep -m 1 "^Subject" "/tmp/${pull}.patch" | sed -e 's/Subject: \[PATCH//g' | sed 's/.*] //') + SUBJECTS+=("#${pull}: ${subject}") + + # remove the patch file from /tmp + rm -f "/tmp/${pull}.patch" +done +gitamcleanup=false + +# Re-generate docs (if needed) +if [[ -n "${REGENERATE_DOCS}" ]]; then + echo + echo "Regenerating docs..." + if ! hack/generate-docs.sh; then + echo + echo "hack/generate-docs.sh FAILED to complete." + exit 1 + fi +fi + +if [[ -n "${DRY_RUN}" ]]; then + echo "!!! Skipping git push and PR creation because you set DRY_RUN." + echo "To return to the branch you were in when you invoked this script:" + echo + echo " git checkout ${STARTINGBRANCH}" + echo + echo "To delete this branch:" + echo + echo " git branch -D ${NEWBRANCHUNIQ}" + exit 0 +fi + +if git remote -v | grep ^${FORK_REMOTE} | grep etcd/etcd.git; then + echo "!!! You have ${FORK_REMOTE} configured as your etcd/etcd.git" + echo "This isn't normal. Leaving you with push instructions:" + echo + echo "+++ First manually push the branch this script created:" + echo + echo " git push REMOTE ${NEWBRANCHUNIQ}:${NEWBRANCH}" + echo + echo "where REMOTE is your personal fork (maybe ${UPSTREAM_REMOTE}? Consider swapping those.)." + echo "OR consider setting UPSTREAM_REMOTE and FORK_REMOTE to different values." + echo + make-a-pr + cleanbranch="" + exit 0 +fi + +echo +echo "+++ I'm about to do the following to push to GitHub (and I'm assuming ${FORK_REMOTE} is your personal fork):" +echo +echo " git push ${FORK_REMOTE} ${NEWBRANCHUNIQ}:${NEWBRANCH}" +echo +read -p "+++ Proceed (anything but 'y' aborts the cherry-pick)? [y/n] " -r +if ! [[ "${REPLY}" =~ ^[yY]$ ]]; then + echo "Aborting." >&2 + exit 1 +fi + +git push "${FORK_REMOTE}" -f "${NEWBRANCHUNIQ}:${NEWBRANCH}" +make-a-pr diff --git a/hack/scripts-dev/Makefile b/hack/scripts-dev/Makefile index 7ad3063d2..1942da97d 100644 --- a/hack/scripts-dev/Makefile +++ b/hack/scripts-dev/Makefile @@ -12,6 +12,7 @@ build: clean: rm -f ./codecov + rm -rf ./agent-* rm -rf ./covdir rm -f ./*.log rm -f ./bin/Dockerfile-release @@ -30,7 +31,7 @@ endif # Example: # GO_VERSION=1.8.5 make build-docker-test -f ./hack/scripts-dev/Makefile # make build-docker-test -f ./hack/scripts-dev/Makefile -# gcloud docker -- login -u _json_key -p "$(cat /etc/gcp-key-etcd.json)" https://gcr.io +# gcloud docker -- login -u _json_key -p "$(cat /etc/gcp-key-etcd-development.json)" https://gcr.io # GO_VERSION=1.8.5 make push-docker-test -f ./hack/scripts-dev/Makefile # make push-docker-test -f ./hack/scripts-dev/Makefile # gsutil -m acl ch -u allUsers:R -r gs://artifacts.etcd-development.appspot.com @@ -94,7 +95,7 @@ test: $(info TEST_OPTS: $(_TEST_OPTS)) $(info log-file: test-$(TEST_SUFFIX).log) $(_TEST_OPTS) ./test 2>&1 | tee test-$(TEST_SUFFIX).log - ! egrep "(--- FAIL:|leak)" -A10 -B50 test-$(TEST_SUFFIX).log + ! egrep "(--- FAIL:|panic: test timed out|appears to have leaked|Too many goroutines)" -B50 -A10 test-$(TEST_SUFFIX).log docker-test: $(info GO_VERSION: $(_GO_VERSION)) @@ -102,20 +103,22 @@ docker-test: $(info log-file: test-$(TEST_SUFFIX).log) docker run \ --rm \ + --volume=/tmp:/tmp \ --volume=`pwd`:/go/src/github.com/coreos/etcd \ gcr.io/etcd-development/etcd-test:go$(_GO_VERSION) \ /bin/bash -c "$(_TEST_OPTS) ./test 2>&1 | tee test-$(TEST_SUFFIX).log" - ! egrep "(--- FAIL:|leak)" -A10 -B50 test-$(TEST_SUFFIX).log + ! egrep "(--- FAIL:|panic: test timed out|appears to have leaked|Too many goroutines)" -B50 -A10 test-$(TEST_SUFFIX).log docker-test-coverage: $(info GO_VERSION: $(_GO_VERSION)) $(info log-file: docker-test-coverage-$(TEST_SUFFIX).log) docker run \ --rm \ + --volume=/tmp:/tmp \ --volume=`pwd`:/go/src/github.com/coreos/etcd \ gcr.io/etcd-development/etcd-test:go$(_GO_VERSION) \ /bin/bash -c "COVERDIR=covdir PASSES='build build_cov cov' ./test 2>&1 | tee docker-test-coverage-$(TEST_SUFFIX).log && /codecov -t 6040de41-c073-4d6f-bbf8-d89256ef31e1" - ! egrep "(--- FAIL:|leak)" -A10 -B50 docker-test-coverage-$(TEST_SUFFIX).log + ! egrep "(--- FAIL:|panic: test timed out|appears to have leaked|Too many goroutines)" -B50 -A10 docker-test-coverage-$(TEST_SUFFIX).log # build release container image with Linux _ETCD_VERSION ?= $(shell git rev-parse --short HEAD || echo "GitNotFound") @@ -150,13 +153,14 @@ push-docker-release-master: # make build-docker-test -f ./hack/scripts-dev/Makefile # make compile-with-docker-test -f ./hack/scripts-dev/Makefile # make build-docker-dns-test -f ./hack/scripts-dev/Makefile -# gcloud docker -- login -u _json_key -p "$(cat /etc/gcp-key-etcd.json)" https://gcr.io +# gcloud docker -- login -u _json_key -p "$(cat /etc/gcp-key-etcd-development.json)" https://gcr.io # make push-docker-dns-test -f ./hack/scripts-dev/Makefile # gsutil -m acl ch -u allUsers:R -r gs://artifacts.etcd-development.appspot.com # make pull-docker-dns-test -f ./hack/scripts-dev/Makefile -# make docker-dns-test-run -f ./hack/scripts-dev/Makefile +# make docker-dns-test-certs-run -f ./hack/scripts-dev/Makefile +# make docker-dns-test-certs-gateway-run -f ./hack/scripts-dev/Makefile +# make docker-dns-test-certs-wildcard-run -f ./hack/scripts-dev/Makefile -# build base container image for DNS testing build-docker-dns-test: $(info GO_VERSION: $(_GO_VERSION)) @cat ./hack/scripts-dev/docker-dns/Dockerfile | sed s/REPLACE_ME_GO_VERSION/$(_GO_VERSION)/ \ @@ -181,29 +185,54 @@ pull-docker-dns-test: $(info GO_VERSION: $(_GO_VERSION)) docker pull gcr.io/etcd-development/etcd-dns-test:go$(_GO_VERSION) -# run DNS tests inside container -docker-dns-test-run: +docker-dns-test-certs-run: $(info GO_VERSION: $(_GO_VERSION)) docker run \ --rm \ --tty \ --dns 127.0.0.1 \ + --volume=/tmp:/tmp \ --volume=`pwd`/bin:/etcd \ - --volume=`pwd`/integration/fixtures:/certs \ + --volume=`pwd`/hack/scripts-dev/docker-dns/certs:/certs \ gcr.io/etcd-development/etcd-dns-test:go$(_GO_VERSION) \ - /bin/bash -c "cd /etcd && /run.sh && rm -rf m*.etcd" + /bin/bash -c "cd /etcd && /certs/run.sh && rm -rf m*.etcd" + +docker-dns-test-certs-gateway-run: + $(info GO_VERSION: $(_GO_VERSION)) + docker run \ + --rm \ + --tty \ + --dns 127.0.0.1 \ + --volume=/tmp:/tmp \ + --volume=`pwd`/bin:/etcd \ + --volume=`pwd`/hack/scripts-dev/docker-dns/certs-gateway:/certs-gateway \ + gcr.io/etcd-development/etcd-dns-test:go$(_GO_VERSION) \ + /bin/bash -c "cd /etcd && /certs-gateway/run.sh && rm -rf m*.etcd" + +docker-dns-test-certs-wildcard-run: + $(info GO_VERSION: $(_GO_VERSION)) + docker run \ + --rm \ + --tty \ + --dns 127.0.0.1 \ + --volume=/tmp:/tmp \ + --volume=`pwd`/bin:/etcd \ + --volume=`pwd`/hack/scripts-dev/docker-dns/certs-wildcard:/certs-wildcard \ + gcr.io/etcd-development/etcd-dns-test:go$(_GO_VERSION) \ + /bin/bash -c "cd /etcd && /certs-wildcard/run.sh && rm -rf m*.etcd" # Example: # make build-docker-test -f ./hack/scripts-dev/Makefile # make compile-with-docker-test -f ./hack/scripts-dev/Makefile # make build-docker-dns-srv-test -f ./hack/scripts-dev/Makefile -# gcloud docker -- login -u _json_key -p "$(cat /etc/gcp-key-etcd.json)" https://gcr.io +# gcloud docker -- login -u _json_key -p "$(cat /etc/gcp-key-etcd-development.json)" https://gcr.io # make push-docker-dns-srv-test -f ./hack/scripts-dev/Makefile # gsutil -m acl ch -u allUsers:R -r gs://artifacts.etcd-development.appspot.com # make pull-docker-dns-srv-test -f ./hack/scripts-dev/Makefile -# make docker-dns-srv-test-run -f ./hack/scripts-dev/Makefile +# make docker-dns-srv-test-certs-run -f ./hack/scripts-dev/Makefile +# make docker-dns-srv-test-certs-gateway-run -f ./hack/scripts-dev/Makefile +# make docker-dns-srv-test-certs-wildcard-run -f ./hack/scripts-dev/Makefile -# build base container image for DNS/SRV testing build-docker-dns-srv-test: $(info GO_VERSION: $(_GO_VERSION)) @cat ./hack/scripts-dev/docker-dns-srv/Dockerfile | sed s/REPLACE_ME_GO_VERSION/$(_GO_VERSION)/ \ @@ -228,16 +257,38 @@ pull-docker-dns-srv-test: $(info GO_VERSION: $(_GO_VERSION)) docker pull gcr.io/etcd-development/etcd-dns-srv-test:go$(_GO_VERSION) -# run DNS/SRV tests inside container -docker-dns-srv-test-run: +docker-dns-srv-test-certs-run: $(info GO_VERSION: $(_GO_VERSION)) docker run \ --rm \ --tty \ --dns 127.0.0.1 \ + --volume=/tmp:/tmp \ --volume=`pwd`/bin:/etcd \ - --volume=`pwd`/integration/fixtures:/certs \ + --volume=`pwd`/hack/scripts-dev/docker-dns-srv/certs:/certs \ gcr.io/etcd-development/etcd-dns-srv-test:go$(_GO_VERSION) \ - /bin/bash -c "cd /etcd && /run.sh && rm -rf m*.etcd" + /bin/bash -c "cd /etcd && /certs/run.sh && rm -rf m*.etcd" -# TODO: add DNS integration tests +docker-dns-srv-test-certs-gateway-run: + $(info GO_VERSION: $(_GO_VERSION)) + docker run \ + --rm \ + --tty \ + --dns 127.0.0.1 \ + --volume=/tmp:/tmp \ + --volume=`pwd`/bin:/etcd \ + --volume=`pwd`/hack/scripts-dev/docker-dns-srv/certs-gateway:/certs-gateway \ + gcr.io/etcd-development/etcd-dns-srv-test:go$(_GO_VERSION) \ + /bin/bash -c "cd /etcd && /certs-gateway/run.sh && rm -rf m*.etcd" + +docker-dns-srv-test-certs-wildcard-run: + $(info GO_VERSION: $(_GO_VERSION)) + docker run \ + --rm \ + --tty \ + --dns 127.0.0.1 \ + --volume=/tmp:/tmp \ + --volume=`pwd`/bin:/etcd \ + --volume=`pwd`/hack/scripts-dev/docker-dns-srv/certs-wildcard:/certs-wildcard \ + gcr.io/etcd-development/etcd-dns-srv-test:go$(_GO_VERSION) \ + /bin/bash -c "cd /etcd && /certs-wildcard/run.sh && rm -rf m*.etcd" \ No newline at end of file diff --git a/hack/scripts-dev/docker-dns-srv/.Dockerfile b/hack/scripts-dev/docker-dns-srv/.Dockerfile deleted file mode 100644 index 8d138e4ba..000000000 --- a/hack/scripts-dev/docker-dns-srv/.Dockerfile +++ /dev/null @@ -1,48 +0,0 @@ -FROM ubuntu:16.10 - -RUN rm /bin/sh && ln -s /bin/bash /bin/sh -RUN echo 'debconf debconf/frontend select Noninteractive' | debconf-set-selections - -RUN apt-get -y update \ - && apt-get -y install \ - build-essential \ - gcc \ - apt-utils \ - pkg-config \ - software-properties-common \ - apt-transport-https \ - libssl-dev \ - sudo \ - bash \ - curl \ - tar \ - git \ - netcat \ - bind9 \ - dnsutils \ - && apt-get -y update \ - && apt-get -y upgrade \ - && apt-get -y autoremove \ - && apt-get -y autoclean - -ENV GOROOT /usr/local/go -ENV GOPATH /go -ENV PATH ${GOPATH}/bin:${GOROOT}/bin:${PATH} -ENV GO_VERSION 1.9.2 -ENV GO_DOWNLOAD_URL https://storage.googleapis.com/golang -RUN rm -rf ${GOROOT} \ - && curl -s ${GO_DOWNLOAD_URL}/go${GO_VERSION}.linux-amd64.tar.gz | tar -v -C /usr/local/ -xz \ - && mkdir -p ${GOPATH}/src ${GOPATH}/bin \ - && go version - -RUN mkdir -p /var/bind /etc/bind -RUN chown root:bind /var/bind /etc/bind -ADD Procfile /Procfile -ADD run.sh /run.sh - -ADD named.conf etcd.zone rdns.zone /etc/bind/ -RUN chown root:bind /etc/bind/named.conf /etc/bind/etcd.zone /etc/bind/rdns.zone -ADD resolv.conf /etc/resolv.conf - -RUN go get github.com/mattn/goreman -CMD ["/run.sh"] diff --git a/hack/scripts-dev/docker-dns-srv/Dockerfile b/hack/scripts-dev/docker-dns-srv/Dockerfile index e53787e4f..07e907214 100644 --- a/hack/scripts-dev/docker-dns-srv/Dockerfile +++ b/hack/scripts-dev/docker-dns-srv/Dockerfile @@ -33,16 +33,12 @@ ENV GO_DOWNLOAD_URL https://storage.googleapis.com/golang RUN rm -rf ${GOROOT} \ && curl -s ${GO_DOWNLOAD_URL}/go${GO_VERSION}.linux-amd64.tar.gz | tar -v -C /usr/local/ -xz \ && mkdir -p ${GOPATH}/src ${GOPATH}/bin \ - && go version + && go version \ + && go get -v -u github.com/mattn/goreman RUN mkdir -p /var/bind /etc/bind RUN chown root:bind /var/bind /etc/bind -ADD Procfile /Procfile -ADD run.sh /run.sh ADD named.conf etcd.zone rdns.zone /etc/bind/ RUN chown root:bind /etc/bind/named.conf /etc/bind/etcd.zone /etc/bind/rdns.zone ADD resolv.conf /etc/resolv.conf - -RUN go get github.com/mattn/goreman -CMD ["/run.sh"] diff --git a/hack/scripts-dev/docker-dns-srv/Procfile b/hack/scripts-dev/docker-dns-srv/Procfile deleted file mode 100644 index e1b2c411c..000000000 --- a/hack/scripts-dev/docker-dns-srv/Procfile +++ /dev/null @@ -1,5 +0,0 @@ -etcd1: ./etcd --name m1 --listen-client-urls https://127.0.0.1:2379 --advertise-client-urls https://m1.etcd.local:2379 --listen-peer-urls https://127.0.0.1:2380 --initial-advertise-peer-urls=https://m1.etcd.local:2380 --initial-cluster-token tkn --discovery-srv=etcd.local --initial-cluster-state new --peer-cert-file=/certs/server-wildcard.crt --peer-key-file=/certs/server-wildcard.key.insecure --peer-trusted-ca-file=/certs/ca.crt --peer-client-cert-auth --cert-file=/certs/server-wildcard.crt --key-file=/certs/server-wildcard.key.insecure --trusted-ca-file=/certs/ca.crt --client-cert-auth - -etcd2: ./etcd --name m2 --listen-client-urls https://127.0.0.1:22379 --advertise-client-urls https://m2.etcd.local:22379 --listen-peer-urls https://127.0.0.1:22380 --initial-advertise-peer-urls=https://m2.etcd.local:22380 --initial-cluster-token tkn --discovery-srv=etcd.local --initial-cluster-state new --peer-cert-file=/certs/server-wildcard.crt --peer-key-file=/certs/server-wildcard.key.insecure --peer-trusted-ca-file=/certs/ca.crt --peer-client-cert-auth --cert-file=/certs/server-wildcard.crt --key-file=/certs/server-wildcard.key.insecure --trusted-ca-file=/certs/ca.crt --client-cert-auth - -etcd3: ./etcd --name m3 --listen-client-urls https://127.0.0.1:32379 --advertise-client-urls https://m3.etcd.local:32379 --listen-peer-urls https://127.0.0.1:32380 --initial-advertise-peer-urls=https://m3.etcd.local:32380 --initial-cluster-token tkn --discovery-srv=etcd.local --initial-cluster-state new --peer-cert-file=/certs/server-wildcard.crt --peer-key-file=/certs/server-wildcard.key.insecure --peer-trusted-ca-file=/certs/ca.crt --peer-client-cert-auth --cert-file=/certs/server-wildcard.crt --key-file=/certs/server-wildcard.key.insecure --trusted-ca-file=/certs/ca.crt --client-cert-auth diff --git a/hack/scripts-dev/docker-dns-srv/certs-gateway/Procfile b/hack/scripts-dev/docker-dns-srv/certs-gateway/Procfile new file mode 100644 index 000000000..7c5d07e28 --- /dev/null +++ b/hack/scripts-dev/docker-dns-srv/certs-gateway/Procfile @@ -0,0 +1,7 @@ +etcd1: ./etcd --name m1 --data-dir /tmp/m1.data --listen-client-urls https://127.0.0.1:2379 --advertise-client-urls https://m1.etcd.local:2379 --listen-peer-urls https://127.0.0.1:2380 --initial-advertise-peer-urls=https://m1.etcd.local:2380 --initial-cluster-token tkn --discovery-srv=etcd.local --initial-cluster-state new --peer-cert-file=/certs-gateway/server.crt --peer-key-file=/certs-gateway/server.key.insecure --peer-trusted-ca-file=/certs-gateway/ca.crt --peer-client-cert-auth --cert-file=/certs-gateway/server.crt --key-file=/certs-gateway/server.key.insecure --trusted-ca-file=/certs-gateway/ca.crt --client-cert-auth + +etcd2: ./etcd --name m2 --data-dir /tmp/m2.data --listen-client-urls https://127.0.0.1:22379 --advertise-client-urls https://m2.etcd.local:22379 --listen-peer-urls https://127.0.0.1:22380 --initial-advertise-peer-urls=https://m2.etcd.local:22380 --initial-cluster-token tkn --discovery-srv=etcd.local --initial-cluster-state new --peer-cert-file=/certs-gateway/server.crt --peer-key-file=/certs-gateway/server.key.insecure --peer-trusted-ca-file=/certs-gateway/ca.crt --peer-client-cert-auth --cert-file=/certs-gateway/server.crt --key-file=/certs-gateway/server.key.insecure --trusted-ca-file=/certs-gateway/ca.crt --client-cert-auth + +etcd3: ./etcd --name m3 --data-dir /tmp/m3.data --listen-client-urls https://127.0.0.1:32379 --advertise-client-urls https://m3.etcd.local:32379 --listen-peer-urls https://127.0.0.1:32380 --initial-advertise-peer-urls=https://m3.etcd.local:32380 --initial-cluster-token tkn --discovery-srv=etcd.local --initial-cluster-state new --peer-cert-file=/certs-gateway/server.crt --peer-key-file=/certs-gateway/server.key.insecure --peer-trusted-ca-file=/certs-gateway/ca.crt --peer-client-cert-auth --cert-file=/certs-gateway/server.crt --key-file=/certs-gateway/server.key.insecure --trusted-ca-file=/certs-gateway/ca.crt --client-cert-auth + +gateway: ./etcd gateway start --discovery-srv etcd.local --trusted-ca-file /certs-gateway/ca.crt --listen-addr 127.0.0.1:23790 diff --git a/hack/scripts-dev/docker-dns-srv/certs-gateway/ca-csr.json b/hack/scripts-dev/docker-dns-srv/certs-gateway/ca-csr.json new file mode 100644 index 000000000..ecafabaad --- /dev/null +++ b/hack/scripts-dev/docker-dns-srv/certs-gateway/ca-csr.json @@ -0,0 +1,19 @@ +{ + "key": { + "algo": "rsa", + "size": 2048 + }, + "names": [ + { + "O": "etcd", + "OU": "etcd Security", + "L": "San Francisco", + "ST": "California", + "C": "USA" + } + ], + "CN": "ca", + "ca": { + "expiry": "87600h" + } +} diff --git a/hack/scripts-dev/docker-dns-srv/certs-gateway/ca.crt b/hack/scripts-dev/docker-dns-srv/certs-gateway/ca.crt new file mode 100644 index 000000000..19b26c455 --- /dev/null +++ b/hack/scripts-dev/docker-dns-srv/certs-gateway/ca.crt @@ -0,0 +1,22 @@ +-----BEGIN CERTIFICATE----- +MIIDsTCCApmgAwIBAgIUbQA3lX1hcR1W8D5wmmAwaLp4AWQwDQYJKoZIhvcNAQEL +BQAwbzEMMAoGA1UEBhMDVVNBMRMwEQYDVQQIEwpDYWxpZm9ybmlhMRYwFAYDVQQH +Ew1TYW4gRnJhbmNpc2NvMQ0wCwYDVQQKEwRldGNkMRYwFAYDVQQLEw1ldGNkIFNl +Y3VyaXR5MQswCQYDVQQDEwJjYTAeFw0xNzEyMDExOTI5MDBaFw0yNzExMjkxOTI5 +MDBaMG8xDDAKBgNVBAYTA1VTQTETMBEGA1UECBMKQ2FsaWZvcm5pYTEWMBQGA1UE +BxMNU2FuIEZyYW5jaXNjbzENMAsGA1UEChMEZXRjZDEWMBQGA1UECxMNZXRjZCBT +ZWN1cml0eTELMAkGA1UEAxMCY2EwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEK +AoIBAQDdZjG+dJixdUuZLIlPVE/qvqNqbgIQy3Hrgq9OlPevLu3FAKIgTHoSKugq +jOuBjzAtmbGTky3PPmkjWrOUWKEUYMuJJzXA1fO2NALXle47NVyVVfuwCmDnaAAL +Sw4QTZKREoe3EwswbeYguQinCqazRwbXMzzfypIfaHAyGrqFCq12IvarrjfDcamm +egtPkxNNdj1QHbkeYXcp76LOSBRjD2B3bzZvyVv/wPORaGTFXQ0feGz/93/Y/E0z +BL5TdZ84qmgKxW04hxkhhuuxsL5zDNpbXcGm//Zw9qzO/AvtEux6ag9t0JziiEtj +zLz5M7yXivfG4oxEeLKTieS/1ZkbAgMBAAGjRTBDMA4GA1UdDwEB/wQEAwIBBjAS +BgNVHRMBAf8ECDAGAQH/AgECMB0GA1UdDgQWBBR7XtZP3fc6ElgHl6hdSHLmrFWj +MzANBgkqhkiG9w0BAQsFAAOCAQEAPy3ol3CPyFxuWD0IGKde26p1mT8cdoaeRbOa +2Z3GMuRrY2ojaKMfXuroOi+5ZbR9RSvVXhVX5tEMOSy81tb5OGPZP24Eroh4CUfK +bw7dOeBNCm9tcmHkV+5frJwOgjN2ja8W8jBlV1flLx+Jpyk2PSGun5tQPsDlqzor +E8QQ2FzCzxoGiEpB53t5gKeX+mH6gS1c5igJ5WfsEGXBC4xJm/u8/sg30uCGP6kT +tCoQ8gnvGen2OqYJEfCIEk28/AZJvJ90TJFS3ExXJpyfImK9j5VcTohW+KvcX5xF +W7M6KCGVBQtophobt3v/Zs4f11lWck9xVFCPGn9+LI1dbJUIIQ== +-----END CERTIFICATE----- diff --git a/hack/scripts-dev/docker-dns-srv/certs-gateway/gencert.json b/hack/scripts-dev/docker-dns-srv/certs-gateway/gencert.json new file mode 100644 index 000000000..09b67267b --- /dev/null +++ b/hack/scripts-dev/docker-dns-srv/certs-gateway/gencert.json @@ -0,0 +1,13 @@ +{ + "signing": { + "default": { + "usages": [ + "signing", + "key encipherment", + "server auth", + "client auth" + ], + "expiry": "87600h" + } + } +} diff --git a/hack/scripts-dev/docker-dns-srv/certs-gateway/gencerts.sh b/hack/scripts-dev/docker-dns-srv/certs-gateway/gencerts.sh new file mode 100755 index 000000000..efc098f53 --- /dev/null +++ b/hack/scripts-dev/docker-dns-srv/certs-gateway/gencerts.sh @@ -0,0 +1,26 @@ +#!/bin/bash + +if ! [[ "$0" =~ "./gencerts.sh" ]]; then + echo "must be run from 'fixtures'" + exit 255 +fi + +if ! which cfssl; then + echo "cfssl is not installed" + exit 255 +fi + +cfssl gencert --initca=true ./ca-csr.json | cfssljson --bare ./ca +mv ca.pem ca.crt +openssl x509 -in ca.crt -noout -text + +# generate wildcard certificates DNS: *.etcd.local +cfssl gencert \ + --ca ./ca.crt \ + --ca-key ./ca-key.pem \ + --config ./gencert.json \ + ./server-ca-csr.json | cfssljson --bare ./server +mv server.pem server.crt +mv server-key.pem server.key.insecure + +rm -f *.csr *.pem *.stderr *.txt diff --git a/hack/scripts-dev/docker-dns-srv/certs-gateway/run.sh b/hack/scripts-dev/docker-dns-srv/certs-gateway/run.sh new file mode 100755 index 000000000..ef4c1667c --- /dev/null +++ b/hack/scripts-dev/docker-dns-srv/certs-gateway/run.sh @@ -0,0 +1,47 @@ +#!/bin/sh +rm -rf /tmp/m1.data /tmp/m2.data /tmp/m3.data + +/etc/init.d/bind9 start + +# get rid of hosts so go lookup won't resolve 127.0.0.1 to localhost +cat /dev/null >/etc/hosts + +goreman -f /certs-gateway/Procfile start & + +# TODO: remove random sleeps +sleep 7s + +ETCDCTL_API=3 ./etcdctl \ + --cacert=/certs-gateway/ca.crt \ + --cert=/certs-gateway/server.crt \ + --key=/certs-gateway/server.key.insecure \ + --discovery-srv etcd.local \ + endpoint health --cluster + +ETCDCTL_API=3 ./etcdctl \ + --cacert=/certs-gateway/ca.crt \ + --cert=/certs-gateway/server.crt \ + --key=/certs-gateway/server.key.insecure \ + --discovery-srv etcd.local \ + put abc def + +ETCDCTL_API=3 ./etcdctl \ + --cacert=/certs-gateway/ca.crt \ + --cert=/certs-gateway/server.crt \ + --key=/certs-gateway/server.key.insecure \ + --discovery-srv etcd.local \ + get abc + +ETCDCTL_API=3 ./etcdctl \ + --cacert=/certs-gateway/ca.crt \ + --cert=/certs-gateway/server.crt \ + --key=/certs-gateway/server.key.insecure \ + --endpoints=127.0.0.1:23790 \ + put ghi jkl + +ETCDCTL_API=3 ./etcdctl \ + --cacert=/certs-gateway/ca.crt \ + --cert=/certs-gateway/server.crt \ + --key=/certs-gateway/server.key.insecure \ + --endpoints=127.0.0.1:23790 \ + get ghi diff --git a/hack/scripts-dev/docker-dns-srv/certs-gateway/server-ca-csr.json b/hack/scripts-dev/docker-dns-srv/certs-gateway/server-ca-csr.json new file mode 100644 index 000000000..72bd38082 --- /dev/null +++ b/hack/scripts-dev/docker-dns-srv/certs-gateway/server-ca-csr.json @@ -0,0 +1,23 @@ +{ + "key": { + "algo": "rsa", + "size": 2048 + }, + "names": [ + { + "O": "etcd", + "OU": "etcd Security", + "L": "San Francisco", + "ST": "California", + "C": "USA" + } + ], + "hosts": [ + "m1.etcd.local", + "m2.etcd.local", + "m3.etcd.local", + "etcd.local", + "127.0.0.1", + "localhost" + ] +} diff --git a/hack/scripts-dev/docker-dns-srv/certs-gateway/server.crt b/hack/scripts-dev/docker-dns-srv/certs-gateway/server.crt new file mode 100644 index 000000000..ef591cc7c --- /dev/null +++ b/hack/scripts-dev/docker-dns-srv/certs-gateway/server.crt @@ -0,0 +1,25 @@ +-----BEGIN CERTIFICATE----- +MIIENTCCAx2gAwIBAgIUcviGEkA57QgUUFUIuB23kO/jHWIwDQYJKoZIhvcNAQEL +BQAwbzEMMAoGA1UEBhMDVVNBMRMwEQYDVQQIEwpDYWxpZm9ybmlhMRYwFAYDVQQH +Ew1TYW4gRnJhbmNpc2NvMQ0wCwYDVQQKEwRldGNkMRYwFAYDVQQLEw1ldGNkIFNl +Y3VyaXR5MQswCQYDVQQDEwJjYTAeFw0xNzEyMDExOTI5MDBaFw0yNzExMjkxOTI5 +MDBaMGIxDDAKBgNVBAYTA1VTQTETMBEGA1UECBMKQ2FsaWZvcm5pYTEWMBQGA1UE +BxMNU2FuIEZyYW5jaXNjbzENMAsGA1UEChMEZXRjZDEWMBQGA1UECxMNZXRjZCBT +ZWN1cml0eTCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAL6rB1Kh08Fo +FieWqzB4WvKxSFjLWlNfAXbSC1IEPEc/2JOSTF/VfsEX7Xf4eDlTUIZ/TpMS4nUE +Jn0rOIxDJWieQgF99a88CKCwVeqyiQ1iGlI/Ls78P7712QJ1QvcYPBRCvAFo2VLg +TSNhq4taRtAnP690TJVKMSxHg7qtMIpiBLc8ryNbtNUkQHl7/puiBZVVFwHQZm6d +ZRkfMqXWs4+VKLTx0pqJaM0oWVISQlLWQV83buVsuDVyLAZu2MjRYZwBj9gQwZDO +15VGvacjMU+l1+nLRuODrpGeGlxwfT57jqipbUtTsoZFsGxPdIWn14M6Pzw/mML4 +guYLKv3UqkkCAwEAAaOB1TCB0jAOBgNVHQ8BAf8EBAMCBaAwHQYDVR0lBBYwFAYI +KwYBBQUHAwEGCCsGAQUFBwMCMAwGA1UdEwEB/wQCMAAwHQYDVR0OBBYEFKYKYVPu +XPnZ2j0NORiNPUJpBnhkMB8GA1UdIwQYMBaAFHte1k/d9zoSWAeXqF1IcuasVaMz +MFMGA1UdEQRMMEqCDW0xLmV0Y2QubG9jYWyCDW0yLmV0Y2QubG9jYWyCDW0zLmV0 +Y2QubG9jYWyCCmV0Y2QubG9jYWyCCWxvY2FsaG9zdIcEfwAAATANBgkqhkiG9w0B +AQsFAAOCAQEAK40lD6Nx/V6CaShL95fQal7mFp/LXiyrlFTqCqrCruVnntwpukSx +I864bNMxVSTStEA3NM5V4mGuYjRvdjS65LBhaS1MQDPb4ofPj0vnxDOx6fryRIsB +wYKDuT4LSQ7pV/hBfL/bPb+itvb24G4/ECbduOprrywxmZskeEm/m0WqUb1A08Hv +6vDleyt382Wnxahq8txhMU+gNLTGVne60hhfLR+ePK7MJ4oyk3yeUxsmsnBkYaOu +gYOak5nWzRa09dLq6/vHQLt6n0AB0VurMAjshzO2rsbdOkD233sdkvKiYpayAyEf +Iu7S5vNjP9jiUgmws6G95wgJOd2xv54D4Q== +-----END CERTIFICATE----- diff --git a/hack/scripts-dev/docker-dns-srv/certs-gateway/server.key.insecure b/hack/scripts-dev/docker-dns-srv/certs-gateway/server.key.insecure new file mode 100644 index 000000000..623457b5d --- /dev/null +++ b/hack/scripts-dev/docker-dns-srv/certs-gateway/server.key.insecure @@ -0,0 +1,27 @@ +-----BEGIN RSA PRIVATE KEY----- +MIIEowIBAAKCAQEAvqsHUqHTwWgWJ5arMHha8rFIWMtaU18BdtILUgQ8Rz/Yk5JM +X9V+wRftd/h4OVNQhn9OkxLidQQmfSs4jEMlaJ5CAX31rzwIoLBV6rKJDWIaUj8u +zvw/vvXZAnVC9xg8FEK8AWjZUuBNI2Gri1pG0Cc/r3RMlUoxLEeDuq0wimIEtzyv +I1u01SRAeXv+m6IFlVUXAdBmbp1lGR8ypdazj5UotPHSmolozShZUhJCUtZBXzdu +5Wy4NXIsBm7YyNFhnAGP2BDBkM7XlUa9pyMxT6XX6ctG44OukZ4aXHB9PnuOqKlt +S1OyhkWwbE90hafXgzo/PD+YwviC5gsq/dSqSQIDAQABAoIBAEAOsb0fRUdbMuZG +BmmYZeXXjdjXKReNea5zzv3VEnNVjeu2YRZpYdZ5tXxy6+FGjm1BZCKhW5e4tz2i +QbNN88l8MezSZrJi1vs1gwgAx27JoNI1DALaWIhNjIT45HCjobuk2AkZMrpXRVM3 +wyxkPho8tXa6+efGL1MTC7yx5vb2dbhnEsjrPdUO0GLVP56bgrz7vRk+hE772uq2 +QDenZg+PcH+hOhptbY1h9CYotGWYXCpi0+yoHhsh5PTcEpyPmLWSkACsHovm3MIn +a5oU0uh28nVBfYE0Sk6I9XBERHVO/OrCvz4Y3ZbVyGpCdLcaMB5wI1P4a5ULV52+ +VPrALQkCgYEA+w85KYuL+eUjHeMqa8V8A9xgcl1+dvB8SXgfRRm5QTqxgetzurD9 +G7vgMex42nqgoW1XUx6i9roRk3Qn3D2NKvBJcpMohYcY3HcGkCsBwtNUCyOWKasS +Oj2q9LzPjVqTFII0zzarQ85XuuZyTRieFAMoYmsS8O/GcapKqYhPIDMCgYEAwmuR +ctnCNgoEj1NaLBSAcq7njONvYUFvbXO8BCyd1WeLZyz/krgXxuhQh9oXIccWAKX2 +uxIDaoWV8F5c8bNOkeebHzVHfaLpwl4IlLa/i5WTIc+IZmpBR0aiS021k/M3KkDg +KnQXAer6jEymT3lUL0AqZd+GX6DjFw61zPOFH5MCgYAnCiv6YN/IYTA/woZjMddi +Bk/dGNrEhgrdpdc++IwNL6JQsJtTaZhCSsnHGZ2FY9I8p/MPUtFGipKXGlXkcpHU +Hn9dWLLRaLud9MhJfNaORCxqewMrwZVZByPhYMbplS8P3lt16WtiZODRiGo3wN87 +/221OC8+1hpGrJNln3OmbwKBgDV8voEoY4PWcba0qcQix8vFTrK2B3hsNimYg4tq +cum5GOMDwDQvLWttkmotl9uVF/qJrj19ES+HHN8KNuvP9rexTj3hvI9V+JWepSG0 +vTG7rsTIgbAbX2Yqio/JC0Fu0ihvvLwxP/spGFDs7XxD1uNA9ekc+6znaFJ5m46N +GHy9AoGBAJmGEv5+rM3cucRyYYhE7vumXeCLXyAxxaf0f7+1mqRVO6uNGNGbNY6U +Heq6De4yc1VeAXUpkGQi/afPJNMU+fy8paCjFyzID1yLvdtFOG38KDbgMmj4t+cH +xTp2RT3MkcCWPq2+kXZeQjPdesPkzdB+nA8ckaSursV908n6AHcM +-----END RSA PRIVATE KEY----- diff --git a/hack/scripts-dev/docker-dns-srv/certs-wildcard/Procfile b/hack/scripts-dev/docker-dns-srv/certs-wildcard/Procfile new file mode 100644 index 000000000..02613553c --- /dev/null +++ b/hack/scripts-dev/docker-dns-srv/certs-wildcard/Procfile @@ -0,0 +1,5 @@ +etcd1: ./etcd --name m1 --data-dir /tmp/m1.data --listen-client-urls https://127.0.0.1:2379 --advertise-client-urls https://m1.etcd.local:2379 --listen-peer-urls https://127.0.0.1:2380 --initial-advertise-peer-urls=https://m1.etcd.local:2380 --initial-cluster-token tkn --discovery-srv=etcd.local --initial-cluster-state new --peer-cert-file=/certs-wildcard/server.crt --peer-key-file=/certs-wildcard/server.key.insecure --peer-trusted-ca-file=/certs-wildcard/ca.crt --peer-client-cert-auth --cert-file=/certs-wildcard/server.crt --key-file=/certs-wildcard/server.key.insecure --trusted-ca-file=/certs-wildcard/ca.crt --client-cert-auth + +etcd2: ./etcd --name m2 --data-dir /tmp/m2.data --listen-client-urls https://127.0.0.1:22379 --advertise-client-urls https://m2.etcd.local:22379 --listen-peer-urls https://127.0.0.1:22380 --initial-advertise-peer-urls=https://m2.etcd.local:22380 --initial-cluster-token tkn --discovery-srv=etcd.local --initial-cluster-state new --peer-cert-file=/certs-wildcard/server.crt --peer-key-file=/certs-wildcard/server.key.insecure --peer-trusted-ca-file=/certs-wildcard/ca.crt --peer-client-cert-auth --cert-file=/certs-wildcard/server.crt --key-file=/certs-wildcard/server.key.insecure --trusted-ca-file=/certs-wildcard/ca.crt --client-cert-auth + +etcd3: ./etcd --name m3 --data-dir /tmp/m3.data --listen-client-urls https://127.0.0.1:32379 --advertise-client-urls https://m3.etcd.local:32379 --listen-peer-urls https://127.0.0.1:32380 --initial-advertise-peer-urls=https://m3.etcd.local:32380 --initial-cluster-token tkn --discovery-srv=etcd.local --initial-cluster-state new --peer-cert-file=/certs-wildcard/server.crt --peer-key-file=/certs-wildcard/server.key.insecure --peer-trusted-ca-file=/certs-wildcard/ca.crt --peer-client-cert-auth --cert-file=/certs-wildcard/server.crt --key-file=/certs-wildcard/server.key.insecure --trusted-ca-file=/certs-wildcard/ca.crt --client-cert-auth diff --git a/hack/scripts-dev/docker-dns-srv/certs-wildcard/ca-csr.json b/hack/scripts-dev/docker-dns-srv/certs-wildcard/ca-csr.json new file mode 100644 index 000000000..ecafabaad --- /dev/null +++ b/hack/scripts-dev/docker-dns-srv/certs-wildcard/ca-csr.json @@ -0,0 +1,19 @@ +{ + "key": { + "algo": "rsa", + "size": 2048 + }, + "names": [ + { + "O": "etcd", + "OU": "etcd Security", + "L": "San Francisco", + "ST": "California", + "C": "USA" + } + ], + "CN": "ca", + "ca": { + "expiry": "87600h" + } +} diff --git a/hack/scripts-dev/docker-dns-srv/certs-wildcard/ca.crt b/hack/scripts-dev/docker-dns-srv/certs-wildcard/ca.crt new file mode 100644 index 000000000..c89d6531c --- /dev/null +++ b/hack/scripts-dev/docker-dns-srv/certs-wildcard/ca.crt @@ -0,0 +1,22 @@ +-----BEGIN CERTIFICATE----- +MIIDsTCCApmgAwIBAgIUWzsBehxAkgLLYBUZEUpSjHkIaMowDQYJKoZIhvcNAQEL +BQAwbzEMMAoGA1UEBhMDVVNBMRMwEQYDVQQIEwpDYWxpZm9ybmlhMRYwFAYDVQQH +Ew1TYW4gRnJhbmNpc2NvMQ0wCwYDVQQKEwRldGNkMRYwFAYDVQQLEw1ldGNkIFNl +Y3VyaXR5MQswCQYDVQQDEwJjYTAeFw0xNzExMTUxODAyMDBaFw0yNzExMTMxODAy +MDBaMG8xDDAKBgNVBAYTA1VTQTETMBEGA1UECBMKQ2FsaWZvcm5pYTEWMBQGA1UE +BxMNU2FuIEZyYW5jaXNjbzENMAsGA1UEChMEZXRjZDEWMBQGA1UECxMNZXRjZCBT +ZWN1cml0eTELMAkGA1UEAxMCY2EwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEK +AoIBAQCxjHVNtcCSCz1w9AiN7zAql0ZsPN6MNQWJ2j3iPCvmy9oi0wqSfYXTs+xw +Y4Q+j0dfA54+PcyIOSBQCZBeLLIwCaXN+gLkMxYEWCCVgWYUa6UY+NzPKRCfkbwG +oE2Ilv3R1FWIpMqDVE2rLmTb3YxSiw460Ruv4l16kodEzfs4BRcqrEiobBwaIMLd +0rDJju7Q2TcioNji+HFoXV2aLN58LDgKO9AqszXxW88IKwUspfGBcsA4Zti/OHr+ +W+i/VxsxnQSJiAoKYbv9SkS8fUWw2hQ9SBBCKqE3jLzI71HzKgjS5TiQVZJaD6oK +cw8FjexOELZd4r1+/p+nQdKqwnb5AgMBAAGjRTBDMA4GA1UdDwEB/wQEAwIBBjAS +BgNVHRMBAf8ECDAGAQH/AgECMB0GA1UdDgQWBBRLfPxmhlZix1eTdBMAzMVlAnOV +gTANBgkqhkiG9w0BAQsFAAOCAQEAeT2NfOt3WsBLUVcnyGMeVRQ0gXazxJXD/Z+3 +2RF3KClqBLuGmPUZVl0FU841J6hLlwNjS33mye7k2OHrjJcouElbV3Olxsgh/EV0 +J7b7Wf4zWYHFNZz/VxwGHunsEZ+SCXUzU8OiMrEcHkOVzhtbC2veVPJzrESqd88z +m1MseGW636VIcrg4fYRS9EebRPFvlwfymMd+bqLky9KsUbjNupYd/TlhpAudrIzA +wO9ZUDb/0P44iOo+xURCoodxDTM0vvfZ8eJ6VZ/17HIf/a71kvk1oMqEhf060nmF +IxnbK6iUqqhV8DLE1869vpFvgbDdOxP7BeabN5FXEnZFDTLDqg== +-----END CERTIFICATE----- diff --git a/hack/scripts-dev/docker-dns-srv/certs-wildcard/gencert.json b/hack/scripts-dev/docker-dns-srv/certs-wildcard/gencert.json new file mode 100644 index 000000000..09b67267b --- /dev/null +++ b/hack/scripts-dev/docker-dns-srv/certs-wildcard/gencert.json @@ -0,0 +1,13 @@ +{ + "signing": { + "default": { + "usages": [ + "signing", + "key encipherment", + "server auth", + "client auth" + ], + "expiry": "87600h" + } + } +} diff --git a/hack/scripts-dev/docker-dns-srv/certs-wildcard/gencerts.sh b/hack/scripts-dev/docker-dns-srv/certs-wildcard/gencerts.sh new file mode 100755 index 000000000..efc098f53 --- /dev/null +++ b/hack/scripts-dev/docker-dns-srv/certs-wildcard/gencerts.sh @@ -0,0 +1,26 @@ +#!/bin/bash + +if ! [[ "$0" =~ "./gencerts.sh" ]]; then + echo "must be run from 'fixtures'" + exit 255 +fi + +if ! which cfssl; then + echo "cfssl is not installed" + exit 255 +fi + +cfssl gencert --initca=true ./ca-csr.json | cfssljson --bare ./ca +mv ca.pem ca.crt +openssl x509 -in ca.crt -noout -text + +# generate wildcard certificates DNS: *.etcd.local +cfssl gencert \ + --ca ./ca.crt \ + --ca-key ./ca-key.pem \ + --config ./gencert.json \ + ./server-ca-csr.json | cfssljson --bare ./server +mv server.pem server.crt +mv server-key.pem server.key.insecure + +rm -f *.csr *.pem *.stderr *.txt diff --git a/hack/scripts-dev/docker-dns-srv/certs-wildcard/run.sh b/hack/scripts-dev/docker-dns-srv/certs-wildcard/run.sh new file mode 100755 index 000000000..13e16bda9 --- /dev/null +++ b/hack/scripts-dev/docker-dns-srv/certs-wildcard/run.sh @@ -0,0 +1,33 @@ +#!/bin/sh +rm -rf /tmp/m1.data /tmp/m2.data /tmp/m3.data + +/etc/init.d/bind9 start + +# get rid of hosts so go lookup won't resolve 127.0.0.1 to localhost +cat /dev/null >/etc/hosts + +goreman -f /certs-wildcard/Procfile start & + +# TODO: remove random sleeps +sleep 7s + +ETCDCTL_API=3 ./etcdctl \ + --cacert=/certs-wildcard/ca.crt \ + --cert=/certs-wildcard/server.crt \ + --key=/certs-wildcard/server.key.insecure \ + --discovery-srv etcd.local \ + endpoint health --cluster + +ETCDCTL_API=3 ./etcdctl \ + --cacert=/certs-wildcard/ca.crt \ + --cert=/certs-wildcard/server.crt \ + --key=/certs-wildcard/server.key.insecure \ + --discovery-srv etcd.local \ + put abc def + +ETCDCTL_API=3 ./etcdctl \ + --cacert=/certs-wildcard/ca.crt \ + --cert=/certs-wildcard/server.crt \ + --key=/certs-wildcard/server.key.insecure \ + --discovery-srv etcd.local \ + get abc diff --git a/hack/scripts-dev/docker-dns-srv/certs-wildcard/server-ca-csr.json b/hack/scripts-dev/docker-dns-srv/certs-wildcard/server-ca-csr.json new file mode 100644 index 000000000..fd9adae03 --- /dev/null +++ b/hack/scripts-dev/docker-dns-srv/certs-wildcard/server-ca-csr.json @@ -0,0 +1,21 @@ +{ + "key": { + "algo": "rsa", + "size": 2048 + }, + "names": [ + { + "O": "etcd", + "OU": "etcd Security", + "L": "San Francisco", + "ST": "California", + "C": "USA" + } + ], + "hosts": [ + "*.etcd.local", + "etcd.local", + "127.0.0.1", + "localhost" + ] +} diff --git a/hack/scripts-dev/docker-dns-srv/certs-wildcard/server.crt b/hack/scripts-dev/docker-dns-srv/certs-wildcard/server.crt new file mode 100644 index 000000000..385f0321c --- /dev/null +++ b/hack/scripts-dev/docker-dns-srv/certs-wildcard/server.crt @@ -0,0 +1,24 @@ +-----BEGIN CERTIFICATE----- +MIIEFjCCAv6gAwIBAgIUCIUuNuEPRjp/EeDBNHipRI/qoAcwDQYJKoZIhvcNAQEL +BQAwbzEMMAoGA1UEBhMDVVNBMRMwEQYDVQQIEwpDYWxpZm9ybmlhMRYwFAYDVQQH +Ew1TYW4gRnJhbmNpc2NvMQ0wCwYDVQQKEwRldGNkMRYwFAYDVQQLEw1ldGNkIFNl +Y3VyaXR5MQswCQYDVQQDEwJjYTAeFw0xNzExMTUxODAyMDBaFw0yNzExMTMxODAy +MDBaMGIxDDAKBgNVBAYTA1VTQTETMBEGA1UECBMKQ2FsaWZvcm5pYTEWMBQGA1UE +BxMNU2FuIEZyYW5jaXNjbzENMAsGA1UEChMEZXRjZDEWMBQGA1UECxMNZXRjZCBT +ZWN1cml0eTCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAMzoOebyKdXF +5QiVs0mB3cVqMRgRoRGWt9emIOsYCX89SBaRNOIAByop98Vb1GmUDNDv1qR4Oq+m +4JlWhgZniABWpekFw8mpN8wMIT86DoNnTe64ouLkDQRZDYOBO9I2+r4EuschRxNs ++Hh5W9JzX/eOomnOhaZfTp6EaxczRHnVmgkWuFUnacfUf7W2FE/HAYfjYpvXw5/+ +eT9AW+Jg/b9SkyU9XKEpWZT7NMqF9OXDXYdxHtRNTGxasLEqPZnG58mqR2QFU2me +/motY24faZpHo8i9ASb03Vy6xee2/FlS6cj2POCGQx3oLZsiQdgIOva7JrQtRsCn +e5P0Wk4qk+cCAwEAAaOBtjCBszAOBgNVHQ8BAf8EBAMCBaAwHQYDVR0lBBYwFAYI +KwYBBQUHAwEGCCsGAQUFBwMCMAwGA1UdEwEB/wQCMAAwHQYDVR0OBBYEFCI+fP2T +xgvJG68Xdgamg4lzGRX1MB8GA1UdIwQYMBaAFEt8/GaGVmLHV5N0EwDMxWUCc5WB +MDQGA1UdEQQtMCuCDCouZXRjZC5sb2NhbIIKZXRjZC5sb2NhbIIJbG9jYWxob3N0 +hwR/AAABMA0GCSqGSIb3DQEBCwUAA4IBAQASub3+YZAXJ8x8b55Hl7FkkIt+rML1 +LdgPHsolNntNXeSqVJ4oi4KvuaM0ueFf/+AlTusTAbXWbi/qiG5Tw24xyzY6NGgV +/vCs56YqNlFyr3bNp1QJlnV3JQ4d3KqosulJ5jk+InhjAKJKomMH01pYhhStRAKg +1fNwSyD34oyZpSQL0Z7X7wdaMGdOmzxwE99EG6jmYl/P7MiP6rC0WP1elIF4sCGM +jY6oewvIMj0zWloBf/NlzrcY7VKpPqvBnV65Tllyo5n4y1sc8y2uzgJO/QnVKqhp +Sdd/74mU8dSh3ALSOqkbmIBhqig21jP7GBgNCNdmsaR2LvPI97n1PYE7 +-----END CERTIFICATE----- diff --git a/hack/scripts-dev/docker-dns-srv/certs-wildcard/server.key.insecure b/hack/scripts-dev/docker-dns-srv/certs-wildcard/server.key.insecure new file mode 100644 index 000000000..2b6595fa8 --- /dev/null +++ b/hack/scripts-dev/docker-dns-srv/certs-wildcard/server.key.insecure @@ -0,0 +1,27 @@ +-----BEGIN RSA PRIVATE KEY----- +MIIEowIBAAKCAQEAzOg55vIp1cXlCJWzSYHdxWoxGBGhEZa316Yg6xgJfz1IFpE0 +4gAHKin3xVvUaZQM0O/WpHg6r6bgmVaGBmeIAFal6QXDyak3zAwhPzoOg2dN7rii +4uQNBFkNg4E70jb6vgS6xyFHE2z4eHlb0nNf946iac6Fpl9OnoRrFzNEedWaCRa4 +VSdpx9R/tbYUT8cBh+Nim9fDn/55P0Bb4mD9v1KTJT1coSlZlPs0yoX05cNdh3Ee +1E1MbFqwsSo9mcbnyapHZAVTaZ7+ai1jbh9pmkejyL0BJvTdXLrF57b8WVLpyPY8 +4IZDHegtmyJB2Ag69rsmtC1GwKd7k/RaTiqT5wIDAQABAoIBAF0nTfuCKCa5WtA2 +TlWippGzHzKUASef32A4dEqsmNSxpW4tAV+lJ5yxi6S7hKui1Ni/0FLhHbzxHrZX +MYMD2j5dJfvz1Ph+55DqCstVt3dhpXpbkiGYD5rkaVJZlDqTKBbuy4LvzAI2zhbn +BSl9rik7PPbhHr1uIq3KAW2Arya7dlpPZiEX04Dg9xqZvxZkxt9IM25E+uzTWKSR +v5BRmijWiGJ6atujgmP7KcYtgBC5EDR9yZf2uK+hnsKEcH94TUkTnJriTcOCKVbb +isAuzsxStLpmyibfiLXD55aYjzr7KRVzQpoVXGJ4vJfs7lTxqxXBjUIsBJMPBcck +ATabIcECgYEA8C8JeKPmcA4KaGFSusF5OsXt4SM9jz5Kr7larA+ozuuR/z0m4pnx +AdjwQiGlhXaMtyziZ7Uwx+tmfnJDijpE/hUnkcAIKheDLXB/r1VpJdj/mqXtK49Y +mnOxV66TcWAmXav31TgmLVSj0SYLGEnvV4MPbgJroMg3VO7LnNbNL7cCgYEA2maB +Edbn4pJqUjVCZG68m0wQHmFZFOaoYZLeR3FgH+PQYIzUj96TP9XFpOwBmYAl2jiM +kQZ3Q6VQY37rwu0M+2BVFkQFnFbelH5jXbHDLdoeFDGCRnJkH2VG1kE/rPfzVsiz +NFDJD+17kPw3tTdHwDYGHwxyNuEoBQw3q6hfXVECgYBEUfzttiGMalIHkveHbBVh +5H9f9ThDkMKJ7b2fB+1KvrOO2QRAnO1zSxQ8m3mL10b7q+bS/TVdCNbkzPftT9nk +NHxG90rbPkjwGfoYE8GPJITApsYqB+J6PMKLYHtMWr9PEeWzXv9tEZBvo9SwGgfc +6sjuz/1xhMJIhIyilm9TTQKBgHRsYDGaVlK5qmPYcGQJhBFlItKPImW579jT6ho7 +nfph/xr49/cZt3U4B/w6sz+YyJTjwEsvHzS4U3o2lod6xojaeYE9EaCdzllqZp3z +vRAcThyFp+TV5fm2i2R7s+4I33dL1fv1dLlA57YKPcgkh+M26Vxzzg7jR+oo8SRY +xT2BAoGBAKNR60zpSQZ2SuqEoWcj1Nf+KloZv2tZcnsHhqhiugbYhZOQVyTCNipa +Ib3/BGERCyI7oWMk0yTTQK4wg3+0EsxQX10hYJ5+rd4btWac7G/tjo2+BSaTnWSW +0vWM/nu33Pq0JHYIo0q0Jee0evTgizqH9UJ3wI5LG29LKwurXxPW +-----END RSA PRIVATE KEY----- diff --git a/hack/scripts-dev/docker-dns-srv/certs/Procfile b/hack/scripts-dev/docker-dns-srv/certs/Procfile new file mode 100644 index 000000000..0b54c5665 --- /dev/null +++ b/hack/scripts-dev/docker-dns-srv/certs/Procfile @@ -0,0 +1,5 @@ +etcd1: ./etcd --name m1 --data-dir /tmp/m1.data --listen-client-urls https://127.0.0.1:2379 --advertise-client-urls https://m1.etcd.local:2379 --listen-peer-urls https://127.0.0.1:2380 --initial-advertise-peer-urls=https://m1.etcd.local:2380 --initial-cluster-token tkn --discovery-srv=etcd.local --initial-cluster-state new --peer-cert-file=/certs/server.crt --peer-key-file=/certs/server.key.insecure --peer-trusted-ca-file=/certs/ca.crt --peer-client-cert-auth --cert-file=/certs/server.crt --key-file=/certs/server.key.insecure --trusted-ca-file=/certs/ca.crt --client-cert-auth + +etcd2: ./etcd --name m2 --data-dir /tmp/m2.data --listen-client-urls https://127.0.0.1:22379 --advertise-client-urls https://m2.etcd.local:22379 --listen-peer-urls https://127.0.0.1:22380 --initial-advertise-peer-urls=https://m2.etcd.local:22380 --initial-cluster-token tkn --discovery-srv=etcd.local --initial-cluster-state new --peer-cert-file=/certs/server.crt --peer-key-file=/certs/server.key.insecure --peer-trusted-ca-file=/certs/ca.crt --peer-client-cert-auth --cert-file=/certs/server.crt --key-file=/certs/server.key.insecure --trusted-ca-file=/certs/ca.crt --client-cert-auth + +etcd3: ./etcd --name m3 --data-dir /tmp/m3.data --listen-client-urls https://127.0.0.1:32379 --advertise-client-urls https://m3.etcd.local:32379 --listen-peer-urls https://127.0.0.1:32380 --initial-advertise-peer-urls=https://m3.etcd.local:32380 --initial-cluster-token tkn --discovery-srv=etcd.local --initial-cluster-state new --peer-cert-file=/certs/server.crt --peer-key-file=/certs/server.key.insecure --peer-trusted-ca-file=/certs/ca.crt --peer-client-cert-auth --cert-file=/certs/server.crt --key-file=/certs/server.key.insecure --trusted-ca-file=/certs/ca.crt --client-cert-auth diff --git a/hack/scripts-dev/docker-dns-srv/certs/ca-csr.json b/hack/scripts-dev/docker-dns-srv/certs/ca-csr.json new file mode 100644 index 000000000..ecafabaad --- /dev/null +++ b/hack/scripts-dev/docker-dns-srv/certs/ca-csr.json @@ -0,0 +1,19 @@ +{ + "key": { + "algo": "rsa", + "size": 2048 + }, + "names": [ + { + "O": "etcd", + "OU": "etcd Security", + "L": "San Francisco", + "ST": "California", + "C": "USA" + } + ], + "CN": "ca", + "ca": { + "expiry": "87600h" + } +} diff --git a/hack/scripts-dev/docker-dns-srv/certs/ca.crt b/hack/scripts-dev/docker-dns-srv/certs/ca.crt new file mode 100644 index 000000000..b853bf4cc --- /dev/null +++ b/hack/scripts-dev/docker-dns-srv/certs/ca.crt @@ -0,0 +1,22 @@ +-----BEGIN CERTIFICATE----- +MIIDsTCCApmgAwIBAgIUfPEaJnrBzeHM8echLjsPOsV1IzUwDQYJKoZIhvcNAQEL +BQAwbzEMMAoGA1UEBhMDVVNBMRMwEQYDVQQIEwpDYWxpZm9ybmlhMRYwFAYDVQQH +Ew1TYW4gRnJhbmNpc2NvMQ0wCwYDVQQKEwRldGNkMRYwFAYDVQQLEw1ldGNkIFNl +Y3VyaXR5MQswCQYDVQQDEwJjYTAeFw0xNzExMjIxNzMzMDBaFw0yNzExMjAxNzMz +MDBaMG8xDDAKBgNVBAYTA1VTQTETMBEGA1UECBMKQ2FsaWZvcm5pYTEWMBQGA1UE +BxMNU2FuIEZyYW5jaXNjbzENMAsGA1UEChMEZXRjZDEWMBQGA1UECxMNZXRjZCBT +ZWN1cml0eTELMAkGA1UEAxMCY2EwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEK +AoIBAQDDU14WMuV1AC+6wDWRF6itx71EljW7Prw2drhuxOC3bE+QQx4LGcY2OP9N +9MC9u9M0s8waGDAbZvdLmCMfAAJoJ05rLcO7F2XEr7Ww7jUWl7+B/sW8ENQiqtUY +1JqLVjwducxmfHspAmSkhEpDBTiTFsya/i1Ic+ctfxDLtsNGgQuA9mCiBvuUhbWG +CkB0JpuL4s6LMuDukQHpZZCDnq0Y26M9sZnjmowbdRoQlhVId6Tl5b5b4Y3qLLbe +r1E+VChcPpOYrKhXBOW/dT5ph/fIQDuVKN6E5Z54AMm3fKsP3MLGBCMfFqIVg1+s +BZA5/Jau+US8Ll4bn8sy/HK1xoy/AgMBAAGjRTBDMA4GA1UdDwEB/wQEAwIBBjAS +BgNVHRMBAf8ECDAGAQH/AgECMB0GA1UdDgQWBBSZZ+PEsPywCRKo/fxY2eSnI0wQ +IDANBgkqhkiG9w0BAQsFAAOCAQEAFU4QXMGx8zr8rKAp/IyGipDp/aQ49qYXPjIt +c92rzbYo11sJmBEXiYIOGuZdBBeawIzYsM8dW59LFO8ZcMq/gISBcS5ilqllw6SG +20UrFEKNzcPoRwXp3GSbSGr5PxTgWYWpwJaDa0j2qiM4PB9/IuTBqr6Vu1Olhx06 +mXztYl4UL0HPkuB4Td+BIhjc+ZpxCfBOOBpiwAyeh4SpJ3cpZrbyz7JAsCTtywzy +lVO4lfcmxTWwruRyYAnexHdBvnqa8GZw1gufZoSbMTsN4Zz/j3j9T2LG1Q0Agi7o +MhqPqhG/9ISjA0G3bu2B/jHbmWMVbb+ueEYtAz5JHFik2snRtA== +-----END CERTIFICATE----- diff --git a/hack/scripts-dev/docker-dns-srv/certs/gencert.json b/hack/scripts-dev/docker-dns-srv/certs/gencert.json new file mode 100644 index 000000000..09b67267b --- /dev/null +++ b/hack/scripts-dev/docker-dns-srv/certs/gencert.json @@ -0,0 +1,13 @@ +{ + "signing": { + "default": { + "usages": [ + "signing", + "key encipherment", + "server auth", + "client auth" + ], + "expiry": "87600h" + } + } +} diff --git a/hack/scripts-dev/docker-dns-srv/certs/gencerts.sh b/hack/scripts-dev/docker-dns-srv/certs/gencerts.sh new file mode 100755 index 000000000..efc098f53 --- /dev/null +++ b/hack/scripts-dev/docker-dns-srv/certs/gencerts.sh @@ -0,0 +1,26 @@ +#!/bin/bash + +if ! [[ "$0" =~ "./gencerts.sh" ]]; then + echo "must be run from 'fixtures'" + exit 255 +fi + +if ! which cfssl; then + echo "cfssl is not installed" + exit 255 +fi + +cfssl gencert --initca=true ./ca-csr.json | cfssljson --bare ./ca +mv ca.pem ca.crt +openssl x509 -in ca.crt -noout -text + +# generate wildcard certificates DNS: *.etcd.local +cfssl gencert \ + --ca ./ca.crt \ + --ca-key ./ca-key.pem \ + --config ./gencert.json \ + ./server-ca-csr.json | cfssljson --bare ./server +mv server.pem server.crt +mv server-key.pem server.key.insecure + +rm -f *.csr *.pem *.stderr *.txt diff --git a/hack/scripts-dev/docker-dns-srv/certs/run.sh b/hack/scripts-dev/docker-dns-srv/certs/run.sh new file mode 100755 index 000000000..066c9df67 --- /dev/null +++ b/hack/scripts-dev/docker-dns-srv/certs/run.sh @@ -0,0 +1,33 @@ +#!/bin/sh +rm -rf /tmp/m1.data /tmp/m2.data /tmp/m3.data + +/etc/init.d/bind9 start + +# get rid of hosts so go lookup won't resolve 127.0.0.1 to localhost +cat /dev/null >/etc/hosts + +goreman -f /certs/Procfile start & + +# TODO: remove random sleeps +sleep 7s + +ETCDCTL_API=3 ./etcdctl \ + --cacert=/certs/ca.crt \ + --cert=/certs/server.crt \ + --key=/certs/server.key.insecure \ + --discovery-srv etcd.local \ + endpoint health --cluster + +ETCDCTL_API=3 ./etcdctl \ + --cacert=/certs/ca.crt \ + --cert=/certs/server.crt \ + --key=/certs/server.key.insecure \ + --discovery-srv etcd.local \ + put abc def + +ETCDCTL_API=3 ./etcdctl \ + --cacert=/certs/ca.crt \ + --cert=/certs/server.crt \ + --key=/certs/server.key.insecure \ + --discovery-srv etcd.local \ + get abc diff --git a/hack/scripts-dev/docker-dns-srv/certs/server-ca-csr.json b/hack/scripts-dev/docker-dns-srv/certs/server-ca-csr.json new file mode 100644 index 000000000..72bd38082 --- /dev/null +++ b/hack/scripts-dev/docker-dns-srv/certs/server-ca-csr.json @@ -0,0 +1,23 @@ +{ + "key": { + "algo": "rsa", + "size": 2048 + }, + "names": [ + { + "O": "etcd", + "OU": "etcd Security", + "L": "San Francisco", + "ST": "California", + "C": "USA" + } + ], + "hosts": [ + "m1.etcd.local", + "m2.etcd.local", + "m3.etcd.local", + "etcd.local", + "127.0.0.1", + "localhost" + ] +} diff --git a/hack/scripts-dev/docker-dns-srv/certs/server.crt b/hack/scripts-dev/docker-dns-srv/certs/server.crt new file mode 100644 index 000000000..938fcf8f8 --- /dev/null +++ b/hack/scripts-dev/docker-dns-srv/certs/server.crt @@ -0,0 +1,25 @@ +-----BEGIN CERTIFICATE----- +MIIENTCCAx2gAwIBAgIUPr4J62m04v7Sr5rFop1P0+VbN+8wDQYJKoZIhvcNAQEL +BQAwbzEMMAoGA1UEBhMDVVNBMRMwEQYDVQQIEwpDYWxpZm9ybmlhMRYwFAYDVQQH +Ew1TYW4gRnJhbmNpc2NvMQ0wCwYDVQQKEwRldGNkMRYwFAYDVQQLEw1ldGNkIFNl +Y3VyaXR5MQswCQYDVQQDEwJjYTAeFw0xNzExMjIxNzMzMDBaFw0yNzExMjAxNzMz +MDBaMGIxDDAKBgNVBAYTA1VTQTETMBEGA1UECBMKQ2FsaWZvcm5pYTEWMBQGA1UE +BxMNU2FuIEZyYW5jaXNjbzENMAsGA1UEChMEZXRjZDEWMBQGA1UECxMNZXRjZCBT +ZWN1cml0eTCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAOZuU1wqUMoI +/Vkxo5ep8vGxgCg38c0PdxAJX4ViEBRIsKxnjMUmgMWEes9bJ14wrqQ2G3l0tSSr +nOtRPRGeSBAsiFKU41sRdHZQgZKhWXKvOqLlll9tgTmAypXeYt1zrtV8zPan3AWn +OYz+FdO41BESmg00SctcIVoP57keSkr/binJuwy+e1w6Z8Prnoc+OqsFvjp6RPNH +ZJYKsBziYVldg3RN0K/1MQBP587AhF0Dh+iTqnMWhJwbAGw82j7b7jgJnatMvj0L +e/nunxB9BgWaRl4Xq0WueFBfVSLIYUspTogpaz2bUsIAxV3xbRRbpiFY/eqT6nSK +grR6Qc8oOVsCAwEAAaOB1TCB0jAOBgNVHQ8BAf8EBAMCBaAwHQYDVR0lBBYwFAYI +KwYBBQUHAwEGCCsGAQUFBwMCMAwGA1UdEwEB/wQCMAAwHQYDVR0OBBYEFE4dpGTp ++hE0TR9Ku1wf1/GQ9zVjMB8GA1UdIwQYMBaAFJln48Sw/LAJEqj9/FjZ5KcjTBAg +MFMGA1UdEQRMMEqCDW0xLmV0Y2QubG9jYWyCDW0yLmV0Y2QubG9jYWyCDW0zLmV0 +Y2QubG9jYWyCCmV0Y2QubG9jYWyCCWxvY2FsaG9zdIcEfwAAATANBgkqhkiG9w0B +AQsFAAOCAQEADDh4aThZsXaXkAluZP1yC+gc+z+gJT88SeBgIX11++3SqzERCcWv +71boMeYGDa/TuvDtAXQcZAtfNdjcZCxPGPoDuOYMksEMk/+oekb8JR1Nfd9jgRr+ +0MD2Hh6ElM9F/FXO+NHavAbtbTjbEGXGXCciGqL/fPw4AF0bAIQjiIE69wiZgCfM +1/+wR2+paZ+CxE3QZZKUhgoDRPY91J8KCiDPHvZRafQEulzb8w4G7h8TUy1xjZPw +UQfHsquLQHIfCHVHSn2yubMrlMbdJPhnJT35APBa7Uj0TYwb1tuFQ/xbO2GKoq3f +T7Rad1T50qRTqsRZzPdG4lZjAgnybjJUIQ== +-----END CERTIFICATE----- diff --git a/hack/scripts-dev/docker-dns-srv/certs/server.key.insecure b/hack/scripts-dev/docker-dns-srv/certs/server.key.insecure new file mode 100644 index 000000000..73cb4aa07 --- /dev/null +++ b/hack/scripts-dev/docker-dns-srv/certs/server.key.insecure @@ -0,0 +1,27 @@ +-----BEGIN RSA PRIVATE KEY----- +MIIEpAIBAAKCAQEA5m5TXCpQygj9WTGjl6ny8bGAKDfxzQ93EAlfhWIQFEiwrGeM +xSaAxYR6z1snXjCupDYbeXS1JKuc61E9EZ5IECyIUpTjWxF0dlCBkqFZcq86ouWW +X22BOYDKld5i3XOu1XzM9qfcBac5jP4V07jUERKaDTRJy1whWg/nuR5KSv9uKcm7 +DL57XDpnw+uehz46qwW+OnpE80dklgqwHOJhWV2DdE3Qr/UxAE/nzsCEXQOH6JOq +cxaEnBsAbDzaPtvuOAmdq0y+PQt7+e6fEH0GBZpGXherRa54UF9VIshhSylOiClr +PZtSwgDFXfFtFFumIVj96pPqdIqCtHpBzyg5WwIDAQABAoIBAQDBdpk4RTLFHV0P +uLRfzkjxkRRHMAksIDLXXPc8tkNHtGvYo6u1jokIzByL4T0hQIAv0Fmq1EiNfCPo +EbHTC+/23Fyr8OMdf38nIppW8G538hSp1VY10mtvSulLgIXC5bBA/2HaKL56ZJbW +ADF1K7Woi9SZB3B5c2VxBu+HJZ48bbZLFoKMw+48998K/S0Msh4NeZ3Lq75i2LmZ +GhPmeR2d922UAO72hgP8h771Cejz3bd0mdFGtbwSS+1vpseFsZHu8yQjBAbP13o2 +e6+SpZf7Yndeg1Wv/WALiKFFTIfqnpVtVhMqD+nx/0DweW1b1vdDVz+LmPPUyvxR +owhQV9b5AoGBAPNPSgMxlMvsaoTo08AU6YjZgfqMAxJNgVU/KsyK9qhq/O9Q9O8d +OKt/kehdeYQOkkM77mLTtcDlFfbg6NmNnN7iBMY9v5iZP8U14avjmvjDKrwigsK+ +HWuFlA7RpmecIwHH17ya32PydnoM7MMH46N28fSnAR7bIgZC3USmUfYtAoGBAPJz +E8Gcf9eVox5o5hhhocLtjFQcXxjcL3Bxz1qFPNvQ440s/7ubGORPoDzOf1lPyxI9 +HewZTJ/aP8lyhPwGC0+O3mH6Gwr2YflaoLdZxBAX0gliPKI0OWsH73RGkBxUte46 +ugTgKXpwtvM9R7pENJbP8lOFKdg5EoA6ZjIKCmqnAoGBAMMXT4wyBFJi9aIuoiNB +YWQmq47/FzNkzBBTfvjVcCPo7Xji3BKixp7UwmSkFtxpZqPceS/q+7B4v9zdyDcw +0pjwd82RE4DDWJvDsXjHHqraqviBX4HROPvO9sHPHvOzAWrbF8QWFosojhEdLfbP +65pVtHpsMnzQTn7gvFTgW5XdAoGAepDYfPlL28Wm99mZ8NtydmO2nFLXdG7jgJnY +dG+E6683SghkpAftVoY2gGb4FEN1apwBA3lqtikUNBezyOCZWTfljmxsvWb+8prx +Qp+bsXMJWHsUIf/6wvP5BrQhaGEes/d2UL6t2Vsf8emZ2D1gxJkNbVGVbNy1UKO1 +RDi1OWMCgYB+DZ/CvJ8i6VwzOm/SXtycuDJZ96NGwjpK4A71HoocrVi1phGMlOp+ +c48XR0Xr2/AEfFsmcTIilI2ShsjN4u9YDXJK8Efek2EX77pP6MsUXuSZ6i1OS9wP +5WPYypGxNXsZU99D78UBV9PohWqp4LkBSP/55sFBcd3iyLbdHlthLA== +-----END RSA PRIVATE KEY----- diff --git a/hack/scripts-dev/docker-dns-srv/etcd.zone b/hack/scripts-dev/docker-dns-srv/etcd.zone index e501ed399..b9cebbba4 100644 --- a/hack/scripts-dev/docker-dns-srv/etcd.zone +++ b/hack/scripts-dev/docker-dns-srv/etcd.zone @@ -1,16 +1,21 @@ -etcd.local. IN SOA bindhostname. admin.etcd.local. ( -1452607488 -10800 -3600 -604800 -38400 ) -etcd.local. IN NS bindhostname. -m1.etcd.local. 300 IN A 127.0.0.1 -m2.etcd.local. 300 IN A 127.0.0.1 -m3.etcd.local. 300 IN A 127.0.0.1 -_etcd-client-ssl._tcp 300 IN SRV 0 0 2379 m1.etcd.local. -_etcd-client-ssl._tcp 300 IN SRV 0 0 22379 m2.etcd.local. -_etcd-client-ssl._tcp 300 IN SRV 0 0 32379 m3.etcd.local. -_etcd-server-ssl._tcp 300 IN SRV 0 0 2380 m1.etcd.local. -_etcd-server-ssl._tcp 300 IN SRV 0 0 22380 m2.etcd.local. -_etcd-server-ssl._tcp 300 IN SRV 0 0 32380 m3.etcd.local. \ No newline at end of file +$TTL 86400 +@ IN SOA etcdns.local. root.etcdns.local. ( + 100500 ; Serial + 604800 ; Refresh + 86400 ; Retry + 2419200 ; Expire + 86400 ) ; Negative Cache TTL + IN NS ns.etcdns.local. + IN A 127.0.0.1 + +ns IN A 127.0.0.1 +m1 IN A 127.0.0.1 +m2 IN A 127.0.0.1 +m3 IN A 127.0.0.1 + +_etcd-client-ssl._tcp IN SRV 0 0 2379 m1.etcd.local. +_etcd-server-ssl._tcp IN SRV 0 0 2380 m1.etcd.local. +_etcd-client-ssl._tcp IN SRV 0 0 22379 m2.etcd.local. +_etcd-server-ssl._tcp IN SRV 0 0 22380 m2.etcd.local. +_etcd-client-ssl._tcp IN SRV 0 0 32379 m3.etcd.local. +_etcd-server-ssl._tcp IN SRV 0 0 32380 m3.etcd.local. diff --git a/hack/scripts-dev/docker-dns-srv/run.sh b/hack/scripts-dev/docker-dns-srv/run.sh deleted file mode 100755 index 7c7415f8d..000000000 --- a/hack/scripts-dev/docker-dns-srv/run.sh +++ /dev/null @@ -1,16 +0,0 @@ -#!/bin/sh - -/etc/init.d/bind9 start - -# get rid of hosts so go lookup won't resolve 127.0.0.1 to localhost -cat /dev/null >/etc/hosts - -goreman -f /Procfile start & -sleep 7s - -ETCDCTL_API=3 ./etcdctl \ - --cacert=/certs/ca.crt \ - --cert=/certs/server-wildcard.crt \ - --key=/certs//server-wildcard.key.insecure \ - --discovery-srv etcd.local \ - put foo bar diff --git a/hack/scripts-dev/docker-dns/Dockerfile b/hack/scripts-dev/docker-dns/Dockerfile index 7b8548d8e..07e907214 100644 --- a/hack/scripts-dev/docker-dns/Dockerfile +++ b/hack/scripts-dev/docker-dns/Dockerfile @@ -33,16 +33,12 @@ ENV GO_DOWNLOAD_URL https://storage.googleapis.com/golang RUN rm -rf ${GOROOT} \ && curl -s ${GO_DOWNLOAD_URL}/go${GO_VERSION}.linux-amd64.tar.gz | tar -v -C /usr/local/ -xz \ && mkdir -p ${GOPATH}/src ${GOPATH}/bin \ - && go version + && go version \ + && go get -v -u github.com/mattn/goreman RUN mkdir -p /var/bind /etc/bind RUN chown root:bind /var/bind /etc/bind -ADD Procfile.tls /Procfile.tls -ADD run.sh /run.sh ADD named.conf etcd.zone rdns.zone /etc/bind/ RUN chown root:bind /etc/bind/named.conf /etc/bind/etcd.zone /etc/bind/rdns.zone ADD resolv.conf /etc/resolv.conf - -RUN go get github.com/mattn/goreman -CMD ["/run.sh"] diff --git a/hack/scripts-dev/docker-dns/Procfile.tls b/hack/scripts-dev/docker-dns/Procfile.tls deleted file mode 100644 index c4842ae56..000000000 --- a/hack/scripts-dev/docker-dns/Procfile.tls +++ /dev/null @@ -1,6 +0,0 @@ -# Use goreman to run `go get github.com/mattn/goreman` -etcd1: ./etcd --name m1 --listen-client-urls https://127.0.0.1:2379 --advertise-client-urls https://m1.etcd.local:2379 --listen-peer-urls https://127.0.0.1:2380 --initial-advertise-peer-urls=https://m1.etcd.local:2380 --initial-cluster-token tkn --initial-cluster=m1=https://m1.etcd.local:2380,m2=https://m2.etcd.local:22380,m3=https://m3.etcd.local:32380 --initial-cluster-state new --peer-cert-file=/certs/server-wildcard.crt --peer-key-file=/certs/server-wildcard.key.insecure --peer-trusted-ca-file=/certs/ca.crt --peer-client-cert-auth --cert-file=/certs/server-wildcard.crt --key-file=/certs/server-wildcard.key.insecure --trusted-ca-file=/certs/ca.crt --client-cert-auth - -etcd2: ./etcd --name m2 --listen-client-urls https://127.0.0.1:22379 --advertise-client-urls https://m2.etcd.local:22379 --listen-peer-urls https://127.0.0.1:22380 --initial-advertise-peer-urls=https://m2.etcd.local:22380 --initial-cluster-token tkn --initial-cluster=m1=https://m1.etcd.local:2380,m2=https://m2.etcd.local:22380,m3=https://m3.etcd.local:32380 --initial-cluster-state new --peer-cert-file=/certs/server-wildcard.crt --peer-key-file=/certs/server-wildcard.key.insecure --peer-trusted-ca-file=/certs/ca.crt --peer-client-cert-auth --cert-file=/certs/server-wildcard.crt --key-file=/certs/server-wildcard.key.insecure --trusted-ca-file=/certs/ca.crt --client-cert-auth - -etcd3: ./etcd --name m3 --listen-client-urls https://127.0.0.1:32379 --advertise-client-urls https://m3.etcd.local:32379 --listen-peer-urls https://127.0.0.1:32380 --initial-advertise-peer-urls=https://m3.etcd.local:32380 --initial-cluster-token tkn --initial-cluster=m1=https://m1.etcd.local:2380,m2=https://m2.etcd.local:22380,m3=https://m3.etcd.local:32380 --initial-cluster-state new --peer-cert-file=/certs/server-wildcard.crt --peer-key-file=/certs/server-wildcard.key.insecure --peer-trusted-ca-file=/certs/ca.crt --peer-client-cert-auth --cert-file=/certs/server-wildcard.crt --key-file=/certs/server-wildcard.key.insecure --trusted-ca-file=/certs/ca.crt --client-cert-auth \ No newline at end of file diff --git a/hack/scripts-dev/docker-dns/certs-common-name/Procfile b/hack/scripts-dev/docker-dns/certs-common-name/Procfile new file mode 100644 index 000000000..a0ea061ac --- /dev/null +++ b/hack/scripts-dev/docker-dns/certs-common-name/Procfile @@ -0,0 +1,6 @@ +# Use goreman to run `go get github.com/mattn/goreman` +etcd1: ./etcd --name m1 --data-dir /tmp/m1.data --listen-client-urls https://127.0.0.1:2379 --advertise-client-urls https://m1.etcd.local:2379 --listen-peer-urls https://127.0.0.1:2380 --initial-advertise-peer-urls=https://m1.etcd.local:2380 --initial-cluster-token tkn --initial-cluster=m1=https://m1.etcd.local:2380,m2=https://m2.etcd.local:22380,m3=https://m3.etcd.local:32380 --initial-cluster-state new --peer-cert-file=/certs-common-name/server.crt --peer-key-file=/certs-common-name/server.key.insecure --peer-trusted-ca-file=/certs-common-name/ca.crt --peer-client-cert-auth --peer-cert-allowed-cn test-common-name --cert-file=/certs-common-name/server.crt --key-file=/certs-common-name/server.key.insecure --trusted-ca-file=/certs-common-name/ca.crt --client-cert-auth + +etcd2: ./etcd --name m2 --data-dir /tmp/m2.data --listen-client-urls https://127.0.0.1:22379 --advertise-client-urls https://m2.etcd.local:22379 --listen-peer-urls https://127.0.0.1:22380 --initial-advertise-peer-urls=https://m2.etcd.local:22380 --initial-cluster-token tkn --initial-cluster=m1=https://m1.etcd.local:2380,m2=https://m2.etcd.local:22380,m3=https://m3.etcd.local:32380 --initial-cluster-state new --peer-cert-file=/certs-common-name/server.crt --peer-key-file=/certs-common-name/server.key.insecure --peer-trusted-ca-file=/certs-common-name/ca.crt --peer-client-cert-auth --peer-cert-allowed-cn test-common-name --cert-file=/certs-common-name/server.crt --key-file=/certs-common-name/server.key.insecure --trusted-ca-file=/certs-common-name/ca.crt --client-cert-auth + +etcd3: ./etcd --name m3 --data-dir /tmp/m3.data --listen-client-urls https://127.0.0.1:32379 --advertise-client-urls https://m3.etcd.local:32379 --listen-peer-urls https://127.0.0.1:32380 --initial-advertise-peer-urls=https://m3.etcd.local:32380 --initial-cluster-token tkn --initial-cluster=m1=https://m1.etcd.local:2380,m2=https://m2.etcd.local:22380,m3=https://m3.etcd.local:32380 --initial-cluster-state new --peer-cert-file=/certs-common-name/server.crt --peer-key-file=/certs-common-name/server.key.insecure --peer-trusted-ca-file=/certs-common-name/ca.crt --peer-client-cert-auth --peer-cert-allowed-cn test-common-name --cert-file=/certs-common-name/server.crt --key-file=/certs-common-name/server.key.insecure --trusted-ca-file=/certs-common-name/ca.crt --client-cert-auth \ No newline at end of file diff --git a/hack/scripts-dev/docker-dns/certs-common-name/ca-csr.json b/hack/scripts-dev/docker-dns/certs-common-name/ca-csr.json new file mode 100644 index 000000000..ecafabaad --- /dev/null +++ b/hack/scripts-dev/docker-dns/certs-common-name/ca-csr.json @@ -0,0 +1,19 @@ +{ + "key": { + "algo": "rsa", + "size": 2048 + }, + "names": [ + { + "O": "etcd", + "OU": "etcd Security", + "L": "San Francisco", + "ST": "California", + "C": "USA" + } + ], + "CN": "ca", + "ca": { + "expiry": "87600h" + } +} diff --git a/hack/scripts-dev/docker-dns/certs-common-name/ca.crt b/hack/scripts-dev/docker-dns/certs-common-name/ca.crt new file mode 100644 index 000000000..00faeca22 --- /dev/null +++ b/hack/scripts-dev/docker-dns/certs-common-name/ca.crt @@ -0,0 +1,22 @@ +-----BEGIN CERTIFICATE----- +MIIDsTCCApmgAwIBAgIUdASu5zT1US/6LPyKmczbC3NgdY4wDQYJKoZIhvcNAQEL +BQAwbzEMMAoGA1UEBhMDVVNBMRMwEQYDVQQIEwpDYWxpZm9ybmlhMRYwFAYDVQQH +Ew1TYW4gRnJhbmNpc2NvMQ0wCwYDVQQKEwRldGNkMRYwFAYDVQQLEw1ldGNkIFNl +Y3VyaXR5MQswCQYDVQQDEwJjYTAeFw0xNzExMTQwNjIzMDBaFw0yNzExMTIwNjIz +MDBaMG8xDDAKBgNVBAYTA1VTQTETMBEGA1UECBMKQ2FsaWZvcm5pYTEWMBQGA1UE +BxMNU2FuIEZyYW5jaXNjbzENMAsGA1UEChMEZXRjZDEWMBQGA1UECxMNZXRjZCBT +ZWN1cml0eTELMAkGA1UEAxMCY2EwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEK +AoIBAQDBbE44RP/Tk9l7KShzxQAypatoqDJQL32hyw8plZIfni5XFIlG2GwyjNvX +wiP6u0YcsApZKc58ytqcHQqMyk68OTTxcM+HVWvKHMKOBPBYgXeeVnD+7Ixuinq/ +X6RK3n2jEipFgE9FiAXDNICF3ZQz+HVNBSbzwCjBtIcYkinWHX+kgnQkFT1NnmuZ +uloz6Uh7/Ngn/XPNSsoMyLrh4TwDsx/fQEpVcrXMbxWux1xEHmfDzRKvE7VhSo39 +/mcpKBOwTg4jwh9tDjxWX4Yat+/cX0cGxQ7JSrdy14ESV5AGBmesGHd2SoWhZK9l +tWm1Eq0JYWD+Cd5yNrODTUxWRNs9AgMBAAGjRTBDMA4GA1UdDwEB/wQEAwIBBjAS +BgNVHRMBAf8ECDAGAQH/AgECMB0GA1UdDgQWBBSZMjlLnc7Vv2mxRMebo5ezJ7gt +pzANBgkqhkiG9w0BAQsFAAOCAQEAA2d2nV4CXjp7xpTQrh8sHzSBDYUNr9DY5hej +52X6q8WV0N3QC7Utvv2Soz6Ol72/xoGajIJvqorsIBB5Ms3dgCzPMy3R01Eb3MzI +7KG/4AGVEiAKUBkNSD8PWD7bREnnv1g9tUftE7jWsgMaPIpi6KhzhyJsClT4UsKQ +6Lp+Be80S293LrlmUSdZ/v7FAvMzDGOLd2iTlTr1fXK6YJJEXpk3+HIi8nbUPvYQ +6O8iOtf5QoCm1yMLJQMFvNr51Z1EeF935HRj8U2MJP5jXPW4/UY2TAUBcWEhlNsK +6od+f1B8xGe/6KHvF0C8bg23kj8QphM/E7HCZiVgdm6FNf54AQ== +-----END CERTIFICATE----- diff --git a/hack/scripts-dev/docker-dns/certs-common-name/gencert.json b/hack/scripts-dev/docker-dns/certs-common-name/gencert.json new file mode 100644 index 000000000..09b67267b --- /dev/null +++ b/hack/scripts-dev/docker-dns/certs-common-name/gencert.json @@ -0,0 +1,13 @@ +{ + "signing": { + "default": { + "usages": [ + "signing", + "key encipherment", + "server auth", + "client auth" + ], + "expiry": "87600h" + } + } +} diff --git a/hack/scripts-dev/docker-dns/certs-common-name/gencerts.sh b/hack/scripts-dev/docker-dns/certs-common-name/gencerts.sh new file mode 100755 index 000000000..efc098f53 --- /dev/null +++ b/hack/scripts-dev/docker-dns/certs-common-name/gencerts.sh @@ -0,0 +1,26 @@ +#!/bin/bash + +if ! [[ "$0" =~ "./gencerts.sh" ]]; then + echo "must be run from 'fixtures'" + exit 255 +fi + +if ! which cfssl; then + echo "cfssl is not installed" + exit 255 +fi + +cfssl gencert --initca=true ./ca-csr.json | cfssljson --bare ./ca +mv ca.pem ca.crt +openssl x509 -in ca.crt -noout -text + +# generate wildcard certificates DNS: *.etcd.local +cfssl gencert \ + --ca ./ca.crt \ + --ca-key ./ca-key.pem \ + --config ./gencert.json \ + ./server-ca-csr.json | cfssljson --bare ./server +mv server.pem server.crt +mv server-key.pem server.key.insecure + +rm -f *.csr *.pem *.stderr *.txt diff --git a/hack/scripts-dev/docker-dns/certs-common-name/run.sh b/hack/scripts-dev/docker-dns/certs-common-name/run.sh new file mode 100755 index 000000000..6d3bb026f --- /dev/null +++ b/hack/scripts-dev/docker-dns/certs-common-name/run.sh @@ -0,0 +1,255 @@ +#!/bin/sh +rm -rf /tmp/m1.data /tmp/m2.data /tmp/m3.data + +/etc/init.d/bind9 start + +# get rid of hosts so go lookup won't resolve 127.0.0.1 to localhost +cat /dev/null >/etc/hosts + +goreman -f /certs-common-name/Procfile start & +sleep 7s + +ETCDCTL_API=3 ./etcdctl \ + --cacert=/certs-common-name/ca.crt \ + --cert=/certs-common-name/server.crt \ + --key=/certs-common-name/server.key.insecure \ + --endpoints=https://m1.etcd.local:2379 \ + endpoint health --cluster + +sleep 2s +ETCDCTL_API=3 ./etcdctl \ + --cacert=/certs-common-name/ca.crt \ + --cert=/certs-common-name/server.crt \ + --key=/certs-common-name/server.key.insecure \ + --endpoints=https://m1.etcd.local:2379,https://m2.etcd.local:22379,https://m3.etcd.local:32379 \ + put abc def + +sleep 2s +ETCDCTL_API=3 ./etcdctl \ + --cacert=/certs-common-name/ca.crt \ + --cert=/certs-common-name/server.crt \ + --key=/certs-common-name/server.key.insecure \ + --endpoints=https://m1.etcd.local:2379,https://m2.etcd.local:22379,https://m3.etcd.local:32379 \ + get abc + +sleep 1s && printf "\n" +echo "Step 1. creating root role" +ETCDCTL_API=3 ./etcdctl \ + --cacert=/certs-common-name/ca.crt \ + --cert=/certs-common-name/server.crt \ + --key=/certs-common-name/server.key.insecure \ + --endpoints=https://m1.etcd.local:2379,https://m2.etcd.local:22379,https://m3.etcd.local:32379 \ + role add root + +sleep 1s && printf "\n" +echo "Step 2. granting readwrite 'foo' permission to role 'root'" +ETCDCTL_API=3 ./etcdctl \ + --cacert=/certs-common-name/ca.crt \ + --cert=/certs-common-name/server.crt \ + --key=/certs-common-name/server.key.insecure \ + --endpoints=https://m1.etcd.local:2379,https://m2.etcd.local:22379,https://m3.etcd.local:32379 \ + role grant-permission root readwrite foo + +sleep 1s && printf "\n" +echo "Step 3. getting role 'root'" +ETCDCTL_API=3 ./etcdctl \ + --cacert=/certs-common-name/ca.crt \ + --cert=/certs-common-name/server.crt \ + --key=/certs-common-name/server.key.insecure \ + --endpoints=https://m1.etcd.local:2379,https://m2.etcd.local:22379,https://m3.etcd.local:32379 \ + role get root + +sleep 1s && printf "\n" +echo "Step 4. creating user 'root'" +ETCDCTL_API=3 ./etcdctl \ + --cacert=/certs-common-name/ca.crt \ + --cert=/certs-common-name/server.crt \ + --key=/certs-common-name/server.key.insecure \ + --endpoints=https://m1.etcd.local:2379,https://m2.etcd.local:22379,https://m3.etcd.local:32379 \ + --interactive=false \ + user add root:123 + +sleep 1s && printf "\n" +echo "Step 5. granting role 'root' to user 'root'" +ETCDCTL_API=3 ./etcdctl \ + --cacert=/certs-common-name/ca.crt \ + --cert=/certs-common-name/server.crt \ + --key=/certs-common-name/server.key.insecure \ + --endpoints=https://m1.etcd.local:2379,https://m2.etcd.local:22379,https://m3.etcd.local:32379 \ + user grant-role root root + +sleep 1s && printf "\n" +echo "Step 6. getting user 'root'" +ETCDCTL_API=3 ./etcdctl \ + --cacert=/certs-common-name/ca.crt \ + --cert=/certs-common-name/server.crt \ + --key=/certs-common-name/server.key.insecure \ + --endpoints=https://m1.etcd.local:2379,https://m2.etcd.local:22379,https://m3.etcd.local:32379 \ + user get root + +sleep 1s && printf "\n" +echo "Step 7. enabling auth" +ETCDCTL_API=3 ./etcdctl \ + --cacert=/certs-common-name/ca.crt \ + --cert=/certs-common-name/server.crt \ + --key=/certs-common-name/server.key.insecure \ + --endpoints=https://m1.etcd.local:2379,https://m2.etcd.local:22379,https://m3.etcd.local:32379 \ + auth enable + +sleep 1s && printf "\n" +echo "Step 8. writing 'foo' with 'root:123'" +ETCDCTL_API=3 ./etcdctl \ + --cacert=/certs-common-name/ca.crt \ + --cert=/certs-common-name/server.crt \ + --key=/certs-common-name/server.key.insecure \ + --endpoints=https://m1.etcd.local:2379,https://m2.etcd.local:22379,https://m3.etcd.local:32379 \ + --user=root:123 \ + put foo bar + +sleep 1s && printf "\n" +echo "Step 9. writing 'aaa' with 'root:123'" +ETCDCTL_API=3 ./etcdctl \ + --cacert=/certs-common-name/ca.crt \ + --cert=/certs-common-name/server.crt \ + --key=/certs-common-name/server.key.insecure \ + --endpoints=https://m1.etcd.local:2379,https://m2.etcd.local:22379,https://m3.etcd.local:32379 \ + --user=root:123 \ + put aaa bbb + +sleep 1s && printf "\n" +echo "Step 10. writing 'foo' without 'root:123'" +ETCDCTL_API=3 ./etcdctl \ + --cacert=/certs-common-name/ca.crt \ + --cert=/certs-common-name/server.crt \ + --key=/certs-common-name/server.key.insecure \ + --endpoints=https://m1.etcd.local:2379,https://m2.etcd.local:22379,https://m3.etcd.local:32379 \ + put foo bar + +sleep 1s && printf "\n" +echo "Step 11. reading 'foo' with 'root:123'" +ETCDCTL_API=3 ./etcdctl \ + --cacert=/certs-common-name/ca.crt \ + --cert=/certs-common-name/server.crt \ + --key=/certs-common-name/server.key.insecure \ + --endpoints=https://m1.etcd.local:2379,https://m2.etcd.local:22379,https://m3.etcd.local:32379 \ + --user=root:123 \ + get foo + +sleep 1s && printf "\n" +echo "Step 12. reading 'aaa' with 'root:123'" +ETCDCTL_API=3 ./etcdctl \ + --cacert=/certs-common-name/ca.crt \ + --cert=/certs-common-name/server.crt \ + --key=/certs-common-name/server.key.insecure \ + --endpoints=https://m1.etcd.local:2379,https://m2.etcd.local:22379,https://m3.etcd.local:32379 \ + --user=root:123 \ + get aaa + +sleep 1s && printf "\n" +echo "Step 13. creating a new user 'test-common-name:test-pass'" +ETCDCTL_API=3 ./etcdctl \ + --cacert=/certs-common-name/ca.crt \ + --cert=/certs-common-name/server.crt \ + --key=/certs-common-name/server.key.insecure \ + --endpoints=https://m1.etcd.local:2379,https://m2.etcd.local:22379,https://m3.etcd.local:32379 \ + --user=root:123 \ + --interactive=false \ + user add test-common-name:test-pass + +sleep 1s && printf "\n" +echo "Step 14. creating a role 'test-role'" +ETCDCTL_API=3 ./etcdctl \ + --cacert=/certs-common-name/ca.crt \ + --cert=/certs-common-name/server.crt \ + --key=/certs-common-name/server.key.insecure \ + --endpoints=https://m1.etcd.local:2379,https://m2.etcd.local:22379,https://m3.etcd.local:32379 \ + --user=root:123 \ + role add test-role + +sleep 1s && printf "\n" +echo "Step 15. granting readwrite 'aaa' --prefix permission to role 'test-role'" +ETCDCTL_API=3 ./etcdctl \ + --cacert=/certs-common-name/ca.crt \ + --cert=/certs-common-name/server.crt \ + --key=/certs-common-name/server.key.insecure \ + --endpoints=https://m1.etcd.local:2379,https://m2.etcd.local:22379,https://m3.etcd.local:32379 \ + --user=root:123 \ + role grant-permission test-role readwrite aaa --prefix + +sleep 1s && printf "\n" +echo "Step 16. getting role 'test-role'" +ETCDCTL_API=3 ./etcdctl \ + --cacert=/certs-common-name/ca.crt \ + --cert=/certs-common-name/server.crt \ + --key=/certs-common-name/server.key.insecure \ + --endpoints=https://m1.etcd.local:2379,https://m2.etcd.local:22379,https://m3.etcd.local:32379 \ + --user=root:123 \ + role get test-role + +sleep 1s && printf "\n" +echo "Step 17. granting role 'test-role' to user 'test-common-name'" +ETCDCTL_API=3 ./etcdctl \ + --cacert=/certs-common-name/ca.crt \ + --cert=/certs-common-name/server.crt \ + --key=/certs-common-name/server.key.insecure \ + --endpoints=https://m1.etcd.local:2379,https://m2.etcd.local:22379,https://m3.etcd.local:32379 \ + --user=root:123 \ + user grant-role test-common-name test-role + +sleep 1s && printf "\n" +echo "Step 18. writing 'aaa' with 'test-common-name:test-pass'" +ETCDCTL_API=3 ./etcdctl \ + --cacert=/certs-common-name/ca.crt \ + --cert=/certs-common-name/server.crt \ + --key=/certs-common-name/server.key.insecure \ + --endpoints=https://m1.etcd.local:2379,https://m2.etcd.local:22379,https://m3.etcd.local:32379 \ + --user=test-common-name:test-pass \ + put aaa bbb + +sleep 1s && printf "\n" +echo "Step 19. writing 'bbb' with 'test-common-name:test-pass'" +ETCDCTL_API=3 ./etcdctl \ + --cacert=/certs-common-name/ca.crt \ + --cert=/certs-common-name/server.crt \ + --key=/certs-common-name/server.key.insecure \ + --endpoints=https://m1.etcd.local:2379,https://m2.etcd.local:22379,https://m3.etcd.local:32379 \ + --user=test-common-name:test-pass \ + put bbb bbb + +sleep 1s && printf "\n" +echo "Step 20. reading 'aaa' with 'test-common-name:test-pass'" +ETCDCTL_API=3 ./etcdctl \ + --cacert=/certs-common-name/ca.crt \ + --cert=/certs-common-name/server.crt \ + --key=/certs-common-name/server.key.insecure \ + --endpoints=https://m1.etcd.local:2379,https://m2.etcd.local:22379,https://m3.etcd.local:32379 \ + --user=test-common-name:test-pass \ + get aaa + +sleep 1s && printf "\n" +echo "Step 21. reading 'bbb' with 'test-common-name:test-pass'" +ETCDCTL_API=3 ./etcdctl \ + --cacert=/certs-common-name/ca.crt \ + --cert=/certs-common-name/server.crt \ + --key=/certs-common-name/server.key.insecure \ + --endpoints=https://m1.etcd.local:2379,https://m2.etcd.local:22379,https://m3.etcd.local:32379 \ + --user=test-common-name:test-pass \ + get bbb + +sleep 1s && printf "\n" +echo "Step 22. writing 'aaa' with CommonName 'test-common-name'" +ETCDCTL_API=3 ./etcdctl \ + --cacert=/certs-common-name/ca.crt \ + --cert=/certs-common-name/server.crt \ + --key=/certs-common-name/server.key.insecure \ + --endpoints=https://m1.etcd.local:2379,https://m2.etcd.local:22379,https://m3.etcd.local:32379 \ + put aaa ccc + +sleep 1s && printf "\n" +echo "Step 23. reading 'aaa' with CommonName 'test-common-name'" +ETCDCTL_API=3 ./etcdctl \ + --cacert=/certs-common-name/ca.crt \ + --cert=/certs-common-name/server.crt \ + --key=/certs-common-name/server.key.insecure \ + --endpoints=https://m1.etcd.local:2379,https://m2.etcd.local:22379,https://m3.etcd.local:32379 \ + get aaa diff --git a/hack/scripts-dev/docker-dns/certs-common-name/server-ca-csr.json b/hack/scripts-dev/docker-dns/certs-common-name/server-ca-csr.json new file mode 100644 index 000000000..6a57789b1 --- /dev/null +++ b/hack/scripts-dev/docker-dns/certs-common-name/server-ca-csr.json @@ -0,0 +1,23 @@ +{ + "key": { + "algo": "rsa", + "size": 2048 + }, + "names": [ + { + "O": "etcd", + "OU": "etcd Security", + "L": "San Francisco", + "ST": "California", + "C": "USA" + } + ], + "CN": "test-common-name", + "hosts": [ + "m1.etcd.local", + "m2.etcd.local", + "m3.etcd.local", + "127.0.0.1", + "localhost" + ] +} diff --git a/hack/scripts-dev/docker-dns/certs-common-name/server.crt b/hack/scripts-dev/docker-dns/certs-common-name/server.crt new file mode 100644 index 000000000..b9719b2f0 --- /dev/null +++ b/hack/scripts-dev/docker-dns/certs-common-name/server.crt @@ -0,0 +1,25 @@ +-----BEGIN CERTIFICATE----- +MIIERDCCAyygAwIBAgIUO500NxhwBHJsodbGKbo5NsW9/p8wDQYJKoZIhvcNAQEL +BQAwbzEMMAoGA1UEBhMDVVNBMRMwEQYDVQQIEwpDYWxpZm9ybmlhMRYwFAYDVQQH +Ew1TYW4gRnJhbmNpc2NvMQ0wCwYDVQQKEwRldGNkMRYwFAYDVQQLEw1ldGNkIFNl +Y3VyaXR5MQswCQYDVQQDEwJjYTAeFw0xNzExMTQwNjIzMDBaFw0yNzExMTIwNjIz +MDBaMH0xDDAKBgNVBAYTA1VTQTETMBEGA1UECBMKQ2FsaWZvcm5pYTEWMBQGA1UE +BxMNU2FuIEZyYW5jaXNjbzENMAsGA1UEChMEZXRjZDEWMBQGA1UECxMNZXRjZCBT +ZWN1cml0eTEZMBcGA1UEAxMQdGVzdC1jb21tb24tbmFtZTCCASIwDQYJKoZIhvcN +AQEBBQADggEPADCCAQoCggEBAMRvVMj3+5jAhRng4izVm4zrvMBnHNMh2MOFVTp7 +wdhEF2en7pFsKzWgczewil6v4d6QzJpgB9yQzPT2q0SOvetpbqP950y6MdPHAF9D +qZd0+wC+RLdSmK5oQKzgZER/vH3eSbTa1UdwaLBHlT6PiTzGm+gEYL43gr3kle+A +9c7aT9pkJWQFTCSdqwcQopyHEwgrfPHC8Bdn804soG4HtR9Gg/R4xtlu7ir6LTHn +vpPBScaMZDUQ5UNrEMh8TM8/sXG6oxqo86r5wpVQt6vscnTMrTTUqq+Mo/OJnDAf +plaqkWX5NfIJ9tmE2V06hq1/ptQkl714Wb+ske+aJ2Poc/UCAwEAAaOByTCBxjAO +BgNVHQ8BAf8EBAMCBaAwHQYDVR0lBBYwFAYIKwYBBQUHAwEGCCsGAQUFBwMCMAwG +A1UdEwEB/wQCMAAwHQYDVR0OBBYEFEG2hXyVTpxLXTse3fXe0U/g0F8kMB8GA1Ud +IwQYMBaAFJkyOUudztW/abFEx5ujl7MnuC2nMEcGA1UdEQRAMD6CDW0xLmV0Y2Qu +bG9jYWyCDW0yLmV0Y2QubG9jYWyCDW0zLmV0Y2QubG9jYWyCCWxvY2FsaG9zdIcE +fwAAATANBgkqhkiG9w0BAQsFAAOCAQEADtH0NZBrWfXTUvTa3WDsa/JPBhiPu/kH ++gRxOD5UNeDX9+QAx/gxGHrCh4j51OUx55KylUe0qAPHHZ4vhgD2lCRBqFLYx69m +xRIzVnt5NCruriskxId1aFTZ5pln5KK5tTVkAp04MBHZOgv8giXdRWn+7TtMyJxj +wVGf8R7/bwJGPPJFrLNtN4EWwXv/a2/SEoZd8fkTxzw12TeJ8w1PnkH4Zer+nzNb +dH5f+OIBGGZ2fIWANX5g9JEJvvsxBBL8uoCrFE/YdnD0fLyhoplSOVEIvncQLHd8 +3QoIVQ5GXnreMF9vuuEU5LlSsqd/Zv5mAQNrbEAfAL+QZQsnHY12qQ== +-----END CERTIFICATE----- diff --git a/hack/scripts-dev/docker-dns/certs-common-name/server.key.insecure b/hack/scripts-dev/docker-dns/certs-common-name/server.key.insecure new file mode 100644 index 000000000..07417b255 --- /dev/null +++ b/hack/scripts-dev/docker-dns/certs-common-name/server.key.insecure @@ -0,0 +1,27 @@ +-----BEGIN RSA PRIVATE KEY----- +MIIEpAIBAAKCAQEAxG9UyPf7mMCFGeDiLNWbjOu8wGcc0yHYw4VVOnvB2EQXZ6fu +kWwrNaBzN7CKXq/h3pDMmmAH3JDM9ParRI6962luo/3nTLox08cAX0Opl3T7AL5E +t1KYrmhArOBkRH+8fd5JtNrVR3BosEeVPo+JPMab6ARgvjeCveSV74D1ztpP2mQl +ZAVMJJ2rBxCinIcTCCt88cLwF2fzTiygbge1H0aD9HjG2W7uKvotMee+k8FJxoxk +NRDlQ2sQyHxMzz+xcbqjGqjzqvnClVC3q+xydMytNNSqr4yj84mcMB+mVqqRZfk1 +8gn22YTZXTqGrX+m1CSXvXhZv6yR75onY+hz9QIDAQABAoIBABiq+nS6X4gRNSXI +zd5ffMc3m152FHKXH4d+KPPNMsyb0Gyd9CGi+dIkMhPeQaIeaDjw6iDAynvyWyqw +B1X2rvbvKIvDiNZj03oK1YshDh0M/bBcNHjpEG9mfCi5jR3lBKCx14O0r2/nN95b +Puy6TbuqHU4HrrZ0diCuof2Prk6pd0EhQC+C3bZCcoWXOaRTqrMBTT6DdSMQrVKD +eGTXYqCzs/AlGKkOiErKtKWouNpkPpPiba1qp7YWXUasrXqPgPi4d97TmOShGIfc +zXNJT+e2rDX4OEVAJtOt6U2l9QG+PIhpH4P/ZYsvindm4VZBs+Vysrj4xkLgGBBP +ygOfBIECgYEA0IfP9Z9mzvCXiGrkrx2tN/k31cX674P/KwxPgSWM/AdXenYYzsmj +rVcoFx2eCFnBFdPz4BAqEfH70gtsG7OoTmoJSwN6wurIdGcFQwItrghgt9Qp46Dq +AIT9RXSpcB9AjM6p2reCjWcNeBVMrrHU3eaQitCxZbzuxvMMhMs/zzECgYEA8Sak +UhXFtNjxBW6EMNmTpjhShIZmxtPNzTJ5DtmARr8F+SMELp3JGJj/9Bm4TsvqJmGs +j9g/MVvSTjJlOuYPGJ5DBl3egZ5ZlRJx3I2qA4lFFCb71OJzuoR8YdHRlHnhJOu9 +2Jyrki1wrAefby8Fe/+5vswxq2u+Qurjya716AUCgYB+E06ZGzmmLfH/6Vi/wzqC +F+w5FAzGGNECbtv2ogReL/YktRgElgaee45ig2aTd+h0UQQmWL+Gv/3XHU7MZM+C +MTvTHZRwGlD9h3e37q49hRUsr1pwJE6157HU91al0k9NknlBIigNY9vR2VbWW+/u +BUMomkpWz2ax5CqScuvuUQKBgQCE+zYqPe9kpy1iPWuQNKuDQhPfGO6cPjiDK44u +biqa2MRGetTXkBNRCS48QeKtMS3SNJKgUDOo2GXE0W2ZaTxx6vQzEpidCeGEn0NC +yKw0fwIk9spwvt/qvxyIJNhZ9Ev/vDBYvyyt03kKpLl66ocvtfmMCbZqPWQSKs2q +bl0UsQKBgQDDrsPnuVQiv6l0J9VrZc0f5DYZIJmQij1Rcg/fL1Dv2mEpADrH2hkY +HI27Q15dfgvccAGbGXbZt3xi7TCLDDm+Kl9V9bR2e2EhqA84tFryiBZ5XSDRAWPU +UIjejblTgtzrTqUd75XUkNoKvJIGrLApmQiBJRQbcbwtmt2pWbziyQ== +-----END RSA PRIVATE KEY----- diff --git a/hack/scripts-dev/docker-dns/certs-gateway/Procfile b/hack/scripts-dev/docker-dns/certs-gateway/Procfile new file mode 100644 index 000000000..8e9a22c57 --- /dev/null +++ b/hack/scripts-dev/docker-dns/certs-gateway/Procfile @@ -0,0 +1,8 @@ +# Use goreman to run `go get github.com/mattn/goreman` +etcd1: ./etcd --name m1 --data-dir /tmp/m1.data --listen-client-urls https://127.0.0.1:2379 --advertise-client-urls https://m1.etcd.local:2379 --listen-peer-urls https://127.0.0.1:2380 --initial-advertise-peer-urls=https://m1.etcd.local:2380 --initial-cluster-token tkn --initial-cluster=m1=https://m1.etcd.local:2380,m2=https://m2.etcd.local:22380,m3=https://m3.etcd.local:32380 --initial-cluster-state new --peer-cert-file=/certs-gateway/server.crt --peer-key-file=/certs-gateway/server.key.insecure --peer-trusted-ca-file=/certs-gateway/ca.crt --peer-client-cert-auth --cert-file=/certs-gateway/server.crt --key-file=/certs-gateway/server.key.insecure --trusted-ca-file=/certs-gateway/ca.crt --client-cert-auth + +etcd2: ./etcd --name m2 --data-dir /tmp/m2.data --listen-client-urls https://127.0.0.1:22379 --advertise-client-urls https://m2.etcd.local:22379 --listen-peer-urls https://127.0.0.1:22380 --initial-advertise-peer-urls=https://m2.etcd.local:22380 --initial-cluster-token tkn --initial-cluster=m1=https://m1.etcd.local:2380,m2=https://m2.etcd.local:22380,m3=https://m3.etcd.local:32380 --initial-cluster-state new --peer-cert-file=/certs-gateway/server.crt --peer-key-file=/certs-gateway/server.key.insecure --peer-trusted-ca-file=/certs-gateway/ca.crt --peer-client-cert-auth --cert-file=/certs-gateway/server.crt --key-file=/certs-gateway/server.key.insecure --trusted-ca-file=/certs-gateway/ca.crt --client-cert-auth + +etcd3: ./etcd --name m3 --data-dir /tmp/m3.data --listen-client-urls https://127.0.0.1:32379 --advertise-client-urls https://m3.etcd.local:32379 --listen-peer-urls https://127.0.0.1:32380 --initial-advertise-peer-urls=https://m3.etcd.local:32380 --initial-cluster-token tkn --initial-cluster=m1=https://m1.etcd.local:2380,m2=https://m2.etcd.local:22380,m3=https://m3.etcd.local:32380 --initial-cluster-state new --peer-cert-file=/certs-gateway/server.crt --peer-key-file=/certs-gateway/server.key.insecure --peer-trusted-ca-file=/certs-gateway/ca.crt --peer-client-cert-auth --cert-file=/certs-gateway/server.crt --key-file=/certs-gateway/server.key.insecure --trusted-ca-file=/certs-gateway/ca.crt --client-cert-auth + +gateway: ./etcd gateway start --endpoints https://m1.etcd.local:2379,https://m2.etcd.local:22379,https://m3.etcd.local:32379 --trusted-ca-file /certs-gateway/ca.crt --listen-addr 127.0.0.1:23790 diff --git a/hack/scripts-dev/docker-dns/certs-gateway/ca-csr.json b/hack/scripts-dev/docker-dns/certs-gateway/ca-csr.json new file mode 100644 index 000000000..ecafabaad --- /dev/null +++ b/hack/scripts-dev/docker-dns/certs-gateway/ca-csr.json @@ -0,0 +1,19 @@ +{ + "key": { + "algo": "rsa", + "size": 2048 + }, + "names": [ + { + "O": "etcd", + "OU": "etcd Security", + "L": "San Francisco", + "ST": "California", + "C": "USA" + } + ], + "CN": "ca", + "ca": { + "expiry": "87600h" + } +} diff --git a/hack/scripts-dev/docker-dns/certs-gateway/ca.crt b/hack/scripts-dev/docker-dns/certs-gateway/ca.crt new file mode 100644 index 000000000..7e3814e92 --- /dev/null +++ b/hack/scripts-dev/docker-dns/certs-gateway/ca.crt @@ -0,0 +1,22 @@ +-----BEGIN CERTIFICATE----- +MIIDsTCCApmgAwIBAgIUClliB9ECLPuQpOrlqLkeI1ib7zYwDQYJKoZIhvcNAQEL +BQAwbzEMMAoGA1UEBhMDVVNBMRMwEQYDVQQIEwpDYWxpZm9ybmlhMRYwFAYDVQQH +Ew1TYW4gRnJhbmNpc2NvMQ0wCwYDVQQKEwRldGNkMRYwFAYDVQQLEw1ldGNkIFNl +Y3VyaXR5MQswCQYDVQQDEwJjYTAeFw0xNzEyMDExOTE3MDBaFw0yNzExMjkxOTE3 +MDBaMG8xDDAKBgNVBAYTA1VTQTETMBEGA1UECBMKQ2FsaWZvcm5pYTEWMBQGA1UE +BxMNU2FuIEZyYW5jaXNjbzENMAsGA1UEChMEZXRjZDEWMBQGA1UECxMNZXRjZCBT +ZWN1cml0eTELMAkGA1UEAxMCY2EwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEK +AoIBAQCjClF0TCk2qrHUTjFgFv2jmV0yUqnP3SG/7eVCptcFKE7kcGAx+j06GfEP +UXmCV13cgE0dYYLtz7/g29BiZzlBLlLsmpBMM+S4nfVH9BGLbKCSnwp5ba816AuS +rc8+qmJ0fAo56snLQWoAlnZxZ1tVjAtj5ZrQP9QDK2djgyviPS4kqWQ7Ulbeqgs7 +rGz56xAsyMTWYlotgZTnnZ3Pckr1FHXhwkO1rFK5+oMZPh2HhvXL9wv0/TMAypUv +oQqDzUfUvYeaKr6qy1ADc53SQjqeTXg0jOShmnWM2zC7MwX+VPh+6ZApk3NLXwgv +6wT0U1tNfvctp8JvC7FqqCEny9hdAgMBAAGjRTBDMA4GA1UdDwEB/wQEAwIBBjAS +BgNVHRMBAf8ECDAGAQH/AgECMB0GA1UdDgQWBBQWI6eUGqKWkCjOKGAYd+5K6eh5 +GTANBgkqhkiG9w0BAQsFAAOCAQEAS3nIyLoGMsioLb89T1KMq+0NDDCx7R20EguT +qUvFUYKjzdxDA1RlZ2HzPxBJRwBc0Vf98pNtkWCkwUl5hxthndNQo7F9lLs/zNzp +bL4agho6kadIbcb4v/3g9XPSzqJ/ysfrwxZoBd7D+0PVGJjRTIJiN83Kt68IMx2b +8mFEBiMZiSJW+sRuKXMSJsubJE3QRn862y2ktq/lEJyYR6zC0MOeYR6BPIs/B6vU +8/iUbyk5ULc7NzWGytC+QKC3O9RTuA8MGF1aFaNSK7wDyrAlBZdxjWi52Mz3lJCK +ffBaVfvG55WKjwAqgNU17jK/Rxw1ev9mp4aCkXkD0KUTGLcoZw== +-----END CERTIFICATE----- diff --git a/hack/scripts-dev/docker-dns/certs-gateway/gencert.json b/hack/scripts-dev/docker-dns/certs-gateway/gencert.json new file mode 100644 index 000000000..09b67267b --- /dev/null +++ b/hack/scripts-dev/docker-dns/certs-gateway/gencert.json @@ -0,0 +1,13 @@ +{ + "signing": { + "default": { + "usages": [ + "signing", + "key encipherment", + "server auth", + "client auth" + ], + "expiry": "87600h" + } + } +} diff --git a/hack/scripts-dev/docker-dns/certs-gateway/gencerts.sh b/hack/scripts-dev/docker-dns/certs-gateway/gencerts.sh new file mode 100755 index 000000000..efc098f53 --- /dev/null +++ b/hack/scripts-dev/docker-dns/certs-gateway/gencerts.sh @@ -0,0 +1,26 @@ +#!/bin/bash + +if ! [[ "$0" =~ "./gencerts.sh" ]]; then + echo "must be run from 'fixtures'" + exit 255 +fi + +if ! which cfssl; then + echo "cfssl is not installed" + exit 255 +fi + +cfssl gencert --initca=true ./ca-csr.json | cfssljson --bare ./ca +mv ca.pem ca.crt +openssl x509 -in ca.crt -noout -text + +# generate wildcard certificates DNS: *.etcd.local +cfssl gencert \ + --ca ./ca.crt \ + --ca-key ./ca-key.pem \ + --config ./gencert.json \ + ./server-ca-csr.json | cfssljson --bare ./server +mv server.pem server.crt +mv server-key.pem server.key.insecure + +rm -f *.csr *.pem *.stderr *.txt diff --git a/hack/scripts-dev/docker-dns/certs-gateway/run.sh b/hack/scripts-dev/docker-dns/certs-gateway/run.sh new file mode 100755 index 000000000..94fdc32ee --- /dev/null +++ b/hack/scripts-dev/docker-dns/certs-gateway/run.sh @@ -0,0 +1,47 @@ +#!/bin/sh +rm -rf /tmp/m1.data /tmp/m2.data /tmp/m3.data + +/etc/init.d/bind9 start + +# get rid of hosts so go lookup won't resolve 127.0.0.1 to localhost +cat /dev/null >/etc/hosts + +goreman -f /certs-gateway/Procfile start & + +# TODO: remove random sleeps +sleep 7s + +ETCDCTL_API=3 ./etcdctl \ + --cacert=/certs-gateway/ca.crt \ + --cert=/certs-gateway/server.crt \ + --key=/certs-gateway/server.key.insecure \ + --endpoints=https://m1.etcd.local:2379 \ + endpoint health --cluster + +ETCDCTL_API=3 ./etcdctl \ + --cacert=/certs-gateway/ca.crt \ + --cert=/certs-gateway/server.crt \ + --key=/certs-gateway/server.key.insecure \ + --endpoints=https://m1.etcd.local:2379,https://m2.etcd.local:22379,https://m3.etcd.local:32379 \ + put abc def + +ETCDCTL_API=3 ./etcdctl \ + --cacert=/certs-gateway/ca.crt \ + --cert=/certs-gateway/server.crt \ + --key=/certs-gateway/server.key.insecure \ + --endpoints=https://m1.etcd.local:2379,https://m2.etcd.local:22379,https://m3.etcd.local:32379 \ + get abc + +ETCDCTL_API=3 ./etcdctl \ + --cacert=/certs-gateway/ca.crt \ + --cert=/certs-gateway/server.crt \ + --key=/certs-gateway/server.key.insecure \ + --endpoints=127.0.0.1:23790 \ + put ghi jkl + +ETCDCTL_API=3 ./etcdctl \ + --cacert=/certs-gateway/ca.crt \ + --cert=/certs-gateway/server.crt \ + --key=/certs-gateway/server.key.insecure \ + --endpoints=127.0.0.1:23790 \ + get ghi diff --git a/hack/scripts-dev/docker-dns/certs-gateway/server-ca-csr.json b/hack/scripts-dev/docker-dns/certs-gateway/server-ca-csr.json new file mode 100644 index 000000000..77cdb408c --- /dev/null +++ b/hack/scripts-dev/docker-dns/certs-gateway/server-ca-csr.json @@ -0,0 +1,22 @@ +{ + "key": { + "algo": "rsa", + "size": 2048 + }, + "names": [ + { + "O": "etcd", + "OU": "etcd Security", + "L": "San Francisco", + "ST": "California", + "C": "USA" + } + ], + "hosts": [ + "m1.etcd.local", + "m2.etcd.local", + "m3.etcd.local", + "127.0.0.1", + "localhost" + ] +} diff --git a/hack/scripts-dev/docker-dns/certs-gateway/server.crt b/hack/scripts-dev/docker-dns/certs-gateway/server.crt new file mode 100644 index 000000000..688a5afe6 --- /dev/null +++ b/hack/scripts-dev/docker-dns/certs-gateway/server.crt @@ -0,0 +1,25 @@ +-----BEGIN CERTIFICATE----- +MIIEKTCCAxGgAwIBAgIUDOkW+H3KLeHEwsovqOUMKKfEuqQwDQYJKoZIhvcNAQEL +BQAwbzEMMAoGA1UEBhMDVVNBMRMwEQYDVQQIEwpDYWxpZm9ybmlhMRYwFAYDVQQH +Ew1TYW4gRnJhbmNpc2NvMQ0wCwYDVQQKEwRldGNkMRYwFAYDVQQLEw1ldGNkIFNl +Y3VyaXR5MQswCQYDVQQDEwJjYTAeFw0xNzEyMDExOTE3MDBaFw0yNzExMjkxOTE3 +MDBaMGIxDDAKBgNVBAYTA1VTQTETMBEGA1UECBMKQ2FsaWZvcm5pYTEWMBQGA1UE +BxMNU2FuIEZyYW5jaXNjbzENMAsGA1UEChMEZXRjZDEWMBQGA1UECxMNZXRjZCBT +ZWN1cml0eTCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBANfu298kCxFY +KXAmdG5BeqnFoezAJQCtgv+ZRS0+OB4hVsahnNSsztEfIJnVSvYJTr1u+TGSbzBZ +q85ua3S92Mzo/71yoDlFjj1JfBmPdL1Ij1256LAwUYoPXgcACyiKpI1DnTlhwTvU +G41teQBo+u4sxr9beuNpLlehVbknH9JkTNaTbF9/B5hy5hQPomGvzPzzBNAfrb2B +EyqabnzoX4qv6cMsQSJrcOYQ8znnTPWa5WFP8rWujsvxOUjxikQn8d7lkzy+PHwq +zx69L9VzdoWyJgQ3m73SIMTgP+HL+OsxDfmbu++Ds+2i2Dgf/vdJku/rP+Wka7vn +yCM807xi96kCAwEAAaOByTCBxjAOBgNVHQ8BAf8EBAMCBaAwHQYDVR0lBBYwFAYI +KwYBBQUHAwEGCCsGAQUFBwMCMAwGA1UdEwEB/wQCMAAwHQYDVR0OBBYEFAH+dsuv +L6qvUmB/w9eKl83+MGTtMB8GA1UdIwQYMBaAFBYjp5QaopaQKM4oYBh37krp6HkZ +MEcGA1UdEQRAMD6CDW0xLmV0Y2QubG9jYWyCDW0yLmV0Y2QubG9jYWyCDW0zLmV0 +Y2QubG9jYWyCCWxvY2FsaG9zdIcEfwAAATANBgkqhkiG9w0BAQsFAAOCAQEAh049 +srxFkiH9Lp8le3fJkuY25T/MUrmfa10RdNSKgj3qcpCMnf9nQjIWtaQsjoZJ5MQc +VIT3gWDWK8SWlpx+O2cVEQDG0ccv7gc38YGywVhMoQ5HthTAjLCbNk4TdKJOIk7D +hmfs7BHDvjRPi38CFklLzdUQaVCcvB43TNA3Y9M75oP/UGOSe3lJz1KKXOI/t+vA +5U3yxwXlVNJVsZgeWAbXN9F6WbCZDsz+4Obpk/LV1NLqgLd/hHXzoOOWNw977S2b ++dOd95OJ/cq09OzKn/g26NgtHOl0xqol7wIwqJhweEEiVueyFxXD04jcsxdAFZSJ +9H6q3inNQaLyJHSYWQ== +-----END CERTIFICATE----- diff --git a/hack/scripts-dev/docker-dns/certs-gateway/server.key.insecure b/hack/scripts-dev/docker-dns/certs-gateway/server.key.insecure new file mode 100644 index 000000000..6c0c16c0b --- /dev/null +++ b/hack/scripts-dev/docker-dns/certs-gateway/server.key.insecure @@ -0,0 +1,27 @@ +-----BEGIN RSA PRIVATE KEY----- +MIIEpAIBAAKCAQEA1+7b3yQLEVgpcCZ0bkF6qcWh7MAlAK2C/5lFLT44HiFWxqGc +1KzO0R8gmdVK9glOvW75MZJvMFmrzm5rdL3YzOj/vXKgOUWOPUl8GY90vUiPXbno +sDBRig9eBwALKIqkjUOdOWHBO9QbjW15AGj67izGv1t642kuV6FVuScf0mRM1pNs +X38HmHLmFA+iYa/M/PME0B+tvYETKppufOhfiq/pwyxBImtw5hDzOedM9ZrlYU/y +ta6Oy/E5SPGKRCfx3uWTPL48fCrPHr0v1XN2hbImBDebvdIgxOA/4cv46zEN+Zu7 +74Oz7aLYOB/+90mS7+s/5aRru+fIIzzTvGL3qQIDAQABAoIBABO8azA79R8Ctdbg +TOf+6B04SRKAhWFIep6t/ZqjAzINzgadot31ZXnLpIkq640NULsTt4cGYU9EAuX9 +RakH6RbhfO5t2aMiblu/qa4UZJEgXqosYc4ovGsn+GofYOW1tlCLC4XBH44+Vr5Y +cSTOc5DtWsUGsXazmF6+Cj3AC7KI+VWegHexGezyO0not8Q5L55TuH2lCW4sx9th +W4Q7jg2lrCvz4x8ZRIAXOGmBaDTZmMtVlEjezu+7xr8QDQsvUwj7a87HPjgXFesj +CbbCr8kaqEdZ23AVDZuLAKS4hWQlbacRhRAxMkomZkg5U6J/PC3ikIqfOda1zu1D +MTIOuwECgYEA8hFkISWVEzbaIZgO1BZl36wNaOLYIpX0CzlycptcEssbefLy7Nxo +TZ+m9AjF6TBPl4fO4edo00iiJMy6ZdhItduNWLO+usJEY9UdzHex7fCUeG8usUXQ +g4VGEvPGg88VEM45pkAgbga7kzkG2Ihfu6La5apbXeOpNpuC58DdlzkCgYEA5Fxl +/qGzLlTwioaaE+qpEX46MfbJl38nkeSf9B7J1ISc/fnDPcBPvcHaYELqyHM+7OFa +Gt9oBDrLgyP4ZgOTaHKHdofXjAMC97b9oa/Lrors5dMrf/fxTTe2X+Kab94E1Wbo +39kA3qzV/CT7EZWuqbHO3Bqkv/qe6ks0Tbahc/ECgYBuB2OpAWkyc6NQ08ohsxCZ +S55Ix5uQlPJ5y6Hu4BlI3ZNeqgSrjz/F0MTVdctnxDLZYLyzyDjImOJCseAj/NyH +9QTZhdIzF6x4aF2EG///dHQ4Del+YIp3zbNdV/sq3Izpt6NSoyFagarvL2OiNtK0 ++kBfVkDze1Dl5mfpKaxPWQKBgQC+gXqxJxKE92VIGyxUqzHqHwTLg9b/ZJuNMU5j +aH/1o8AYfJFtZY7gfeUA4zJckRAQq5rwyilLRgVbXNmvuRHzU4BA2OhvrF+Aag9D +IJXqAYnJ3RXwBtcuFOk3KqKt6mjb4qMpgy4flc5aMDunmtiARo6MvklswtZqHN0A +a/ha8QKBgQCqF/xCf5ORzVkikYYGsO910QXlzsyPdRJbhrBCRTsdhz/paT5GQQXr +y3ToUuKEoHfjFudUeGNOstjchWw+WgT9iqMJhtwV1nU1lkPyjmCQ2ONIP+13dZ+i +I/LDyMngtOKzvD5qpswY1Er+84+RVrtseQjXDC2NlrvDr5LnZDtGag== +-----END RSA PRIVATE KEY----- diff --git a/hack/scripts-dev/docker-dns/certs-wildcard/Procfile b/hack/scripts-dev/docker-dns/certs-wildcard/Procfile new file mode 100644 index 000000000..af291402c --- /dev/null +++ b/hack/scripts-dev/docker-dns/certs-wildcard/Procfile @@ -0,0 +1,6 @@ +# Use goreman to run `go get github.com/mattn/goreman` +etcd1: ./etcd --name m1 --data-dir /tmp/m1.data --listen-client-urls https://127.0.0.1:2379 --advertise-client-urls https://m1.etcd.local:2379 --listen-peer-urls https://127.0.0.1:2380 --initial-advertise-peer-urls=https://m1.etcd.local:2380 --initial-cluster-token tkn --initial-cluster=m1=https://m1.etcd.local:2380,m2=https://m2.etcd.local:22380,m3=https://m3.etcd.local:32380 --initial-cluster-state new --peer-cert-file=/certs-wildcard/server.crt --peer-key-file=/certs-wildcard/server.key.insecure --peer-trusted-ca-file=/certs-wildcard/ca.crt --peer-client-cert-auth --cert-file=/certs-wildcard/server.crt --key-file=/certs-wildcard/server.key.insecure --trusted-ca-file=/certs-wildcard/ca.crt --client-cert-auth + +etcd2: ./etcd --name m2 --data-dir /tmp/m2.data --listen-client-urls https://127.0.0.1:22379 --advertise-client-urls https://m2.etcd.local:22379 --listen-peer-urls https://127.0.0.1:22380 --initial-advertise-peer-urls=https://m2.etcd.local:22380 --initial-cluster-token tkn --initial-cluster=m1=https://m1.etcd.local:2380,m2=https://m2.etcd.local:22380,m3=https://m3.etcd.local:32380 --initial-cluster-state new --peer-cert-file=/certs-wildcard/server.crt --peer-key-file=/certs-wildcard/server.key.insecure --peer-trusted-ca-file=/certs-wildcard/ca.crt --peer-client-cert-auth --cert-file=/certs-wildcard/server.crt --key-file=/certs-wildcard/server.key.insecure --trusted-ca-file=/certs-wildcard/ca.crt --client-cert-auth + +etcd3: ./etcd --name m3 --data-dir /tmp/m3.data --listen-client-urls https://127.0.0.1:32379 --advertise-client-urls https://m3.etcd.local:32379 --listen-peer-urls https://127.0.0.1:32380 --initial-advertise-peer-urls=https://m3.etcd.local:32380 --initial-cluster-token tkn --initial-cluster=m1=https://m1.etcd.local:2380,m2=https://m2.etcd.local:22380,m3=https://m3.etcd.local:32380 --initial-cluster-state new --peer-cert-file=/certs-wildcard/server.crt --peer-key-file=/certs-wildcard/server.key.insecure --peer-trusted-ca-file=/certs-wildcard/ca.crt --peer-client-cert-auth --cert-file=/certs-wildcard/server.crt --key-file=/certs-wildcard/server.key.insecure --trusted-ca-file=/certs-wildcard/ca.crt --client-cert-auth \ No newline at end of file diff --git a/hack/scripts-dev/docker-dns/certs-wildcard/ca-csr.json b/hack/scripts-dev/docker-dns/certs-wildcard/ca-csr.json new file mode 100644 index 000000000..ecafabaad --- /dev/null +++ b/hack/scripts-dev/docker-dns/certs-wildcard/ca-csr.json @@ -0,0 +1,19 @@ +{ + "key": { + "algo": "rsa", + "size": 2048 + }, + "names": [ + { + "O": "etcd", + "OU": "etcd Security", + "L": "San Francisco", + "ST": "California", + "C": "USA" + } + ], + "CN": "ca", + "ca": { + "expiry": "87600h" + } +} diff --git a/hack/scripts-dev/docker-dns/certs-wildcard/ca.crt b/hack/scripts-dev/docker-dns/certs-wildcard/ca.crt new file mode 100644 index 000000000..23ee34f4a --- /dev/null +++ b/hack/scripts-dev/docker-dns/certs-wildcard/ca.crt @@ -0,0 +1,22 @@ +-----BEGIN CERTIFICATE----- +MIIDsTCCApmgAwIBAgIUanA77pXfEz2idrPSlIoPrSo6MmcwDQYJKoZIhvcNAQEL +BQAwbzEMMAoGA1UEBhMDVVNBMRMwEQYDVQQIEwpDYWxpZm9ybmlhMRYwFAYDVQQH +Ew1TYW4gRnJhbmNpc2NvMQ0wCwYDVQQKEwRldGNkMRYwFAYDVQQLEw1ldGNkIFNl +Y3VyaXR5MQswCQYDVQQDEwJjYTAeFw0xNzExMTMwNDA5MDBaFw0yNzExMTEwNDA5 +MDBaMG8xDDAKBgNVBAYTA1VTQTETMBEGA1UECBMKQ2FsaWZvcm5pYTEWMBQGA1UE +BxMNU2FuIEZyYW5jaXNjbzENMAsGA1UEChMEZXRjZDEWMBQGA1UECxMNZXRjZCBT +ZWN1cml0eTELMAkGA1UEAxMCY2EwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEK +AoIBAQDqtw5G6XZ4N2uuc7TAoiXI+IXA/H+IJIbHrVFQ3LIzLDaS6AmVWw4yT4o2 +X/1IbR5TU6dCnGxuHPutnfnG87is5Oxk1HfIy5cfpf75St3uQycJRcr3Bui/fEZ0 +IZaoRyklcYGI8Y+VfaSADl++EP7UU0X7cc263rZulJXkqp4HihDTPixBgVDruNWf +Yfa2K/Zhiq+zj3hE6s/cBn2pIdY6SMlQ1P0uT/Y5oBTTJFBxeqw+Sz/NXgKgErQg +Za/gNHQWzyRoYHiOGQylvsiXr6tgdk29f0Z6gTQy8FQpwOXYERJr45zh8KvE+FJK +MaWUhGW7hkv85JDZSsmDZ6lVYIfhAgMBAAGjRTBDMA4GA1UdDwEB/wQEAwIBBjAS +BgNVHRMBAf8ECDAGAQH/AgECMB0GA1UdDgQWBBS+p7B3RLjI8HOOPvVhqtBQNRmH +ZTANBgkqhkiG9w0BAQsFAAOCAQEAFWHLvzzTRQJYjVDxBuXrNZkhFsGAoCYoXhAK +1nXmqLb9/dPMxjkB4ptkQNuP8cMCMPMlapoLkHxEihN1sWZwJRfWShRTK2cQ2kd6 +IKH/M3/ido1PqN/CxhfqvMj3ap3ZkV81nvwn3XhciCGca1CyLzij9RroO0Ee+R3h +mK5A38I1YeRMNOnNAJAW+5scaVtPe6famG2p/OcswobF+ojeZIQJcuk7/FP5iXGA +UfG5WaW3bVfSr5aUGtf/RYZvYu3kWZlAzGaey5iLutRc7f63Ma4jjEEauiGLqQ+6 +F17Feafs2ibRr1wes11O0B/9Ivx9qM/CFgEYhJfp/nBgY/UZXw== +-----END CERTIFICATE----- diff --git a/hack/scripts-dev/docker-dns/certs-wildcard/gencert.json b/hack/scripts-dev/docker-dns/certs-wildcard/gencert.json new file mode 100644 index 000000000..09b67267b --- /dev/null +++ b/hack/scripts-dev/docker-dns/certs-wildcard/gencert.json @@ -0,0 +1,13 @@ +{ + "signing": { + "default": { + "usages": [ + "signing", + "key encipherment", + "server auth", + "client auth" + ], + "expiry": "87600h" + } + } +} diff --git a/hack/scripts-dev/docker-dns/certs-wildcard/gencerts.sh b/hack/scripts-dev/docker-dns/certs-wildcard/gencerts.sh new file mode 100755 index 000000000..efc098f53 --- /dev/null +++ b/hack/scripts-dev/docker-dns/certs-wildcard/gencerts.sh @@ -0,0 +1,26 @@ +#!/bin/bash + +if ! [[ "$0" =~ "./gencerts.sh" ]]; then + echo "must be run from 'fixtures'" + exit 255 +fi + +if ! which cfssl; then + echo "cfssl is not installed" + exit 255 +fi + +cfssl gencert --initca=true ./ca-csr.json | cfssljson --bare ./ca +mv ca.pem ca.crt +openssl x509 -in ca.crt -noout -text + +# generate wildcard certificates DNS: *.etcd.local +cfssl gencert \ + --ca ./ca.crt \ + --ca-key ./ca-key.pem \ + --config ./gencert.json \ + ./server-ca-csr.json | cfssljson --bare ./server +mv server.pem server.crt +mv server-key.pem server.key.insecure + +rm -f *.csr *.pem *.stderr *.txt diff --git a/hack/scripts-dev/docker-dns/certs-wildcard/run.sh b/hack/scripts-dev/docker-dns/certs-wildcard/run.sh new file mode 100755 index 000000000..683a4d28a --- /dev/null +++ b/hack/scripts-dev/docker-dns/certs-wildcard/run.sh @@ -0,0 +1,33 @@ +#!/bin/sh +rm -rf /tmp/m1.data /tmp/m2.data /tmp/m3.data + +/etc/init.d/bind9 start + +# get rid of hosts so go lookup won't resolve 127.0.0.1 to localhost +cat /dev/null >/etc/hosts + +goreman -f /certs-wildcard/Procfile start & + +# TODO: remove random sleeps +sleep 7s + +ETCDCTL_API=3 ./etcdctl \ + --cacert=/certs-wildcard/ca.crt \ + --cert=/certs-wildcard/server.crt \ + --key=/certs-wildcard/server.key.insecure \ + --endpoints=https://m1.etcd.local:2379 \ + endpoint health --cluster + +ETCDCTL_API=3 ./etcdctl \ + --cacert=/certs-wildcard/ca.crt \ + --cert=/certs-wildcard/server.crt \ + --key=/certs-wildcard/server.key.insecure \ + --endpoints=https://m1.etcd.local:2379,https://m2.etcd.local:22379,https://m3.etcd.local:32379 \ + put abc def + +ETCDCTL_API=3 ./etcdctl \ + --cacert=/certs-wildcard/ca.crt \ + --cert=/certs-wildcard/server.crt \ + --key=/certs-wildcard/server.key.insecure \ + --endpoints=https://m1.etcd.local:2379,https://m2.etcd.local:22379,https://m3.etcd.local:32379 \ + get abc diff --git a/hack/scripts-dev/docker-dns/certs-wildcard/server-ca-csr.json b/hack/scripts-dev/docker-dns/certs-wildcard/server-ca-csr.json new file mode 100644 index 000000000..616bf11f8 --- /dev/null +++ b/hack/scripts-dev/docker-dns/certs-wildcard/server-ca-csr.json @@ -0,0 +1,20 @@ +{ + "key": { + "algo": "rsa", + "size": 2048 + }, + "names": [ + { + "O": "etcd", + "OU": "etcd Security", + "L": "San Francisco", + "ST": "California", + "C": "USA" + } + ], + "hosts": [ + "*.etcd.local", + "127.0.0.1", + "localhost" + ] +} diff --git a/hack/scripts-dev/docker-dns/certs-wildcard/server.crt b/hack/scripts-dev/docker-dns/certs-wildcard/server.crt new file mode 100644 index 000000000..a51cd0b94 --- /dev/null +++ b/hack/scripts-dev/docker-dns/certs-wildcard/server.crt @@ -0,0 +1,24 @@ +-----BEGIN CERTIFICATE----- +MIIECjCCAvKgAwIBAgIUQ0AgAKntDzHW4JxYheDkVMow5ykwDQYJKoZIhvcNAQEL +BQAwbzEMMAoGA1UEBhMDVVNBMRMwEQYDVQQIEwpDYWxpZm9ybmlhMRYwFAYDVQQH +Ew1TYW4gRnJhbmNpc2NvMQ0wCwYDVQQKEwRldGNkMRYwFAYDVQQLEw1ldGNkIFNl +Y3VyaXR5MQswCQYDVQQDEwJjYTAeFw0xNzExMTMwNDA5MDBaFw0yNzExMTEwNDA5 +MDBaMGIxDDAKBgNVBAYTA1VTQTETMBEGA1UECBMKQ2FsaWZvcm5pYTEWMBQGA1UE +BxMNU2FuIEZyYW5jaXNjbzENMAsGA1UEChMEZXRjZDEWMBQGA1UECxMNZXRjZCBT +ZWN1cml0eTCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBANMqNEozhdLm +K5ATSkgIOyQmBmoUCgiWB+P52YWzfmwaWwQP2FFs3qih2c3DHHH7s2zdceXKT2ZN +lvSO8yj08slLPYSC4LQ3su8njGJlasJ28JMjRqshnH3umxFXf9+aPcZ5yYkoXE9V +fzsnBMJz8hI6K2j4Q6sJe+v/0pdz8MpbdIPnmL9qfVpuD6JqmDCZiQOJ8lpMuqqD +60uLjtLv/JKjgdqe5C4psERVm09fg3vOZckv9CC6a4MupeXo2il6femZnPrxC8LX +u2KT3njEjoyzEu2NSdy+BUJDVLgKSh8s2TC8ViNfiFONQo6L1y78ZAyCDrRbTgN9 +Nu1Ou/yzqHkCAwEAAaOBqjCBpzAOBgNVHQ8BAf8EBAMCBaAwHQYDVR0lBBYwFAYI +KwYBBQUHAwEGCCsGAQUFBwMCMAwGA1UdEwEB/wQCMAAwHQYDVR0OBBYEFC83cRfE +/EKcz7GJKmgDLUBi3kRSMB8GA1UdIwQYMBaAFL6nsHdEuMjwc44+9WGq0FA1GYdl +MCgGA1UdEQQhMB+CDCouZXRjZC5sb2NhbIIJbG9jYWxob3N0hwR/AAABMA0GCSqG +SIb3DQEBCwUAA4IBAQCI7estG86E9IEGREfYul1ej8hltpiAxucmsI0i0lyRHOGa +dss3CKs6TWe5LWXThCIJ2WldI/VgPe63Ezz7WuP3EJxt9QclYArIklS/WN+Bjbn7 +6b8KAtGQkFh7hhjoyilBixpGjECcc7lbriXoEpmUZj9DYQymXWtjKeUJCfQjseNS +V/fmsPph8QveN+pGCypdQ9EA4LGXErg4DQMIo40maYf9/uGBMIrddi930llB0wAh +lsGNUDkrKKJVs2PiVsy8p8sF1h7zAQ+gSqk3ZuWjrTqIIMHtRfIaNICimc7wEy1t +u5fbySMusy1PRAwHVdl5yPxx++KlHyBNowh/9OJh +-----END CERTIFICATE----- diff --git a/hack/scripts-dev/docker-dns/certs-wildcard/server.key.insecure b/hack/scripts-dev/docker-dns/certs-wildcard/server.key.insecure new file mode 100644 index 000000000..ac56ed4ea --- /dev/null +++ b/hack/scripts-dev/docker-dns/certs-wildcard/server.key.insecure @@ -0,0 +1,27 @@ +-----BEGIN RSA PRIVATE KEY----- +MIIEowIBAAKCAQEA0yo0SjOF0uYrkBNKSAg7JCYGahQKCJYH4/nZhbN+bBpbBA/Y +UWzeqKHZzcMccfuzbN1x5cpPZk2W9I7zKPTyyUs9hILgtDey7yeMYmVqwnbwkyNG +qyGcfe6bEVd/35o9xnnJiShcT1V/OycEwnPyEjoraPhDqwl76//Sl3Pwylt0g+eY +v2p9Wm4PomqYMJmJA4nyWky6qoPrS4uO0u/8kqOB2p7kLimwRFWbT1+De85lyS/0 +ILprgy6l5ejaKXp96Zmc+vELwte7YpPeeMSOjLMS7Y1J3L4FQkNUuApKHyzZMLxW +I1+IU41CjovXLvxkDIIOtFtOA3027U67/LOoeQIDAQABAoIBAH/sM104NTv8QCu5 +4+gbRGizuHMOzL1C1mjfdU0v3chzduvRBYTeZUzXL/Ec3+CVUK8Ev/krREp/epGQ +//Gx4lrbf9sExkem7nk/Biadtb00/KzGVAtcA0evArXQwiCdegsAwHycvL861ibp +jlKWlvE/2AhxTd0Rk8b2ZYdmr1qGTesIy7S4ilj1B8aYWnZglhSyyU7TqLhYmsWo +3B1ufNpkPCzo97bJmc1/bqXCIQXi/HkkDxJRFa/vESebiy2wdgkWflybW37vLaN0 +mox44uXpVYtZuuGyxdKjX6T2EOglZztXlC8gdxrnFS5leyBEu+7ABS5OvHgnlOX5 +80MyUpkCgYEA/4xpEBltbeJPH52Lla8VrcW3nGWPnfY8xUSnjKBspswTQPu389EO +ayM3DewcpIfxFu/BlMzKz0lm77QQZIu3gIJoEu8IXzUa3fJ2IavRKPSvbNFj5Icl +kVX+mE4BtF+tnAjDWiX9qaNXZcU7b0/q0yXzL35WB4H7Op4axqBir/sCgYEA04m3 +4LtRKWgObQXqNaw+8yEvznWdqVlJngyKoJkSVnqwWRuin9eZDfc84genxxT0rGI9 +/3Fw8enfBVIYGLR5V5aYmGfYyRCkN4aeRc0zDlInm0x2UcZShT8D0LktufwRYZh8 +Ui6+iiIBELwxyyWfuybH5hhstbdFazfu1yNA+xsCgYB47tORYNceVyimh4HU9iRG +NfjsNEvArxSXLiQ0Mn74eD7sU7L72QT/wox9NC1h10tKVW/AoSGg8tWZvha73jqa +wBvMSf4mQBVUzzcEPDEhNpoF3xlsvmAS5SU0okXAPD8GRkdcU/o02y2y5aF4zdMM +1Tq+UQUZTHO9i7CUKrZJHQKBgQC+FueRn0ITv1oXRlVs3dfDi3L2SGLhJ0csK4D3 +SBZed+m4aUj98jOrhRzE0LRIBeDId4/W2A3ylYK/uUHGEYdo2f9OFSONqtKmwuW/ +O+JBYDoPJ+q7GUhWTIYVLhKVKppD5U7yWucGIgBrFXJ5Ztnex76iWhh2Qray3pRV +52whOQKBgHVBI4F7pkn6id9W4sx2LqrVjpjw6vTDepIRK0SXBIQp34WnCL5CERDJ +pks203i42Ww7IadufepkGQOfwuik9wVRNWrNp4oKle6oNK9oK3ihuyb+5DtyKwDm +5sQUYUXc5E3qDQhHCGDzbT7wP+bCDnWKgvV6smshuQSW8M+tFIOQ +-----END RSA PRIVATE KEY----- diff --git a/hack/scripts-dev/docker-dns/certs/Procfile b/hack/scripts-dev/docker-dns/certs/Procfile new file mode 100644 index 000000000..c25bff58b --- /dev/null +++ b/hack/scripts-dev/docker-dns/certs/Procfile @@ -0,0 +1,6 @@ +# Use goreman to run `go get github.com/mattn/goreman` +etcd1: ./etcd --name m1 --data-dir /tmp/m1.data --listen-client-urls https://127.0.0.1:2379 --advertise-client-urls https://m1.etcd.local:2379 --listen-peer-urls https://127.0.0.1:2380 --initial-advertise-peer-urls=https://m1.etcd.local:2380 --initial-cluster-token tkn --initial-cluster=m1=https://m1.etcd.local:2380,m2=https://m2.etcd.local:22380,m3=https://m3.etcd.local:32380 --initial-cluster-state new --peer-cert-file=/certs/server.crt --peer-key-file=/certs/server.key.insecure --peer-trusted-ca-file=/certs/ca.crt --peer-client-cert-auth --cert-file=/certs/server.crt --key-file=/certs/server.key.insecure --trusted-ca-file=/certs/ca.crt --client-cert-auth + +etcd2: ./etcd --name m2 --data-dir /tmp/m2.data --listen-client-urls https://127.0.0.1:22379 --advertise-client-urls https://m2.etcd.local:22379 --listen-peer-urls https://127.0.0.1:22380 --initial-advertise-peer-urls=https://m2.etcd.local:22380 --initial-cluster-token tkn --initial-cluster=m1=https://m1.etcd.local:2380,m2=https://m2.etcd.local:22380,m3=https://m3.etcd.local:32380 --initial-cluster-state new --peer-cert-file=/certs/server.crt --peer-key-file=/certs/server.key.insecure --peer-trusted-ca-file=/certs/ca.crt --peer-client-cert-auth --cert-file=/certs/server.crt --key-file=/certs/server.key.insecure --trusted-ca-file=/certs/ca.crt --client-cert-auth + +etcd3: ./etcd --name m3 --data-dir /tmp/m3.data --listen-client-urls https://127.0.0.1:32379 --advertise-client-urls https://m3.etcd.local:32379 --listen-peer-urls https://127.0.0.1:32380 --initial-advertise-peer-urls=https://m3.etcd.local:32380 --initial-cluster-token tkn --initial-cluster=m1=https://m1.etcd.local:2380,m2=https://m2.etcd.local:22380,m3=https://m3.etcd.local:32380 --initial-cluster-state new --peer-cert-file=/certs/server.crt --peer-key-file=/certs/server.key.insecure --peer-trusted-ca-file=/certs/ca.crt --peer-client-cert-auth --cert-file=/certs/server.crt --key-file=/certs/server.key.insecure --trusted-ca-file=/certs/ca.crt --client-cert-auth \ No newline at end of file diff --git a/hack/scripts-dev/docker-dns/certs/ca-csr.json b/hack/scripts-dev/docker-dns/certs/ca-csr.json new file mode 100644 index 000000000..ecafabaad --- /dev/null +++ b/hack/scripts-dev/docker-dns/certs/ca-csr.json @@ -0,0 +1,19 @@ +{ + "key": { + "algo": "rsa", + "size": 2048 + }, + "names": [ + { + "O": "etcd", + "OU": "etcd Security", + "L": "San Francisco", + "ST": "California", + "C": "USA" + } + ], + "CN": "ca", + "ca": { + "expiry": "87600h" + } +} diff --git a/hack/scripts-dev/docker-dns/certs/ca.crt b/hack/scripts-dev/docker-dns/certs/ca.crt new file mode 100644 index 000000000..4a17292de --- /dev/null +++ b/hack/scripts-dev/docker-dns/certs/ca.crt @@ -0,0 +1,22 @@ +-----BEGIN CERTIFICATE----- +MIIDsTCCApmgAwIBAgIUCeu/ww6+XbCM3m8m6fp17t8bjOcwDQYJKoZIhvcNAQEL +BQAwbzEMMAoGA1UEBhMDVVNBMRMwEQYDVQQIEwpDYWxpZm9ybmlhMRYwFAYDVQQH +Ew1TYW4gRnJhbmNpc2NvMQ0wCwYDVQQKEwRldGNkMRYwFAYDVQQLEw1ldGNkIFNl +Y3VyaXR5MQswCQYDVQQDEwJjYTAeFw0xNzExMTMwNDA2MDBaFw0yNzExMTEwNDA2 +MDBaMG8xDDAKBgNVBAYTA1VTQTETMBEGA1UECBMKQ2FsaWZvcm5pYTEWMBQGA1UE +BxMNU2FuIEZyYW5jaXNjbzENMAsGA1UEChMEZXRjZDEWMBQGA1UECxMNZXRjZCBT +ZWN1cml0eTELMAkGA1UEAxMCY2EwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEK +AoIBAQCgH8KMvldAoQjWA5YQoEOQgRyjZ3hkKdTQcFBj3OR8OyhiNJ+4oEJ/AqyJ +b41G9NGd+88hRSrcCeUBrUY3nWVhqzclCe7mQ1IyordmuKxekmPD/uvzcbySzpJT +qGEwNEiiBcr4mSQiGA5yMgBLKLpKw27t0ncVn/Qt0rKtqwLUYYWGEfADLw7+6iDK +xzCxLeXV/cB1VtFZa62j3KRJR4XQ/QosqwZw2dRGF/jUZgmsRYYK8noOvqY/uRPV +sqwGAKq0B0zOMp185dFrzJVD+LHZgSS9GLGmvRgttwayDuYSOny7WXugQ28fCaRX +p+53s1eBb5cHCGSko48f2329cnlFAgMBAAGjRTBDMA4GA1UdDwEB/wQEAwIBBjAS +BgNVHRMBAf8ECDAGAQH/AgECMB0GA1UdDgQWBBSgglhjDWaAJm9ju5x1YMArtH7c +yjANBgkqhkiG9w0BAQsFAAOCAQEAK6IGimbnP9oFSvwNGmXjEtn/vE82dDhQJv8k +oiAsx0JurXBYybvu/MLaBJVQ6bF77hW/fzvhMOzLNEMGY1ql80TmfaTqyPpTN85I +6YhXOViZEQJvH17lVA8d57aSve0WPZqBqS3xI0dGpn/Ji6JPrjKCrgjeukXXHR+L +MScK1lpxaCjD45SMJCzANsMnIKTiKN8RnIcSmnrr/gGl7bC6Y7P84xUGgYu2hvNG +1DZBcelmzbZYk2DtbrR0Ed6IFD1Tz4RAEuKJfInjgAP2da41j4smoecXOsJMGVl5 +5RX7ba3Hohys6la8jSS3opCPKkwEN9mQaB++iN1qoZFY4qB9gg== +-----END CERTIFICATE----- diff --git a/hack/scripts-dev/docker-dns/certs/gencert.json b/hack/scripts-dev/docker-dns/certs/gencert.json new file mode 100644 index 000000000..09b67267b --- /dev/null +++ b/hack/scripts-dev/docker-dns/certs/gencert.json @@ -0,0 +1,13 @@ +{ + "signing": { + "default": { + "usages": [ + "signing", + "key encipherment", + "server auth", + "client auth" + ], + "expiry": "87600h" + } + } +} diff --git a/hack/scripts-dev/docker-dns/certs/gencerts.sh b/hack/scripts-dev/docker-dns/certs/gencerts.sh new file mode 100755 index 000000000..efc098f53 --- /dev/null +++ b/hack/scripts-dev/docker-dns/certs/gencerts.sh @@ -0,0 +1,26 @@ +#!/bin/bash + +if ! [[ "$0" =~ "./gencerts.sh" ]]; then + echo "must be run from 'fixtures'" + exit 255 +fi + +if ! which cfssl; then + echo "cfssl is not installed" + exit 255 +fi + +cfssl gencert --initca=true ./ca-csr.json | cfssljson --bare ./ca +mv ca.pem ca.crt +openssl x509 -in ca.crt -noout -text + +# generate wildcard certificates DNS: *.etcd.local +cfssl gencert \ + --ca ./ca.crt \ + --ca-key ./ca-key.pem \ + --config ./gencert.json \ + ./server-ca-csr.json | cfssljson --bare ./server +mv server.pem server.crt +mv server-key.pem server.key.insecure + +rm -f *.csr *.pem *.stderr *.txt diff --git a/hack/scripts-dev/docker-dns/certs/run.sh b/hack/scripts-dev/docker-dns/certs/run.sh new file mode 100755 index 000000000..7f6c31d4f --- /dev/null +++ b/hack/scripts-dev/docker-dns/certs/run.sh @@ -0,0 +1,33 @@ +#!/bin/sh +rm -rf /tmp/m1.data /tmp/m2.data /tmp/m3.data + +/etc/init.d/bind9 start + +# get rid of hosts so go lookup won't resolve 127.0.0.1 to localhost +cat /dev/null >/etc/hosts + +goreman -f /certs/Procfile start & + +# TODO: remove random sleeps +sleep 7s + +ETCDCTL_API=3 ./etcdctl \ + --cacert=/certs/ca.crt \ + --cert=/certs/server.crt \ + --key=/certs/server.key.insecure \ + --endpoints=https://m1.etcd.local:2379 \ + endpoint health --cluster + +ETCDCTL_API=3 ./etcdctl \ + --cacert=/certs/ca.crt \ + --cert=/certs/server.crt \ + --key=/certs/server.key.insecure \ + --endpoints=https://m1.etcd.local:2379,https://m2.etcd.local:22379,https://m3.etcd.local:32379 \ + put abc def + +ETCDCTL_API=3 ./etcdctl \ + --cacert=/certs/ca.crt \ + --cert=/certs/server.crt \ + --key=/certs/server.key.insecure \ + --endpoints=https://m1.etcd.local:2379,https://m2.etcd.local:22379,https://m3.etcd.local:32379 \ + get abc diff --git a/hack/scripts-dev/docker-dns/certs/server-ca-csr.json b/hack/scripts-dev/docker-dns/certs/server-ca-csr.json new file mode 100644 index 000000000..77cdb408c --- /dev/null +++ b/hack/scripts-dev/docker-dns/certs/server-ca-csr.json @@ -0,0 +1,22 @@ +{ + "key": { + "algo": "rsa", + "size": 2048 + }, + "names": [ + { + "O": "etcd", + "OU": "etcd Security", + "L": "San Francisco", + "ST": "California", + "C": "USA" + } + ], + "hosts": [ + "m1.etcd.local", + "m2.etcd.local", + "m3.etcd.local", + "127.0.0.1", + "localhost" + ] +} diff --git a/hack/scripts-dev/docker-dns/certs/server.crt b/hack/scripts-dev/docker-dns/certs/server.crt new file mode 100644 index 000000000..928e3cf5d --- /dev/null +++ b/hack/scripts-dev/docker-dns/certs/server.crt @@ -0,0 +1,25 @@ +-----BEGIN CERTIFICATE----- +MIIEKTCCAxGgAwIBAgIUUwtQlOqMccWY8MOaSaWutEjlMrgwDQYJKoZIhvcNAQEL +BQAwbzEMMAoGA1UEBhMDVVNBMRMwEQYDVQQIEwpDYWxpZm9ybmlhMRYwFAYDVQQH +Ew1TYW4gRnJhbmNpc2NvMQ0wCwYDVQQKEwRldGNkMRYwFAYDVQQLEw1ldGNkIFNl +Y3VyaXR5MQswCQYDVQQDEwJjYTAeFw0xNzExMTMwNDA2MDBaFw0yNzExMTEwNDA2 +MDBaMGIxDDAKBgNVBAYTA1VTQTETMBEGA1UECBMKQ2FsaWZvcm5pYTEWMBQGA1UE +BxMNU2FuIEZyYW5jaXNjbzENMAsGA1UEChMEZXRjZDEWMBQGA1UECxMNZXRjZCBT +ZWN1cml0eTCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBALyYH7bL79If +75AezzSpkuTOPAGBzPlGFLM5QS4jrt6fJBpElAUV2VmZm+isVsTs2X63md1t4s3Y +44soYK02HONUxUXxbeW7S8yJYSplG5hCJpFiSVP0GyVojQ04OLO1yI5m82fWJNi6 +9PgTmb3+/YD08TKbjjJ4FB0kqoFJE4qoUNNpbkpQxHW4cx9iyWbE9gwyGoC76ftr +DC4J5HavmZ/y51rq1VWrO/d9rmCEUN++M8FcGt6D4WVQ54sWafl4Q1HafBq3FAT5 +swpqi6aDDFKYYTdvjFEmJ2uWacak8NO+vjTt8fTfSFBUYcxweVWIDm6xU8kR8Lwy +aNxD26jQ9GMCAwEAAaOByTCBxjAOBgNVHQ8BAf8EBAMCBaAwHQYDVR0lBBYwFAYI +KwYBBQUHAwEGCCsGAQUFBwMCMAwGA1UdEwEB/wQCMAAwHQYDVR0OBBYEFELi+Ig+ +uxXrOvjoacXjcCjtfHcsMB8GA1UdIwQYMBaAFKCCWGMNZoAmb2O7nHVgwCu0ftzK +MEcGA1UdEQRAMD6CDW0xLmV0Y2QubG9jYWyCDW0yLmV0Y2QubG9jYWyCDW0zLmV0 +Y2QubG9jYWyCCWxvY2FsaG9zdIcEfwAAATANBgkqhkiG9w0BAQsFAAOCAQEAn6e8 +LPd53xQGiicDHN8+WkUS7crr+A+bIfY0nbWUf1H7zwNxpHHnKgVRHc4MKpRY4f+E +M2bEYdNJZDrjFYIWWlFDteVKZevH2dB3weiCAYWPYuiR9dGH6NvVbPcEMwarPBW4 +mLsm9Nl/r7YBxXx73rhfxyBbhTuDwKtY/BAMi+ZO4msnuWiiSiQEUrEmzm9PWhAD +CgNjxCL3xoGyIJGj1xev0PYo+iFrAd9Pkfg2+FaSYXtNPbZX229yHmxU7GbOJumx +5vGQMRtzByq7wqw1dZpITlgbDPJc5jdIRKGnusQ96GXLORSQcP+tfG4NhreYYpI1 +69Y78gNCTl0uGmI21g== +-----END CERTIFICATE----- diff --git a/hack/scripts-dev/docker-dns/certs/server.key.insecure b/hack/scripts-dev/docker-dns/certs/server.key.insecure new file mode 100644 index 000000000..08784a7c6 --- /dev/null +++ b/hack/scripts-dev/docker-dns/certs/server.key.insecure @@ -0,0 +1,27 @@ +-----BEGIN RSA PRIVATE KEY----- +MIIEpAIBAAKCAQEAvJgftsvv0h/vkB7PNKmS5M48AYHM+UYUszlBLiOu3p8kGkSU +BRXZWZmb6KxWxOzZfreZ3W3izdjjiyhgrTYc41TFRfFt5btLzIlhKmUbmEImkWJJ +U/QbJWiNDTg4s7XIjmbzZ9Yk2Lr0+BOZvf79gPTxMpuOMngUHSSqgUkTiqhQ02lu +SlDEdbhzH2LJZsT2DDIagLvp+2sMLgnkdq+Zn/LnWurVVas7932uYIRQ374zwVwa +3oPhZVDnixZp+XhDUdp8GrcUBPmzCmqLpoMMUphhN2+MUSYna5ZpxqTw076+NO3x +9N9IUFRhzHB5VYgObrFTyRHwvDJo3EPbqND0YwIDAQABAoIBAQC0YCbM9YZ9CRBe +Xik9rAYTknBv3I6Hx5BaziLaF0TUJY8pFHgh2QDVooYsZlBi7kki2kVuNAAdcxhG +ayrz33KHtvcq6zt54sYfbTGik6tt1679k+ygQDOKdtGZWDFbKD0Wfb7FjFoXc9CC +SHTd9DjPkvXxujepa5GJQh1Vo+ftz2I+8e6LeoiBZJM1IosfrpxKg02UnWrLia7o +i8eoXIyMAJHuNUGpGl33WnckyMGDsVKMc2DVG2exfVBZ37lAemYOLRKmd4AwUk2l +ztd71sXQodLk++1BqaS9cc9yvsNiBjGL3Ehm7uUcLH1k3VHd4ArcGhiqffKzQuSE +Dhm8GXNZAoGBAMrXOAdnfLlxYKCqOaj0JwN0RusWBP3cC7jluS5UmeTROPnBa0Fb +219YtiXkDrWtoiwLvvPXobem0/juPkiGnprGcOsPUGa6pV3TPJ40BiIfh9/vt7fr +Bko2SqEA9U0FxredcOFoCPxX9k9EDWxhF/nD20amvRHKK/wv995iXKxHAoGBAO4F +GILNxBHlH5F++dbSSSTcZUTXvuBr7JQkbMK+luSikEtaSW9IO2bf65LtqjaWp4Ds +rENCQAB3PmI111Rjwrk7925W0JCHw/+UArlVoM3K2q1zhYUWAn9L3v+qUTN2TLu1 +Tso3OkCrQ5aa812tffW3hZHOWJ+aZp2nnBnruDEFAoGAGJDCD1uAJnFNs4eKHiUb +iHaPlC8BgcEhhk4EBFFopeaU0OKU28CFK+HxhVs+UNBrgIwXny5xPm2s5EvuLRho +ovP/fuhG43odRuSrRbmlOIK7EOrWRCbphxlWJnOYQbC+ZURjBFl2JSF+ChGC0qpb +nfsTVlYhNcNXWl5w1XTyJkcCgYEAp07XquJeh0GqTgiWL8XC+nEdkiWhG3lhY8Sy +2rVDtdT7XqxJYDrC3o5Ztf7vnc2KUpqKgACqomkvZbN49+3j63bWdy35Dw8P27A7 +tfEVxnJoAnJokWMmQDqhts8OowDt8SgCCSyG+vwn10518QxJtRXaguIr84yBwyIV +HTdPUs0CgYBIAxoPD9/6R2swClvln15sjaIXDp5rYLbm6mWU8fBURU2fdUw3VBlJ +7YVgQ4GnKiCI7NueBBNRhjXA3KDkFyZw0/oKe2uc/4Gdyx1/L40WbYOaxJD2vIAf +FZ4pK9Yq5Rp3XiCNm0eURBlNM+fwXOQin2XdzDRoEq1B5JalQO87lA== +-----END RSA PRIVATE KEY----- diff --git a/hack/scripts-dev/docker-dns/run.sh b/hack/scripts-dev/docker-dns/run.sh deleted file mode 100755 index 5e877c7b9..000000000 --- a/hack/scripts-dev/docker-dns/run.sh +++ /dev/null @@ -1,16 +0,0 @@ -#!/bin/sh - -/etc/init.d/bind9 start - -# get rid of hosts so go lookup won't resolve 127.0.0.1 to localhost -cat /dev/null >/etc/hosts - -goreman -f /Procfile.tls start & -sleep 7s - -ETCDCTL_API=3 ./etcdctl \ - --cacert=/certs/ca.crt \ - --cert=/certs/server-wildcard.crt \ - --key=/certs//server-wildcard.key.insecure \ - --endpoints=https://m1.etcd.local:2379,https://m2.etcd.local:22379,https://m3.etcd.local:32379 \ - put abc def