Posted to commits@dlab.apache.org by om...@apache.org on 2019/10/25 11:18:15 UTC
[incubator-dlab] branch DLAB-1158 updated: added step ca for
endpoint; removed generating of self signed certs for ssn and endpoint;
This is an automated email from the ASF dual-hosted git repository.
omartushevskyi pushed a commit to branch DLAB-1158
in repository https://gitbox.apache.org/repos/asf/incubator-dlab.git
The following commit(s) were added to refs/heads/DLAB-1158 by this push:
new ee7822f added step ca for endpoint; removed generating of self signed certs for ssn and endpoint;
ee7822f is described below
commit ee7822fb5c76dea196a4799730b5a0b86ea73aeb
Author: Oleh Martushevskyi <Ol...@epam.com>
AuthorDate: Fri Oct 25 14:18:03 2019 +0300
added step ca for endpoint;
removed generating of self signed certs for ssn and endpoint;
---
.../terraform/aws/endpoint/main/instance.tf | 2 +-
.../terraform/aws/endpoint/main/network.tf | 11 +++
.../terraform/aws/endpoint/main/variables.tf | 2 +-
.../ssn-helm-charts/main/dlab-ui-chart/values.yaml | 2 -
.../terraform/aws/ssn-helm-charts/main/dlab-ui.tf | 1 -
.../terraform/aws/ssn-helm-charts/main/outputs.tf | 16 +++++
.../terraform/aws/ssn-helm-charts/main/secrets.tf | 27 ++++---
.../aws/ssn-helm-charts/main/variables.tf | 6 +-
.../aws/ssn-k8s/main/auto_scaling_groups.tf | 22 +++---
.../aws/ssn-k8s/main/files/masters-user-data.sh | 34 ++++-----
.../terraform/aws/ssn-k8s/main/main.tf | 26 +++----
.../terraform/aws/ssn-k8s/main/vpc.tf | 22 +++---
.../terraform/bin/deploy/endpoint_fab.py | 82 +++++++++++++++++-----
infrastructure-provisioning/terraform/bin/dlab.py | 30 ++++----
services/self-service/Dockerfile_aws | 1 +
services/self-service/entrypoint_aws.sh | 21 ++++--
16 files changed, 194 insertions(+), 111 deletions(-)
diff --git a/infrastructure-provisioning/terraform/aws/endpoint/main/instance.tf b/infrastructure-provisioning/terraform/aws/endpoint/main/instance.tf
index e2000b2..dd002ce 100644
--- a/infrastructure-provisioning/terraform/aws/endpoint/main/instance.tf
+++ b/infrastructure-provisioning/terraform/aws/endpoint/main/instance.tf
@@ -46,6 +46,6 @@ resource "aws_instance" "endpoint" {
resource "aws_eip_association" "e_ip_assoc" {
instance_id = aws_instance.endpoint.id
- allocation_id = var.endpoint_eip_allocation_id
+ allocation_id = aws_eip.endpoint_eip.allocation_id
count = var.network_type == "public" ? 1 : 0
}
diff --git a/infrastructure-provisioning/terraform/aws/endpoint/main/network.tf b/infrastructure-provisioning/terraform/aws/endpoint/main/network.tf
index c69bcdf..892ffae 100644
--- a/infrastructure-provisioning/terraform/aws/endpoint/main/network.tf
+++ b/infrastructure-provisioning/terraform/aws/endpoint/main/network.tf
@@ -25,6 +25,7 @@ locals {
endpoint_vpc_name = "${var.service_base_name}-endpoint-vpc"
additional_tag = split(":", var.additional_tag)
endpoint_igw_name = "${var.service_base_name}-endpoint-igw"
+ endpoint_ip_name = "${var.service_base_name}-endpoint-eip"
}
@@ -126,3 +127,13 @@ resource "aws_security_group" "endpoint_sec_group" {
"${var.service_base_name}-Tag" = local.endpoint_sg_name
}
}
+
+resource "aws_eip" "endpoint_eip" {
+ vpc = true
+ tags = {
+ Name = local.endpoint_ip_name
+ "${local.additional_tag[0]}" = local.additional_tag[1]
+ "${var.tag_resource_id}" = "${var.service_base_name}:${local.endpoint_ip_name}"
+ "${var.service_base_name}-Tag" = local.endpoint_ip_name
+ }
+}
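Review bot: `aws_eip.endpoint_eip` is created unconditionally, while the association that uses it in instance.tf (`aws_eip_association.e_ip_assoc`) is gated on `count = var.network_type == "public" ? 1 : 0`, so a private-network endpoint still allocates a public address that nothing attaches to. Put the same guard on the EIP, `count = var.network_type == "public" ? 1 : 0`, and change the association to `allocation_id = aws_eip.endpoint_eip[0].allocation_id` so both resources follow the one switch.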
diff --git a/infrastructure-provisioning/terraform/aws/endpoint/main/variables.tf b/infrastructure-provisioning/terraform/aws/endpoint/main/variables.tf
index 8cadb45..73716d8 100644
--- a/infrastructure-provisioning/terraform/aws/endpoint/main/variables.tf
+++ b/infrastructure-provisioning/terraform/aws/endpoint/main/variables.tf
@@ -52,7 +52,7 @@ variable "vpc_cidr" {}
variable "endpoint_volume_size" {}
-variable "endpoint_eip_allocation_id" {}
+//variable "endpoint_eip_allocation_id" {}
variable "endpoint_id" {}
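Review bot: `variable "endpoint_eip_allocation_id"` is commented out rather than deleted, leaving dead text that the git history already preserves; the same pattern recurs in ssn-helm-charts/main/secrets.tf, ssn-helm-charts/main/variables.tf, ssn-k8s/main/auto_scaling_groups.tf, ssn-k8s/main/files/masters-user-data.sh, ssn-k8s/main/main.tf, ssn-k8s/main/vpc.tf, bin/deploy/endpoint_fab.py, bin/dlab.py and services/self-service/entrypoint_aws.sh. If the old self-signed path is meant to be restorable, a one-line comment naming the replacement (`// replaced by certificates issued by step-ca, see endpoint_fab.py ensure_step_certs`) reads better than the full commented block; otherwise delete the lines.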
diff --git a/infrastructure-provisioning/terraform/aws/ssn-helm-charts/main/dlab-ui-chart/values.yaml b/infrastructure-provisioning/terraform/aws/ssn-helm-charts/main/dlab-ui-chart/values.yaml
index 4357509..c24fc50 100644
--- a/infrastructure-provisioning/terraform/aws/ssn-helm-charts/main/dlab-ui-chart/values.yaml
+++ b/infrastructure-provisioning/terraform/aws/ssn-helm-charts/main/dlab-ui-chart/values.yaml
@@ -56,8 +56,6 @@ ui:
port: ${mongo_port}
username: ${mongo_user}
db_name: ${mongo_db_name}
- provisionService:
- host: ${provision_service_host}
keycloak:
auth_server_url: https://${ssn_k8s_alb_dns_name}/auth
redirect_uri: https://${ssn_k8s_alb_dns_name}/
diff --git a/infrastructure-provisioning/terraform/aws/ssn-helm-charts/main/dlab-ui.tf b/infrastructure-provisioning/terraform/aws/ssn-helm-charts/main/dlab-ui.tf
index 8183baf..9f5330f 100644
--- a/infrastructure-provisioning/terraform/aws/ssn-helm-charts/main/dlab-ui.tf
+++ b/infrastructure-provisioning/terraform/aws/ssn-helm-charts/main/dlab-ui.tf
@@ -28,7 +28,6 @@ data "template_file" "dlab_ui_values" {
mongo_service_name = var.mongo_service_name
ssn_k8s_alb_dns_name = data.kubernetes_service.nginx-service.load_balancer_ingress.0.hostname
ssn_bucket_name = var.ssn_bucket_name
- provision_service_host = var.endpoint_eip_address
service_base_name = var.service_base_name
os = var.env_os
namespace = kubernetes_namespace.dlab-namespace.metadata[0].name
diff --git a/infrastructure-provisioning/terraform/aws/ssn-helm-charts/main/outputs.tf b/infrastructure-provisioning/terraform/aws/ssn-helm-charts/main/outputs.tf
index 469b98b..03b0f40 100644
--- a/infrastructure-provisioning/terraform/aws/ssn-helm-charts/main/outputs.tf
+++ b/infrastructure-provisioning/terraform/aws/ssn-helm-charts/main/outputs.tf
@@ -25,4 +25,20 @@ output "keycloak_client_secret" {
output "nginx_load_balancer_hostname" {
value = data.kubernetes_service.nginx-service.load_balancer_ingress.0.hostname
+}
+
+output "step_root_ca" {
+ value = lookup(data.external.step-ca-config-values.result, "rootCa")
+}
+
+output "step_kid" {
+ value = lookup(data.external.step-ca-config-values.result, "kid")
+}
+
+output "step_kid_password" {
+ value = random_string.step_ca_provisioner_password.result
+}
+
+output "step_ca_url" {
+ value = "https://${var.ssn_k8s_nlb_dns_name}:7443"
}
\ No newline at end of file
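Review bot: `step_kid_password` exports the CA provisioner password as a plain output, so `terraform apply` and `terraform output` print it and any CI log captures it; mark it `sensitive = true` (`output "step_kid_password" { value = random_string.step_ca_provisioner_password.result  sensitive = true }`). That only suppresses CLI display — the value is still held in the state file, so the state backend has to be treated as secret storage. The port `7443` in `step_ca_url` is hard-coded here; if it is configurable on the chart side, expose it as a variable so the two cannot drift.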
diff --git a/infrastructure-provisioning/terraform/aws/ssn-helm-charts/main/secrets.tf b/infrastructure-provisioning/terraform/aws/ssn-helm-charts/main/secrets.tf
index 313d4d7..ab58bc4 100644
--- a/infrastructure-provisioning/terraform/aws/ssn-helm-charts/main/secrets.tf
+++ b/infrastructure-provisioning/terraform/aws/ssn-helm-charts/main/secrets.tf
@@ -21,6 +21,11 @@
resource "random_uuid" "keycloak_client_secret" {}
+resource "random_string" "ssn_keystore_password" {
+ length = 16
+ special = false
+}
+
resource "kubernetes_secret" "keycloak_client_secret" {
metadata {
name = "keycloak-client-secret"
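Review bot: the keystore password is now generated by `random_string`, whose `result` is written to state and shown unmasked in plan diffs. If the random provider version pinned for this module offers it, `random_password` takes the same arguments and marks the result sensitive: `resource "random_password" "ssn_keystore_password" { length = 16  special = false }`. Either way the value lives in Terraform state, so the backend holding that state must be access-controlled like the Kubernetes secret it feeds.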
@@ -120,20 +125,20 @@ resource "kubernetes_secret" "ssn_keystore_password" {
}
data = {
- password = var.ssn_keystore_password
+ password = random_string.ssn_keystore_password.result
}
}
-resource "kubernetes_secret" "endpoint_keystore_password" {
- metadata {
- name = "endpoint-keystore-password"
- namespace = kubernetes_namespace.dlab-namespace.metadata[0].name
- }
-
- data = {
- password = var.endpoint_keystore_password
- }
-}
+//resource "kubernetes_secret" "endpoint_keystore_password" {
+// metadata {
+// name = "endpoint-keystore-password"
+// namespace = kubernetes_namespace.dlab-namespace.metadata[0].name
+// }
+//
+// data = {
+// password = var.endpoint_keystore_password
+// }
+//}
resource "random_string" "step_ca_password" {
length = 8
diff --git a/infrastructure-provisioning/terraform/aws/ssn-helm-charts/main/variables.tf b/infrastructure-provisioning/terraform/aws/ssn-helm-charts/main/variables.tf
index 0e04e69..d8bcbf0 100644
--- a/infrastructure-provisioning/terraform/aws/ssn-helm-charts/main/variables.tf
+++ b/infrastructure-provisioning/terraform/aws/ssn-helm-charts/main/variables.tf
@@ -108,13 +108,13 @@ variable "ssn_k8s_workers_count" {
default = "2"
}
-variable "ssn_keystore_password" {}
+//variable "ssn_keystore_password" {}
-variable "endpoint_keystore_password" {}
+//variable "endpoint_keystore_password" {}
variable "ssn_bucket_name" {}
-variable "endpoint_eip_address" {}
+//variable "endpoint_eip_address" {}
variable "service_base_name" {}
diff --git a/infrastructure-provisioning/terraform/aws/ssn-k8s/main/auto_scaling_groups.tf b/infrastructure-provisioning/terraform/aws/ssn-k8s/main/auto_scaling_groups.tf
index 6acec65..22b6a71 100644
--- a/infrastructure-provisioning/terraform/aws/ssn-k8s/main/auto_scaling_groups.tf
+++ b/infrastructure-provisioning/terraform/aws/ssn-k8s/main/auto_scaling_groups.tf
@@ -28,15 +28,15 @@ locals {
cluster_name = "${var.service_base_name}-k8s-cluster"
}
-resource "random_string" "ssn_keystore_password" {
- length = 16
- special = false
-}
+//resource "random_string" "ssn_keystore_password" {
+// length = 16
+// special = false
+//}
-resource "random_string" "endpoint_keystore_password" {
- length = 16
- special = false
-}
+//resource "random_string" "endpoint_keystore_password" {
+// length = 16
+// special = false
+//}
data "template_file" "ssn_k8s_masters_user_data" {
template = file("./files/masters-user-data.sh")
@@ -47,9 +47,9 @@ data "template_file" "ssn_k8s_masters_user_data" {
k8s-nlb-dns-name = aws_lb.ssn_k8s_nlb.dns_name
k8s-tg-arn = aws_lb_target_group.ssn_k8s_nlb_api_target_group.arn
k8s_os_user = var.os_user
- ssn_keystore_password = random_string.ssn_keystore_password.result
- endpoint_keystore_password = random_string.endpoint_keystore_password.result
- endpoint_elastic_ip = aws_eip.k8s-endpoint-eip.public_ip
+ // ssn_keystore_password = random_string.ssn_keystore_password.result
+ // endpoint_keystore_password = random_string.endpoint_keystore_password.result
+// endpoint_elastic_ip = aws_eip.k8s-endpoint-eip.public_ip
kubernetes_version = var.kubernetes_version
cluster_name = local.cluster_name
}
diff --git a/infrastructure-provisioning/terraform/aws/ssn-k8s/main/files/masters-user-data.sh b/infrastructure-provisioning/terraform/aws/ssn-k8s/main/files/masters-user-data.sh
index 39b685e..d52bd76 100644
--- a/infrastructure-provisioning/terraform/aws/ssn-k8s/main/files/masters-user-data.sh
+++ b/infrastructure-provisioning/terraform/aws/ssn-k8s/main/files/masters-user-data.sh
@@ -136,24 +136,24 @@ EOF
sudo -i -u ${k8s_os_user} kubectl create -f /tmp/rbac-config.yaml
sudo -i -u ${k8s_os_user} helm init --service-account tiller --history-max 200
# Generating Java SSL certs
-sudo mkdir -p /home/${k8s_os_user}/keys
-sudo keytool -genkeypair -alias dlab -keyalg RSA -validity 730 -storepass ${ssn_keystore_password} \
- -keypass ${ssn_keystore_password} -keystore /home/${k8s_os_user}/keys/ssn.keystore.jks \
- -keysize 2048 -dname "CN=dlab-kubernetes-cluster" -ext SAN=dns:localhost
-sudo keytool -exportcert -alias dlab -storepass ${ssn_keystore_password} -file /home/${k8s_os_user}/keys/ssn.crt \
- -keystore /home/${k8s_os_user}/keys/ssn.keystore.jks
-
-aws s3 cp /home/${k8s_os_user}/keys/ssn.keystore.jks s3://${k8s-bucket-name}/dlab/certs/ssn/ssn.keystore.jks
-aws s3 cp /home/${k8s_os_user}/keys/ssn.crt s3://${k8s-bucket-name}/dlab/certs/ssn/ssn.crt
-
-sudo keytool -genkeypair -alias dlab -keyalg RSA -validity 730 -storepass ${endpoint_keystore_password} \
- -keypass ${endpoint_keystore_password} -keystore /home/${k8s_os_user}/keys/endpoint.keystore.jks \
- -keysize 2048 -dname "CN=${endpoint_elastic_ip}" -ext SAN=dns:localhost,dns:${endpoint_elastic_ip}
-sudo keytool -exportcert -alias dlab -storepass ${endpoint_keystore_password} -file /home/${k8s_os_user}/keys/endpoint.crt \
- -keystore /home/${k8s_os_user}/keys/endpoint.keystore.jks
+# sudo mkdir -p /home/${k8s_os_user}/keys
+#sudo keytool -genkeypair -alias dlab -keyalg RSA -validity 730 -storepass ${ssn_keystore_password} \
+# -keypass ${ssn_keystore_password} -keystore /home/${k8s_os_user}/keys/ssn.keystore.jks \
+# -keysize 2048 -dname "CN=dlab-kubernetes-cluster" -ext SAN=dns:localhost
+#sudo keytool -exportcert -alias dlab -storepass ${ssn_keystore_password} -file /home/${k8s_os_user}/keys/ssn.crt \
+# -keystore /home/${k8s_os_user}/keys/ssn.keystore.jks
+#
+#aws s3 cp /home/${k8s_os_user}/keys/ssn.keystore.jks s3://${k8s-bucket-name}/dlab/certs/ssn/ssn.keystore.jks
+#aws s3 cp /home/${k8s_os_user}/keys/ssn.crt s3://${k8s-bucket-name}/dlab/certs/ssn/ssn.crt
-aws s3 cp /home/${k8s_os_user}/keys/endpoint.keystore.jks s3://${k8s-bucket-name}/dlab/certs/endpoint/endpoint.keystore.jks
-aws s3 cp /home/${k8s_os_user}/keys/endpoint.crt s3://${k8s-bucket-name}/dlab/certs/endpoint/endpoint.crt
+#sudo keytool -genkeypair -alias dlab -keyalg RSA -validity 730 -storepass ${endpoint_keystore_password} \
+# -keypass ${endpoint_keystore_password} -keystore /home/${k8s_os_user}/keys/endpoint.keystore.jks \
+# -keysize 2048 -dname "CN=${endpoint_elastic_ip}" -ext SAN=dns:localhost,dns:${endpoint_elastic_ip}
+#sudo keytool -exportcert -alias dlab -storepass ${endpoint_keystore_password} -file /home/${k8s_os_user}/keys/endpoint.crt \
+# -keystore /home/${k8s_os_user}/keys/endpoint.keystore.jks
+#
+#aws s3 cp /home/${k8s_os_user}/keys/endpoint.keystore.jks s3://${k8s-bucket-name}/dlab/certs/endpoint/endpoint.keystore.jks
+#aws s3 cp /home/${k8s_os_user}/keys/endpoint.crt s3://${k8s-bucket-name}/dlab/certs/endpoint/endpoint.crt
sleep 60
aws s3 cp /tmp/join_command s3://${k8s-bucket-name}/k8s/masters/join_command
aws s3 cp /tmp/cert_key s3://${k8s-bucket-name}/k8s/masters/cert_key
diff --git a/infrastructure-provisioning/terraform/aws/ssn-k8s/main/main.tf b/infrastructure-provisioning/terraform/aws/ssn-k8s/main/main.tf
index 47ec548..5ff9443 100644
--- a/infrastructure-provisioning/terraform/aws/ssn-k8s/main/main.tf
+++ b/infrastructure-provisioning/terraform/aws/ssn-k8s/main/main.tf
@@ -55,21 +55,21 @@ output "ssn_k8s_sg_id" {
value = aws_security_group.ssn_k8s_sg.id
}
-output "endpoint_eip_allocation_id" {
- value = aws_eip.k8s-endpoint-eip.id
-}
-
-output "endpoint_eip_address" {
- value = aws_eip.k8s-endpoint-eip.public_ip
-}
+//output "endpoint_eip_allocation_id" {
+// value = aws_eip.k8s-endpoint-eip.id
+//}
+//
+//output "endpoint_eip_address" {
+// value = aws_eip.k8s-endpoint-eip.public_ip
+//}
-output "ssn_keystore_password" {
- value = random_string.ssn_keystore_password.result
-}
+//output "ssn_keystore_password" {
+// value = random_string.ssn_keystore_password.result
+//}
-output "endpoint_keystore_password" {
- value = random_string.endpoint_keystore_password.result
-}
+//output "endpoint_keystore_password" {
+// value = random_string.endpoint_keystore_password.result
+//}
output "region" {
value = var.region
diff --git a/infrastructure-provisioning/terraform/aws/ssn-k8s/main/vpc.tf b/infrastructure-provisioning/terraform/aws/ssn-k8s/main/vpc.tf
index 6d597b3..56a1956 100644
--- a/infrastructure-provisioning/terraform/aws/ssn-k8s/main/vpc.tf
+++ b/infrastructure-provisioning/terraform/aws/ssn-k8s/main/vpc.tf
@@ -26,7 +26,7 @@ locals {
ssn_subnet_a_name = "${var.service_base_name}-ssn-subnet-az-a"
ssn_subnet_b_name = "${var.service_base_name}-ssn-subnet-az-b"
ssn_subnet_c_name = "${var.service_base_name}-ssn-subnet-az-c"
- endpoint_ip_name = "${var.service_base_name}-endpoint-eip"
+// endpoint_ip_name = "${var.service_base_name}-endpoint-eip"
endpoint_rt_name = "${var.service_base_name}-endpoint-rt"
endpoint_s3_name = "${var.service_base_name}-endpoint-s3"
}
@@ -132,16 +132,16 @@ data "aws_subnet" "k8s-subnet-c-data" {
id = aws_subnet.ssn_k8s_subnet_c.0.id
}
-resource "aws_eip" "k8s-endpoint-eip" {
- vpc = true
- tags = {
- Name = local.endpoint_ip_name
- "${local.additional_tag[0]}" = local.additional_tag[1]
- "${var.tag_resource_id}" = "${var.service_base_name}:${local.endpoint_ip_name}"
- "${var.service_base_name}-Tag" = local.endpoint_ip_name
- "kubernetes.io/cluster/${local.cluster_name}" = "owned"
- }
-}
+//resource "aws_eip" "k8s-endpoint-eip" {
+// vpc = true
+// tags = {
+// Name = local.endpoint_ip_name
+// "${local.additional_tag[0]}" = local.additional_tag[1]
+// "${var.tag_resource_id}" = "${var.service_base_name}:${local.endpoint_ip_name}"
+// "${var.service_base_name}-Tag" = local.endpoint_ip_name
+// "kubernetes.io/cluster/${local.cluster_name}" = "owned"
+// }
+//}
resource "aws_route_table" "ssn-k8s-users-route-table" {
vpc_id = data.aws_vpc.ssn_k8s_vpc_data.id
diff --git a/infrastructure-provisioning/terraform/bin/deploy/endpoint_fab.py b/infrastructure-provisioning/terraform/bin/deploy/endpoint_fab.py
index 5359851..fd74547 100644
--- a/infrastructure-provisioning/terraform/bin/deploy/endpoint_fab.py
+++ b/infrastructure-provisioning/terraform/bin/deploy/endpoint_fab.py
@@ -98,6 +98,35 @@ def ensure_jre_jdk_endpoint():
sys.exit(1)
+def ensure_step_certs():
+ try:
+ if not exists(conn, '/home/{}/.ensure_dir/step_ensured'.format(args.os_user)):
+ conn.sudo('wget https://github.com/smallstep/cli/releases/download/v0.13.3/step-cli_0.13.3_amd64.deb '
+ '-O /tmp/step-cli_0.13.3_amd64.deb')
+ conn.sudo('dpkg -i /tmp/step-cli_0.13.3_amd64.deb')
+ conn.sudo('echo "{0}" | base64 --decode > /home/{1}/keys/root_ca.crt'.format(args.step_root_ca,
+ args.os_user))
+ fingerptint = conn.sudo('step certificate fingerprint /home/{0}/keys/root_ca.crt'.format(
+ args.os_user)).stdout
+ conn.sudo('step ca bootstrap --fingerprint {0} --ca-url "{1}"'.format(fingerptint, args.step_ca_url))
+ conn.sudo('echo "{0}" > /home/{1}/keys/provisioner_password'.format(args.step_kid_password, args.os_user))
+ try:
+ ip_address = conn.sudo('curl -s http://169.254.169.254/latest/meta-data/public-ipv4').stdout
+ except:
+ ip_address = conn.sudo('curl -s http://169.254.169.254/latest/meta-data/local-ipv4').stdout
+ token = conn.sudo('step ca token {3} --kid {0} --ca-url "{1}" --root /home/{2}/keys/root_ca.crt '
+ '--password-file /home/{2}/keys/provisioner_password'.format(
+ args.step_kid, args.step_ca_url, args.os_user, ip_address)).stdout
+ conn.sudo('step ca certificate "{0}" /home/{2}/keys/endpoint.crt /home/{2}/keys/endpoint.key '
+ '--token "{1}"'.format(ip_address, token, args.os_user))
+ conn.sudo('touch /home/{}/.ensure_dir/step_ensured'
+ .format(args.os_user))
+ except Exception as err:
+ logging.error('Failed to install Java JDK: ', str(err))
+ traceback.print_exc()
+ sys.exit(1)
+
+
def ensure_supervisor_endpoint():
try:
if not exists(conn, '/home/{}/.ensure_dir/superv_ensured'.format(args.os_user)):
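Review bot: in ensure_step_certs the public-IP fallback cannot trigger: `curl -s` exits 0 on an HTTP 404 from the metadata service, so on an instance with no public address `ip_address` receives the error body instead of raising and the bare `except:` is never entered — use `ip_address = conn.sudo('curl -sf http://169.254.169.254/latest/meta-data/public-ipv4').stdout.strip()` (and `-sf` on the local-ipv4 call) and catch the wrapper's exit exception rather than everything. The captured `.stdout` of the fingerprint, ip_address and token commands is interpolated into later commands without `.strip()`, so a trailing newline likely lands inside the `--fingerprint` and `--token` arguments unless the wrapper strips it; `fingerprint = conn.sudo(...).stdout.strip()` also fixes the `fingerptint` typo. The error branch logs a copy-pasted message and passes `str(err)` as a positional logging argument with no `%s` placeholder, which in CPython's logging drops the record with a "Logging error" traceback; write `logging.error('Failed to install step certificates: %s', err)`. The step-cli .deb is downloaded and installed as root with no integrity check, and the provisioner password is written through a shell `echo` where it is visible to process listing — verifying a pinned SHA-256 before `dpkg -i` and transferring the password file with restricted permissions would close both gaps.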
@@ -172,18 +201,29 @@ def create_key_dir_endpoint():
def configure_keystore_endpoint(os_user):
try:
if args.cloud_provider == "aws":
- conn.sudo('apt-get install -y awscli')
- if not exists(conn, '/home/' + args.os_user + '/keys/endpoint.keystore.jks'):
- conn.sudo('aws s3 cp s3://{0}/dlab/certs/endpoint/endpoint.keystore.jks '
- '/home/{1}/keys/endpoint.keystore.jks'
- .format(args.ssn_bucket_name, args.os_user))
- if not exists(conn, '/home/' + args.os_user + '/keys/dlab.crt'):
- conn.sudo('aws s3 cp s3://{0}/dlab/certs/endpoint/endpoint.crt'
- ' /home/{1}/keys/endpoint.crt'.format(args.ssn_bucket_name, args.os_user))
- if not exists(conn, '/home/' + args.os_user + '/keys/ssn.crt'):
- conn.sudo('aws s3 cp '
- 's3://{0}/dlab/certs/ssn/ssn.crt /home/{1}/keys/ssn.crt'
- .format(args.ssn_bucket_name, args.os_user))
+ conn.sudo('openssl pkcs12 -export -in /home/{0}/keys/endpoint.crt -inkey '
+ '/home/{0}/keys/endpoint.key -out /home/{0}/keys/endpoint.p12 -password pass:changeit'.format(
+ args.os_user))
+ conn.sudo('keytool -importkeystore -srckeystore /home/{0}/keys/endpoint.p12 -srcstoretype PKCS12 '
+ '-destkeystore /home/{0}/keys/endpoint.keystore.jks -deststoretype JKS -storepass "{1}" '
+ '-srcstorepass changeit -keypass "{1}"'.format(args.os_user, endpoint_keystore_password))
+ conn.sudo('keytool -importcert -trustcacerts -alias dlab -file /home/{0}/keys/endpoint.crt -noprompt '
+ '-storepass changeit -keystore {1}/lib/security/cacerts'.format(os_user, java_home))
+ conn.sudo('keytool -importcert -trustcacerts -file /home/{0}/keys/root_ca.crt -noprompt '
+ '-storepass changeit -keystore {1}/lib/security/cacerts'.format(os_user, java_home))
+ conn.sudo('touch /home/{0}/.ensure_dir/cert_imported'.format(args.os_user))
+ # conn.sudo('apt-get install -y awscli')
+ # if not exists(conn, '/home/' + args.os_user + '/keys/endpoint.keystore.jks'):
+ # conn.sudo('aws s3 cp s3://{0}/dlab/certs/endpoint/endpoint.keystore.jks '
+ # '/home/{1}/keys/endpoint.keystore.jks'
+ # .format(args.ssn_bucket_name, args.os_user))
+ # if not exists(conn, '/home/' + args.os_user + '/keys/dlab.crt'):
+ # conn.sudo('aws s3 cp s3://{0}/dlab/certs/endpoint/endpoint.crt'
+ # ' /home/{1}/keys/endpoint.crt'.format(args.ssn_bucket_name, args.os_user))
+ # if not exists(conn, '/home/' + args.os_user + '/keys/ssn.crt'):
+ # conn.sudo('aws s3 cp '
+ # 's3://{0}/dlab/certs/ssn/ssn.crt /home/{1}/keys/ssn.crt'
+ # .format(args.ssn_bucket_name, args.os_user))
elif args.cloud_provider == "gcp":
if not exists(conn, '/home/' + args.os_user + '/keys/endpoint.keystore.jks'):
conn.sudo('gsutil -m cp -r gs://{0}/dlab/certs/endpoint/endpoint.keystore.jks '
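Review bot: configure_keystore_endpoint leaves `/home/<os_user>/keys/endpoint.p12`, which holds the private key under the fixed password `changeit`, on disk after the JKS import; remove it once `keytool -importkeystore` succeeds, `conn.sudo('rm -f /home/{0}/keys/endpoint.p12'.format(args.os_user))`, and restrict the mode of `endpoint.key`. Importing the leaf `endpoint.crt` into `cacerts` under alias `dlab` is redundant once `root_ca.crt` is trusted, and the root import without `-alias` takes keytool's default alias, so a second run of this function would fail on the existing-alias check unless an idempotency guard exists outside the hunk. `endpoint_keystore_password` (also used in configure_supervisor_endpoint further down) is a module global that the last hunk assigns only under `if __name__ == "__main__"`, so importing the module and calling these functions raises NameError; generating it inside start_deploy or passing it as a parameter would remove that coupling. The function's body continues past the hunk.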
@@ -245,7 +285,7 @@ def configure_supervisor_endpoint():
conn.sudo('sed -i "s|KEYNAME|{}|g" {}provisioning.yml'
.format(args.key_name, dlab_conf_dir))
conn.sudo('sed -i "s|KEYSTORE_PASSWORD|{}|g" {}provisioning.yml'
- .format(args.endpoint_keystore_password, dlab_conf_dir))
+ .format(endpoint_keystore_password, dlab_conf_dir))
conn.sudo('sed -i "s|JRE_HOME|{}|g" {}provisioning.yml'
.format(java_home, dlab_conf_dir))
conn.sudo('sed -i "s|CLOUD_PROVIDER|{}|g" {}provisioning.yml'
@@ -534,7 +574,7 @@ def init_args():
parser.add_argument('--docker_version', type=str,
default='18.06.3~ce~3-0~ubuntu')
parser.add_argument('--ssn_bucket_name', type=str, default='')
- parser.add_argument('--endpoint_keystore_password', type=str, default='')
+ # parser.add_argument('--endpoint_keystore_password', type=str, default='')
parser.add_argument('--keycloak_client_id', type=str, default='')
parser.add_argument('--keycloak_client_secret', type=str, default='')
parser.add_argument('--branch_name', type=str, default='DLAB-terraform') # change default
@@ -563,6 +603,10 @@ def init_args():
parser.add_argument('--ldap_users_group', type=str, default='')
parser.add_argument('--ldap_user', type=str, default='')
parser.add_argument('--ldap_bind_creds', type=str, default='')
+ parser.add_argument('--step_root_ca', type=str, default='')
+ parser.add_argument('--step_kid', type=str, default='')
+ parser.add_argument('--step_kid_password', type=str, default='')
+ parser.add_argument('--step_ca_url', type=str, default='')
# TEMPORARY
parser.add_argument('--ssn_k8s_nlb_dns_name', type=str, default='')
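Review bot: `--step_kid_password` takes the CA provisioner password on the command line, where it is visible in process listings and shell history on the deploy host; the existing `--keycloak_client_secret` and `--ldap_bind_creds` arguments in this parser have the same exposure. Accepting the value from an environment variable or a file path instead, e.g. `default=os.environ.get('STEP_KID_PASSWORD', '')`, keeps it out of argv, assuming `os` is imported in this module. init_args continues outside the hunk.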
@@ -639,6 +683,12 @@ def start_deploy():
set_java_home()
+ logging.info("Creating key directory")
+ create_key_dir_endpoint()
+
+ logging.info("Installing Step Certificates")
+ ensure_step_certs()
+
logging.info("Installing Supervisor")
ensure_supervisor_endpoint()
@@ -648,9 +698,6 @@ def start_deploy():
logging.info("Configuring Supervisor")
configure_supervisor_endpoint()
- logging.info("Creating key directory")
- create_key_dir_endpoint()
-
logging.info("Copying admin key")
copy_keys()
@@ -677,4 +724,5 @@ def start_deploy():
if __name__ == "__main__":
+ endpoint_keystore_password = id_generator()
start_deploy()
diff --git a/infrastructure-provisioning/terraform/bin/dlab.py b/infrastructure-provisioning/terraform/bin/dlab.py
index 3b07849..9606c8f 100644
--- a/infrastructure-provisioning/terraform/bin/dlab.py
+++ b/infrastructure-provisioning/terraform/bin/dlab.py
@@ -604,14 +604,14 @@ class AWSK8sSourceBuilder(AbstractDeployBuilder):
group='k8s')
.add_str('--zone', 'Name of AWS zone', default='a',
group=('k8s'))
- .add_str('--ssn_keystore_password', 'ssn_keystore_password',
- group='helm_charts')
- .add_str('--endpoint_keystore_password', 'endpoint_keystore_password',
- group='helm_charts')
+ # .add_str('--ssn_keystore_password', 'ssn_keystore_password',
+ # group='helm_charts')
+ # .add_str('--endpoint_keystore_password', 'endpoint_keystore_password',
+ # group='helm_charts')
.add_str('--ssn_bucket_name', 'ssn_bucket_name',
group='helm_charts')
- .add_str('--endpoint_eip_address', 'endpoint_eip_address',
- group='helm_charts')
+ # .add_str('--endpoint_eip_address', 'endpoint_eip_address',
+ # group='helm_charts')
.add_str('--ldap_host', 'ldap host', required=True,
group='helm_charts')
.add_str('--ldap_dn', 'ldap dn', required=True,
@@ -778,9 +778,9 @@ class AWSK8sSourceBuilder(AbstractDeployBuilder):
self.fill_args_from_dict(json.loads(output))
def output_terraform_result(self):
- dns_name = json.loads(
- TerraformProvider(self.no_color).output(self.tf_params,
- '-json nginx_load_balancer_hostname'))
+ # dns_name = json.loads(
+ # TerraformProvider(self.no_color).output(self.tf_params,
+ # '-json nginx_load_balancer_hostname'))
ssn_bucket_name = json.loads(
TerraformProvider(self.no_color).output(self.tf_params,
'-json ssn_bucket_name'))
@@ -797,14 +797,12 @@ class AWSK8sSourceBuilder(AbstractDeployBuilder):
logging.info("""
DLab SSN K8S cluster has been deployed successfully!
Summary:
- DNS name: {}
Bucket name: {}
VPC ID: {}
Subnet ID: {}
SG IDs: {}
- DLab UI URL: http://{}
- """.format(dns_name, ssn_bucket_name, ssn_vpc_id,
- ssn_subnet, ssn_k8s_sg_id, dns_name))
+ """.format(ssn_bucket_name, ssn_vpc_id,
+ ssn_subnet, ssn_k8s_sg_id))
def fill_args_from_dict(self, output):
for key, value in output.items():
@@ -931,9 +929,9 @@ class AWSEndpointBuilder(AbstractDeployBuilder):
default='t2.medium', group='endpoint')
.add_int('--endpoint_volume_size', 'Size of root volume in GB.',
default=30, group='endpoint')
- .add_str('--endpoint_eip_allocation_id',
- 'Elastic Ip created for Endpoint',
- group='endpoint')
+ # .add_str('--endpoint_eip_allocation_id',
+ # 'Elastic Ip created for Endpoint',
+ # group='endpoint')
.add_str('--product', 'Product name.', default='dlab',
group='endpoint')
.add_str('--additional_tag', 'Additional tag.',
diff --git a/services/self-service/Dockerfile_aws b/services/self-service/Dockerfile_aws
index 951fdd7..df4b523 100644
--- a/services/self-service/Dockerfile_aws
+++ b/services/self-service/Dockerfile_aws
@@ -28,6 +28,7 @@ RUN apk add --update \
python \
python-dev \
py-pip \
+ openssl \
build-base \
&& pip install awscli --upgrade \
&& apk --purge -v del py-pip \
diff --git a/services/self-service/entrypoint_aws.sh b/services/self-service/entrypoint_aws.sh
index a9bc3c1..923b730 100644
--- a/services/self-service/entrypoint_aws.sh
+++ b/services/self-service/entrypoint_aws.sh
@@ -2,16 +2,23 @@
/bin/mkdir -p /root/keys
-/usr/bin/aws s3 cp s3://${SSN_BUCKET_NAME}/dlab/certs/ssn/ssn.keystore.jks /root/keys/ssn.keystore.jks
-/usr/bin/aws s3 cp s3://${SSN_BUCKET_NAME}/dlab/certs/ssn/ssn.crt /root/keys/ssn.crt
-/usr/bin/aws s3 cp s3://${SSN_BUCKET_NAME}/dlab/certs/endpoint/endpoint.crt /root/keys/endpoint.crt
+#/usr/bin/aws s3 cp s3://${SSN_BUCKET_NAME}/dlab/certs/ssn/ssn.keystore.jks /root/keys/ssn.keystore.jks
+#/usr/bin/aws s3 cp s3://${SSN_BUCKET_NAME}/dlab/certs/ssn/ssn.crt /root/keys/ssn.crt
+#/usr/bin/aws s3 cp s3://${SSN_BUCKET_NAME}/dlab/certs/endpoint/endpoint.crt /root/keys/endpoint.crt
-/usr/bin/keytool -importcert -trustcacerts -alias dlab -file /root/keys/ssn.crt -noprompt -storepass changeit -keystore /usr/lib/jvm/java-1.8-openjdk/jre/lib/security/cacerts
-/usr/bin/keytool -importcert -trustcacerts -file /root/keys/endpoint.crt -noprompt -storepass changeit -keystore /usr/lib/jvm/java-1.8-openjdk/jre/lib/security/cacerts
+
+
+#/usr/bin/keytool -importcert -trustcacerts -alias dlab -file /root/keys/ssn.crt -noprompt -storepass changeit -keystore /usr/lib/jvm/java-1.8-openjdk/jre/lib/security/cacerts
+#/usr/bin/keytool -importcert -trustcacerts -file /root/keys/endpoint.crt -noprompt -storepass changeit -keystore /usr/lib/jvm/java-1.8-openjdk/jre/lib/security/cacerts
if [ -d "/root/step-certs" ]; then
- /usr/bin/keytool -importcert -trustcacerts -alias step-ca -file /root/step-certs/ca.crt -noprompt -storepass changeit -keystore /usr/lib/jvm/java-1.8-openjdk/jre/lib/security/cacerts
- /usr/bin/keytool -importcert -trustcacerts -alias step-crt -file /root/step-certs/tls.crt -noprompt -storepass changeit -keystore /usr/lib/jvm/java-1.8-openjdk/jre/lib/security/cacerts
+ /bin/mkdir -p /root/dlab-certs
+ cp -rf /root/step-certs/* /root/dlab-certs/
+ /usr/bin/keytool -importcert -trustcacerts -alias step-ca -file /root/dlab-certs/ca.crt -noprompt -storepass changeit -keystore /usr/lib/jvm/java-1.8-openjdk/jre/lib/security/cacerts
+ /usr/bin/keytool -importcert -trustcacerts -alias step-crt -file /root/dlab-certs/tls.crt -noprompt -storepass changeit -keystore /usr/lib/jvm/java-1.8-openjdk/jre/lib/security/cacerts
fi
+/usr/bin/openssl pkcs12 -export -in /root/dlab-certs/tls.crt -inkey /root/dlab-certs/tls.key -out dlab.p12 -password pass:changeit
+/usr/bin/keytool -importkeystore -srckeystore dlab.p12 -srcstoretype PKCS12 -destkeystore /root/keys/ssn.keystore.jks -deststoretype JKS -storepass "${SSN_KEYSTORE_PASSWORD}" -srcstorepass changeit -keypass "${SSN_KEYSTORE_PASSWORD}"
+
/usr/bin/java -Xmx1024M -jar -Duser.timezone=UTC -Dfile.encoding=UTF-8 -DDLAB_CONF_DIR=/root/ /root/self-service-2.1.jar server /root/self-service.yml
\ No newline at end of file
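Review bot: the `openssl pkcs12 -export` and `keytool -importkeystore` lines run outside the `if [ -d "/root/step-certs" ]` guard, so when that directory is absent both fail on the missing `/root/dlab-certs/tls.crt` and, with no `set -e` visible, the script still launches the service without `ssn.keystore.jks`; move both lines inside the `if` block or exit on their failure. `dlab.p12` is written to the current working directory with the private key under the fixed password `changeit` and is never removed — write it under `/root/keys` and `rm -f` it after the import. The `#`-commented `aws s3 cp` and `keytool` lines above are dead text that history already preserves and can be deleted.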