Documentation ¶
Index ¶
- Variables
- func Add(a int, b int) int
- func EtcdBackupScript(mgr *manager.Manager, node *kubekeyapiv1alpha1.HostCfg) (string, error)
- func GenerateEtcdBinary(mgr *manager.Manager, index int) (string, error)
- func GenerateEtcdEnv(node *kubekeyapiv1alpha1.HostCfg, index int, endpoints []string, state string) (string, error)
- func GenerateEtcdService(index int, etcdContainer bool) (string, error)
- func GenerateEtcdSslCfg(cfg *kubekeyapiv1alpha1.ClusterSpec) (string, error)
- func GenerateEtcdSslScript(mgr *manager.Manager) (string, error)
Variables ¶
var (
	// EtcdSslCfgTempl defines the template of openssl's configuration for etcd.
	//
	// Fields: .Dns and .Ips, each a list rendered into the [alt_names] section as
	// DNS.n / IP.n entries; Add (supplied through funcMap, declared elsewhere in
	// the package) turns the zero-based range index into the 1-based numbering
	// openssl expects.
	// The ssl_client section carries both clientAuth and serverAuth, and the
	// script in EtcdSslTempl signs member, admin and node certificates with that
	// same section, so every issued leaf is usable in both roles. v3_req reaches
	// the member CSRs via req_extensions (only those are created with -config);
	// v3_ca is not referenced by the script, whose CA is created without -config.
	EtcdSslCfgTempl = template.Must(template.New("etcdSslCfg").Funcs(funcMap).Parse(
		dedent.Dedent(`[req]
req_extensions = v3_req
distinguished_name = req_distinguished_name

[req_distinguished_name]

[ v3_req ]
basicConstraints = CA:FALSE
keyUsage = nonRepudiation, digitalSignature, keyEncipherment
subjectAltName = @alt_names

[ ssl_client ]
extendedKeyUsage = clientAuth, serverAuth
basicConstraints = CA:FALSE
subjectKeyIdentifier=hash
authorityKeyIdentifier=keyid,issuer
subjectAltName = @alt_names

[ v3_ca ]
basicConstraints = CA:TRUE
keyUsage = nonRepudiation, digitalSignature, keyEncipherment
subjectAltName = @alt_names
authorityKeyIdentifier=keyid:always,issuer

[alt_names]
{{- range $i, $v := .Dns }}
DNS.{{ Add $i 1 }} = {{ $v }}
{{- end }}
{{- range $i, $v := .Ips }}
IP.{{ Add $i 1 }} = {{ $v }}
{{- end }}
`)))

	// EtcdSslTempl defines the template of the script for generating etcd certs.
	//
	// Fields: .Masters and .Hosts, whitespace-separated host lists that are
	// substituted into single-quoted shell strings; each master gets a member
	// and an admin certificate, each host a node certificate. The script takes
	// -f <openssl config> (required) and -d <ssldir> (default /etc/ssl/etcd),
	// works inside a mktemp directory removed on EXIT, reuses an existing CA
	// when <ssldir>/ca-key.pem is present (and then leaves ca.pem/ca-key.pem
	// untouched), and signs CA and leaves for 36500 days.
	// NOTE(review): the *-key.pem files are created under the process umask and
	// moved into <ssldir> with no chmod here — confirm the caller restricts their
	// permissions afterwards.
	// NOTE(review): .Masters/.Hosts are inserted unescaped inside single quotes;
	// presumably plain hostnames/IPs from the cluster spec — verify they are
	// validated upstream.
	EtcdSslTempl = template.Must(template.New("etcdSsl").Parse(
		dedent.Dedent(`#!/bin/bash
# Author: Smana smainklh@gmail.com
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
#     http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.

set -o errexit
set -o pipefail

usage()
{
    cat << EOF
Create self signed certificates

Usage : $(basename $0) -f <config> [-d <ssldir>]
      -h | --help         : Show this message
      -f | --config       : Openssl configuration file
      -d | --ssldir       : Directory where the certificates will be installed

               ex :
               $(basename $0) -f openssl.conf -d /srv/ssl
EOF
}

# Options parsing
while (($#)); do
    case "$1" in
        -h | --help)   usage;   exit 0;;
        -f | --config) CONFIG=${2}; shift 2;;
        -d | --ssldir) SSLDIR="${2}"; shift 2;;
        *)
            usage
            echo "ERROR : Unknown option"
            exit 3
        ;;
    esac
done

if [ -z ${CONFIG} ]; then
    echo "ERROR: the openssl configuration file is missing. option -f"
    exit 1
fi
if [ -z ${SSLDIR} ]; then
    SSLDIR="/etc/ssl/etcd"
fi

tmpdir=$(mktemp -d /tmp/etcd_cacert.XXXXXX)
trap 'rm -rf "${tmpdir}"' EXIT
cd "${tmpdir}"

mkdir -p "${SSLDIR}"

# Root CA
if [ -e "$SSLDIR/ca-key.pem" ]; then
    # Reuse existing CA
    cp $SSLDIR/{ca.pem,ca-key.pem} .
else
    openssl genrsa -out ca-key.pem 2048 > /dev/null 2>&1
    openssl req -x509 -new -nodes -key ca-key.pem -days 36500 -out ca.pem -subj "/CN=etcd-ca" > /dev/null 2>&1
fi

MASTERS='{{ .Masters }}'
HOSTS='{{ .Hosts }}'

# ETCD member
if [ -n "$MASTERS" ]; then
    for host in $MASTERS; do
        cn="${host%%.*}"
        # Member key
        openssl genrsa -out member-${host}-key.pem 2048 > /dev/null 2>&1
        openssl req -new -key member-${host}-key.pem -out member-${host}.csr -subj "/CN=etcd-member-${cn}" -config ${CONFIG} > /dev/null 2>&1
        openssl x509 -req -in member-${host}.csr -CA ca.pem -CAkey ca-key.pem -CAcreateserial -out member-${host}.pem -days 36500 -extensions ssl_client -extfile ${CONFIG} > /dev/null 2>&1

        # Admin key
        openssl genrsa -out admin-${host}-key.pem 2048 > /dev/null 2>&1
        openssl req -new -key admin-${host}-key.pem -out admin-${host}.csr -subj "/CN=etcd-admin-${cn}" > /dev/null 2>&1
        openssl x509 -req -in admin-${host}.csr -CA ca.pem -CAkey ca-key.pem -CAcreateserial -out admin-${host}.pem -days 36500 -extensions ssl_client -extfile ${CONFIG} > /dev/null 2>&1
    done
fi

# Node keys
if [ -n "$HOSTS" ]; then
    for host in $HOSTS; do
        cn="${host%%.*}"
        openssl genrsa -out node-${host}-key.pem 2048 > /dev/null 2>&1
        openssl req -new -key node-${host}-key.pem -out node-${host}.csr -subj "/CN=etcd-node-${cn}" > /dev/null 2>&1
        openssl x509 -req -in node-${host}.csr -CA ca.pem -CAkey ca-key.pem -CAcreateserial -out node-${host}.pem -days 36500 -extensions ssl_client -extfile ${CONFIG} > /dev/null 2>&1
    done
fi

# Install certs
if [ -e "$SSLDIR/ca-key.pem" ]; then
    # No pass existing CA
    rm -f ca.pem ca-key.pem
fi
mv *.pem ${SSLDIR}/
`)))
)
var (
	// EtcdServiceTempl defines the template of etcd's service for systemd.
	//
	// Fields: .EtcdContainer (bool) selects the docker-wrapper unit, .Name is
	// the container name used by the ExecStartPre/ExecStop docker commands.
	// In container mode /etc/etcd.env is optional ("-" prefix) and the unit is
	// a plain service; in binary mode the env file is required, Type=notify is
	// used and LimitNOFILE is raised to 40000. Both variants run as root and
	// exec /usr/local/bin/etcd — in container mode that path is presumably the
	// wrapper rendered from EtcdTempl below.
	EtcdServiceTempl = template.Must(template.New("EtcdService").Parse(
		dedent.Dedent(`[Unit]
{{- if .EtcdContainer }}
Description=etcd docker wrapper
Wants=docker.socket
After=docker.service
{{- else }}
Description=etcd
After=network.target
{{- end }}

[Service]
User=root
{{- if .EtcdContainer }}
PermissionsStartOnly=true
EnvironmentFile=-/etc/etcd.env
ExecStart=/usr/local/bin/etcd
ExecStartPre=-/usr/bin/docker rm -f {{ .Name }}
ExecStop=/usr/bin/docker stop {{ .Name }}
RestartSec=15s
TimeoutStartSec=30s
{{- else }}
Type=notify
EnvironmentFile=/etc/etcd.env
ExecStart=/usr/local/bin/etcd
NotifyAccess=all
RestartSec=10s
LimitNOFILE=40000
{{- end }}
Restart=always

[Install]
WantedBy=multi-user.target
`)))

	// EtcdEnvTempl defines the template of etcd's env.
	//
	// Fields: .Tag, .Ip, .State, .Name, .peerAddresses, .UnsupportedArch, .Arch,
	// .Hostname. Client and peer listeners are TLS-only on {{ .Ip }} (client also
	// on 127.0.0.1) with mutual authentication required on both
	// (ETCD_CLIENT_CERT_AUTH / ETCD_PEER_CLIENT_CERT_AUTH); the member
	// certificate is /etc/ssl/etcd/ssl/member-<hostname>.pem and the etcdctl
	// client certificate is admin-<hostname>.pem, matching EtcdSslTempl's output.
	// ETCD_ENABLE_V2=true keeps the legacy v2 API on, which the v2
	// `etcdctl backup` in EtcdBackupScriptTmpl relies on.
	// NOTE(review): .peerAddresses is lower-case; text/template cannot read
	// unexported struct fields, so the data passed in must be a map (or this
	// key fails to render) — confirm against GenerateEtcdEnv.
	// NOTE(review): "True" vs "true" for the two *_CLIENT_CERT_AUTH values is
	// presumably harmless (Go bool flag parsing accepts both) but inconsistent.
	EtcdEnvTempl = template.Must(template.New("etcdEnv").Parse(
		dedent.Dedent(`# Environment file for etcd {{ .Tag }}
ETCD_DATA_DIR=/var/lib/etcd
ETCD_ADVERTISE_CLIENT_URLS=https://{{ .Ip }}:2379
ETCD_INITIAL_ADVERTISE_PEER_URLS=https://{{ .Ip }}:2380
ETCD_INITIAL_CLUSTER_STATE={{ .State }}
ETCD_METRICS=basic
ETCD_LISTEN_CLIENT_URLS=https://{{ .Ip }}:2379,https://127.0.0.1:2379
ETCD_ELECTION_TIMEOUT=5000
ETCD_HEARTBEAT_INTERVAL=250
ETCD_INITIAL_CLUSTER_TOKEN=k8s_etcd
ETCD_LISTEN_PEER_URLS=https://{{ .Ip }}:2380
ETCD_NAME={{ .Name }}
ETCD_PROXY=off
ETCD_ENABLE_V2=true
ETCD_INITIAL_CLUSTER={{ .peerAddresses }}
ETCD_AUTO_COMPACTION_RETENTION=8
ETCD_SNAPSHOT_COUNT=10000
{{- if .UnsupportedArch }}
ETCD_UNSUPPORTED_ARCH={{ .Arch }}
{{ end }}

# TLS settings
ETCD_TRUSTED_CA_FILE=/etc/ssl/etcd/ssl/ca.pem
ETCD_CERT_FILE=/etc/ssl/etcd/ssl/member-{{ .Hostname }}.pem
ETCD_KEY_FILE=/etc/ssl/etcd/ssl/member-{{ .Hostname }}-key.pem
ETCD_CLIENT_CERT_AUTH=true

ETCD_PEER_TRUSTED_CA_FILE=/etc/ssl/etcd/ssl/ca.pem
ETCD_PEER_CERT_FILE=/etc/ssl/etcd/ssl/member-{{ .Hostname }}.pem
ETCD_PEER_KEY_FILE=/etc/ssl/etcd/ssl/member-{{ .Hostname }}-key.pem
ETCD_PEER_CLIENT_CERT_AUTH=True

# CLI settings
ETCDCTL_ENDPOINTS=https://127.0.0.1:2379
ETCDCTL_CA_FILE=/etc/ssl/etcd/ssl/ca.pem
ETCDCTL_KEY_FILE=/etc/ssl/etcd/ssl/admin-{{ .Hostname }}-key.pem
ETCDCTL_CERT_FILE=/etc/ssl/etcd/ssl/admin-{{ .Hostname }}.pem
`)))

	// EtcdTempl defines the template of etcd's container binary.
	//
	// Fields: .Name (container name, must match EtcdServiceTempl's .Name for
	// the docker rm/stop commands to hit the same container) and .EtcdImage.
	// The wrapper runs the image on the host network with /etc/etcd.env as its
	// environment, mounts the host CA bundle and /etc/ssl/etcd/ssl read-only,
	// /var/lib/etcd read-write, caps memory at 512M and forwards its own
	// arguments to /usr/local/bin/etcd inside the container.
	EtcdTempl = template.Must(template.New("etcd").Parse(
		dedent.Dedent(`#!/bin/bash
/usr/bin/docker run \
  --restart=on-failure:5 \
  --env-file=/etc/etcd.env \
  --net=host \
  -v /etc/ssl/certs:/etc/ssl/certs:ro \
  -v /etc/ssl/etcd/ssl:/etc/ssl/etcd/ssl:ro \
  -v /var/lib/etcd:/var/lib/etcd:rw \
  --memory=512M \
  --blkio-weight=1000 \
  --name={{ .Name }} \
  {{ .EtcdImage }} \
  /usr/local/bin/etcd \
  "$@"
`)))
)
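// EtcdBackupScriptTmpl defines the template of etcd backup script.
//
// Fields (rendered verbatim into the shell script):
//
//	.Etcdendpoint        endpoint list passed to `etcdctl --endpoints`
//	.Backupdir           parent directory; each run writes etcd-<timestamp> under it
//	.KeepbackupNumber    how many entries of Backupdir to keep (oldest are removed)
//	.EtcdBackupPeriod    cron minute step (*/N); 0 together with a non-empty
//	                     EtcdBackupHour means "every hour step only"
//	.EtcdBackupScriptDir directory containing etcd-backup.sh for the cron line
//	.EtcdBackupHour      optional cron hour step; empty means minutes only
//	.Hostname            selects /etc/ssl/etcd/ssl/admin-<hostname>{,-key}.pem
//
// The script takes a v2 `etcdctl backup` of the data directory and a v3
// `snapshot save` over TLS, prunes old backups, then (re)installs a cron entry
// for itself. The crontab is staged in a mktemp-created file (random name,
// mode 0600) rather than a fixed path in world-writable /tmp, so a
// pre-existing file or symlink at a predictable name cannot influence what
// `crontab` installs for root; staging files are removed on EXIT. `crontab -l`
// exits non-zero when the user has no crontab yet, which under
// errexit+pipefail would abort before the entry is installed, so that pipeline
// tolerates an empty crontab.
// NOTE(review): old backups are removed via `ls -lt | awk | sh`; that is only
// safe while Backupdir holds nothing but the etcd-<timestamp> directories.
var EtcdBackupScriptTmpl = template.Must(template.New("etcdBackupScript").Parse(
	dedent.Dedent(`#!/bin/bash
set -o errexit
set -o nounset
set -o pipefail

ETCDCTL_PATH='/usr/local/bin/etcdctl'
ENDPOINTS='{{ .Etcdendpoint }}'
ETCD_DATA_DIR="/var/lib/etcd"
BACKUP_DIR="{{ .Backupdir }}/etcd-$(date +%Y-%m-%d-%H-%M-%S)"
KEEPBACKUPNUMBER='{{ .KeepbackupNumber }}'
ETCDBACKUPPERIOD='{{ .EtcdBackupPeriod }}'
ETCDBACKUPSCIPT='{{ .EtcdBackupScriptDir }}'
ETCDBACKUPHOUR='{{ .EtcdBackupHour }}'

ETCDCTL_CERT="/etc/ssl/etcd/ssl/admin-{{ .Hostname }}.pem"
ETCDCTL_KEY="/etc/ssl/etcd/ssl/admin-{{ .Hostname }}-key.pem"
ETCDCTL_CA_FILE="/etc/ssl/etcd/ssl/ca.pem"

[ ! -d $BACKUP_DIR ] && mkdir -p $BACKUP_DIR

export ETCDCTL_API=2;$ETCDCTL_PATH backup --data-dir $ETCD_DATA_DIR --backup-dir $BACKUP_DIR

sleep 3

{
export ETCDCTL_API=3;$ETCDCTL_PATH --endpoints="$ENDPOINTS" snapshot save $BACKUP_DIR/snapshot.db \
                                             --cacert="$ETCDCTL_CA_FILE" \
                                             --cert="$ETCDCTL_CERT" \
                                             --key="$ETCDCTL_KEY"
} > /dev/null

sleep 3

cd $BACKUP_DIR/../ && ls -lt |awk '{if(NR > '$KEEPBACKUPNUMBER'){print "rm -rf "$9}}'|sh

if [[ ! $ETCDBACKUPHOUR ]]; then
  time="*/$ETCDBACKUPPERIOD * * * *"
else
  if [[ 0 == $ETCDBACKUPPERIOD ]];then
    time="* */$ETCDBACKUPHOUR * * *"
  else
    time="*/$ETCDBACKUPPERIOD */$ETCDBACKUPHOUR * * *"
  fi
fi

crontmp=$(mktemp /tmp/etcd-crontab.XXXXXX)
trap 'rm -f "$crontmp" "$crontmp.dedup"' EXIT
crontab -l 2>/dev/null | grep -v '#' > "$crontmp" || true
echo "$time sh $ETCDBACKUPSCIPT/etcd-backup.sh" >> "$crontmp"
awk '!x[$0]++' "$crontmp" > "$crontmp.dedup"
crontab "$crontmp.dedup"
`)))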
EtcdBackupScriptTmpl defines the template of etcd backup script.
Functions ¶
func EtcdBackupScript ¶
EtcdBackupScript is used to generate etcd backup script content.
func GenerateEtcdBinary ¶
GenerateEtcdBinary is used to generate etcd's container binary content.
func GenerateEtcdEnv ¶
func GenerateEtcdEnv(node *kubekeyapiv1alpha1.HostCfg, index int, endpoints []string, state string) (string, error)
GenerateEtcdEnv is used to generate the etcd's env content.
func GenerateEtcdService ¶
GenerateEtcdService is used to generate the etcd's service content for systemd.
func GenerateEtcdSslCfg ¶
func GenerateEtcdSslCfg(cfg *kubekeyapiv1alpha1.ClusterSpec) (string, error)
GenerateEtcdSslCfg is used to generate openssl configuration content for etcd.