nicolas
/
openshift-4-installation
mirror of https://github.com/nmasse-itix/openshift-4-installation.git
1
0
Fork 0
Code Issues Projects Releases Wiki Activity
Browse Source

improve acme support

standalone
Nicolas Massé 5 years ago
parent
99be7df1f6
commit
514a3ba480
8 changed files with 75 additions and 22 deletions
Whitespace
Show all changes Ignore whitespace when comparing lines Ignore changes in amount of whitespace Ignore changes in whitespace at EOL
Unified View
Diff Options
Show Stats Download Patch File Download Diff File
  1. 14
      README.md
  2. 20
      acme.tf
  3. 19
      cluster
  4. 8
      main.tf
  5. 18
      post-install.tf
  6. 5
      provider.tf
  7. 1
      terraform.tfvars.sample
  8. 4
      variables.tf

14
README.md
View File

@ -36,11 +36,13 @@ make
make install make install
``` ```
Install lego. Install the acme terraform provider.
```sh ```sh
curl -Lo /tmp/lego.tgz https://github.com/go-acme/lego/releases/download/v4.3.1/lego_v4.3.1_linux_amd64.tar.gz git clone https://github.com/vancluever/terraform-provider-acme
sudo tar zxvf /tmp/lego.tgz -C /usr/local/bin lego cd terraform-provider-acme
mkdir -p ~/.terraform.d/plugins/vancluever/acme/2.3.0/linux_amd64/
GOBIN=$HOME/.terraform.d/plugins/vancluever/acme/2.3.0/linux_amd64/ make
``` ```
Create the template files from their samples. Create the template files from their samples.
@ -57,6 +59,12 @@ Install the required Ansible collections.
ansible-galaxy collection install -r ansible/requirements.yaml ansible-galaxy collection install -r ansible/requirements.yaml
``` ```
Initialize Terraform.
```sh
terraform init
```
### On the server ### On the server
Install libvirt. Install libvirt.

20
acme.tf
View File

@ -0,0 +1,20 @@
resource "tls_private_key" "account_key" {
algorithm = "RSA"
rsa_bits = 2048
}
resource "acme_registration" "cluster_reg" {
account_key_pem = tls_private_key.account_key.private_key_pem
email_address = var.acme_account_email
}
resource "acme_certificate" "cluster_cert" {
account_key_pem = acme_registration.cluster_reg.account_key_pem
common_name = "api.${local.network_domain}"
subject_alternative_names = ["*.apps.${local.network_domain}"]
key_type = "2048" // RSA 2048
dns_challenge {
provider = "gandiv5"
}
}

19
cluster
View File

@ -130,24 +130,21 @@ EOF
function post_install_le () { function post_install_le () {
local cluster_name="${1:-}" local cluster_name="${1:-}"
# Generated by terraform cert_dn="$(openssl x509 -noout -subject -in "$cluster_name/cluster.crt")"
source "$cluster_name/dns.env" cert_cn="${cert_dn#subject=CN = }"
# Get a certificate from Let's Encrypt
lego -m "nmasse@redhat.com" -d "$LE_API_HOSTNAME" -d "$LE_ROUTER_HOSTNAME" -a --dns gandiv5 run --no-bundle
# Deploy certificate to ingress # Deploy certificate to ingress
oc --insecure-skip-tls-verify --kubeconfig="$cluster_name/auth/kubeconfig" create secret tls router-certs-$(date "+%Y-%m-%d") --cert=.lego/certificates/$LE_API_HOSTNAME.crt --key=.lego/certificates/$LE_API_HOSTNAME.key -n openshift-ingress --dry-run -o yaml > "$cluster_name/router-certs.yaml" oc --insecure-skip-tls-verify --kubeconfig="$cluster_name/auth/kubeconfig" create secret tls router-certs-$(date "+%Y-%m-%d") --cert="$cluster_name/cluster.crt" --key="$cluster_name/cluster.key" -n openshift-ingress --dry-run -o yaml > "$cluster_name/router-certs.yaml"
oc --insecure-skip-tls-verify --kubeconfig="$cluster_name/auth/kubeconfig" apply -f "$cluster_name/router-certs.yaml" -n openshift-ingress oc --insecure-skip-tls-verify --kubeconfig="$cluster_name/auth/kubeconfig" apply -f "$cluster_name/router-certs.yaml" -n openshift-ingress
oc --insecure-skip-tls-verify --kubeconfig="$cluster_name/auth/kubeconfig" patch ingresscontroller default -n openshift-ingress-operator --type=merge --patch-file=/dev/fd/0 <<EOF oc --insecure-skip-tls-verify --kubeconfig="$cluster_name/auth/kubeconfig" patch ingresscontroller default -n openshift-ingress-operator --type=merge --patch-file=/dev/fd/0 <<EOF
{"spec": { "defaultCertificate": { "name": "router-certs-$(date "+%Y-%m-%d")" }}} {"spec": { "defaultCertificate": { "name": "router-certs-$(date "+%Y-%m-%d")" }}}
EOF EOF
# Deploy certificate to api # Deploy certificate to api
oc --insecure-skip-tls-verify --kubeconfig="$cluster_name/auth/kubeconfig" create secret tls api-certs-$(date "+%Y-%m-%d") --cert=.lego/certificates/$LE_API_HOSTNAME.crt --key=.lego/certificates/$LE_API_HOSTNAME.key -n openshift-config --dry-run -o yaml > "$cluster_name/api-certs.yaml" oc --insecure-skip-tls-verify --kubeconfig="$cluster_name/auth/kubeconfig" create secret tls api-certs-$(date "+%Y-%m-%d") --cert="$cluster_name/cluster.crt" --key="$cluster_name/cluster.key" -n openshift-config --dry-run -o yaml > "$cluster_name/api-certs.yaml"
oc --insecure-skip-tls-verify --kubeconfig="$cluster_name/auth/kubeconfig" apply -f "$cluster_name/api-certs.yaml" -n openshift-config oc --insecure-skip-tls-verify --kubeconfig="$cluster_name/auth/kubeconfig" apply -f "$cluster_name/api-certs.yaml" -n openshift-config
oc --insecure-skip-tls-verify --kubeconfig="$cluster_name/auth/kubeconfig" patch apiserver cluster --type=merge --patch-file=/dev/fd/0 <<EOF oc --insecure-skip-tls-verify --kubeconfig="$cluster_name/auth/kubeconfig" patch apiserver cluster --type=merge --patch-file=/dev/fd/0 <<EOF
{"spec":{"servingCerts":{"namedCertificates":[{"names":["$LE_API_HOSTNAME"],"servingCertificate":{"name": "api-certs-$(date "+%Y-%m-%d")"}}]}}} {"spec":{"servingCerts":{"namedCertificates":[{"names":["$cert_cn"],"servingCertificate":{"name": "api-certs-$(date "+%Y-%m-%d")"}}]}}}
EOF EOF
} }
@ -205,7 +202,11 @@ function shell () {
export DEFAULT_HOST_LIST="$PWD/$cluster_name" export DEFAULT_HOST_LIST="$PWD/$cluster_name"
# Terraform # Terraform
export TF_CLI_ARGS="-var-file=$cluster_name/terraform.tfvars -state=$cluster_name/terraform.tfstate" export TF_CLI_ARGS_plan="-var-file=$cluster_name/terraform.tfvars -state=$cluster_name/terraform.tfstate"
export TF_CLI_ARGS_apply="-var-file=$cluster_name/terraform.tfvars -state=$cluster_name/terraform.tfstate"
export TF_CLI_ARGS_destroy="-var-file=$cluster_name/terraform.tfvars -state=$cluster_name/terraform.tfstate"
export TF_CLI_ARGS_state_list="-state=$cluster_name/terraform.tfstate"
export TF_CLI_ARGS_state_rm="-state=$cluster_name/terraform.tfstate"
# OpenShift # OpenShift
export KUBECONFIG="$PWD/$cluster_name/auth/kubeconfig" export KUBECONFIG="$PWD/$cluster_name/auth/kubeconfig"

8
main.tf
View File

@ -21,6 +21,14 @@ terraform {
version = "2.0.0" version = "2.0.0"
source = "github/go-gandi/gandi" source = "github/go-gandi/gandi"
} }
acme = {
source = "vancluever/acme"
version = "2.3.0"
}
tls = {
source = "hashicorp/tls"
version = ">=3.1.0"
}
} }
} }

18
post-install.tf
View File

@ -10,14 +10,20 @@ resource "local_file" "nfs_provisioner" {
file_permission = "0644" file_permission = "0644"
} }
resource "local_file" "dns_config" {
content = templatefile("${path.module}/templates/dns.env", { api_server = "api.${local.network_domain}", router = "*.apps.${local.network_domain}", dns_zone = var.base_domain, cluster_name = var.cluster_name })
filename = "${var.cluster_name}/dns.env"
file_permission = "0644"
}
resource "local_file" "ansible_inventory" { resource "local_file" "ansible_inventory" {
content = templatefile("${path.module}/templates/inventory", { nodes = local.all_nodes, network_domain = local.network_domain, dns_server = cidrhost(var.network_ip_range, 1) }) content = templatefile("${path.module}/templates/inventory", { nodes = local.all_nodes, network_domain = local.network_domain, dns_server = cidrhost(var.network_ip_range, 1) })
filename = "${var.cluster_name}/inventory" filename = "${var.cluster_name}/inventory"
file_permission = "0644" file_permission = "0644"
} }
resource "local_file" "cluster_key" {
content = acme_certificate.cluster_cert.private_key_pem
filename = "${var.cluster_name}/cluster.key"
file_permission = "0600"
}
resource "local_file" "cluster_cert" {
content = "${acme_certificate.cluster_cert.certificate_pem}${acme_certificate.cluster_cert.issuer_pem}"
filename = "${var.cluster_name}/cluster.crt"
file_permission = "0644"
}

5
provider.tf
View File

@ -5,3 +5,8 @@ provider "gandi" {
# key = "<livedns apikey>" # key = "<livedns apikey>"
# sharing_id = "<sharing id>" # sharing_id = "<sharing id>"
} }
provider "acme" {
server_url = "https://acme-v02.api.letsencrypt.org/directory"
# server_url = "https://acme-staging-v02.api.letsencrypt.org/directory"
}

1
terraform.tfvars.sample
View File

@ -3,3 +3,4 @@ external_mac_address = "02:00:00:00:00:04"
public_cluster_ip = "1.2.3.4" public_cluster_ip = "1.2.3.4"
cluster_name = "__CLUSTER_NAME__" cluster_name = "__CLUSTER_NAME__"
bootstrap_nodes = 1 bootstrap_nodes = 1
acme_account_email = "your.username@redhat.com"

4
variables.tf
View File

@ -136,6 +136,10 @@ variable "bootstrap_memory_size" {
default = 16 * 1024 default = 16 * 1024
} }
variable "acme_account_email" {
type = string
}
locals { locals {
master_format = "${var.cluster_name}-master-%02d" master_format = "${var.cluster_name}-master-%02d"
worker_format = "${var.cluster_name}-worker-%02d" worker_format = "${var.cluster_name}-worker-%02d"

Write Preview
Loading…
Cancel
Save