From e4f147b1f27e0c91baf9ce3ae5fc20ef3fda5087 Mon Sep 17 00:00:00 2001
From: Dalton Hubble
Date: Sun, 27 Mar 2016 18:38:03 -0700
Subject: [PATCH] scripts: Simplify TLS scripts into k8s-certgen and generate kubeconfig

* Remove kubecfg-rkt and kubecfg-docker which used relative paths

---
 examples/README.md | 21 +++---------
 examples/groups/.gitkeep | 0
 examples/kubecfg-docker | 19 -----------
 examples/kubecfg-rkt | 19 -----------
 scripts/tls/gen-bm-k8s-secrets | 14 --------
 scripts/tls/gen-docker0-k8s-secrets | 14 --------
 scripts/tls/gen-rkt-k8s-secrets | 14 --------
 scripts/tls/k8s-certgen | 42 +++++++++++++++++++++++
 scripts/tls/kube-conf | 52 +++++++++++++++++++++++++++++
 9 files changed, 98 insertions(+), 97 deletions(-)
 delete mode 100644 examples/groups/.gitkeep
 delete mode 100644 examples/kubecfg-docker
 delete mode 100644 examples/kubecfg-rkt
 delete mode 100755 scripts/tls/gen-bm-k8s-secrets
 delete mode 100755 scripts/tls/gen-docker0-k8s-secrets
 delete mode 100755 scripts/tls/gen-rkt-k8s-secrets
 create mode 100755 scripts/tls/k8s-certgen
 create mode 100755 scripts/tls/kube-conf

diff --git a/examples/README.md b/examples/README.md
index 3a08ae65..e428c206 100644
--- a/examples/README.md
+++ b/examples/README.md
@@ -53,19 +53,9 @@ Generate a root CA and Kubernetes TLS assets for components (`admin`, `apiserver rm -rf assets/tls # for Kubernetes on CNI metal0, i.e. rkt - ./scripts/tls/gen-rkt-k8s-secrets + ./scripts/tls/k8s-certgen -d assets/tls -s 172.15.0.21 -m IP.1=10.3.0.1,IP.2=172.15.0.21 -w IP.1=172.15.0.22,IP.2=172.15.0.23 # for Kubernetes on docker0 - ./scripts/tls/gen-docker-k8s-secrets - -Alternately, you can add your own CA certificate, entity certificates, and entity private keys to `assets/tls`. - - * ca.pem - * apiserver.pem - * apiserver-key.pem - * worker.pem - * worker-key.pem - * admin.pem - * admin-key.pem + ./scripts/tls/k8s-certgen -d assets/tls -s 172.17.0.21 -m IP.1=10.3.0.1,IP.2=172.17.0.21 -w IP.1=172.17.0.22,IP.2=172.17.0.23 See the [Cluster TLS OpenSSL Generation](https://coreos.com/kubernetes/docs/latest/openssl.html) document or [Kubernetes Step by Step](https://coreos.com/kubernetes/docs/latest/getting-started.html) for more details. @@ -74,14 +64,11 @@ See the [Cluster TLS OpenSSL Generation](https://coreos.com/kubernetes/docs/late Install the `kubectl` CLI on your host. Use the provided kubeconfig's to access the Kubernetes cluster created on rkt `metal0` or `docker0`. cd /path/to/coreos-baremetal - # for kubernetes on CNI metal0, i.e. rkt - kubectl --kubeconfig=examples/kubecfg-rkt get nodes - # for kubernetes on docker0 - kubectl --kubeconfig=examples/kubecfg-docker get nodes + kubectl --kubeconfig=assets/tls/kubeconfig get nodes Get all pods. - kubectl --kubeconfig=examples/kubecfg-rkt get pods --all-namespaces + kubectl --kubeconfig=assets/tls/kubeconfig get pods --all-namespaces On my laptop, VMs download and network boot CoreOS in the first 45 seconds, the Kubernetes API becomes available after about 150 seconds, and add-on pods are scheduled by 180 seconds. On physical hosts and networks, OS and container image download times are a bit longer. 
diff --git a/examples/groups/.gitkeep b/examples/groups/.gitkeep
deleted file mode 100644
index e69de29b..00000000
diff --git a/examples/kubecfg-docker b/examples/kubecfg-docker
deleted file mode 100644
index fa866474..00000000
--- a/examples/kubecfg-docker
+++ /dev/null
@@ -1,19 +0,0 @@
-apiVersion: v1
-kind: Config
-clusters:
-- cluster:
- certificate-authority: ../assets/tls/ca.pem
- server: https://172.17.0.21:443
- name: k8s-docker
-contexts:
-- context:
- cluster: k8s-docker
- namespace: default
- user: k8s-docker
- name: k8s-docker
-current-context: k8s-docker
-users:
-- name: k8s-docker
- user:
- client-certificate: ../assets/tls/admin.pem
- client-key: ../assets/tls/admin-key.pem
\ No newline at end of file
diff --git a/examples/kubecfg-rkt b/examples/kubecfg-rkt
deleted file mode 100644
index 137eec7f..00000000
--- a/examples/kubecfg-rkt
+++ /dev/null
@@ -1,19 +0,0 @@
-apiVersion: v1
-kind: Config
-clusters:
-- cluster:
- certificate-authority: ../assets/tls/ca.pem
- server: https://172.15.0.21:443
- name: k8s-rkt
-contexts:
-- context:
- cluster: k8s-rkt
- namespace: default
- user: k8s-rkt
- name: k8s-rkt
-current-context: k8s-rkt
-users:
-- name: k8s-rkt
- user:
- client-certificate: ../assets/tls/admin.pem
- client-key: ../assets/tls/admin-key.pem
\ No newline at end of file
diff --git a/scripts/tls/gen-bm-k8s-secrets b/scripts/tls/gen-bm-k8s-secrets
deleted file mode 100755
index b5f5c9ed..00000000
--- a/scripts/tls/gen-bm-k8s-secrets
+++ /dev/null
@@ -1,14 +0,0 @@
-#!/bin/bash -e
-# USAGE: ./scripts/generate-kubernetes-secrets
-
-DEST=${1:-"assets/tls"}
-
-if [ ! -d "$DEST" ]; then
- echo "Creating directory $DEST"
- mkdir -p $DEST
-fi
-
-./scripts/tls/root-ca $DEST
-./scripts/tls/kubernetes-cert $DEST admin kube-admin
-./scripts/tls/kubernetes-cert $DEST apiserver kube-apiserver IP.1=10.3.0.1,IP.2=192.168.1.21
-./scripts/tls/kubernetes-cert $DEST worker kube-worker IP.1=192.168.1.22,IP.2=192.168.1.23
diff --git a/scripts/tls/gen-docker0-k8s-secrets b/scripts/tls/gen-docker0-k8s-secrets
deleted file mode 100755
index 5981b55a..00000000
--- a/scripts/tls/gen-docker0-k8s-secrets
+++ /dev/null
@@ -1,14 +0,0 @@
-#!/bin/bash -e
-# USAGE: ./scripts/generate-kubernetes-secrets
-
-DEST=${1:-"assets/tls"}
-
-if [ ! -d "$DEST" ]; then
- echo "Creating directory $DEST"
- mkdir -p $DEST
-fi
-
-./scripts/tls/root-ca $DEST
-./scripts/tls/kubernetes-cert $DEST admin kube-admin
-./scripts/tls/kubernetes-cert $DEST apiserver kube-apiserver IP.1=10.3.0.1,IP.2=172.17.0.21
-./scripts/tls/kubernetes-cert $DEST worker kube-worker IP.1=172.17.0.22,IP.2=172.17.0.23
diff --git a/scripts/tls/gen-rkt-k8s-secrets b/scripts/tls/gen-rkt-k8s-secrets
deleted file mode 100755
index 7648ae96..00000000
--- a/scripts/tls/gen-rkt-k8s-secrets
+++ /dev/null
@@ -1,14 +0,0 @@
-#!/bin/bash -e
-# USAGE: ./scripts/generate-kubernetes-secrets
-
-DEST=${1:-"assets/tls"}
-
-if [ ! -d "$DEST" ]; then
- echo "Creating directory $DEST"
- mkdir -p $DEST
-fi
-
-./scripts/tls/root-ca $DEST
-./scripts/tls/kubernetes-cert $DEST admin kube-admin
-./scripts/tls/kubernetes-cert $DEST apiserver kube-apiserver IP.1=10.3.0.1,IP.2=172.15.0.21
-./scripts/tls/kubernetes-cert $DEST worker kube-worker IP.1=172.15.0.22,IP.2=172.15.0.23
diff --git a/scripts/tls/k8s-certgen b/scripts/tls/k8s-certgen
new file mode 100755
index 00000000..0de8e2d9
--- /dev/null
+++ b/scripts/tls/k8s-certgen
@@ -0,0 +1,42 @@
+#!/bin/bash -e
+
+USAGE="Usage: $(basename $0)
+Options:
+ -d DEST Destination for generated files (default: ./assets/tls)
+ -s SERVER Reachable Server IP for kubeconfig (e.g. 172.15.0.21)
+ -m MASTERS Master Node Names/Addresses in SAN format (e.g. IP.1=10.3.0.1,IP.2=172.15.0.21).
+ -w WORKERS Worker Node Names/Addresses in SAN format (e.g. IP.1=172.15.0.22,IP.2=172.15.0.23)
+ -h Show help.
+"
+
+DEST="./assets/tls"
+SERVER="172.15.0.21"
+MASTERS="IP.1=10.3.0.1,IP.2=172.15.0.21"
+WORKERS="IP.1=172.15.0.22,IP.2=172.15.0.23"
+
+while getopts "d:s:m:w:vh" opt; do
+ case $opt in
+ d) DEST="$OPTARG" ;;
+ s) SERVER="$OPTARG" ;;
+ m) MASTERS="$OPTARG" ;;
+ w) WORKERS="$OPTARG" ;;
+ h) echo "$USAGE"; exit;;
+ *) exit 1;;
+ esac
+done
+
+if [ ! -d "$DEST" ]; then
+ echo "Creating directory $DEST"
+ mkdir -p $DEST
+fi
+
+# create root CA
+./scripts/tls/root-ca $DEST
+
+# create Kubernetes master and worker certificates
+./scripts/tls/kubernetes-cert $DEST admin kube-admin
+./scripts/tls/kubernetes-cert $DEST apiserver kube-apiserver $MASTERS
+./scripts/tls/kubernetes-cert $DEST worker kube-worker $WORKERS
+
+# create a kubeconfig
+./scripts/tls/kube-conf $DEST $SERVER
diff --git a/scripts/tls/kube-conf b/scripts/tls/kube-conf
new file mode 100755
index 00000000..1b8433a8
--- /dev/null
+++ b/scripts/tls/kube-conf
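Review bot: The optstring `d:s:m:w:vh` declares a `-v` flag that no case arm handles, so `-v` falls through to `*) exit 1;;` and aborts silently; either drop the `v` or add an arm, and make the default arm explain itself: `*) echo "$USAGE" >&2; exit 1;;`. Every value handed to the helper scripts is unquoted (`mkdir -p $DEST`, `./scripts/tls/root-ca $DEST`, `$MASTERS`, `$WORKERS`, `$SERVER`, `$(basename $0)`), so a destination path containing whitespace splits into several arguments — quote them, e.g. `./scripts/tls/kubernetes-cert "$DEST" apiserver kube-apiserver "$MASTERS"`. The `./scripts/tls/...` invocations are relative to the working directory, so the script only works from the repository root; a header comment saying so, or resolving the helpers via `$(dirname "$0")`, would avoid confusing failures. `#!/bin/bash -e` is lost when the file is run as `bash scripts/tls/k8s-certgen`; a `set -e` line after the shebang is more robust, which matters here because a failed `root-ca` step would otherwise be followed by certificate generation against a missing CA.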
@@ -0,0 +1,52 @@
+#!/bin/bash -e
+
+function usage {
+ echo "USAGE: $0 DEST MASTER_IP"
+ echo "example: $0 dest/path 192.168.1.21"
+}
+
+function base64_encode {
+ if [[ "$OSTYPE" == "darwin" ]]; then
+ base64 $1
+ else
+ base64 -w 0 $1
+ fi
+}
+
+if [ -z "$1" ] || [ -z "$2" ]; then
+ usage
+ exit 1
+fi
+
+DEST="$1"
+MASTER_IP="$2"
+ADMIN_CERT_BASE64=$(base64_encode $DEST/admin.pem)
+ADMIN_KEY_BASE64="$(base64_encode $DEST/admin-key.pem)"
+CA_CERT_BASE64="$(base64_encode $DEST/ca.pem)"
+
+if [ -f "$DEST/kubeconfig" ]; then
+ echo "$DEST/kubeconfig already exists"
+ exit 1
+fi
+
+cat << EOF > $DEST/kubeconfig
+apiVersion: v1
+kind: Config
+users:
+- name: bootcfg-user
+ user:
+ client-certificate-data: ${ADMIN_CERT_BASE64}
+ client-key-data: ${ADMIN_KEY_BASE64}
+clusters:
+- name: bootcfg-cluster
+ cluster:
+ certificate-authority-data: ${CA_CERT_BASE64}
+ server: https://${MASTER_IP}:443
+contexts:
+- context:
+ cluster: bootcfg-cluster
+ user: bootcfg-user
+ name: bootcfg-context
+current-context: bootcfg-context
+EOF
+echo "Wrote kubeconfig to $DEST/kubeconfig"
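Review bot: The heredoc at `cat << EOF > $DEST/kubeconfig` embeds the admin client private key (`client-key-data`) and creates the file under the caller's default umask, so the kubeconfig is typically world-readable; put `umask 077` before the redirect or follow it with `chmod 600 "$DEST/kubeconfig"` so the file is as protected as `admin-key.pem` is meant to be. The platform check `[[ "$OSTYPE" == "darwin" ]]` is an exact comparison, but bash on macOS sets OSTYPE to a versioned string such as `darwin21`, so the branch never matches and `base64 -w 0` is run on a base64 that does not accept `-w`; use a pattern match, `if [[ "$OSTYPE" == darwin* ]]; then`. The unquoted `$1` in both `base64` calls and the unquoted `$DEST` in the redirect and in the `base64_encode` arguments break on paths with whitespace; quote them. The `$DEST/kubeconfig already exists` check runs after the three key and certificate files have already been read and encoded — harmless, but moving it ahead of those reads makes the early exit clearer.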