Merge pull request #2105 from shahbazn/k8s-config-automation-script
Problem: bugs in k8s automation
This commit is contained in:
Ahmed Muawia Khan
GitHub
commit
b752b4cbf2
|
|
@ -28,10 +28,7 @@ spec:
|
|||
name: vars
|
||||
key: mongodb-backend-port
|
||||
- name: BIGCHAINDB_DATABASE_BACKEND
|
||||
valueFrom:
|
||||
configMapKeyRef:
|
||||
name: bdb-config
|
||||
key: bdb-db-backend
|
||||
value: "localmongodb"
|
||||
- name: BIGCHAINDB_DATABASE_NAME
|
||||
valueFrom:
|
||||
configMapKeyRef:
|
||||
|
|
@ -104,7 +101,7 @@ spec:
|
|||
key: bdb-user
|
||||
- name: BIGCHAINDB_START_TENDERMINT
|
||||
value: "0"
|
||||
- name: TENDERMINT_HOST
|
||||
- name: BIGCHAINDB_TENDERMINT_HOST
|
||||
valueFrom:
|
||||
configMapKeyRef:
|
||||
name: tendermint-config
|
||||
|
|
|
|||
|
|
@ -62,7 +62,7 @@ http {
|
|||
# Frontend server for the external clients; acts as HTTPS termination point.
|
||||
server {
|
||||
listen CLUSTER_FRONTEND_PORT ssl;
|
||||
server_name "CLUSTER_FQDN";
|
||||
server_name "NODE_FQDN";
|
||||
|
||||
ssl_certificate /etc/nginx/ssl/cert.pem;
|
||||
ssl_certificate_key /etc/nginx/ssl/cert.key;
|
||||
|
|
@ -115,7 +115,7 @@ http {
|
|||
}
|
||||
|
||||
# POST requests get forwarded to BDB.
|
||||
if ($request_method = POST ) {}
|
||||
if ($request_method = POST ) {
|
||||
proxy_pass http://$bdb_backend:BIGCHAINDB_API_PORT;
|
||||
}
|
||||
|
||||
|
|
@ -139,7 +139,7 @@ http {
|
|||
# when an HTTP request is sent instead of HTTPS.
|
||||
server {
|
||||
listen 80;
|
||||
server_name "CLUSTER_FQDN";
|
||||
server_name "NODE_FQDN";
|
||||
|
||||
location / {
|
||||
add_header Upgrade "TLS/1.2, HTTP/1.1" always;
|
||||
|
|
|
|||
|
|
@ -64,7 +64,7 @@ http {
|
|||
# Frontend server for the external clients; acts as HTTPS termination point.
|
||||
server {
|
||||
listen CLUSTER_FRONTEND_PORT ssl;
|
||||
server_name "CLUSTER_FQDN";
|
||||
server_name "NODE_FQDN";
|
||||
|
||||
ssl_certificate /etc/nginx/ssl/cert.pem;
|
||||
ssl_certificate_key /etc/nginx/ssl/cert.key;
|
||||
|
|
@ -141,7 +141,7 @@ http {
|
|||
# when an HTTP request is sent instead of HTTPS.
|
||||
server {
|
||||
listen 80;
|
||||
server_name "CLUSTER_FQDN";
|
||||
server_name "NODE_FQDN";
|
||||
|
||||
location / {
|
||||
add_header Upgrade "TLS/1.2, HTTP/1.1" always;
|
||||
|
|
|
|||
|
|
@ -5,8 +5,9 @@ set -euo pipefail
|
|||
threescale_auth_mode="threescale"
|
||||
secret_token_auth_mode="secret-token"
|
||||
|
||||
|
||||
# Cluster vars
|
||||
cluster_fqdn=`printenv CLUSTER_FQDN`
|
||||
node_fqdn=`printenv NODE_FQDN`
|
||||
cluster_frontend_port=`printenv CLUSTER_FRONTEND_PORT`
|
||||
|
||||
|
||||
|
|
@ -15,18 +16,14 @@ dns_server=`printenv DNS_SERVER`
|
|||
health_check_port=`printenv HEALTH_CHECK_PORT`
|
||||
authorization_mode=`printenv AUTHORIZATION_MODE`
|
||||
|
||||
|
||||
# MongoDB vars
|
||||
mongo_frontend_port=`printenv MONGODB_FRONTEND_PORT`
|
||||
mongo_backend_host=`printenv MONGODB_BACKEND_HOST`
|
||||
mongo_backend_port=`printenv MONGODB_BACKEND_PORT`
|
||||
|
||||
|
||||
# OpenResty vars
|
||||
openresty_backend_host=`printenv OPENRESTY_BACKEND_HOST`
|
||||
openresty_backend_port=`printenv OPENRESTY_BACKEND_PORT`
|
||||
|
||||
|
||||
# BigchainDB vars
|
||||
bdb_backend_host=`printenv BIGCHAINDB_BACKEND_HOST`
|
||||
bdb_api_port=`printenv BIGCHAINDB_API_PORT`
|
||||
|
|
@ -37,9 +34,9 @@ tm_pub_key_access_port=`printenv TM_PUB_KEY_ACCESS_PORT`
|
|||
tm_backend_host=`printenv TM_BACKEND_HOST`
|
||||
tm_p2p_port=`printenv TM_P2P_PORT`
|
||||
|
||||
|
||||
# sanity check
|
||||
if [[ -z "${cluster_frontend_port:?CLUSTER_FRONTEND_PORT not specified. Exiting!}" || \
|
||||
-z "${mongo_frontend_port:?MONGODB_FRONTEND_PORT not specified. Exiting!}" || \
|
||||
-z "${mongo_backend_host:?MONGODB_BACKEND_HOST not specified. Exiting!}" || \
|
||||
-z "${mongo_backend_port:?MONGODB_BACKEND_PORT not specified. Exiting!}" || \
|
||||
-z "${openresty_backend_port:?OPENRESTY_BACKEND_PORT not specified. Exiting!}" || \
|
||||
|
|
@ -49,19 +46,17 @@ if [[ -z "${cluster_frontend_port:?CLUSTER_FRONTEND_PORT not specified. Exiting!
|
|||
-z "${bdb_ws_port:?BIGCHAINDB_WS_PORT not specified. Exiting!}" || \
|
||||
-z "${dns_server:?DNS_SERVER not specified. Exiting!}" || \
|
||||
-z "${health_check_port:?HEALTH_CHECK_PORT not specified. Exiting!}" || \
|
||||
-z "${cluster_fqdn:?CLUSTER_FQDN not specified. Exiting!}" || \
|
||||
-z "${node_fqdn:?NODE_FQDN not specified. Exiting!}" || \
|
||||
-z "${tm_pub_key_access_port:?TM_PUB_KEY_ACCESS_PORT not specified. Exiting!}" || \
|
||||
-z "${tm_backend_host:?TM_BACKEND_HOST not specified. Exiting!}" || \
|
||||
-z "${tm_p2p_port:?TM_P2P_PORT not specified. Exiting!}" || \
|
||||
-z "${authorization_mode:-threescale_auth_mode}" ]]; then # Set the default authorization mode to threescale
|
||||
-z "${tm_p2p_port:?TM_P2P_PORT not specified. Exiting!}" ]]; then
|
||||
echo "Missing required environment variables. Exiting!"
|
||||
exit 1
|
||||
else
|
||||
echo CLUSTER_FQDN="$cluster_fqdn"
|
||||
echo NODE_FQDN="$node_fqdn"
|
||||
echo CLUSTER_FRONTEND_PORT="$cluster_frontend_port"
|
||||
echo DNS_SERVER="$dns_server"
|
||||
echo HEALTH_CHECK_PORT="$health_check_port"
|
||||
echo MONGODB_FRONTEND_PORT="$mongo_frontend_port"
|
||||
echo MONGODB_BACKEND_HOST="$mongo_backend_host"
|
||||
echo MONGODB_BACKEND_PORT="$mongo_backend_port"
|
||||
echo OPENRESTY_BACKEND_HOST="$openresty_backend_host"
|
||||
|
|
@ -77,7 +72,7 @@ fi
|
|||
if [[ ${authorization_mode} == ${secret_token_auth_mode} ]]; then
|
||||
NGINX_CONF_FILE=/etc/nginx/nginx.conf
|
||||
secret_access_token=`printenv SECRET_ACCESS_TOKEN`
|
||||
sed -i "s|SECRET_ACCESS_TOKEN|${secret_token_header}|g"
|
||||
sed -i "s|SECRET_ACCESS_TOKEN|${secret_access_token}|g" ${NGINX_CONF_FILE}
|
||||
elif [[ ${authorization_mode} == ${threescale_auth_mode} ]]; then
|
||||
NGINX_CONF_FILE=/etc/nginx/nginx-threescale.conf
|
||||
sed -i "s|OPENRESTY_BACKEND_PORT|${openresty_backend_port}|g" ${NGINX_CONF_FILE}
|
||||
|
|
@ -88,9 +83,8 @@ else
|
|||
fi
|
||||
|
||||
# configure the nginx.conf file with env variables
|
||||
sed -i "s|CLUSTER_FQDN|${cluster_fqdn}|g" ${NGINX_CONF_FILE}
|
||||
sed -i "s|NODE_FQDN|${node_fqdn}|g" ${NGINX_CONF_FILE}
|
||||
sed -i "s|CLUSTER_FRONTEND_PORT|${cluster_frontend_port}|g" ${NGINX_CONF_FILE}
|
||||
sed -i "s|MONGODB_FRONTEND_PORT|${mongo_frontend_port}|g" ${NGINX_CONF_FILE}
|
||||
sed -i "s|MONGODB_BACKEND_HOST|${mongo_backend_host}|g" ${NGINX_CONF_FILE}
|
||||
sed -i "s|MONGODB_BACKEND_PORT|${mongo_backend_port}|g" ${NGINX_CONF_FILE}
|
||||
sed -i "s|BIGCHAINDB_BACKEND_HOST|${bdb_backend_host}|g" ${NGINX_CONF_FILE}
|
||||
|
|
|
|||
|
|
@ -25,11 +25,11 @@ spec:
|
|||
configMapKeyRef:
|
||||
name: vars
|
||||
key: cluster-health-check-port
|
||||
- name: CLUSTER_FQDN
|
||||
- name: NODE_FQDN
|
||||
valueFrom:
|
||||
configMapKeyRef:
|
||||
name: vars
|
||||
key: cluster-fqdn
|
||||
key: node-fqdn
|
||||
- name: DNS_SERVER
|
||||
valueFrom:
|
||||
configMapKeyRef:
|
||||
|
|
|
|||
|
|
@ -38,7 +38,7 @@ function configure_member_cert_gen(){
|
|||
echo 'set_var EASYRSA_REQ_OU "MONGO-MEMBER"' >> $1/vars
|
||||
echo 'set_var EASYRSA_REQ_EMAIL "dev@bigchaindb.com"' >> $1/vars
|
||||
echo "set_var EASYRSA_SSL_CONF \"$1/openssl-1.0.cnf\"" >> $1/vars
|
||||
echo "set_var EASYRSA_PKI \"$1/pki\"" >> member-cert/easy-rsa-3.0.1/easyrsa3/vars
|
||||
echo "set_var EASYRSA_PKI \"$1/pki\"" >> $1/vars
|
||||
$1/easyrsa init-pki
|
||||
$1/easyrsa --req-cn="$MDB_CN"-"$INDEX" --subject-alt-name=DNS:localhost,DNS:"$MDB_CN"-"$INDEX" gen-req "$MDB_CN"-"$INDEX" nopass
|
||||
}
|
||||
|
|
@ -216,17 +216,17 @@ function generate_config_map(){
|
|||
|
||||
mdb_instance_name="$MDB_CN-$INDEX"
|
||||
bdb_instance_name="$BDB_CN-$INDEX"
|
||||
tm_instance_name="tm-instance-$INDEX"
|
||||
ngx_instance_name="mdb-instance-$INDEX"
|
||||
ngx_instance_name="ngx-instance-$INDEX"
|
||||
|
||||
bdb_user=`cat $1/"$BDB_CN"-"${INDEX}".user`
|
||||
mdb_admin_username=$2
|
||||
cluster_fqdn=$3
|
||||
node_fqdn=$3
|
||||
tm_seeds=$4
|
||||
tm_validators=$5
|
||||
tm_validators_power=$6
|
||||
tm_genesis_time=$7
|
||||
tm_chain_id=$8
|
||||
tm_instance_name=$9
|
||||
|
||||
cat > config-map.yaml << EOF
|
||||
apiVersion: v1
|
||||
|
|
@ -235,8 +235,8 @@ metadata:
|
|||
name: vars
|
||||
namespace: default
|
||||
data:
|
||||
# cluster-fqdn is the DNS name registered for your HTTPS certificate.
|
||||
cluster-fqdn: "${cluster_fqdn}"
|
||||
# node-fqdn is the DNS name registered for your HTTPS certificate.
|
||||
node-fqdn: "${node_fqdn}"
|
||||
|
||||
# cluster-frontend-port is the port number on which this node's services
|
||||
# are available to external clients.
|
||||
|
|
@ -316,8 +316,8 @@ data:
|
|||
# it will use the default cache size; i.e. max((50% RAM - 1GB), 256MB)
|
||||
storage-engine-cache-size: ""
|
||||
|
||||
# POST API authorization mode [threescale | secrete-token]
|
||||
authorization-mode: "threescale"
|
||||
# POST API authorization mode [threescale | secret-token]
|
||||
authorization-mode: "secret-token"
|
||||
|
||||
---
|
||||
apiVersion: v1
|
||||
|
|
@ -403,5 +403,6 @@ metadata:
|
|||
data:
|
||||
# User name for MongoDB adminuser
|
||||
mdb-admin-username: "${mdb_admin_username}"
|
||||
mdb-mon-user: ""
|
||||
EOF
|
||||
}
|
||||
|
|
|
|||
|
|
@ -4,25 +4,25 @@ set -euo pipefail
|
|||
source vars
|
||||
source functions
|
||||
|
||||
# base directories for operations
|
||||
BASE_DIR=$(pwd)
|
||||
# Default directory for certificates
|
||||
CERT_DIR="certificates"
|
||||
|
||||
# base variables with default values
|
||||
MDB_CN="mdb-instance"
|
||||
BDB_CN="bdb-instance"
|
||||
MDB_MON_CN="mdb-mon-instance"
|
||||
INDEX='0'
|
||||
CONFIGURE_CA='true'
|
||||
CONFIGURE_MEMBER='true'
|
||||
CONFIGURE_CLIENT='true'
|
||||
|
||||
function show_help(){
|
||||
cat > /dev/stdout << END
|
||||
${0} --index INDEX --mdb-name MONGODB_MEMBER_COMMON_NAME
|
||||
--bdb-name BIGCHAINDB_INSTANCE_COMMON_NAME
|
||||
--mdb-mon-name MONGODB_MONITORING_INSTNACE_COMMON_NAME [--help]
|
||||
OPTIONAL ARGS:
|
||||
--mdb-cn - Common name of MongoDB instance:- default ${MDB_CN}
|
||||
--bdb-cn - Common name of BigchainDB instance:- default ${BDB_CN}
|
||||
--mdb-mon-cn - Common name of MongoDB monitoring agent:- default ${MDB_MON_CN}
|
||||
--dir - Absolute path of base directory:- default ${BASE_DIR}
|
||||
${0} --cert-dir - Name of directory containing certificates:- default ${CERT_DIR}
|
||||
--help - show help
|
||||
EXAMPLES
|
||||
- "Generate Certificates for first node(index=1) in the cluster i.e. MongoDB instance: mdb-instance,"
|
||||
"BigchainDB instance: bdb-instance, MongoDB monitoring agent: mdb-mon-instance"
|
||||
./cert_gen.sh --index 1 --mdb-cn mdb-instance --bdb-cn bdb-instance \
|
||||
--mdb-mon-cn mdb-mon-instance
|
||||
- "Generate configs"
|
||||
./generate_configs.sh --cert-dir ${CERT_DIR}
|
||||
END
|
||||
}
|
||||
|
||||
|
|
@ -30,24 +30,8 @@ END
|
|||
while [[ $# -gt 0 ]]; do
|
||||
arg="$1"
|
||||
case $arg in
|
||||
--index)
|
||||
INDEX="$2"
|
||||
shift
|
||||
;;
|
||||
--mdb-cn)
|
||||
MDB_CN="$2"
|
||||
shift
|
||||
;;
|
||||
--bdb-cn)
|
||||
BDB_CN="$2"
|
||||
shift
|
||||
;;
|
||||
--mdb-mon-cn)
|
||||
MDB_MON_CN="$2"
|
||||
shift
|
||||
;;
|
||||
--dir)
|
||||
BASE_DIR="$2"
|
||||
--cert-dir)
|
||||
CERT_DIR="$2"
|
||||
shift
|
||||
;;
|
||||
--help)
|
||||
|
|
@ -62,6 +46,16 @@ while [[ $# -gt 0 ]]; do
|
|||
shift
|
||||
done
|
||||
|
||||
# sanity checks
|
||||
if [[ -z "${CERT_DIR}" ]] ; then
|
||||
echo "Missing required argument CERT_DIR"
|
||||
exit 1
|
||||
fi
|
||||
|
||||
# Create BASE_DIR
|
||||
BASE_DIR="$(pwd)/${CERT_DIR}"
|
||||
mkdir -p "${BASE_DIR}"
|
||||
|
||||
BASE_CA_DIR="${BASE_DIR}"/bdb-cluster-ca
|
||||
BASE_MEMBER_CERT_DIR="${BASE_DIR}"/member-cert
|
||||
BASE_CLIENT_CERT_DIR="${BASE_DIR}"/client-cert
|
||||
|
|
@ -69,12 +63,6 @@ BASE_EASY_RSA_PATH='easy-rsa-3.0.1/easyrsa3'
|
|||
BASE_K8S_DIR="${BASE_DIR}"/k8s
|
||||
BASE_USERS_DIR="$BASE_DIR"/users
|
||||
|
||||
# sanity checks
|
||||
if [[ -z "${INDEX}" ]] ; then
|
||||
echo "Missing required arguments"
|
||||
exit 1
|
||||
fi
|
||||
|
||||
# Configure Root CA
|
||||
mkdir $BASE_CA_DIR
|
||||
configure_common $BASE_CA_DIR
|
||||
|
|
@ -99,4 +87,4 @@ convert_b64 $BASE_K8S_DIR $BASE_CA_DIR/$BASE_EASY_RSA_PATH $BASE_CLIENT_CERT_DIR
|
|||
get_users $BASE_USERS_DIR $BASE_CA_DIR/$BASE_EASY_RSA_PATH
|
||||
generate_secretes_no_threescale $BASE_K8S_DIR $SECRET_TOKEN $HTTPS_CERT_KEY_FILE_NAME $HTTPS_CERT_CHAIN_FILE_NAME $MDB_ADMIN_PASSWORD
|
||||
|
||||
generate_config_map $BASE_USERS_DIR $MDB_ADMIN_USER $CLUSTER_FQDN $TM_SEEDS $TM_VALIDATORS $TM_VALIDATOR_POWERS $TM_GENESIS_TIME $TM_CHAIN_ID
|
||||
generate_config_map $BASE_USERS_DIR $MDB_ADMIN_USER $NODE_FQDN $TM_SEEDS $TM_VALIDATORS $TM_VALIDATOR_POWERS $TM_GENESIS_TIME $TM_CHAIN_ID $TM_INSTANCE_NAME
|
||||
|
|
|
|||
|
|
@ -1,23 +1,41 @@
|
|||
CLUSTER_FQDN="test.bigchaindb.com"
|
||||
SECRET_TOKEN="test"
|
||||
HTTPS_CERT_KEY_FILE_NAME="https_key"
|
||||
HTTPS_CERT_CHAIN_FILE_NAME="https_cert_chain"
|
||||
# DNS name of the bigchaindb node
|
||||
NODE_FQDN="test-node.bigchaindb.com"
|
||||
|
||||
# base variables with default values
|
||||
MDB_CN="mdb-instance"
|
||||
BDB_CN="bdb-instance"
|
||||
MDB_MON_CN="mdb-mon-instance"
|
||||
INDEX='1'
|
||||
CONFIGURE_CA=''
|
||||
CONFIGURE_MEMBER=''
|
||||
CONFIGURE_CLIENT=''
|
||||
MDB_ADMIN_PASSWORD=''
|
||||
MDB_ADMIN_USER=''
|
||||
# Secret token used for authorization of
|
||||
# POST requests to the bigchaindb node
|
||||
SECRET_TOKEN="test-secret"
|
||||
|
||||
# Absolute path for the SSL certificate key
|
||||
HTTPS_CERT_KEY_FILE_NAME="</path/to/https.key>"
|
||||
|
||||
# Tendermint data
|
||||
TM_SEEDS='123,4565'
|
||||
TM_VALIDATORS='11234,1234'
|
||||
TM_VALIDATOR_POWERS='1,1'
|
||||
TM_GENESIS_TIME='11324'
|
||||
TM_CHAIN_ID='test-id'
|
||||
# Absolute path for the SSL certificate chain
|
||||
HTTPS_CERT_CHAIN_FILE_NAME="</path/to/https.pem>"
|
||||
|
||||
# MongoDB Admin user credentials
|
||||
MDB_ADMIN_USER='adminUser'
|
||||
MDB_ADMIN_PASSWORD='superstrongpassword'
|
||||
|
||||
# Tendermint instance name of the bigchaindb
|
||||
# node. This name should be unique
|
||||
TM_INSTANCE_NAME='tm-instance-0'
|
||||
|
||||
# Comma sperated list of initial peers in the
|
||||
# network.
|
||||
TM_SEEDS='tm-instance-0,tm-instance-1,tm-instance-2'
|
||||
|
||||
# Comma separated list of validators in the
|
||||
# network
|
||||
TM_VALIDATORS='tm-instance-0,tm-instance-1,tm-instance-2'
|
||||
|
||||
# Comma separated list of voting
|
||||
# power of all validators. Make sure
|
||||
# order and number of powers corresponds
|
||||
# to TM_VALIDATORS
|
||||
TM_VALIDATOR_POWERS='10,10,10'
|
||||
|
||||
# Offical time of blockchain start
|
||||
TM_GENESIS_TIME='0001-01-01T00:00:00Z'
|
||||
|
||||
# Blockchain ID must be unique for
|
||||
# every blockchain
|
||||
TM_CHAIN_ID='test-chain-rwcPML'
|
||||
|
|
@ -2,7 +2,7 @@ apiVersion: v1
|
|||
kind: Service
|
||||
metadata:
|
||||
# Name of tendermint instance you are trying to connect to
|
||||
# e.g. tm-instance-0
|
||||
# name: "tm-instance-0"
|
||||
name: "<remote-tendermint-host>"
|
||||
namespace: default
|
||||
spec:
|
||||
|
|
@ -13,5 +13,8 @@ spec:
|
|||
name: p2p
|
||||
- port: 46657
|
||||
name: pubkey
|
||||
type: ExternalName
|
||||
# FQDN of remote cluster/NGINX instance
|
||||
#externalName: "nginx-instance-for-tm-instance-0.westeurope.cloudapp.azure.com"
|
||||
externalName: "<dns-name-remote-nginx>"
|
||||
|
||||
|
|
|
|||
|
|
@ -69,7 +69,7 @@ for i in "${!VALS_ARR[@]}"; do
|
|||
# wait until validator generates priv/pub key pair
|
||||
set +e
|
||||
echo Validator: "${VALS_ARR[$i]}"
|
||||
echo Validator Power: "${VALS_POWERS_ARR[$i]}"
|
||||
echo Validator Power: "${VAL_POWERS_ARR[$i]}"
|
||||
echo "http://${VALS_ARR[$i]}:$tm_pub_key_access_port/pub_key.json"
|
||||
curl -s --fail "http://${VALS_ARR[$i]}:$tm_pub_key_access_port/pub_key.json" > /dev/null
|
||||
ERR=$?
|
||||
|
|
|
|||
Loading…
Reference in New Issue