tools: move cluster-specific stuff to cluster/tools
Change-Id: I1813bb221d1bff0d6067eceb84d23510face60ff
diff --git a/cluster/tools/BUILD b/cluster/tools/BUILD
new file mode 100644
index 0000000..974463d
--- /dev/null
+++ b/cluster/tools/BUILD
@@ -0,0 +1,45 @@
+load("@bazel_tools//tools/build_defs/pkg:pkg.bzl", "pkg_tar", "pkg_deb")
+load("//bzl:rules.bzl", "copy_go_binary")
+
+copy_go_binary(
+ name = "kubectl",
+ src = "@io_k8s_kubernetes//cmd/kubectl:kubectl",
+ visibility = ["//visibility:public"],
+)
+
+copy_go_binary(
+ name = "kubecfg",
+ src = "@com_github_ksonnet_kubecfg//:kubecfg",
+ visibility = ["//visibility:public"],
+)
+
+copy_go_binary(
+ name = "calicoctl.bin",
+ src = "@com_github_projectcalico_calicoctl//calicoctl:calicoctl",
+ visibility = ["//visibility:public"],
+)
+
+sh_binary(
+ name = "calicoctl",
+ srcs = ["calicoctl.sh"],
+ data = [":calicoctl.bin", "//tools:secretstore"],
+)
+
+copy_go_binary(
+ name = "cfssl",
+ src = "@com_github_cloudflare_cfssl//cmd/cfssl:cfssl",
+ visibility = ["//visibility:public"],
+)
+
+copy_go_binary(
+ name = "nixops.bin",
+ src = "@nixops//:bin",
+ visibility = ["//visibility:public"],
+)
+
+sh_binary(
+ name = "nixops",
+ srcs = ["nixops.sh"],
+ data = [":nixops.bin", "//tools:secretstore"],
+)
+
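Review bot: The `calicoctl` and `nixops` sh_binary targets carry no `visibility`, while their `calicoctl.bin` and `nixops.bin` counterparts are `//visibility:public`, so other packages can reach the raw binaries but not the wrappers that set up the etcd and GCP credentials — which seems the reverse of what callers should depend on. Add `visibility = ["//visibility:public"]` to both sh_binary rules, or drop it from the `.bin` targets if those are meant to stay package-internal. Whether anything outside this package currently references either set of targets is not visible in this diff.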
diff --git a/cluster/tools/calicoctl.sh b/cluster/tools/calicoctl.sh
new file mode 100755
index 0000000..dc38998
--- /dev/null
+++ b/cluster/tools/calicoctl.sh
@@ -0,0 +1,23 @@
+#!/usr/bin/env bash
+
+# A wrapper around the real calicoctl to configure etcd access...
+
+if [ -z "$hscloud_root" ]; then
+ echo 2>&1 "Please source env.sh"
+ exit 1
+fi
+
+ETCD_ENDPOINTS="https://bc01n01.hswaw.net:2379,https://bc01n01.hswaw.net:2379,https://bc01n01.hswaw.net:2379"
+ETCD_KEY_FILE="$hscloud_root/cluster/secrets/plain/kube-calico.key"
+ETCD_CERT_FILE="$hscloud_root/cluster/certs/kube-calico.crt"
+ETCD_CA_CERT_FILE="$hscloud_root/cluster/certs/ca.crt"
+
+if [ ! -f "$ETCD_KEY_FILE" ] ; then
+ secretstore decrypt "$hscloud_root/cluster/secrets/cipher/kube-calico.key" > "$ETCD_KEY_FILE"
+fi
+
+export ETCD_ENDPOINTS
+export ETCD_KEY_FILE
+export ETCD_CERT_FILE
+export ETCD_CA_CERT_FILE
+calicoctl.bin "$@"
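Review bot: The `secretstore decrypt … > "$ETCD_KEY_FILE"` line can leave a truncated or empty key file behind: the redirection creates the file before `secretstore` runs, there is no `set -e`, so a failed decrypt still falls through to `calicoctl.bin`, and every later run then skips decryption because the `-f` test passes. Guard it with `secretstore decrypt "$hscloud_root/cluster/secrets/cipher/kube-calico.key" > "$ETCD_KEY_FILE" || { rm -f -- "$ETCD_KEY_FILE"; exit 1; }` and, since this is a private key written with the caller's umask, put `umask 077` before it; the `sa.json`/`sa.pem` loop in nixops.sh has the same pattern. The three entries in `ETCD_ENDPOINTS` are all `bc01n01.hswaw.net`, which reads like a copy-paste slip — if three distinct nodes were intended, the list currently gives no failover. Separately, `echo 2>&1 "Please source env.sh"` sends the message to stdout (it redirects stderr into stdout, not the other way); `echo >&2 "Please source env.sh"` is what was meant, and the same line appears in install.sh and nixops.sh.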
diff --git a/cluster/tools/install.sh b/cluster/tools/install.sh
new file mode 100755
index 0000000..d2084ae
--- /dev/null
+++ b/cluster/tools/install.sh
@@ -0,0 +1,19 @@
+#!/usr/bin/env bash
+
+set -e -o pipefail
+
+if [ -z "$hscloud_root" ]; then
+ echo 2>&1 "Please first source env.sh"
+ exit 1
+fi
+
+cd "${hscloud_root}"
+
+bazel build //cluster/tools/...
+
+if [ ! -e /nix ] ; then
+ echo "WARNING: No Nix installation detected. nix-dependent tools (nixops) will not be built or available."
+else
+ bazel build \
+ //cluster/tools:nixops
+fi
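Review bot: The Nix guard is ineffective: `bazel build //cluster/tools/...` a few lines above already matches every target in the package, including `:nixops` and `:nixops.bin`, so the `else` branch repeats work and the no-Nix branch still attempts the nixops targets on the first build (whether that fails without `/nix` depends on the `@nixops` repository rule, which is not visible here). Invert it: exclude the targets when Nix is absent, e.g. `bazel build -- //cluster/tools/... -//cluster/tools:nixops -//cluster/tools:nixops.bin`, and keep the plain wildcard build in the `else` branch. The `WARNING:` message also goes to stdout; `>&2` would keep it out of any captured output.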
diff --git a/cluster/tools/nixops.sh b/cluster/tools/nixops.sh
new file mode 100755
index 0000000..f3848d2
--- /dev/null
+++ b/cluster/tools/nixops.sh
@@ -0,0 +1,22 @@
+#!/usr/bin/env bash
+
+# A wrapper around real nixops to decrypt GCP secret.
+
+if [ -z "$hscloud_root" ]; then
+ echo 2>&1 "Please source env.sh"
+ exit 1
+fi
+
+for f in sa.json sa.pem; do
+ plain="$hscloud_root/gcp/secrets/plain/$f"
+ cipher="$hscloud_root/gcp/secrets/cipher/$f"
+ if [ ! -f "$plain" ]; then
+ secretstore decrypt "$cipher" > "$plain"
+ fi
+done
+
+export GCE_PROJECT="hscloud"
+export GCE_SERVICE_ACCOUNT="nixops@hscloud.iam.gserviceaccount.com"
+export ACCESS_KEYPATH="$hscloud_root/gcp/secrets/plain/sa.pem"
+
+nixops.bin "$@"
diff --git a/cluster/tools/rook-s3cmd-config b/cluster/tools/rook-s3cmd-config
new file mode 100755
index 0000000..6ee5a08
--- /dev/null
+++ b/cluster/tools/rook-s3cmd-config
@@ -0,0 +1,37 @@
+#!/bin/bash
+
+# Generates s3cmd config from rook.io CephObjectStoreUser secrets fetched from
+# Kubernetes apiserver. Accepts extra K8S_INTERNAL=1 environment variable flag
+# that generates config that connects to internal rgw service.
+#
+# Usage:
+# ./rook-s3cmd-config USERNAME STORENAME CLUSTERNAME > config
+# s3cmd -c config --region "STORENAME:default-placement" mb s3://test/
+
+set -e
+
+username="${1:-registry}"
+storename="${2:-waw-hdd-redundant-1-object}"
+clustername="${3:-ceph-waw1}"
+
+secret="$(kubectl get secrets rook-ceph-object-user-$storename-$username -n $clustername -o json)"
+accesskey="$(echo "$secret" | jq -r '.data.AccessKey' | base64 -d)"
+secretkey="$(echo "$secret" | jq -r '.data.SecretKey' | base64 -d)"
+
+if [[ ! -z "$K8S_INTERNAL" ]]; then
+ domain="rook-ceph-rgw-$storename.$clustername.svc.cluster.local"
+else
+ domain="object.$clustername.hswaw.net"
+fi
+
+cat <<EOF
+[default]
+access_key = $accesskey
+secret_key = $secretkey
+host_base = $domain
+host_bucket = $domain
+EOF
+
+if [[ ! -z "$K8S_INTERNAL" ]]; then
+ echo "use_https = False"
+fi
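Review bot: `$storename`, `$username` and `$clustername` are expanded unquoted inside the `kubectl get secrets` call, so a value containing whitespace or glob characters is split into extra arguments (ShellCheck SC2086); write `kubectl get secrets "rook-ceph-object-user-${storename}-${username}" -n "$clustername" -o json`. The two `jq -r '.data.…' | base64 -d` pipelines also silently produce garbage when a key is missing: `jq -r` prints `null`, which is valid base64, and without `pipefail` only `base64`'s status reaches `set -e`, so a config with bogus credentials is emitted without error. Use `jq -er` (non-zero exit on null/false) together with `set -eo pipefail`, e.g. `accesskey="$(jq -er '.data.AccessKey' <<<"$secret" | base64 -d)"`. Minor: `[[ ! -z "$K8S_INTERNAL" ]]` is the long form of `[[ -n "$K8S_INTERNAL" ]]`.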