Sergiusz Bazanski | de06180 | 2019-01-13 21:14:02 +0100 | [diff] [blame] | 1 | #!/usr/bin/env python |
| 2 | |
| 3 | from builtins import object |
| 4 | |
| 5 | import datetime |
| 6 | from io import BytesIO |
| 7 | import logging |
| 8 | import os |
| 9 | import tempfile |
| 10 | import subprocess |
| 11 | import sys |
| 12 | |
| 13 | from cryptography import x509 |
| 14 | from cryptography.hazmat.backends import default_backend |
| 15 | import fabric |
| 16 | |
| 17 | import secretstore |
| 18 | |
| 19 | |
| 20 | cluster = 'k0.hswaw.net' |
| 21 | remote_root = '/opt/hscloud' |
| 22 | local_root = os.getenv('hscloud_root') |
| 23 | |
| 24 | if local_root is None: |
| 25 | raise Exception("Please source env.sh") |
| 26 | |
| 27 | logger = logging.getLogger(__name__) |
| 28 | logger.setLevel(logging.DEBUG) |
| 29 | logger.addHandler(logging.StreamHandler()) |
| 30 | |
| 31 | |
| 32 | def decrypt(base): |
| 33 | src = os.path.join(local_root, 'cluster/secrets/cipher', base) |
| 34 | dst = os.path.join(local_root, 'cluster/secrets/plain', base) |
| 35 | secretstore.decrypt(src, dst) |
| 36 | |
| 37 | |
| 38 | class PKI(object): |
| 39 | def __init__(self): |
| 40 | self.cacert = os.path.join(local_root, 'cluster/certs/ca.crt') |
| 41 | self.cakey = os.path.join(local_root, 'cluster/secrets/plain/ca.key') |
| 42 | |
| 43 | if not os.path.exists(self.cakey): |
| 44 | decrypt('ca.key') |
| 45 | |
| 46 | def sign(self, csr, crt, conf, days=365): |
| 47 | logger.info('pki: signing {} for {} days'.format(csr, days)) |
| 48 | subprocess.check_call([ |
| 49 | 'openssl', 'x509', '-req', |
| 50 | '-in', csr, |
| 51 | '-CA', self.cacert, |
| 52 | '-CAkey', self.cakey, |
| 53 | '-out', crt, |
| 54 | '-extensions', 'SAN', '-extfile', conf, |
| 55 | '-days', str(days), |
| 56 | ]) |
| 57 | |
| 58 | |
| 59 | class Subject(object): |
| 60 | hswaw = "Stowarzyszenie Warszawski Hackerspace" |
| 61 | def __init__(self, o, ou, cn): |
| 62 | self.c = 'PL' |
| 63 | self.st = 'Mazowieckie' |
| 64 | self.l = 'Warszawa' |
| 65 | self.o = o |
| 66 | self.ou = ou |
| 67 | self.cn = cn |
| 68 | |
| 69 | @property |
| 70 | def parts(self): |
| 71 | return { |
| 72 | 'C': self.c, |
| 73 | 'ST': self.st, |
| 74 | 'L': self.l, |
| 75 | 'O': self.o, |
| 76 | 'OU': self.ou, |
| 77 | 'CN': self.cn, |
| 78 | } |
| 79 | |
| 80 | def __str__(self): |
| 81 | parts = self.parts |
| 82 | res = [] |
| 83 | for p in ['C', 'ST', 'L', 'O', 'OU', 'CN']: |
| 84 | res.append('/{}={}'.format(p, parts[p])) |
| 85 | return ''.join(res) |
| 86 | |
| 87 | def _file_exists(c, filename): |
| 88 | res = c.run('stat "{}"'.format(filename), warn=True, hide=True) |
| 89 | return res.exited == 0 |
| 90 | |
| 91 | def openssl_config(san): |
| 92 | with open(os.path.join(local_root, 'cluster/openssl.cnf'), 'rb') as f: |
| 93 | config = BytesIO(f.read()) |
| 94 | |
| 95 | config.seek(0, 2) |
| 96 | config.write(b'\n[SAN]\n') |
| 97 | for s in san: |
| 98 | config.write('subjectAltName=DNS:{}\n'.format(s).encode()) |
| 99 | |
| 100 | f = tempfile.NamedTemporaryFile(delete=False) |
| 101 | path = f.name |
| 102 | f.write(config.getvalue()) |
| 103 | f.close() |
| 104 | |
| 105 | return path |
| 106 | |
| 107 | def remote_cert(pki, c, fqdn, cert_name, subj, san=[], days=365): |
| 108 | logger.info("{}/{}: remote cert".format(fqdn, cert_name)) |
| 109 | |
| 110 | remote_key = os.path.join(remote_root, '{}.key'.format(cert_name)) |
| 111 | remote_cert = os.path.join(remote_root, '{}.crt'.format(cert_name)) |
| 112 | remote_csr = os.path.join(remote_root, '{}.csr'.format(cert_name)) |
| 113 | remote_config = os.path.join(remote_root, 'openssl.cnf') |
| 114 | |
| 115 | generate_cert = False |
| 116 | if not _file_exists(c, remote_key): |
| 117 | logger.info("{}/{}: generating key".format(fqdn, cert_name)) |
| 118 | c.run('openssl genrsa -out "{}" 4096'.format(remote_key), hide=True) |
| 119 | genereate_cert = True |
| 120 | |
| 121 | b = BytesIO() |
| 122 | try: |
| 123 | c.get(local=b, remote=remote_cert) |
| 124 | cert = x509.load_pem_x509_certificate(b.getvalue(), default_backend()) |
| 125 | delta = cert.not_valid_after - datetime.datetime.now() |
| 126 | logger.info("{}/{}: existing cert expiry: {}".format(fqdn, cert_name, delta)) |
| 127 | if delta.total_seconds() < 3600 * 24 * 60: |
| 128 | logger.info("{}/{}: expires soon, regenerating".format(fqdn, cert_name)) |
| 129 | generate_cert = True |
| 130 | except (FileNotFoundError, ValueError): |
| 131 | generate_cert = True |
| 132 | |
| 133 | if not generate_cert: |
| 134 | return False |
| 135 | |
| 136 | |
| 137 | local_config = openssl_config(san) |
| 138 | c.put(local=local_config, remote=remote_config) |
| 139 | |
| 140 | c.run(""" |
| 141 | nix-shell -p openssl --command "openssl req -new -key {remote_key} -out {remote_csr} -subj '{subj}' -config {remote_config} -reqexts SAN" |
| 142 | """.format(remote_key=remote_key, remote_csr=remote_csr, subj=str(subj), remote_config=remote_config)) |
| 143 | |
| 144 | local_csr_f = tempfile.NamedTemporaryFile(delete=False) |
| 145 | local_csr = local_csr_f.name |
| 146 | local_csr_f.close() |
| 147 | |
| 148 | local_cert = os.path.join(local_root, 'cluster/certs', '{}-{}.crt'.format(fqdn, cert_name)) |
| 149 | |
| 150 | c.get(local=local_csr, remote=remote_csr) |
| 151 | |
| 152 | pki.sign(local_csr, local_cert, local_config, days) |
| 153 | |
| 154 | c.put(local=local_cert, remote=remote_cert) |
| 155 | |
| 156 | os.remove(local_csr) |
| 157 | os.remove(local_config) |
| 158 | |
| 159 | return True |
| 160 | |
| 161 | |
| 162 | def shared_cert(pki, c, fqdn, cert_name, subj, san=[], days=365): |
| 163 | logger.info("{}/{}: shared cert".format(fqdn, cert_name)) |
| 164 | |
| 165 | local_key = os.path.join(local_root, 'cluster/secrets/plain', '{}.key'.format(cert_name)) |
| 166 | local_cert = os.path.join(local_root, 'cluster/certs', '{}.crt'.format(cert_name)) |
| 167 | remote_key = os.path.join(remote_root, '{}.key'.format(cert_name)) |
| 168 | remote_cert = os.path.join(remote_root, '{}.crt'.format(cert_name)) |
| 169 | |
| 170 | generate_cert = False |
| 171 | if not os.path.exists(local_key): |
| 172 | try: |
| 173 | decrypt('{}.key'.format(cert_name)) |
| 174 | except subprocess.CalledProcessError: |
| 175 | logger.info("{}/{}: generating key".format(fqdn, cert_name)) |
| 176 | subprocess.check_call([ |
| 177 | 'openssl', 'genrsa', '-out', local_key, '4096', |
| 178 | ]) |
| 179 | generate_cert = True |
| 180 | |
| 181 | if os.path.exists(local_cert): |
| 182 | with open(local_cert, 'rb') as f: |
| 183 | b = f.read() |
| 184 | cert = x509.load_pem_x509_certificate(b, default_backend()) |
| 185 | delta = cert.not_valid_after - datetime.datetime.now() |
| 186 | logger.info("{}/{}: existing cert expiry: {}".format(fqdn, cert_name, delta)) |
| 187 | if delta.total_seconds() < 3600 * 24 * 60: |
| 188 | logger.info("{}/{}: expires soon, regenerating".format(fqdn, cert_name)) |
| 189 | generate_cert = True |
| 190 | else: |
| 191 | generate_cert = True |
| 192 | |
| 193 | if not generate_cert: |
| 194 | return False |
| 195 | |
| 196 | local_csr_f = tempfile.NamedTemporaryFile(delete=False) |
| 197 | local_csr = local_csr_f.name |
| 198 | local_csr_f.close() |
| 199 | |
| 200 | local_config = openssl_config(san) |
| 201 | |
| 202 | subprocess.check_call([ |
| 203 | 'openssl', 'req', '-new', |
| 204 | '-key', local_key, |
| 205 | '-out', local_csr, |
| 206 | '-subj', str(subj), |
| 207 | '-config', local_config, |
| 208 | '-reqexts', 'SAN', |
| 209 | ]) |
| 210 | |
| 211 | pki.sign(local_csr, local_cert, local_config, days) |
| 212 | |
| 213 | c.put(local=local_key, remote=remote_key) |
| 214 | c.put(local=local_cert, remote=remote_cert) |
| 215 | |
| 216 | os.remove(local_csr) |
| 217 | os.remove(local_config) |
| 218 | return True |
| 219 | |
| 220 | |
| 221 | def configure_k8s(username, ca, cert, key): |
| 222 | subprocess.check_call([ |
| 223 | 'kubectl', 'config', |
| 224 | 'set-cluster', cluster, |
| 225 | '--certificate-authority=' + ca, |
| 226 | '--embed-certs=true', |
| 227 | '--server=https://' + cluster + ':4001', |
| 228 | ]) |
| 229 | subprocess.check_call([ |
| 230 | 'kubectl', 'config', |
| 231 | 'set-credentials', username, |
| 232 | '--client-certificate=' + cert, |
| 233 | '--client-key=' + key, |
| 234 | '--embed-certs=true', |
| 235 | ]) |
| 236 | subprocess.check_call([ |
| 237 | 'kubectl', 'config', |
| 238 | 'set-context', cluster, |
| 239 | '--cluster=' + cluster, |
| 240 | '--user=' + username, |
| 241 | ]) |
| 242 | subprocess.check_call([ |
| 243 | 'kubectl', 'config', |
| 244 | 'use-context', cluster, |
| 245 | ]) |
| 246 | |
| 247 | def admincreds(args): |
| 248 | if len(args) != 1: |
| 249 | sys.stderr.write("Usage: admincreds q3k\n") |
| 250 | return 1 |
| 251 | username = args[0] |
| 252 | |
| 253 | pki = PKI() |
| 254 | |
| 255 | local_key = os.path.join(local_root, '.kubectl/admin.key') |
| 256 | local_cert = os.path.join(local_root, '.kubectl/admin.crt') |
| 257 | local_csr = os.path.join(local_root, '.kubectl/admin.csr') |
| 258 | |
| 259 | generate_cert = False |
| 260 | if not os.path.exists(local_key): |
| 261 | subprocess.check_call([ |
| 262 | 'openssl', 'genrsa', '-out', local_key, '4096', |
| 263 | ]) |
| 264 | generate_cert = True |
| 265 | |
| 266 | if os.path.exists(local_cert): |
| 267 | with open(local_cert, 'rb') as f: |
| 268 | b = f.read() |
| 269 | cert = x509.load_pem_x509_certificate(b, default_backend()) |
| 270 | delta = cert.not_valid_after - datetime.datetime.now() |
| 271 | logger.info("admin: existing cert expiry: {}".format(delta)) |
| 272 | if delta.total_seconds() < 3600 * 24: |
| 273 | logger.info("admin: expires soon, regenerating") |
| 274 | generate_cert = True |
| 275 | else: |
| 276 | generate_cert = True |
| 277 | |
| 278 | if not generate_cert: |
| 279 | return configure_k8s(username, pki.cacert, local_cert, local_key) |
| 280 | |
| 281 | local_config = openssl_config([]) |
| 282 | subj = Subject('system:masters', "Kubernetes Admin Account for {}".format(username), username) |
| 283 | |
| 284 | subprocess.check_call([ |
| 285 | 'openssl', 'req', '-new', |
| 286 | '-key', local_key, |
| 287 | '-out', local_csr, |
| 288 | '-subj', str(subj), |
| 289 | '-config', local_config, |
| 290 | '-reqexts', 'SAN', |
| 291 | ]) |
| 292 | |
| 293 | pki.sign(local_csr, local_cert, local_config, 5) |
| 294 | os.remove(local_config) |
| 295 | |
| 296 | configure_k8s(username, pki.cacert, local_cert, local_key) |
| 297 | |
| 298 | |
| 299 | def nodestrap(args): |
| 300 | if len(args) != 1: |
| 301 | sys.stderr.write("Usage: nodestrap bc01n01.hswaw.net\n") |
| 302 | return 1 |
| 303 | fqdn = args[0] |
| 304 | |
| 305 | logger.info("Nodestrapping {}...".format(fqdn)) |
| 306 | |
| 307 | c = fabric.Connection('root@{}'.format(fqdn)) |
| 308 | p = PKI() |
| 309 | |
| 310 | modified = False |
| 311 | modified |= remote_cert(p, c, fqdn, "node", Subject(Subject.hswaw, 'Node Certificate', fqdn)) |
| 312 | modified |= remote_cert(p, c, fqdn, "kube-node", Subject('system:nodes', 'Kubelet Certificate', 'system:node:' + fqdn), san=[fqdn,]) |
| 313 | for component in ['controller-manager', 'proxy', 'scheduler']: |
| 314 | o = 'system:kube-{}'.format(component) |
| 315 | ou = 'Kuberneter Component {}'.format(component) |
| 316 | modified |= shared_cert(p, c, fqdn, 'kube-{}'.format(component), Subject(o, ou, o)) |
| 317 | modified |= shared_cert(p, c, fqdn, 'kube-apiserver', Subject(Subject.hswaw, 'Kubernetes API', cluster)) |
| 318 | modified |= shared_cert(p, c, fqdn, 'kube-serviceaccounts', Subject(Subject.hswaw, 'Kubernetes Service Account Signer', 'service-accounts')) |
| 319 | |
| 320 | if modified: |
| 321 | logger.info('{}: cert(s) modified, restarting services...'.format(fqdn)) |
| 322 | |
| 323 | services = [ |
| 324 | 'kubelet', 'kube-proxy', |
| 325 | 'kube-apiserver', 'kube-controller-manager', 'kube-scheduler', |
| 326 | 'etcd' |
| 327 | ] |
| 328 | |
| 329 | for s in services: |
| 330 | c.run('systemctl stop {}'.format(s)) |
| 331 | for s in services[::-1]: |
| 332 | c.run('systemctl start {}'.format(s)) |
| 333 | |
| 334 | def usage(): |
| 335 | sys.stderr.write("Usage: {} <nodestrap|admincreds>\n".format(sys.argv[0])) |
| 336 | |
| 337 | def main(): |
| 338 | if len(sys.argv) < 2: |
| 339 | usage() |
| 340 | return 1 |
| 341 | |
| 342 | mode = sys.argv[1] |
| 343 | if mode == "nodestrap": |
| 344 | return nodestrap(sys.argv[2:]) |
| 345 | elif mode == "admincreds": |
| 346 | return admincreds(sys.argv[2:]) |
| 347 | else: |
| 348 | usage() |
| 349 | return 1 |
| 350 | |
| 351 | if __name__ == '__main__': |
| 352 | sys.exit(main() or 0) |