8 years ago · 9da00c73bd
--- a/hack/scripts-dev/docker-dns/certs-gateway/Procfile
+++ b/hack/scripts-dev/docker-dns/certs-gateway/Procfile
@@ -0,0 +1,8 @@
 
															+# Use goreman to run `go get github.com/mattn/goreman`
														
 
															+etcd1: ./etcd --name m1 --data-dir /tmp/m1.data --listen-client-urls https://127.0.0.1:2379 --advertise-client-urls https://m1.etcd.local:2379 --listen-peer-urls https://127.0.0.1:2380 --initial-advertise-peer-urls=https://m1.etcd.local:2380 --initial-cluster-token tkn --initial-cluster=m1=https://m1.etcd.local:2380,m2=https://m2.etcd.local:22380,m3=https://m3.etcd.local:32380 --initial-cluster-state new --peer-cert-file=/certs-gateway/server.crt --peer-key-file=/certs-gateway/server.key.insecure --peer-trusted-ca-file=/certs-gateway/ca.crt --peer-client-cert-auth --cert-file=/certs-gateway/server.crt --key-file=/certs-gateway/server.key.insecure --trusted-ca-file=/certs-gateway/ca.crt --client-cert-auth
														
 
															+
														
 
															+etcd2: ./etcd --name m2 --data-dir /tmp/m2.data --listen-client-urls https://127.0.0.1:22379 --advertise-client-urls https://m2.etcd.local:22379 --listen-peer-urls https://127.0.0.1:22380 --initial-advertise-peer-urls=https://m2.etcd.local:22380 --initial-cluster-token tkn --initial-cluster=m1=https://m1.etcd.local:2380,m2=https://m2.etcd.local:22380,m3=https://m3.etcd.local:32380 --initial-cluster-state new --peer-cert-file=/certs-gateway/server.crt --peer-key-file=/certs-gateway/server.key.insecure --peer-trusted-ca-file=/certs-gateway/ca.crt --peer-client-cert-auth --cert-file=/certs-gateway/server.crt --key-file=/certs-gateway/server.key.insecure --trusted-ca-file=/certs-gateway/ca.crt --client-cert-auth
														
 
															+
														
 
															+etcd3: ./etcd --name m3 --data-dir /tmp/m3.data --listen-client-urls https://127.0.0.1:32379 --advertise-client-urls https://m3.etcd.local:32379 --listen-peer-urls https://127.0.0.1:32380 --initial-advertise-peer-urls=https://m3.etcd.local:32380 --initial-cluster-token tkn --initial-cluster=m1=https://m1.etcd.local:2380,m2=https://m2.etcd.local:22380,m3=https://m3.etcd.local:32380 --initial-cluster-state new --peer-cert-file=/certs-gateway/server.crt --peer-key-file=/certs-gateway/server.key.insecure --peer-trusted-ca-file=/certs-gateway/ca.crt --peer-client-cert-auth --cert-file=/certs-gateway/server.crt --key-file=/certs-gateway/server.key.insecure --trusted-ca-file=/certs-gateway/ca.crt --client-cert-auth
														
 
															+
														
 
															+gateway: ./etcd gateway start --endpoints https://m1.etcd.local:2379,https://m2.etcd.local:22379,https://m3.etcd.local:32379 --trusted-ca-file /certs-gateway/ca.crt --listen-addr 127.0.0.1:23790
														
--- a/hack/scripts-dev/docker-dns/certs-gateway/ca-csr.json
+++ b/hack/scripts-dev/docker-dns/certs-gateway/ca-csr.json
@@ -0,0 +1,19 @@
 
															+{
														
 
															+  "key": {
														
 
															+    "algo": "rsa",
														
 
															+    "size": 2048
														
 
															+  },
														
 
															+  "names": [
														
 
															+    {
														
 
															+      "O": "etcd",
														
 
															+      "OU": "etcd Security",
														
 
															+      "L": "San Francisco",
														
 
															+      "ST": "California",
														
 
															+      "C": "USA"
														
 
															+    }
														
 
															+  ],
														
 
															+  "CN": "ca",
														
 
															+  "ca": {
														
 
															+    "expiry": "87600h"
														
 
															+  }
														
 
															+}
														
--- a/hack/scripts-dev/docker-dns/certs-gateway/ca.crt
+++ b/hack/scripts-dev/docker-dns/certs-gateway/ca.crt
@@ -0,0 +1,22 @@
 
															+-----BEGIN CERTIFICATE-----
														
 
															+MIIDsTCCApmgAwIBAgIUClliB9ECLPuQpOrlqLkeI1ib7zYwDQYJKoZIhvcNAQEL
														
 
															+BQAwbzEMMAoGA1UEBhMDVVNBMRMwEQYDVQQIEwpDYWxpZm9ybmlhMRYwFAYDVQQH
														
 
															+Ew1TYW4gRnJhbmNpc2NvMQ0wCwYDVQQKEwRldGNkMRYwFAYDVQQLEw1ldGNkIFNl
														
 
															+Y3VyaXR5MQswCQYDVQQDEwJjYTAeFw0xNzEyMDExOTE3MDBaFw0yNzExMjkxOTE3
														
 
															+MDBaMG8xDDAKBgNVBAYTA1VTQTETMBEGA1UECBMKQ2FsaWZvcm5pYTEWMBQGA1UE
														
 
															+BxMNU2FuIEZyYW5jaXNjbzENMAsGA1UEChMEZXRjZDEWMBQGA1UECxMNZXRjZCBT
														
 
															+ZWN1cml0eTELMAkGA1UEAxMCY2EwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEK
														
 
															+AoIBAQCjClF0TCk2qrHUTjFgFv2jmV0yUqnP3SG/7eVCptcFKE7kcGAx+j06GfEP
														
 
															+UXmCV13cgE0dYYLtz7/g29BiZzlBLlLsmpBMM+S4nfVH9BGLbKCSnwp5ba816AuS
														
 
															+rc8+qmJ0fAo56snLQWoAlnZxZ1tVjAtj5ZrQP9QDK2djgyviPS4kqWQ7Ulbeqgs7
														
 
															+rGz56xAsyMTWYlotgZTnnZ3Pckr1FHXhwkO1rFK5+oMZPh2HhvXL9wv0/TMAypUv
														
 
															+oQqDzUfUvYeaKr6qy1ADc53SQjqeTXg0jOShmnWM2zC7MwX+VPh+6ZApk3NLXwgv
														
 
															+6wT0U1tNfvctp8JvC7FqqCEny9hdAgMBAAGjRTBDMA4GA1UdDwEB/wQEAwIBBjAS
														
 
															+BgNVHRMBAf8ECDAGAQH/AgECMB0GA1UdDgQWBBQWI6eUGqKWkCjOKGAYd+5K6eh5
														
 
															+GTANBgkqhkiG9w0BAQsFAAOCAQEAS3nIyLoGMsioLb89T1KMq+0NDDCx7R20EguT
														
 
															+qUvFUYKjzdxDA1RlZ2HzPxBJRwBc0Vf98pNtkWCkwUl5hxthndNQo7F9lLs/zNzp
														
 
															+bL4agho6kadIbcb4v/3g9XPSzqJ/ysfrwxZoBd7D+0PVGJjRTIJiN83Kt68IMx2b
														
 
															+8mFEBiMZiSJW+sRuKXMSJsubJE3QRn862y2ktq/lEJyYR6zC0MOeYR6BPIs/B6vU
														
 
															+8/iUbyk5ULc7NzWGytC+QKC3O9RTuA8MGF1aFaNSK7wDyrAlBZdxjWi52Mz3lJCK
														
 
															+ffBaVfvG55WKjwAqgNU17jK/Rxw1ev9mp4aCkXkD0KUTGLcoZw==
														
 
															+-----END CERTIFICATE-----
														
--- a/hack/scripts-dev/docker-dns/certs-gateway/gencert.json
+++ b/hack/scripts-dev/docker-dns/certs-gateway/gencert.json
@@ -0,0 +1,13 @@
 
															+{
														
 
															+  "signing": {
														
 
															+    "default": {
														
 
															+        "usages": [
														
 
															+          "signing",
														
 
															+          "key encipherment",
														
 
															+          "server auth",
														
 
															+          "client auth"
														
 
															+        ],
														
 
															+        "expiry": "87600h"
														
 
															+    }
														
 
															+  }
														
 
															+}
														
--- a/hack/scripts-dev/docker-dns/certs-gateway/gencerts.sh
+++ b/hack/scripts-dev/docker-dns/certs-gateway/gencerts.sh
@@ -0,0 +1,26 @@
 
															+#!/bin/bash
														
 
															+
														
 
															+if ! [[ "$0" =~ "./gencerts.sh" ]]; then
														
 
															+	echo "must be run from 'fixtures'"
														
 
															+	exit 255
														
 
															+fi
														
 
															+
														
 
															+if ! which cfssl; then
														
 
															+	echo "cfssl is not installed"
														
 
															+	exit 255
														
 
															+fi
														
 
															+
														
 
															+cfssl gencert --initca=true ./ca-csr.json | cfssljson --bare ./ca
														
 
															+mv ca.pem ca.crt
														
 
															+openssl x509 -in ca.crt -noout -text
														
 
															+
														
 
															+# generate wildcard certificates DNS: *.etcd.local
														
 
															+cfssl gencert \
														
 
															+    --ca ./ca.crt \
														
 
															+    --ca-key ./ca-key.pem \
														
 
															+    --config ./gencert.json \
														
 
															+    ./server-ca-csr.json | cfssljson --bare ./server
														
 
															+mv server.pem server.crt
														
 
															+mv server-key.pem server.key.insecure
														
 
															+
														
 
															+rm -f *.csr *.pem *.stderr *.txt
														
--- a/hack/scripts-dev/docker-dns/certs-gateway/run.sh
+++ b/hack/scripts-dev/docker-dns/certs-gateway/run.sh
@@ -0,0 +1,47 @@
 
															+#!/bin/sh
														
 
															+rm -rf /tmp/m1.data /tmp/m2.data /tmp/m3.data
														
 
															+
														
 
															+/etc/init.d/bind9 start
														
 
															+
														
 
															+# get rid of hosts so go lookup won't resolve 127.0.0.1 to localhost
														
 
															+cat /dev/null >/etc/hosts
														
 
															+
														
 
															+goreman -f /certs-gateway/Procfile start &
														
 
															+
														
 
															+# TODO: remove random sleeps
														
 
															+sleep 7s
														
 
															+
														
 
															+ETCDCTL_API=3 ./etcdctl \
														
 
															+  --cacert=/certs-gateway/ca.crt \
														
 
															+  --cert=/certs-gateway/server.crt \
														
 
															+  --key=/certs-gateway/server.key.insecure \
														
 
															+  --endpoints=https://m1.etcd.local:2379 \
														
 
															+  endpoint health --cluster
														
 
															+
														
 
															+ETCDCTL_API=3 ./etcdctl \
														
 
															+  --cacert=/certs-gateway/ca.crt \
														
 
															+  --cert=/certs-gateway/server.crt \
														
 
															+  --key=/certs-gateway/server.key.insecure \
														
 
															+  --endpoints=https://m1.etcd.local:2379,https://m2.etcd.local:22379,https://m3.etcd.local:32379 \
														
 
															+  put abc def
														
 
															+
														
 
															+ETCDCTL_API=3 ./etcdctl \
														
 
															+  --cacert=/certs-gateway/ca.crt \
														
 
															+  --cert=/certs-gateway/server.crt \
														
 
															+  --key=/certs-gateway/server.key.insecure \
														
 
															+  --endpoints=https://m1.etcd.local:2379,https://m2.etcd.local:22379,https://m3.etcd.local:32379 \
														
 
															+  get abc
														
 
															+
														
 
															+ETCDCTL_API=3 ./etcdctl \
														
 
															+  --cacert=/certs-gateway/ca.crt \
														
 
															+  --cert=/certs-gateway/server.crt \
														
 
															+  --key=/certs-gateway/server.key.insecure \
														
 
															+  --endpoints=127.0.0.1:23790 \
														
 
															+  put ghi jkl
														
 
															+
														
 
															+ETCDCTL_API=3 ./etcdctl \
														
 
															+  --cacert=/certs-gateway/ca.crt \
														
 
															+  --cert=/certs-gateway/server.crt \
														
 
															+  --key=/certs-gateway/server.key.insecure \
														
 
															+  --endpoints=127.0.0.1:23790 \
														
 
															+  get ghi
														
--- a/hack/scripts-dev/docker-dns/certs-gateway/server-ca-csr.json
+++ b/hack/scripts-dev/docker-dns/certs-gateway/server-ca-csr.json
@@ -0,0 +1,22 @@
 
															+{
														
 
															+  "key": {
														
 
															+    "algo": "rsa",
														
 
															+    "size": 2048
														
 
															+  },
														
 
															+  "names": [
														
 
															+    {
														
 
															+      "O": "etcd",
														
 
															+      "OU": "etcd Security",
														
 
															+      "L": "San Francisco",
														
 
															+      "ST": "California",
														
 
															+      "C": "USA"
														
 
															+    }
														
 
															+  ],
														
 
															+  "hosts": [
														
 
															+    "m1.etcd.local",
														
 
															+    "m2.etcd.local",
														
 
															+    "m3.etcd.local",
														
 
															+    "127.0.0.1",
														
 
															+    "localhost"
														
 
															+  ]
														
 
															+}
														
--- a/hack/scripts-dev/docker-dns/certs-gateway/server.crt
+++ b/hack/scripts-dev/docker-dns/certs-gateway/server.crt
@@ -0,0 +1,25 @@
 
															+-----BEGIN CERTIFICATE-----
														
 
															+MIIEKTCCAxGgAwIBAgIUDOkW+H3KLeHEwsovqOUMKKfEuqQwDQYJKoZIhvcNAQEL
														
 
															+BQAwbzEMMAoGA1UEBhMDVVNBMRMwEQYDVQQIEwpDYWxpZm9ybmlhMRYwFAYDVQQH
														
 
															+Ew1TYW4gRnJhbmNpc2NvMQ0wCwYDVQQKEwRldGNkMRYwFAYDVQQLEw1ldGNkIFNl
														
 
															+Y3VyaXR5MQswCQYDVQQDEwJjYTAeFw0xNzEyMDExOTE3MDBaFw0yNzExMjkxOTE3
														
 
															+MDBaMGIxDDAKBgNVBAYTA1VTQTETMBEGA1UECBMKQ2FsaWZvcm5pYTEWMBQGA1UE
														
 
															+BxMNU2FuIEZyYW5jaXNjbzENMAsGA1UEChMEZXRjZDEWMBQGA1UECxMNZXRjZCBT
														
 
															+ZWN1cml0eTCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBANfu298kCxFY
														
 
															+KXAmdG5BeqnFoezAJQCtgv+ZRS0+OB4hVsahnNSsztEfIJnVSvYJTr1u+TGSbzBZ
														
 
															+q85ua3S92Mzo/71yoDlFjj1JfBmPdL1Ij1256LAwUYoPXgcACyiKpI1DnTlhwTvU
														
 
															+G41teQBo+u4sxr9beuNpLlehVbknH9JkTNaTbF9/B5hy5hQPomGvzPzzBNAfrb2B
														
 
															+EyqabnzoX4qv6cMsQSJrcOYQ8znnTPWa5WFP8rWujsvxOUjxikQn8d7lkzy+PHwq
														
 
															+zx69L9VzdoWyJgQ3m73SIMTgP+HL+OsxDfmbu++Ds+2i2Dgf/vdJku/rP+Wka7vn
														
 
															+yCM807xi96kCAwEAAaOByTCBxjAOBgNVHQ8BAf8EBAMCBaAwHQYDVR0lBBYwFAYI
														
 
															+KwYBBQUHAwEGCCsGAQUFBwMCMAwGA1UdEwEB/wQCMAAwHQYDVR0OBBYEFAH+dsuv
														
 
															+L6qvUmB/w9eKl83+MGTtMB8GA1UdIwQYMBaAFBYjp5QaopaQKM4oYBh37krp6HkZ
														
 
															+MEcGA1UdEQRAMD6CDW0xLmV0Y2QubG9jYWyCDW0yLmV0Y2QubG9jYWyCDW0zLmV0
														
 
															+Y2QubG9jYWyCCWxvY2FsaG9zdIcEfwAAATANBgkqhkiG9w0BAQsFAAOCAQEAh049
														
 
															+srxFkiH9Lp8le3fJkuY25T/MUrmfa10RdNSKgj3qcpCMnf9nQjIWtaQsjoZJ5MQc
														
 
															+VIT3gWDWK8SWlpx+O2cVEQDG0ccv7gc38YGywVhMoQ5HthTAjLCbNk4TdKJOIk7D
														
 
															+hmfs7BHDvjRPi38CFklLzdUQaVCcvB43TNA3Y9M75oP/UGOSe3lJz1KKXOI/t+vA
														
 
															+5U3yxwXlVNJVsZgeWAbXN9F6WbCZDsz+4Obpk/LV1NLqgLd/hHXzoOOWNw977S2b
														
 
															++dOd95OJ/cq09OzKn/g26NgtHOl0xqol7wIwqJhweEEiVueyFxXD04jcsxdAFZSJ
														
 
															+9H6q3inNQaLyJHSYWQ==
														
 
															+-----END CERTIFICATE-----
														
--- a/hack/scripts-dev/docker-dns/certs-gateway/server.key.insecure
+++ b/hack/scripts-dev/docker-dns/certs-gateway/server.key.insecure
@@ -0,0 +1,27 @@
 
															+-----BEGIN RSA PRIVATE KEY-----
														
 
															+MIIEpAIBAAKCAQEA1+7b3yQLEVgpcCZ0bkF6qcWh7MAlAK2C/5lFLT44HiFWxqGc
														
 
															+1KzO0R8gmdVK9glOvW75MZJvMFmrzm5rdL3YzOj/vXKgOUWOPUl8GY90vUiPXbno
														
 
															+sDBRig9eBwALKIqkjUOdOWHBO9QbjW15AGj67izGv1t642kuV6FVuScf0mRM1pNs
														
 
															+X38HmHLmFA+iYa/M/PME0B+tvYETKppufOhfiq/pwyxBImtw5hDzOedM9ZrlYU/y
														
 
															+ta6Oy/E5SPGKRCfx3uWTPL48fCrPHr0v1XN2hbImBDebvdIgxOA/4cv46zEN+Zu7
														
 
															+74Oz7aLYOB/+90mS7+s/5aRru+fIIzzTvGL3qQIDAQABAoIBABO8azA79R8Ctdbg
														
 
															+TOf+6B04SRKAhWFIep6t/ZqjAzINzgadot31ZXnLpIkq640NULsTt4cGYU9EAuX9
														
 
															+RakH6RbhfO5t2aMiblu/qa4UZJEgXqosYc4ovGsn+GofYOW1tlCLC4XBH44+Vr5Y
														
 
															+cSTOc5DtWsUGsXazmF6+Cj3AC7KI+VWegHexGezyO0not8Q5L55TuH2lCW4sx9th
														
 
															+W4Q7jg2lrCvz4x8ZRIAXOGmBaDTZmMtVlEjezu+7xr8QDQsvUwj7a87HPjgXFesj
														
 
															+CbbCr8kaqEdZ23AVDZuLAKS4hWQlbacRhRAxMkomZkg5U6J/PC3ikIqfOda1zu1D
														
 
															+MTIOuwECgYEA8hFkISWVEzbaIZgO1BZl36wNaOLYIpX0CzlycptcEssbefLy7Nxo
														
 
															+TZ+m9AjF6TBPl4fO4edo00iiJMy6ZdhItduNWLO+usJEY9UdzHex7fCUeG8usUXQ
														
 
															+g4VGEvPGg88VEM45pkAgbga7kzkG2Ihfu6La5apbXeOpNpuC58DdlzkCgYEA5Fxl
														
 
															+/qGzLlTwioaaE+qpEX46MfbJl38nkeSf9B7J1ISc/fnDPcBPvcHaYELqyHM+7OFa
														
 
															+Gt9oBDrLgyP4ZgOTaHKHdofXjAMC97b9oa/Lrors5dMrf/fxTTe2X+Kab94E1Wbo
														
 
															+39kA3qzV/CT7EZWuqbHO3Bqkv/qe6ks0Tbahc/ECgYBuB2OpAWkyc6NQ08ohsxCZ
														
 
															+S55Ix5uQlPJ5y6Hu4BlI3ZNeqgSrjz/F0MTVdctnxDLZYLyzyDjImOJCseAj/NyH
														
 
															+9QTZhdIzF6x4aF2EG///dHQ4Del+YIp3zbNdV/sq3Izpt6NSoyFagarvL2OiNtK0
														
 
															++kBfVkDze1Dl5mfpKaxPWQKBgQC+gXqxJxKE92VIGyxUqzHqHwTLg9b/ZJuNMU5j
														
 
															+aH/1o8AYfJFtZY7gfeUA4zJckRAQq5rwyilLRgVbXNmvuRHzU4BA2OhvrF+Aag9D
														
 
															+IJXqAYnJ3RXwBtcuFOk3KqKt6mjb4qMpgy4flc5aMDunmtiARo6MvklswtZqHN0A
														
 
															+a/ha8QKBgQCqF/xCf5ORzVkikYYGsO910QXlzsyPdRJbhrBCRTsdhz/paT5GQQXr
														
 
															+y3ToUuKEoHfjFudUeGNOstjchWw+WgT9iqMJhtwV1nU1lkPyjmCQ2ONIP+13dZ+i
														
 
															+I/LDyMngtOKzvD5qpswY1Er+84+RVrtseQjXDC2NlrvDr5LnZDtGag==
														
 
															+-----END RSA PRIVATE KEY-----