hack/scripts-dev: add "docker-dns-example-certs-common-name-run" #8961
@@ -0,0 +1,6 @@ | ||
# Use goreman to run `go get github.com/mattn/goreman` | ||
etcd1: ./etcd --name m1 --data-dir /tmp/m1.data --listen-client-urls https://127.0.0.1:2379 --advertise-client-urls https://m1.etcd.local:2379 --listen-peer-urls https://127.0.0.1:2380 --initial-advertise-peer-urls=https://m1.etcd.local:2380 --initial-cluster-token tkn --initial-cluster=m1=https://m1.etcd.local:2380,m2=https://m2.etcd.local:22380,m3=https://m3.etcd.local:32380 --initial-cluster-state new --peer-cert-file=/certs-common-name/server.crt --peer-key-file=/certs-common-name/server.key.insecure --peer-trusted-ca-file=/certs-common-name/ca.crt --peer-client-cert-auth --peer-cert-allowed-cn test-common-name --cert-file=/certs-common-name/server.crt --key-file=/certs-common-name/server.key.insecure --trusted-ca-file=/certs-common-name/ca.crt --client-cert-auth | ||
|
||
etcd2: ./etcd --name m2 --data-dir /tmp/m2.data --listen-client-urls https://127.0.0.1:22379 --advertise-client-urls https://m2.etcd.local:22379 --listen-peer-urls https://127.0.0.1:22380 --initial-advertise-peer-urls=https://m2.etcd.local:22380 --initial-cluster-token tkn --initial-cluster=m1=https://m1.etcd.local:2380,m2=https://m2.etcd.local:22380,m3=https://m3.etcd.local:32380 --initial-cluster-state new --peer-cert-file=/certs-common-name/server.crt --peer-key-file=/certs-common-name/server.key.insecure --peer-trusted-ca-file=/certs-common-name/ca.crt --peer-client-cert-auth --peer-cert-allowed-cn test-common-name --cert-file=/certs-common-name/server.crt --key-file=/certs-common-name/server.key.insecure --trusted-ca-file=/certs-common-name/ca.crt --client-cert-auth | ||
|
||
etcd3: ./etcd --name m3 --data-dir /tmp/m3.data --listen-client-urls https://127.0.0.1:32379 --advertise-client-urls https://m3.etcd.local:32379 --listen-peer-urls https://127.0.0.1:32380 --initial-advertise-peer-urls=https://m3.etcd.local:32380 --initial-cluster-token tkn --initial-cluster=m1=https://m1.etcd.local:2380,m2=https://m2.etcd.local:22380,m3=https://m3.etcd.local:32380 --initial-cluster-state new --peer-cert-file=/certs-common-name/server.crt --peer-key-file=/certs-common-name/server.key.insecure --peer-trusted-ca-file=/certs-common-name/ca.crt --peer-client-cert-auth --peer-cert-allowed-cn test-common-name --cert-file=/certs-common-name/server.crt --key-file=/certs-common-name/server.key.insecure --trusted-ca-file=/certs-common-name/ca.crt --client-cert-auth |
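Review bot: All three members load the same `server.crt`/`server.key.insecure` as `--peer-cert-file`, as `--cert-file`, and as the only identity admitted by `--peer-cert-allowed-cn test-common-name`, and run.sh later presents that same file as the client certificate, so one key pair is at once peer identity, server identity and the client identity that etcd's CN-based auth maps to a user. For a fixture that is fine, but a reader copying this Procfile would get a cluster where holding the client certificate is also enough to be accepted as a peer. A one-line comment at the top would make the simplification explicit, e.g. `# test fixture only: one certificate (CN test-common-name) doubles as peer, server and client identity; issue separate peer and client certs in a real deployment`. The `m1/m2/m3.etcd.local` names presumably resolve through the bind9 service started in run.sh; that zone is not visible here.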
@@ -0,0 +1,19 @@ | ||
{ | ||
"key": { | ||
"algo": "rsa", | ||
"size": 2048 | ||
}, | ||
"names": [ | ||
{ | ||
"O": "etcd", | ||
"OU": "etcd Security", | ||
"L": "San Francisco", | ||
"ST": "California", | ||
"C": "USA" | ||
} | ||
], | ||
"CN": "ca", | ||
"ca": { | ||
"expiry": "87600h" | ||
} | ||
} |
@@ -0,0 +1,22 @@ | ||
-----BEGIN CERTIFICATE----- | ||
MIIDsTCCApmgAwIBAgIUdASu5zT1US/6LPyKmczbC3NgdY4wDQYJKoZIhvcNAQEL | ||
BQAwbzEMMAoGA1UEBhMDVVNBMRMwEQYDVQQIEwpDYWxpZm9ybmlhMRYwFAYDVQQH | ||
Ew1TYW4gRnJhbmNpc2NvMQ0wCwYDVQQKEwRldGNkMRYwFAYDVQQLEw1ldGNkIFNl | ||
Y3VyaXR5MQswCQYDVQQDEwJjYTAeFw0xNzExMTQwNjIzMDBaFw0yNzExMTIwNjIz | ||
MDBaMG8xDDAKBgNVBAYTA1VTQTETMBEGA1UECBMKQ2FsaWZvcm5pYTEWMBQGA1UE | ||
BxMNU2FuIEZyYW5jaXNjbzENMAsGA1UEChMEZXRjZDEWMBQGA1UECxMNZXRjZCBT | ||
ZWN1cml0eTELMAkGA1UEAxMCY2EwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEK | ||
AoIBAQDBbE44RP/Tk9l7KShzxQAypatoqDJQL32hyw8plZIfni5XFIlG2GwyjNvX | ||
wiP6u0YcsApZKc58ytqcHQqMyk68OTTxcM+HVWvKHMKOBPBYgXeeVnD+7Ixuinq/ | ||
X6RK3n2jEipFgE9FiAXDNICF3ZQz+HVNBSbzwCjBtIcYkinWHX+kgnQkFT1NnmuZ | ||
uloz6Uh7/Ngn/XPNSsoMyLrh4TwDsx/fQEpVcrXMbxWux1xEHmfDzRKvE7VhSo39 | ||
/mcpKBOwTg4jwh9tDjxWX4Yat+/cX0cGxQ7JSrdy14ESV5AGBmesGHd2SoWhZK9l | ||
tWm1Eq0JYWD+Cd5yNrODTUxWRNs9AgMBAAGjRTBDMA4GA1UdDwEB/wQEAwIBBjAS | ||
BgNVHRMBAf8ECDAGAQH/AgECMB0GA1UdDgQWBBSZMjlLnc7Vv2mxRMebo5ezJ7gt | ||
pzANBgkqhkiG9w0BAQsFAAOCAQEAA2d2nV4CXjp7xpTQrh8sHzSBDYUNr9DY5hej | ||
52X6q8WV0N3QC7Utvv2Soz6Ol72/xoGajIJvqorsIBB5Ms3dgCzPMy3R01Eb3MzI | ||
7KG/4AGVEiAKUBkNSD8PWD7bREnnv1g9tUftE7jWsgMaPIpi6KhzhyJsClT4UsKQ | ||
6Lp+Be80S293LrlmUSdZ/v7FAvMzDGOLd2iTlTr1fXK6YJJEXpk3+HIi8nbUPvYQ | ||
6O8iOtf5QoCm1yMLJQMFvNr51Z1EeF935HRj8U2MJP5jXPW4/UY2TAUBcWEhlNsK | ||
6od+f1B8xGe/6KHvF0C8bg23kj8QphM/E7HCZiVgdm6FNf54AQ== | ||
-----END CERTIFICATE----- |
@@ -0,0 +1,13 @@ | ||
{ | ||
"signing": { | ||
"default": { | ||
"usages": [ | ||
"signing", | ||
"key encipherment", | ||
"server auth", | ||
"client auth" | ||
], | ||
"expiry": "87600h" | ||
} | ||
} | ||
} |
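Review bot: The single `default` signing profile carries both `server auth` and `client auth` usages, and that dual EKU is what lets the one `server.crt` it produces act as the client certificate in run.sh and as peer and server certificate in the Procfile. JSON cannot carry a comment, so the reason belongs in gencerts.sh next to the `--config ./gencert.json` line, e.g. `# gencert.json's default profile has both server-auth and client-auth EKUs: the fixture reuses one cert for every role`. A profile meant for a real cluster would normally split these into separate server and client profiles so a client certificate cannot be presented as a server or peer.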
@@ -0,0 +1,26 @@ | ||
#!/bin/bash | ||
|
||
if ! [[ "$0" =~ "./gencerts.sh" ]]; then | ||
echo "must be run from 'fixtures'" | ||
exit 255 | ||
fi | ||
|
||
if ! which cfssl; then | ||
echo "cfssl is not installed" | ||
exit 255 | ||
fi | ||
|
||
cfssl gencert --initca=true ./ca-csr.json | cfssljson --bare ./ca | ||
mv ca.pem ca.crt | ||
openssl x509 -in ca.crt -noout -text | ||
|
||
# generate wildcard certificates DNS: m1/m2/m3.etcd.local | ||
cfssl gencert \ | ||
--ca ./ca.crt \ | ||
--ca-key ./ca-key.pem \ | ||
--config ./gencert.json \ | ||
./server-ca-csr.json | cfssljson --bare ./server | ||
mv server.pem server.crt | ||
mv server-key.pem server.key.insecure | ||
|
||
rm -f *.csr *.pem *.stderr *.txt |
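Review bot: The script has no `set -e`, so if either `cfssl gencert ... | cfssljson` pipeline (lines 109 and 115-119) fails, the following `mv` calls and the trailing `rm -f *.csr *.pem *.stderr *.txt` still run and leave the directory with neither a usable CA nor any hint of what went wrong; since the interpreter is already bash, add `set -euo pipefail` under the shebang. The tool check uses `which` and only covers `cfssl` although `cfssljson` is equally required: `if ! command -v cfssl >/dev/null || ! command -v cfssljson >/dev/null; then`. The comment on line 114 says "wildcard certificates", but server-ca-csr.json lists explicit SANs, so `# generate the server/client certificate with SANs m1/m2/m3.etcd.local, 127.0.0.1, localhost` would be accurate. Note also that `rm -f *.pem` discards `ca-key.pem`, so this CA can never issue another certificate; if that is intended for the fixture, say so in a comment on that line.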
@@ -0,0 +1,255 @@ | ||
#!/bin/sh | ||
rm -rf /tmp/m1.data /tmp/m2.data /tmp/m3.data | ||
|
||
/etc/init.d/bind9 start | ||
|
||
# get rid of hosts so go lookup won't resolve 127.0.0.1 to localhost | ||
cat /dev/null >/etc/hosts | ||
|
||
goreman -f /certs-common-name/Procfile start & | ||
|
||
# TODO: remove random sleeps | ||
sleep 7s | ||
|
||
ETCDCTL_API=3 ./etcdctl \ | ||
--cacert=/certs-common-name/ca.crt \ | ||
--cert=/certs-common-name/server.crt \ | ||
--key=/certs-common-name/server.key.insecure \ | ||
--endpoints=https://m1.etcd.local:2379 \ | ||
endpoint health --cluster | ||
|
||
ETCDCTL_API=3 ./etcdctl \ | ||
--cacert=/certs-common-name/ca.crt \ | ||
--cert=/certs-common-name/server.crt \ | ||
--key=/certs-common-name/server.key.insecure \ | ||
--endpoints=https://m1.etcd.local:2379,https://m2.etcd.local:22379,https://m3.etcd.local:32379 \ | ||
put abc def | ||
|
||
ETCDCTL_API=3 ./etcdctl \ | ||
--cacert=/certs-common-name/ca.crt \ | ||
--cert=/certs-common-name/server.crt \ | ||
--key=/certs-common-name/server.key.insecure \ | ||
--endpoints=https://m1.etcd.local:2379,https://m2.etcd.local:22379,https://m3.etcd.local:32379 \ | ||
get abc | ||
|
||
sleep 1s && printf "\n" | ||
echo "Step 1. creating root role" | ||
There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more. I don't quite understand this test. There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more. User must create There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more. you are testing this scenario right?https://github.com/coreos/etcd/blob/master/Documentation/op-guide/authentication.md#using-tls-common-name There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more. Yes. |
||
ETCDCTL_API=3 ./etcdctl \ | ||
--cacert=/certs-common-name/ca.crt \ | ||
--cert=/certs-common-name/server.crt \ | ||
--key=/certs-common-name/server.key.insecure \ | ||
--endpoints=https://m1.etcd.local:2379,https://m2.etcd.local:22379,https://m3.etcd.local:32379 \ | ||
role add root | ||
|
||
sleep 1s && printf "\n" | ||
echo "Step 2. granting readwrite 'foo' permission to role 'root'" | ||
ETCDCTL_API=3 ./etcdctl \ | ||
--cacert=/certs-common-name/ca.crt \ | ||
--cert=/certs-common-name/server.crt \ | ||
--key=/certs-common-name/server.key.insecure \ | ||
--endpoints=https://m1.etcd.local:2379,https://m2.etcd.local:22379,https://m3.etcd.local:32379 \ | ||
role grant-permission root readwrite foo | ||
|
||
sleep 1s && printf "\n" | ||
echo "Step 3. getting role 'root'" | ||
ETCDCTL_API=3 ./etcdctl \ | ||
--cacert=/certs-common-name/ca.crt \ | ||
--cert=/certs-common-name/server.crt \ | ||
--key=/certs-common-name/server.key.insecure \ | ||
--endpoints=https://m1.etcd.local:2379,https://m2.etcd.local:22379,https://m3.etcd.local:32379 \ | ||
role get root | ||
|
||
sleep 1s && printf "\n" | ||
echo "Step 4. creating user 'root'" | ||
ETCDCTL_API=3 ./etcdctl \ | ||
--cacert=/certs-common-name/ca.crt \ | ||
--cert=/certs-common-name/server.crt \ | ||
--key=/certs-common-name/server.key.insecure \ | ||
--endpoints=https://m1.etcd.local:2379,https://m2.etcd.local:22379,https://m3.etcd.local:32379 \ | ||
--interactive=false \ | ||
user add root:123 | ||
|
||
sleep 1s && printf "\n" | ||
echo "Step 5. granting role 'root' to user 'root'" | ||
ETCDCTL_API=3 ./etcdctl \ | ||
--cacert=/certs-common-name/ca.crt \ | ||
--cert=/certs-common-name/server.crt \ | ||
--key=/certs-common-name/server.key.insecure \ | ||
--endpoints=https://m1.etcd.local:2379,https://m2.etcd.local:22379,https://m3.etcd.local:32379 \ | ||
user grant-role root root | ||
|
||
sleep 1s && printf "\n" | ||
echo "Step 6. getting user 'root'" | ||
ETCDCTL_API=3 ./etcdctl \ | ||
--cacert=/certs-common-name/ca.crt \ | ||
--cert=/certs-common-name/server.crt \ | ||
--key=/certs-common-name/server.key.insecure \ | ||
--endpoints=https://m1.etcd.local:2379,https://m2.etcd.local:22379,https://m3.etcd.local:32379 \ | ||
user get root | ||
|
||
sleep 1s && printf "\n" | ||
echo "Step 7. enabling auth" | ||
ETCDCTL_API=3 ./etcdctl \ | ||
--cacert=/certs-common-name/ca.crt \ | ||
--cert=/certs-common-name/server.crt \ | ||
--key=/certs-common-name/server.key.insecure \ | ||
--endpoints=https://m1.etcd.local:2379,https://m2.etcd.local:22379,https://m3.etcd.local:32379 \ | ||
auth enable | ||
|
||
sleep 1s && printf "\n" | ||
echo "Step 8. writing 'foo' with 'root:123'" | ||
ETCDCTL_API=3 ./etcdctl \ | ||
--cacert=/certs-common-name/ca.crt \ | ||
--cert=/certs-common-name/server.crt \ | ||
--key=/certs-common-name/server.key.insecure \ | ||
--endpoints=https://m1.etcd.local:2379,https://m2.etcd.local:22379,https://m3.etcd.local:32379 \ | ||
--user=root:123 \ | ||
put foo bar | ||
|
||
sleep 1s && printf "\n" | ||
echo "Step 9. writing 'aaa' with 'root:123'" | ||
ETCDCTL_API=3 ./etcdctl \ | ||
--cacert=/certs-common-name/ca.crt \ | ||
--cert=/certs-common-name/server.crt \ | ||
--key=/certs-common-name/server.key.insecure \ | ||
--endpoints=https://m1.etcd.local:2379,https://m2.etcd.local:22379,https://m3.etcd.local:32379 \ | ||
--user=root:123 \ | ||
put aaa bbb | ||
|
||
sleep 1s && printf "\n" | ||
echo "Step 10. writing 'foo' without 'root:123'" | ||
ETCDCTL_API=3 ./etcdctl \ | ||
--cacert=/certs-common-name/ca.crt \ | ||
--cert=/certs-common-name/server.crt \ | ||
--key=/certs-common-name/server.key.insecure \ | ||
--endpoints=https://m1.etcd.local:2379,https://m2.etcd.local:22379,https://m3.etcd.local:32379 \ | ||
put foo bar | ||
|
||
sleep 1s && printf "\n" | ||
echo "Step 11. reading 'foo' with 'root:123'" | ||
ETCDCTL_API=3 ./etcdctl \ | ||
--cacert=/certs-common-name/ca.crt \ | ||
--cert=/certs-common-name/server.crt \ | ||
--key=/certs-common-name/server.key.insecure \ | ||
--endpoints=https://m1.etcd.local:2379,https://m2.etcd.local:22379,https://m3.etcd.local:32379 \ | ||
--user=root:123 \ | ||
get foo | ||
|
||
sleep 1s && printf "\n" | ||
echo "Step 12. reading 'aaa' with 'root:123'" | ||
ETCDCTL_API=3 ./etcdctl \ | ||
--cacert=/certs-common-name/ca.crt \ | ||
--cert=/certs-common-name/server.crt \ | ||
--key=/certs-common-name/server.key.insecure \ | ||
--endpoints=https://m1.etcd.local:2379,https://m2.etcd.local:22379,https://m3.etcd.local:32379 \ | ||
--user=root:123 \ | ||
get aaa | ||
|
||
sleep 1s && printf "\n" | ||
echo "Step 13. creating a new user 'test-common-name:test-pass'" | ||
ETCDCTL_API=3 ./etcdctl \ | ||
--cacert=/certs-common-name/ca.crt \ | ||
--cert=/certs-common-name/server.crt \ | ||
--key=/certs-common-name/server.key.insecure \ | ||
--endpoints=https://m1.etcd.local:2379,https://m2.etcd.local:22379,https://m3.etcd.local:32379 \ | ||
--user=root:123 \ | ||
--interactive=false \ | ||
user add test-common-name:test-pass | ||
|
||
sleep 1s && printf "\n" | ||
echo "Step 14. creating a role 'test-role'" | ||
ETCDCTL_API=3 ./etcdctl \ | ||
--cacert=/certs-common-name/ca.crt \ | ||
--cert=/certs-common-name/server.crt \ | ||
--key=/certs-common-name/server.key.insecure \ | ||
--endpoints=https://m1.etcd.local:2379,https://m2.etcd.local:22379,https://m3.etcd.local:32379 \ | ||
--user=root:123 \ | ||
role add test-role | ||
|
||
sleep 1s && printf "\n" | ||
echo "Step 15. granting readwrite 'aaa' --prefix permission to role 'test-role'" | ||
ETCDCTL_API=3 ./etcdctl \ | ||
--cacert=/certs-common-name/ca.crt \ | ||
--cert=/certs-common-name/server.crt \ | ||
--key=/certs-common-name/server.key.insecure \ | ||
--endpoints=https://m1.etcd.local:2379,https://m2.etcd.local:22379,https://m3.etcd.local:32379 \ | ||
--user=root:123 \ | ||
role grant-permission test-role readwrite aaa --prefix | ||
|
||
sleep 1s && printf "\n" | ||
echo "Step 16. getting role 'test-role'" | ||
ETCDCTL_API=3 ./etcdctl \ | ||
--cacert=/certs-common-name/ca.crt \ | ||
--cert=/certs-common-name/server.crt \ | ||
--key=/certs-common-name/server.key.insecure \ | ||
--endpoints=https://m1.etcd.local:2379,https://m2.etcd.local:22379,https://m3.etcd.local:32379 \ | ||
--user=root:123 \ | ||
role get test-role | ||
|
||
sleep 1s && printf "\n" | ||
echo "Step 17. granting role 'test-role' to user 'test-common-name'" | ||
ETCDCTL_API=3 ./etcdctl \ | ||
--cacert=/certs-common-name/ca.crt \ | ||
--cert=/certs-common-name/server.crt \ | ||
--key=/certs-common-name/server.key.insecure \ | ||
--endpoints=https://m1.etcd.local:2379,https://m2.etcd.local:22379,https://m3.etcd.local:32379 \ | ||
--user=root:123 \ | ||
user grant-role test-common-name test-role | ||
|
||
sleep 1s && printf "\n" | ||
echo "Step 18. writing 'aaa' with 'test-common-name:test-pass'" | ||
ETCDCTL_API=3 ./etcdctl \ | ||
--cacert=/certs-common-name/ca.crt \ | ||
--cert=/certs-common-name/server.crt \ | ||
--key=/certs-common-name/server.key.insecure \ | ||
--endpoints=https://m1.etcd.local:2379,https://m2.etcd.local:22379,https://m3.etcd.local:32379 \ | ||
--user=test-common-name:test-pass \ | ||
put aaa bbb | ||
|
||
sleep 1s && printf "\n" | ||
echo "Step 19. writing 'bbb' with 'test-common-name:test-pass'" | ||
ETCDCTL_API=3 ./etcdctl \ | ||
--cacert=/certs-common-name/ca.crt \ | ||
--cert=/certs-common-name/server.crt \ | ||
--key=/certs-common-name/server.key.insecure \ | ||
--endpoints=https://m1.etcd.local:2379,https://m2.etcd.local:22379,https://m3.etcd.local:32379 \ | ||
--user=test-common-name:test-pass \ | ||
put bbb bbb | ||
|
||
sleep 1s && printf "\n" | ||
echo "Step 20. reading 'aaa' with 'test-common-name:test-pass'" | ||
ETCDCTL_API=3 ./etcdctl \ | ||
--cacert=/certs-common-name/ca.crt \ | ||
--cert=/certs-common-name/server.crt \ | ||
--key=/certs-common-name/server.key.insecure \ | ||
--endpoints=https://m1.etcd.local:2379,https://m2.etcd.local:22379,https://m3.etcd.local:32379 \ | ||
--user=test-common-name:test-pass \ | ||
get aaa | ||
|
||
sleep 1s && printf "\n" | ||
echo "Step 21. reading 'bbb' with 'test-common-name:test-pass'" | ||
ETCDCTL_API=3 ./etcdctl \ | ||
--cacert=/certs-common-name/ca.crt \ | ||
--cert=/certs-common-name/server.crt \ | ||
--key=/certs-common-name/server.key.insecure \ | ||
--endpoints=https://m1.etcd.local:2379,https://m2.etcd.local:22379,https://m3.etcd.local:32379 \ | ||
--user=test-common-name:test-pass \ | ||
get bbb | ||
|
||
sleep 1s && printf "\n" | ||
echo "Step 22. writing 'aaa' with CommonName 'test-common-name'" | ||
ETCDCTL_API=3 ./etcdctl \ | ||
--cacert=/certs-common-name/ca.crt \ | ||
--cert=/certs-common-name/server.crt \ | ||
--key=/certs-common-name/server.key.insecure \ | ||
--endpoints=https://m1.etcd.local:2379,https://m2.etcd.local:22379,https://m3.etcd.local:32379 \ | ||
put aaa ccc | ||
|
||
sleep 1s && printf "\n" | ||
echo "Step 23. reading 'aaa' with CommonName 'test-common-name'" | ||
ETCDCTL_API=3 ./etcdctl \ | ||
--cacert=/certs-common-name/ca.crt \ | ||
--cert=/certs-common-name/server.crt \ | ||
--key=/certs-common-name/server.key.insecure \ | ||
--endpoints=https://m1.etcd.local:2379,https://m2.etcd.local:22379,https://m3.etcd.local:32379 \ | ||
get aaa |
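Review bot: Nothing in the script confirms that the cluster actually came up: the `sleep 7s` on line 143 (already marked TODO) is the only synchronization, and under `#!/bin/sh` with no exit-status checks every later `etcdctl` call runs regardless, so a slow start turns the whole walkthrough into a stream of connection errors instead of a clear failure. A bounded poll of `endpoint health --cluster` right after `goreman ... start &` (below, POSIX sh) removes the guess and fails fast with a message. Separately, the step banners never state the expected outcome, which matters most for the authorization steps: Step 10 writes `foo` with no `--user` after auth is enabled and before the `test-common-name` user exists, so it is presumably expected to be rejected, while Steps 22-23 rely on the certificate CN alone; a banner such as `echo "Step 10. writing 'foo' without 'root:123' (expected: rejected)"` would let a reader tell a demonstrated denial from a broken cluster. Note that a blanket `set -e` is not appropriate here for the same reason, since those denials are part of the example.
```shell
goreman -f /certs-common-name/Procfile start &

# wait until the cluster answers instead of guessing with a fixed sleep; give up after 30 tries
tries=0
until ETCDCTL_API=3 ./etcdctl \
  --cacert=/certs-common-name/ca.crt \
  --cert=/certs-common-name/server.crt \
  --key=/certs-common-name/server.key.insecure \
  --endpoints=https://m1.etcd.local:2379 \
  endpoint health --cluster; do
  tries=$((tries + 1))
  if [ "$tries" -ge 30 ]; then
    echo "etcd cluster did not become healthy" >&2
    exit 1
  fi
  sleep 1
done
# … unchanged: put/get smoke test and Steps 1-23 …
```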
@@ -0,0 +1,23 @@ | ||
{ | ||
"key": { | ||
"algo": "rsa", | ||
"size": 2048 | ||
}, | ||
"names": [ | ||
{ | ||
"O": "etcd", | ||
"OU": "etcd Security", | ||
"L": "San Francisco", | ||
"ST": "California", | ||
"C": "USA" | ||
} | ||
], | ||
"CN": "test-common-name", | ||
"hosts": [ | ||
"m1.etcd.local", | ||
"m2.etcd.local", | ||
"m3.etcd.local", | ||
"127.0.0.1", | ||
"localhost" | ||
] | ||
} |
no sleep?
same as many places down below.
Let's keep sleep here. I am trying to put example workflow here with print statements. Otherwise, it's hard to follow.