Initial commit

Author: discordianfish

Diff for: .dockerignore

@@ -0,0 +1 @@
+generated/

Diff for: .gitignore

@@ -0,0 +1 @@
+generated/

Diff for: Dockerfile

@@ -0,0 +1,13 @@
+FROM debian:sid
+
+ENV KUBE_VERSION v1.8.4
+ENV KUBEADM_URL https://storage.googleapis.com/kubernetes-release/release/$KUBE_VERSION/bin/linux/amd64/kubeadm
+
+RUN apt-get -qy update && apt-get -qy install curl make awscli golang-cfssl \
+  && useradd -m user \
+  && curl -Lfo /usr/bin/kubeadm "$KUBEADM_URL" \
+  && chmod a+x  /usr/bin/kubeadm
+
+COPY  . /usr/src
+WORKDIR /usr/src
+ENTRYPOINT [ "make" ]

Diff for: Makefile

@@ -0,0 +1,116 @@
+NAME                 ?= int
+DOMAIN_ROOT          ?= example.com
+DOMAIN_NAME          := $(NAME).$(DOMAIN_ROOT)
+CONTROLLER_SUBDOMAIN := api
+CONTROLLER_FQDN      := $(CONTROLLER_SUBDOMAIN).$(DOMAIN_NAME)
+CONTROLLER_POOL_SIZE := 3
+
+REGION       ?= us-east-1
+ASSET_BUCKET ?= example-asset-bucket
+
+TOP := $(shell pwd)
+TLS_CA_CSR ?= $(TOP)/cfssl/csr/ca-csr.json
+
+BUILD         ?= generated/$(NAME)
+BUILD_TLS     := $(BUILD)/tls
+BUILD_KUBEADM := $(BUILD)/kubeadm
+
+PUBLIC_SUBNET_CIDR_PREFIX  ?= 172.20.15
+PRIVATE_SUBNET_CIDR_PREFIX ?= 172.20.16
+
+PARENT_ZONEID ?= ZABCD
+
+VPCID ?= vpc-1234
+IGW   ?= igw-1234
+
+CLUSTER_STATE ?= existing
+
+define kv_pair
+{ "ParameterKey": "$(1)", "ParameterValue": "$(2)" }
+endef
+
+define cfn_params
+[
+	$(call kv_pair,DomainName,$(DOMAIN_NAME)),
+	$(call kv_pair,ControllerSubdomain,$(CONTROLLER_SUBDOMAIN)),
+	$(call kv_pair,assetBucket,$(ASSET_BUCKET)),
+	$(call kv_pair,PrivateSubnetCidrPrefix,$(PRIVATE_SUBNET_CIDR_PREFIX)),
+	$(call kv_pair,PublicSubnetCidrPrefix,$(PUBLIC_SUBNET_CIDR_PREFIX)),
+	$(call kv_pair,VPCID,$(VPCID)),
+	$(call kv_pair,InternetGateway,$(IGW)),
+	$(call kv_pair,ParentZoneID,$(PARENT_ZONEID)),
+	$(call kv_pair,ClusterState,$(CLUSTER_STATE))
+]
+endef
+export cfn_params
+
+OBJS := $(BUILD_TLS) $(BUILD_TLS)/ca.pem $(BUILD_TLS)/server-key.pem \
+	$(BUILD_TLS)/peer-key.pem $(BUILD_KUBEADM)/ca.crt \
+	$(BUILD_KUBEADM)/front-proxy-ca.crt $(BUILD_KUBEADM)/sa.pub \
+	$(BUILD_KUBEADM)/admin.conf
+
+all: $(OBJS)
+upload: all
+	aws s3 cp --recursive $(BUILD_TLS) s3://$(ASSET_BUCKET)/$(DOMAIN_NAME)/etcd
+	aws s3 cp --recursive $(BUILD_KUBEADM) s3://$(ASSET_BUCKET)/$(DOMAIN_NAME)/kubeadm
+
+require-op:
+ifndef OP
+	$(error OP required)
+endif
+
+params:
+	echo $$cfn_params
+
+create-cluster:
+	OP=create-stack CLUSTER_STATE=new make cloudformation
+
+update-cluster:
+	OP=update-stack make cloudformation
+
+cloudformation: require-op upload
+	aws --region $(REGION) cloudformation $(OP) \
+		--stack-name $(NAME) \
+		--capabilities CAPABILITY_IAM \
+		--parameters "$$cfn_params" \
+		--template-body "$$(cat kubernetes.yaml)" $(OPTS)
+
+$(BUILD):
+	mkdir -p $@
+
+$(BUILD_TLS):
+	mkdir -p $@
+
+$(BUILD_TLS)/ca.pem:
+	cd $(BUILD_TLS); cfssl gencert -initca $(TLS_CA_CSR) | cfssljson -bare ca -
+
+$(BUILD_TLS)/server-key.pem:
+	cd $(BUILD_TLS); \
+		echo '{"CN":"$(CONTROLLER_FQDN)","hosts":["$(DOMAIN_NAME)","*.$(DOMAIN_NAME)","*.ec2.internal","localhost", "kubernetes", "kubernetes.default", "kubernetes.default.svc", "kubernetes.default.svc.cluster.local" ],"key":{"algo":"rsa","size":2048}}' \
+		| cfssl gencert -ca=ca.pem -ca-key=ca-key.pem -config=$(TOP)/cfssl/ca-config.json -profile=server -hostname="$(HOSTNAME_API)" - \
+		| cfssljson -bare server
+
+$(BUILD_TLS)/peer-key.pem:
+	cd $(BUILD_TLS); \
+		echo '{"CN":"$(CONTROLLER_FQDN)","hosts":["$(DOMAIN_NAME)","*.$(DOMAIN_NAME)","*.ec2.internal","localhost"],"key":{"algo":"rsa","size":2048}}' \
+		| cfssl gencert -ca=ca.pem -ca-key=ca-key.pem -config=$(TOP)/cfssl/ca-config.json -profile=peer -hostname="$(HOSTNAME_API)" - \
+		| cfssljson -bare peer
+
+$(BUILD_KUBEADM)/ca.crt:
+	kubeadm alpha phase certs ca --cert-dir $(TOP)/$(dir $@)
+
+$(BUILD_KUBEADM)/front-proxy-ca.crt:
+	kubeadm alpha phase certs front-proxy-ca --cert-dir $(TOP)/$(dir $@)
+
+$(BUILD_KUBEADM)/sa.pub:
+	kubeadm alpha phase certs sa --cert-dir $(TOP)/$(dir $@)
+
+$(BUILD_KUBEADM)/admin.conf: $(BUILD_KUBEADM)/ca.crt
+	kubeadm alpha phase kubeconfig admin \
+		--apiserver-advertise-address $(CONTROLLER_FQDN) \
+		--cert-dir $(TOP)/$(dir $@)
+	# FIXME: Somehow --apiserver-advertise-address isn't working so we need to
+	# patch file manually.
+	sed 's|\(server: https://\)[^:]*\(.*\)|\1$(CONTROLLER_FQDN)\2|' \
+		/etc/kubernetes/admin.conf \
+		| install -m600 /dev/stdin $(dir $@)/admin.conf

Diff for: README.md

@@ -0,0 +1,81 @@
+# kubecfn
+*Cloudformation based installer for secure multi-node kubeadm cluster.*
+
+# Operations
+You can either edit the Makefile or use environment variable to override
+specific settings.
+
+- After deploying the cluster, you need to install kube2iam. Set your AWS
+  account ID in [manifests/kube2iam.yaml](manifests/kube2iam.yaml) and apply the
+  manifest.
+
+## Known issues / README FIRST / FIXME
+- Run all kubeadm generation steps in the Docker container (if in doubt, run
+  all). This is required since `kubeadm alpha phase kubeconfig` has hardcoded
+  file locations.
+
+- When deleting the stack, it will fail to delete the hosted zone because we
+  created DNS records from the lambda. In this case delete the records manually
+  and retry deletion.
+
+- Same is true for cloud-provider-integration managed resources like ELBs. These
+  should be deleted in kubernetes first. If that's not possible, the resources
+  need to be deleted manually so cloudformation deletion can finish.
+
+- On rolling upgrades etcd-members are suppose to remove themself from the
+  cluster. This isn't working reliably yet. If this happens, the new replacement
+  node can't join the cluster. This will block the rollout. In this case make
+  sure the old node is actually terminated and remove it from the cluster with
+  `/etc/etcdctl-wrapper member remove`.
+
+- Rolling upgrades for workers is disabled right now. When updating, kill the
+  old instances manually.
+
+- Sometimes kubeadm fails, probably when it comes up before etcd reached quorum
+  and fails. Just restart it. FIXME
+
+- Sometimes ignition fails to get assets from s3 and reboots as a slow form or
+  'retry': https://github.com/coreos/bugs/issues/2280
+
+## Create cluster
+- `docker build -t cfn-make .`
+- `docker run -e AWS_ACCESS_KEY_ID=xx -e AWS_SECRET_ACCESS_KEY=yy cfn-make \
+    create-cluster`
+- Wait for the cluster to come up and update it again. This will flip the
+  *initial-cluster-state* flag in etcd, making sure that further updates can be
+  rolled back and forward reliably:
+- `docker run -e AWS_ACCESS_KEY_ID=xx -e AWS_SECRET_ACCESS_KEY=yy cfn-make \
+    update-cluster`
+- Install networking plugin:
+- `kubectl apply -f manifests/kube-flanne.yaml`
+
+## "Dry run"
+Cloudformation supports [Change
+Sets](http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/using-cfn-updating-stacks-changesets-create.html)
+which can be used to get the changes CloudFormation will do without actually
+updating the stack.
+
+Create ChangeSet:
+```
+docker run -e AWS_ACCESS_KEY_ID=.. -e AWS_SECRET_ACCESS_KEY=.. -v $PWD:/usr/src/ \
+  cfn-make cloudformation OP=create-change-set OPTS=--change-set-name=test2
+```
+
+To view the change set run:
+```
+aws --region us-east-1 cloudformation describe-change-set \
+   --stack-name int2 --change-set-name test2
+```
+
+## Create custom cluster
+To create a second cluster, you need to override the name of the cloudformation
+stack. This can be done with the NAME environment variable.
+Since the stack uses a existing VPC but brings it's own subnets, the network
+ranges need to be adjusted too:
+
+```
+docker run -e AWS_ACCESS_KEY_ID=.. -e AWS_SECRET_ACCESS_KEY=.. -v $PWD:/usr/src/ \
+  cfn-make create-cluster NAME=int3 \
+    PUBLIC_SUBNET_CIDR_PREFIX=172.20.15 \
+    PRIVATE_SUBNET_CIDR_PREFIX=172.20.16
+```

Diff for: cfssl/ca-config.json

@@ -0,0 +1,34 @@
+{
+    "signing": {
+        "default": {
+            "expiry": "43800h"
+        },
+        "profiles": {
+            "server": {
+                "expiry": "43800h",
+                "usages": [
+                    "signing",
+                    "key encipherment",
+                    "server auth"
+                ]
+            },
+            "client": {
+                "expiry": "43800h",
+                "usages": [
+                    "signing",
+                    "key encipherment",
+                    "client auth"
+                ]
+            },
+            "peer": {
+                "expiry": "43800h",
+                "usages": [
+                    "signing",
+                    "key encipherment",
+                    "server auth",
+                    "client auth"
+                ]
+            }
+        }
+    }
+}

Diff for: cfssl/csr/ca-csr.json

@@ -0,0 +1,17 @@
+{
+    "CN": "kubernetes CA",
+    "key": {
+        "algo": "rsa",
+        "size": 2048
+    },
+    "names": [
+        {
+            "C": "US",
+            "L": "NYC",
+            "O": "Foo",
+            "ST": "Bar",
+            "OU": "Baz",
+            "OU": "Infrastructure"
+        }
+    ]
+}