-
Notifications
You must be signed in to change notification settings - Fork 248
Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
Signed-off-by: Vitor Savian <[email protected]>
- Loading branch information
1 parent
4929f3e
commit 01a893e
Showing
5 changed files
with
80 additions
and
105 deletions.
There are no files selected for viewing
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,13 @@ | ||
| FROM mysql:latest | ||
|
|
||
| COPY server.crt /etc/mysql/conf.d/server-cert.pem | ||
| COPY server.key /etc/mysql/conf.d/server-key.pem | ||
| COPY ca.crt /etc/mysql/conf.d/server-ca.pem | ||
| COPY mysql-ssl.cnf /etc/mysql/conf.d/my.cnf | ||
|
|
||
| ENV MYSQL_DATABASE=kine | ||
|
|
||
| # Here we will need to change the permission for the ssl certs | ||
| RUN chown mysql /etc/mysql/conf.d/server-cert.pem /etc/mysql/conf.d/server-key.pem /etc/mysql/conf.d/server-ca.pem | ||
|
|
||
| EXPOSE 3306 |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -1,12 +1,17 @@ | ||
| #!/bin/sh | ||
|
|
||
| # Generate self signed root CA cert | ||
| openssl req -nodes -x509 -newkey rsa:2048 -keyout ca.key -out ca.crt -subj "/C=AU/ST=VIC/L=Melbourne/O=Ranch/OU=root/CN=root/[email protected]" | ||
| openssl req -new -x509 -days 3650 -config server_openssl.cnf -keyout ca.key -out ca.crt | ||
|
|
||
| # Create a private key for the server | ||
| openssl genrsa -out server.key 2048 | ||
|
|
||
| # Generate server cert to be signed | ||
| openssl req -nodes -newkey rsa:2048 -keyout server.key -out server.csr -subj "/C=AU/ST=VIC/L=Melbourne/O=Ranch/OU=root/CN=localhost/[email protected]" | ||
| # Generate server CSR with SAN | ||
| openssl req -new -key server.key -out server.csr -config server_openssl.cnf | ||
|
|
||
| # Sign the server cert | ||
| openssl x509 -req -in server.csr -CA ca.crt -CAkey ca.key -CAcreateserial -out server.crt | ||
| # Sign the server CSR with CA | ||
| openssl x509 -req -in server.csr -CA ca.crt -CAkey ca.key -CAcreateserial -out server.crt -days 365 -extfile server_openssl.cnf -extensions v3_req | ||
|
|
||
| # Verify if it's a SAN cert | ||
| # if it's a SAN cert, it should print the SANs | ||
| openssl x509 -in server.crt -text -noout | grep -A1 "Subject Alternative Name" |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -1,115 +1,42 @@ | ||
| ## Minimal example of using kine | ||
| The following example uses kine with a mysql database for persistence. | ||
| # Minimal example of using kine | ||
|
|
||
| The following example uses kine with a `mysql` database for persistence. | ||
|
|
||
| A sample script is available to generate certs [here](generate-certs.sh) | ||
| But you also will need to use `SAN` instead of `CN` | ||
| We have a example of the files you will need to generate the certs for the [server](server_openssl.cnf) | ||
|
|
||
| We can run mysql on a host: | ||
| We can run `mysql` on a host using `docker` [here](Dockerfile) | ||
| you will also need the `cnf` file [here](mysql-ssl.cnf) | ||
|
|
||
| ```bash | ||
| docker build -t mysql-kine . | ||
| ``` | ||
| docker run --name kine-mysql -v $PWD:/etc/mysql/conf.d -p 3306:3306 -e MYSQL_DATABASE=kine -e MYSQL_ROOT_PASSWORD=$PASSWORD -d mysql:latest | ||
| ``` | ||
|
|
||
| This will start mysql db with ssl enabled for client connections. | ||
|
|
||
| A sample script is available to generate certs [here](generate-certs.sh) | ||
|
|
||
| Run kine on the same host as mysql database: | ||
| ``` | ||
| kine --endpoint "mysql://root:$PASSWORD@tcp(localhost:3306)/kine" --ca-file ca.crt --cert-file server.crt --key-file server.key | ||
| ```bash | ||
| docker run --name kine-mysql -p 3306:3306 -e MYSQL_ROOT_PASSWORD=$PASSWORD -d mysql-kine | ||
| ``` | ||
|
|
||
| This will expose the mysql db as an etcd endpoint. | ||
| this will start `mysql` db with everything you will need. | ||
|
|
||
| ### Using with RKE | ||
| Use the following RKE cluster.yml sample to boot up the cluster. | ||
| ## Running kine standalone | ||
|
|
||
| RKE supports using an external etcd endpoint. | ||
| Run kine on the same host as `mysql` database: | ||
|
|
||
| ```bash | ||
| kine --endpoint "mysql://root:$PASSWORD@tcp(localhost:3306)/kine" | ||
| --ca-file ca.crt --cert-file server.crt --key-file server.key | ||
| ``` | ||
| nodes: | ||
| - address: 1.1.1.1 | ||
| user: ubuntu | ||
| role: | ||
| - controlplane | ||
| - worker | ||
| - address: 2.2.2.2 | ||
| user: ubuntu | ||
| role: | ||
| - controlplane | ||
| - worker | ||
| cluster_name: "kine-demo" | ||
| network: | ||
| plugin: canal | ||
| ignore_docker_version: true | ||
| services: | ||
| etcd: | ||
| path: / | ||
| external_urls: | ||
| - http://kine:2379 | ||
| ca_cert: |- | ||
| -----BEGIN CERTIFICATE----- | ||
| -----END CERTIFICATE----- | ||
| cert: |- | ||
| -----BEGIN CERTIFICATE----- | ||
| Cert | ||
| -----END CERTIFICATE----- | ||
| key: |- | ||
| -----BEGIN RSA PRIVATE KEY----- | ||
|
|
||
| -----END RSA PRIVATE KEY----- | ||
| ``` | ||
| This will expose the `mysql` db as an `etcd` endpoint. | ||
|
|
||
| ## Using with kubeadm | ||
| ## Using with k3s | ||
|
|
||
| You can use the following sample kubeadm-master.cfg to launch a cluster with kine. | ||
| You can use the following command to launch a `k3s` server with kine. | ||
|
|
||
| ```bash | ||
| k3s server --datastore-endpoint "mysql://root:$PASSWORD@tcp(localhost:3306)/kine" | ||
| --datastore-cafile ca.crt --datastore-certfile server.crt --datastore-keyfile server.key | ||
| ``` | ||
| apiVersion: kubeadm.k8s.io/v1beta2 | ||
| bootstrapTokens: | ||
| - groups: | ||
| - system:bootstrappers:kubeadm:default-node-token | ||
| token: abcdef.0123456789abcdef | ||
| ttl: 24h0m0s | ||
| usages: | ||
| - signing | ||
| - authentication | ||
| kind: InitConfiguration | ||
| localAPIEndpoint: | ||
| advertiseAddress: 0.0.0.0 | ||
| bindPort: 6443 | ||
| nodeRegistration: | ||
| criSocket: /var/run/dockershim.sock | ||
| name: kubeadm | ||
| taints: | ||
| - effect: NoSchedule | ||
| key: node-role.kubernetes.io/master | ||
| --- | ||
| apiServer: | ||
| timeoutForControlPlane: 4m0s | ||
| apiVersion: kubeadm.k8s.io/v1beta2 | ||
| certificatesDir: /etc/kubernetes/pki | ||
| clusterName: kubernetes | ||
| controllerManager: {} | ||
| dns: | ||
| type: CoreDNS | ||
| imageRepository: registry.k8s.io | ||
| kind: ClusterConfiguration | ||
| kubernetesVersion: v1.17.0 | ||
| networking: | ||
| dnsDomain: cluster.local | ||
| serviceSubnet: 10.96.0.0/12 | ||
| scheduler: {} | ||
| controlPlaneEndpoint: "0.0.0.0:6443" | ||
| etcd: | ||
| external: | ||
| endpoints: | ||
| - http://kine:2379 | ||
| caFile: ./ca.crt | ||
| certFile: ./server.crt | ||
| keyFile: ./server.key | ||
| ``` | ||
|
|
||
| The cluster can then be launched as | ||
|
|
||
| `kubeadm init --config kubeadm-master.cfg --ignore-preflight-errors ExternalEtcdVersion` | ||
| And that's it! You can now use `k3s` with `mysql` as a db. |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -1,5 +1,5 @@ | ||
| [mysqld] | ||
| ssl-ca=/etc/mysql/conf.d/ca.crt | ||
| ssl-cert=/etc/mysql/conf.d/server.crt | ||
| ssl-key=/etc/mysql/conf.d/server.key | ||
| ssl-ca=/etc/mysql/conf.d/server-ca.pem | ||
| ssl-cert=/etc/mysql/conf.d/server-cert.pem | ||
| ssl-key=/etc/mysql/conf.d/server-key.pem | ||
| require_secure_transport=ON |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,30 @@ | ||
| [ req ] | ||
| default_bits = 2048 | ||
| prompt = no | ||
| default_md = sha256 | ||
| distinguished_name = req_distinguished_name | ||
| req_extensions = req_ext | ||
| x509_extensions = v3_ca | ||
|
|
||
| [ req_distinguished_name ] | ||
| C = AU | ||
| ST = VIC | ||
| L = Melbourne | ||
| O = Ranch | ||
| OU = CA | ||
| CN = My CA | ||
|
|
||
| [ req_ext ] | ||
| subjectAltName = @alt_names | ||
|
|
||
| [ v3_ca ] | ||
| subjectAltName = @alt_names | ||
| basicConstraints = critical,CA:TRUE | ||
| keyUsage = critical,digitalSignature,keyCertSign | ||
|
|
||
| [ v3_req ] | ||
| subjectAltName = @alt_names | ||
|
|
||
| [ alt_names ] | ||
| DNS.1 = localhost | ||
| DNS.2 = example.com |