aboutsummaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
authorPawel Wieczorek <p.wieczorek2@samsung.com>2019-11-29 15:15:51 +0100
committerMorgan Richomme <morgan.richomme@orange.com>2019-12-18 07:29:23 +0000
commit216bd6a4870c680555d586f0010a633d5fa15700 (patch)
treec5372dd04226259bd4049a29ecb7d6a24dd8788c
parent83040dff44e13c08a73a78c98ae64d7812fc3b6e (diff)
Import Vagrant environment from test/security/k8s
Infrastructure mockup has been previously set up for CIS guidelines checking. Empty Kubernetes cluster was sufficient for that purpose. It will be adjusted to satisfy minimal ONAP requirements and should eventually supersede previous testing environment. Issue-ID: ONAPARC-537 Change-Id: Iada29d86642b8a5513e9d1bbd895db2094ad12b9 Signed-off-by: Pawel Wieczorek <p.wieczorek2@samsung.com>
-rw-r--r--bootstrap/vagrant-minimal-onap/Vagrantfile174
-rw-r--r--bootstrap/vagrant-minimal-onap/config/cluster.yml49
-rw-r--r--bootstrap/vagrant-minimal-onap/tools/config/95silent-approval2
-rw-r--r--bootstrap/vagrant-minimal-onap/tools/config/dot_curlrc8
-rw-r--r--bootstrap/vagrant-minimal-onap/tools/config/dot_wgetrc2
-rwxr-xr-xbootstrap/vagrant-minimal-onap/tools/get_customization_scripts.sh5
-rwxr-xr-xbootstrap/vagrant-minimal-onap/tools/get_kubectl.sh41
-rwxr-xr-xbootstrap/vagrant-minimal-onap/tools/get_rke.sh39
-rw-r--r--bootstrap/vagrant-minimal-onap/tools/imported/openstack-k8s-controlnode.sh31
-rw-r--r--bootstrap/vagrant-minimal-onap/tools/imported/openstack-k8s-workernode.sh34
-rwxr-xr-xbootstrap/vagrant-minimal-onap/tools/setup_kubectl.sh52
11 files changed, 437 insertions, 0 deletions
diff --git a/bootstrap/vagrant-minimal-onap/Vagrantfile b/bootstrap/vagrant-minimal-onap/Vagrantfile
new file mode 100644
index 000000000..1ccc3ef9f
--- /dev/null
+++ b/bootstrap/vagrant-minimal-onap/Vagrantfile
@@ -0,0 +1,174 @@
+# -*- mode: ruby -*-
+# -*- coding: utf-8 -*-
+
+host_ip = "192.168.121.1"
+operator_key = "${HOME}/.ssh/onap-key"
+vagrant_user = "vagrant"
+vagrant_password = "vagrant"
+synced_folder_main = "/vagrant"
+synced_folder_config = "#{synced_folder_main}/config"
+cluster_yml = "cluster.yml"
+apt_prefs_dir = "/etc/apt/apt.conf.d"
+apt_prefs = "95silent-approval"
+
+vm_memory = 2 * 1024
+vm_cpus = 1
+vm_box = "generic/ubuntu1804"
+
+operation = { name: 'operator', hostname: 'operator', ip: '172.17.4.254' }
+cluster = [
+ { name: 'control', hostname: 'control', ip: '172.17.4.100' },
+ { name: 'worker', hostname: 'worker', ip: '172.17.4.101' }
+]
+
+all = cluster.dup << operation
+
+operation_post_msg = "Run: \"vagrant provision #{operation[:name]} --provision-with=rke_up,setup_kubectl\" to complete cluster creation"
+
+$replace_dns = <<-SCRIPT
+ HOST_IP="$1"
+ rm -f /etc/resolv.conf # drop its dynamic management by systemd-resolved
+ echo nameserver "$HOST_IP" | tee /etc/resolv.conf
+SCRIPT
+
+$add_to_docker_group = <<-SCRIPT
+ USER="$1"
+ echo "Adding ${USER} to 'docker' group"
+ usermod -aG docker "$USER"
+SCRIPT
+
+$setup_debconf = <<-SCRIPT
+ echo "Setting debconf frontend to noninteractive"
+ sed -i'.orig' '/^Config:/a Frontend: noninteractive' /etc/debconf.conf
+SCRIPT
+
+$install_sshpass = <<-SCRIPT
+ apt-get update
+ echo "Installing 'sshpass'"
+ apt-get install sshpass
+SCRIPT
+
+$generate_key = <<-SCRIPT
+ KEY_FILE="$1"
+ echo "Generating SSH key (${KEY_FILE})"
+ ssh-keygen -q -b 4096 -t rsa -f "$KEY_FILE" -N ""
+SCRIPT
+
+$deploy_key = <<-SCRIPT
+ KEY="$1"
+ USER="$2"
+ PASS="$PASSWORD"
+ IPS="$3"
+ echo "Deploying ${KEY} for ${USER}"
+ for ip in $IPS; do
+ echo "on ${ip}"
+ sshpass -p "$PASS" ssh-copy-id -o StrictHostKeyChecking=no -i "$KEY" "${USER}@${ip}"
+ done
+SCRIPT
+
+$link_dotfiles = <<-SCRIPT
+ SYNC_DIR="$1"
+ for rc in ${SYNC_DIR}/dot_*; do
+ src="$rc"
+ dst="${HOME}/.${rc##*dot_}"
+ echo "Symlinking ${src} to ${dst}"
+ ln -sf "$src" "$dst"
+ done
+SCRIPT
+
+$link_file = <<-SCRIPT
+ SYNC_DIR="$1"
+ FILE="$2"
+ src="${SYNC_DIR}/${FILE}"
+ dst="$3"
+ echo "Symlinking ${src} to ${dst}"
+ ln -sf "$src" "$dst"
+SCRIPT
+
+$rke_up = "rke up"
+$rke_down = "rke remove --force"
+
+Vagrant.configure('2') do |config|
+ all.each do |machine|
+ config.vm.define machine[:name] do |config|
+ config.vm.box = vm_box
+ config.vm.hostname = machine[:hostname]
+
+ config.vm.provider :virtualbox do |v|
+ v.name = machine[:name]
+ v.memory = vm_memory
+ v.cpus = vm_cpus
+ end
+
+ config.vm.provider :libvirt do |v|
+ v.memory = vm_memory
+ v.cpus = vm_cpus
+ end
+
+ config.vm.network :private_network, ip: machine[:ip]
+ config.vm.provision "replace_dns", type: :shell, run: "always", inline: $replace_dns, args: host_ip
+
+ if machine[:name] == 'control'
+ config.vm.provision "customize_control", type: :shell, path: "../../tools/dublin/imported/openstack-k8s-controlnode.sh"
+ config.vm.provision "fix_groups_control", type: :shell, inline: $add_to_docker_group, args: vagrant_user
+ end
+
+ if machine[:name] == 'worker'
+ config.vm.provision "customize_worker", type: :shell, path: "../../tools/dublin/imported/openstack-k8s-workernode.sh"
+ config.vm.provision "fix_group_worker", type: :shell, inline: $add_to_docker_group, args: vagrant_user
+ end
+
+ if machine[:name] == 'operator'
+ config.vm.synced_folder ".", synced_folder_main, type: "rsync", rsync__exclude: "Vagrantfile"
+ config.vm.synced_folder "../../tools/config", synced_folder_config, type: "rsync"
+
+ config.vm.provision "setup_debconf", type: :shell, inline: $setup_debconf
+ config.vm.provision "link_apt_prefs", type: :shell, run: "always" do |s|
+ s.inline = $link_file
+ s.args = [synced_folder_config, apt_prefs, apt_prefs_dir]
+ end
+ config.vm.provision "link_dotfiles_root", type: :shell, run: "always" do |s|
+ s.inline = $link_dotfiles
+ s.args = synced_folder_config
+ end
+ config.vm.provision "link_dotfiles_user", type: :shell, run: "always" do |s|
+ s.privileged = false
+ s.inline = $link_dotfiles
+ s.args = synced_folder_config
+ end
+
+ config.vm.provision "install_sshpass", type: :shell, inline: $install_sshpass
+ config.vm.provision "generate_key", type: :shell, privileged: false, inline: $generate_key, args: operator_key
+
+ ips = ""
+ cluster.each { |node| ips << node[:ip] << " " }
+ config.vm.provision "deploy_key", type: :shell do |s|
+ s.privileged = false
+ s.inline = $deploy_key
+ s.args = [operator_key, vagrant_user, ips]
+ s.env = {'PASSWORD': vagrant_password}
+ end
+
+ config.vm.provision "get_rke", type: :shell, path: "../../tools/dublin/get_rke.sh"
+ config.vm.provision "link_cluster_yml", type: :shell, run: "always" do |s|
+ s.privileged = false
+ s.inline = $link_file
+ s.args = [synced_folder_main, cluster_yml, "$HOME"]
+ end
+
+ config.vm.post_up_message = operation_post_msg
+ config.vm.provision "rke_up", type: :shell, run: "never", privileged: false, inline: $rke_up
+ config.trigger.before :destroy do |trigger|
+ trigger.warn = "Removing cluster"
+ trigger.run_remote = {privileged: false, inline: $rke_down}
+ end
+
+ config.vm.provision "get_kubectl", type: :shell, path: "../../tools/dublin/get_kubectl.sh"
+ config.vm.provision "setup_kubectl", type: :shell, run: "never" do |s|
+ s.privileged = false
+ s.path = "../../tools/dublin/setup_kubectl.sh"
+ end
+ end
+ end
+ end
+end
diff --git a/bootstrap/vagrant-minimal-onap/config/cluster.yml b/bootstrap/vagrant-minimal-onap/config/cluster.yml
new file mode 100644
index 000000000..df93a8863
--- /dev/null
+++ b/bootstrap/vagrant-minimal-onap/config/cluster.yml
@@ -0,0 +1,49 @@
+# An example of a Kubernetes cluster for ONAP
+ssh_key_path: &ssh_key_path "~/.ssh/onap-key"
+nodes:
+- address: 172.17.4.100
+ port: "22"
+ role:
+ - controlplane
+ - etcd
+ hostname_override: "onap-control-1"
+ user: vagrant
+ ssh_key_path: *ssh_key_path
+- address: 172.17.4.101
+ port: "22"
+ role:
+ - worker
+ hostname_override: "onap-k8s-1"
+ user: vagrant
+ ssh_key_path: *ssh_key_path
+services:
+ kube-api:
+ service_cluster_ip_range: 10.43.0.0/16
+ pod_security_policy: false
+ always_pull_images: false
+ kube-controller:
+ cluster_cidr: 10.42.0.0/16
+ service_cluster_ip_range: 10.43.0.0/16
+ kubelet:
+ cluster_domain: cluster.local
+ cluster_dns_server: 10.43.0.10
+ fail_swap_on: false
+network:
+ plugin: canal
+authentication:
+ strategy: x509
+ssh_key_path: *ssh_key_path
+ssh_agent_auth: false
+authorization:
+ mode: rbac
+ignore_docker_version: false
+kubernetes_version: "v1.13.5-rancher1-2"
+private_registries:
+- url: nexus3.onap.org:10001
+ user: docker
+ password: docker
+ is_default: true
+cluster_name: "onap"
+restore:
+ restore: false
+ snapshot_name: ""
diff --git a/bootstrap/vagrant-minimal-onap/tools/config/95silent-approval b/bootstrap/vagrant-minimal-onap/tools/config/95silent-approval
new file mode 100644
index 000000000..dadbfbd86
--- /dev/null
+++ b/bootstrap/vagrant-minimal-onap/tools/config/95silent-approval
@@ -0,0 +1,2 @@
+Quiet "1";
+APT::Get::Assume-Yes "true";
diff --git a/bootstrap/vagrant-minimal-onap/tools/config/dot_curlrc b/bootstrap/vagrant-minimal-onap/tools/config/dot_curlrc
new file mode 100644
index 000000000..ecf9792f5
--- /dev/null
+++ b/bootstrap/vagrant-minimal-onap/tools/config/dot_curlrc
@@ -0,0 +1,8 @@
+# Disable progress meter
+--silent
+# Show error messages
+--show-error
+# Fail silently on server errors
+--fail
+# Follow redirections
+--location
diff --git a/bootstrap/vagrant-minimal-onap/tools/config/dot_wgetrc b/bootstrap/vagrant-minimal-onap/tools/config/dot_wgetrc
new file mode 100644
index 000000000..ac472b77a
--- /dev/null
+++ b/bootstrap/vagrant-minimal-onap/tools/config/dot_wgetrc
@@ -0,0 +1,2 @@
+# Turn off output
+quiet = on
diff --git a/bootstrap/vagrant-minimal-onap/tools/get_customization_scripts.sh b/bootstrap/vagrant-minimal-onap/tools/get_customization_scripts.sh
new file mode 100755
index 000000000..a99b10288
--- /dev/null
+++ b/bootstrap/vagrant-minimal-onap/tools/get_customization_scripts.sh
@@ -0,0 +1,5 @@
+#!/usr/bin/env bash
+
+wget \
+ 'https://docs.onap.org/en/dublin/_downloads/4d5001735f875448b25f11e270d5bc5a/openstack-k8s-controlnode.sh' \
+ 'https://docs.onap.org/en/dublin/_downloads/53998444dcd1b6a8b7396f7f2d35d21e/openstack-k8s-workernode.sh'
diff --git a/bootstrap/vagrant-minimal-onap/tools/get_kubectl.sh b/bootstrap/vagrant-minimal-onap/tools/get_kubectl.sh
new file mode 100755
index 000000000..752c286c2
--- /dev/null
+++ b/bootstrap/vagrant-minimal-onap/tools/get_kubectl.sh
@@ -0,0 +1,41 @@
+#!/usr/bin/env bash
+
+#
+# @file test/security/k8s/tools/dublin/get_kubectl.sh
+# @author Pawel Wieczorek <p.wieczorek2@samsung.com>
+# @brief Utility for obtaining kubectl tool
+#
+
+# Dependencies:
+# wget
+# coreutils
+#
+# Privileges:
+# Script expects to be run with administrative privileges for accessing /usr/local/bin
+#
+# Usage:
+# # ./get_kubectl.sh [VERSION [ARCH [SYSTEM]]]
+#
+
+# Constants
+BINARY='kubectl'
+INSTALL_DIR='/usr/local/bin/'
+
+DEFAULT_VERSION='v1.13.5'
+DEFAULT_ARCH='amd64'
+DEFAULT_SYSTEM='linux'
+
+# Variables
+VERSION="${1:-$DEFAULT_VERSION}"
+ARCH="${2:-$DEFAULT_ARCH}"
+SYSTEM="${3:-$DEFAULT_SYSTEM}"
+
+URL="https://storage.googleapis.com/kubernetes-release/release/${VERSION}/bin/${SYSTEM}/${ARCH}/${BINARY}"
+
+
+# Prerequistes
+wget "$URL"
+chmod +x "$BINARY"
+
+# Installation
+mv "$BINARY" "$INSTALL_DIR"
diff --git a/bootstrap/vagrant-minimal-onap/tools/get_rke.sh b/bootstrap/vagrant-minimal-onap/tools/get_rke.sh
new file mode 100755
index 000000000..01dd20a96
--- /dev/null
+++ b/bootstrap/vagrant-minimal-onap/tools/get_rke.sh
@@ -0,0 +1,39 @@
+#!/usr/bin/env bash
+
+#
+# @file test/security/k8s/tools/dublin/get_rke.sh
+# @author Pawel Wieczorek <p.wieczorek2@samsung.com>
+# @brief Utility for obtaining RKE tool
+#
+
+# Dependencies:
+# wget
+# coreutils
+#
+# Privileges:
+# Script expects to be run with administrative privileges for accessing /usr/local/bin
+#
+# Usage:
+# # ./get_rke.sh [VERSION [ARCH [SYSTEM]]]
+#
+
+# Constants
+DEFAULT_VERSION='v0.2.1'
+DEFAULT_ARCH='amd64'
+DEFAULT_SYSTEM='linux'
+
+# Variables
+VERSION="${1:-$DEFAULT_VERSION}"
+ARCH="${2:-$DEFAULT_ARCH}"
+SYSTEM="${3:-$DEFAULT_SYSTEM}"
+
+BINARY="rke_${SYSTEM}-${ARCH}"
+URL="https://github.com/rancher/rke/releases/download/${VERSION}/${BINARY}"
+
+
+# Prerequistes
+wget "$URL"
+chmod +x "$BINARY"
+
+# Installation
+mv "$BINARY" "/usr/local/bin/${BINARY%%_*}" # this also renames binary to "rke"
diff --git a/bootstrap/vagrant-minimal-onap/tools/imported/openstack-k8s-controlnode.sh b/bootstrap/vagrant-minimal-onap/tools/imported/openstack-k8s-controlnode.sh
new file mode 100644
index 000000000..1d230c2da
--- /dev/null
+++ b/bootstrap/vagrant-minimal-onap/tools/imported/openstack-k8s-controlnode.sh
@@ -0,0 +1,31 @@
+#!/bin/bash
+
+DOCKER_VERSION=18.09.5
+
+apt-get update
+
+curl https://releases.rancher.com/install-docker/$DOCKER_VERSION.sh | sh
+mkdir -p /etc/systemd/system/docker.service.d/
+cat > /etc/systemd/system/docker.service.d/docker.conf << EOF
+[Service]
+ExecStart=
+ExecStart=/usr/bin/dockerd -H fd:// --insecure-registry=nexus3.onap.org:10001
+EOF
+
+sudo usermod -aG docker ubuntu
+
+systemctl daemon-reload
+systemctl restart docker
+apt-mark hold docker-ce
+
+IP_ADDR=`ip address |grep ens|grep inet|awk '{print $2}'| awk -F / '{print $1}'`
+HOSTNAME=`hostname`
+
+echo "$IP_ADDR $HOSTNAME" >> /etc/hosts
+
+docker login -u docker -p docker nexus3.onap.org:10001
+
+sudo apt-get install make -y
+
+
+exit 0
diff --git a/bootstrap/vagrant-minimal-onap/tools/imported/openstack-k8s-workernode.sh b/bootstrap/vagrant-minimal-onap/tools/imported/openstack-k8s-workernode.sh
new file mode 100644
index 000000000..3f32d050a
--- /dev/null
+++ b/bootstrap/vagrant-minimal-onap/tools/imported/openstack-k8s-workernode.sh
@@ -0,0 +1,34 @@
+#!/bin/bash
+
+DOCKER_VERSION=18.09.5
+
+apt-get update
+
+curl https://releases.rancher.com/install-docker/$DOCKER_VERSION.sh | sh
+mkdir -p /etc/systemd/system/docker.service.d/
+cat > /etc/systemd/system/docker.service.d/docker.conf << EOF
+[Service]
+ExecStart=
+ExecStart=/usr/bin/dockerd -H fd:// --insecure-registry=nexus3.onap.org:10001
+EOF
+
+sudo usermod -aG docker ubuntu
+
+systemctl daemon-reload
+systemctl restart docker
+apt-mark hold docker-ce
+
+IP_ADDR=`ip address |grep ens|grep inet|awk '{print $2}'| awk -F / '{print $1}'`
+HOSTNAME=`hostname`
+
+echo "$IP_ADDR $HOSTNAME" >> /etc/hosts
+
+docker login -u docker -p docker nexus3.onap.org:10001
+
+sudo apt-get install make -y
+
+# install nfs
+sudo apt-get install nfs-common -y
+
+
+exit 0
diff --git a/bootstrap/vagrant-minimal-onap/tools/setup_kubectl.sh b/bootstrap/vagrant-minimal-onap/tools/setup_kubectl.sh
new file mode 100755
index 000000000..bbd31a930
--- /dev/null
+++ b/bootstrap/vagrant-minimal-onap/tools/setup_kubectl.sh
@@ -0,0 +1,52 @@
+#!/usr/bin/env bash
+
+#
+# @file test/security/k8s/tools/dublin/setup_kubectl.sh
+# @author Pawel Wieczorek <p.wieczorek2@samsung.com>
+# @brief Utility for setting up kubectl tool for Dublin cluster
+#
+
+# Dependencies:
+# coreutils
+#
+# Privileges:
+# Script expects to be run with administrative privileges for accessing /usr/local/bin
+#
+# Usage:
+# # ./setup_kubectl.sh [RKE_CONFIG [KUBE_DIR [KUBE_CONFIG [KUBE_CONTEXT]]]]
+#
+
+# Constants
+BASHRC='.bashrc'
+BASH_ALIASES='.bash_aliases'
+USE_ONAP_ALIAS='useonap'
+
+DEFAULT_RKE_CONFIG='kube_config_cluster.yml'
+DEFAULT_KUBE_DIR='.kube'
+DEFAULT_KUBE_CONFIG='config.onap'
+DEFAULT_KUBE_CONTEXT='onap'
+
+# Variables
+RKE_CONFIG="${1:-$DEFAULT_RKE_CONFIG}"
+KUBE_DIR="${2:-${HOME}/${DEFAULT_KUBE_DIR}}"
+KUBE_CONFIG="${3:-$DEFAULT_KUBE_CONFIG}"
+KUBE_CONTEXT="${4:-$DEFAULT_KUBE_CONTEXT}"
+
+USE_ONAP="f() { export KUBECONFIG=${KUBE_DIR}/${KUBE_CONFIG}; kubectl config use-context ${KUBE_CONTEXT}; }; f"
+USE_ONAP_CONFIG="$(cat<<CONFIG
+
+# Use ONAP context for kubectl utility (defined in ${HOME}/${BASH_ALIASES})
+${USE_ONAP_ALIAS}
+CONFIG
+)"
+
+
+# Prerequistes
+mkdir -p "$KUBE_DIR"
+echo "alias ${USE_ONAP_ALIAS}='${USE_ONAP}'" >> "${HOME}/${BASH_ALIASES}"
+
+# Setup
+cp "$RKE_CONFIG" "${KUBE_DIR}/${KUBE_CONFIG}"
+
+# Post-setup
+echo "$USE_ONAP_CONFIG" >> "${HOME}/${BASHRC}"