diff --git a/dockerfiles/dind/copy_certs.ps1 b/dockerfiles/dind/copy_certs.ps1
new file mode 100644
index 0000000..d1fcf89
--- /dev/null
+++ b/dockerfiles/dind/copy_certs.ps1
@@ -0,0 +1,114 @@
+param (
+ [Parameter(Mandatory = $true)]
+ [string] $Node,
+ [Parameter(Mandatory = $true)]
+ [string] $SessionId,
+ [Parameter(Mandatory = $true)]
+ [string] $FQDN
+)
+
+
+function GetDirectUrlFromIp ($ip) {
+ $ip_dash=$ip -replace "\.","-"
+ $url="https://ip${ip_dash}-${SessionId}.direct.${FQDN}"
+ return $url
+}
+
+function WaitForUrl ($url) {
+ write-host $url
+ do {
+ try{
+ invoke-webrequest -UseBasicParsing -uri $url | Out-Null
+ } catch {}
+ $status = $?
+ sleep 1
+ } until($status)
+}
+
+function GetNodeRoutableIp ($nodeName) {
+ $JQFilter='.instances[] | select (.hostname == \"{0}\") | .routable_ip' -f $nodeName
+ $rip = (invoke-webrequest -UseBasicParsing -uri "https://$FQDN/sessions/$SessionId").Content | jq -r $JQFilter
+
+ IF([string]::IsNullOrEmpty($rip)) {
+ Write-Host "Could not fetch IP for node $nodeName"
+ exit 1
+ }
+ return $rip
+}
+
+function Set-UseUnsafeHeaderParsing
+{
+ param(
+ [Parameter(Mandatory,ParameterSetName='Enable')]
+ [switch]$Enable,
+
+ [Parameter(Mandatory,ParameterSetName='Disable')]
+ [switch]$Disable
+ )
+
+ $ShouldEnable = $PSCmdlet.ParameterSetName -eq 'Enable'
+
+ $netAssembly = [Reflection.Assembly]::GetAssembly([System.Net.Configuration.SettingsSection])
+
+ if($netAssembly)
+ {
+ $bindingFlags = [Reflection.BindingFlags] 'Static,GetProperty,NonPublic'
+ $settingsType = $netAssembly.GetType('System.Net.Configuration.SettingsSectionInternal')
+
+ $instance = $settingsType.InvokeMember('Section', $bindingFlags, $null, $null, @())
+
+ if($instance)
+ {
+ $bindingFlags = 'NonPublic','Instance'
+ $useUnsafeHeaderParsingField = $settingsType.GetField('useUnsafeHeaderParsing', $bindingFlags)
+
+ if($useUnsafeHeaderParsingField)
+ {
+ $useUnsafeHeaderParsingField.SetValue($instance, $ShouldEnable)
+ }
+ }
+ }
+}
+
+
+$ProgressPreference = 'SilentlyContinue'
+$ErrorActionPreference = 'Stop'
+
+Set-UseUnsafeHeaderParsing -Enable
+
+Start-Transcript -path ("C:\{0}.log" -f $MyInvocation.MyCommand.Name) -append
+
+add-type @"
+ using System.Net;
+ using System.Security.Cryptography.X509Certificates;
+
+ public class IDontCarePolicy : ICertificatePolicy {
+ public IDontCarePolicy() {}
+ public bool CheckValidationResult(
+ ServicePoint sPoint, X509Certificate cert,
+ WebRequest wRequest, int certProb) {
+ return true;
+ }
+ }
+"@
+
+[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12
+
+[System.Net.ServicePointManager]::CertificatePolicy = new-object IDontCarePolicy
+
+
+$dtr_ip = GetNodeRoutableIp $Node
+$dtr_url = GetDirectUrlFromIp $dtr_ip
+$dtr_hostname = $dtr_url -replace "https://",""
+
+WaitForUrl "${dtr_url}/ca"
+
+invoke-webrequest -UseBasicParsing -uri "$dtr_url/ca" -o c:\ca.crt
+
+$cert = new-object System.Security.Cryptography.X509Certificates.X509Certificate2 c:\ca.crt
+$store = new-object System.Security.Cryptography.X509Certificates.X509Store('Root','localmachine')
+$store.Open('ReadWrite')
+$store.Add($cert)
+$store.Close()
+
+Stop-Transcript
diff --git a/dockerfiles/dind/ee/ucp-cert.pem b/dockerfiles/dind/ee/ucp-cert.pem
new file mode 100644
index 0000000..7e124b1
--- /dev/null
+++ b/dockerfiles/dind/ee/ucp-cert.pem
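Review bot: The CA downloaded from `"$dtr_url/ca"` is added to the LocalMachine `Root` store while `[System.Net.ServicePointManager]::CertificatePolicy = new-object IDontCarePolicy` has already disabled every certificate check for the process, so the one request that establishes machine-wide trust is itself unauthenticated and whatever answers at that URL becomes a trusted root. Keep validation on for that fetch (the `direct.${FQDN}` endpoint appears to be covered by the Let's Encrypt chain added elsewhere in this commit, so the bypass may not be needed at all), or at minimum check the fetched certificate against an expected value before the store write, e.g. `if ($cert.Thumbprint -ne $ExpectedCaThumbprint) { throw "Unexpected DTR CA thumbprint" }` with `$ExpectedCaThumbprint` as a new mandatory parameter (name constructed). `ICertificatePolicy` is also obsolete in .NET, and `Set-UseUnsafeHeaderParsing -Enable` stays in effect for the rest of the process, which the script does not explain; a one-line comment on why each is required would help the next maintainer. Separately, `WaitForUrl` has no upper bound, so an unreachable node hangs the transcript forever; a retry limit that fails the script would be safer than an infinite `do`/`until`.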
@@ -0,0 +1,63 @@ +-----BEGIN CERTIFICATE----- +MIIGPDCCBSSgAwIBAgISA4MIK4JV9npV+QdQS7wVa48rMA0GCSqGSIb3DQEBCwUA +MEoxCzAJBgNVBAYTAlVTMRYwFAYDVQQKEw1MZXQncyBFbmNyeXB0MSMwIQYDVQQD +ExpMZXQncyBFbmNyeXB0IEF1dGhvcml0eSBYMzAeFw0xODAzMzEyMTQ3MjZaFw0x +ODA2MjkyMTQ3MjZaMDQxMjAwBgNVBAMMKSouZGlyZWN0LmJldGEtaHlicmlkLnBs +YXktd2l0aC1kb2NrZXIuY29tMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKC +AQEA6PQCi9Rqr7Ka1KXSGCfBQVzgPyx/hh+uST1dz7PDw2epghYyaqNByaQEVKNR +3ubPvOoASzhdJ1dZdyUzKUoU/jm8hgVK7HHdQDpFEX60az+r4Xo32R6WirG5+GXd +hU3M0yRzbu0zZx7eVZognP/HcXJDhuf16hiHKmCr6MYXV4JY9xLMxExZOTB4fpGA +Loiyvn2OEZAhREhiSX+6n4x7KJga8gYn/0f89o7up1DYQSwev+gQgRjTGlo1xrgu +Oztekc3ydvbhGv7aL7Uj/zqPcVvXnDfnioQV7kEDcz8gupFyV7gZKolR1G8IQJdm +TaYHguzFXF5Q3lKVWx19/CSZ8wIDAQABo4IDMDCCAywwDgYDVR0PAQH/BAQDAgWg +MB0GA1UdJQQWMBQGCCsGAQUFBwMBBggrBgEFBQcDAjAMBgNVHRMBAf8EAjAAMB0G +A1UdDgQWBBTVloZoUI5vKAN+D1PTgtYBgU184zAfBgNVHSMEGDAWgBSoSmpjBH3d +uubRObemRWXv86jsoTBvBggrBgEFBQcBAQRjMGEwLgYIKwYBBQUHMAGGImh0dHA6 +Ly9vY3NwLmludC14My5sZXRzZW5jcnlwdC5vcmcwLwYIKwYBBQUHMAKGI2h0dHA6 +Ly9jZXJ0LmludC14My5sZXRzZW5jcnlwdC5vcmcvMDQGA1UdEQQtMCuCKSouZGly +ZWN0LmJldGEtaHlicmlkLnBsYXktd2l0aC1kb2NrZXIuY29tMIH+BgNVHSAEgfYw +gfMwCAYGZ4EMAQIBMIHmBgsrBgEEAYLfEwEBATCB1jAmBggrBgEFBQcCARYaaHR0 +cDovL2Nwcy5sZXRzZW5jcnlwdC5vcmcwgasGCCsGAQUFBwICMIGeDIGbVGhpcyBD +ZXJ0aWZpY2F0ZSBtYXkgb25seSBiZSByZWxpZWQgdXBvbiBieSBSZWx5aW5nIFBh +cnRpZXMgYW5kIG9ubHkgaW4gYWNjb3JkYW5jZSB3aXRoIHRoZSBDZXJ0aWZpY2F0 +ZSBQb2xpY3kgZm91bmQgYXQgaHR0cHM6Ly9sZXRzZW5jcnlwdC5vcmcvcmVwb3Np +dG9yeS8wggEDBgorBgEEAdZ5AgQCBIH0BIHxAO8AdQDbdK/uyynssf7KPnFtLOW5 +qrs294Rxg8ddnU83th+/ZAAAAWJ+PniYAAAEAwBGMEQCIDngZdWcYWY0fPfUGTqX +/Vt2qx+PRN5DN+m13TnA37e2AiBHIi5kMSxlvKNc3xzuJrvt/RKaj9xsBLmc8+uW +ckaEdAB2ACk8UZZUyDlluqpQ/FgH1Ldvv1h6KXLcpMMM9OVFR/R4AAABYn4+eLUA +AAQDAEcwRQIhAMkf8SYdt1egjzBE6nzOrY+f4WMS/N6XWN+gFl0mQIkhAiBn9+GG +0XbLw33+WNJLUkau2ZdTo5kTw2qdUXdYpWJwrDANBgkqhkiG9w0BAQsFAAOCAQEA +TAl62gFi+2l/yLItjNIrXeWh2ICH/epjeWlmF+rAb7Sb4iz9U8fsNBdDBQh25xJo 
+6nLOlS2NG0hdUScylCYyGJZe6PeQvGO+qSLDamXf1DvXWvzbmQOCUkejgD7Uwbol +5huuCAKoW4SsiaMku0J3545MEQx4Q5cPetsPawaByY5sgr2GZJzgM7lvtzr4hKWg +x5QAns/bmcqe9LCJ2NLcgArliYu6dOHtS62kB7/Dz2DQRtCvpV553RaBe4k9Ruwl +0ndHvjEC5OWa5sW1hwow5W3PC7Db7s0zqpt63EITkhrUOqtqtkwOMYBAkFIIe1eR +T5fSFAdirKUOt5GnRJ40qw== +-----END CERTIFICATE----- +-----BEGIN CERTIFICATE----- +MIIEkjCCA3qgAwIBAgIQCgFBQgAAAVOFc2oLheynCDANBgkqhkiG9w0BAQsFADA/ +MSQwIgYDVQQKExtEaWdpdGFsIFNpZ25hdHVyZSBUcnVzdCBDby4xFzAVBgNVBAMT +DkRTVCBSb290IENBIFgzMB4XDTE2MDMxNzE2NDA0NloXDTIxMDMxNzE2NDA0Nlow +SjELMAkGA1UEBhMCVVMxFjAUBgNVBAoTDUxldCdzIEVuY3J5cHQxIzAhBgNVBAMT +GkxldCdzIEVuY3J5cHQgQXV0aG9yaXR5IFgzMIIBIjANBgkqhkiG9w0BAQEFAAOC +AQ8AMIIBCgKCAQEAnNMM8FrlLke3cl03g7NoYzDq1zUmGSXhvb418XCSL7e4S0EF +q6meNQhY7LEqxGiHC6PjdeTm86dicbp5gWAf15Gan/PQeGdxyGkOlZHP/uaZ6WA8 +SMx+yk13EiSdRxta67nsHjcAHJyse6cF6s5K671B5TaYucv9bTyWaN8jKkKQDIZ0 +Z8h/pZq4UmEUEz9l6YKHy9v6Dlb2honzhT+Xhq+w3Brvaw2VFn3EK6BlspkENnWA +a6xK8xuQSXgvopZPKiAlKQTGdMDQMc2PMTiVFrqoM7hD8bEfwzB/onkxEz0tNvjj +/PIzark5McWvxI0NHWQWM6r6hCm21AvA2H3DkwIDAQABo4IBfTCCAXkwEgYDVR0T +AQH/BAgwBgEB/wIBADAOBgNVHQ8BAf8EBAMCAYYwfwYIKwYBBQUHAQEEczBxMDIG +CCsGAQUFBzABhiZodHRwOi8vaXNyZy50cnVzdGlkLm9jc3AuaWRlbnRydXN0LmNv +bTA7BggrBgEFBQcwAoYvaHR0cDovL2FwcHMuaWRlbnRydXN0LmNvbS9yb290cy9k +c3Ryb290Y2F4My5wN2MwHwYDVR0jBBgwFoAUxKexpHsscfrb4UuQdf/EFWCFiRAw +VAYDVR0gBE0wSzAIBgZngQwBAgEwPwYLKwYBBAGC3xMBAQEwMDAuBggrBgEFBQcC +ARYiaHR0cDovL2Nwcy5yb290LXgxLmxldHNlbmNyeXB0Lm9yZzA8BgNVHR8ENTAz +MDGgL6AthitodHRwOi8vY3JsLmlkZW50cnVzdC5jb20vRFNUUk9PVENBWDNDUkwu +Y3JsMB0GA1UdDgQWBBSoSmpjBH3duubRObemRWXv86jsoTANBgkqhkiG9w0BAQsF +AAOCAQEA3TPXEfNjWDjdGBX7CVW+dla5cEilaUcne8IkCJLxWh9KEik3JHRRHGJo +uM2VcGfl96S8TihRzZvoroed6ti6WqEBmtzw3Wodatg+VyOeph4EYpr/1wXKtx8/ +wApIvJSwtmVi4MFU5aMqrSDE6ea73Mj2tcMyo5jMd6jmeWUHK8so/joWUoHOUgwu +X4Po1QYz+3dszkDqMp4fklxBwXRsW10KXzPMTZ+sOPAveyxindmjkW8lGy+QsRlG +PfZ+G6Z6h7mjem0Y+iWlkYcV4PIWL1iwBi8saCbGS5jN2p8M+X+Q7UNKEkROb3N6 +KOqkqm57TH2H3eDJAkSnh6/DNFu0Qg== +-----END CERTIFICATE----- 
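Review bot: The first certificate in this file appears (from the encoded issuer and validity fields) to be a Let's Encrypt leaf for `*.direct.beta-hybrid.play-with-docker.com` valid only from late March to late June 2018, so a chain vendored into the repository will expire within about 90 days of this commit and every image built from it afterwards ships a dead certificate. Its private key is committed alongside it in the `dockerfiles/dind/ee/ucp-key.pem` hunk of this same commit. Prefer obtaining the certificate at build or deploy time (ACME renewal, or a mounted secret) over checking it in, and add a short README note stating where the chain comes from and how it is rotated.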
diff --git a/dockerfiles/dind/ee/ucp-key.pem b/dockerfiles/dind/ee/ucp-key.pem new file mode 100644 index 0000000..e61bf3b --- /dev/null +++ b/dockerfiles/dind/ee/ucp-key.pem @@ -0,0 +1,28 @@ +-----BEGIN PRIVATE KEY----- +MIIEvQIBADANBgkqhkiG9w0BAQEFAASCBKcwggSjAgEAAoIBAQDo9AKL1GqvsprU +pdIYJ8FBXOA/LH+GH65JPV3Ps8PDZ6mCFjJqo0HJpARUo1He5s+86gBLOF0nV1l3 +JTMpShT+ObyGBUrscd1AOkURfrRrP6vhejfZHpaKsbn4Zd2FTczTJHNu7TNnHt5V +miCc/8dxckOG5/XqGIcqYKvoxhdXglj3EszETFk5MHh+kYAuiLK+fY4RkCFESGJJ +f7qfjHsomBryBif/R/z2ju6nUNhBLB6/6BCBGNMaWjXGuC47O16RzfJ29uEa/tov +tSP/Oo9xW9ecN+eKhBXuQQNzPyC6kXJXuBkqiVHUbwhAl2ZNpgeC7MVcXlDeUpVb +HX38JJnzAgMBAAECggEAVqm4bMa4bea3HRcXYu8fQS7JKhdm1cHhd9PBm6yXzpE5 +CXEyjmNv7RD8n3Qm2BLsA67WLyWn2iPv35hSQTETQETAcudzKSVvFx7WZRzLB/8m +9XofXsG3ZZ+avONAlwALjB1KaGEMN3fPZO8y5NVvIDBPGNggr1cyqbxPGAjh1Cav +Laqki0rdPfr3FhxTyPBdmBFDcaMLc77Yl/7rmQJRYWb1qe+g4SEG4xXmEYpcpSUz +zDJZAkY5XAO5cHU5EoKgKJedVBNxqAaRtaisO9yv+CKMqD83hAWhXqeK1bSphghs +2qIkzNe134ZNUBbmK2FDsAbiPMHNcMKuI4ljfb78iQKBgQD5oZ/uzaYTt6ZQQzKq +rQFA2DxSlBt4Ewae5n6JYzw0hIjRf7LvitZF9zKXcMkHP2QcL+5RiibyJ6ohGypa +jpDP+m5e0B5tS6gEgFzBnrXWbjnrDxUR5Qj0lKg3uuOXw8OdwNxn+MulKkIfGyTW +pCu7G1nh/kltwvN87s4cJycwnwKBgQDu5XUyIcok8nxcBwtxu3zFdtdNn+P4Yq1a +W2sUEUEJUDwcUZqksPIxQhG/SMEEtBqii+EJj3nAlaWItBgTE37mzKGyKv16ZiM1 +hr+Rlv5AURxER+Eo4JLFqULZKwMaDlXDrFdV2ulF+6SXWOqKrp4/6sPYxtxHmKfs +oBnXq/4yLQKBgCQFl5+NG2cC/EPevoP0fRbPXT0JVEFqdW0ek6ndoQVvDpM0myyH +202zUyCZTNj348lRfVFU3zPYV2t5kQ4KPolUePLDk3BwF2m24CusbE7qDv+FaKPx +ae5pOTD5jfgLbsHn36Y9N5240FvOve0fOZRBaSH8YLovBJXFnAZh+/y/AoGALZzQ +CJddAjruNZ/+tmNmykkLiL2riERG9waXZkh5E28nWvzVuvYx9+e2fcBFYkGFCF4O +xIWJaJTp+zTvl8zUIPsXMG524UTZGiI1N3YN63fRHtRekDB4tZbAtbg5qmLsSyT/ +s9vNSFhor6EBfyMiAfAwHpaxflYOUearqHslWK0CgYEAzi/B0azCOaDqzpp6RhAL +rhTRFfu2HR8wN8EJLOSbBbUnlSSJHdnHJBwyyXe3shD/rETLV8dHx+6/k47e1l2d +MUlsad/dOKQyL2pY7UodBzPJkIkmwknDnKzioGety8Tb98oUSTQ8oHfHMuRBOie9 +mq1MSTuZyZtsdSXnFhH3qNc= +-----END PRIVATE KEY----- 
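Review bot: A clear-text private key (`-----BEGIN PRIVATE KEY-----`) is committed in `dockerfiles/dind/ee/ucp-key.pem`; once it is in git history it has to be treated as disclosed even if a later commit deletes it. The matching certificate (the `ucp-cert.pem` hunk) should be revoked and reissued, the key purged from history, and the pair delivered to the image at build or run time through a secret mechanism (a build secret, a mounted volume, or the orchestrator's secret store) instead of being vendored. A `.gitignore` entry for `*.pem` / `*-key.pem` plus a pre-commit secret scan would keep this from recurring.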
diff --git a/dockerfiles/dind/ucp-beta.sh b/dockerfiles/dind/ucp-beta.sh
new file mode 100755
index 0000000..2231cd9
--- /dev/null
+++ b/dockerfiles/dind/ucp-beta.sh
@@ -0,0 +1,98 @@
+#!/bin/bash
+
+set -e
+
+function wait_for_url {
+ # Wait for docker daemon to be ready
+ while ! curl -k -sS $1 > /dev/null; do
+ sleep 1;
+ done
+}
+
+function deploy_ucp {
+ wait_for_url "https://localhost:2376"
+
+ docker config create com.docker.ucp.config $HOME/ucp-config.toml
+
+ docker run --rm -i --name ucp \
+ -v /var/run/docker.sock:/var/run/docker.sock \
+ docker/ucp:3.1.3 install --debug --force-insecure-tcp --skip-cloud-provider-check \
+ --san *.direct.${PWD_HOST_FQDN} \
+ --license $(cat $HOME/workshop_beta.lic) \
+ --swarm-port 2375 \
+ --existing-config \
+ --admin-username admin \
+ --admin-password admin1234
+
+ rm $HOME/workshop_beta.lic $HOME/ucp-config.toml
+ echo "Finished deploying UCP"
+}
+
+function get_instance_ip {
+ ip -o -4 a s eth1 | awk '{print $4}' | cut -d '/' -f1
+}
+
+function get_node_routable_ip {
+ curl -sS https://${PWD_HOST_FQDN}/sessions/${SESSION_ID} | jq -r '.instances[] | select(.hostname == "'$1'") | .routable_ip'
+}
+
+function get_direct_url_from_ip {
+ local ip_dash="${1//./-}"
+ local url="https://ip${ip_dash}-${SESSION_ID}.direct.${PWD_HOST_FQDN}"
+ echo $url
+}
+
+function deploy_dtr {
+ if [ $# -lt 1 ]; then
+ echo "DTR node hostname"
+ return
+ fi
+
+
+ local dtr_ip=$(get_node_routable_ip $1)
+ local ucp_ip=$(get_instance_ip)
+
+ local dtr_url=$(get_direct_url_from_ip $dtr_ip)
+ local ucp_url=$(get_direct_url_from_ip $ucp_ip)
+
+ docker run -i --rm docker/dtr:2.6.2 install \
+ --dtr-external-url $dtr_url \
+ --ucp-node $1 \
+ --ucp-username admin \
+ --ucp-password admin1234 \
+ --ucp-insecure-tls \
+ --ucp-url $ucp_url
+}
+
+function setup_dtr_certs {
+ if [ $# -lt 1 ]; then
+ echo "DTR node hostname is missing"
+ return
+ fi
+
+
+ local dtr_ip=$(get_node_routable_ip $1)
+ local dtr_url=$(get_direct_url_from_ip $dtr_ip)
+ local dtr_hostname="${dtr_url/https:\/\/}"
+
+ wait_for_url "$dtr_url/ca"
+
+ curl -kfsSL $dtr_url/ca -o /usr/local/share/ca-certificates/$dtr_hostname.crt
+ update-ca-certificates
+}
+
+
+case "$1" in
+ deploy)
+ deploy_ucp
+ deploy_dtr $2
+ setup_dtr_certs $2
+ ;;
+ setup-certs)
+ setup_dtr_certs $2
+ ;;
+ *)
+ echo "Illegal option $1"
+ ;;
+esac
+
diff --git a/dockerfiles/dind/ucp-config.toml b/dockerfiles/dind/ucp-config.toml
new file mode 100644
index 0000000..ba78e35
--- /dev/null
+++ b/dockerfiles/dind/ucp-config.toml
@@ -0,0 +1,2 @@
+[cluster_config]
+ custom_kubelet_flags = ["--http-check-frequency=20s", "--containerized=false"]
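Review bot: `deploy_ucp` and `deploy_dtr` hard-code the administrator credential (`--admin-password admin1234` and `--ucp-password admin1234`), which puts it in the repository and in the `docker run` argv visible to every process on the host; read it from the environment instead, e.g. `--admin-password "${UCP_ADMIN_PASSWORD:?UCP_ADMIN_PASSWORD is not set}"` (variable name constructed), and pass the license via `--license-file`-style input if the tool supports it rather than `$(cat ...)` on the command line. In `setup_dtr_certs` the CA is fetched with `curl -kfsSL` and then installed system-wide by `update-ca-certificates`, so the trust root is obtained without any verification — the same pattern as `copy_certs.ps1` in this commit; drop `-k` for that request (the `direct.${PWD_HOST_FQDN}` host appears to carry a public certificate) or compare the fetched file's fingerprint against a known value before installing it. Two smaller points: `--san *.direct.${PWD_HOST_FQDN}` is unquoted and subject to glob expansion, so write `--san "*.direct.${PWD_HOST_FQDN}"`, and the missing-argument branches in `deploy_dtr` and `setup_dtr_certs` `return` with status 0, which lets `deploy` continue under `set -e` as if the step succeeded — `return 1` would surface the error.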