diff --git a/cicd/common.sh b/cicd/common.sh index ec676593f..580deb87c 100644 --- a/cicd/common.sh +++ b/cicd/common.sh @@ -22,6 +22,15 @@ docker_extra_opts="" # lxdocker="ghcr.io/loxilb-io/loxilb:latestu22" #fi + +if [ ! -d loxilb.io ]; then + ../common/minica --domains loxilb.io + mkdir cert + cp minica.pem cert/rootCA.crt + cp loxilb.io/cert.pem cert/server.crt + cp loxilb.io/key.pem cert/server.key +fi + loxilbs=() ## Given a docker name(arg1), return its pid @@ -118,7 +127,7 @@ spawn_docker_host() { get_llb_peerIP $dname docker exec -dt $dname /root/loxilb-io/loxilb/loxilb $bgp_opts $cluster_opts $ka_opts $extra_opts else - docker run -u root --cap-add SYS_ADMIN --restart unless-stopped --privileged -dt $docker_extra_opts --entrypoint /bin/bash $bgp_conf -v /dev/log:/dev/log $loxilb_config --name $dname $lxdocker $bgp_opts + docker run -u root --cap-add SYS_ADMIN --restart unless-stopped --privileged -dt $docker_extra_opts --entrypoint /bin/bash $bgp_conf -v /dev/log:/dev/log -v `pwd`/cert:/opt/loxilb/cert/ $loxilb_config --name $dname $lxdocker $bgp_opts docker exec -dt $dname /root/loxilb-io/loxilb/loxilb $bgp_opts $cluster_opts $extra_opts fi elif [[ "$dtype" == "host" ]]; then diff --git a/cicd/common/minica b/cicd/common/minica new file mode 100755 index 000000000..a152b1664 Binary files /dev/null and b/cicd/common/minica differ diff --git a/cicd/k3s-flannel-loxilb-ingress/ingress/loxilb-secret.yml b/cicd/k3s-flannel-loxilb-ingress/ingress/loxilb-secret.yml deleted file mode 100644 index 73d691823..000000000 --- a/cicd/k3s-flannel-loxilb-ingress/ingress/loxilb-secret.yml +++ /dev/null @@ -1,10 +0,0 @@ -apiVersion: v1 -data: - server.crt: LS0tLS1CRUdJTiBDRVJUSUZJQ0FURS0tLS0tCk1JSUZDVENDQXZHZ0F3SUJBZ0lVSENPekxWNlRFeVg2cjIxNllycFlOWWZOY2Zzd0RRWUpLb1pJaHZjTkFRRUwKQlFBd0ZERVNNQkFHQTFVRUF3d0piRzk0YVd4aUxtbHZNQjRYRFRJME1EZ3dPREEyTXpNeE5Gb1hEVEkxTURndwpPREEyTXpNeE5Gb3dGREVTTUJBR0ExVUVBd3dKYkc5NGFXeGlMbWx2TUlJQ0lqQU5CZ2txaGtpRzl3MEJBUUVGCkFBT0NBZzhBTUlJQ0NnS0NBZ0VBb2hMNWgxSlFFVVlpRExvR0hzdDNmM3ZrWkcyMWU1LzM2Rml1WDhsa1pOTkwKZUlUZmUzR1E0ci96K253N0oxSXdlc2VHdkkyZW5FNWtLYVdsZHhpekNEd2JxS21GRk1EMk1zQklEUlRJb2d4NgpOak1YUFlqQ1VxUlhVODJwNzhUa1Bvd1FqdllhcExiZ3REcWdiWWxMZC95VUg5aWdmcHo5VFY2d2grQlMvUDJwCnc1MUMrckRIUHdSM0JNL2hGNUtpeVZway9GNmJNQjZRSFE2bGk5SmR4ZEVNSGtDRXhPWUo1R01kVkEvRmUzODMKbTNwK2JucVd2OXdLTXF0d29LVVVEOFJ0TmdkUXJxSmp0elV3YXRmT0VkY3ptTG1uVXg2VjgyMk9weFhQeG4vSApiSmxUcy8vblRrV0FCWmFEVGFqQ2FnZUpCQnZ4Rk1Eci9mVUdQWlRPRUdEZkxxaE9HM0g4UDJmMGp1OHFpMUJ0Cnp0ODBmT2N2eElLME8veWJnemRINjB6YXJFcEZFRjFEcGF3a0hGWmZHYmVTdnpUeTZSVm0zWWxRRjc2NFZHTDQKSCtMMFFEcVI2Zm0veHoxaEhLbER6dFA2VUV1MjExUUc4RDUvQ1ZUVzdQQUIrMkRWbk1vN0JqRzYrVG55Z0ZqNApOUXZEaW9VQ1NwZzdRT2g2RWw0UjgwVHR1Vmo5bEsvbnVIR08yQ0hwclhnTzUyeWgrZzNzOUJVeXQ5eXVQQVFxCkhIeWsyT3hIc1dURnFTQ3VaNHo0NVI0NWFTcmNDd2t6N09xbWlVWTUrenduT1F5WlN3Y2JzUVhzbVNEUm9KUVcKR2lwSUp0VVZjcnZSbWIzWkFnRDVNdlVQRXpEYjVTME5La1lqczNvWnVBZXVjSGJSS080RkFMRlRDYi9JR2E4QwpBd0VBQWFOVE1GRXdIUVlEVlIwT0JCWUVGTDRJZFpKNE9Obk53cVVmdFhCR25STndwN0V0TUI4R0ExVWRJd1FZCk1CYUFGTDRJZFpKNE9Obk53cVVmdFhCR25STndwN0V0TUE4R0ExVWRFd0VCL3dRRk1BTUJBZjh3RFFZSktvWkkKaHZjTkFRRUxCUUFEZ2dJQkFFWHg0Q3pUMnNTOCtMVjRHc0I2bDFtRWM5UFJiT205Q1pQK3M2MzQ5QVd5MXh3cwppUmlaYVJVcEJ2Skk1MHZYMjhaeWJRVXpPdVg3ZGE5bFIzWEhLM01QdHlVUk5NYkcySzlmbzVZQ1RqV3lTZEg1CnpJQm1RZVV0cXE1OVMwdytSQytUcC9xd3lveUlUajk2dGU0YmdheGhUV2RtazZUNFZjWkgwY1NQU0hEMG9DeFkKcHJDOVdnQ21kQ3JOWWQ0T2pxaUhwOERhWHFybGhmbWZXdThHaFJlcVNmL1pEOTBrSUw3aEx0OHBXYXRpQnZ3UAowRmtGMjNWcFBwZ0s0MElKM1NBcllSWXlIUllKaDNLK1QzZ2RQY0pOdUloaENrRE1YNUtKdlI1QXdUdWpEL1lKCjNTTVRzL1F0SnZScDd0Q0kxM1lwZXFiaHFoQnBtdzdVWFpSUnh4WURiNHU2L25oZUZkMS9NNjdsYTJtUmpvZlIKUDQxc2pRa1lQSkhsY2hVMHRkQnRjN203bVkrdFo1U2h4bklKZnFBS1pqTEpEZUJyYlhrS2hjNms4NFpBM09vQwpCajl1U3V1RERlUUJ0VDlYUHppOVZaV2pVWis2Zk42QlB0RHVRa0x4V2xacHN0TXJIUEhia1gvVXhmU2NuZEpiCkw0ZXBhTVVqUDJDWnd2NGFraUxjZmQzVXEwaENQZzVZNTNOL1cyWlJ2Y204aGlpcXptaDIyeUxMYUZEQXBOaGEKZitXdUNxNU1HQ2Rib3U1Wnk4TXRoaXZwRnhEUXAzWkh4RktXTGw3VGZpR0hRYXZVK0ZnUVdQUFUrOVVmYksyZQpQYmRSSmxoaVE1Z09VbHBWT1V6bGVxR3lhVldDRHpuQ3JlVWFVcnNzbkNZejdzQmNORTViYUl4dlptUmkKLS0tLS1FTkQgQ0VSVElGSUNBVEUtLS0tLQo= - server.key: LS0tLS1CRUdJTiBQUklWQVRFIEtFWS0tLS0tCk1JSUpRZ0lCQURBTkJna3Foa2lHOXcwQkFRRUZBQVNDQ1N3d2dna29BZ0VBQW9JQ0FRQ2lFdm1IVWxBUlJpSU0KdWdZZXkzZC9lK1JrYmJWN24vZm9XSzVmeVdSazAwdDRoTjk3Y1pEaXYvUDZmRHNuVWpCNng0YThqWjZjVG1RcApwYVYzR0xNSVBCdW9xWVVVd1BZeXdFZ05GTWlpREhvMk14YzlpTUpTcEZkVHphbnZ4T1ErakJDTzlocWt0dUMwCk9xQnRpVXQzL0pRZjJLQituUDFOWHJDSDRGTDgvYW5EblVMNnNNYy9CSGNFeitFWGtxTEpXbVQ4WHBzd0hwQWQKRHFXTDBsM0YwUXdlUUlURTVnbmtZeDFVRDhWN2Z6ZWJlbjV1ZXBhLzNBb3lxM0NncFJRUHhHMDJCMUN1b21PMwpOVEJxMTg0UjF6T1l1YWRUSHBYemJZNm5GYy9HZjhkc21WT3ovK2RPUllBRmxvTk5xTUpxQjRrRUcvRVV3T3Y5CjlRWTlsTTRRWU44dXFFNGJjZncvWi9TTzd5cUxVRzNPM3pSODV5L0VnclE3L0p1RE4wZnJUTnFzU2tVUVhVT2wKckNRY1ZsOFp0NUsvTlBMcEZXYmRpVkFYdnJoVVl2Z2Y0dlJBT3BIcCtiL0hQV0VjcVVQTzAvcFFTN2JYVkFidwpQbjhKVk5iczhBSDdZTldjeWpzR01icjVPZktBV1BnMUM4T0toUUpLbUR0QTZIb1NYaEh6Uk8yNVdQMlVyK2U0CmNZN1lJZW10ZUE3bmJLSDZEZXowRlRLMzNLNDhCQ29jZktUWTdFZXhaTVdwSUs1bmpQamxIamxwS3R3TENUUHMKNnFhSlJqbjdQQ2M1REpsTEJ4dXhCZXlaSU5HZ2xCWWFLa2dtMVJWeXU5R1p2ZGtDQVBreTlROFRNTnZsTFEwcQpSaU96ZWhtNEI2NXdkdEVvN2dVQXNWTUp2OGdacndJREFRQUJBb0lDQUFKVCt3SE5iUnA3c28zenpnYm1zWlNOCldpSFkyYWxwSHFmWHBOSmdWTkR4aTZUQ3Q0ZFRsaHNPbC9jZXR6RE8wc09tS3cvcDhDT1RQWklCR05KRE9tSXAKS0hqelp6Zjl3aVBsNHBKdERRK3dtRkFYQ0l0ZUhQM25RNzRaN0xnZUNSWFc2c2FJWHc2dkFFbFYwcytETHZvZApiUHZUdVNYUlp4MHRRWEVpaC93VUlVU2pSeE16OE5GaFg3MENmeTF5VTI2NU1rTFYyVXY2Z3M4N2o4UmJEZjlBCnBhWnFKNWp6NUJTYTVsaHl5cFpZQ3pVam9NMm5meTF5OE9BOVZIaDl5SGMxYjFMMmtzYlJBQTJQalBoRjF4bHUKeVE5OUs3Qk9nUEg4VGROVDZVSms1UXNQcE5mR1V0U2hEZkR2a1RNNjZkZlcwTFc2cVJtWlBJdlpUVERkM0J2SwpCN1NnOUs3bXZCbVlsNEpMM05pZXBJVjkvNEVPRzZsNi9QaGxUR0JVRUdrTmdNQ2dTaWxyc05qU2E4ZW9SZHdzCm40VmN5enNWeWZYaGFSTVBFTklLVWZJTmFuenpYRkY2ZFRyd3Azelo0RDNhVzNLdWltYUxJR0hCNXZZaGRFTGoKUE9PQVVXRkVXUjMxMVFMZ3hUUm53aStnRUNlMmhPVmNyUkZVcjhDdlVrWWRUT0FGQzdjUnBOUW5rSVdQNU1QbQpXZkRvM2dZRnkyZU45NGR1MHBzTzVabzlHMm5UMlpiTjl1d0FCMk1ibk91R0xiWVRFbWpHdVRIUVc5Uzd6TFBzCnJMUmtVdndvYWE4cVBmaGc4SWw2ak1mcG5heUdETnU1S2tVV05KcGFZaGp5Y2l6SkVGUjVicTF6UU1QZjE2Qk0KdVloWVMySEhuS1VhdFRmZ3hyNmxBb0lCQVFEa0E3UlB2MURtNmxKTXYzaUU0K1FRYzUyTDdueUJHc3FueEVzdwo1Ly9PN2gvd2ZMMkd4VzFzRXcrSUNDd1VmVjNwZjBqWEl2dktjM3V0YXByWjc2Tk5uWnJJU0syYnFCamZpc2VrCk9vMWRlRlQvNlVaOGxhOWVDMFF3UlVWMWdmZ1I2K0VCayttUDJjSWpJRDVKbkx1b1lLSFNwenRmZG15UEUrODUKVUtXRU5rR1BsN200aStqTzRwWUhYQXdhZVFkU2NSbjVPdVUyY3FBTkZVbmpRbmtQNnp6U2tJVkNUaFNGVkpUYgplZEpIOFNwbW9YL0IzL3VVSm9vVGFvWXQwb1V4NnJsR0xqTDhadUx0TUlVU1J0WUJNd2JuMDVQQkZ0cStuaitlClVtWEJqUEgxbURRN0tlWG1yZHlldHYzQWRUQjdjWUhMZW1GL0lNL1g5N3Brb2twVEFvSUJBUUMxOTJheDhReTkKWGkrNmlVNDIzTEx1R3p3a3EwNlVHeVdSMlBHM3pCeDlHRU5KNS9rV0FrSUdPWjlSMG1xOGRuTnJOeitROTFlawp4QlFJS0xGZzEvMVFWZ2VOMEw3TVJySWxSelBsa2NZYUkrNDFhbktKYUpsd3BMaDEza0RmdzRMUXpOLzhDcElrCk9KajBZWFpNNkpSbHlmTE5jQ1pURFBKVjY0R24vaFNDZ3RISndaRk9MdWZsalIzSVpQbEphcHBTNlNRUDBkVDYKeExmUEsyUWZGR251UTBETitsQjdPVTJMT3d4enF0UldsYWFjTnpOU3B0cUJ2NzMvVFFoQ1l5eVc0RnBReER4Vgo3MzJWZ0tvWVQ3dElpZFF5Z2NrWnp0NnFhRUNVQ0o3UmtuUVNyZDEvUHBITDBrdXkxNDIxc0VLdkUyWVpON21WCkNGYVlzRGdqb0orMUFvSUJBUURFckpGT0xEYUxSMWkvekhRWEpEN25GZUt4L1g2MUdiZnQ1N24zc0ZXTlZ3YUQKdUFUK2g3S3ZndTFscDY3bDZaRWt3OTYvZXZSMmx3LzU4RGNyZnJGOFZGSmJLWjFkNHl1NVBncWdGTVUwOTROUgp6aFEzaUNGZzNCVHdFZ0Fzc0hPYWVieDJVUEFvWFd0QVF5S1crak0vdEVKQTRuQ3JFZ25uakFsUGhjbU85Z0dzCjZ2R09SbGdFZzV0bk03Vlk3RVl0alZNYkQvci84UFV1ODhyczFMeDV4NjJKN3BDVE5hZ3JyVjVNeFpKazdaZG0KT1MxcXZGbFRXNzdEcXFHY1NyY0s3R3p0SlJKamRoZU5BY24yanRVdTZhV3VOMmgrSjhsOG5DRkIzYzdabVVwbgpUZWJYbFhjeGQ0d1I5c04veTFXTFZNZmhER21tYjFYMzhqMTdhaVR6QW9JQkFGN0VLTXlWSURCakkvSSszZWYrCmlvVXMwK2E0L0tSdmV1SjVISEcvTURzSjdzbEhzVlovK0lpcmE4aStEKzUwdGVscGpZWmUrbHNKN3ZETTJJdjYKRUtmTkZnUUthY09UTWVYdUxoM3FERVRDMzZVYitlaUwvQlZKQS9RR3VyeU9Zc3VCVjBrNDdDRkhCSW1KVklYNwpQb1hBWmQ0T0FUZVJiNGZGcmZHaWhtWHQ0WG4wZ0VzNmJIVUZTRFI4T2NPOWEvK3dBYUxuZ2NiVHVuSi9RNVpZCkdFOEk0WEFrWTlPNDVTU1VyUWgwT0QrYmtuaWEydlM1aHVTNXlpWnlwTkdHT3N1Y3JneVFGbWdlNE1XQ2k1TTcKdXVxdE5VRFVqTG9QSGJHYnQ3NGd1eTJqMnlWN1BQYXV6RmxjL1NWMzB3cURjRWNqa0RHajd0ZXB6d2VZQnJTdgpTMTBDZ2dFQUNqSHBrZE5VZkdzOGZnN0x4WDlFcURRZjY4SkhIblBscTQ1azFwN0U4UExmRytFVWNIMnUzekRzCjhmZDByTHAwb2Z3VEhONUNPMmhJVWhCVC9UU0poQ1VaOTZ2ZlRyeXVVWVJjdjZ2NkEvaW1OdFQ3MEQ0ZkZ0cXoKWnB3Si9GNzFwdVlJTmtwSEpteWIvSHdIZmxEdURyVkRjMFF3VmY2WkFPcE9QbnhzM0VHUElqNGdVcDFYMEdVcAp1TERCdVJtR0RFNEVKYUhYUjFHemM0YkduZVlUV0FnY1IxQ2MrbThuWnR3a2dxQWVia0ZtaXFmZDBPOGNkUDlUCkZKWjNSbkRJZHBCYmw0b0hJS0NiTWY0M2pkdlZnM2RTb0hwUTlXUkZ1MEhVQURqenJUS2Z5c0JLMFM3WnlZRmEKc1RoOGJ6QU01YXpBWlZSeHNTbXJiSm95VFRZM3pBPT0KLS0tLS1FTkQgUFJJVkFURSBLRVktLS0tLQo= -kind: Secret -metadata: - creationTimestamp: null - name: loxilb-ssl - namespace: kube-system -type: Opaque diff --git a/cicd/k3s-flannel-loxilb-ingress/master.sh b/cicd/k3s-flannel-loxilb-ingress/master.sh index e78fce62e..bea1de21a 100755 --- a/cicd/k3s-flannel-loxilb-ingress/master.sh +++ b/cicd/k3s-flannel-loxilb-ingress/master.sh @@ -1,13 +1,32 @@ export MASTER_IP=$(ip a |grep global | grep -v '10.0.2.15' | grep '192.168.80' | awk '{print $2}' | cut -f1 -d '/') +apt-get update && apt install -y libnss3-tools +ldconfig /usr/local/lib64/ | true +mkdir certs +cd certs +wget --retry-connrefused --waitretry=1 --read-timeout=20 --timeout=15 -t 3 https://github.com/FiloSottile/mkcert/releases/download/v1.4.3/mkcert-v1.4.3-linux-amd64 +chmod +x mkcert-v1.4.3-linux-amd64 +mv mkcert-v1.4.3-linux-amd64 mkcert +mkdir loxilb.io +export CAROOT=`pwd`/loxilb.io +./mkcert -install +./mkcert loxilb.io +mv loxilb.io.pem ../server.crt +mv loxilb.io-key.pem ../server.key +cd - + curl -sfL https://get.k3s.io | INSTALL_K3S_EXEC="--disable traefik --disable servicelb --node-ip=${MASTER_IP}" sh - echo $MASTER_IP > /vagrant/master-ip sudo cp /var/lib/rancher/k3s/server/node-token /vagrant/node-token sudo sed -i -e "s/127.0.0.1/${MASTER_IP}/g" /etc/rancher/k3s/k3s.yaml sudo cp /etc/rancher/k3s/k3s.yaml /vagrant/k3s.yaml +sudo kubectl create secret tls loxilb-ssl --cert server.crt --key server.key -n kube-system -o yaml --dry-run >> loxilb-secret.yml +sed -i -e 's/tls.key/server.key/g' ./loxilb-secret.yml +sed -i -e 's/tls.crt/server.crt/g' ./loxilb-secret.yml +sed -i -e 's/kubernetes.io\/tls/Opaque/g' ./loxilb-secret.yml sudo kubectl apply -f /vagrant/kube-loxilb.yml -sudo kubectl apply -f /vagrant/ingress/loxilb-secret.yml +sudo kubectl apply -f loxilb-secret.yml sudo kubectl apply -f /vagrant/ingress/loxilb-ingress-deploy.yml sudo kubectl apply -f /vagrant/ingress/loxilb-ingress-svc.yml sudo kubectl apply -f /vagrant/ingress/loxilb-ingress.yml diff --git a/options/options.go b/options/options.go index e139cec39..0dcfda75e 100644 --- a/options/options.go +++ b/options/options.go @@ -13,7 +13,7 @@ var Opts struct { Host string `long:"host" description:"the IP to listen on" default:"0.0.0.0" env:"HOST"` Port int `long:"port" description:"the port to listen on for insecure connections" default:"11111" env:"PORT"` TLS bool `long:"tls" description:"enable TLS " env:"TLS"` - TLSHost string `long:"tls-host" description:"the IP to listen on for tls, when not specified it's the same as --host" env:"TLS_HOST"` + TLSHost string `long:"tls-host" description:"the IP to listen on for tls" default:"0.0.0.0" env:"TLS_HOST"` TLSPort int `long:"tls-port" description:"the port to listen on for secure connections" default:"8091" env:"TLS_PORT"` TLSCertificate flags.Filename `long:"tls-certificate" description:"the certificate to use for secure connections" default:"/opt/loxilb/cert/server.crt" env:"TLS_CERTIFICATE"` TLSCertificateKey flags.Filename `long:"tls-key" description:"the private key to use for secure connections" default:"/opt/loxilb/cert/server.key" env:"TLS_PRIVATE_KEY"` diff --git a/tools/k8s/mkllb-url b/tools/k8s/mkllb-url index e9cf052d7..60274d482 100755 --- a/tools/k8s/mkllb-url +++ b/tools/k8s/mkllb-url @@ -44,10 +44,12 @@ if [[ ${cloud} == "aws" ]]; then unzip awscliv2.zip && ./aws/install fi token=`curl -s -m 10 -X PUT http://169.254.169.254/latest/api/token -H "X-aws-ec2-metadata-token-ttl-seconds: 21600"` && \ - if [[ "x$addr" == "x0.0.0.0" ]]; then - laddr=`curl -s -m 10 -H "X-aws-ec2-metadata-token: $token" http://169.254.169.254/latest/meta-data/local-ipv4` + laddr=`curl -s -m 10 -H "X-aws-ec2-metadata-token: $token" http://169.254.169.254/latest/meta-data/local-ipv4` + if [[ "x$addr" == "xlocal" ]]; then + addr=$laddr + else + addr=`curl -s -m 10 -H "X-aws-ec2-metadata-token: $token" http://169.254.169.254/latest/meta-data/public-ipv4` fi - addr=`curl -s -m 10 -H "X-aws-ec2-metadata-token: $token" http://169.254.169.254/latest/meta-data/public-ipv4` else if [[ "x$addr" == "x0.0.0.0" ]]; then laddr=`ip route get 8.8.8.8 | head -1 | cut -d' ' -f3`