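# bash is required: several recipes use `set -o pipefail` and `$(...)`.
SHELL := /usr/bin/env bash
# Delete a target whose recipe failed, so a truncated key, cert or binary is
# never mistaken for an up-to-date one on the next run.
.DELETE_ON_ERROR:
# Without this a bare `make` builds only the first rule in the file
# (bin/session_server); `all` is the documented entry point.
.DEFAULT_GOAL := all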
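# Every binary depends on all Go sources (plus go.mod/go.sum when present), so
# editing a file actually triggers a rebuild; the previous rules had no
# prerequisites, so a binary was never rebuilt once it existed. Packages are
# built by import path (./cmd/...) rather than by naming main.go, so any
# sibling files in the package are compiled too.
GO_SRCS := $(shell find . -name '*.go' -not -path './vendor/*')
GO_DEPS := $(GO_SRCS) $(wildcard go.mod go.sum)

bin/session_server: $(GO_DEPS)
	@mkdir -p $(@D)
	go build -o $@ ./cmd/session_token/server

bin/gh_server: $(GO_DEPS)
	@mkdir -p $(@D)
	go build -o $@ ./cmd/gh/server

bin/proxy_server: $(GO_DEPS)
	@mkdir -p $(@D)
	go build -o $@ ./cmd/proxy/server

.PHONY: build_server
build_server: bin/session_server bin/gh_server bin/proxy_server

bin/session_client: $(GO_DEPS)
	@mkdir -p $(@D)
	go build -o $@ ./cmd/session_token/client

bin/gh_client: $(GO_DEPS)
	@mkdir -p $(@D)
	go build -o $@ ./cmd/gh/client

bin/proxy_client: $(GO_DEPS)
	@mkdir -p $(@D)
	go build -o $@ ./cmd/proxy/client

.PHONY: build_client
build_client: bin/session_client bin/gh_client bin/proxy_client

.PHONY: build
build: build_server build_client

.PHONY: all
all: build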
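.PHONY: clean
# Remove built binaries. $(RM) is `rm -f`, so an already-empty bin/ (or a
# second `make clean`) no longer fails the recipe.
clean:
	$(RM) bin/*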
# Flags for `go test`: coverage summary, per-package 60s deadline, verbose output.
GOTEST_FLAGS := -cover -timeout 60s -v

.PHONY: test
# Run every package's tests; a failing test fails the recipe.
test:
	go test $(GOTEST_FLAGS) ./...
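#### Keygen
# Throwaway key material for the demo clients and servers. The SSH-style keys
# are generated without a passphrase (-N "") so the clients can load them
# unattended; treat keys/ as dev-only and keep it out of version control.
KEYS_DIR := keys

$(KEYS_DIR):
	mkdir -p $@

# The directory is an order-only (|) prerequisite on purpose. As a normal
# prerequisite its mtime advances every time a sibling key is written, so on
# the next `make all_keys` the earlier keys look stale: aes.key would be
# silently regenerated (orphaning every token encrypted under the old key)
# and ssh-keygen would stop on its "Overwrite (y/n)?" prompt.
# `umask 077` keeps the openssl-written keys 0600 instead of the default
# world-readable mode (ssh-keygen already creates its private key 0600), and
# writing to a temp file then renaming means a failed run cannot leave a
# short key behind.
$(KEYS_DIR)/aes.key: | $(KEYS_DIR)
	umask 077 && openssl rand -out $@.tmp 32 && mv -f $@.tmp $@

# Also writes $@.pub, which is not tracked as a target.
$(KEYS_DIR)/id_rsa: | $(KEYS_DIR)
	ssh-keygen -t rsa -N "" -b 4096 -f $@

$(KEYS_DIR)/id_ecdsa: | $(KEYS_DIR)
	ssh-keygen -t ecdsa -N "" -b 256 -f $@

# 32 random bytes, base64-encoded (with openssl's trailing newline, as before).
$(KEYS_DIR)/hmac.key: | $(KEYS_DIR)
	umask 077 && openssl rand -base64 -out $@.tmp 32 && mv -f $@.tmp $@

.PHONY: all_keys
all_keys: $(KEYS_DIR)/aes.key $(KEYS_DIR)/id_rsa $(KEYS_DIR)/id_ecdsa $(KEYS_DIR)/hmac.key

.PHONY: clean_keys
# Removes the .pub files as well.
clean_keys:
	$(RM) $(KEYS_DIR)/*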
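# Flags shared by every *_server run target. `?=` so they can be overridden
# from the environment as well as the command line (e.g. SERVER_ARGS='--log-level debug').
SERVER_ARGS ?= --log-level info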
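### SessionToken
.PHONY: session_server
# Run the session-token server with the 32-byte key from keys/aes.key, piping
# its JSON log lines through jq. `set -o pipefail` makes the recipe report the
# server's exit status instead of jq's, so a server that dies at startup no
# longer looks like a clean exit.
session_server: bin/session_server keys/aes.key
	set -o pipefail; $< $(SERVER_ARGS) --session-token-encryption-key keys/aes.key | jq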
.PHONY: session_client
# Exercise the session-token client once per supported signing algorithm,
# each with a matching key from keys/. The runs are sequential and the
# recipe stops at the first one that fails. Requires session_server to be
# reachable (not expressed as a prerequisite; start it separately).
session_client: bin/session_client keys/id_rsa keys/hmac.key keys/id_ecdsa
	$< --key ./keys/id_ecdsa --key-algo ecdsa-p256-sha256
	$< --key ./keys/hmac.key --key-algo hmac-sha256
	$< --key ./keys/id_rsa   --key-algo rsa-pss-sha512
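### GitHub
# GitHub usernames the server accepts; override with e.g.
# `make gh_server GH_USERNAMES=alice`. NOTE(review): the separator for several
# names is whatever bin/gh_server parses — not visible here.
GH_USERNAMES ?= micahhausler

.PHONY: gh_server
# Run the GitHub server, piping its JSON log lines through jq. `set -o pipefail`
# makes the recipe report the server's exit status rather than jq's.
gh_server: bin/gh_server
	set -o pipefail; $< $(SERVER_ARGS) --usernames $(GH_USERNAMES) | jq .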
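# Private key registered with your GitHub account. `?=` so it can be set from
# the environment as well as the command line (the echo below already asks
# for that, but `:=` ignored an exported GH_KEY). Deliberately unquoted where
# it is used: the shell must expand the leading `~`.
# This hands a real GitHub private key to the demo client (and to proxy_client);
# point it at a dedicated key if you would rather not.
GH_KEY ?= ~/.ssh/id_rsa

.PHONY: gh_client
gh_client: bin/gh_client
	@echo "Set GH_KEY to the path of your private key registered with GitHub"
	$< --key $(GH_KEY)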
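### Proxy
# Self-signed serving certificate for the local proxy. Dev only: 10-year
# lifetime, unencrypted key (so the server starts unattended), SAN pinned to
# "kubernetes"/127.0.0.1. Key and certificate are separate targets so that
# each file is a genuine make output: previously the key was a side effect of
# the cert rule, so a missing key was never regenerated. `umask 077` keeps the
# key 0600. Output is identical to the old
# `openssl req -x509 -newkey rsa:2048 -nodes ...` form.
mount/server-key.pem:
	@mkdir -p $(@D)
	umask 077 && openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 -out $@

# A new key implies a new certificate. -addext needs OpenSSL >= 1.1.1.
mount/server-cert.pem: mount/server-key.pem
	openssl req -x509 -new \
		-key $< \
		-out $@ \
		-sha256 \
		-days 3650 \
		-subj "/CN=kubernetes" \
		-addext "subjectAltName=DNS:kubernetes,IP:127.0.0.1"

.PHONY: certs
certs: mount/server-cert.pem

.PHONY: clean-certs
# Also removes the front-proxy-client.{crt,key} copied out of the kind node.
clean-certs:
	$(RM) mount/*.pem mount/*.key mount/*.crt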
# kind cluster definition used by the `kind` target.
KIND_CONFIG := kind.yaml

.PHONY: kind
# Create the local kind cluster (verbosity 2). Not a prerequisite of anything:
# it is phony, so listing it would recreate the cluster on every run.
kind:
	kind create cluster --config $(KIND_CONFIG) -v2
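# Reuse the kind control plane's front-proxy-client cert and key as the
# proxy's client credential; a real deployment would issue a unique client
# cert instead. This copies a private key out of the node into mount/, which
# presumably is a host mount of the node's /mount (see kind.yaml) — treat
# mount/ as sensitive and keep it out of git. Needs a running cluster
# (`make kind`). The key is its own target so a missing key is re-copied, and
# the cert depends on it so `proxy_server` (which lists only the .crt) still
# gets both. No `-it`: `cp` needs no TTY, and `-t` fails without one (CI).
mount/front-proxy-client.key:
	@mkdir -p $(@D)
	docker exec kind-control-plane cp /etc/kubernetes/pki/$(@F) /mount/$(@F)

mount/front-proxy-client.crt: mount/front-proxy-client.key
	docker exec kind-control-plane cp /etc/kubernetes/pki/$(@F) /mount/$(@F)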
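# Minimal kubeconfig whose only cluster is the local proxy. A real file target
# with no prerequisites: written once, delete it to regenerate. No
# certificate-authority is set on the cluster entry, so plain kubectl would
# reject the self-signed mount/server-cert.pem; add
#   --embed-certs --certificate-authority=./mount/server-cert.pem
# to set-cluster if that is wanted. NOTE(review): how proxy_client verifies
# the proxy's certificate is not visible here — confirm it is not skipping
# TLS verification before reusing this file anywhere else.
kubeconfig:
	KUBECONFIG=$@ kubectl config set-cluster kind-proxy --server=https://127.0.0.1:9091
	KUBECONFIG=$@ kubectl config set-credentials kind-proxy
	KUBECONFIG=$@ kubectl config set-context kind-proxy --cluster=kind-proxy --user=kind-proxy
	KUBECONFIG=$@ kubectl config set current-context kind-proxy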
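# Was `.PHONY: proxy`, which names no rule; the target is proxy_server.
.PHONY: proxy_server
# Run the proxy in front of the kind apiserver, authenticating with the
# front-proxy-client credentials copied from the node. The backend is whatever
# cluster the *current* kubectl context points at — only correct while that
# context is the kind cluster (presumably `kind-kind`); against any other
# apiserver the copied credentials are meaningless. Pin it if you keep several
# contexts, e.g. `kubectl config view --minify --context kind-kind ...`.
# No --server-cert/--server-key flag is passed; presumably the server reads
# mount/server-{cert,key}.pem itself — confirm. `set -o pipefail` reports the
# server's exit status rather than jq's.
proxy_server: mount/server-cert.pem mount/front-proxy-client.crt bin/proxy_server
	set -o pipefail; ./bin/proxy_server \
		--client-cert mount/front-proxy-client.crt \
		--client-key mount/front-proxy-client.key \
		--backend "$$(kubectl config view --minify -o jsonpath='{.clusters[0].cluster.server}')" | jq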
# Flags for the proxy client: maximum verbosity, the GitHub private key, and
# the generated kubeconfig that points at the local proxy. At -v 99 the output
# presumably includes everything the client sees, so do not paste it anywhere
# public.
PROXY_CLIENT_FLAGS = -v 99 --key $(GH_KEY) --kubeconfig ./kubeconfig

.PHONY: proxy_client
# Run the proxy client; proxy_server must already be listening on 127.0.0.1:9091.
proxy_client: kubeconfig bin/proxy_client
	./bin/proxy_client $(PROXY_CLIENT_FLAGS)
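.PHONY: clean-kind
# Tear down the kind cluster; clean-certs runs first and removes the copied
# front-proxy-client key along with the serving cert. $(RM) is `rm -f`, so
# the recipe no longer fails when mount/ holds no .log files.
clean-kind: clean-certs
	kind delete cluster
	$(RM) mount/*.log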
# Only apiserver log lines containing this string are shown.
API_LOG_FILTER := signed

.PHONY: tail-api-logs
# Follow the kube-apiserver container log on the kind control-plane node and
# filter it. The glob is expanded by /bin/sh inside the node. `-it` is kept
# from the original, presumably so Ctrl-C reaches `tail -f` in the container.
tail-api-logs:
	docker exec -it kind-control-plane /bin/sh -c 'tail -f /var/log/containers/kube-apiserver-*' | grep $(API_LOG_FILTER)