chore: add current provisioning state before migration

This commit is contained in:
Jesús Pérez 2025-09-22 23:11:41 +01:00
parent a9703b4748
commit 50745b0f22
660 changed files with 88126 additions and 0 deletions


@ -0,0 +1,50 @@
#!/bin/bash
{# LIST="
/etc/etcd
/etc/ssl/etcd
{{data_dir}}
"
#}
{# KLOUDS_ETC_PATH=${KLOUDS_ETC_PATH:-{{klouds_etc_path | default(value="/etc/klouds")}}}
KLOUDS_LIB_PATH=${KLOUDS_LIB_PATH:-{{klouds_lib_path | default(value="/var/lib/klouds")}}}
KLOUDS_SAVE_PATH=${KLOUDS_SAVE_PATH:-{{klouds_save_path | default(value="/var/lib/klouds/save")}}}
[ -r "$KLOUDS_ETC_PATH/backup_env" ] && . "$KLOUDS_ETC_PATH/backup_env"
#}
_etcd_cmd() {
sudo etcdctl \
--endpoints {{taskserv.etcd_protocol}}://{{taskserv.peer_ip}}:{{taskserv.peer_port}} \
{% if taskserv.ssl_mode != "" -%}
--cacert /etc/ssl/etcd/ca.crt \
--cert /etc/ssl/etcd/{{taskserv.cluster_name}}.crt \
--key /etc/ssl/etcd/{{taskserv.cluster_name}}.key \
{%- endif %}
$*
}
_make_snapshot() {
[ -z "$1" ] && echo "No path to create etcd snapshot" && exit 1
_etcd_cmd snapshot save "$1"
}
_verify_snapshot() {
[ -z "$1" ] && echo "No path to verify etcd snapshot" && exit 1
[ -r "$1" ] && echo "No path fount to verify etcd snapshot" && exit 1
_etcd_cmd --write-out=table snapshot status "$1"
}
_service_backup_verify() {
_verify_snapshot $1
return 0
}
_service_backup() {
_make_snapshot $1
return 0
}
_service_restore() {
return 0
}
{# local has_run="$(type -t _run_init)"
[ -n "$has_run" ] && _run_init
#}
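Review bot: The readability check in `_verify_snapshot` is inverted — `[ -r "$1" ] && echo ... && exit 1` aborts exactly when the snapshot file exists and is readable, so `snapshot status` is never reached for a valid file; it should read `[ ! -r "$1" ] && echo "No snapshot found to verify at $1" >&2 && exit 1` (which also fixes the "fount" typo). `_etcd_cmd` forwards its arguments with an unquoted `$*`, which re-splits any argument containing whitespace before it reaches `etcdctl`; `"$@"` preserves the original words, and the same applies to the closing `$*` of the etcdctl.sh wrapper added in this commit. The callers `_service_backup_verify` and `_service_backup` likewise pass `$1` unquoted, so a snapshot path with spaces breaks before the helper's own check runs.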


@ -0,0 +1,3 @@
#!/bin/bash
[ -z "$1" ] || [ ! -r "$1" ] && echo "Cert file $1 not found" && exit 1
openssl x509 -in "$1" -text -noout


@ -0,0 +1,75 @@
PROV_PATH={{taskserv.prov_path}}
USE_LOCALHOST={{taskserv.use_localhost}}
{% if taskserv.domain_name == "$defaults" or taskserv.domain_name == "" -%}
DOMAIN_NAME={{server.main_domain}}
{%- elif taskserv.domain_name == "$server" -%}
{%- if server.main_domain == "$default" -%}
DOMAIN_NAME={{server.main_domain}}
{%- else %}
DOMAIN_NAME={{server.main_domain}}
{%- endif %}
{%- else %}
DOMAIN_NAME={{taskserv.domain_name}}
{%- endif %}
DISCOVERY_SRV={{taskserv.discovery_srv}}
USE_DNS={{taskserv.use_dns}}
ETCD_VERSION="v{{taskserv.version}}"
{% if taskserv.name == "$hostname" %}
ETCD_NAME="{{server.hostname}}"
{%- else %}
ETCD_NAME="{{taskserv.name}}"
{%- endif %}
ETCD_CN="{{taskserv.cn}}"
ETCD_C="{{taskserv.c}}"
ETCD_PROTOCOL="{{taskserv.etcd_protocol}}"
ETCD_PORT="{{taskserv.peer_port}}"
SSL_MODE="{{taskserv.ssl_mode}}"
SIGNATURE="{{taskserv.ssl_sign}}"
CA_SIGNATURE="{{taskserv.ca_sign}}"
SSL_CURVE="{{taskserv.ssl_curve}}"
SIGN_LONG="{{taskserv.long_sign}}"
SIGN_CIPHER="{{taskserv.cipher}}"
SIGN_DAYS="{{taskserv.sign_days}}"
CA_SIGN_DAYS="{{taskserv.ca_sign_days}}"
SIGN_SHA="{{taskserv.sign_sha}}"
SOURCE_URL="{{taskserv.source_url}}"
{% if taskserv.peer_ip == "$network_private_ip" %}
ETCD_LISTEN_PEER_URLS="{{taskserv.etcd_protocol}}://{{server.network_private_ip}}:{{taskserv.peer_port}}"
ETCD_INITIAL_ADVERTISE_PEER_URLS="{{taskserv.etcd_protocol}}://{{server.network_private_ip}}:{{taskserv.peer_port}}"
{% elif taskserv.peer_ip == "$network_public_ip" and server.ip_addresses.pub -%}
ETCD_LISTEN_PEER_URLS="{{taskserv.etcd_protocol}}://{{server.ip_addresses.pub}}:{{taskserv.peer_port}}"
ETCD_INITIAL_ADVERTISE_PEER_URLS="{{taskserv.etcd_protocol}}://{{server.ip_addresses.pub}}:{{taskserv.peer_port}}"
{%- else %}
ETCD_LISTEN_PEER_URLS="{{taskserv.etcd_protocol}}://{{taskserv.peer_ip}}:{{taskserv.peer_port}}"
ETCD_INITIAL_ADVERTISE_PEER_URLS="{{taskserv.etcd_protocol}}://{{taskserv.peer_ip}}:{{taskserv.peer_port}}"
{%- endif %}
{% if taskserv.cli_ip == "$network_private_ip" %}
ETCD_LISTEN_CLIENT_URLS="{{taskserv.etcd_protocol}}://{{server.network_private_ip}}:{{taskserv.cli_port}}"
ETCD_ADVERTISE_CLIENT_URLS="{{taskserv.etcd_protocol}}://{{server.network_private_ip}}:{{taskserv.cli_port}}"
{% elif taskserv.cli_ip == "$network_public_ip" and server.ip_addresses.pub -%}
ETCD_LISTEN_CLIENT_URLS="{{taskserv.etcd_protocol}}://{{server.ip_addresses.pub}}:{{taskserv.cli_port}}"
ETCD_ADVERTISE_CLIENT_URLS="{{taskserv.etcd_protocol}}://{{server.ip_addresses.pub}}:{{taskserv.cli_port}}"
{%- else %}
ETCD_LISTEN_CLIENT_URLS="{{taskserv.etcd_protocol}}://{{taskserv.cli_ip}}:{{taskserv.cli_port}}"
ETCD_ADVERTISE_CLIENT_URLS="{{taskserv.etcd_protocol}}://{{taskserv.cli_ip}}:{{taskserv.cli_port}}"
{%- endif %}
ETCD_INITIAL_CLUSTER_TOKEN="{{taskserv.token}}"
ETCD_INITIAL_CLUSTER="{{taskserv.cluster_list}}"
ETCD_TRUSTED_CA_FILE="{{taskserv.certs_path}}/ca.crt"
ETCD_CERT_FILE="{{taskserv.certs_path}}/{{taskserv.cluster_name}}.crt"
ETCD_KEY_FILE="{{taskserv.certs_path}}/{{taskserv.cluster_name}}.key"
ETCD_PEER_CLIENT_CERT_AUTH=true
ETCD_PEER_TRUSTED_CA_FILE="{{taskserv.certs_path}}/ca.crt"
ETCD_PEER_KEY_FILE="{{taskserv.certs_path}}/{{taskserv.name}}.key"
ETCD_PEER_CERT_FILE="{{taskserv.certs_path}}/{{taskserv.name}}.crt"
ETCD_DATA="{{taskserv.data_dir}}"
ETCD_CLUSTER_LIST="{{taskserv.cluster_list}}"
{% if taskserv.use_localhost and taskserv.use_localhost == "true" %}
USE_LOCALHOST="{{taskserv.use_localhost}}"
{%- endif %}
PROVISION_PATH="{{taskserv.prov_path}}"
CLUSTER_NAME="{{taskserv.cluster_name}}"
SOURCE_NAME="{{taskserv.cluster_name}}.{{taskserv.domain_name}}"
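Review bot: `ETCD_PEER_KEY_FILE` and `ETCD_PEER_CERT_FILE` interpolate `{{taskserv.name}}` raw, while `ETCD_NAME` a few lines above resolves the `$hostname` sentinel to `{{server.hostname}}`; with that sentinel configured the peer key path renders as `.../$hostname.key`, which cannot exist. Since this file is sourced by install-etcd.sh, the already-resolved value can simply be reused: `ETCD_PEER_KEY_FILE="{{taskserv.certs_path}}/${ETCD_NAME}.key"` and `ETCD_PEER_CERT_FILE="{{taskserv.certs_path}}/${ETCD_NAME}.crt"`. `SOURCE_NAME` on the last line has the same problem with `{{taskserv.domain_name}}` — the `DOMAIN_NAME` resolution at the top is not reused, so `SOURCE_NAME="${CLUSTER_NAME}.${DOMAIN_NAME}"` would be consistent. That resolution block itself compares against `"$defaults"` while the nested test uses `"$default"`, and all three of its branches emit `{{server.main_domain}}`, so one spelling is presumably a typo and the inner branch is dead.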


@ -0,0 +1,28 @@
[Unit]
Description=etcd - highly-available key value store
Documentation=https://etcd.io
Documentation=man:etcd
After=network.target
Wants=network-online.target
[Service]
Environment=DAEMON_ARGS=""
Environment=ETCD_CONFIG_FILE={{taskserv.conf_path}}
#Environment=ETCD_NAME=%H
Environment=ETCD_DATA_DIR={{taskserv.data_dir}}
#EnvironmentFile=-/etc/default/%p
#EnvironmentFile=-/etc/etcd/env
Type=notify
User=etcd
PermissionsStartOnly=true
#ExecStart=/bin/sh -c "GOMAXPROCS=$(nproc) /usr/local/bin/etcd $DAEMON_ARGS"
ExecStart=/usr/local/bin/etcd $DAEMON_ARGS
#Restart=on-abnormal
Restart=always
RestartSec=10s
#LimitNOFILE=65536
LimitNOFILE=4000
[Install]
WantedBy=multi-user.target
Alias=etcd.service
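Review bot: `Wants=network-online.target` is paired only with `After=network.target`, so the unit pulls in network-online.target but is not ordered after it; for a daemon that binds configured peer/client addresses at startup this should be `After=network-online.target` (keeping the `Wants=`). `PermissionsStartOnly=true` has no effect here because the unit has no `ExecStartPre=` lines, and the directive is deprecated in current systemd in favour of the `+` prefix on individual `Exec*=` lines, so it can be dropped. The service runs as `User=etcd` but carries no sandboxing; `NoNewPrivileges=true`, `ProtectSystem=strict` and `ReadWritePaths={{taskserv.data_dir}}` would confine a compromised etcd process to its data directory. `Alias=etcd.service` names the unit itself and adds nothing, so it is presumably a leftover.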


@ -0,0 +1,217 @@
# This is the configuration file for the etcd server.
# Human-readable name for this member.
{% if taskserv.etcd_name == "$hostname" %}
name: '{{server.hostname}}'
{%- else %}
name: '{{taskserv.etcd_name}}'
{%- endif %}
# Path to the data directory.
data-dir: {{taskserv.data_dir}}
#/var/lib/etcd
# Path to the dedicated wal directory.
wal-dir:
# Number of committed transactions to trigger a snapshot to disk.
snapshot-count: 10000
# Time (in milliseconds) of a heartbeat interval.
heartbeat-interval: 100
# Time (in milliseconds) for an election to timeout.
election-timeout: 1000
# Raise alarms when backend size exceeds the given quota. 0 means use the
# default quota.
quota-backend-bytes: 0
{% set str_peer_port = "" ~ taskserv.peer_port %}
{% set str_cli_port = "" ~ taskserv.cli_port %}
# List of comma separated URLs to listen on for peer traffic.
listen-peer-urls: "{%- if taskserv.listen_peers is containing("$network_private_ip") -%}
{{taskserv.etcd_protocol}}://{{ taskserv.listen_peers | replace(from="$servers:$network_private_ip",to=server.network_private_ip) | replace(from="$peer_port", to=str_peer_port)}}
{%- elif taskserv.listen_peers is containing("$network_public_ip") -%}
{{taskserv.etcd_protocol}}://{{ taskserv.listen_peers | replace(from="$servers:$network_public_ip",to=server.ip_addresses.pub) | replace(from="$peer_port", to=str_peer_port)}}
{%- else -%}
{{taskserv.etcd_protocol}}://{{ taskserv.listen_peers | replace(from="$servers",to=server.hostname) | replace(from="$peer_port", to=str_peer_port)}}
{%- endif %}"
# List of comma separated URLs to listen on for client traffic.
listen-client-urls: "{%- if taskserv.listen_clients is containing("$network_private_ip") -%}
{{taskserv.etcd_protocol}}://{{ taskserv.listen_clients | replace(from="$servers:$network_private_ip",to=server.network_private_ip) | replace(from="$cli_port", to=str_cli_port)}}
{%- elif taskserv.listen_clients is containing("$network_public_ip") -%}
{{taskserv.etcd_protocol}}://{{ taskserv.listen_clients | replace(from="$servers:$network_public_ip",to=server.ip_addresses.pub) | replace(from="$cli_port", to=str_cli_port)}}
{%- else -%}
{{taskserv.etcd_protocol}}://{{ taskserv.listen_clients | replace(from="$servers",to=server.hostname) | replace(from="$cli_port", to=str_cli_port)}}
{%- endif %}"
# Maximum number of snapshot files to retain (0 is unlimited).
max-snapshots: 5
# Maximum number of wal files to retain (0 is unlimited).
max-wals: 5
# Comma-separated white list of origins for CORS (cross-origin resource sharing).
cors:
# List of this member's peer URLs to advertise to the rest of the cluster.
# The URLs needed to be a comma-separated list.
initial-advertise-peer-urls: "{%- if taskserv.adv_listen_peers is containing("$network_private_ip") -%}
{{taskserv.etcd_protocol}}://{{ taskserv.adv_listen_peers | replace(from="$servers:$network_private_ip",to=server.network_private_ip) | replace(from="$peer_port", to=str_peer_port)}}
{%- elif taskserv.adv_listen_peers is containing("$network_public_ip") -%}
{{taskserv.etcd_protocol}}://{{ taskserv.adv_listen_peers | replace(from="$servers:$network_public_ip",to=server.ip_addresses.pub) | replace(from="$peer_port", to=str_peer_port)}}
{%- else -%}
{{taskserv.etcd_protocol}}://{{ taskserv.adv_listen_peers | replace(from="$servers",to=server.hostname) | replace(from="$peer_port", to=str_peer_port)}}
{%- endif %}"
# List of this member's client URLs to advertise to the public.
# The URLs needed to be a comma-separated list.
advertise-client-urls: "{%- if taskserv.adv_listen_clients is containing("$network_private_ip") -%}
{{taskserv.etcd_protocol}}://{{ taskserv.adv_listen_clients | replace(from="$servers:$network_private_ip",to=server.network_private_ip) | replace(from="$cli_port", to=str_cli_port)}}
{%- elif taskserv.adv_listen_clients is containing("$network_public_ip") -%}
{{taskserv.etcd_protocol}}://{{ taskserv.adv_listen_clients | replace(from="$servers:$network_public_ip",to=settings[loop.index0].ip_addresses.pub) | replace(from="$cli_port", to=str_cli_port)}}
{%- else -%}
{{taskserv.etcd_protocol}}://{{ taskserv.adv_listen_clients | replace(from="$servers",to=server.hostname) | replace(from="$cli_port", to=str_cli_port)}}
{%- endif %}"
# Discovery URL used to bootstrap the cluster.
discovery: {{discovery_url | default(value="")}}
# Valid values include 'exit', 'proxy'
discovery-fallback: 'proxy'
# HTTP proxy to use for traffic to discovery service.
discovery-proxy:
# DNS domain used to bootstrap initial cluster.
discovery-srv: {{taskserv.discovery_srv | default(value="")}}
# Initial cluster configuration for bootstrapping.
initial-cluster: "{%- if taskserv.initial_peers is starting_with("$servers") -%}
{%- for srv in defs.servers %}
{%- set srv_index = loop.index -%}
{%- for task in srv.taskservs -%}
{%- if task.name != "etcd" -%}{% continue %}{% endif %}
{%- if srv_index > 1 -%},{%- endif -%}
{%- if taskserv.initial_peers is containing("$network_private_ip") -%}
{{ srv.hostname }}={{taskserv.etcd_protocol}}://{{ taskserv.initial_peers | replace(from="$servers:$network_private_ip",to=srv.network_private_ip) | replace(from="$peer_port", to=str_peer_port)}}
{%- elif task.initial_peers is containing("$network_public_ip") -%}
{{ srv.hostname }}={{taskserv.etcd_protocol}}://{{ taskserv.initial_peers | replace(from="$servers:$network_public_ip",to=settings[loop.index0].ip_addresses.pub) | replace(from="$peer_port", to=str_peer_port)}}
{%- else -%}
{%- set full_hostname = srv.hostname ~ "." ~ taskserv.domain_name -%}
{{ srv.hostname }}={{taskserv.etcd_protocol}}://{{ taskserv.initial_peers | replace(from="$servers",to=full_hostname) | replace(from="$peer_port", to=str_peer_port)}}
{%- endif -%}
{% break %}
{%- endfor -%}
{%- endfor -%}
{%- else -%}
{{taskserv.cluster_list}}
{%- endif -%}"
{# {%- endif %} #}
# Initial cluster token for the etcd cluster during bootstrap.
initial-cluster-token: 'etcd-{{taskserv.cluster_name}}-cluster'
# Initial cluster state ('new' or 'existing').
#initial-cluster-state: {% if pos.server == 0 %} 'new' {% else %} 'existing'{% endif %}
initial-cluster-state: new
# Reject reconfiguration requests that would cause quorum loss.
strict-reconfig-check: false
# Enable runtime profiling data via HTTP server
enable-pprof: true
# Valid values include 'on', 'readonly', 'off'
proxy: 'off'
# Time (in milliseconds) an endpoint will be held in a failed state.
proxy-failure-wait: 5000
# Time (in milliseconds) of the endpoints refresh interval.
proxy-refresh-interval: 30000
# Time (in milliseconds) for a dial to timeout.
proxy-dial-timeout: 1000
# Time (in milliseconds) for a write to timeout.
proxy-write-timeout: 5000
# Time (in milliseconds) for a read to timeout.
proxy-read-timeout: 0
{% if taskserv.ssl_mode != "" -%}
client-transport-security:
# Path to the client server TLS cert file.
cert-file: {{taskserv.certs_path}}/{{taskserv.cluster_name}}.crt
# Path to the client server TLS key file.
key-file: {{taskserv.certs_path}}/{{taskserv.cluster_name}}.key
# Enable client cert authentication.
client-cert-auth: false
# Path to the client server TLS trusted CA cert file.
trusted-ca-file: {{taskserv.certs_path}}/ca.crt
# Client TLS using generated certificates
auto-tls: false
peer-transport-security:
{% if taskserv.hostname == "$hostname" %}
# Path to the peer server TLS cert file.
cert-file: {{taskserv.certs_path}}/{{server.hostname}}.crt
# Path to the peer server TLS key file.
key-file: {{taskserv.certs_path}}/{{server.hostname}}.key
{%- else %}
name: '{{taskserv.hostname}}'
# Path to the peer server TLS cert file.
cert-file: {{taskserv.certs_path}}/{{hostname}}.crt
# Path to the peer server TLS key file.
key-file: {{taskserv.certs_path}}/{{hostname}}.key
{%- endif %}
# Enable peer client cert authentication.
client-cert-auth: false
# Path to the peer server TLS trusted CA cert file.
trusted-ca-file: {{taskserv.certs_path}}/ca.crt
# Peer TLS using generated certificates.
auto-tls: false
# Allowed CN for inter peer authentication.
allowed-cn:
# Allowed TLS hostname for inter peer authentication.
allowed-hostname:
# The validity period of the self-signed certificate, the unit is year.
self-signed-cert-validity: 1
{%- endif %}
# Enable debug-level logging for etcd.
debug: false
logger: zap
# Specify 'stdout' or 'stderr' to skip journald logging even when running under systemd.
log-outputs: ['{{taskserv.log_out| default(value="stdout")}}']
log-level: '{{taskserv.log_level | default(value="warn")}}'
# Force to create a new one member cluster.
force-new-cluster: false
auto-compaction-mode: periodic
auto-compaction-retention: "1"
# Limit etcd to a specific set of tls cipher suites
cipher-suites: [
TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,
TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
]
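Review bot: Both `client-cert-auth: false` entries (under `client-transport-security` and `peer-transport-security`) disable certificate authentication of clients and peers, while `env-etcd` in this commit sets `ETCD_PEER_CLIENT_CERT_AUTH=true`; because the unit starts etcd with `ETCD_CONFIG_FILE` and etcd ignores flags and environment once a config file is supplied, the YAML value wins and peers speak TLS without mutual authentication. For the peer section at least this should be `client-cert-auth: true` — the peer certificates rendered from openssl.conf.tpl already carry `clientAuth` — and `allowed-cn:` should then be populated rather than left empty. `enable-pprof: true` exposes the Go profiler on the client URLs and `strict-reconfig-check: false` permits membership changes that lose quorum; both are debugging conveniences that should default off in a rendered production config. Separately, the `peer-transport-security` else-branch emits a stray `name:` key and uses a bare `{{hostname}}` rather than `{{taskserv.hostname}}`, and the `advertise-client-urls` public-IP branch references `settings[loop.index0]` outside any loop — both look like undefined template variables that will fail to render or render wrongly.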


@ -0,0 +1,28 @@
#!/bin/bash
[ -z "$1" ] && echo "No arguments for etcdctl " && exit 1
{% set str_cli_port = "" ~ taskserv.cli_port %}
etcdctl \
--endpoints {% if taskserv.adv_listen_clients is starting_with("$servers") -%}
{%- for srv in defs.servers %}
{%- set srv_index = loop.index -%}
{%- for task in srv.taskservs -%}
{%- if task.name != "etcd" -%}{% continue %}{% endif %}
{%- if srv_index > 1 -%},{%- endif -%}
{%- if taskserv.adv_listen_clients is containing("$network_private_ip") -%}
{{taskserv.etcd_protocol}}://{{ taskserv.adv_listen_clients | replace(from="$servers:$network_private_ip",to=srv.network_private_ip) | replace(from="$cli_port", to=str_cli_port)}}
{%- elif taskserv.adv_listen_clients is containing("$network_public_ip") -%}
{{taskserv.etcd_protocol}}://{{ taskserv.adv_listen_clients | replace(from="$servers:$network_public_ip",to=settings[loop.index0].ip_addresses.pub) | replace(from="$cli_port", to=str_cli_port)}}
{%- else -%}
{{taskserv.etcd_protocol}}://{{ taskserv.adv_listen_clients | replace(from="$servers",to=srv.hostname) | replace(from="$cli_port", to=str_cli_port)}}
{%- endif -%}
{%- endfor -%}
{%- endfor -%}
{%- else -%}
{{taskserv.adv_listen_clients}}
{%- endif %} \
{% if taskserv.ssl_mode != "" -%}
--cacert /etc/ssl/etcd/ca.crt \
--cert /etc/ssl/etcd/{{taskserv.cluster_name}}.crt \
--key /etc/ssl/etcd/{{taskserv.cluster_name}}.key \
{%- endif %}
$*
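Review bot: The `$network_public_ip` branch of the endpoint list substitutes `settings[loop.index0].ip_addresses.pub`, while the sibling private-IP branch uses the loop variable `srv.network_private_ip`; `settings` is not defined anywhere in this template, so the intended value is presumably `srv.ip_addresses.pub`, matching how `env-etcd` reads `server.ip_addresses.pub`. The inner `taskservs` loop also never `{% break %}`s after the first `etcd` task (the `initial-cluster` block in etcd.yaml does), so a server with more than one etcd taskserv would emit duplicate endpoints without a separating comma, since the comma is keyed on `srv_index` alone. The missing-argument message should go to stderr, `echo "No arguments for etcdctl" >&2`, so it does not end up in output a caller captures.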


@ -0,0 +1,149 @@
#!/bin/bash
# Info: Script to install/create/delete/update etcd from file settings
# Author: JesusPerezLorenzo
# Release: 1.0
# Date: 12-11-2024
USAGE="install-etcd.sh install | update | remvoe"
[ "$1" == "-h" ] && echo "$USAGE" && exit 1
[ -r "env-etcd" ] && . ./env-etcd
ARCH="$(uname -m | sed -e 's/x86_64/amd64/' -e 's/\(arm\)\(64\)\?.*/\1\2/' -e 's/aarch64$/arm64/')"
CMD_TSK=${1:-install}
#[ -z "$ETCD_VERSION" ] && echo "No ETCD_VERSION found " && exit
HOSTNAME=$(hostname)
export LC_CTYPE=C.UTF-8
export LANG=C.UTF-8
[ ! -d "/etc/etcd" ] && sudo mkdir /etc/etcd
_init() {
[ -z "$ETCD_VERSION" ] || [ -z "$ARCH" ] && exit 1
local curr_vers
local has_etcd
has_etcd=$(type etcd 2>/dev/null)
[ -n "$has_etcd" ] && curr_vers="v"$(etcd -version 2>/dev/null | grep etcd | cut -f2 -d":" | sed 's/ //g')
[ "$curr_vers" == "$ETCD_VERSION" ] && return
# choose either URL
GOOGLE_URL=https://storage.googleapis.com/etcd
GITHUB_URL=https://github.com/etcd-io/etcd/releases/download
case "$SOURCE_URL" in
google) DOWNLOAD_URL=${GOOGLE_URL} ;;
github) DOWNLOAD_URL=${GITHUB_URL} ;;
esac
rm -f "/tmp/etcd-${ETCD_VERSION}-${ARCH}.tar.gz"
[ -d "/tmp/etcd-download" ] && rm -rf /tmp/etcd-download
mkdir -p /tmp/etcd-download
if ! curl -fsSL "${DOWNLOAD_URL}/${ETCD_VERSION}/etcd-${ETCD_VERSION}-linux-${ARCH}.tar.gz" -o "/tmp/etcd-${ETCD_VERSION}-${ARCH}.tar.gz" ; then
echo "Error downloading etcd-${ETCD_VERSION}-${ARCH}.tar.gz"
exit 1
fi
if ! tar xzf "/tmp/etcd-${ETCD_VERSION}-${ARCH}.tar.gz" -C /tmp/etcd-download --strip-components=1 ; then
echo "Error extracting etcd-${ETCD_VERSION}-${ARCH}.tar.gz"
exit 1
fi
rm -f "/tmp/etcd-${ETCD_VERSION}-${ARCH}.tar.gz"
chmod +x /tmp/etcd-download/etcd
chmod +x /tmp/etcd-download/etcdctl
sudo mv /tmp/etcd-download/etcd /usr/local/bin
sudo mv /tmp/etcd-download/etcdctl /usr/local/bin
sudo mv /tmp/etcd-download/etcdutl /usr/local/bin
sudo mv /tmp/etcd-download /etc/etcd/"${ETCD_VERSION}"
# start a local etcd server
# /tmp/etcd-download/etcd
# write,read to etcd
# /tmp/etcd-download/etcdctl --endpoints=localhost:2379 put foo bar
# /tmp/etcd-download/etcdctl --endpoints=localhost:2379 get foo
}
_config_etcd() {
[ ! -d "/etc/etcd" ] && sudo mkdir /etc/etcd
has_user=$(sudo grep etcd /etc/passwd)
[ -z "$has_user" ] && sudo useradd -d /home/etcd -m etcd
[ ! -d "/etc/ssl/etcd" ] && sudo mkdir -p /etc/ssl/etcd
sudo cp certs/* /etc/ssl/etcd
sudo chown -R etcd:etcd /etc/ssl/etcd
[ ! -d "${ETCD_DATA}" ] && sudo mkdir -p "${ETCD_DATA}"
sudo chown -R etcd:etcd "${ETCD_DATA}"
sudo chmod 700 "${ETCD_DATA}"
#[ -r "etcd-sysusers.conf" ] && sudo cp etcd-sysusers.conf /usr/lib/sysusers.d
#[ -r "etcd-tmpfile.conf" ] && sudo cp etcd-tmpfiles.conf /usr/lib/tmpfiles.d
sudo cp etcdctl.sh /etc/etcd/etcdctl.sh
sed 's/, / /g' < etcdctl.sh | sudo tee /etc/etcd/etcdctl.sh &>/dev/null
sudo chmod +x /etc/etcd/etcdctl.sh
sudo cp cert-show.sh /etc/etcd/cert-show.sh
# sudo cp setup.sh /etc/etcd/etcd_setup.sh
sudo cp env-etcd /etc/etcd/env
# [ ! -r "/etc/etcd/config.yaml" ] &&
sed 's/,"/"/g' < etcd.yaml | sudo tee /etc/etcd/config.yaml &>/dev/null
sudo cp etcd.service /lib/systemd/system/etcd.service
#[ ! -L "/etc/systemd/system/etcd.service" ] && sudo ln -s /lib/systemd/system/etcd.service /etc/systemd/system
sudo timeout -k 10 20 systemctl daemon-reload >/dev/null 2>&1
sudo timeout -k 10 20 systemctl enable --now etcd >/dev/null 2>&1
# sudo timeout -k 10 20 systemctl restart etcd >/dev/null 2>&1
# This command sets the cluster to existing for the next start
#sudo sed -i s"/initial-cluster-state: 'new'/initial-cluster-state: 'existing'/"g /etc/etcd/config.yaml
#sudo sed -i s"/ETCD_INITIAL_CLUSTER_STATE=\"new\"/ETCD_INITIAL_CLUSTER_STATE=\"existing\"/"g /etc/etcd/env
}
_stop_resolved() {
sudo timeout -k 10 20 systemctl stop etcd >/dev/null 2>&1
sudo timeout -k 10 20 systemctl disable etcd >/dev/null 2>&1
}
_remove_etcd() {
sudo timeout -k 10 20 systemctl stop etcd >/dev/null 2>&1
sudo timeout -k 10 20 systemctl disable etcd >/dev/null 2>&1
}
_start_etcd() {
sudo timeout -k 10 20 systemctl enable etcd >/dev/null 2>&1
sudo timeout -k 10 20 systemctl start etcd >/dev/null 2>&1
}
_restart_etcd() {
sudo timeout -k 10 20 systemctl restart etcd >/dev/null 2>&1
}
if [ "$CMD_TSK" == "install" ] ; then
if ! _init ; then
echo "error etcd init"
exit 1
fi
# _make_certs
_config_etcd
exit 0
fi
if [ "$CMD_TSK" == "config" ] ; then
if ! _config_etcd ; then
echo "error etcd config"
exit 1
fi
exit
fi
if [ "$CMD_TSK" == "remove" ] ; then
_remove_etcd
exit
fi
if [ "$CMD_TSK" == "update" ] ; then
_restart_etcd && exit 0
fi
if ! _stop_resolved ; then
echo "error etcd stop"
exit 1
fi
if ! _start_etcd ; then
echo "error etcd start"
exit 1
fi
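Review bot: `_init` downloads the release tarball into fixed paths under the world-writable `/tmp` (`/tmp/etcd-download`, `/tmp/etcd-${ETCD_VERSION}-${ARCH}.tar.gz`) and then installs the extracted binaries into `/usr/local/bin` with `sudo` without verifying any checksum or signature, so a tampered mirror or a local user racing those paths can supply the `etcd`/`etcdctl` that the service later runs. The download should land in a `mktemp -d` directory and be checked against the release's published `SHA256SUMS` (shipped next to the tarballs on the GitHub download URL; if the Google bucket lacks it, pin the expected digest in `env-etcd` instead) before the `tar` and `sudo mv` steps, as sketched below. The `case "$SOURCE_URL"` has no default arm, so any other value leaves `DOWNLOAD_URL` empty and `curl` is pointed at `/v…/etcd-…tar.gz`; a `*) echo "Unknown SOURCE_URL: $SOURCE_URL" >&2; exit 1 ;;` arm fails clearly. In `_config_etcd`, `sudo cp certs/* /etc/ssl/etcd` followed only by `chown -R etcd:etcd` leaves the private keys (including `ca.key`, if `prepare` copies it into `certs/`) with whatever mode `cp` inherited, so a `sudo chmod 600 /etc/ssl/etcd/*.key` after the chown is warranted, and `has_user=$(sudo grep etcd /etc/passwd)` matches any account whose line contains "etcd" — `id etcd >/dev/null 2>&1` is the precise test. `_stop_resolved` is a misnomer for a function that stops and disables etcd and is byte-identical to `_remove_etcd`.
```shell
_init() {
  # … unchanged: version detection and DOWNLOAD_URL selection …
  local tmpdir tarball
  tmpdir=$(mktemp -d) || exit 1
  tarball="${tmpdir}/etcd-${ETCD_VERSION}-${ARCH}.tar.gz"
  if ! curl -fsSL "${DOWNLOAD_URL}/${ETCD_VERSION}/etcd-${ETCD_VERSION}-linux-${ARCH}.tar.gz" -o "$tarball" ; then
    echo "Error downloading etcd-${ETCD_VERSION}-${ARCH}.tar.gz" >&2
    rm -rf -- "$tmpdir"
    exit 1
  fi
  # Verify the archive against the published checksums before anything is installed with sudo.
  if ! curl -fsSL "${DOWNLOAD_URL}/${ETCD_VERSION}/SHA256SUMS" -o "${tmpdir}/SHA256SUMS" \
     || ! (cd "$tmpdir" && sha256sum --ignore-missing -c SHA256SUMS >/dev/null) ; then
    echo "Checksum verification failed for etcd-${ETCD_VERSION}-${ARCH}.tar.gz" >&2
    rm -rf -- "$tmpdir"
    exit 1
  fi
  mkdir -p "${tmpdir}/etcd-download"
  if ! tar xzf "$tarball" -C "${tmpdir}/etcd-download" --strip-components=1 ; then
    echo "Error extracting etcd-${ETCD_VERSION}-${ARCH}.tar.gz" >&2
    rm -rf -- "$tmpdir"
    exit 1
  fi
  # … unchanged: chmod +x and sudo mv of the binaries, now from "${tmpdir}/etcd-download" …
  rm -rf -- "$tmpdir"
}
```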


@ -0,0 +1,33 @@
[req]
default_bits = 4096
distinguished_name = req_distinguished_name
req_extensions = v3_req
prompt = no
[req_distinguished_name]
[v3_req]
basicConstraints = CA:FALSE
keyUsage = digitalSignature, keyEncipherment, dataEncipherment
extendedKeyUsage = serverAuth, clientAuth
subjectAltName = @alt_names
[ ssl_client ]
basicConstraints = CA:FALSE
keyUsage = nonRepudiation, digitalSignature, keyEncipherment
extendedKeyUsage = clientAuth, serverAuth
authorityKeyIdentifier=keyid,issuer
subjectAltName = @alt_names
[ ssl_peer ]
basicConstraints = CA:FALSE
keyUsage = nonRepudiation, digitalSignature, keyEncipherment
extendedKeyUsage = clientAuth, serverAuth
authorityKeyIdentifier=keyid,issuer
subjectAltName = @alt_names
[ v3_ca ]
basicConstraints = CA:TRUE
keyUsage = keyCertSign,cRLSign
[alt_names]
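Review bot: `ssl_peer` (and `ssl_client`) set `keyUsage = nonRepudiation, digitalSignature, keyEncipherment`, but `prepare` in this commit signs EC keys with `-extensions ssl_peer` when the signature mode is ECC; RFC 5480 forbids `keyEncipherment` (and `dataEncipherment`, which `v3_req` also sets) in certificates for id-ecPublicKey keys, and strict verifiers reject such certificates. The key usage should follow the key type — `keyUsage = digitalSignature` for ECDSA, adding `keyEncipherment` only for RSA — so either split the sections (for example `ssl_peer_ecc`/`ssl_peer_rsa`) or have `prepare` choose the section from the signature setting. `ssl_client` and `ssl_peer` are otherwise identical, so one can be dropped or the distinction made real (a pure client certificate does not need `serverAuth`). `v3_ca` declares no `subjectKeyIdentifier = hash`, yet the leaf sections request `authorityKeyIdentifier=keyid,issuer`; on OpenSSL versions that do not add an SKI automatically the `keyid` part is silently left out, so adding it to `v3_ca` is cheap insurance.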

463
taskservs/etcd/default/prepare Executable file

@ -0,0 +1,463 @@
#!/usr/bin/env nu
# Info: Prepare for etcd installation
# Author: JesusPerezLorenzo
# Release: 1.0.2
# Date: 26-02-2024
use lib_provisioning/cmd/env.nu *
use lib_provisioning/cmd/lib.nu *
use lib_provisioning/utils/ui.nu *
use lib_provisioning/utils/files.nu find_file
use lib_provisioning/sops *
def get_domain_name [
defs: record
source: string
] {
match $source {
"$defaults" => $defs.server.main_domain,
_ => $source
}
}
def openssl_ecc_cert [
defs: record
src: string
run_root: string
cluster_name: string
hostname: string
signature: string
long_sign: int
] {
let etcd_cn = ( $defs.taskserv.cn | default "")
let ca_signature = ($defs.taskserv.ca_sign | default "")
let ssl_curve = ($defs.taskserv.ssl_curve | default "")
let sign_sha = ($defs.taskserv.sign_sha | default "")
let sign_cipher = ($defs.taskserv.cipher | default "")
let sign_days = ($defs.taskserv.sign_days | default "")
let on_error = { |msg: string|
print $"🛑 (_ansi red)Error(_ansi reset) (_ansi yellow)ECC(_ansi reset): ($msg)"
rm -f ($src | path join "pass")
}
^openssl ecparam -genkey -name $ssl_curve -out ($src | path join $"($cluster_name).key") | ignore
let res = (^openssl req -new $"-SHA($sign_sha)" -key ($src | path join $"($cluster_name).key") -nodes
-out ($src | path join $"($cluster_name).csr")
-subj $"/CN=($etcd_cn)" -config ($src | path join "openssl.conf") -extensions ssl_peer
| complete )
if $res.exit_code != 0 {
do $on_error $"openssl csr error ($res.stdout)"
exit 1
}
let res = (^openssl x509 -req $"-SHA($sign_sha)" -in ($src | path join $"($cluster_name).csr")
-CA ($src | path join "ca.crt") -CAkey ($src | path join "ca.key")
-CAcreateserial -out ($src | path join $"($cluster_name).crt") -days $sign_days
-extensions ssl_peer -extfile ($src | path join "openssl.conf")
| complete )
if $res.exit_code != 0 {
do $on_error $"openssl x509 req error ($res.exit_code)($res.stdout)"
exit 1
}
^openssl ecparam -genkey -name $ssl_curve -out ($src | path join $"($hostname).key") | ignore
let res = (^openssl req -noenc -new $"-SHA($sign_sha)" -key ($src | path join $"($hostname).key")
-nodes -out ($src | path join $"($hostname).csr")
-subj $"/CN=($etcd_cn)" -config ($src | path join "openssl.conf") -extensions ssl_peer | complete )
if res.exit_code != 0 and not ($src | path join $"($hostname).csr" | path exists) {
do $on_error $"🛑 openssl req csr error ($res.exit_code) ($res.stdout)"
exit 1
}
let res = (^openssl x509 -req -noenc $"-SHA($sign_sha)" -in ($src | path join $"($hostname).csr")
-CA ($src | path join "ca.crt") -CAkey ($src | path join "ca.key")
-CAcreateserial -out ($src | path join $"($hostname).crt") -days $sign_days
-extensions ssl_peer -extfile ($src | path join "openssl.conf")
| complete )
if res.exit_code != 0 and not ($src | path join $"($hostname).crt" | path exists) {
do $on_error $"🛑 openssl x509 req error ($res.stdout)"
exit 1
}
}
def openssl_rsa_cert [
defs: record
src: string
run_root: string
cluster_name: string
hostname: string
signature: string
long_sign: int
] {
let etcd_cn = ( $defs.taskserv.cn | default "")
let sign_cipher = ($defs.taskserv.cipher | default "")
let sign_days = ($defs.taskserv.sign_days | default "")
let on_error = { |msg: string|
print $"🛑 (_ansi red)Error(_ansi reset) (_ansi yellow)RSA(_ansi reset): ($msg)"
rm -f ($src | path join "pass")
}
if not ($src | path join "pass" | path exists) { $defs.taskserv.sign_pass | save -f ($src | path join "pass") }
^openssl genrsa -passout $"file:($src | path join "pass")" $sign_cipher -out ($src | path join $"($cluster_name)_p.key") $long_sign
^openssl rsa -in "$src/$cluster_name"_p.key -out ($src | path join $"($cluster_name).key")
if not ($src | path join "openssl.conf" | path exists) {
do $on_error $"openssl.con not found in ($src |path join "openssl.conf")"
exit 1
}
let res = (^openssl req -newkey rsa:($long_sign) -passout $"file:($src | path join "pass")" -key ($src | path join $"($cluster_name).key")
-out ($src | path join $"($cluster_name).csr")
-subj $"/CN=($etcd_cn)" -config ($src | path join "openssl.conf") -extensions ssl_client
| complete)
if $res.exit_code != 0 {
do $on_error $"openssl req error ($res.exit_code) ($res.stdout)"
exit 1
}
print $"openssl gemrsa error ($res.exit_code) ($res.stdout)"
(^openssl x509 -req -in ($src | path join $"($cluster_name).csr") -CA ($src | path join "ca.crt")
-CAkey ($src | path join "ca.key") -out ($src | path join $"($cluster_name).crt") -days $sign_days
-extensions ssl_client -extfile ($src | path join "openssl.conf")
)
let res = (^openssl genrsa -passout $"file:($src | path join "pass")" $sign_cipher
-out ($src | path join $"($hostname)_p.key") $long_sign
| complete)
if $res.exit_code != 0 {
do $on_error $"openssl genrsa error ($res.exit_code) ($res.stdout)"
exit 1
}
^openssl rsa -in ($src | path join $"($hostname)_p.key") -out ($src | path join $"($hostname).key")
if not ($src | path join "openssl.conf" | path exists) {
print $"openssl.con not found in ($src | path join "openssl.conf") "
rm -f ($src | path join "pass")
exit 1
}
let res = (^openssl req -newkey rsa:$long_sign -passout $"file:($src | path join "pass")"
-key ($src | path join $"($hostname).key") -out ($src | path join $"($hostname).csr")
-subj $"/CN=($etcd_cn)" -config ($src | path join "openssl.conf") -extensions ssl_peer
| complete)
if $res.exit_code == 0 {
do $on_error $"openssl req key error ($res.exit_code) ($res.stdout)"
exit 1
}
let res = (^openssl x509 -req -in ($src | path join $"($hostname).csr") -CA ($src | path join "ca.crt") -CAkey ($src | path join "ca.key")
-out ($src | path join $"($hostname).crt") -days $sign_days
-extensions ssl_peer -extfile ($src | path join "openssl.conf")
| complete)
if $res.exit_code != 0 {
do $on_error $"openssl x509 req cst error ($res.exit_code) ($res.stdout)"
exit 1
}
rm -f ($src | path join "pass")
}
def openssl_mode [
defs: record
src: string
run_root: string
cluster_name: string
hostname: string
signature: string
long_sign: int
] {
let etcd_cn = ( $defs.taskserv.cn | default "")
let ca_signature = ($defs.taskserv.ca_sign | default "")
let ssl_curve = ($defs.taskserv.ssl_curve | default "")
let sign_sha = ($defs.taskserv.sign_sha | default "")
let sign_cipher = ($defs.taskserv.cipher | default "")
let sign_days = ($defs.taskserv.sign_days | default "")
let ca_sign_days = ($defs.taskserv.ca_sign_days | default "")
mut openssl = (^bash -c "type -P openssl")
if $openssl == "" {
^sudo apt install openssl -y
$openssl = (^bash -c "type -P openssl")
}
if openssl == "" { print $"openssl not installed " ; exit 1 }
if not ($src | path join "openssl.conf" | path exists) and ($run_root | path join "openssl.conf.tpl" | path exists) {
cp ($run_root | path join "openssl.conf.tpl") ($src | path join "openssl.conf")
if ($src | path join "openssl_conf_alt_names" | path exists ) {
open ($src | path join "openssl_conf_alt_names") -r | save -a ($src | path join "openssl.conf")
}
}
print $"CA signature: ($ca_signature)"
if not ($src | path join "ca.key" | path exists) {
sops_cmd "decrypt" ($src | path join "ca.key") ($src | path join "ca.key") --error_exit
#sudo mv "$src/ca.key.$$" "$src/ca.key"
}
if $ca_signature == "ECC" {
if not ($src | path join "ca.key" | path exists) and not ($src| path join "ca.crt" | path exists) {
^openssl ecparam -genkey -name $ssl_curve -out ($src | path join "ca.key")
let res = (^openssl req -x509 -extensions v3_ca -config ($src | path join "openssl.conf") -new $"-SHA($sign_sha)"
-nodes -key ($src | path join "ca.key") -days $ca_sign_days
-out ($src | path join "ca.crt") -subj $"/CN=($etcd_cn)"
| complete )
if $res.exit_code != 0 {
print $"🛑 openssl key ($ca_signature) error ($res.stdout)"
exit 1
}
}
} else if not ($src | path join "ca.key" | path exists) and not ($src |path join "ca.crt" | path exists) {
$defs.taskserv.sign_pass | save -f ($src | path join "pass")
^openssl genrsa -passout $"file:($src | path join "pass")" $sign_cipher -out ($src | path join "ca_p.key") $long_sign
^openssl rsa -in ($src |path join "ca_p.key") -out ($src | path join "ca.key")
let res = (^openssl req -x509 -extensions v3_ca -config ($src | path join "openssl.conf") -newkey rsa:($long_sign)
-nodes -key ($src | path join "ca.key") -days $sign_days -out ($src | path join "ca.crt") -subj $"CN=($etcd_cn)"
| complete )
if $res.exit_code != 0 {
print $"🛑 openssl ca ($ca_signature) error ($res.stdout)"
exit 1
}
}
print $"Certs signature: ($signature)"
if not ($src | path join $"($cluster_name).crt" | path exists) or not ($src | path join $"($cluster_name).key" | path exists) {
match $signature {
"ECC" => {
(openssl_ecc_cert $defs $src $run_root $cluster_name $hostname $signature $long_sign)
},
_ => {
(openssl_rsa_cert $defs $src $run_root $cluster_name $hostname $signature $long_sign)
},
}
}
copy_certs $defs $src $run_root $cluster_name $signature
}
def cfssl_mode [
defs: record
src: string
run_root: string
cluster_name: string
hostname: string
signature: string
long_sign: int
] {
let domain_name = (get_domain_name $defs ($defs.taskserv.domain_name | default ""))
let source_name = $"($cluster_name | default "").($domain_name)"
let ORG = $env.PWD
let etcd_c = ($defs.taskserv.c | default "")
mut CFSSL = (^bash -c "type -P cfssl")
if "$CFSSL" == "" {
let cfssl_install_bin = ($env.PROVISIONING | path join "core"| path join "bin" | path join "cfssl-install.sh")
if ($cfssl_install_bin | path exists) { ^$cfssl_install_bin }
$CFSSL = (^bash -c "type -P cfssl")
}
if "$CFSSL" == "" { print $"cfssl not installed " ; exit 1 }
let CFSSLJSON = (^bash -c "type -P cfssljson")
let csr_json_file = ($src | path join "csr.json")
if not ($csr_json_file) {
"{" | tee { save -f $csr_json_file } | ignore
$"\"hosts\": [" | tee { save -a $csr_json_file } | ignore
for server in $defs.defs.servers {
let ip = ($server.network_private_ip | default "")
if $ip == "" { continue }
$"\"($server.hostname)\",\"($server.hostname).($domain_name)\",\"($ip)\"," | tee { save -a $csr_json_file } | ignore
}
if $source_name != "" and $source_name != $"($cluster_name).($domain_name)" {
print $"\"($source_name)\","| tee { save -a ($src | path join "csr.json") } | ignore
}
$"\"${domain_name}\", \"$cluster_name\"],\"key\": {" | tee { save -a $csr_json_file } | ignore
if $signature == "ECC" {
$"\"algo\": \"ecdsa\",\"size\": ($long_sign) " | tee { save -a $csr_json_file } | ignore
} else {
$"\"algo\": \"rsa\",\"size\": ($long_sign) " | tee { save -a $csr_json_file } | ignore
}
$"}, \"names\": [{ \"C\":\"($etcd_c)\", \"CN\": \"($domain_name)\" }]" | tee { save -a $csr_json_file } | ignore
$"}" | tee { save -a $csr_json_file } | ignore
#sudo echo '{"CN":"CA","key":{"algo":"rsa","size":2048}}' | cfssl gencert -initca - | cfssljson -bare ca -
#$sudo echo '{"signing":{"default":{"expiry":"43800h","usages":["signing","key encipherment","server auth","client auth"]}}}' \&ca-config.json
}
if not ( $"($cluster_name).key" | path exists) {
cd $src
if ((^($CFSSL) genkey -initca csr.json | ^($CFSSLJSON) -bare ca) | complete).exit_code == 0 {
if ((^($CFSSL) gencert -ca ca.pem -ca-key ca-key.pem csr.json
| ^($CFSSLJSON) -bare $cluster_name) | complete).exit_code == 0 {
mv ca.pem ca.crt
sudo mv ca-key.pem ca.key
mv $"($cluster_name).pem" $"($cluster_name).crt"
sudo mv $"($cluster_name)-key.pem" $"($cluster_name).key"
for server in $defs.defs.servers {
cp $"($cluster_name).crt" $"($server.hostname).crt"
sudo cp $"($cluster_name).key" $"($server.hostname).key"
}
cd $ORG
copy_certs $defs $src $run_root $cluster_name $signature
}
}
cd $ORG
} else {
copy_certs $defs $src $run_root $cluster_name $signature
}
}
export def make_certs [
defs: record
src: string
run_root: string
cluster_name: string
signature: string
ssl_mode: string
settings_root: string
long_sign: int
] {
if $signature == "" { print $"No signatures found" ; return 1 }
if not ($src | path exists) { print $"Directory ($src) not found" ; return 1 }
let hostname = ($defs.server.hostname | default "")
if $hostname == "" { print $"hostname not found in ($env.PROVISIONING_VARS)" ; exit 1 }
let servers_list = ($defs.defs.servers | select "hostname" | flatten | get -i "hostname")
match $ssl_mode {
"open" | "openssl" => {
openssl_mode $defs $src $run_root $cluster_name $hostname $signature $long_sign
},
"cf" | "cfssl" => {
cfssl_mode $defs $src $run_root $cluster_name $hostname $signature $long_sign
},
}
}
export def etcd_conf [
defs: record
src: string
run_root: string
cluster_name: string
signature: string
ssl_mode: string
] {
if not ($src | path exists) { mkdir $src }
let domain_name = (get_domain_name $defs ($defs.taskserv.domain_name | default ""))
let etcd_cn = ( $defs.taskserv.cn | default "")
let source_name = $"($cluster_name | default "").($domain_name)"
if $domain_name == "" or $domain_name == "" { print $"No names \( cluster_name and domain \) are defined" ; return 1 }
if $env.PROVISIONING_DEBUG { print $"nodeport: ($defs.taskserv.peer_port) \nprotocol: ($defs.taskserv.etcd_protocol) \n" }
let conf_alt_names_path = ($src | path join "openssl_conf_alt_names")
let setup_tpl_path = ($src | path join "setup.tpl")
mut n = 0
match $ssl_mode {
"open"| "openssl" => {
rm -f $conf_alt_names_path $setup_tpl_path
if $defs.taskserv.use_localhost {
if $env.PROVISIONING_DEBUG { print $"localhost: 127.0.0.1" }
match $ssl_mode {
"open"| "openssl" => {
$n += 1
$"DNS.$n = localhost" | tee { save -a $conf_alt_names_path } | ignore
$"IP.$n = 127.0.0.1" | tee { save -a $conf_alt_names_path } | ignore
}
}
}
$n += 1
$"DNS.($n) = ($cluster_name)" | tee { save -a $conf_alt_names_path } | ignore
$n += 1
$"DNS.($n) = ($etcd_cn)" | tee { save -a $conf_alt_names_path } | ignore
}
}
mut cluster_list = ""
for server in $defs.defs.servers {
let ip = ($server.network_private_ip | default "")
if $ip == "" { continue }
if $env.PROVISIONING_DEBUG { print $"($server.hostname): ($ip)" }
if $cluster_list != "" { $cluster_list += "," }
$cluster_list += $"($server.hostname)=($defs.taskserv.etcd_protocol)://($ip):($defs.taskserv.peer_port)"
$n += 1
match $ssl_mode {
"open"| "openssl" => {
$"export Node($n)_IP=($ip)" | tee { save -a $setup_tpl_path } | ignore
$"DNS.($n) = ($server.hostname)" | tee { save -a $conf_alt_names_path } | ignore
$"IP.($n) = ($ip)" | tee { save -a $conf_alt_names_path } | ignore
$n += 1
$"DNS.($n) = ($server.hostname).($domain_name)" | tee { save -a $conf_alt_names_path } | ignore
}
}
}
match $ssl_mode {
"open"| "openssl" => {
if $source_name != "" and $source_name != $"($cluster_name).($domain_name)" {
$n += 1
print $"DNS.($n) = ($source_name)" | tee { save -a $conf_alt_names_path } | ignore
}
}
}
if $env.PROVISIONING_DEBUG { print $"\ncluster_list: ($cluster_list)" }
return 0
}
export def copy_certs [
defs: record
src: string
run_root: string
cluster_name: string
signature: string
] {
print $"Copy certs to ($run_root) ..."
let hostname = $defs.server.hostname
if $hostname == "" { print $"hostname not found for ($env.PROVISIONING_VARS)" ; exit 1 }
if (glob ($src | path join "*.csr") | length) > 0 {
rm -f ...(glob ($src | path join "*.csr"))
}
if not ($run_root | path join "certs" | path exists) { mkdir ($run_root | path join "certs") }
for name in [ ca $hostname $cluster_name] {
if not ($src | path join $"($name).key" | path exists) { continue }
if (sops_cmd "is_sops" ($src | path join $"($name).key")) {
let content = (sops_cmd "decrypt" ($src | path join $"($name).key") --error_exit)
if $content != "" { $content | save -f ($run_root | path join "certs" | path join $"($name).key") }
} else {
cp ($src | path join $"($name).key") ($run_root | path join "certs" | path join $"($name).key" )
sops_cmd "encrypt" ($src | path join $"($name).key") --error_exit | save -f ($src | path join $"($name).key")
}
chmod 400 ($src | path join $"($name).key") ($run_root | path join "certs" | path join $"($name).key")
if ($src | path join $"($name).crt" | path exists) {
cp ($src | path join $"($name).crt") ($run_root | path join "certs")
}
}
if ($src | path join $"($cluster_name).crt" | path exists) {
#if not ($run_root | path join "certs" | path join $"($cluster_name).crt" | path exists) {
# cp ($src | path join $"($cluster_name).crt") ($run_root | path join "certs")
#}
if not ($run_root | path join "certs" | path join $"($hostname).crt" | path exists) {
cp ($src | path join $"($cluster_name).crt") ($run_root | path join "certs" | path join $"($hostname).crt")
}
if not ($run_root | path join "certs" | path join $"($hostname).key" | path exists) {
cp ($run_root | path join "certs" | path join $"($cluster_name).key") ($run_root | path join "certs" | path join $"($hostname).key")
}
print $"Certificate for ($hostname) signed ($signature) in ($src) copy to deployment"
}
if (glob ($run_root | path join "openssl.*") | length) > 0 {
rm -r ...(glob ($run_root | path join "openssl.*"))
}
}
def main [] {
print $"(_ansi green_bold)ETCD(_ansi reset) with ($env.PROVISIONING_VARS?) "
let run_root = $env.PROVISIONING_WK_ENV_PATH
let defs = load_defs
let src = ($env.PROVISIONING_SETTINGS_SRC_PATH | path join "resources" | path join $defs.taskserv.prov_path)
if not ($env.PROVISIONING_SETTINGS_SRC_PATH | path join "resources" | path exists) {
^mkdir -p ($env.PROVISIONING_SETTINGS_SRC_PATH | path join "resources")
}
let provision_path = ($defs.taskserv.prov_path | default "" | str replace "~" $env.HOME)
if $provision_path == "" {
print $"🛑 prov_path not found taskserv definition"
exit 1
}
let cluster_name = $defs.taskserv.cluster_name | default ""
if $cluster_name == "" {
print $"🛑 cluster_name not foundi taskserv definition"
exit 1
}
let domain_name = (get_domain_name $defs ($defs.taskserv.domain_name | default ""))
if $domain_name == "" {
print $"🛑 domain_name nor found in settings"
exit 1
}
let source_name = $"($cluster_name | default "").($domain_name)"
let settings_root = ($env.PROVISIONING_SETTINGS_SRC_PATH | default "" )
let signature = ($defs.taskserv.ssl_sign | default "")
let ssl_mode = ($defs.taskserv.ssl_mode | default "")
let long_sign = ($defs.taskserv.long_sign | default 0)
if ($env.PROVISIONING_SETTINGS_SRC_PATH | path join $provision_path | path join $"($cluster_name).crt" | path exists) {
copy_certs $defs $src $run_root $cluster_name $signature
} else {
if not ($env.PROVISIONING_SETTINGS_SRC_PATH | path join $provision_path | path exists) {
^mkdir -p ($env.PROVISIONING_SETTINGS_SRC_PATH | path join $provision_path)
}
etcd_conf $defs $src $run_root $cluster_name $signature $ssl_mode
make_certs $defs $src $run_root $cluster_name $signature $ssl_mode $settings_root $long_sign
}
}