Cleaning up the setup instructions for Kubernetes 1.7

Particularly, making it easier and more straightforward to install service-catalog
for use behind the aggregator

.gitignore

@@ -20,3 +20,11 @@ contrib/build/*/tmp/*
 .pkg
 .kube
 .var
+charts/catalog/apiserver-key.pem
+charts/catalog/apiserver.csr
+charts/catalog/apiserver.pem
+charts/catalog/ca-key.pem
+charts/catalog/ca.csr
+charts/catalog/ca.pem
+charts/catalog/server-ca-config.json
+charts/catalog/svc-cat-ca.json

contrib/svc-cat-apiserver-aggregation-tls-setup.sh → charts/catalog/aggregation-tls-setup.sh

@@ -1,4 +1,4 @@
-#!/bin/sh --
+#!/bin/bash
 
 # Copyright 2017 The Kubernetes Authors.
 #
@@ -14,6 +14,11 @@
 # See the License for the specific language governing permissions and
 # limitations under the License.
 
+CUR=$(pwd)
+DIR="$( cd "$( dirname "${BASH_SOURCE[0]}" )" && pwd )"
+echo "Entering $DIR"
+cd $DIR
+
 export HELM_NAME=catalog
 export SVCCAT_NAMESPACE=catalog
 export SVCCAT_SERVICE_NAME=${HELM_NAME}-${SVCCAT_NAMESPACE}-apiserver
@@ -44,7 +49,7 @@ EOF
 
 
 cfssl genkey --initca ${SVCCAT_CA_SETUP} | cfssljson -bare ${CA_NAME}
-# now the files 'ca.csr  ca-key.pem  ca.pem' exist
+# now the files 'ca.csr, ca-key.pem, and ca.pem' exist
 
 export SVCCAT_CA_CERT=${CA_NAME}.pem
 export SVCCAT_CA_KEY=${CA_NAME}-key.pem

charts/catalog/templates/apiregistration.yaml

@@ -13,6 +13,11 @@ spec:
   service:
     namespace: {{ .Release.Namespace }}
     name: {{ template "fullname" . }}-apiserver
-  caBundle: {{ .Values.apiserver.tls.ca }}
+  caBundle: {{ (.Files.Get .Values.apiserver.tls.caFileName) | b64enc }}
+  {{ if .Capabilities.APIVersions.Has "apiregistration.k8s.io/v1alpha1" -}}
   priority: 100
+  {{ else if .Capabilities.APIVersions.Has "apiregistration.k8s.io/v1beta1" -}}
+  groupPriorityMinimum: 10000
+  versionPriority: 20
+  {{- end }}
 {{ end }}

charts/catalog/templates/apiserver-cert-secret.yaml

@@ -9,8 +9,8 @@ metadata:
     heritage: "{{ .Release.Service }}"
 type: Opaque
 data:
-  tls.crt: {{ .Values.apiserver.tls.cert }}
-  tls.key: {{ .Values.apiserver.tls.key }}
+  tls.crt: {{ (.Files.Get .Values.apiserver.tls.certFileName) | b64enc }}
+  tls.key: {{ (.Files.Get .Values.apiserver.tls.keyFileName) | b64enc }}
 {{- if .Values.apiserver.tls.requestHeaderCA }}
   requestheader-ca.crt: {{ .Values.apiserver.tls.requestHeaderCA }}
 {{- end }}

charts/catalog/templates/apiserver-deployment.yaml

@@ -59,6 +59,8 @@ spec:
         - "{{ .Values.apiserver.verbosity }}"
         {{- if .Values.apiserver.tls.requestHeaderCA }}
         - --requestheader-client-ca-file=/var/run/kubernetes-service-catalog/requestheader-ca.crt
+        {{ else }}
+        - --authentication-skip-lookup=true
         {{- end }}
         {{- if not .Values.apiserver.auth.enabled }}
         - --disable-auth

charts/catalog/values.yaml

@@ -9,13 +9,22 @@ apiserver:
   # are some outstanding problems with the TLS-secured endpoint
   insecure: true
   tls:
-    # Base64-encoded certificate authority for the APIService object to register
-    # the Service Catalog API with the apiregistration
-    ca: ""
-    # Base64-encoded x509 certificate
-    cert: LS0tLS1CRUdJTiBDRVJUSUZJQ0FURS0tLS0tCk1JSURUVENDQWpXZ0F3SUJBZ0lCQVRBTkJna3Foa2lHOXcwQkFRc0ZBREFpTVNBd0hnWURWUVFEREJjeE1DNHgKTVRJdU1TNHhPRFJBTVRRNE56RTVPRE14TWpBZUZ3MHhOekF5TVRVeU1qTTRNekphRncweE9EQXlNVFV5TWpNNApNekphTUNJeElEQWVCZ05WQkFNTUZ6RXdMakV4TWk0eExqRTRORUF4TkRnM01UazRNekV5TUlJQklqQU5CZ2txCmhraUc5dzBCQVFFRkFBT0NBUThBTUlJQkNnS0NBUUVBc1J6WlcxTllJQ2FaV3NScytrUGZxRU1uUnI0eE91N2gKb0l5ODI2MHltU3lCRkFZaUh0ankrVVc5NldNbXdCQkFRcVlGR3BQczN2UnI1SGF1RkJuV1dicHRMUjlnbVdZWApRa0tzYm9yK1MybTJwYWUyQ2EyVVRnMXJkMkV5VHpkbWkzaFdKMWRQMllRV0tOSXJOSGpmcTM5L25HTU5YWHRjCmJqbWYxb0ZHUER5ODVMNlIyclpVMHlaM0NMNVByczNhV0tQQmtLVXU3NDZhbldONzNTcGRoSTFxMnhNWHJseXMKcFlnUzdjV2FhZERidjVvNjFUYUFyTm0yTCtUWlNESExUMUVzOXdlVCs3TkhQQVlkUVpYTW1lRXU1V1U5ZzZ0UApnOEtmQk5PVG9iUzZPOTZLTzl4Y0VqT0JLcWdaZTQyYVpoZmFja09rcCs5aUFRN1BPQXhTVVFJREFRQUJvNEdOCk1JR0tNQTRHQTFVZER3RUIvd1FFQXdJQ3BEQVRCZ05WSFNVRUREQUtCZ2dyQmdFRkJRY0RBVEFQQmdOVkhSTUIKQWY4RUJUQURBUUgvTUZJR0ExVWRFUVJMTUVtQ0ZtdDFZbVZ5Ym1WMFpYTXVaR1ZtWVhWc2RDNXpkbU9DRW10MQpZbVZ5Ym1WMFpYTXVaR1ZtWVhWc2RJSUthM1ZpWlhKdVpYUmxjNElKYkc5allXeG9iM04waHdRS2NBRzRNQTBHCkNTcUdTSWIzRFFFQkN3VUFBNElCQVFCYWlPckpOS3FhMmFWdG13YVdoaDAyVFJrMjlXLzA0WlRCYnJseFlpbHQKVi9CYklHbmF3UzlxcGRyVHJNc0RBVmtBbUpRaGtabHJOeFpYbE01WnR2c2wyc3ZHMVlFVnA1UTJuaU9PT3B1Sgo1UDFINUo2SDJNWUpQS2c3OTAyVnZnZ0xPVG5QU01aVjgyWFRlV2JrRW51UjFlY3pwK1NmWjVjZFArSnE3WVRuCm52dHc3aHUzOW1mSVZIU3g3Rk0vN2lBWUJLN0tNQlNUUHZYdWk0SGRTamUzTkhkNlllL0c1bTgvOXNxVXVIL0gKcWJMT0lpenFRRVFNTFRzaFNHdUtxYlVFZ2tBU0ExaTVPbENZcWpEUGRQNTBvVEJkQ24vRnhrMVIvc0R5UlhtQwpYMUR4cUZjNzdkT0pMaHJKM0tDT1RsTy9RY2tkcytkR0tTU09jV0Y4L0p5egotLS0tLUVORCBDRVJUSUZJQ0FURS0tLS0tCg==
+    # The name of the file that contains the certificate authority for the APIService object to 
+    # register the Service Catalog API with the API aggregator in the APIRegistration object.
+    # This field is required if apiserver.auth.enabled is true.
+    caFileName:
+    # The name of the file that contains the x509 certificate for use in the aforementioned
+    # APIService object. This field is required if apiserver.auth.enabled is true.
+    certFileName:
+    # The name of the file that contains the private key for use in the aforementioned APIService
+    # object. This field is required if apiserver.auth.enabled is true.
     # Base64-encoded private key
-    key: LS0tLS1CRUdJTiBSU0EgUFJJVkFURSBLRVktLS0tLQpNSUlFb3dJQkFBS0NBUUVBc1J6WlcxTllJQ2FaV3NScytrUGZxRU1uUnI0eE91N2hvSXk4MjYweW1TeUJGQVlpCkh0ankrVVc5NldNbXdCQkFRcVlGR3BQczN2UnI1SGF1RkJuV1dicHRMUjlnbVdZWFFrS3Nib3IrUzJtMnBhZTIKQ2EyVVRnMXJkMkV5VHpkbWkzaFdKMWRQMllRV0tOSXJOSGpmcTM5L25HTU5YWHRjYmptZjFvRkdQRHk4NUw2UgoyclpVMHlaM0NMNVByczNhV0tQQmtLVXU3NDZhbldONzNTcGRoSTFxMnhNWHJseXNwWWdTN2NXYWFkRGJ2NW82CjFUYUFyTm0yTCtUWlNESExUMUVzOXdlVCs3TkhQQVlkUVpYTW1lRXU1V1U5ZzZ0UGc4S2ZCTk9Ub2JTNk85NksKTzl4Y0VqT0JLcWdaZTQyYVpoZmFja09rcCs5aUFRN1BPQXhTVVFJREFRQUJBb0lCQUUyYUVWWmxkeWhuSVN4WApBbFRKWm5iSUxhNWVhUjJrU3pIWVdHdDhRTDVDZEsvOFcvamVIOSsrZ2c1L2hod0RRdFN3LzIxOHdQMlRaSzZ1Cm5XbHJSTEw5N3hZbE9HTWVDelRhRjhrN2wxNGRqSXlhcGpVcFcrQ3pHcEl0QVNrYVloRGNBZ3Vzd3V6UVpoRXUKdlFWNXJLN3M1MUh6U0lqY0kweWNiUDlFbHl5T3lhQWJhRnNuQmw5RkFCSUgydmhIRS9NNUZsUHBOaVZPaGhraQpQUWdEQng1VGdrYUJrUDJtMVF1WmdxbnRkakRpcC9ZUWdpNE03ai9FMm9tWWtxOGkvd0lnUTBmaUkrZmxzVXpyCmNBWHNvaTU5TGVwLzEyUllqUEtoMXFJUHd4Y0dvTCtHektxNlQ0RG9xRXgxYXg4c1YwK1ZZVHJ6UHJXbTBZL0cKdHVhaXJnRUNnWUVBMm95RDVDNkdJb1JKU21ldTRTbnlxZTFJTjYrUndTd3RvMmd1SUx3K3dUSVBPTFJyNFJzMwpvRjJ6VS9NcmZpRFliTSswK0NXSGhOb3huMmcwOEsyd0pFV01EY1JlNjJLeEhjUEFXcFZuajVUcEJSaHRibUhZCkFoaGVidnErOW9RSkM3c3FLRHp3dWVpYzZhVlVmcVBtTXJ0M0tpRVh6R3VHWVVGbi93dm12dkVDZ1lFQXozYVQKaGU2OG9neHUrSEs4MElYSWNEMlljNFVYeS9UalNOSVdFakRzTUYrekhyNFNBMHJvQzBCaHc2b1djeUpERXFHdgo3WFg3dmFzMHR2SlBTc1Y3QnZieWxmUzY1cVdyN3JJQ2VsbG44Z3ptbERLUlcwbE5hNVAzWWxsSGx1bXVBR29MCjFJMHBwVUVLN3ZOK2hzQk5CdmtRL3NTVlRqME9aNTJuemo1ZmlXRUNnWUJ3TytrZnJhVEU1UnFlVTFERDRUNzEKZFIyNU96aW04NEVjZ2N2dWs3M0dpV2Ezd0RBR2ttdW10M2Y0ak5DeEhUMEg1RU1UakhKa0Q0bWNTMitraWc0RApFcFF5SGI2Qk0xV3g2MjFGRjZUdlg1R3JSRGd1ajZEV3NwME1jVWpRWUU0azhDRmVPSzJIUzZZSmR4WkZVdlpNCjUyanpBYnV2Qnlram1PdEhWMTFRZ1FLQmdGQ0xsTkxXMFYySXZqeXZMeWMyQ1krcUdsb2ZQaEh0VGFDa0QvV1kKRU5ybkRML093MmVMMlhNazE5QURaUnZtSFd4S1llY3JlMFUwQnc5UUhBREhrdkF0U0JsNEhtZ1Z3aDYxOWNoUwpsY3lmdlpXajNGTTRybG9wNUUzR284aXZpT0tZU1dlSU5yYjEvYXl2MUZ1MHBUTWoxN2xSMFRYQzlxaTd5TDZGCjhNbUJBb0dCQU0vN2ROK2lLN2NOTlFiT3haMWJ0VDduQzkySTI1ekduRWNXZFBzMWdZR2w2SnQ3TXJUQTEzRDUKNDNNTXIvTE1OdnI0ZWMyVHl0VUpkMXMzQ1dEMEM5UHg5dUlURUNOT1ZCRHpvN2hoUFcxb0NkTTl0OWM4V0hSNwpzSSsrWktKOVJVanZzeUNZeHM1SFNlNzFVNXZYMTFMcUhydkc2Q2docnNNc2lCa0N1NGZWCi0tLS0tRU5EIFJTQSBQUklWQVRFIEtFWS0tLS0tCg==
+    keyFileName:
+    # The name of the file that contains the CA to authenticate connections from API server
+    # proxies. This field is not required. If it is not set, the service-catalog API server 
+    # will be started with the --authentication-skip-lookup flag, which will disable the auth checks
+    # from the API server proxies as well as client cert authentication.
+    requestHeaderCA:
   # Attributes of the apiserver's service resource
   service:
     # Type of service; valid values are "LoadBalancer" and "NodePort"

docs/api-aggregation-setup.md

@@ -1,4 +1,3 @@
-
 # Setting up Service Catalog for API Aggregation in Kubernetes
 
 The aggregator is a server that sits in front of the core API
@@ -15,7 +14,7 @@ certificate bundle to the APIService apiregistration endpoint.
 
 For development purposes, it is convenient to use the existing CA
 automatically set up by the kubernetes development environment. The
-[script in contrib](../contrib/svc-cat-apiserver-aggregation-tls-setup.sh)
+[script in the catalog chart](../charts/catalog/aggregation-tls-setup.sh)
 generates a fresh CA and certificate setup, without using any existing
 kubernetes infrastructure CAs or certificates. This script should be
 `source`ed to define all of the variables it contains in the current
@@ -179,12 +178,14 @@ keys we just generated inline.
 
 ```
 helm install charts/catalog \
-    --name ${HELM_NAME} --namespace ${SVCCAT_NAMESPACE} \
+    --name ${HELM_NAME} \
+    --namespace ${SVCCAT_NAMESPACE} \
     --set apiserver.auth.enabled=true \
-        --set useAggregator=true \
-        --set apiserver.tls.ca=$(base64 --wrap 0 ${SC_SERVING_CA}) \
-        --set apiserver.tls.cert=$(base64 --wrap 0 ${SC_SERVING_CERT}) \
-        --set apiserver.tls.key=$(base64 --wrap 0 ${SC_SERVING_KEY})
+    --set useAggregator=true \
+    --set apiserver.insecure=false \
+    --set apiserver.tls.caFileName=${SC_SERVING_CA} \
+    --set apiserver.tls.certFileName=${SC_SERVING_CERT} \
+    --set apiserver.tls.keyFileName=${SC_SERVING_KEY}
 ``` 
 
 `servicecatalog.k8s.io/v1alpha1` should show up under `kubectl
@@ -211,5 +212,12 @@ Before installing the helm chart, run the script in contrib by
 `source`ing it, to define all of the necessary variables.
 
 ```shell
-source /contrib/svc-cat-apiserver-aggregation-tls-setup.sh
+source charts/catalog/aggregation/tls-setup/sh
+```
+
+To delete, all resources, execute the following:
+
+```console
+helm delete --purge catalog
+kubectl delete apiservice v1alpha1.servicecatalog.k8s.io
 ```