sighupio/furyagent

Furyagent

Automate the bureaucracy of Kubernetes cluster management


Furyagent is a simple CLI tool that automates common tasks in Kubernetes cluster management.

Furyagent can help you with:

  1. etcd and Kubernetes PKI creation and distribution
  2. Backing up and restoring etcd
  3. Managing OpenVPN access
  4. Managing SSH access

Installation

Find furyagent binaries on the Releases page.

Download the latest release directly from the command line:

wget -q https://github.com/sighupio/furyagent/releases/download/v0.4.0/furyagent-$(uname -s)-amd64 -O /tmp/furyagent
chmod +x /tmp/furyagent
sudo mv /tmp/furyagent /usr/local/bin/furyagent

Alternatively, Homebrew users can use brew to install furyagent:

brew tap sighupio/furyagent
brew install furyagent

Check that everything is working correctly with furyagent version, which prints the installed version, the binary's md5 and its path (the version shown depends on the release you installed; the wget command above fetches v0.4.0):

➜ furyagent version
Furyagent version 0.2.3 - md5: 923428f7616f2942b08e2ce7a4d49aa0 - /usr/local/bin/furyagent

OpenVPN

Since Furyagent calls openvpn client commands, openvpn must be installed on the system.

Homebrew users can use brew to install it:

brew install openvpn

Refer to the OpenVPN website for other installation methods.

Remember to add openvpn to your $PATH by adding the following line to your .bashrc or .zshrc:

export PATH=$(brew --prefix openvpn)/sbin:$PATH

Configuration

Furyagent uses a storage provider to keep track of all the material it manages (CA files, certificates, backups, the SSH user list) and to distribute certificates from there. The provider is configured in a furyagent.yml config file.

The available providers are:

  • local provider
  • s3 provider

Local

To use the local provider add the following options under the storage section of the furyagent.yml config file:

storage:
  provider: local
  path: /path/to/folder

S3 Bucket

To configure access to the S3 bucket, add the following options under the storage section of the furyagent.yml config file:

storage:
  provider: s3
  url: "https://s3.eu-central-1.amazonaws.com"
  aws_access_key: <AWS_ACCESS_KEY>
  aws_secret_key: <AWS_SECRET_KEY>
  bucketName: <AWS_BUCKET_NAME>
  region: <AWS_BUCKET_REGION>

The storage section contains the AWS credentials and the location of the S3 bucket. Make sure that the IAM principal whose keys you use has read/write permissions on the bucket and nothing beyond it, and use an https endpoint for url: the bucket holds the cluster's CA material, etcd backups and the list of SSH users, so it is as sensitive as the cluster itself. Because furyagent.yml contains the access keys, store it encrypted or at least readable only by the user that runs furyagent (e.g. mode 0600).

Usage

furyagent has the following commands:

Command        Description
backup         Executes backups
configure      Executes configuration
help           Help about any command
init           Executes initialization, uploads CA files
parsed-config  Prints the parsed furyagent.yml file
restore        Executes restores
version        Prints the client version information

The available subcommands are the following:

furyagent
├── init
│   ├── etcd
│   ├── master
│   ├── openvpn
│   └── ssh-keys
├── configure
│   ├── etcd
│   ├── master
│   ├── openvpn
│   ├── openvpn-client
│   └── ssh-keys
├── backup
│   └── etcd
└── restore
    └── etcd

Backup and restore etcd

Back up the state of etcd with:

furyagent backup --config /path/to/furyagent.yml etcd

To restore the state of etcd:

  1. Stop etcd
  2. Run furyagent restore --config /path/to/furyagent.yml etcd
  3. Restart etcd

Create and upload certificates

  1. Generate the certificates

  2. Upload them to the storage: furyagent init -d /path/to/cert/dir --config /path/to/furyagent.yml [etcd|master]

  3. Download them into the directory specified in the config file: furyagent configure --config /path/to/furyagent.yml [etcd|master]

OpenVPN users management

To enable this feature, add the following configuration to the furyagent.yml file:

clusterComponent:
    openvpn:
        server:
            - 1.2.3.4
            - 5.6.7.8

Then you can create an OpenVPN client configuration with the following command:

furyagent configure openvpn-client --client-name foo --config /etc/fury/furyagent.yml > foo.ovpn

The newly created client certificate is also saved to the storage, so that every certificate issued by the OpenVPN CA is tracked and can later be revoked.

The resulting *.ovpn file can then be used with any OpenVPN client (such as Tunnelblick) to connect to the OpenVPN server. Treat it as a credential: it embeds the client's private key.

If you need to revoke a user's access, run:

furyagent configure openvpn-client --client-name foo --revoke --config /etc/fury/furyagent.yml

The revoked certificate is kept under pki/vpn-client/revoked/ in the storage and the CA's CRL (pki/vpn/ca.crl) is updated. OpenVPN enforces the revocation only once the server is running with the updated CRL, so make sure the server picks it up.

List OpenVPN client certificates

furyagent --config path/to/furyagent.yml configure openvpn-client --list

This will be the output:

2020-03-19 17:09:00.727031 I | storage.go:146: Item pki/vpn-client/revoked/luca.zecca.crt found [size: 1103]
2020-03-19 17:09:00.727195 I | storage.go:147: Saving item pki/vpn-client/revoked/luca.zecca.crt ...
2020-03-19 17:09:00.830450 I | storage.go:146: Item pki/vpn-client/simone.messina.crt found [size: 1107]
2020-03-19 17:09:00.830470 I | storage.go:147: Saving item pki/vpn-client/simone.messina.crt ...
2020-03-19 17:09:00.948095 I | storage.go:146: Item pki/vpn/ca.crl found [size: 597]
2020-03-19 17:09:00.948113 I | storage.go:147: Saving item pki/vpn/ca.crl ...
2020-03-19 17:09:01.046877 I | storage.go:146: Item pki/vpn/ca.crl found [size: 597]
2020-03-19 17:09:01.046893 I | storage.go:147: Saving item pki/vpn/ca.crl ...
+----------------+------------+------------+---------+--------------------------------+
|      USER      | VALID FROM |  VALID TO  | EXPIRED |            REVOKED             |
+----------------+------------+------------+---------+--------------------------------+
| luca.zecca     | 2020-03-19 | 2021-03-19 | false   | true 2020-03-19 14:47:40 +0000 |
|                |            |            |         | UTC                            |
+----------------+------------+------------+---------+--------------------------------+
| simone.messina | 2020-03-19 | 2021-03-19 | false   | false 0001-01-01 00:00:00      |
|                |            |            |         | +0000 UTC                      |
+----------------+------------+------------+---------+--------------------------------+

You can also add --output=json to the command above to get JSON output:

furyagent --config=ssh/furyagent.yml configure openvpn-client --list --output=json
2020-03-19 18:37:25.204840 I | storage.go:146: Item pki/vpn-client/revoked/luca.zecca.crt found [size: 1103]
2020-03-19 18:37:25.204988 I | storage.go:147: Saving item pki/vpn-client/revoked/luca.zecca.crt ...
2020-03-19 18:37:25.314691 I | storage.go:146: Item pki/vpn-client/simone.messina.crt found [size: 1107]
2020-03-19 18:37:25.314715 I | storage.go:147: Saving item pki/vpn-client/simone.messina.crt ...
2020-03-19 18:37:25.432634 I | storage.go:146: Item pki/vpn/ca.crl found [size: 597]
2020-03-19 18:37:25.432655 I | storage.go:147: Saving item pki/vpn/ca.crl ...
2020-03-19 18:37:25.537314 I | storage.go:146: Item pki/vpn/ca.crl found [size: 597]
2020-03-19 18:37:25.537341 I | storage.go:147: Saving item pki/vpn/ca.crl ...
[{"User":"luca.zecca","Valid_from":"2020-03-19","Valid_to":"2021-03-19","Expired":false,"Revoked":{"Revoked":true,"RevokeTime":"2020-03-19T14:47:40Z"}},{"User":"simone.messina","Valid_from":"2020-03-19","Valid_to":"2021-03-19","Expired":false,"Revoked":{"Revoked":false,"RevokeTime":"0001-01-01T00:00:00Z"}}]
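The listing above is the natural input for a periodic access review. The Go program below is an added example and not part of furyagent: it decodes the JSON array (skipping the storage.go log lines that precede it), lists the clients whose certificates are still usable, and flags the active ones that expire within a given number of days so they can be re-issued in time. The sample input is constructed from the two entries shown above; the vpnClient, parseClientList, activeUsers and expiringWithin names are the example's own.

```go
package main

import (
	"encoding/json"
	"fmt"
	"os"
	"sort"
	"strings"
	"time"
)

// vpnClient mirrors one element of the JSON array printed by
// `furyagent configure openvpn-client --list --output=json`.
type vpnClient struct {
	User      string `json:"User"`
	ValidFrom string `json:"Valid_from"`
	ValidTo   string `json:"Valid_to"`
	Expired   bool   `json:"Expired"`
	Revoked   struct {
		Revoked    bool      `json:"Revoked"`
		RevokeTime time.Time `json:"RevokeTime"` // zero time (0001-01-01) when not revoked
	} `json:"Revoked"`
}

// parseClientList tolerates the log lines that precede the array and
// decodes the first line that starts with "[".
func parseClientList(out string) ([]vpnClient, error) {
	for _, line := range strings.Split(out, "\n") {
		line = strings.TrimSpace(line)
		if !strings.HasPrefix(line, "[") {
			continue
		}
		var clients []vpnClient
		if err := json.Unmarshal([]byte(line), &clients); err != nil {
			return nil, fmt.Errorf("decode client list: %w", err)
		}
		return clients, nil
	}
	return nil, fmt.Errorf("no JSON client list found in output")
}

// active reports whether a certificate can still authenticate: neither
// expired nor on the CRL.
func active(c vpnClient) bool { return !c.Expired && !c.Revoked.Revoked }

// activeUsers returns the sorted names of clients that can still connect.
func activeUsers(clients []vpnClient) []string {
	var users []string
	for _, c := range clients {
		if active(c) {
			users = append(users, c.User)
		}
	}
	sort.Strings(users)
	return users
}

// expiringWithin returns the active clients whose Valid_to falls on or
// before now+days, i.e. the ones to re-issue before they drop off the VPN.
func expiringWithin(clients []vpnClient, now time.Time, days int) ([]string, error) {
	var users []string
	cutoff := now.AddDate(0, 0, days)
	for _, c := range clients {
		if !active(c) {
			continue
		}
		to, err := time.Parse("2006-01-02", c.ValidTo)
		if err != nil {
			return nil, fmt.Errorf("%s: bad Valid_to %q: %w", c.User, c.ValidTo, err)
		}
		if !to.After(cutoff) {
			users = append(users, c.User)
		}
	}
	sort.Strings(users)
	return users, nil
}

// sampleOutput is constructed from the listing shown above: one log line
// followed by the JSON array.
const sampleOutput = `2020-03-19 18:37:25.537314 I | storage.go:146: Item pki/vpn/ca.crl found [size: 597]
[{"User":"luca.zecca","Valid_from":"2020-03-19","Valid_to":"2021-03-19","Expired":false,"Revoked":{"Revoked":true,"RevokeTime":"2020-03-19T14:47:40Z"}},{"User":"simone.messina","Valid_from":"2020-03-19","Valid_to":"2021-03-19","Expired":false,"Revoked":{"Revoked":false,"RevokeTime":"0001-01-01T00:00:00Z"}}]`

func main() {
	clients, err := parseClientList(sampleOutput)
	if err != nil {
		fmt.Fprintln(os.Stderr, err)
		os.Exit(1)
	}
	fmt.Println("active:", activeUsers(clients))
	soon, err := expiringWithin(clients, time.Now(), 30)
	if err != nil {
		fmt.Fprintln(os.Stderr, err)
		os.Exit(1)
	}
	fmt.Println("expiring within 30 days:", soon)
}
```

To run it against a live cluster, replace sampleOutput with the captured output of the --list --output=json command; the parser ignores the leading log lines either way.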

SSH management

To enable this feature, add the following configuration to the furyagent.yml file:

clusterComponent:
    sshKeys:
        adapter:
            name: "github" # "http" is also accepted, but then the "uri" field must be set too: a non-GitHub adapter has no well-known URL
        user: "sighup" # user created on the target system for storing public keys
        tempDir: "/tmp" # temporary directory where files are downloaded
        localDirConfigs: "secrets/ssh" # directory in which to look for ssh-users.yml

Whatever the adapter returns ends up in authorized_keys on the nodes, so an http adapter uri should point over https to a server you control, and every GitHub account listed in ssh-users.yml effectively holds SSH access to the cluster: remove departed users from the file promptly.

ssh-users.yml should have the following structure:

users:
    - name: lucazecca
      github_id: lzecca78
    - name: philippe
      github_id: phisco
    - name: samuele
      github_id: nutellinoit
    - name: lucanovara
      github_id: lnovara
    - name: ramiro
      github_id: ralgozino

Once that is done, upload ssh-users.yml to the storage:

furyagent init --config ssh/furyagent.yml ssh-keys

On the nodes, create a cron entry like the following (use the binary's full path if cron's PATH does not include /usr/local/bin):

*/30 * * * * furyagent configure --config <path>/furyagent.yml ssh-keys --overwrite true

Each run performs the following actions:

  1. fetch ssh-users.yml from the storage
  2. read the adapter from furyagent.yml (GitHub needs no uri because it is well known; http requires a uri field in the adapter struct)
  3. fetch from the adapter (name, uri) the same structure GitHub exposes: one <id>.keys file per user
  4. create the system user if it does not exist, detecting the OS (RedHat based, Debian based) to use the correct command flags
  5. build a temporary authorized_keys
  6. if step 3 succeeded, overwrite the user's authorized_keys file with it; otherwise leave the existing file untouched
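Steps 3, 5 and 6 are where the security of this feature sits: whatever the adapter returns becomes authorized_keys, and a failed fetch must not wipe existing access. The Go program below is an added example of that logic and not furyagent's own code: it builds the <id>.keys URL (accepting only https, an added requirement), accepts only well-formed public-key lines so that a misbehaving adapter cannot smuggle options such as command= into the file, aborts the whole build on any fetch or validation failure, and replaces authorized_keys atomically. The key fetcher serves constructed keys from memory so that it runs offline; the sshUser, keysURL, validKeyLine, buildAuthorizedKeys and writeAuthorizedKeys names are the example's own.

```go
package main

import (
	"encoding/base64"
	"fmt"
	"net/url"
	"os"
	"path/filepath"
	"strings"
)

// sshUser is one entry of ssh-users.yml; keyFetcher returns the raw "<id>.keys" body.
type sshUser struct{ Name, GithubID string }
type keyFetcher func(id string) (string, error)

// keysURL builds <base>/<id>.keys, the layout GitHub serves and the one an http
// adapter must mirror. Only https is accepted: what this URL returns is granted
// shell access, so it must not be modifiable in transit. PathEscape stops an
// odd github_id from rewriting the path.
func keysURL(base, id string) (string, error) {
	if !strings.HasPrefix(base, "https://") {
		return "", fmt.Errorf("refusing non-https adapter uri %q", base)
	}
	return strings.TrimSuffix(base, "/") + "/" + url.PathEscape(id) + ".keys", nil
}

var keyTypes = map[string]bool{"ssh-ed25519": true, "ssh-rsa": true, "ecdsa-sha2-nistp256": true,
	"ecdsa-sha2-nistp384": true, "ecdsa-sha2-nistp521": true, "sk-ssh-ed25519@openssh.com": true}

// validKeyLine accepts only "<type> <base64 blob> [comment]", so a leading
// command= or environment= option, or junk from a broken adapter, never
// reaches authorized_keys.
func validKeyLine(line string) bool {
	f := strings.Fields(line)
	if len(f) < 2 || !keyTypes[f[0]] {
		return false
	}
	_, err := base64.StdEncoding.DecodeString(f[1])
	return err == nil
}

// buildAuthorizedKeys fetches every user's keys and returns the new file
// content. Any fetch or validation failure aborts the whole build, so the
// existing authorized_keys is left alone (step 6 above).
func buildAuthorizedKeys(users []sshUser, fetch keyFetcher) (string, error) {
	var b strings.Builder
	for _, u := range users {
		body, err := fetch(u.GithubID)
		if err != nil {
			return "", fmt.Errorf("fetch keys for %s: %w", u.Name, err)
		}
		fmt.Fprintf(&b, "# %s (%s)\n", u.Name, u.GithubID)
		for _, line := range strings.Split(body, "\n") {
			if line = strings.TrimSpace(line); line == "" {
				continue
			}
			if !validKeyLine(line) {
				return "", fmt.Errorf("%s: rejected key line %q", u.Name, line)
			}
			b.WriteString(line + "\n")
		}
	}
	return b.String(), nil
}

// writeAuthorizedKeys replaces path atomically: CreateTemp makes a 0600 file
// in the same directory, which is synced and renamed over the target, so sshd
// never reads a half-written file.
func writeAuthorizedKeys(path, content string) error {
	tmp, err := os.CreateTemp(filepath.Dir(path), ".authorized_keys-*")
	if err != nil {
		return err
	}
	defer os.Remove(tmp.Name()) // no-op once the rename has succeeded
	if _, err := tmp.WriteString(content); err != nil {
		return err
	}
	if err := tmp.Sync(); err != nil {
		return err
	}
	if err := tmp.Close(); err != nil {
		return err
	}
	return os.Rename(tmp.Name(), path)
}

func main() {
	// Constructed sample: two of the page's users with made-up keys, served from
	// memory so this runs offline. On a node the fetcher would instead GET
	// keysURL("https://github.com", id).
	sample := map[string]string{
		"lzecca78": "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIGxrvqJNb9i2Sf3hXH7G2Qx1c4r9E0q2xj3n5kL8mPqR laptop\n",
		"phisco":   "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQC7 work\n",
	}
	fetch := func(id string) (string, error) {
		if body, ok := sample[id]; ok {
			return body, nil
		}
		return "", fmt.Errorf("%s: not found", id)
	}
	users := []sshUser{{"lucazecca", "lzecca78"}, {"philippe", "phisco"}}
	content, err := buildAuthorizedKeys(users, fetch)
	if err != nil {
		fmt.Fprintln(os.Stderr, "keeping existing authorized_keys:", err)
		os.Exit(1)
	}
	fmt.Print(content)
}
```

main only prints the generated file; on a node you would pass the result to writeAuthorizedKeys with the target user's ~/.ssh/authorized_keys (the exact path furyagent uses for the configured user is not stated on this page and is an assumption here). Note that the users list is hard-coded where furyagent reads it from ssh-users.yml.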

Contributing

Before contributing, please read first the Contributing Guidelines.

We use Go modules for dependency management. Run go mod vendor and then go build or go install to build the executable.

Reporting Issues

If you experience any problem with furyagent, please open a new issue here on GitHub.

License

This module is open-source and released under the following LICENSE