
Example 1 with Request

use of io.fabric8.insight.metrics.model.Request in project curiostack by curioswitch.

the class RequestNamespaceCertTask method exec.

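/**
 * Issues the namespace's server TLS material: generates a fresh P-256 key pair, wraps the public
 * key in a CSR carrying the in-cluster wildcard names for the namespace, submits and approves it
 * through {@code kubectl}, polls for the issued certificate, and stores certificate plus
 * unencrypted PKCS#8 key in the {@code server-tls} Secret of that namespace.
 *
 * <p>The private key is created in this JVM and leaves it only via that Secret; no copy is written
 * to disk by this task.
 *
 * @throws IllegalStateException if any encoding step fails, if kubectl cannot read back the
 *     certificate, or if the certificate is not issued within the polling window
 * @throws UncheckedIOException if the kubectl process cannot be started or read
 */
@TaskAction
public void exec() {
    ImmutableClusterExtension cluster =
        getProject().getExtensions().getByType(ClusterExtension.class);
    String csrName = cluster.namespace() + ".server.crt";

    KeyPair keyPair = generateServerKeyPair();
    String csrPem = buildCsrPem(cluster, keyPair);

    // The CSR API takes the PEM text base64-encoded inside spec.request.
    String encodedCsr =
        Base64.getEncoder().encodeToString(csrPem.getBytes(StandardCharsets.UTF_8));
    // NOTE(review): "client auth" makes the issued certificate a usable client credential for
    // anything trusting the signing CA, with the CN set in buildCsrPem as its identity.
    // Confirm that is intended and not just a server certificate.
    Map<Object, Object> csrApiRequest =
        ImmutableMap.of(
            "apiVersion", "certificates.k8s.io/v1beta1",
            "kind", "CertificateSigningRequest",
            "metadata", ImmutableMap.of("name", csrName),
            "spec", ImmutableMap.of(
                "request", encodedCsr,
                "usages", ImmutableList.of(
                    "digital signature", "key encipherment", "server auth", "client auth")));
    final byte[] encodedApiRequest;
    try {
        encodedApiRequest = OBJECT_MAPPER.writeValueAsBytes(csrApiRequest);
    } catch (JsonProcessingException e) {
        throw new IllegalStateException("Could not encode yaml", e);
    }

    ImmutableGcloudExtension config =
        getProject().getRootProject().getExtensions().getByType(GcloudExtension.class);
    // With download enabled the SDK-managed kubectl is used; otherwise whatever "kubectl" the
    // build environment's PATH resolves to is trusted.
    String command =
        config.download()
            ? CommandUtil.getGcloudSdkBinDir(getProject()).resolve("kubectl").toAbsolutePath().toString()
            : "kubectl";

    // Submit the CSR on stdin; Gradle's exec fails the task on a non-zero exit.
    getProject().exec(exec -> {
        exec.executable(command);
        exec.args("create", "-f", "-");
        exec.setStandardInput(new ByteArrayInputStream(encodedApiRequest));
    });
    // Approval is automatic: nobody reviews the requested names before the CA signs them.
    getProject().exec(exec -> {
        exec.executable(command);
        exec.args("certificate", "approve", csrName);
    });

    byte[] certificateBytes = fetchIssuedCertificate(command, csrName);
    String certificate =
        new String(Base64.getDecoder().decode(certificateBytes), StandardCharsets.UTF_8);
    String key = encodePrivateKeyPem(keyPair);

    // Secret keys and the "Opaque" type are consumed elsewhere; kept as-is even though
    // "kubernetes.io/tls" would be the conventional type for this content.
    Secret certificateSecret =
        new SecretBuilder()
            .withMetadata(
                new ObjectMetaBuilder().withName("server-tls").withNamespace(cluster.namespace()).build())
            .withType("Opaque")
            .withData(
                ImmutableMap.of(
                    "server.crt",
                    Base64.getEncoder().encodeToString(certificate.getBytes(StandardCharsets.UTF_8)),
                    "server-key.pem",
                    Base64.getEncoder().encodeToString(key.getBytes(StandardCharsets.UTF_8))))
            .build();
    // The client owns an HTTP connection pool; close it instead of leaking it per task run.
    try (DefaultKubernetesClient client = new DefaultKubernetesClient()) {
        client.resource(certificateSecret).createOrReplace();
    }
}

/** Generates the 256-bit ECDSA key pair the server certificate is issued for. */
private static KeyPair generateServerKeyPair() {
    final KeyPairGenerator keygen;
    try {
        keygen = KeyPairGenerator.getInstance("ECDSA", BouncyCastleProvider.PROVIDER_NAME);
    } catch (NoSuchAlgorithmException | NoSuchProviderException e) {
        throw new IllegalStateException("Could not find ECDSA, can't happen.", e);
    }
    keygen.initialize(256, new SecureRandom());
    return keygen.generateKeyPair();
}

/**
 * Builds the PEM-encoded PKCS#10 request for {@code keyPair}, self-signed with SHA256withECDSA.
 *
 * <p>Subject: {@code CN=<namespace>.ns.cluster.stellarstation.com}. SANs: the three in-cluster
 * wildcard names for the namespace plus every entry of {@code cluster.extraNamespaceTlsHosts()}.
 */
private static String buildCsrPem(ImmutableClusterExtension cluster, KeyPair keyPair) {
    String namespace = cluster.namespace();
    PKCS10CertificationRequestBuilder p10Builder =
        new JcaPKCS10CertificationRequestBuilder(
            new X500Principal("CN=" + namespace + ".ns.cluster.stellarstation.com"),
            keyPair.getPublic());

    // NOTE(review): extra hosts are added verbatim; nothing here restricts them to names the
    // namespace should own, and the approval step is automatic.
    Stream<GeneralName> generalNames =
        Streams.concat(
            Stream.of(
                new GeneralName(GeneralName.dNSName, "*." + namespace),
                new GeneralName(GeneralName.dNSName, "*." + namespace + ".svc"),
                new GeneralName(GeneralName.dNSName, "*." + namespace + ".svc.cluster.local")),
            cluster.extraNamespaceTlsHosts().stream()
                .map(name -> new GeneralName(GeneralName.dNSName, name)));
    GeneralNames subjectAltNames = new GeneralNames(generalNames.toArray(GeneralName[]::new));

    ExtensionsGenerator extensions = new ExtensionsGenerator();
    try {
        extensions.addExtension(Extension.subjectAlternativeName, false, subjectAltNames);
        p10Builder.setAttribute(
            PKCSObjectIdentifiers.pkcs_9_at_extensionRequest, extensions.generate());
    } catch (IOException e) {
        throw new IllegalStateException("Could not encode cert name, can't happen.", e);
    }

    final ContentSigner signer;
    try {
        signer = new JcaContentSignerBuilder("SHA256withECDSA").build(keyPair.getPrivate());
    } catch (OperatorCreationException e) {
        throw new IllegalStateException("Could not find signer, can't happen.", e);
    }
    PKCS10CertificationRequest csr = p10Builder.build(signer);
    return toPem(csr, "Could not encode csr, can't happen.");
}

/** Encodes the private key as an unencrypted PKCS#8 PEM block. */
private static String encodePrivateKeyPem(KeyPair keyPair) {
    final PemObject keyObject;
    try {
        // null = no encryption; the Secret's access controls are the only protection.
        keyObject = new JcaPKCS8Generator(keyPair.getPrivate(), null).generate();
    } catch (PemGenerationException e) {
        throw new IllegalStateException("Could not encode to pkcs8.", e);
    }
    return toPem(keyObject, "Could not encode private key, can't happen.");
}

/** PEM-encodes {@code object}; wraps an encoding failure as IllegalStateException. */
private static String toPem(Object object, String errorMessage) {
    StringWriter writer = new StringWriter();
    try (JcaPEMWriter pemWriter = new JcaPEMWriter(writer)) {
        pemWriter.writeObject(object);
    } catch (IOException e) {
        throw new IllegalStateException(errorMessage, e);
    }
    return writer.toString();
}

/**
 * Polls {@code kubectl get csr} until {@code status.certificate} is populated.
 *
 * <p>Issuance happens asynchronously after approval, so a single fixed sleep is not enough to
 * guarantee the field is present; keeps the 5-second cadence but retries up to a bounded number
 * of times, and fails loudly instead of storing an empty certificate.
 *
 * @return the base64 text exactly as printed by kubectl, never empty
 */
private static byte[] fetchIssuedCertificate(String command, String csrName) {
    final int maxAttempts = 12;
    for (int attempt = 1; attempt <= maxAttempts; attempt++) {
        try {
            TimeUnit.SECONDS.sleep(5);
        } catch (InterruptedException e) {
            Thread.currentThread().interrupt();
            throw new IllegalStateException("Interrupted while waiting for certificate.", e);
        }
        byte[] encoded = readCsrCertificateField(command, csrName);
        if (encoded.length > 0) {
            return encoded;
        }
    }
    throw new IllegalStateException(
        "Certificate for CSR " + csrName + " was not issued after " + maxAttempts + " attempts.");
}

/**
 * Runs one {@code kubectl get csr ... -o jsonpath={.status.certificate}} and returns its stdout.
 *
 * <p>Gradle Exec seems to be flaky when reading from stdout, so a plain ProcessBuilder is used.
 * stderr is inherited so a kubectl error shows up in the build log, and a non-zero exit is
 * an error rather than an empty result.
 */
private static byte[] readCsrCertificateField(String command, String csrName) {
    final Process process;
    final byte[] output;
    try {
        process =
            new ProcessBuilder(
                    command, "get", "csr", csrName, "-o", "jsonpath={.status.certificate}")
                .redirectError(ProcessBuilder.Redirect.INHERIT)
                .start();
        output = ByteStreams.toByteArray(process.getInputStream());
    } catch (IOException e) {
        throw new UncheckedIOException("Could not fetch certificate.", e);
    }
    final int exitCode;
    try {
        exitCode = process.waitFor();
    } catch (InterruptedException e) {
        Thread.currentThread().interrupt();
        throw new IllegalStateException("Interrupted while waiting for kubectl.", e);
    }
    if (exitCode != 0) {
        throw new IllegalStateException(
            "kubectl get csr " + csrName + " exited with code " + exitCode);
    }
    return output;
}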

Example 2 with Request

use of io.fabric8.insight.metrics.model.Request in project docker-maven-plugin by fabric8io.

the class QueryService method getLatestContainerForImage.

/**
 * Get the id of the latest container started for an image.
 *
 * <p>"Latest" is the container with the greatest {@code getCreated()} value; when several share
 * that value, the one returned last by {@link #getContainersForImage(String)} wins.
 *
 * @param image for which its container are looked up
 * @return container or <code>null</code> if no container has been started for this image.
 * @throws DockerAccessException if the request fails
 */
public Container getLatestContainerForImage(String image) throws DockerAccessException {
    Container latest = null;
    long latestCreated = 0;
    for (Container candidate : getContainersForImage(image)) {
        long created = candidate.getCreated();
        // ">=" so that a tie replaces the earlier hit, matching the original selection order.
        if (created >= latestCreated) {
            latestCreated = created;
            latest = candidate;
        }
    }
    return latest;
}

Example 3 with Request

use of io.fabric8.insight.metrics.model.Request in project docker-maven-plugin by fabric8io.

the class EcrExtendedAuthTest method testHeaders.

/**
 * Pins the AWS SigV4 headers produced for an ECR token request.
 *
 * <p>The credentials are dummies and the signing time is fixed, so the expected
 * {@code Authorization} value (credential scope, signed-header list and signature) is
 * deterministic; any change to the canonical request shows up as a signature mismatch here.
 */
@Test
public void testHeaders() throws ParseException {
    String registry = "123456789012.dkr.ecr.eu-west-1.amazonaws.com";
    EcrExtendedAuth auth = new EcrExtendedAuth(logger, registry);
    AuthConfig dummyCredentials = new AuthConfig("username", "password", null, null);
    Date fixedSigningTime = AwsSigner4Request.TIME_FORMAT.parse("20161217T211058Z");

    HttpPost signed = auth.createSignedRequest(dummyCredentials, fixedSigningTime);

    String expectedAuthorization =
        "AWS4-HMAC-SHA256 Credential=username/20161217/eu-west-1/ecr/aws4_request, "
            + "SignedHeaders=content-type;host;x-amz-target, "
            + "Signature=1bab0f5c269debe913e532011d5d192b190bb4c55d3de1bc1506eefb93e058e1";
    assertEquals("ecr.eu-west-1.amazonaws.com", signed.getFirstHeader("host").getValue());
    assertEquals("20161217T211058Z", signed.getFirstHeader("X-Amz-Date").getValue());
    assertEquals(expectedAuthorization, signed.getFirstHeader("Authorization").getValue());
}

Example 4 with Request

use of io.fabric8.insight.metrics.model.Request in project fabric8 by jboss-fuse.

the class JolokiaFabricConnector method connect.

/**
 * Connects to a fabric.
 *
 * <p>If a Jolokia client or service facade already exists, {@code disconnect()} is invoked first,
 * then a new {@code J4pClient} is built from the configured URL, user name and password and the
 * service and MBean facades are recreated on top of it.
 *
 * <p>An earlier experiment (since removed) forced the underlying HttpClient to treat every response
 * as a redirect to follow. It stays disabled: following redirects unconditionally can hand the
 * configured credentials to whatever host the server points at, so any future change must
 * validate the redirect target first.
 */
public void connect() {
    boolean alreadyConnected = this.j4p != null || this.fabricServiceFacade != null;
    if (alreadyConnected) {
        disconnect();
    }
    J4pClient client =
        J4pClient.url(this.url).user(this.userName).password(this.password).build();
    this.j4p = client;
    this.fabricServiceFacade = new FabricServiceFacade(this);
    this.fabricMBeanFacade = new FabricMBean(this);
}

Example 5 with Request

use of io.fabric8.insight.metrics.model.Request in project fabric8 by jboss-fuse.

the class OpenShiftDeployAgent method onConfigurationChanged.

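/**
 * Re-checks every Fabric-managed OpenShift container after a configuration change and pushes the
 * effective profile's deployment into the cartridge's git repository.
 *
 * <p>For each container with an OpenShift configuration a {@code DeploymentUpdater} is created;
 * only containers that are Fabric managed are then updated. Failures are logged per container so
 * one broken container does not stop the others.
 */
protected void onConfigurationChanged() {
    LOGGER.info("Configuration has changed; so checking the Fabric managed Java cartridges on OpenShift are up to date");
    Container[] containers = fabricService.get().getContainers();
    for (Container container : containers) {
        Profile effectiveProfile = Profiles.getEffectiveProfile(fabricService.get(), container.getOverlayProfile());
        Map<String, String> openshiftConfiguration = effectiveProfile.getConfiguration(OpenShiftConstants.OPENSHIFT_PID);
        if (openshiftConfiguration == null) {
            continue;
        }
        DeploymentUpdater deployTask = null;
        try {
            deployTask = createDeployTask(container, openshiftConfiguration);
        } catch (MalformedURLException e) {
            LOGGER.error("Failed to create DeploymentUpdater. " + e, e);
        }
        if (deployTask != null && OpenShiftUtils.isFabricManaged(openshiftConfiguration)) {
            updateContainer(container, deployTask);
        }
    }
}

/**
 * Clones or pulls the container's cartridge repository and runs {@code deployTask} against it.
 *
 * <p>Any exception is logged and swallowed so the caller's loop continues; the OpenShift
 * connection is always closed afterwards.
 */
private void updateContainer(Container container, final DeploymentUpdater deployTask) {
    String containerId = container.getId();
    IOpenShiftConnection connection = OpenShiftUtils.createConnection(container);
    CreateOpenshiftContainerOptions options = OpenShiftUtils.getCreateOptions(container);
    if (connection == null || options == null) {
        LOGGER.warn("Ignoring container which has no openshift connection or options. connection: " + connection + " options: " + options);
        // A connection obtained without matching options was previously left open here.
        if (connection != null) {
            OpenShiftUtils.close(connection);
        }
        return;
    }
    try {
        IApplication application = OpenShiftUtils.getApplication(container, connection);
        if (application == null) {
            return;
        }
        final String gitUrl = application.getGitUrl();
        if (gitUrl == null) {
            return;
        }
        LOGGER.info("Git URL is " + gitUrl);
        final CartridgeGitRepository repo = new CartridgeGitRepository(containerId);
        final CredentialsProvider credentials =
            sshKeyCredentialsProvider(application.getDomain().getUser().getSSHKeys());
        SshSessionFactoryUtils.useOpenShiftSessionFactory(new Callable<Object>() {

            @Override
            public Object call() throws Exception {
                repo.cloneOrPull(gitUrl, credentials);
                deployTask.updateDeployment(repo.getGit(), repo.getLocalRepo(), credentials);
                return null;
            }
        });
    } catch (Exception e) {
        LOGGER.error("Failed to update container " + containerId + ". Reason: " + e, e);
    } finally {
        OpenShiftUtils.close(connection);
    }
}

/**
 * Builds the JGit {@code CredentialsProvider} that answers git prompts from the user's OpenShift
 * SSH keys.
 *
 * <p>Each {@code StringType} item receives the public-key text of the next key in {@code sshkeys}
 * (wrapping to the first key when the list runs out); other item kinds are only logged.
 *
 * <p>NOTE(review): the value handed to git is the <em>public</em> key text, not a passphrase,
 * and {@code supports()} claims every item kind while only {@code StringType} is answered — a
 * {@code YesNoType} prompt (e.g. host-key confirmation) is left untouched. Verify this is what
 * the OpenShift session factory expects.
 */
private CredentialsProvider sshKeyCredentialsProvider(final List<IOpenShiftSSHKey> sshkeys) {
    return new CredentialsProvider() {

        @Override
        public boolean supports(CredentialItem... items) {
            return true;
        }

        @Override
        public boolean isInteractive() {
            return true;
        }

        @Override
        public boolean get(URIish uri, CredentialItem... items) throws UnsupportedCredentialItem {
            LOGGER.info("Credential request " + uri + " items " + Arrays.asList(items));
            int i = -1;
            for (CredentialItem item : items) {
                if (item instanceof CredentialItem.StringType) {
                    CredentialItem.StringType stringType = (CredentialItem.StringType) item;
                    int idx = ++i < sshkeys.size() ? i : 0;
                    if (idx < sshkeys.size()) {
                        IOpenShiftSSHKey sshKey = sshkeys.get(idx);
                        // The value is handed to git as a credential: log which key is used,
                        // never its contents.
                        LOGGER.info("For item " + item + " index " + i + " using ssh key #" + idx);
                        stringType.setValue(sshKey.getPublicKey());
                    } else {
                        LOGGER.warn("No ssh keys we can pass into git!");
                    }
                } else {
                    LOGGER.warn("Unknown CredentialItem " + item);
                }
            }
            return true;
        }
    };
}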
