update expired certificate

OWNERS

@@ -1,9 +1,9 @@
 approvers:
-    - shaowenchen
-    - linuxsuren
+    - chilianyi
+    - zheng1
+    - yudong2015
 
 reviewers:
-    - magicsong
-    - runzexia
-    - shaowenchen
-    - JohnNiang
+    - chilianyi
+    - zheng1
+    - yudong2015

hack/certs.sh

@@ -48,9 +48,21 @@ csrName=${service}.${namespace}
 CERTSDIR="config/certs"
 
 if [ ! -d ${CERTSDIR} ]; then
-  mkdir ${CERTSDIR}
+  mkdir -p ${CERTSDIR}
 fi
 
+cat > v3.ext <<-EOF
+authorityKeyIdentifier=keyid,issuer
+basicConstraints=CA:FALSE
+keyUsage = digitalSignature, nonRepudiation, keyEncipherment, dataEncipherment
+extendedKeyUsage = serverAuth
+subjectAltName = @alt_names
+[alt_names]
+DNS.1=${service}.${namespace}.svc
+DNS.2=${service}.${namespace}
+DNS.3=hostname
+EOF
+
 echo "creating certs in certsdir ${CERTSDIR} "
 
 # create cakey
@@ -64,4 +76,4 @@ openssl genrsa -out ${CERTSDIR}/server.key 2048
 
 # create server.crt
 openssl req -new -sha256 -key ${CERTSDIR}/server.key -subj "/C=CN/ST=HB/O=QC/CN=${service}.${namespace}.svc" -out ${CERTSDIR}/server.csr
-openssl x509 -req -in ${CERTSDIR}/server.csr -CA ${CERTSDIR}/ca.crt -CAkey ${CERTSDIR}/ca.key -CAcreateserial -out ${CERTSDIR}/server.crt -days 10000 -sha256
+openssl x509 -req -in ${CERTSDIR}/server.csr -extfile v3.ext -CA ${CERTSDIR}/ca.crt -CAkey ${CERTSDIR}/ca.key -CAcreateserial -out ${CERTSDIR}/server.crt -days 10000 -sha256

hack/config/certs/ca.crt

@@ -0,0 +1,21 @@
+-----BEGIN CERTIFICATE-----
+MIIDczCCAlugAwIBAgIUYi+KIMA4h5fpbgTwY/7NHWNQvQ4wDQYJKoZIhvcNAQEL
+BQAwSDELMAkGA1UEBhMCQ04xCzAJBgNVBAgMAkhCMQswCQYDVQQKDAJRQzEfMB0G
+A1UEAwwWd2ViaG9vay1zZXJ2ZXItc2VydmljZTAgFw0yNDAyMjAwNDI4MzFaGA8y
+MDUxMDcwODA0MjgzMVowSDELMAkGA1UEBhMCQ04xCzAJBgNVBAgMAkhCMQswCQYD
+VQQKDAJRQzEfMB0GA1UEAwwWd2ViaG9vay1zZXJ2ZXItc2VydmljZTCCASIwDQYJ
+KoZIhvcNAQEBBQADggEPADCCAQoCggEBAKqyOmdFhCZws43R4azfyAX23YgMd4PI
+ZgfjGuroeDlVsRRrFJZKWmQiz+KyzZjmP2/JWDZZ20kg9i0AYTodZdn3pTQj1rcU
+wYO43idK6Jf2rSiXFAi3nwr6G4jtyOuf4ZTDjFDe4wRFByStZU473YYPBFgLwZBa
+P2O4I11ZzfHIjSt+oGdcLYFQJ2kqcan9ZIj5w5/I/NxfGEBaEWhX1MyK820cavpL
+xVn1icO6AK1BJMy4yxXU6IYkBWZqoBd6hUYjbHZYO88Unt5+f1kNlp1euFi4vBeD
+voa5gZVsK6zNvrJoCatt+zxJzvsBiA/vCUg5nlTNYGj/NEJVbM5xMw8CAwEAAaNT
+MFEwHQYDVR0OBBYEFNqyC4zRRnpuqhhARO4VF1NQmJWZMB8GA1UdIwQYMBaAFNqy
+C4zRRnpuqhhARO4VF1NQmJWZMA8GA1UdEwEB/wQFMAMBAf8wDQYJKoZIhvcNAQEL
+BQADggEBAFCJVHFqElJSLSZfYMTRBAWP4DxrAXAB4uOHumlLT4UzySbxBPzafmJD
++Th7oguHWU/eks2BQulstiqjwZ25pH5MU3cykJsrVCYsrPeeO3t9GstOeFY9zS/H
+fN5cdap9sPAWwRlAK7spTafCyYPSm8d+LXE5rhc2OPYFAWqLCXPNnwjvawJwAJbo
+qobEHQ+CDZIVjQDcgNJVa0Qx1vGkDHhhkicLP1EeG2QmazeZupJ3DsC42gJRa41h
+J9rpCu3Yduk3nqF9hS8O4NwffsXwyr+toEX9fl0Ew7gF37qx+L34BIYTXBfkPceZ
+vG22oAx9ZNIQrJbYTZr8QP9KPK+krXU=
+-----END CERTIFICATE-----

hack/config/certs/server.crt

@@ -0,0 +1,24 @@
+-----BEGIN CERTIFICATE-----
+MIIECjCCAvKgAwIBAgIUWNbcbhB3WmQeaE2EE6XZ6h9o5j0wDQYJKoZIhvcNAQEL
+BQAwSDELMAkGA1UEBhMCQ04xCzAJBgNVBAgMAkhCMQswCQYDVQQKDAJRQzEfMB0G
+A1UEAwwWd2ViaG9vay1zZXJ2ZXItc2VydmljZTAgFw0yNDAyMjAwNDI4MzFaGA8y
+MDUxMDcwODA0MjgzMVowZTELMAkGA1UEBhMCQ04xCzAJBgNVBAgMAkhCMQswCQYD
+VQQKDAJRQzE8MDoGA1UEAwwzd2ViaG9vay1zZXJ2ZXItc2VydmljZS5rdWJlc3Bo
+ZXJlLWRldm9wcy1zeXN0ZW0uc3ZjMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIB
+CgKCAQEAzy/izqghKOE5Ttvs6ZLQB0QK2Irkl9aUGLWI9f6D2PmtW51nIjrRtzZb
+1Y2MciF3MJEXc1ZO3iEIS2vdn8jx8I/vs8DWJMBGGkiw8k5VUhh1gUJI6DfFpHjF
+iOB4XnLgzdkPQ6YjUQabTp3RFSjVph/6aHHhtvLrZ1MpD7lSZkeq6p4Dxdi1pihF
+vmX6AXMdBEFKv5v2EX8oe7qfJUXtM2Sai+HRVJJPNzjerPBfvqj47K9jQk9vt1aH
+oSUBf7c4Fr7WoqHBq2hdE4TTtNLs66BX1USIfumXdnm3tSp/8wO4sQJAkkB5hIg5
+qzIWA8+H3s2wCyFnkYwVorodYLHYbwIDAQABo4HMMIHJMB8GA1UdIwQYMBaAFNqy
+C4zRRnpuqhhARO4VF1NQmJWZMAkGA1UdEwQCMAAwCwYDVR0PBAQDAgTwMBMGA1Ud
+JQQMMAoGCCsGAQUFBwMBMHkGA1UdEQRyMHCCM3dlYmhvb2stc2VydmVyLXNlcnZp
+Y2Uua3ViZXNwaGVyZS1kZXZvcHMtc3lzdGVtLnN2Y4Ivd2ViaG9vay1zZXJ2ZXIt
+c2VydmljZS5rdWJlc3BoZXJlLWRldm9wcy1zeXN0ZW2CCGhvc3RuYW1lMA0GCSqG
+SIb3DQEBCwUAA4IBAQCLUFqV4rppDmquyLYNsfC1i3YYlDRq6wvJ9LF+p6/RjH1G
+hCxHvuUfUqVU5TjQaVmuXIuVUUXoPAEgU5RQNoMzQCMCyGmIJOqGVqJIieKlPwhV
+v5mCiCBJuRPNVIQTizodDX3UzEHjz2G+zejrttuUcwvGKx5Gm5topVXnSeHxfzFz
+kE8jl1MXue2vyB78FIVMRNkAMpzkS5knhVDMflkVYLLYNHB+svcNbMlz2aiKJjgK
+pPFvftHdX6+OrT+FrPledE9qaqF4GlOaqYn4WbXtj+sg4v4WyPuum/P5FESb1bxo
+faliszxNx37r14JHMus9JAPds6VJb3oilOoqAGWQ
+-----END CERTIFICATE-----

hack/config/certs/server.key

@@ -0,0 +1,27 @@
+-----BEGIN RSA PRIVATE KEY-----
+MIIEowIBAAKCAQEAzy/izqghKOE5Ttvs6ZLQB0QK2Irkl9aUGLWI9f6D2PmtW51n
+IjrRtzZb1Y2MciF3MJEXc1ZO3iEIS2vdn8jx8I/vs8DWJMBGGkiw8k5VUhh1gUJI
+6DfFpHjFiOB4XnLgzdkPQ6YjUQabTp3RFSjVph/6aHHhtvLrZ1MpD7lSZkeq6p4D
+xdi1pihFvmX6AXMdBEFKv5v2EX8oe7qfJUXtM2Sai+HRVJJPNzjerPBfvqj47K9j
+Qk9vt1aHoSUBf7c4Fr7WoqHBq2hdE4TTtNLs66BX1USIfumXdnm3tSp/8wO4sQJA
+kkB5hIg5qzIWA8+H3s2wCyFnkYwVorodYLHYbwIDAQABAoIBAHf2KAK0Ao8i6QWp
+/SC4qs6qLQV4Vic8TP+JjMWyGjE1T5TuLFr7Z5YHWWDq1lj224Y5XDSh0oR259CT
+ofz0YnGBRa70hok88tohIKMLjAc+tjqjYIdkU4GJlAZOwiMdrOBDP71Ror01cBMy
++W6g+CN5/Ikg9ynwuTBYTDwYd4dUCOCOb9lJ7oHG7CEyZa1hjppquJoRBQRNzXcn
+vMtr6ndKjmuv56p+zbPRlcIdCmrTN/VmeBfbeYSVVKzt54eXh7A5SVVxPXTfpt1d
+m1e0l1Pl6uKClg1ysAVJ5KGz7feshGsm7fHsrGxPl/6G7gjh3D7dAdHi/AtRfxDd
+3BFBhFECgYEA7g9yh9GFRWEYjxsI4FOi4Cs0eiVUjkK8ApeYgCFB3RoPrGGC11bO
+5VAJ/NM+HN/8lkwxrJ/bXIv8kE+icM8S6D6Cb8NdP3eeIVAw5Sfm/uCCxNHUf6KD
+EsjYtyG1MF3lKub1VPQ4mhtZ/HAG4Dp8xxeOIHQqXX+Xy7eba9+SYwMCgYEA3szY
+VqYDzhnf5Tb1X/OFz6nwA6QM4TGoz78L+s54rrMJFsONoC4a5mk0gvh7TRyfHdKZ
+xLt/w4+jW9aj4D9O5Ln96135pOe5JzvGgidLORLrY5i9W79Rf/8SiB1PnTIzLw7h
+xrxN9zuMM45RrKjmj0gYvMH9AO709fai9SL1gyUCgYEAwiIOv/t4tu9LW8gsIOOT
+e0NAdCtlHO4G7AY78qEsWOYbyfNrA7hi2FXBD1Ak4t812EsiZyeld38g435Ndbko
+LgRr0kB7FnqxlXETrowvr8HeYirLI5qfUP5A3Ha8j0jCzY2ymyjdz65mX5nrwYdw
+odrvqD+THNQkMZj1Qa78bYkCgYA3fCowQf3WmOkCS1KGR74+PiLwtS0j89sHiZtx
+JXQ2hY2w5phhmLnIQdD7AOisBoG1ypnSvaMOz7muCGEdWobKPWt37xpZr/+TPrar
++R8pooWOcx5NN/MS/jHeRfZqvnKyuHEPrht4g5Lh0AKVDicE7b6DW4gncFr+2iIx
+DDi6JQKBgEGjo/rfT3oZf/CCapjfMFuzyUGW+vzNlYpZkn7RUAzJimO4AgWD+D4I
+j4NP6nPhHS916qNGitlpQg+1kjcDyYG8xRmBuimK58nE5s01PQTl7Jr0N4M6vNx1
+UbQZ99usIkPy2CSjh7cC5mOHE79miF1dwtNpUYHACz3MgYaKG5Vn
+-----END RSA PRIVATE KEY-----

hack/s2iruns.sh

@@ -0,0 +1,102 @@
+#!/bin/bash
+
+ACTION_COUNT="count"
+ACTION_CLEAN="clean"
+
+ACTION=$1
+DELETE_NUMBER=10
+
+while getopts ":n:h" optname
+do
+    case "$optname" in
+      "n")
+        DELETE_NUMBER=$OPTARG
+        ;;
+      "h")
+        printf "Usage:\n# count the si2runs with job without pod \n./s2iruns.sh count \n# clean the si2runs with job without pod \n./s2iruns.sh clean -n 100 \n    -n: the number of cleaning s2iruns\n"
+        exit 0
+        ;;
+      ":")
+        echo "No argument value for option $OPTARG"
+        ;;
+      "?")
+        ;;
+      *)
+        echo "Unknown error while processing options"
+        ;;
+    esac
+done
+
+if [[ "${ACTION}" != "${ACTION_COUNT}" ]] && [[ "${ACTION}" != "${ACTION_CLEAN}" ]]; then
+  echo "un-support action $ACTION!!"
+  exit 1
+fi
+
+
+
+
+POD_NAME=""
+operate() {
+  NAMESPACE=$1
+  RUN=$2
+  STATE=$3
+  JOB=$4
+
+  if [[ "${STATE}" != "Successful" ]] && [[ "${STATE}" != "Failed" ]]; then
+    echo "the s2irun(${RUN}) not complete, ignore .. "
+    return 0
+  fi
+
+  if [ ! -n "${JOB}" ]; then
+    echo "there is no job for s2irun(${RUN}), ignore .. "
+    return 0
+  fi
+
+  getpod ${NAMESPACE} ${JOB}
+  if [ ! -n "${POD_NAME}" ]; then
+    COUNT=$(expr $COUNT + 1)
+    if [[ "${ACTION}" == "${ACTION_CLEAN}" ]]; then
+      echo "!!there is no pod for s2irun(${RUN}/${JOB})"
+      echo "[`date "+%Y-%m-%d %H:%M:%S"`] deleting s2irun ${RUN}/${JOB}" >> ~/s2irun-clean.log
+      kubectl -n ${NAMESPACE} delete s2iruns.devops.kubesphere.io ${RUN}
+    fi
+  fi
+}
+
+
+getpod() {
+  ns=$1
+  job=$2
+  POD_NAME=""
+  while read pod; do
+    pod_job=$(echo ${pod} | awk '{print $7}')
+    pod_ns=$(echo ${pod} | awk '{print $1}')
+    if [[ "$job" == "$pod_job" ]] && [[ "$ns" == "$pod_ns" ]]; then
+      POD_NAME=$(echo ${pod} | awk '{print $2}')
+      break
+    fi
+  done <$POD_FILE
+}
+
+
+
+
+S2IRUN_FILE=/tmp/s2iruns.txt
+POD_FILE=/tmp/pods.txt
+kubectl get s2iruns.devops.kubesphere.io -A --no-headers=true --ignore-not-found=true > ${S2IRUN_FILE}
+kubectl get pod -A --label-columns=job-name --no-headers=true --ignore-not-found=true | awk '{if (length($7) > 0) print $0}' > ${POD_FILE}
+
+COUNT=0
+POD_NAME=""
+while read s2irun; do
+  operate ${s2irun}
+  if [ $COUNT -ge $DELETE_NUMBER ]; then
+    exit 0
+  fi
+done <$S2IRUN_FILE
+
+if [[ "${ACTION}" == "${ACTION_CLEAN}" ]]; then
+  echo "clean count: ${COUNT}"
+else
+  echo "count: ${COUNT}"
+fi

hack/update-s2i-cert.sh

@@ -0,0 +1,31 @@
+#!/bin/bash
+
+set -e
+
+CaBundle=$(< ./config/certs/ca.crt base64 -w 0)
+TLSKey=$(< ./config/certs/server.key base64 -w 0)
+TLSCrt=$(< ./config/certs/server.crt base64 -w 0)
+
+echo "Update Secret: s2i-webhook-server-cert.."
+kubectl -n kubesphere-devops-system patch secret s2i-webhook-server-cert --type='json' -p="[\
+{\"op\": \"replace\", \"path\": \"/data/caBundle\", \"value\": \"${CaBundle}\"},\
+{\"op\": \"replace\", \"path\": \"/data/tls.key\", \"value\": \"${TLSKey}\"},\
+{\"op\": \"replace\", \"path\": \"/data/tls.crt\", \"value\": \"${TLSCrt}\"}\
+]"
+
+echo "Update ValidatingWebhookConfiguration validating-webhook-configuration.."
+kubectl -n kubesphere-devops-system patch validatingwebhookconfigurations validating-webhook-configuration --type='json' -p="[\
+{\"op\": \"replace\", \"path\": \"/webhooks/0/clientConfig/caBundle\", \"value\": \"${CaBundle}\"},\
+{\"op\": \"replace\", \"path\": \"/webhooks/1/clientConfig/caBundle\", \"value\": \"${CaBundle}\"},\
+{\"op\": \"replace\", \"path\": \"/webhooks/2/clientConfig/caBundle\", \"value\": \"${CaBundle}\"}\
+]"
+
+echo "Update MutatingWebhookConfiguration mutating-webhook-configuration.."
+kubectl -n kubesphere-devops-system patch mutatingwebhookconfigurations mutating-webhook-configuration --type='json' -p="[{\"op\": \"replace\", \"path\": \"/webhooks/0/clientConfig/caBundle\", \"value\": \"${CaBundle}\"}]"
+
+echo "Restart s2ioperator server.."
+sleep 5
+kubectl -n kubesphere-devops-system rollout restart sts s2ioperator
+
+
+echo "Done."