Add a kubeconfig and additional binaries

pkg/cluster/cluster.go

@@ -32,9 +32,11 @@ func New(settings *ClusterSettings, node *NodeSettings) *Cluster {
 }
 
 func (c *Cluster) Run() {
-	// Initialize components
+	// Initialize components, certs must be initialized before
+	// environment, which references master keys
 	c.initVPN()
 	c.initCerts()
+	c.initEnv()
 	c.ml.Meta.Role = string(c.node.Role)
 	// Start waiting for events
 	events := c.ml.Events()

pkg/cluster/env.go

+package cluster
+
+import (
+	"fmt"
+	"os"
+	"path"
+
+	"github.com/sirupsen/logrus"
+)
+
+const homeDir = "/root"
+const binDir = "/bin"
+
+// Initialize hepto environment:
+// - deploy subcommand symlinks
+func (c *Cluster) initEnv() {
+	// Remove all binaries and configs
+	err := os.RemoveAll(binDir)
+	if err != nil {
+		logrus.Fatal(err)
+	}
+	err = os.RemoveAll(homeDir)
+	if err != nil {
+		logrus.Fatal(err)
+	}
+	// Create bin directory and all useful symlinks
+	err = os.Setenv("PATH", binDir)
+	if err != nil {
+		logrus.Fatal(err)
+	}
+	err = os.MkdirAll(binDir, 0o755)
+	if err != nil {
+		logrus.Fatal(err)
+	}
+	for _, name := range []string{"kubectl", "ctr", "mount", "containerd-shim", "containerd-shim-runc-v2"} {
+		err = os.Symlink("/proc/1/exe", path.Join(binDir, name))
+	}
+	// Create the admin kubeconfig on master only
+	if c.node.Role == Master {
+		err = os.MkdirAll(path.Join(homeDir, ".kube"), 0o755)
+		if err != nil {
+			logrus.Fatal(err)
+		}
+		rootConfig := KubeConfig{
+			URL:        fmt.Sprintf("https://[%s]:6443", c.networking.NodeAddress.IP.String()),
+			CACert:     c.pki.TLS.CertPath(),
+			ClientKey:  c.masterCerts.RootClient.KeyPath(),
+			ClientCert: c.masterCerts.RootClient.CertPath(),
+		}
+		err = rootConfig.Write(path.Join(homeDir, ".kube/config"))
+		if err != nil {
+			logrus.Fatal(err)
+		}
+	}
+}

pkg/pki/master.go

@@ -20,6 +20,8 @@ type MasterCerts struct {
 	ControllersAPI *pekahi.Certificate
 	// API client certificate for the scheduler
 	SchedulerAPI *pekahi.Certificate
+	// Root access to the API server
+	RootClient *pekahi.Certificate
 }
 
 func NewMasterCerts(path string, ip net.IP) (*MasterCerts, error) {
@@ -67,6 +69,10 @@ func NewMasterCerts(path string, ip net.IP) (*MasterCerts, error) {
 	if err != nil {
 		return nil, err
 	}
+	// Root client certificate
+	rootClientCert, err := bundle.GetCertOrCSR("root",
+		pekahi.NewClientTemplate("root", "system:masters"),
+	)
 	return &MasterCerts{
 		TLS:            tlsCert,
 		Tokens:         tokenKey,
@@ -74,6 +80,7 @@ func NewMasterCerts(path string, ip net.IP) (*MasterCerts, error) {
 		ControllersTLS: controllersTLSCert,
 		ControllersAPI: controllersAPICert,
 		SchedulerAPI:   schedulerAPICert,
+		RootClient:     rootClientCert,
 	}, nil
 }
 
@@ -83,4 +90,5 @@ func (ca *ClusterCA) SignMasterCerts(m *MasterCerts) {
 	signCert(ca.TLS, m.ControllersTLS, pekahi.NewServerTemplate(m.ControllersTLS.CSR.DNSNames, m.ControllersTLS.CSR.IPAddresses))
 	signCert(ca.API, m.ControllersAPI, pekahi.NewClientTemplate(m.ControllersAPI.CSR.Subject.CommonName, ""))
 	signCert(ca.API, m.SchedulerAPI, pekahi.NewClientTemplate(m.SchedulerAPI.CSR.Subject.CommonName, ""))
+	signCert(ca.API, m.RootClient, pekahi.NewClientTemplate(m.RootClient.CSR.Subject.CommonName, "system:masters"))
 }