1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
320
321
322
323
324
325
326
327
328
329
330
331
332
333
334
335
336
337
338
339
340
341
342
343
344
345
346
347
348
349
350
351
352
353
354
355
356
357
358
359
360
361
362
363
364
365
366
367
368
369
370
371
372
373
374
375
376
377
378
379
380
381
382
383
384
385
386
387
388
389
390
391
392
393
394
395
396
397
398
399
400
401
402
403
404
405
406
407
408
409
410
411
412
413
414
415
416
417
418
419
420
421
422
423
424
425
426
427
428
429
430
431
432
433
434
435
436
437
438
439
440
441
442
443
444
445
446
447
448
449
450
451
452
453
454
455
456
457
458
459
460
461
462
463
464
465
466
467
468
469
470
471
472
473
474
475
476
477
478
479
480
481
482
483
484
485
486
487
488
489
490
491
492
493
494
495
496
497
498
499
500
501
502
503
504
505
506
507
508
509
510
511
512
513
514
515
516
517
518
519
520
521
522
523
524
525
526
|
#!/bin/bash
##############################################################################
# Copyright (c) 2017 Nokia and others.
#
# All rights reserved. This program and the accompanying materials
# are made available under the terms of the Apache License, Version 2.0
# which accompanies this distribution, and is available at
# http://www.apache.org/licenses/LICENSE-2.0
##############################################################################
# A script to create virtual hosts in Apache2 to proxy communication
# to the web dashboards/consoles which might be on private networks. In case
# of frequent access to these services, this approach is simpler than using
# SSH tunneling each time.
# Additionally, this script creates a customized homepage for the jumphost
# with links to the dashboards and information about the credentials.
#
# Note that this script is meant for test deployments and might pose
# security risks for other uses (the SSL certificates are not validated,
# passwords are displayed in plaintext etc).
#
# Usage: ./setupproxy.sh [-v] openstack
# ./setupproxy.sh [-v] kubernetes
# ./setupproxy.sh --help
# Options:
# -v verbose (xtrace)
#
# Author: Martin Kulhavy
##############################################################################
# Imports
source common/tools.sh
# Halt on error
set -e
# CONFIGURATION
## JOID
JOID_CONFIG_DIR=../../joid_config
## Apache config directories
A2_DIR=/etc/apache2
A2_SSL_DIR=$A2_DIR/ssl/joid
A2_SITES_ENABLED_DIR=$A2_DIR/sites-enabled
## Juju
JUJU_LOCAL_PORT=17070
## OpenStack
OS_LOCAL_PORT=17080
OS_LOCAL_PORT_SSL=17443
# Kubernetes
KUBE_LOCAL_PORT=17080
# end of CONFIGURATION
# Other global vars
VERBOSE=false
MAAS_WUI_PATH='/MAAS'
MAAS_CREDENTIALS=('ubuntu' 'ubuntu')
SETUP_JUJU=true
SETUP_OPENSTACK=false
SETUP_KUBERNETES=false
JUJU_GUI_PATH='/gui'
JUJU_GUI_CREDENTIALS=()
OS_DB_CREDENTIALS=()
KUBE_DB_PATH='/ui'
KUBE_DB_CREDENTIALS=()
EXTERNAL_HOST=jumphost
# Print out usage information and exit.
# $1 - exit code [optional, default 0]
usage() {
# no xtrace output
{ set +x; } 2> /dev/null
echo "Usage: $0 [-v] openstack"
echo " $0 [-v] kubernetes"
echo " $0 --help"
echo "Options:"
echo " -v verbose (xtrace)"
echo ""
echo "Sets up Apache proxy to the Juju and OpenStack or Kubernetes "
echo "dashboards, so that they are accessible through the jumphost, "
echo "even when on private networks."
exit ${1-0}
}
# Parse the arguments of the script
# $@ - script arguments
parse_args() {
# Print usage help message if requested
if [ "$1" = "help" ] || [ "$1" = "-h" ] || [ "$1" = "--help" ]; then
usage
fi
# Parse args
if [ "-v" = "$1" ]; then
VERBOSE=true
shift
set -x
fi
if [ "openstack" = "$1" ]; then
SETUP_OPENSTACK=true
elif [ "kubernetes" = "$1" ]; then
SETUP_KUBERNETES=true
else
usage 1
fi
}
# Get a value from a script exporting variables, i.e. consisting of lines
# in format `export VAR=value`.
# $1 - filename
# $2 - variable name
get_export_var_value() {
value=$(cat $1 | grep -Px "export $2=.+" | cut -d '=' -f 2)
echo "$value"
}
# Attempt to find the external IP address.
# Takes the source address for traffic on default route.
get_external_ip() {
# Look for the source IP when trying to request outside address
ext_ip=$(ip route get 8.8.8.8 | awk '/src/{print $7}')
if [ -n "ext_ip" ]; then
EXTERNAL_HOST=$ext_ip
fi
}
# Enable Apache mods needed for the proxy.
enable_mods() {
sudo a2enmod proxy
sudo a2enmod proxy_http
sudo a2enmod rewrite
sudo a2enmod deflate
sudo a2enmod headers
sudo a2enmod ssl
}
# Generate SSL keys and certificate to allow serving content over https.
generate_ssl_keys_cert() {
if [ ! -e $A2_SSL_DIR ]; then
sudo mkdir -p $A2_SSL_DIR
fi
sudo openssl genrsa -out $A2_SSL_DIR/ca.key 2048
sudo openssl req -nodes -new \
-subj "/C=OS/ST=None/L=None/O=OS/CN=localhost" \
-key $A2_SSL_DIR/ca.key -out $A2_SSL_DIR/ca.csr
sudo openssl x509 -req -days 365 \
-in $A2_SSL_DIR/ca.csr -signkey $A2_SSL_DIR/ca.key \
-out $A2_SSL_DIR/ca.crt
}
# Remove the Apache configuration file for the default virtual host.
remove_default_site() {
def_site_conf=$A2_SITES_ENABLED_DIR/000-default.conf
if [ -e $def_site_conf ]; then
sudo rm $def_site_conf
fi
}
# Add a port for Apache to listen on. Only added if not yet present
# $1 - port number
add_listening_port() {
if [ -z "$1" ]; then
echo_error "No port to add specified"
exit 1
fi
# Add the port only if not already added
if [ $(cat $A2_DIR/ports.conf | grep -Fx "Listen $1" | wc -l) -eq 0 ]; then
echo "Listen $1" | sudo tee -a $A2_DIR/ports.conf
fi
}
# Setup a proxy for requests to the Juju GUI.
setup_juju_gui_proxy() {
# Get Juju GUI info
juju_gui_info=$(juju gui 2>&1)
juju_gui_url=$(echo "$juju_gui_info" | grep -Po 'https://[^\s]+')
juju_socket=$(echo "$juju_gui_url" | grep -Po 'https://\K[^/]+')
JUJU_GUI_PATH=$(echo "$juju_gui_url" | grep -Po 'https://[^/]+\K/.+')
juju_gui_username=$(echo "$juju_gui_info" | grep -Po 'username: .+' \
| cut -d ' ' -f 2)
juju_gui_password=$(echo "$juju_gui_info" | grep -Po 'password: .+' \
| cut -d ' ' -f 2)
JUJU_GUI_CREDENTIALS=("$juju_gui_username" "$juju_gui_password")
# Virtual host settings
sudo tee "${A2_DIR}/sites-enabled/juju-gui.conf" > /dev/null <<-EOF
<VirtualHost *:${JUJU_LOCAL_PORT}>
ServerName localhost
ServerAlias *
SSLEngine On
SSLCertificateFile ${A2_SSL_DIR}/ca.crt
SSLCertificateKeyFile ${A2_SSL_DIR}/ca.key
RewriteEngine On
RewriteCond %{HTTP:Connection} Upgrade [NC]
RewriteCond %{HTTP:Upgrade} websocket [NC]
RewriteRule /(.*) wss://${juju_socket}/\$1 [P,L]
SSLProxyEngine on
SSLProxyVerify none
SSLProxyCheckPeerCN off
SSLProxyCheckPeerName off
SSLProxyCheckPeerExpire off
ProxyPass / https://${juju_socket}/
ProxyPassReverse / https://${juju_socket}/
</VirtualHost>
EOF
# Add the local port to listen on
add_listening_port ${JUJU_LOCAL_PORT}
}
# Setup a proxy for requests to the OpenStack dashboard.
setup_openstack_dashboard_proxy() {
# Get OpenStack dashboard info
os_ip=$(juju status | awk '/openstack-dashboard\/0/ {print $5}')
if [ -z "$os_ip" ]; then
echo_error "Unable to find unit openstack-dashboard/0. Is this an OpenStack deployment?"
exit 1
fi
# Virtual host settings
sudo tee "${A2_DIR}/sites-enabled/openstack-dashboard.conf" > /dev/null \
<<-EOF
<VirtualHost *:${OS_LOCAL_PORT}>
ServerName localhost
ServerAlias *
ProxyPass / http://${os_ip}/
ProxyPassReverse / http://${os_ip}/
</VirtualHost>
<VirtualHost *:${OS_LOCAL_PORT_SSL}>
ServerName localhost
ServerAlias *
SSLEngine On
SSLCertificateFile ${A2_SSL_DIR}/ca.crt
SSLCertificateKeyFile ${A2_SSL_DIR}/ca.key
SSLProxyEngine on
SSLProxyVerify none
SSLProxyCheckPeerCN off
SSLProxyCheckPeerName off
SSLProxyCheckPeerExpire off
ProxyPass / https://${os_ip}/
ProxyPassReverse / https://${os_ip}/
</VirtualHost>
EOF
# Add the local ports to listen on
add_listening_port ${OS_LOCAL_PORT}
add_listening_port ${OS_LOCAL_PORT_SSL}
# Collect login credentials
openrc=${JOID_CONFIG_DIR}/admin-openrc
OS_DB_CREDENTIALS[0]=$(get_export_var_value $openrc 'OS_USERNAME')
OS_DB_CREDENTIALS[1]=$(get_export_var_value $openrc 'OS_PASSWORD')
OS_DB_CREDENTIALS[2]=$(get_export_var_value $openrc 'OS_USER_DOMAIN_NAME')
}
# Attempt to start the Kubernetes Web UI (Dashboard)
start_kubernetes_dashboard() {
# See docs: https://kubernetes.io/docs/tasks/access-application-cluster/web-ui-dashboard/
machine_num=$(juju status | awk '/kubernetes-master\/0/ {print $4}')
if [ -z "$machine_num" ]; then
echo_error "Unable to find unit kubernetes-master/0. Is this a Kubernetes deployment?"
exit 1
fi
echo "Attempting to start Kubernetes Web UI proxy. A timeout error can be expected here."
juju run --machine="$machine_num" --timeout=5s "kubectl proxy --address='' --accept-hosts='' &" || true
}
# Setup a proxy for requests to the Kubernetes dashboard.
setup_kubernetes_dashboard_proxy() {
# Get Kubernetes master ip (where dashboard is running)
kube_ip=$(juju status | awk '/kubernetes-master\/0/ {print $5}')
# Note: Maybe the port discovery can be automated. Port 8001 is default.
kube_socket="$kube_ip:8001"
# Virtual host settings
sudo tee "${A2_DIR}/sites-enabled/kubernetes-dashboard.conf" > /dev/null \
<<-EOF
<VirtualHost *:${KUBE_LOCAL_PORT}>
ServerName localhost
ServerAlias *
ProxyPass / http://${kube_socket}/
ProxyPassReverse / http://${kube_socket}/
</VirtualHost>
EOF
# Add the local port to listen on
add_listening_port ${KUBE_LOCAL_PORT}
}
print_info_message() {
# no xtrace output
{ set +x; } 2> /dev/null
echo ''
echo_info -n "JOID deployment overview page";
echo " is now accessible on the following url (jumphost):"
echo -n " Address: "; echo_info "http://${EXTERNAL_HOST}/"
echo ''
if [ "$SETUP_JUJU" = true ]; then
echo_info -n "Juju GUI";
echo " is now accessible with the following url and credentials:"
echo -n " Address: "; echo_info "https://${EXTERNAL_HOST}:${JUJU_LOCAL_PORT}${JUJU_GUI_PATH}"
echo -n " Username: "; echo_info "${JUJU_GUI_CREDENTIALS[0]}"
echo -n " Password: "; echo_info "${JUJU_GUI_CREDENTIALS[1]}"
echo ''
fi
if [ "$SETUP_OPENSTACK" = true ]; then
echo_info -n "OpenStack dashboard"
echo " is now accessible with the following url and credentials:"
echo -n " Address: "; echo_info -n "https://${EXTERNAL_HOST}:${OS_LOCAL_PORT_SSL}/";
echo -n " or "; echo_info "http://${EXTERNAL_HOST}:${OS_LOCAL_PORT}/"
echo -n " Domain: "; echo_info "${OS_DB_CREDENTIALS[2]}"
echo -n " User Name: "; echo_info "${OS_DB_CREDENTIALS[0]}"
echo -n " Password: "; echo_info "${OS_DB_CREDENTIALS[1]}"
echo ''
fi
if [ "$SETUP_KUBERNETES" = true ]; then
echo_info -n "Kubernetes dashboard"
echo " is now accessible with the following url and credentials:"
echo -n " Address: "; echo_info "http://${EXTERNAL_HOST}:${KUBE_LOCAL_PORT}${KUBE_DB_PATH}";
echo " No credentials needed if started on kubernetes-master/0 with command:"
echo " kubectl proxy --address='' --accept-hosts='' &"
echo ''
fi
}
# Create a homepage for the jumphost with links to the dashboards
create_homepage() {
# Note: If this function is about to get any more complicated,
# it might be worth using template rendering instead.
juju_origin="10.21.19.100:17070"
juju_url="https://10.21.19.100:17070/gui/u/admin/default"
os_origin="https://10.21.19.100:17443/"
os_url="10.21.19.100:17443"
kube_origin="https://10.21.19.100:17443/"
kube_url="10.21.19.100:17443"
sudo tee "/var/www/html/index.html" > /dev/null <<EOF
<!doctype html>
<html lang="en">
<head>
<meta charset="utf-8">
<title>OPNFV - deployed with JOID</title>
<script src="https://cdn.rawgit.com/zenorocha/clipboard.js/v1.7.1/dist/clipboard.min.js"></script>
<link rel="stylesheet" href="https://cdnjs.cloudflare.com/ajax/libs/normalize/7.0.0/normalize.css" />
<style>
body { text-align: center; padding-top: 15%; line-height: 1.3;
font-size: 14pt; font-family: Helvetica, Arial, sans-serif;
color: #383a35; }
* { box-sizing: border-box; }
#logo { max-width: 600px; margin: auto; }
fieldset { display: inline-block; width: 400px; min-height: 150pt;
text-align: center; border: 2px solid #383a35;
vertical-align: top; }
legend { font-size: 16pt; font-weight: bold; padding: 0 5pt; }
table { width: 100%; }
a { font-weight: bold; text-decoration: none; display: block;
padding: 5px; margin: 10px; }
a:hover, a:active { background-color: #eef; }
th { width: 40%; text-align: right; }
td { width: 60%; text-align: left; }
input { width: 170px; height: 16pt; color: #000; background: #fff;
border: 1px solid #ddd; vertical-align: bottom; }
button.copy { width: 16pt; height: 16pt; vertical-align: bottom;
background: white url('https://cdnjs.cloudflare.com/ajax/libs/octicons/4.4.0/svg/clippy.svg') no-repeat center; }
p { font-size: 12pt; text-align: left; }
pre { font-size: 10pt }
</style>
</head>
<body>
<img src="https://www.opnfv.org/wp-content/uploads/sites/12/2016/11/opnfv_logo_wp.png"
id="logo" alt="OPNFV logo" />
<h1>Deployed with JOID</h1>
EOF
# MAAS info box
origin="${EXTERNAL_HOST}:80"
url="http://${origin}${MAAS_WUI_PATH}"
user="${MAAS_CREDENTIALS[0]}"
pass="${MAAS_CREDENTIALS[1]}"
sudo tee -a "/var/www/html/index.html" > /dev/null <<EOF
<fieldset><legend>MAAS dashboard</legend>
<a href="${url}" target="_blank" title="Open MAAS dashboard">${origin}</a>
<table><tr><th>Username:</th><td><input type="text" id="maas-user" value="${user}"
/><button class="copy" data-clipboard-target="#maas-user"></button></td></tr>
<tr><th>Password:</th><td><input type="text" id="maas-pass" value="${pass}"
/><button class="copy" data-clipboard-target="#maas-pass"></button></td></tr>
</tbody></table>
</fieldset>
EOF
if [ "$SETUP_JUJU" = true ]; then
origin="${EXTERNAL_HOST}:${JUJU_LOCAL_PORT}"
url="https://${origin}${JUJU_GUI_PATH}"
user="${JUJU_GUI_CREDENTIALS[0]}"
pass="${JUJU_GUI_CREDENTIALS[1]}"
sudo tee -a "/var/www/html/index.html" > /dev/null <<EOF
<fieldset><legend>Juju GUI</legend>
<a href="${url}" target="_blank" title="Open Juju GUI">${origin}</a>
<table><tr><th>Username:</th><td><input type="text" id="juju-user" value="${user}"
/><button class="copy" data-clipboard-target="#juju-user"></button></td></tr>
<tr><th>Password:</th><td><input type="text" id="juju-pass" value="${pass}"
/><button class="copy" data-clipboard-target="#juju-pass"></button></td></tr>
</table>
</fieldset>
EOF
fi
if [ "$SETUP_OPENSTACK" = true ]; then
origin="${EXTERNAL_HOST}:${OS_LOCAL_PORT_SSL}"
url="https://${origin}/"
user="${OS_DB_CREDENTIALS[0]}"
pass="${OS_DB_CREDENTIALS[1]}"
domain="${OS_DB_CREDENTIALS[2]}"
sudo tee -a "/var/www/html/index.html" > /dev/null <<EOF
<fieldset><legend>OpenStack dashboard</legend>
<a href="${url}" target="_blank" title="Open OpenStack dashboard">${origin}</a>
<table><tr><th>Domain:</th><td><input type="text" id="os-domain" value="${domain}"
/><button class="copy" data-clipboard-target="#os-domain"></button></td></tr>
<tr><th>User Name:</th><td><input type="text" id="os-user" value="${user}"
/><button class="copy" data-clipboard-target="#os-user"></button></td></tr>
<tr><th>Password:</th><td><input type="text" id="os-pass" value="${pass}"
/><button class="copy" data-clipboard-target="#os-pass"></button></td></tr>
</table>
</fieldset>
EOF
fi
if [ "$SETUP_KUBERNETES" = true ]; then
origin="${EXTERNAL_HOST}:${KUBE_LOCAL_PORT}"
url="http://${origin}${KUBE_DB_PATH}"
user="${KUBE_DB_CREDENTIALS[0]}"
pass="${KUBE_DB_CREDENTIALS[1]}"
sudo tee -a "/var/www/html/index.html" > /dev/null <<EOF
<fieldset><legend>Kubernetes dashboard</legend>
<a href="${url}" target="_blank" title="Open Kubernetes dashboard">${origin}</a>
<div>
<p>No credentials needed if started with command</p>
<pre>kubectl proxy --address='' --accept-hosts='' &</pre>
</div>
</fieldset>
EOF
fi
sudo tee -a "/var/www/html/index.html" > /dev/null <<EOF
<script>new Clipboard('button.copy');</script>
</body>
</html>
EOF
}
main() {
# Do not run script as root (causes later permission issues with Juju)
if [ "$(id -u)" == "0" ]; then
echo_error "Must not be run with sudo or by root"
exit 77
fi
parse_args "$@"
get_external_ip
echo_info "Enabling Apache mods"
enable_mods
echo_info "Generating SSL keys and certificates"
generate_ssl_keys_cert
remove_default_site
if [ "$SETUP_JUJU" = true ]; then
echo_info "Setting up proxy configuration for Juju GUI"
setup_juju_gui_proxy
fi
if [ "$SETUP_OPENSTACK" = true ]; then
echo_info "Setting up proxy configuration for OpenStack dashboard"
setup_openstack_dashboard_proxy
fi
if [ "$SETUP_KUBERNETES" = true ]; then
echo_info "Starting Kubernetes dashboard"
start_kubernetes_dashboard
echo_info "Setting up proxy configuration for Kubernetes dashboard"
setup_kubernetes_dashboard_proxy
fi
echo_info "Creating the homepage for jumphost"
create_homepage
echo_info "Restarting HTTP server"
sudo service apache2 restart
# Print info message
echo_info "Setup finished."
print_info_message
}
# Start the script with the main() function
main "$@"
|
