cluster/clustercfg: add clustercfg-nocerts

cluster/clustercfg/clustercfg.py

@@ -129,7 +129,7 @@ def admincreds(args):
     configure_k8s(username, ca_kube._cert, local_crt, local_key)
 
 
-def nodestrap(args):
+def nodestrap(args, nocerts=False):
     if len(args) != 1:
         sys.stderr.write("Usage: nodestrap bc01n01.hswaw.net\n")
         return 1
@@ -138,67 +138,68 @@ def nodestrap(args):
     logger.info("Nodestrapping {}...".format(fqdn))
     r = fabric.Connection('root@{}'.format(fqdn))
 
-    cfg = dict((k, pki_config(k)) for k in [
-        'etcdPeer', 'etcd.server', 'etcd.kube'
-    ])
-    certs_root = os.path.join(local_root, 'cluster/certs')
+    if not nocerts:
+        cfg = dict((k, pki_config(k)) for k in [
+            'etcdPeer', 'etcd.server', 'etcd.kube'
+        ])
+        certs_root = os.path.join(local_root, 'cluster/certs')
 
-    # Make etcd peer certificate for node.
-    ca_etcd_peer = ca.CA(ss, certs_root, 'etcdpeer', 'etcd peer ca')
-    ca_etcd_peer.upload(r, cfg['etcdPeer']['ca'])
-    c = ca_etcd_peer.make_cert('etcdpeer-{}'.format(fqdn), hosts=[fqdn], ou='node etcd peer certificate')
-    c.upload_pki(r, cfg['etcdPeer'])
+        # Make etcd peer certificate for node.
+        ca_etcd_peer = ca.CA(ss, certs_root, 'etcdpeer', 'etcd peer ca')
+        ca_etcd_peer.upload(r, cfg['etcdPeer']['ca'])
+        c = ca_etcd_peer.make_cert('etcdpeer-{}'.format(fqdn), hosts=[fqdn], ou='node etcd peer certificate')
+        c.upload_pki(r, cfg['etcdPeer'])
 
-    # Make etcd server certificate for node and client certificate for kube.
-    ca_etcd = ca.CA(ss, certs_root, 'etcd', 'etcd ca')
-    ca_etcd.upload(r, cfg['etcd.server']['ca'])
+        # Make etcd server certificate for node and client certificate for kube.
+        ca_etcd = ca.CA(ss, certs_root, 'etcd', 'etcd ca')
+        ca_etcd.upload(r, cfg['etcd.server']['ca'])
 
-    c = ca_etcd.make_cert('etcd-{}'.format(fqdn), hosts=[fqdn], ou='node etcd server certificate')
-    c.upload_pki(r, cfg['etcd.server'])
+        c = ca_etcd.make_cert('etcd-{}'.format(fqdn), hosts=[fqdn], ou='node etcd server certificate')
+        c.upload_pki(r, cfg['etcd.server'])
 
-    c = ca_etcd.make_cert('etcd-kube', hosts=['kube'], ou='kube etcd client certificate')
-    c.upload_pki(r, cfg['etcd.kube'])
+        c = ca_etcd.make_cert('etcd-kube', hosts=['kube'], ou='kube etcd client certificate')
+        c.upload_pki(r, cfg['etcd.kube'])
 
-    # Make root etcd client (do not upload).
-    ca_etcd.make_cert('etcd-root', hosts=['root'], ou='root etcd client certificate')
+        # Make root etcd client (do not upload).
+        ca_etcd.make_cert('etcd-root', hosts=['root'], ou='root etcd client certificate')
 
-    # Make calico etcd client (do not upload, used by jsonnet).
-    ca_etcd.make_cert('etcd-calico', hosts=['calico'], ou='root etcd client certificate')
+        # Make calico etcd client (do not upload, used by jsonnet).
+        ca_etcd.make_cert('etcd-calico', hosts=['calico'], ou='root etcd client certificate')
 
-    ## Make kube certificates.
-    ca_kube = ca.CA(ss, certs_root, 'kube', 'kubernetes main CA')
+        ## Make kube certificates.
+        ca_kube = ca.CA(ss, certs_root, 'kube', 'kubernetes main CA')
 
-    # Make kubelet certificate (per node).
-    c = ca_kube.make_cert('kube-kubelet-'+fqdn, o='system:nodes', ou='Kubelet', hosts=['system:node:'+fqdn, fqdn])
-    c.upload_pki(r, pki_config('kube.kubelet'))
+        # Make kubelet certificate (per node).
+        c = ca_kube.make_cert('kube-kubelet-'+fqdn, o='system:nodes', ou='Kubelet', hosts=['system:node:'+fqdn, fqdn])
+        c.upload_pki(r, pki_config('kube.kubelet'))
 
-    # Make apiserver certificate.
-    c = ca_kube.make_cert('kube-apiserver', ou='Kubernetes API', hosts=[cluster, '10.10.12.1'])
-    c.upload_pki(r, pki_config('kube.apiserver'), concat_ca=True)
+        # Make apiserver certificate.
+        c = ca_kube.make_cert('kube-apiserver', ou='Kubernetes API', hosts=[cluster, '10.10.12.1'])
+        c.upload_pki(r, pki_config('kube.apiserver'), concat_ca=True)
 
-    # Make service accounts decryption key (as cert for consistency).
-    c = ca_kube.make_cert('kube-serviceaccounts', ou='Kubernetes Service Accounts Signer', hosts=['serviceaccounts'])
-    c.upload_pki(r, pki_config('kube.serviceaccounts'))
+        # Make service accounts decryption key (as cert for consistency).
+        c = ca_kube.make_cert('kube-serviceaccounts', ou='Kubernetes Service Accounts Signer', hosts=['serviceaccounts'])
+        c.upload_pki(r, pki_config('kube.serviceaccounts'))
 
-    # Make kube component certificates.
-    kube_components = ['controllermanager', 'scheduler', 'proxy']
-    cfg = dict((k, pki_config('kube.' + k)) for k in kube_components)
-    for k in kube_components:
-        ca_kube.upload(r, cfg[k]['ca'])
-        # meh 
-        if k == 'controllermanager':
-            o = 'system:kube-controller-manager'
-        else:
-            o = 'system:kube-'+k
-        ou = 'Kubernetes Component '+k
-        c = ca_kube.make_cert('kube-'+k, ou=ou, o=o, hosts=[o,])
-        c.upload_pki(r, cfg[k])
+        # Make kube component certificates.
+        kube_components = ['controllermanager', 'scheduler', 'proxy']
+        cfg = dict((k, pki_config('kube.' + k)) for k in kube_components)
+        for k in kube_components:
+            ca_kube.upload(r, cfg[k]['ca'])
+            # meh 
+            if k == 'controllermanager':
+                o = 'system:kube-controller-manager'
+            else:
+                o = 'system:kube-'+k
+            ou = 'Kubernetes Component '+k
+            c = ca_kube.make_cert('kube-'+k, ou=ou, o=o, hosts=[o,])
+            c.upload_pki(r, cfg[k])
 
-    ## Make kubefront certificates.
-    ca_kubefront = ca.CA(ss, certs_root, 'kubefront', 'kubernetes frontend CA')
-    ca_kubefront.upload(r, pki_config('kubeFront.apiserver')['ca'])
-    c = ca_kubefront.make_cert('kubefront-apiserver', ou='Kubernetes Frontend', hosts=['apiserver'])
-    c.upload_pki(r, pki_config('kubeFront.apiserver'))
+        ## Make kubefront certificates.
+        ca_kubefront = ca.CA(ss, certs_root, 'kubefront', 'kubernetes frontend CA')
+        ca_kubefront.upload(r, pki_config('kubeFront.apiserver')['ca'])
+        c = ca_kubefront.make_cert('kubefront-apiserver', ou='Kubernetes Frontend', hosts=['apiserver'])
+        c.upload_pki(r, pki_config('kubeFront.apiserver'))
 
     # Upload NixOS config
     for f in ['toplevel', 'cluster-configuration']:
@@ -220,6 +221,8 @@ def main():
     mode = sys.argv[1]
     if mode == "nodestrap":
         return nodestrap(sys.argv[2:])
+    elif mode == "nodestrap-nocerts":
+        return nodestrap(sys.argv[2:], nocerts=True)
     elif mode == "admincreds":
         return admincreds(sys.argv[2:])
     elif mode == "config":