Make it more automation

Signed-off-by: JenTing Hsiao <[email protected]>

.gitignore

@@ -0,0 +1,2 @@
+metrics-server/
+kubernetes-ca.crt

README.md

@@ -2,13 +2,52 @@
 
 Official [metrics-server](https://github.com/kubernetes-sigs/metrics-server) deploys onto [Kubernetes](https://github.com/kubernetes-sigs/metrics-server/blob/master/deploy/kubernetes/metrics-apiservice.yaml) is _insecure_.
 
-This repo provides a way to generate metrics-server certificate/key by Kubernetes CA.
+This repo provides a way to generate metrics-server server certificate and key by Kubernetes CA.
 Then, deploys metrics-server _in secure_.
 
-## Deployments
+## Prerequisite
 
-```
-git clone [email protected]:kubernetes-sigs/metrics-server.git
-kubectl apply -f metrics-server/deploy/kubernetes
-./gen-metrics-server-cert-key.sh
-```
+- [kubectl](https://kubernetes.io/docs/tasks/tools/install-kubectl/#install-kubectl-on-linux) CLI
+- [kustomize](https://github.com/kubernetes-sigs/kustomize) CLI
+
+## Demo
+
+### KIND
+
+1. Clone upstream metrics-server manifests.
+
+   At here, we clone the current latest metrics-server tag `v0.4.1`, you could switch to your preferred metrics-server release version.
+   ```shell
+   git clone -b v0.4.1 [email protected]:kubernetes-sigs/metrics-server.git
+   cd metrics-server/manifests
+   git clone [email protected]:jenting/secure-metrics-server.git
+   cd secure-metrics-server
+   ```
+
+2. Copy the Kubernetes CA certificate from remote machine to local machine.
+
+   ```shell
+   NODE_NAME=`kind get nodes`
+   CONTAINER_ID=`docker ps --filter "name=$NODE_NAME" -q`
+   docker cp $CONTAINER_ID:/etc/kubernetes/pki/ca.crt kubernetes-ca.crt
+   ```
+
+3. Run generate secure metrics-server patch manifests.
+
+   ```shell
+   ./secure-metrics-server.sh
+   ```
+
+4. Apply the _kustomization.yaml_ file
+
+    ```shell
+    cd ../
+    kustomize build secure-metrics-server | kubectl apply -f -
+    ```
+
+5. Check the metrics-server bahavior
+
+    ```shell
+    kubectl top nodes
+    kubectl top pods
+    ```

secure-metrics-server.sh

@@ -0,0 +1,143 @@
+#!/bin/sh
+set -e
+
+# generate metrics-server server key, csr, and certifcate
+gen_server_cert_key() {
+  cat > server.conf <<EOF
+  [req]
+  distinguished_name = req_distinguished_name
+  req_extensions = v3_req
+  prompt = no
+
+  [req_distinguished_name]
+  CN = metrics-server.kube-system.svc
+
+  [v3_req]
+  basicConstraints = critical,CA:FALSE
+  keyUsage = critical,digitalSignature,keyEncipherment
+  extendedKeyUsage = serverAuth
+  subjectAltName = @alt_names
+
+  [alt_names]
+  DNS.1 = metrics-server.kube-system.svc
+EOF
+
+  openssl req -x509 -nodes -days 3650 -newkey rsa:4096 -keyout server.key -subj "/CN=metrics-server.kube-system.svc"
+  openssl req -new -sha256 -key server.key -config server.conf -out server.csr
+
+  # Generate csr manifest
+  cat > metrics-server.csr.yaml <<EOF
+  apiVersion: certificates.k8s.io/v1beta1
+  kind: CertificateSigningRequest
+  metadata:
+    name: metrics-server.kube-system.svc
+  spec:
+    request: $(cat server.csr | base64 | tr -d '\n')
+    usages:
+    - digital signature
+    - key encipherment
+    - server auth
+EOF
+
+  # Delete all csr
+  kubectl delete csr --all
+
+  # Apply csr manifest
+  kubectl apply -f metrics-server.csr.yaml
+
+  rm metrics-server.csr.yaml
+
+  # Get csr
+  kubectl get csr
+
+  # Approve csr
+  kubectl certificate approve metrics-server.kube-system.svc
+
+  # Get csr again
+  kubectl get csr
+
+  # Retrieve cert after approval
+  kubectl -n kube-system get csr metrics-server.kube-system.svc -o jsonpath='{.status.certificate}' | base64 --decode > server.crt
+
+  # Create secret with key and cert
+  kubectl -n kube-system create secret tls metrics-server-cert --cert=server.crt --key=server.key || true
+}
+
+# generate Deployment patch manifest
+gen_deployment_patch_manifest() {
+  cat > patch-deployment.yaml <<EOF
+  apiVersion: apps/v1
+  kind: Deployment
+  metadata:
+    name: metrics-server
+    namespace: kube-system
+  spec:
+    template:
+      spec:
+        volumes:
+        - name: metrics-server-cert-path
+          secret:
+            secretName: metrics-server-cert
+        containers:
+        - name: metrics-server              
+          volumeMounts:
+          - name: metrics-server-cert-path
+            mountPath: /etc/metrics-server/pki
+            readOnly: true
+EOF
+}
+
+# generate APIService patch manifest
+gen_apiservice_patch_manifest() {
+  cat > patch-apiservice.yaml <<EOF
+  apiVersion: apiregistration.k8s.io/v1
+  kind: APIService
+  metadata:
+    name: v1beta1.metrics.k8s.io
+  spec:
+    service:
+      name: metrics-server
+      namespace: kube-system
+    group: metrics.k8s.io
+    version: v1beta1
+    insecureSkipTLSVerify: false
+    groupPriorityMinimum: 100
+    versionPriority: 100
+    caBundle: $(cat kubernetes-ca.crt | base64 -w 0 && echo)
+EOF
+}
+
+# generate kustomize kustomization.yaml
+gen_kustomization_manifest() {
+  cp ../release/kustomization.yaml .
+
+  cat >> kustomization.yaml <<EOF
+patchesJson6902:
+- target:
+    group: apps
+    version: v1
+    kind: Deployment
+    name: metrics-server
+    namespace: kube-system
+  patch: |-
+    - op: replace
+      path: /spec/template/spec/containers/0/args/0
+      value: --tls-cert-file=/etc/metrics-server/pki/tls.crt
+    - op: add 
+      path: /spec/template/spec/containers/0/args/1
+      value: --tls-private-key-file=/etc/metrics-server/pki/tls.key
+    - op: add 
+      path: /spec/template/spec/containers/0/args/-
+      value: --kubelet-insecure-tls
+patches:
+- patch-deployment.yaml
+- patch-apiservice.yaml	  
+EOF
+}
+
+{
+  gen_server_cert_key
+  gen_deployment_patch_manifest
+  gen_apiservice_patch_manifest
+  gen_kustomization_manifest
+}