k8s: Add virtual environment for testing 27/90827/3
authorPawel Wieczorek <p.wieczorek2@samsung.com>
Thu, 27 Jun 2019 14:46:28 +0000 (16:46 +0200)
committerPawel Wieczorek <p.wieczorek2@samsung.com>
Mon, 8 Jul 2019 10:29:52 +0000 (12:29 +0200)
This patch adds a simplified ONAP deployment environment (a Kubernetes
cluster managed by Rancher). Its purpose is to provide cluster defaults
for inspection without the need to access an actual ONAP application
deployment.

Default node customization scripts were extracted
("tools/get_customization_scripts.sh" run within "tools/imported/"
directory) from official documentation [1] and imported here in order
not to introduce runtime online dependencies.

This environment should probably be migrated in future to more
appropriate place like devtool [2] (or at least use the same Vagrant
boxes).

[1] https://docs.onap.org/en/casablanca/submodules/oom.git/docs/oom_setup_kubernetes_rancher.html
[2] https://git.onap.org/integration/devtool

Issue-ID: SECCOM-235
Change-Id: I57f9f3caac0e8b391e9ed480f6bebba98e006882
Signed-off-by: Pawel Wieczorek <p.wieczorek2@samsung.com>
test/security/k8s/tools/get_customization_scripts.sh [new file with mode: 0755]
test/security/k8s/tools/imported/openstack-k8s-node.sh [new file with mode: 0644]
test/security/k8s/tools/imported/openstack-rancher.sh [new file with mode: 0644]
test/security/k8s/vagrant/Vagrantfile [new file with mode: 0644]

diff --git a/test/security/k8s/tools/get_customization_scripts.sh b/test/security/k8s/tools/get_customization_scripts.sh
new file mode 100755 (executable)
index 0000000..028f002
--- /dev/null
@@ -0,0 +1,5 @@
+#!/usr/bin/env bash
+
+wget \
+  'https://docs.onap.org/en/casablanca/_downloads/0b365a2342af5abd655f1724b962f5b5/openstack-rancher.sh' \
+  'https://docs.onap.org/en/casablanca/_downloads/b20b581d56982e9f15a72527a358d56b/openstack-k8s-node.sh'
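Review bot: Nothing in this script checks that the two files `wget` fetches are the ones that were reviewed, and there is no error handling, so a failed or altered download can be committed under tools/imported/ and later run as a root provisioner by the Vagrantfile. Add `set -euo pipefail` after the shebang and verify the downloads against a committed checksum list, e.g. `sha256sum --check <checksums-file>`. Re-running `wget` in a directory that already holds the files also saves copies with a `.1` suffix instead of refreshing them; `wget --timestamping` would likely avoid that.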
diff --git a/test/security/k8s/tools/imported/openstack-k8s-node.sh b/test/security/k8s/tools/imported/openstack-k8s-node.sh
new file mode 100644 (file)
index 0000000..b8462aa
--- /dev/null
@@ -0,0 +1,46 @@
+#!/bin/bash
+
+DOCKER_VERSION=17.03
+KUBECTL_VERSION=1.11.2
+HELM_VERSION=2.9.1
+
+# setup root access - default login: oom/oom - comment out to restrict access too ssh key only
+sed -i 's/PermitRootLogin.*/PermitRootLogin yes/' /etc/ssh/sshd_config
+sed -i 's/PasswordAuthentication.*/PasswordAuthentication yes/' /etc/ssh/sshd_config
+service sshd restart
+echo -e "oom\noom" | passwd root
+
+apt-get update
+curl https://releases.rancher.com/install-docker/$DOCKER_VERSION.sh | sh
+mkdir -p /etc/systemd/system/docker.service.d/
+cat > /etc/systemd/system/docker.service.d/docker.conf << EOF
+[Service]
+ExecStart=
+ExecStart=/usr/bin/dockerd -H fd:// --insecure-registry=nexus3.onap.org:10001
+EOF
+systemctl daemon-reload
+systemctl restart docker
+apt-mark hold docker-ce
+
+IP_ADDY=`ip address |grep ens|grep inet|awk '{print $2}'| awk -F / '{print $1}'`
+HOSTNAME=`hostname`
+
+echo "$IP_ADDY $HOSTNAME" >> /etc/hosts
+
+docker login -u docker -p docker nexus3.onap.org:10001
+
+sudo apt-get install make -y
+
+sudo curl -LO https://storage.googleapis.com/kubernetes-release/release/v$KUBECTL_VERSION/bin/linux/amd64/kubectl
+sudo chmod +x ./kubectl
+sudo mv ./kubectl /usr/local/bin/kubectl
+sudo mkdir ~/.kube
+wget http://storage.googleapis.com/kubernetes-helm/helm-v${HELM_VERSION}-linux-amd64.tar.gz
+sudo tar -zxvf helm-v${HELM_VERSION}-linux-amd64.tar.gz
+sudo mv linux-amd64/helm /usr/local/bin/helm
+
+# install nfs
+sudo apt-get install nfs-common -y
+
+
+exit 0
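Review bot: The block at the top of this script sets `PermitRootLogin yes` and `PasswordAuthentication yes` and gives root the published default password, which a Vagrant guest does not need because `vagrant ssh` authenticates with a key by default. The file's own comment says the block can be commented out; since the script is imported verbatim, either do that and record the deviation in a header comment such as `# Imported from <upstream URL>; root password login disabled for local use`, or state in the commit message that these VMs must stay on a host-only network. The same block appears in openstack-rancher.sh. The helm tarball is also fetched over plain `http://` and installed into /usr/local/bin with no checksum, unlike the `https://` kubectl download a few lines above it, and the Docker installer is piped straight from `curl` into `sh`.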
diff --git a/test/security/k8s/tools/imported/openstack-rancher.sh b/test/security/k8s/tools/imported/openstack-rancher.sh
new file mode 100644 (file)
index 0000000..bcf542a
--- /dev/null
@@ -0,0 +1,51 @@
+#!/bin/bash
+
+DOCKER_VERSION=17.03
+RANCHER_VERSION=1.6.22
+KUBECTL_VERSION=1.11.2
+HELM_VERSION=2.9.1
+
+# setup root access - default login: oom/oom - comment out to restrict access too ssh key only
+sed -i 's/PermitRootLogin.*/PermitRootLogin yes/' /etc/ssh/sshd_config
+sed -i 's/PasswordAuthentication.*/PasswordAuthentication yes/' /etc/ssh/sshd_config
+service sshd restart
+echo -e "oom\noom" | passwd root
+
+apt-get update
+curl https://releases.rancher.com/install-docker/$DOCKER_VERSION.sh | sh
+mkdir -p /etc/systemd/system/docker.service.d/
+cat > /etc/systemd/system/docker.service.d/docker.conf << EOF
+[Service]
+ExecStart=
+ExecStart=/usr/bin/dockerd -H fd:// --insecure-registry=nexus3.onap.org:10001
+EOF
+systemctl daemon-reload
+systemctl restart docker
+apt-mark hold docker-ce
+
+IP_ADDY=`ip address |grep ens|grep inet|awk '{print $2}'| awk -F / '{print $1}'`
+HOSTNAME=`hostname`
+
+echo "$IP_ADDY $HOSTNAME" >> /etc/hosts
+
+docker login -u docker -p docker nexus3.onap.org:10001
+
+sudo apt-get install make -y
+
+sudo docker run -d --restart=unless-stopped -p 8080:8080 --name rancher_server rancher/server:v$RANCHER_VERSION
+sudo curl -LO https://storage.googleapis.com/kubernetes-release/release/v$KUBECTL_VERSION/bin/linux/amd64/kubectl
+sudo chmod +x ./kubectl
+sudo mv ./kubectl /usr/local/bin/kubectl
+sudo mkdir ~/.kube
+wget http://storage.googleapis.com/kubernetes-helm/helm-v${HELM_VERSION}-linux-amd64.tar.gz
+sudo tar -zxvf helm-v${HELM_VERSION}-linux-amd64.tar.gz
+sudo mv linux-amd64/helm /usr/local/bin/helm
+
+# nfs server
+sudo apt-get install nfs-kernel-server -y
+
+sudo mkdir -p /nfs_share
+sudo chown nobody:nogroup /nfs_share/
+
+
+exit 0
diff --git a/test/security/k8s/vagrant/Vagrantfile b/test/security/k8s/vagrant/Vagrantfile
new file mode 100644 (file)
index 0000000..83499b7
--- /dev/null
@@ -0,0 +1,41 @@
+# -*- mode: ruby -*-
+# -*- coding: utf-8 -*-
+
+vm_memory = 2 * 1024
+vm_cpus = 1
+
+cluster = [
+  { name: 'master', hostname: 'master', ip: '172.17.0.100' },
+  { name: 'worker', hostname: 'worker', ip: '172.17.0.101' }
+]
+
+Vagrant.configure('2') do |config|
+  cluster.each do |node|
+    config.vm.define node[:name] do |config|
+      config.vm.box = "generic/ubuntu1604"
+      config.vm.hostname = node[:hostname]
+
+      config.vm.provider :virtualbox do |v|
+        v.name = node[:name]
+        v.memory = vm_memory
+        v.cpus = vm_cpus
+      end
+
+      config.vm.provider :libvirt do |v|
+        v.memory = vm_memory
+        v.cpus = vm_cpus
+      end
+
+      config.vm.network :private_network, ip: node[:ip]
+
+      if node[:name] == 'master'
+        config.vm.network "forwarded_port", guest: 8080, host: 8080
+        config.vm.provision :shell, path: "../tools/imported/openstack-rancher.sh"
+      end
+
+      if node[:name] == 'worker'
+        config.vm.provision :shell, path: "../tools/imported/openstack-k8s-node.sh"
+      end
+    end
+  end
+end
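Review bot: The `forwarded_port` line for the master publishes guest port 8080 on the host without `host_ip`, and Vagrant's documented behaviour is to bind a forwarded port to every host interface when that option is omitted. Port 8080 is where openstack-rancher.sh starts `rancher/server`, so the Rancher UI and API of this test cluster would be reachable from the host's network, not only from the host itself; Rancher 1.6 presumably runs without access control until it is configured. Restrict it with `config.vm.network "forwarded_port", guest: 8080, host: 8080, host_ip: "127.0.0.1"`. Separately, the block parameter `|config|` on the `config.vm.define` line shadows the outer `config`; a distinct name such as `|node_config|` for the inner block would make it clear which object each setting applies to.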