keptn · agrimmer · Aug 13, 2019 · Aug 12, 2019 · Aug 12, 2019 · Aug 12, 2019
diff --git a/cli/cmd/configure_domain.go b/cli/cmd/configure_domain.go
@@ -223,20 +223,26 @@ func updateKeptnAPIVirtualService(path, domain string) error {
 
 func updateCertificate(path, domain string) error {
 
-	template := &x509.Certificate{
-		IsCA:                  true,
-		BasicConstraintsValid: true,
-		SubjectKeyId:          []byte(domain),
-		SerialNumber:          big.NewInt(1234),
+	// Source: https://golang.org/src/crypto/tls/generate_cert.go
+	// We can verify the generated key with 'openssl rsa -in key.pem -check'
+	serialNumberLimit := new(big.Int).Lsh(big.NewInt(1), 128)
+	serialNumber, err := rand.Int(rand.Reader, serialNumberLimit)
+	if err != nil {
+		return err
+	}
+
+	template := x509.Certificate{
+		SerialNumber: serialNumber,
 		Subject: pkix.Name{
-			Country:      []string{"Austria"},
-			Organization: []string{"keptn"},
+			Organization: []string{"Keptn"},
 		},
 		NotBefore: time.Now(),
 		NotAfter:  time.Now().AddDate(1, 0, 0),
-		// see http://golang.org/pkg/crypto/x509/#KeyUsage
-		ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth, x509.ExtKeyUsageServerAuth},
-		KeyUsage:    x509.KeyUsageDigitalSignature | x509.KeyUsageCertSign,
+
+		KeyUsage:              x509.KeyUsageKeyEncipherment | x509.KeyUsageDigitalSignature,
+		ExtKeyUsage:           []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
+		BasicConstraintsValid: true,
+		DNSNames:              []string{domain},
 	}
 
 	// generate private key
@@ -247,31 +253,38 @@ func updateCertificate(path, domain string) error {
 
 	publickey := &privatekey.PublicKey
 
-	// create a self-signed certificate. template = parent
-	var parent = template
-	cert, err := x509.CreateCertificate(rand.Reader, template, parent, publickey, privatekey)
+	derBytes, err := x509.CreateCertificate(rand.Reader, &template, &template, publickey, privatekey)
 	if err != nil {
 		return err
 	}
 
 	privateKeyPath := path + "private.key"
-	keyfile, _ := os.Create(privateKeyPath)
-	var pemkey = &pem.Block{
-		Type:  "PRIVATE KEY",
-		Bytes: x509.MarshalPKCS1PrivateKey(privatekey)}
-	pem.Encode(keyfile, pemkey)
-	keyfile.Close()
-	defer os.Remove(privateKeyPath)
-
 	certPath := path + "cert.pem"
-	pemfile, _ := os.Create(certPath)
-	var pemCert = &pem.Block{
-		Type:  "CERTIFICATE",
-		Bytes: cert}
-	pem.Encode(pemfile, pemCert)
-	pemfile.Close()
+
+	certOut, err := os.Create(certPath)
+	if err != nil {
+		return err
+	}
+	if err := pem.Encode(certOut, &pem.Block{Type: "CERTIFICATE", Bytes: derBytes}); err != nil {
+		return err
+	}
+	if err := certOut.Close(); err != nil {
+		return err
+	}
 	defer os.Remove(certPath)
 
+	keyOut, err := os.OpenFile(privateKeyPath, os.O_WRONLY|os.O_CREATE|os.O_TRUNC, 0600)
+	if err != nil {
+		return err
+	}
+	if err := pem.Encode(keyOut, &pem.Block{Type: "RSA PRIVATE KEY", Bytes: x509.MarshalPKCS1PrivateKey(privatekey)}); err != nil {
+		return err
+	}
+	if err := keyOut.Close(); err != nil {
+		return err
+	}
+	defer os.Remove(privateKeyPath)
+
 	// First delete secret
 	o := options{"delete", "--namespace", "istio-system", "secret", "istio-ingressgateway-certs"}
 	o.appendIfNotEmpty(kubectlOptions)

diff --git a/cli/cmd/install.go b/cli/cmd/install.go
@@ -39,6 +39,7 @@ var platformIdentifier *string
 
 const gke = "gke"
 const aks = "aks"
+const eks = "eks"
 const openshift = "openshift"
 const kubernetes = "kubernetes"
 
@@ -106,11 +107,20 @@ Please see https://kubernetes.io/docs/tasks/tools/install-kubectl/`)
 			if err != nil {
 				return err
 			}
-			// Verify the provided config
-			// Check whether all data is provided
-			if p.getGithubCreds().GithubPersonalAccessToken == "" ||
-				p.getGithubCreds().GithubOrg == "" || p.getGithubCreds().GithubUserName == "" {
-				return errors.New("Incomplete credential file " + *configFilePath)
+
+			_, eks := p.(*eksPlatform)
+			if !eks {
+				// Verify the provided config
+				// Check whether all data is provided
+				if p.getGithubCreds().GithubPersonalAccessToken == "" ||
+					p.getGithubCreds().GithubOrg == "" || p.getGithubCreds().GithubUserName == "" {
+					return errors.New("Incomplete credential file " + *configFilePath)
+				}
+
+				err = checkGithubCreds()
+				if err != nil {
+					return err
+				}
 			}
 
 			// Check whether the authentication at the cluster is valid
@@ -119,10 +129,6 @@ Please see https://kubernetes.io/docs/tasks/tools/install-kubectl/`)
 				return err
 			}
 
-			err = checkGithubCreds()
-			if err != nil {
-				return err
-			}
 		}
 
 		return nil
@@ -176,14 +182,17 @@ func setPlatform() error {
 	case aks:
 		p = newAKSPlatform()
 		return nil
+	case eks:
+		p = newEKSPlatform()
+		return nil
 	case openshift:
 		p = newOpenShiftPlatform()
 		return nil
 	case kubernetes:
 		p = newKubernetesPlatform()
 		return nil
 	default:
-		return errors.New("Unsupported platform '" + *platformIdentifier + "'. The following platforms are supported: gke, aks, openshift, and kubernetes")
+		return errors.New("Unsupported platform '" + *platformIdentifier + "'. The following platforms are supported: aks, eks, gke, openshift, and kubernetes")
 	}
 }
 
@@ -193,7 +202,7 @@ func init() {
 	installCmd.Flags().MarkHidden("creds")
 	installerVersion = installCmd.Flags().StringP("keptn-version", "k", "master", "The branch or tag of the version which is installed")
 	installCmd.Flags().MarkHidden("keptn-version")
-	platformIdentifier = installCmd.Flags().StringP("platform", "p", "gke", "The platform to run keptn on [gke,openshift,aks,kubernetes]")
+	platformIdentifier = installCmd.Flags().StringP("platform", "p", "gke", "The platform to run keptn on [aks,eks,gke,openshift,kubernetes]")
 	installCmd.PersistentFlags().BoolVarP(&insecureSkipTLSVerify, "insecure-skip-tls-verify", "s", false, "Skip tls verification for kubectl commands")
 }
 
@@ -244,10 +253,11 @@ func doInstallation() error {
 		return err
 	}
 
-	_, gke := p.(*gkePlatform)
 	_, aks := p.(*aksPlatform)
+	_, eks := p.(*eksPlatform)
+	_, gke := p.(*gkePlatform)
 	_, k8s := p.(*kubernetesPlatform)
-	if gke || aks || k8s {
+	if gke || aks || k8s || eks {
 		options := options{"apply", "-f", getRbacURL()}
 		options.appendIfNotEmpty(kubectlOptions)
 		_, err = keptnutils.ExecuteCommand("kubectl", options)
@@ -259,9 +269,9 @@ func doInstallation() error {
 
 	utils.PrintLog("Deploying keptn installer pod...", utils.InfoLevel)
 
-	options := options{"apply", "-f", installerPath}
-	options.appendIfNotEmpty(kubectlOptions)
-	_, err = keptnutils.ExecuteCommand("kubectl", options)
+	o := options{"apply", "-f", installerPath}
+	o.appendIfNotEmpty(kubectlOptions)
+	_, err = keptnutils.ExecuteCommand("kubectl", o)
 
 	if err != nil {
 		return fmt.Errorf("Error while deploying keptn installer pod: %s \nAborting installation", err.Error())
@@ -279,17 +289,29 @@ func doInstallation() error {
 		return err
 	}
 
-	// installation finished, get auth token and endpoint
-	err = authUsingKube()
-	if err != nil {
-		return err
-	}
-	err = configure(p.getGithubCreds().GithubOrg,
-		p.getGithubCreds().GithubUserName, p.getGithubCreds().GithubPersonalAccessToken)
-	if err != nil {
-		return err
-	}
+	if eks {
+		o = options{"get", "svc", "istio-ingressgateway", "-n", "istio-system",
+			"-ojsonpath={.status.loadBalancer.ingress[0].hostname}"}
+		o.appendIfNotEmpty(kubectlOptions)
+		hostname, err := keptnutils.ExecuteCommand("kubectl", o)
+		if err != nil {
+			return err
+		}
 
+		fmt.Println("Please create a Route53 Hosted Zone with a wildcard record set for " + hostname)
+		fmt.Println("Afterwards, call 'keptn configure domain YOUR_ROUTE53_DOMAIN'")
+	} else {
+		// installation finished, get auth token and endpoint
+		err = authUsingKube()
+		if err != nil {
+			return err
+		}
+		err = configure(p.getGithubCreds().GithubOrg,
+			p.getGithubCreds().GithubUserName, p.getGithubCreds().GithubPersonalAccessToken)
+		if err != nil {
+			return err
+		}
+	}
 	return os.Remove(installerPath)
 }
 
@@ -312,34 +334,38 @@ func readCreds() error {
 
 	fmt.Print("Please enter the following information or press enter to keep the old value:\n")
 
+	_, eks := p.(*eksPlatform)
+
 	for {
 		p.readCreds()
 
-		readGithubUserName(p.getGithubCreds())
+		if !eks {
+			readGithubUserName(p.getGithubCreds())
 
-		// Check if the access token has the necessary permissions and the github org exists
-		validScopeRes := false
-		for !validScopeRes {
-			readGithubPersonalAccessToken(p.getGithubCreds())
-			validScopeRes, err = utils.HasTokenRepoScope(p.getGithubCreds().GithubPersonalAccessToken)
-			if err != nil {
-				return err
-			}
-			if !validScopeRes {
-				fmt.Println("GitHub Personal Access Token requies at least a 'repo'-scope")
-				p.getGithubCreds().GithubPersonalAccessToken = ""
-			}
-		}
-		validOrg := false
-		for !validOrg {
-			readGithubOrg(p.getGithubCreds())
-			validOrg, err = utils.IsOrgExisting(p.getGithubCreds().GithubPersonalAccessToken, p.getGithubCreds().GithubOrg)
-			if err != nil {
-				return err
+			// Check if the access token has the necessary permissions and the github org exists
+			validScopeRes := false
+			for !validScopeRes {
+				readGithubPersonalAccessToken(p.getGithubCreds())
+				validScopeRes, err = utils.HasTokenRepoScope(p.getGithubCreds().GithubPersonalAccessToken)
+				if err != nil {
+					return err
+				}
+				if !validScopeRes {
+					fmt.Println("GitHub Personal Access Token requies at least a 'repo'-scope")
+					p.getGithubCreds().GithubPersonalAccessToken = ""
+				}
 			}
-			if !validOrg {
-				fmt.Println("Provided GitHub Organization " + p.getGithubCreds().GithubOrg + " does not exist.")
-				p.getGithubCreds().GithubOrg = ""
+			validOrg := false
+			for !validOrg {
+				readGithubOrg(p.getGithubCreds())
+				validOrg, err = utils.IsOrgExisting(p.getGithubCreds().GithubPersonalAccessToken, p.getGithubCreds().GithubOrg)
+				if err != nil {
+					return err
+				}
+				if !validOrg {
+					fmt.Println("Provided GitHub Organization " + p.getGithubCreds().GithubOrg + " does not exist.")
+					p.getGithubCreds().GithubOrg = ""
+				}
 			}
 		}
 
@@ -348,9 +374,11 @@ func readCreds() error {
 
 		p.printCreds()
 
-		fmt.Println("GitHub User Name: " + p.getGithubCreds().GithubUserName)
-		fmt.Println("GitHub Personal Access Token: " + p.getGithubCreds().GithubPersonalAccessToken)
-		fmt.Println("GitHub Organization: " + p.getGithubCreds().GithubOrg)
+		if !eks {
+			fmt.Println("GitHub User Name: " + p.getGithubCreds().GithubUserName)
+			fmt.Println("GitHub Personal Access Token: " + p.getGithubCreds().GithubPersonalAccessToken)
+			fmt.Println("GitHub Organization: " + p.getGithubCreds().GithubOrg)
+		}
 
 		fmt.Println()
 		fmt.Println("Is this all correct? (y/n)")

diff --git a/cli/cmd/installAKS.go b/cli/cmd/installAKS.go
@@ -54,7 +54,7 @@ func (p aksPlatform) checkRequirements() error {
 
 func (p aksPlatform) checkCreds() error {
 	if p.creds.ClusterName == "" || p.creds.AzureResourceGroup == "" || p.creds.AzureSubscription == "" {
-		return errors.New("Incomplete credential file " + *configFilePath)
+		return errors.New("Incomplete credentials")
 	}
 
 	authenticated, err := p.authenticateAtCluster()