Automating DC/OS OSS Installs

Karen Bruner
StackRox Engineering
2 min read · Aug 29, 2019

Here at StackRox, we create temporary Kubernetes clusters on a lot of different platforms for development and testing. This process needs to be fully automated, but doing a totally hands-off install of open-source DC/OS clusters to enable testing on their Kubernetes platform proved a bit tricky.

DC/OS OSS only has the built-in OAuth2 provider enabled at cluster creation time. After creating a cluster with the Mesosphere Universal Installer, using the dcos CLI or another API client still involves navigating to the cluster’s admin endpoint in a browser and clicking through the implicit OAuth2 grant flow to generate a token for use with the cluster API. While DC/OS Enterprise creates a “local” DC/OS user as part of the install, the OSS version does not. Since we need the dcos CLI authenticated and working to install the DC/OS Kubernetes framework without human intervention, that manual OAuth2 grant was not really going to work for us.

While the installer won’t create a local user for OSS installs, the OSS version does support local users starting with DC/OS 1.13. Obviously, it wasn’t possible to create a local user through the admin API without first getting a token via OAuth2, but what about going directly to the master node and seeing how user login information is stored? Sure enough, DC/OS’s IAM data is stored in a CockroachDB instance on the master.

Now we can ssh into the master, create a local user, and authenticate with the dcos tool against the new cluster’s admin API, all from a shell script and without any human intervention.

Note this only works for DC/OS versions ≥ 1.13. Previous OSS releases didn’t use the IAM system or support local users.

Proof-of-concept script to add a user directly to the DC/OS IAM DB (output shown below):
$ bootstrap_dcos.sh
[ ... terraform output deleted ... ]
SSH to master to add IAM user
Warning: Permanently added 'x.x.x.x' (ECDSA) to the list of known hosts.
INSERT 1
Run dcos cluster setup
dcos-core-cli [============================================] 17.4 MiB / 17.4 MiB
New commands available: job, marathon, node, package, service, task
You probably want to change the password for myuser now...
$

Obviously, this is not terribly secure as-is, certainly not for production use. It can be hardened and customized as needed.
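The post shows only the output of the StackRox script, not the script itself. The following is an added skeleton of the same hands-off flow (generate a throwaway credential, insert a local IAM user on the master, log the dcos CLI in non-interactively), written here as an example and not the authors' code. Everything about the IAM database internals is an assumption to verify against your DC/OS release before use: the cockroach binary path, the database and table names, the column names, the password-hash scheme (SHA-512 crypt) and that cockroach accepts `--insecure` on the master. The dcos CLI flags `--username`, `--password-env`, `--no-check` and `--insecure` are real; the master address `x.x.x.x` and user name `myuser` are placeholders taken from the post's output. The parts that do address the "not terribly secure as-is" caveat, a random password that never appears on a command line, and SQL quoting of the user id, are exercised locally without a cluster.

```shell
#!/bin/sh
# Added example, not the script from the post. Skeleton of a hands-off
# DC/OS OSS bootstrap. All IAM schema details below are ASSUMPTIONS.
set -eu

MASTER_IP="${MASTER_IP:-x.x.x.x}"     # placeholder; real runs take this from terraform output
DCOS_USER="${DCOS_USER:-myuser}"      # user name shown in the post's output
COCKROACH_BIN="/opt/mesosphere/active/cockroach/bin/cockroach"  # assumed path
IAM_DB="iam"                           # assumed database name
IAM_TABLE="users"                      # assumed table name

# Random 32-character password. It is never echoed and never passed on argv.
gen_password() {
  head -c 24 /dev/urandom | base64 | tr -d '\n'
}

# Double every single quote so a user id cannot break out of the SQL literal.
sql_quote() {
  printf '%s' "$1" | sed "s/'/''/g"
}

# Build the INSERT statement. Column names are assumed; check bouncer's schema.
build_insert_sql() {
  uid=$(sql_quote "$1")
  hash=$(sql_quote "$2")
  printf "INSERT INTO %s (uid, passwordhash, description) VALUES ('%s', '%s', 'bootstrap user');" \
    "$IAM_TABLE" "$uid" "$hash"
}

# SHA-512 crypt hash read from stdin (assumed to be the scheme IAM verifies).
hash_password() {
  openssl passwd -6 -stdin
}

# Run the INSERT on the master over ssh; the statement is fed on stdin so it
# never shows up in a remote process listing.
add_iam_user() {
  sql=$(build_insert_sql "$1" "$2")
  printf '%s\n' "$sql" | ssh -o StrictHostKeyChecking=accept-new "core@$MASTER_IP" \
    "sudo $COCKROACH_BIN sql --insecure --database=$IAM_DB"
}

# Non-interactive dcos login: the password is read from an environment
# variable (--password-env) rather than placed on the command line.
dcos_login() {
  DCOS_BOOTSTRAP_PW="$2" dcos cluster setup "https://$MASTER_IP" \
    --username "$1" --password-env DCOS_BOOTSTRAP_PW --no-check --insecure
}

main() {
  pw=$(gen_password)
  add_iam_user "$DCOS_USER" "$(printf '%s' "$pw" | hash_password)"
  dcos_login "$DCOS_USER" "$pw"
  echo "Bootstrap complete; rotate or remove $DCOS_USER once automation has finished."
}

# Only run when explicitly requested, so the functions can be sourced alone.
if [ "${RUN_BOOTSTRAP:-0}" = 1 ]; then
  main
fi
```

Run it with `RUN_BOOTSTRAP=1 MASTER_IP=<master> sh bootstrap_dcos.sh` after confirming the assumed schema. Because the user is written straight into the database, it bypasses whatever the IAM API would normally record, so treat the account as bootstrap-only: rotate its password or delete it as soon as the dcos CLI has done its work, which is what the post's closing "change the password for myuser now" line is hinting at.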
