/*
Copyright 2018 The Multicluster-Service-Account Authors.
Licensed under the Apache License, Version 2.0 (the "License");
you may not use this file except in compliance with the License.
You may obtain a copy of the License at
http://www.apache.org/licenses/LICENSE-2.0
Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License.
*/
package bootstrap
import (
"admiralty.io/multicluster-service-account/pkg/apis"
"fmt"
"k8s.io/client-go/kubernetes/scheme"
)
// Resource names the bootstrap uses. They are package-level so the helpers
// that build the objects (defined outside this file; presumably the
// sourceCluster/targetCluster methods) can share them.
var (
	namespace       = "multicluster-service-account"
	deployName      = "service-account-import-controller"
	clusterRoleName = "service-account-import-controller-remote"
)
// Bootstrap loads the source and target clusters from the given kubeconfig
// paths, contexts and names, then runs bootstrapClusters on the pair.
//
// An error from loading either cluster is returned wrapped with which cluster
// it concerns; errors from the bootstrap steps themselves are returned as
// bootstrapClusters produced them.
func Bootstrap(srcCtx, srcKubeconfig, srcClusterName, dstCtx, dstKubeconfig, dstClusterName string) error {
	source, srcErr := newCluster(srcClusterName, srcKubeconfig, srcCtx)
	if srcErr != nil {
		return fmt.Errorf("cannot load source cluster: %v", srcErr)
	}
	target, dstErr := newCluster(dstClusterName, dstKubeconfig, dstCtx)
	if dstErr != nil {
		return fmt.Errorf("cannot load target cluster: %v", dstErr)
	}
	return bootstrapClusters(source, target)
}
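// bootstrapClusters wires a source cluster to a target cluster. In the source
// cluster it creates a namespace, a ClusterRole, a service account for the
// target cluster and the matching ClusterRoleBinding, then waits for that
// service account's token secret. In the target cluster it creates a
// ServiceAccountImport for the source cluster, stores the fetched token in it,
// waits for the import controller to adopt the token, and finally annotates
// the service account controller.
//
// The secret fetched from the source cluster (saSecret) is a service-account
// token bound to the ClusterRole created here; it is handed to the target
// cluster by createServiceAccountImportToken. The target cluster therefore
// ends up holding a credential for the source cluster, which is the intended
// trust relationship of this bootstrap.
//
// Every step's error is returned with the step named, so an operator can tell
// where the bootstrap stopped and which cluster is involved. Wrapping uses %v,
// matching Bootstrap above.
func bootstrapClusters(source, target cluster) error {
	srcCluster := sourceCluster{source}
	dstCluster := targetCluster{target}
	if err := apis.AddToScheme(scheme.Scheme); err != nil {
		return fmt.Errorf("registering multicluster-service-account types in the client scheme: %v", err)
	}
	// The source cluster may not have multicluster-service-account installed,
	// but it needs a service account that can read other service accounts and their token secrets.
	// We create that service account in the multicluster-service-account namespace,
	// and create that namespace if it doesn't exist.
	if err := srcCluster.createNamespace(); err != nil {
		return fmt.Errorf("creating namespace in source cluster %s: %v", srcCluster.name, err)
	}
	if err := srcCluster.createClusterRole(); err != nil {
		return fmt.Errorf("creating cluster role in source cluster %s: %v", srcCluster.name, err)
	}
	if err := srcCluster.createServiceAccount(dstCluster.name); err != nil {
		return fmt.Errorf("creating service account for %s in source cluster %s: %v", dstCluster.name, srcCluster.name, err)
	}
	if err := srcCluster.createClusterRoleBinding(dstCluster.name); err != nil {
		return fmt.Errorf("creating cluster role binding for %s in source cluster %s: %v", dstCluster.name, srcCluster.name, err)
	}
	// The token secret is created asynchronously by the source cluster's
	// token controller, hence the wait before it can be read.
	secretName, err := srcCluster.waitForServiceAccountToken(dstCluster.name)
	if err != nil {
		return fmt.Errorf("waiting for service account token in source cluster %s: %v", srcCluster.name, err)
	}
	saSecret, err := srcCluster.getServiceAccountToken(secretName)
	if err != nil {
		return fmt.Errorf("reading service account token %s from source cluster %s: %v", secretName, srcCluster.name, err)
	}
	sai, err := dstCluster.createServiceAccountImport(srcCluster.name)
	if err != nil {
		return fmt.Errorf("creating service account import for %s in target cluster %s: %v", srcCluster.name, dstCluster.name, err)
	}
	if err := dstCluster.createServiceAccountImportToken(sai, saSecret, srcCluster.cfg); err != nil {
		return fmt.Errorf("creating service account import token in target cluster %s: %v", dstCluster.name, err)
	}
	if err := dstCluster.waitForServiceAccountImportTokenAdoption(srcCluster.name); err != nil {
		return fmt.Errorf("waiting for token adoption in target cluster %s: %v", dstCluster.name, err)
	}
	if err := dstCluster.annotateServiceAccountController(srcCluster.name); err != nil {
		return fmt.Errorf("annotating service account controller in target cluster %s: %v", dstCluster.name, err)
	}
	return nil
}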