Skip to content

Commit

Permalink
fix: README.md, gen_cert.sh, deployment.yaml
Browse files Browse the repository at this point in the history
  • Loading branch information
PokIsemaine committed Feb 10, 2023
1 parent a57a7e9 commit 1bd4a88
Show file tree
Hide file tree
Showing 3 changed files with 17 additions and 8 deletions.
14 changes: 12 additions & 2 deletions README.md
Original file line number Diff line number Diff line change
Expand Up @@ -33,16 +33,26 @@ Before proceeding, make sure to have the following-
```
./gen_cert.sh
```
- Export environment variable `CA_BUNDLE`
```
export CA_BUNDLE=$(cat certs/ca.crt | base64 | tr -d '\n')
```
- Use `envsubst` to pass environment variables to `deployment.yaml.template`, generating `deployment.yaml`
```
cat manifests/deployment.yaml.template | envsubst > manifests/deployment.yaml
```


- Build the docker image from the [Dockerfile](https://github.com/casbin/k8s-authz/blob/master/Dockerfile) manually by running the following command and then change the build version here and at the deployment [file](https://github.com/casbin/k8s-authz/blob/718f58c46e3dbf79063b5b1c18348c2fee5de9e9/manifests/deployment.yaml#L18), as per the builds.
```
docker build -t casbin/k8s_authz:0.1 .
docker build -t casbin/k8s_authz:latest .
```
- Define the casbin policies in the [model.conf](https://github.com/casbin/k8s-authz/blob/master/config/model.conf) and [policy.csv](https://github.com/casbin/k8s-authz/blob/master/config/policy.csv). You can refer the [docs](https://casbin.org/docs/how-it-works) to get to know more about the working of these policies.

- Before deploying, you can change the ports in [main.go](https://github.com/casbin/k8s-authz/blob/master/main.go) and also in the validation webhook configuration [file](https://github.com/casbin/k8s-authz/blob/master/manifests/deployment.yaml) depending on your usage.
- Deploy the validation controller and the webhook on k8s cluster by running:-
```
kubectl apply -f deployment.yaml
kubectl apply -f manifests/deployment.yaml
```
- For a production server, we need to create a k8s `secret` to place the certificates for security purposes.
```
Expand Down
5 changes: 1 addition & 4 deletions gen_cert.sh
Original file line number Diff line number Diff line change
Expand Up @@ -12,7 +12,4 @@ openssl genrsa -out certs/casbin-key.pem 2048

openssl req -new -key certs/casbin-key.pem -subj "/CN=casbin.default.svc" -out casbin.csr

openssl x509 -req -in casbin.csr -CA certs/ca.crt -CAkey certs/ca.key -CAcreateserial -out certs/casbin-crt.pem

export CA_BUNDLE=$(cat certs/ca.crt | base64 | tr -d '\n')
cat deployment.yaml | envsubst > deployment.yaml
openssl x509 -req -in casbin.csr -CA certs/ca.crt -CAkey certs/ca.key -CAcreateserial -out certs/casbin-crt.pem
Original file line number Diff line number Diff line change
Expand Up @@ -48,14 +48,14 @@ spec:
port: 443
targetPort: 8080
selector:
name: casbin
name: casbin
---
apiVersion: admissionregistration.k8s.io/v1
kind: ValidatingWebhookConfiguration
metadata:
name: casbin
webhooks:
- name: casbin.org
- name: casin.casbin.org
clientConfig:
service:
name: server
Expand All @@ -68,3 +68,5 @@ webhooks:
apiVersions: ["v1"]
resources: ["*/*"]
failurePolicy: Fail
admissionReviewVersions: ["v1"]
sideEffects: None

0 comments on commit 1bd4a88

Please sign in to comment.