First pass at migration scaffolding, enough to do GUID -> DN lookups
There is still much work to do, but at the very least we can read the relevant auth configuration details from k8s and use those details to make LDAP queries, and that's nearly all of what we need to perform the migration.
Showing
4 changed files
with
481 additions
and
0 deletions.
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,69 @@ | ||
#!/bin/bash | ||
# set -x | ||
set -e | ||
|
||
CLEAR='\033[0m' | ||
RED='\033[0;31m' | ||
|
||
# Location of the yaml to use to deploy the cleanup job | ||
yaml_url=https://raw.githubusercontent.com/rancher/rancher/master/cleanup/ad-guid-unmigration.yaml | ||
|
||
# 120 is equal to a minute as the sleep is half a second | ||
timeout=120 | ||
|
||
# Agent image to use in the yaml file | ||
agent_image="$1" | ||
|
||
show_usage() { | ||
if [ -n "$1" ]; then | ||
echo -e "${RED}👉 $1${CLEAR}\n"; | ||
fi | ||
echo -e "Usage: $0 [AGENT_IMAGE] [FLAGS]" | ||
echo "AGENT_IMAGE is a required argument" | ||
echo "" | ||
echo "Flags:" | ||
echo -e "\t-dry-run Display the resources that would will be updated without making changes" | ||
} | ||
|
||
if [ $# -lt 1 ] | ||
then | ||
show_usage "AGENT_IMAGE is a required argument" | ||
exit 1 | ||
fi | ||
|
||
if [[ $1 == "-h" ||$1 == "--help" ]] | ||
then | ||
show_usage | ||
exit 0 | ||
fi | ||
|
||
# Pull the yaml and replace the agent_image holder with the passed in image | ||
# yaml=$(curl --insecure -sfL $yaml_url | sed -e 's=agent_image='"$agent_image"'=') | ||
# Except it isn't pushed anywhere useful yet, so instead read the local file | ||
yaml=$(cat ad-guid-unmigration.yaml | sed -e 's=agent_image='"$agent_image"'=') | ||
|
||
if [ "$2" = "-dry-run" ] | ||
then | ||
# Uncomment the env var for dry-run mode | ||
yaml=$(sed -e 's/# // ' <<< "$yaml") | ||
fi | ||
|
||
echo "$yaml" | kubectl apply -f - | ||
|
||
# Get the pod ID to tail the logs | ||
pod_id=$(kubectl get pod -l job-name=cattle-cleanup-job -o jsonpath="{.items[0].metadata.name}") | ||
|
||
declare -i count=0 | ||
until kubectl logs $pod_id -f | ||
do | ||
if [ $count -gt $timeout ] | ||
then | ||
echo "Timout reached, check the job by running kubectl get jobs" | ||
exit 1 | ||
fi | ||
sleep 0.5 | ||
count+=1 | ||
done | ||
|
||
# Cleanup after it completes successfully | ||
echo "$yaml" | kubectl delete -f - |
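Review bot: The teardown on the last line (`echo "$yaml" | kubectl delete -f -`) is reached only when the log loop succeeds, so the timeout `exit 1` and any `set -e` abort (for example the `kubectl get pod ... {.items[0].metadata.name}` lookup failing before the pod exists) leave the ServiceAccount, ClusterRole and ClusterRoleBinding behind in the cluster. Assuming the manifest is the one shown in the next file section, those leftovers carry `get` on secrets and `*` on several management.cattle.io resources, so I would register the cleanup immediately after the apply with `trap 'echo "$yaml" | kubectl delete --ignore-not-found -f -' EXIT` and drop the trailing delete. `$agent_image` is also spliced unescaped into the sed replacement in `yaml=$(cat ad-guid-unmigration.yaml | sed ...)`, so a value containing `=`, `&` or a backslash changes the substitution; rejecting anything outside the characters valid in an image reference before use would close that. If the commented-out `curl --insecure` path is ever re-enabled, it should verify TLS, since the fetched manifest creates cluster-wide RBAC.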
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,94 @@ | ||
apiVersion: v1 | ||
kind: ServiceAccount | ||
metadata: | ||
name: cattle-cleanup-sa | ||
namespace: default | ||
--- | ||
apiVersion: rbac.authorization.k8s.io/v1 | ||
kind: ClusterRoleBinding | ||
metadata: | ||
name: cattle-cleanup-binding | ||
namespace: default | ||
roleRef: | ||
apiGroup: rbac.authorization.k8s.io | ||
kind: ClusterRole | ||
name: cattle-cleanup-role | ||
subjects: | ||
- kind: ServiceAccount | ||
name: cattle-cleanup-sa | ||
namespace: default | ||
--- | ||
apiVersion: batch/v1 | ||
kind: Job | ||
metadata: | ||
name: cattle-cleanup-job | ||
namespace: default | ||
labels: | ||
rancher-cleanup: "true" | ||
spec: | ||
backoffLimit: 6 | ||
completions: 1 | ||
parallelism: 1 | ||
selector: | ||
template: | ||
metadata: | ||
creationTimestamp: null | ||
spec: | ||
containers: | ||
- env: | ||
- name: AD_GUID_CLEANUP | ||
value: "true" | ||
# - name: DRY_RUN | ||
# value: "true" | ||
image: agent_image | ||
imagePullPolicy: Always | ||
command: ["agent"] | ||
name: cleanup-agent | ||
resources: {} | ||
terminationMessagePath: /dev/termination-log | ||
terminationMessagePolicy: File | ||
dnsPolicy: ClusterFirst | ||
restartPolicy: OnFailure | ||
schedulerName: default-scheduler | ||
securityContext: {} | ||
serviceAccountName: cattle-cleanup-sa | ||
terminationGracePeriodSeconds: 30 | ||
--- | ||
apiVersion: rbac.authorization.k8s.io/v1 | ||
kind: ClusterRole | ||
metadata: | ||
name: cattle-cleanup-role | ||
namespace: default | ||
rules: | ||
- apiGroups: | ||
- '' | ||
resources: | ||
- secrets | ||
verbs: | ||
- get | ||
- apiGroups: | ||
- management.cattle.io | ||
resources: | ||
- authconfigs | ||
- clusterroletemplatebindings | ||
- projectroletemplatebindings | ||
- users | ||
verbs: | ||
- '*' | ||
- apiGroups: | ||
- rbac.authorization.k8s.io | ||
resources: | ||
- rolebindings | ||
- clusterrolebindings | ||
verbs: | ||
- list | ||
- get | ||
- delete | ||
- apiGroups: | ||
- batch | ||
resources: | ||
- jobs | ||
verbs: | ||
- list | ||
- get | ||
- delete |
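Review bot: The ClusterRole at the end of this file is broader than the described task needs: the `secrets` rule grants `get` on every Secret in every namespace (it is bound through a ClusterRoleBinding and has no `resourceNames`), and the management.cattle.io rule uses `- '*'` for verbs. I would list the verbs the agent actually uses in place of `- '*'` (presumably something like `get`, `list`, `update`, to be confirmed against the agent code, which is not visible here) and, if the LDAP bind credential lives in one namespace, move the secrets rule into a namespaced Role and RoleBinding. `namespace: default` on the ClusterRole and ClusterRoleBinding has no effect because both kinds are cluster-scoped, and it reads as if the grant were limited to `default`; removing it avoids that impression. The pod also runs with `securityContext: {}`; a comment stating why no restrictions are set, or an explicit `runAsNonRoot: true` if the agent image supports it, would help reviewers.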