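#!/bin/sh
#
# enable-keystone-auth: install the k8s-keystone-auth webhook on a Magnum
# Kubernetes master so the API server can delegate authn/authz to Keystone.
#
# Inputs (sourced from /etc/sysconfig/heat-params):
#   KEYSTONE_AUTH_ENABLED         anything but "false" (case-insensitive,
#                                 including unset) runs this step
#   CONTAINER_INFRA_PREFIX        image registry prefix (optional)
#   K8S_KEYSTONE_AUTH_TAG         image tag of k8s-keystone-auth
#   AUTH_URL                      Keystone endpoint the webhook validates
#                                 tokens against
#   KEYSTONE_AUTH_DEFAULT_POLICY  initial authorization policy body
#
# Effects: writes two manifests under /srv/magnum/kubernetes (only when the
# file does not already exist), waits for the local API server, then applies
# both with kubectl. Exits non-zero if either apply fails.
#
# Kept POSIX sh on purpose (no arrays, no [[ ]]).

. /etc/sysconfig/heat-params

step="enable-keystone-auth"
# Message text is passed as data, never as the printf format string.
printf '%s\n' "Starting to run ${step}"

# Collects failures from the kubectl apply calls; reported at the end.
rc=0

# Normalise the flag: lower-case and strip whitespace so "False", "FALSE "
# etc. all disable the step. Any other value (or unset) enables it.
keystone_auth_enabled=$(printf '%s' "${KEYSTONE_AUTH_ENABLED}" \
  | tr '[:upper:]' '[:lower:]' | tr -d '[:space:]')

if [ "${keystone_auth_enabled}" != "false" ]; then
  _prefix=${CONTAINER_INFRA_PREFIX:-docker.io/openstackmagnum/}
  # Directory holding the master's serving keypair; mounted read-only into
  # the webhook pod below.
  CERT_DIR=/etc/kubernetes/certs

  # ServiceAccount + RBAC + policy ConfigMap for the webhook.
  KEYSTONE_AUTH_POLICY=/srv/magnum/kubernetes/keystone-auth-policy.yaml

  [ -f "${KEYSTONE_AUTH_POLICY}" ] || {
    printf '%s\n' "Writing File: ${KEYSTONE_AUTH_POLICY}"
    mkdir -p "$(dirname "${KEYSTONE_AUTH_POLICY}")"
    # Unquoted EOF on purpose: the manifest embeds shell variables.
    # Expansion results are not re-parsed by the shell, so a policy value
    # containing $ or backquotes is inserted literally.
    cat << EOF > "${KEYSTONE_AUTH_POLICY}"
---
apiVersion: v1
kind: ServiceAccount
metadata:
  name: k8s-keystone-auth
  namespace: kube-system
---
# NOTE(review): rbac.authorization.k8s.io/v1beta1 is removed in Kubernetes
# 1.22+; clusters on those versions need rbac.authorization.k8s.io/v1.
apiVersion: rbac.authorization.k8s.io/v1beta1
kind: ClusterRole
metadata:
  labels:
    kubernetes.io/bootstrapping: rbac-defaults
  name: system:k8s-keystone-auth
# NOTE(review): cluster-wide read on configmaps/services/pods looks broader
# than what the args below need (one ConfigMap in kube-system). A namespaced
# Role on that ConfigMap would be least-privilege if nothing else depends on
# the wider grant; confirm against the webhook's requirements before
# narrowing.
rules:
- apiGroups:
  - ""
  resources:
  - configmaps
  - services
  - pods
  verbs:
  - get
  - list
  - watch
---
apiVersion: rbac.authorization.k8s.io/v1beta1
kind: ClusterRoleBinding
metadata:
  annotations:
    # The API server reconciles this binding on restart; manual edits are
    # overwritten.
    rbac.authorization.kubernetes.io/autoupdate: "true"
  labels:
    kubernetes.io/bootstrapping: rbac-defaults
  name: system:k8s-keystone-auth
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: system:k8s-keystone-auth
subjects:
- kind: ServiceAccount
  name: k8s-keystone-auth
  namespace: kube-system
---
apiVersion: v1
kind: ConfigMap
metadata:
  name: k8s-keystone-auth-policy
  namespace: kube-system
data:
  policies: |
$(printf '%s\n' "${KEYSTONE_AUTH_DEFAULT_POLICY}" | sed 's/^/    /')
EOF
  }
  # The sed above indents every line of the policy under the block scalar;
  # a bare expansion only indents the first line and breaks the YAML when
  # the policy spans several lines.

  # DaemonSet running the webhook on each master.
  KEYSTONE_AUTH_DEPLOY=/srv/magnum/kubernetes/manifests/k8s-keystone-auth.yaml

  [ -f "${KEYSTONE_AUTH_DEPLOY}" ] || {
    printf '%s\n' "Writing File: ${KEYSTONE_AUTH_DEPLOY}"
    mkdir -p "$(dirname "${KEYSTONE_AUTH_DEPLOY}")"
    cat << EOF > "${KEYSTONE_AUTH_DEPLOY}"
---
# NOTE(review): extensions/v1beta1 DaemonSet is removed in Kubernetes
# 1.16+; clusters on those versions need apps/v1 (which also requires a
# spec.selector).
apiVersion: extensions/v1beta1
kind: DaemonSet
metadata:
  labels:
    component: k8s-keystone-auth
    tier: control-plane
  name: k8s-keystone-auth
  namespace: kube-system
spec:
  # The controllers can only have a single active instance.
  template:
    metadata:
      name: k8s-keystone-auth
      namespace: kube-system
      labels:
        k8s-app: k8s-keystone-auth
    spec:
      serviceAccountName: k8s-keystone-auth
      tolerations:
      # Make sure the pod can be scheduled on master kubelet.
      - effect: NoSchedule
        operator: Exists
      # Mark the pod as a critical add-on for rescheduling.
      - key: CriticalAddonsOnly
        operator: Exists
      - effect: NoExecute
        operator: Exists
      nodeSelector:
        node-role.kubernetes.io/master: ""
      containers:
      - name: k8s-keystone-auth
        image: ${_prefix}k8s-keystone-auth:${K8S_KEYSTONE_AUTH_TAG}
        # Always re-pulls a mutable tag on every restart; pin a digest if
        # reproducible deployments are required.
        imagePullPolicy: Always
        args:
        - ./bin/k8s-keystone-auth
        # Serves TLS with the keypair from CERT_DIR (the master's serving
        # cert in the Magnum layout - confirm), so the API server can verify
        # the webhook with the cluster CA.
        - --tls-cert-file
        - ${CERT_DIR}/server.crt
        - --tls-private-key-file
        - ${CERT_DIR}/server.key
        - --policy-configmap-name
        - k8s-keystone-auth-policy
        - --keystone-url
        - ${AUTH_URL}
        # Keystone is verified against the host CA bundle, not the system
        # default store.
        - --keystone-ca-file
        - /etc/kubernetes/ca-bundle.crt
        # Loopback only: with hostNetwork this is reachable solely from the
        # master itself (the API server's webhook config points here).
        - --listen
        - 127.0.0.1:8443
        volumeMounts:
        - mountPath: ${CERT_DIR}
          name: k8s-certs
          readOnly: true
        - mountPath: /etc/kubernetes
          name: ca-certs
          readOnly: true
        resources:
          requests:
            cpu: 200m
        ports:
        - containerPort: 8443
          hostPort: 8443
          name: https
          protocol: TCP
      # Required so the --listen address above is the master's loopback.
      hostNetwork: true
      volumes:
      - hostPath:
          path: ${CERT_DIR}
          type: DirectoryOrCreate
        name: k8s-certs
      - hostPath:
          path: /etc/kubernetes
          type: DirectoryOrCreate
        name: ca-certs
EOF
  }

  # Readiness probe only: the insecure localhost port carries no credentials
  # and is loopback-bound. --max-time keeps a wedged connection from
  # stalling the loop indefinitely.
  until [ "ok" = "$(curl --silent --max-time 5 http://127.0.0.1:8080/healthz)" ]; do
    echo "Waiting for Kubernetes API..."
    sleep 5
  done

  # Apply both manifests even if the first fails, but do not hide the
  # failure: a missing webhook leaves the cluster without Keystone auth.
  for manifest in "${KEYSTONE_AUTH_POLICY}" "${KEYSTONE_AUTH_DEPLOY}"; do
    if ! /usr/bin/kubectl apply -f "${manifest}"; then
      printf '%s\n' "${step}: kubectl apply failed for ${manifest}" >&2
      rc=1
    fi
  done
fi

printf '%s\n' "Finished running ${step}"
exit "${rc}"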