Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
Adds RBAC, user creation demo--will likely need reworking, use the be…
…st-practice cfssl, etc. tools
- Loading branch information
Joseph D. Marhee
committed
Apr 24, 2019
1 parent
2b2fc12
commit 6c755a5
Showing
10 changed files
with
114 additions
and
10 deletions.
There are no files selected for viewing
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -1,6 +1,6 @@ | ||
#!/bin/bash | ||
|
||
echo "[controllers]" | tee deploy_demo/inventory.yaml && \ | ||
echo "[controllers]" | tee demos/inventory.yaml && \ | ||
|
||
for host in `cd ../ ; terraform state list | grep primary | xargs -n1 -I% terraform state show % | grep network.0.address | awk '{print $3}'` ; do \ | ||
echo root@$host | tee -a deploy_demo/inventory.yaml ; done | ||
echo root@$host | tee -a demos/inventory.yaml ; done |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,7 @@ | ||
--- | ||
- hosts: | ||
- controllers | ||
become: true | ||
roles: | ||
- { role: demo_app, fqdn: packet.dev } | ||
- { role: rbac_demo, kube_users: ["user1","user2"] } |
File renamed without changes.
File renamed without changes.
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,27 @@ | ||
--- | ||
kind: Namespace | ||
apiVersion: v1 | ||
metadata: | ||
name: application | ||
labels: | ||
name: application | ||
--- | ||
kind: Role | ||
apiVersion: rbac.authorization.k8s.io/v1beta1 | ||
metadata: | ||
namespace: application | ||
name: operator | ||
rules: | ||
- apiGroups: ["", "extensions", "apps"] | ||
resources: ["deployments", "replicasets", "pods"] | ||
verbs: ["get", "list", "watch", "create", "update", "patch", "delete"] | ||
--- | ||
kind: Role | ||
apiVersion: rbac.authorization.k8s.io/v1beta1 | ||
metadata: | ||
namespace: application | ||
name: user | ||
rules: | ||
- apiGroups: ["", "extensions", "apps"] | ||
resources: ["deployments", "replicasets", "pods"] | ||
verbs: ["get", "list", "watch", "create"] |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,61 @@ | ||
--- | ||
- name: Install Pip | ||
package: | ||
name: python-pip | ||
state: present | ||
- name: Install pyOpenSSL | ||
pip: | ||
name: pyopenssl | ||
- name: Creates cert path | ||
file: | ||
path: "{{ item }}" | ||
state: directory | ||
with_items: | ||
- "/etc/ssl/cert" | ||
- "/etc/ssl/csr" | ||
- "/etc/ssl/private" | ||
- name: CSR for kube_admin | ||
openssl_csr: | ||
path: /etc/ssl/csr/kube_admin.csr | ||
privatekey_path: /var/lib/rancher/k3s/server/tls/ca.key | ||
common_name: kube_admin | ||
organization_name: packet-k8s | ||
- name: CSR for Kubernetes Users | ||
openssl_csr: | ||
path: "/etc/ssl/csr/{{ item }}.csr" | ||
privatekey_path: /var/lib/rancher/k3s/server/tls/ca.key | ||
common_name: "{{ item }}" | ||
organization_name: packet-k8s | ||
with_items: "{{ kube_users }}" | ||
- name: Generate certificate for kube_admin | ||
openssl_certificate: | ||
path: /etc/ssl/cert/kube_admin.crt | ||
csr_path: /etc/ssl/csr/kube_admin.csr | ||
ownca_path: /var/lib/rancher/k3s/server/tls/ca.crt | ||
ownca_privatekey_path: /var/lib/rancher/k3s/server/tls/ca.key | ||
provider: ownca | ||
- name: Generate certificate for kube users | ||
openssl_certificate: | ||
path: "/etc/ssl/cert/{{ item }}.crt" | ||
csr_path: "/etc/ssl/csr/{{ item }}.csr" | ||
ownca_path: /var/lib/rancher/k3s/server/tls/ca.crt | ||
ownca_privatekey_path: /var/lib/rancher/k3s/server/tls/ca.key | ||
provider: ownca | ||
with_items: "{{ kube_users }}" | ||
- name: Create kube contexts for users | ||
command: kubectl config set-credentials {{ item }} --client-certificate=/etc/ssl/cert/{{ item }}.crt --client-key=/var/lib/rancher/k3s/server/tls/ca.key | ||
with_items: "{{ kube_users }}" | ||
- name: Set context | ||
command: kubectl config set-context {{ item }}-context --namespace=application --user={{ item }} | ||
with_items: "{{ kube_users }}" | ||
- name: Roles Creation | ||
copy: | ||
src: "{{ role_path }}/files/roles.yaml" | ||
dest: /var/lib/rancher/k3s/server/manifests/roles.yaml | ||
- name: Creates Role Binding for kube_users | ||
template: | ||
src: templates/binding.yaml.j2 | ||
dest: /var/lib/rancher/k3s/server/manifests/{{ item }}-binding.yaml | ||
vars: | ||
user: "{{ item }}" | ||
with_items: "{{ kube_users}}" |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,13 @@ | ||
kind: RoleBinding | ||
apiVersion: rbac.authorization.k8s.io/v1beta1 | ||
metadata: | ||
name: user-binding | ||
namespace: office | ||
subjects: | ||
- kind: User | ||
name: {{ user }} | ||
apiGroup: "" | ||
roleRef: | ||
kind: Role | ||
name: user | ||
apiGroup: "" |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,2 @@ | ||
--- | ||
user: "" |
This file was deleted.
Oops, something went wrong.