
Add support in Armada CLI to pass user bearer tokens to tiller

Added a new option --bearer-token TEXT in the Armada CLI to allow
the users or applications to pass kubernetes-api bearertokens via
tiller to the kubernetes cluster. This is to allow armada to interact
with a kubernetes cluster that has been configured with an external
Auth-Backend like Openstack-keystone or OpenId Connect.

Bearer tokens are auth tokens issued by identity backends
such as keystone, which represent a user's authorized access.
For a better understanding of bearer tokens, examples
of how they work can be found here
https://kubernetes.io/docs/reference/access-authn-authz/authentication/#putting-a-bearer-token-in-a-request
https://docs.docker.com/registry/spec/auth/token/

Change-Id: I03623c7d3b58eda421a0660da8ec3ac2e86915f0
Signed-off-by: Shoaib Nasir <shoaib.nasir@windriver.com>
changes/54/630754/12
Shoaib Nasir 4 months ago
parent
commit
7fb3b8d9ca

+ 6
- 3
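--- a/armada/cli/apply.py
+++ b/armada/cli/apply.py
@@ -129,17 +129,18 @@ SHORT_DESC = "Command installs manifest charts."
     help=("The target manifest to run. Required for specifying "
           "which manifest to run when multiple are available."),
     default=None)
+@click.option('--bearer-token', help="User Bearer token", default=None)
 @click.option('--debug', help="Enable debug logging.", is_flag=True)
 @click.pass_context
 def apply_create(ctx, locations, api, disable_update_post, disable_update_pre,
                  dry_run, enable_chart_cleanup, use_doc_ref, set, tiller_host,
                  tiller_port, tiller_namespace, timeout, values, wait,
-                 target_manifest, debug):
+                 target_manifest, bearer_token, debug):
     CONF.debug = debug
     ApplyManifest(ctx, locations, api, disable_update_post, disable_update_pre,
                   dry_run, enable_chart_cleanup, use_doc_ref, set, tiller_host,
                   tiller_port, tiller_namespace, timeout, values, wait,
-                  target_manifest).safe_invoke()
+                  target_manifest, bearer_token).safe_invoke()
 
 
 class ApplyManifest(CliAction):
@@ -147,7 +148,7 @@ class ApplyManifest(CliAction):
     def __init__(self, ctx, locations, api, disable_update_post,
                  disable_update_pre, dry_run, enable_chart_cleanup,
                  use_doc_ref, set, tiller_host, tiller_port, tiller_namespace,
-                 timeout, values, wait, target_manifest):
+                 timeout, values, wait, target_manifest, bearer_token):
         super(ApplyManifest, self).__init__()
         self.ctx = ctx
         # Filename can also be a URL reference
@@ -166,6 +167,7 @@ class ApplyManifest(CliAction):
         self.values = values
         self.wait = wait
         self.target_manifest = target_manifest
+        self.bearer_token = bearer_token
 
     def output(self, resp):
         for result in resp:
@@ -203,6 +205,7 @@ class ApplyManifest(CliAction):
                     tiller_host=self.tiller_host,
                     tiller_port=self.tiller_port,
                     tiller_namespace=self.tiller_namespace,
+                    bearer_token=self.bearer_token,
                     dry_run=self.dry_run) as tiller:
                 armada = Armada(
                     documents,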
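Review bot: The new `--bearer-token` option on `apply_create` accepts the credential only as a command-line argument, so the token lands in shell history and is visible in the process list to other local users while the command runs. click can read the same option from the environment, e.g. `@click.option('--bearer-token', envvar='ARMADA_BEARER_TOKEN', help="User bearer token.", default=None)` (the variable name is a placeholder), which keeps the flag working but gives automation a path that does not expose the secret in argv. The same applies to the option added in armada/cli/delete.py, armada/cli/rollback.py and armada/cli/tiller.py. The help strings for the four commands also differ in capitalisation and trailing period and should be made uniform.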

+ 7
- 4
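--- a/armada/cli/delete.py
+++ b/armada/cli/delete.py
@@ -65,19 +65,20 @@ SHORT_DESC = "Command deletes releases."
 @click.option('--tiller-host', help="Tiller host IP.")
 @click.option(
     '--tiller-port', help="Tiller host port.", type=int, default=44134)
+@click.option('--bearer-token', help="User Bearer token.", default=None)
 @click.option('--debug', help="Enable debug logging.", is_flag=True)
 @click.pass_context
 def delete_charts(ctx, manifest, releases, no_purge, tiller_host, tiller_port,
-                  debug):
+                  bearer_token, debug):
     CONF.debug = debug
     DeleteChartManifest(ctx, manifest, releases, no_purge, tiller_host,
-                        tiller_port).safe_invoke()
+                        tiller_port, bearer_token).safe_invoke()
 
 
 class DeleteChartManifest(CliAction):
 
     def __init__(self, ctx, manifest, releases, no_purge, tiller_host,
-                 tiller_port):
+                 tiller_port, bearer_token):
 
         super(DeleteChartManifest, self).__init__()
         self.ctx = ctx
@@ -86,11 +87,13 @@ class DeleteChartManifest(CliAction):
         self.purge = not no_purge
         self.tiller_host = tiller_host
         self.tiller_port = tiller_port
+        self.bearer_token = bearer_token
 
     def invoke(self):
         with Tiller(
                 tiller_host=self.tiller_host,
-                tiller_port=self.tiller_port) as tiller:
+                tiller_port=self.tiller_port,
+                bearer_token=self.bearer_token) as tiller:
             self.handle(tiller)
 
     def handle(self, tiller):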

+ 7
- 4
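--- a/armada/cli/rollback.py
+++ b/armada/cli/rollback.py
@@ -80,22 +80,23 @@ SHORT_DESC = "Command performs a release rollback."
     '--recreate-pods',
     help=("Restarts pods for the resource if applicable."),
     is_flag=True)
+@click.option('--bearer-token', help=("User bearer token."), default=None)
 @click.option('--debug', help="Enable debug logging.", is_flag=True)
 @click.pass_context
 def rollback_charts(ctx, release, version, dry_run, tiller_host, tiller_port,
                     tiller_namespace, timeout, wait, force, recreate_pods,
-                    debug):
+                    bearer_token, debug):
     CONF.debug = debug
     Rollback(ctx, release, version, dry_run, tiller_host, tiller_port,
-             tiller_namespace, timeout, wait, force,
-             recreate_pods).safe_invoke()
+             tiller_namespace, timeout, wait, force, recreate_pods,
+             bearer_token).safe_invoke()
 
 
 class Rollback(CliAction):
 
     def __init__(self, ctx, release, version, dry_run, tiller_host,
                  tiller_port, tiller_namespace, timeout, wait, force,
-                 recreate_pods):
+                 recreate_pods, bearer_token):
         super(Rollback, self).__init__()
         self.ctx = ctx
         self.release = release
@@ -108,12 +109,14 @@ class Rollback(CliAction):
         self.wait = wait
         self.force = force
         self.recreate_pods = recreate_pods
+        self.bearer_token = bearer_token
 
     def invoke(self):
         with Tiller(
                 tiller_host=self.tiller_host,
                 tiller_port=self.tiller_port,
                 tiller_namespace=self.tiller_namespace,
+                bearer_token=self.bearer_token,
                 dry_run=self.dry_run) as tiller:
 
             response = tiller.rollback_release(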

+ 7
- 4
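--- a/armada/cli/tiller.py
+++ b/armada/cli/tiller.py
@@ -61,19 +61,20 @@ SHORT_DESC = "Command gets Tiller information."
     default=CONF.tiller_namespace)
 @click.option('--releases', help="List of deployed releases.", is_flag=True)
 @click.option('--status', help="Status of Tiller services.", is_flag=True)
+@click.option('--bearer-token', help="User bearer token.", default=None)
 @click.option('--debug', help="Enable debug logging.", is_flag=True)
 @click.pass_context
 def tiller_service(ctx, tiller_host, tiller_port, tiller_namespace, releases,
-                   status, debug):
+                   status, bearer_token, debug):
     CONF.debug = debug
     TillerServices(ctx, tiller_host, tiller_port, tiller_namespace, releases,
-                   status).safe_invoke()
+                   status, bearer_token).safe_invoke()
 
 
 class TillerServices(CliAction):
 
     def __init__(self, ctx, tiller_host, tiller_port, tiller_namespace,
-                 releases, status):
+                 releases, status, bearer_token):
         super(TillerServices, self).__init__()
         self.ctx = ctx
         self.tiller_host = tiller_host
@@ -81,13 +82,15 @@ class TillerServices(CliAction):
         self.tiller_namespace = tiller_namespace
         self.releases = releases
         self.status = status
+        self.bearer_token = bearer_token
 
     def invoke(self):
 
         with Tiller(
                 tiller_host=self.tiller_host,
                 tiller_port=self.tiller_port,
-                tiller_namespace=self.tiller_namespace) as tiller:
+                tiller_namespace=self.tiller_namespace,
+                bearer_token=self.bearer_token) as tiller:
 
             self.handle(tiller)
 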

+ 16
- 6
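--- a/armada/handlers/k8s.py
+++ b/armada/handlers/k8s.py
@@ -41,20 +41,30 @@ class K8s(object):
     Object to obtain the local kube config file
     '''
 
-    def __init__(self):
+    def __init__(self, bearer_token=None):
         '''
         Initialize connection to Kubernetes
         '''
+        self.bearer_token = bearer_token
+        api_client = None
+
         try:
             config.load_incluster_config()
         except config.config_exception.ConfigException:
             config.load_kube_config()
 
-        self.client = client.CoreV1Api()
-        self.batch_api = client.BatchV1Api()
-        self.batch_v1beta1_api = client.BatchV1beta1Api()
-        self.extension_api = client.ExtensionsV1beta1Api()
-        self.apps_v1_api = client.AppsV1Api()
+        if self.bearer_token:
+            # Configure API key authorization: Bearer Token
+            configuration = client.Configuration()
+            configuration.api_key_prefix['authorization'] = 'Bearer'
+            configuration.api_key['authorization'] = self.bearer_token
+            api_client = client.ApiClient(configuration)
+
+        self.client = client.CoreV1Api(api_client)
+        self.batch_api = client.BatchV1Api(api_client)
+        self.batch_v1beta1_api = client.BatchV1beta1Api(api_client)
+        self.extension_api = client.ExtensionsV1beta1Api(api_client)
+        self.apps_v1_api = client.AppsV1Api(api_client)
 
     def delete_job_action(self,
                           name,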
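Review bot: `if self.bearer_token:` in `K8s.__init__` treats an empty string the same as no token, so a caller whose token variable is unset (`--bearer-token ""`) silently proceeds with the kubeconfig or in-cluster service-account credentials instead of failing. Rejecting an empty value up front, e.g. `if bearer_token is not None and not bearer_token.strip(): raise ValueError('bearer token is empty')`, avoids running with broader ambient credentials than the user intended. Separately, `client.Configuration()` is created after the config loaders run, and whether it inherits the loaded host and CA settings appears to depend on the pinned kubernetes client version. That is worth confirming with a test, so the token is only ever sent to the intended API server over verified TLS. The `__init__` docstring should also describe `bearer_token` and state that it replaces the credentials loaded from the cluster or kubeconfig.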

+ 3
- 1
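--- a/armada/handlers/tiller.py
+++ b/armada/handlers/tiller.py
@@ -80,14 +80,16 @@ class Tiller(object):
                  tiller_host=None,
                  tiller_port=None,
                  tiller_namespace=None,
+                 bearer_token=None,
                  dry_run=None):
         self.tiller_host = tiller_host
         self.tiller_port = tiller_port or CONF.tiller_port
         self.tiller_namespace = tiller_namespace or CONF.tiller_namespace
+        self.bearer_token = bearer_token
         self.dry_run = dry_run or False
 
         # init k8s connectivity
-        self.k8s = K8s()
+        self.k8s = K8s(bearer_token=self.bearer_token)
 
         # init Tiller channel
         self.channel = self.get_channel()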
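Review bot: The token accepted by `Tiller.__init__` is forwarded only to `K8s(bearer_token=...)`; nothing in this hunk hands it to `self.get_channel()`. As far as the visible lines show, the Tiller gRPC requests are therefore still sent without the user's credential, and Tiller presumably acts with its own service account. If so, the token constrains only Armada's direct Kubernetes API calls, not what a release operation can change in the cluster, which is narrower than the commit title suggests. A comment next to the assignment such as `# bearer_token authenticates Armada's own Kubernetes API calls only; Tiller requests are not authorized with it` would make that boundary explicit. The constructor starts and continues outside the hunk, so `get_channel()` should be checked before relying on this reading.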

+ 1
- 0
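--- a/doc/source/commands/apply.rst
+++ b/doc/source/commands/apply.rst
@@ -54,6 +54,7 @@ Commands
       --target-manifest TEXT        The target manifest to run. Required for
                                     specifying which manifest to run when multiple
                                     are available.
+      --bearer-token                User bearer token.
       --debug                       Enable debug logging.
       --help                        Show this message and exit.
 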

+ 1
- 0
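--- a/doc/source/commands/rollback.rst
+++ b/doc/source/commands/rollback.rst
@@ -24,6 +24,7 @@ Commands
       --timeout INTEGER             Tiller Host IP
       --version INTEGER             Version of release to rollback to. 0 represents the previous release
       --wait                        Version of release to rollback to. 0 represents the previous release
+      --bearer-token                User bearer token
       --help                        Show this message and exit.
 
 Synopsis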

+ 1
- 0
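--- a/doc/source/commands/tiller.rst
+++ b/doc/source/commands/tiller.rst
@@ -27,6 +27,7 @@ Commands
       -tn, --tiller-namespace TEXT  Tiller namespace
       --releases                    list of deployed releses
       --status                      Status of Armada services
+      --bearer-token                User bearer token
       --help                        Show this message and exit.
 
 Synopsis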

+ 22
- 0
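--- a/doc/source/operations/guide-use-armada.rst
+++ b/doc/source/operations/guide-use-armada.rst
@@ -224,3 +224,25 @@ for example:
       description: Change value deploy
       chart_group:
         - blog-1
+
+User bearer token
+-----------------
+It is possible to pass the user bearer token from the armada CLI to interact
+with a kubernetes cluster that has been configured with an external Auth-backend
+like openstack-keystone.
+
+.. code:: bash
+
+    Example:
+
+    armada apply --bearer-token [ TOKEN ] --values [ path_to_yaml ] [ FILE ]
+
+    armada tiller --bearer-token [ TOKEN ] --status
+
+.. note::
+    The bearer token option is available for the following commands
+
+    armada apply
+    armada delete
+    armada tiller
+    armada rollback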
