Remove kubectl & credentials on join
This behavior can be disabled with the `leave_kubectl` query parameter to the `join-scripts` endpoint. Change-Id: Ia2d9d11f2e900aed0b69394de6ba30442921d5a0
parent
01d0b17d8e
commit
702f5dcb11
|
@ -26,14 +26,19 @@ def promenade(*, verbose):
|
||||||
required=True,
|
required=True,
|
||||||
help='Location to write complete cluster configuration.')
|
help='Location to write complete cluster configuration.')
|
||||||
@click.option('--validators', is_flag=True, help='Generate validation scripts')
|
@click.option('--validators', is_flag=True, help='Generate validation scripts')
|
||||||
|
@click.option(
|
||||||
|
'--leave-kubectl',
|
||||||
|
is_flag=True,
|
||||||
|
help='Leave behind kubectl on joined nodes')
|
||||||
@click.argument('config_files', nargs=-1, type=click.File('rb'))
|
@click.argument('config_files', nargs=-1, type=click.File('rb'))
|
||||||
def build_all(*, config_files, output_dir, validators):
|
def build_all(*, config_files, leave_kubectl, output_dir, validators):
|
||||||
debug = _debug()
|
debug = _debug()
|
||||||
try:
|
try:
|
||||||
c = config.Configuration.from_streams(
|
c = config.Configuration.from_streams(
|
||||||
debug=debug,
|
debug=debug,
|
||||||
substitute=True,
|
substitute=True,
|
||||||
allow_missing_substitutions=False,
|
allow_missing_substitutions=False,
|
||||||
|
leave_kubectl=leave_kubectl,
|
||||||
streams=config_files)
|
streams=config_files)
|
||||||
b = builder.Builder(c, validators=validators)
|
b = builder.Builder(c, validators=validators)
|
||||||
b.build_all(output_dir=output_dir)
|
b.build_all(output_dir=output_dir)
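Review bot: The help text on the new `--leave-kubectl` option understates what the flag controls. The join template changed in this same commit removes `/etc/kubernetes/admin` as well as the kubectl binary, so passing the flag leaves those credentials on every joined node. I would state that in the option, for example `help='Leave kubectl and the credentials in /etc/kubernetes/admin on joined nodes'`, so an operator reading `--help` sees the security consequence of opting out.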
|
||||||
|
|
|
@ -19,6 +19,7 @@ class Configuration:
|
||||||
debug=False,
|
debug=False,
|
||||||
substitute=True,
|
substitute=True,
|
||||||
allow_missing_substitutions=True,
|
allow_missing_substitutions=True,
|
||||||
|
leave_kubectl=False,
|
||||||
validate=True):
|
validate=True):
|
||||||
LOG.info("Parsing document schemas.")
|
LOG.info("Parsing document schemas.")
|
||||||
schema_set = validation.load_schemas_from_docs(documents)
|
schema_set = validation.load_schemas_from_docs(documents)
|
||||||
|
@ -43,6 +44,7 @@ class Configuration:
|
||||||
validation.check_schemas(documents, schemas=schema_set)
|
validation.check_schemas(documents, schemas=schema_set)
|
||||||
self.debug = debug
|
self.debug = debug
|
||||||
self.documents = documents
|
self.documents = documents
|
||||||
|
self.leave_kubectl = leave_kubectl
|
||||||
|
|
||||||
@classmethod
|
@classmethod
|
||||||
def from_streams(cls, *, streams, **kwargs):
|
def from_streams(cls, *, streams, **kwargs):
|
||||||
|
@ -111,6 +113,7 @@ class Configuration:
|
||||||
return Configuration(
|
return Configuration(
|
||||||
debug=self.debug,
|
debug=self.debug,
|
||||||
documents=documents,
|
documents=documents,
|
||||||
|
leave_kubectl=self.leave_kubectl,
|
||||||
substitute=False,
|
substitute=False,
|
||||||
validate=False)
|
validate=False)
|
||||||
|
|
||||||
|
@ -133,6 +136,7 @@ class Configuration:
|
||||||
return Configuration(
|
return Configuration(
|
||||||
debug=self.debug,
|
debug=self.debug,
|
||||||
documents=documents,
|
documents=documents,
|
||||||
|
leave_kubectl=self.leave_kubectl,
|
||||||
substitute=False,
|
substitute=False,
|
||||||
validate=False)
|
validate=False)
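Review bot: The new `leave_kubectl=False` keyword in the constructor is security-relevant but undocumented. A short comment would help, such as `# leave_kubectl: when False (default), rendered join scripts delete kubectl and /etc/kubernetes/admin on exit`. The two `Configuration(...)` calls in the later hunks forward the flag by hand, and both enclosing methods start outside the hunks. Any other construction site not shown here would presumably fall back to the default, which is the removing, safer direction, but it would also silently drop an explicit opt-out. A line in the class docstring saying derived configurations must pass `leave_kubectl=self.leave_kubectl` would make that expectation visible.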
|
||||||
|
|
||||||
|
|
|
@ -35,6 +35,7 @@ class JoinScriptsResource(BaseResource):
|
||||||
|
|
||||||
@policy.ApiEnforcer('kubernetes_provisioner:get_join_scripts')
|
@policy.ApiEnforcer('kubernetes_provisioner:get_join_scripts')
|
||||||
def on_get(self, req, resp):
|
def on_get(self, req, resp):
|
||||||
|
leave_kubectl = req.get_param_as_bool('leave_kubectl')
|
||||||
design_ref = req.get_param('design_ref', required=True)
|
design_ref = req.get_param('design_ref', required=True)
|
||||||
ip = req.get_param('ip', required=True)
|
ip = req.get_param('ip', required=True)
|
||||||
hostname = req.get_param('hostname', required=True)
|
hostname = req.get_param('hostname', required=True)
|
||||||
|
@ -46,7 +47,9 @@ class JoinScriptsResource(BaseResource):
|
||||||
|
|
||||||
try:
|
try:
|
||||||
config = Configuration.from_design_ref(
|
config = Configuration.from_design_ref(
|
||||||
design_ref, allow_missing_substitutions=False)
|
design_ref,
|
||||||
|
allow_missing_substitutions=False,
|
||||||
|
leave_kubectl=leave_kubectl)
|
||||||
except exceptions.DeckhandException as e:
|
except exceptions.DeckhandException as e:
|
||||||
raise falcon.HTTPInternalServerError(description=str(e))
|
raise falcon.HTTPInternalServerError(description=str(e))
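Review bot: In `on_get`, the `leave_kubectl` query parameter alone decides whether credentials are left on the joined node, and it is passed straight through with no normalisation and no record of the choice. `req.get_param_as_bool('leave_kubectl')` yields `None` when the parameter is absent. The template's `not config.leave_kubectl` check treats that as "remove", but an explicit `leave_kubectl = bool(req.get_param_as_bool('leave_kubectl'))` would keep the attribute a real boolean. I would also log at info level, with the requesting hostname, whenever the value is true, so that opting out of credential removal leaves an audit trail. The opt-out is governed by the same `kubernetes_provisioner:get_join_scripts` policy as the endpoint itself. `on_get` continues outside both hunks, and the signature of `from_design_ref` is not visible here, so confirm it accepts the new keyword.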
|
||||||
|
|
||||||
|
|
|
@ -1,5 +1,18 @@
|
||||||
{% include "header.sh" with context %}
|
{% include "header.sh" with context %}
|
||||||
|
|
||||||
|
{%- if not config.leave_kubectl %}
|
||||||
|
function delete_kubectl() {
|
||||||
|
set +x
|
||||||
|
log
|
||||||
|
log === Removing kubectl and credentials ===
|
||||||
|
set -x
|
||||||
|
rm -rf /etc/kubernetes/admin
|
||||||
|
rm -f /usr/local/bin/kubectl
|
||||||
|
}
|
||||||
|
|
||||||
|
trap delete_kubectl EXIT
|
||||||
|
{%- endif %}
|
||||||
|
|
||||||
{% include "basic-host-validation.sh" with context %}
|
{% include "basic-host-validation.sh" with context %}
|
||||||
|
|
||||||
{% include "up.sh" with context %}
|
{% include "up.sh" with context %}
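Review bot: The cleanup depends entirely on `trap delete_kubectl EXIT`, which is installed before the `basic-host-validation.sh` and `up.sh` includes. Bash keeps only one EXIT handler, so if either include (not visible here) sets its own EXIT trap, the credentials in `/etc/kubernetes/admin` would silently remain. A comment next to the trap would record this, for example `# Included scripts must not install their own EXIT trap, or this credential cleanup is lost`. The trap also does not run if the script is killed with SIGKILL or the host loses power mid-join. A follow-up check that `/etc/kubernetes/admin` is absent on joined nodes, for example in the validation scripts, would catch both cases.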
|
||||||
|
|
|
@ -70,7 +70,7 @@ render_curl_url() {
|
||||||
fi
|
fi
|
||||||
HOST_PARAMS="hostname=${NAME}&ip=$(config_vm_ip "${NAME}")"
|
HOST_PARAMS="hostname=${NAME}&ip=$(config_vm_ip "${NAME}")"
|
||||||
|
|
||||||
echo "${BASE_URL}?${DESIGN_REF}&${HOST_PARAMS}${LABEL_PARAMS}"
|
echo "${BASE_URL}?${DESIGN_REF}&${HOST_PARAMS}&leave_kubectl=true${LABEL_PARAMS}"
|
||||||
}
|
}
|
||||||
|
|
||||||
render_validate_body() {
|
render_validate_body() {
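Review bot: Hard-coding `&leave_kubectl=true` in `render_curl_url` means every join driven by this tooling opts out of the new cleanup. The `--leave-kubectl` argument added to the `docker run ... build-all` invocation in the following section has the same effect. The default path, the `delete_kubectl` trap, is therefore never exercised here. Making the opt-out overridable would allow at least one run to cover the removal path, for example `echo "${BASE_URL}?${DESIGN_REF}&${HOST_PARAMS}&leave_kubectl=${LEAVE_KUBECTL:-true}${LABEL_PARAMS}"`, where `LEAVE_KUBECTL` is a suggested variable name that does not appear on the page. A comment should also say that this setting is for test convenience and is not the recommended production value. `render_curl_url` starts outside the hunk.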
|
||||||
|
|
|
@ -60,6 +60,7 @@ docker run --rm -t \
|
||||||
promenade \
|
promenade \
|
||||||
build-all \
|
build-all \
|
||||||
--validators \
|
--validators \
|
||||||
|
--leave-kubectl \
|
||||||
-o promenade-bundle \
|
-o promenade-bundle \
|
||||||
config/*.yaml
|
config/*.yaml
|
||||||
|
|
||||||
|
|