Remove kubectl & credentials on join
This behavior can be disabled with the `leave_kubectl` query parameter to the `join-scripts` endpoint. Change-Id: Ia2d9d11f2e900aed0b69394de6ba30442921d5a0
parent
01d0b17d8e
commit
702f5dcb11
@ -26,14 +26,19 @@ def promenade(*, verbose):
|
||||
required=True,
|
||||
help='Location to write complete cluster configuration.')
|
||||
@click.option('--validators', is_flag=True, help='Generate validation scripts')
|
||||
@click.option(
|
||||
'--leave-kubectl',
|
||||
is_flag=True,
|
||||
help='Leave behind kubectl on joined nodes')
|
||||
@click.argument('config_files', nargs=-1, type=click.File('rb'))
|
||||
def build_all(*, config_files, output_dir, validators):
|
||||
def build_all(*, config_files, leave_kubectl, output_dir, validators):
|
||||
debug = _debug()
|
||||
try:
|
||||
c = config.Configuration.from_streams(
|
||||
debug=debug,
|
||||
substitute=True,
|
||||
allow_missing_substitutions=False,
|
||||
leave_kubectl=leave_kubectl,
|
||||
streams=config_files)
|
||||
b = builder.Builder(c, validators=validators)
|
||||
b.build_all(output_dir=output_dir)
|
||||
|
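Review bot: The `--leave-kubectl` help text names only the binary, while the join template changed in this same commit also deletes `/etc/kubernetes/admin`, so an operator reading `--help` cannot tell that the flag leaves admin credentials on the node as well. I would word it as `help='Leave kubectl and the admin credentials under /etc/kubernetes/admin on joined nodes')`. The `build_all` body continues past the end of the hunk.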
@ -19,6 +19,7 @@ class Configuration:
|
||||
debug=False,
|
||||
substitute=True,
|
||||
allow_missing_substitutions=True,
|
||||
leave_kubectl=False,
|
||||
validate=True):
|
||||
LOG.info("Parsing document schemas.")
|
||||
schema_set = validation.load_schemas_from_docs(documents)
|
||||
@ -43,6 +44,7 @@ class Configuration:
|
||||
validation.check_schemas(documents, schemas=schema_set)
|
||||
self.debug = debug
|
||||
self.documents = documents
|
||||
self.leave_kubectl = leave_kubectl
|
||||
|
||||
@classmethod
|
||||
def from_streams(cls, *, streams, **kwargs):
|
||||
@ -111,6 +113,7 @@ class Configuration:
|
||||
return Configuration(
|
||||
debug=self.debug,
|
||||
documents=documents,
|
||||
leave_kubectl=self.leave_kubectl,
|
||||
substitute=False,
|
||||
validate=False)
|
||||
|
||||
@ -133,6 +136,7 @@ class Configuration:
|
||||
return Configuration(
|
||||
debug=self.debug,
|
||||
documents=documents,
|
||||
leave_kubectl=self.leave_kubectl,
|
||||
substitute=False,
|
||||
validate=False)
|
||||
|
||||
|
@ -35,6 +35,7 @@ class JoinScriptsResource(BaseResource):
|
||||
|
||||
@policy.ApiEnforcer('kubernetes_provisioner:get_join_scripts')
|
||||
def on_get(self, req, resp):
|
||||
leave_kubectl = req.get_param_as_bool('leave_kubectl')
|
||||
design_ref = req.get_param('design_ref', required=True)
|
||||
ip = req.get_param('ip', required=True)
|
||||
hostname = req.get_param('hostname', required=True)
|
||||
@ -46,7 +47,9 @@ class JoinScriptsResource(BaseResource):
|
||||
|
||||
try:
|
||||
config = Configuration.from_design_ref(
|
||||
design_ref, allow_missing_substitutions=False)
|
||||
design_ref,
|
||||
allow_missing_substitutions=False,
|
||||
leave_kubectl=leave_kubectl)
|
||||
except exceptions.DeckhandException as e:
|
||||
raise falcon.HTTPInternalServerError(description=str(e))
|
||||
|
||||
|
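Review bot: `leave_kubectl` in `on_get` is taken straight from the query string, so any caller that passes the existing `kubernetes_provisioner:get_join_scripts` check can request a join script that leaves the admin credentials on the node, and nothing visible here records that it happened. `get_param_as_bool` also yields `None` when the parameter is absent, which works only because the template tests `not config.leave_kubectl`. I would normalise it with `leave_kubectl = bool(req.get_param_as_bool('leave_kubectl'))` and, if the module has a logger, emit a warning naming the requesting hostname whenever it is true so opt-outs are auditable. Whether the opt-out deserves its own policy rule is a call for the maintainers. `on_get` continues outside both hunks.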
@ -1,5 +1,18 @@
|
||||
{% include "header.sh" with context %}
|
||||
|
||||
{%- if not config.leave_kubectl %}
|
||||
function delete_kubectl() {
|
||||
set +x
|
||||
log
|
||||
log === Removing kubectl and credentials ===
|
||||
set -x
|
||||
rm -rf /etc/kubernetes/admin
|
||||
rm -f /usr/local/bin/kubectl
|
||||
}
|
||||
|
||||
trap delete_kubectl EXIT
|
||||
{%- endif %}
|
||||
|
||||
{% include "basic-host-validation.sh" with context %}
|
||||
|
||||
{% include "up.sh" with context %}
|
||||
|
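Review bot: Credential removal depends entirely on `trap delete_kubectl EXIT` staying registered, and a later `trap ... EXIT` in one of the included templates (`basic-host-validation.sh`, `up.sh`, not visible here) would silently replace it and leave `/etc/kubernetes/admin` on the node. The shell keeps a single handler per condition, so it is worth confirming that none of the includes set their own and recording the constraint above the trap: `# Only EXIT handler in this script; included templates must not re-register EXIT or admin credentials are left behind.` The function also relies on `log` being defined by `header.sh`, which this hunk does not show.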
@ -70,7 +70,7 @@ render_curl_url() {
|
||||
fi
|
||||
HOST_PARAMS="hostname=${NAME}&ip=$(config_vm_ip "${NAME}")"
|
||||
|
||||
echo "${BASE_URL}?${DESIGN_REF}&${HOST_PARAMS}${LABEL_PARAMS}"
|
||||
echo "${BASE_URL}?${DESIGN_REF}&${HOST_PARAMS}&leave_kubectl=true${LABEL_PARAMS}"
|
||||
}
|
||||
|
||||
render_validate_body() {
|
||||
|
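Review bot: With `&leave_kubectl=true` hard-coded in `render_curl_url`, and `--leave-kubectl` added to the `build-all` invocation in the next file, none of the tooling visible in this commit runs a join with the default setting, so the new `delete_kubectl` path goes unexercised. If these are the functional-test helpers, as they appear to be, I would make the parameter opt-in through a variable (the name here is illustrative), e.g. `${LEAVE_KUBECTL:+&leave_kubectl=true}`, and have at least one joined node checked for the absence of `/usr/local/bin/kubectl` and `/etc/kubernetes/admin`. `render_curl_url` starts above the hunk.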
@ -60,6 +60,7 @@ docker run --rm -t \
|
||||
promenade \
|
||||
build-all \
|
||||
--validators \
|
||||
--leave-kubectl \
|
||||
-o promenade-bundle \
|
||||
config/*.yaml
|
||||
|
||||
|