181 lines
4.5 KiB
Bash
181 lines
4.5 KiB
Bash
. /etc/sysconfig/heat-params
|
|
|
|
step="enable-keystone-auth"
|
|
printf "Starting to run ${step}\n"
|
|
|
|
if [ "$(echo $KEYSTONE_AUTH_ENABLED | tr '[:upper:]' '[:lower:]')" != "false" ]; then
|
|
_prefix=${CONTAINER_INFRA_PREFIX:-registry.k8s.io/provider-os/}
|
|
CERT_DIR=/etc/kubernetes/certs
|
|
|
|
# Create policy configmap for keystone auth
|
|
KEYSTONE_AUTH_POLICY=/srv/magnum/kubernetes/keystone-auth-policy.yaml
|
|
|
|
[ -f ${KEYSTONE_AUTH_POLICY} ] || {
|
|
echo "Writing File: $KEYSTONE_AUTH_POLICY"
|
|
mkdir -p $(dirname ${KEYSTONE_AUTH_POLICY})
|
|
cat << EOF > ${KEYSTONE_AUTH_POLICY}
|
|
---
|
|
apiVersion: v1
|
|
kind: ServiceAccount
|
|
metadata:
|
|
name: k8s-keystone-auth
|
|
namespace: kube-system
|
|
---
|
|
apiVersion: rbac.authorization.k8s.io/v1
|
|
kind: ClusterRole
|
|
metadata:
|
|
labels:
|
|
kubernetes.io/bootstrapping: rbac-defaults
|
|
name: system:k8s-keystone-auth
|
|
rules:
|
|
- apiGroups:
|
|
- ""
|
|
resources:
|
|
- configmaps
|
|
- services
|
|
- pods
|
|
verbs:
|
|
- get
|
|
- list
|
|
- watch
|
|
---
|
|
apiVersion: rbac.authorization.k8s.io/v1
|
|
kind: ClusterRoleBinding
|
|
metadata:
|
|
annotations:
|
|
rbac.authorization.kubernetes.io/autoupdate: "true"
|
|
labels:
|
|
kubernetes.io/bootstrapping: rbac-defaults
|
|
name: system:k8s-keystone-auth
|
|
roleRef:
|
|
apiGroup: rbac.authorization.k8s.io
|
|
kind: ClusterRole
|
|
name: system:k8s-keystone-auth
|
|
subjects:
|
|
- kind: ServiceAccount
|
|
name: k8s-keystone-auth
|
|
namespace: kube-system
|
|
---
|
|
apiVersion: v1
|
|
kind: ConfigMap
|
|
metadata:
|
|
name: k8s-keystone-auth-policy
|
|
namespace: kube-system
|
|
data:
|
|
policies: |
|
|
$KEYSTONE_AUTH_DEFAULT_POLICY
|
|
---
|
|
apiVersion: v1
|
|
kind: ConfigMap
|
|
metadata:
|
|
name: keystone-sync-policy
|
|
namespace: kube-system
|
|
data:
|
|
syncConfig: |
|
|
role-mappings:
|
|
- keystone-role: member
|
|
groups: []
|
|
EOF
|
|
}
|
|
|
|
# Generate k8s-keystone-auth service manifest file
|
|
KEYSTONE_AUTH_DEPLOY=/srv/magnum/kubernetes/manifests/k8s-keystone-auth.yaml
|
|
|
|
[ -f ${KEYSTONE_AUTH_DEPLOY} ] || {
|
|
echo "Writing File: $KEYSTONE_AUTH_DEPLOY"
|
|
mkdir -p $(dirname ${KEYSTONE_AUTH_DEPLOY})
|
|
cat << EOF > ${KEYSTONE_AUTH_DEPLOY}
|
|
---
|
|
apiVersion: apps/v1
|
|
kind: DaemonSet
|
|
metadata:
|
|
labels:
|
|
component: k8s-keystone-auth
|
|
tier: control-plane
|
|
name: k8s-keystone-auth
|
|
namespace: kube-system
|
|
spec:
|
|
# The controllers can only have a single active instance.
|
|
selector:
|
|
matchLabels:
|
|
k8s-app: k8s-keystone-auth
|
|
template:
|
|
metadata:
|
|
name: k8s-keystone-auth
|
|
namespace: kube-system
|
|
labels:
|
|
k8s-app: k8s-keystone-auth
|
|
spec:
|
|
serviceAccountName: k8s-keystone-auth
|
|
tolerations:
|
|
# Make sure the pod can be scheduled on master kubelet.
|
|
- effect: NoSchedule
|
|
operator: Exists
|
|
# Mark the pod as a critical add-on for rescheduling.
|
|
- key: CriticalAddonsOnly
|
|
operator: Exists
|
|
- effect: NoExecute
|
|
operator: Exists
|
|
nodeSelector:
|
|
node-role.kubernetes.io/master: ""
|
|
containers:
|
|
- name: k8s-keystone-auth
|
|
image: ${_prefix}k8s-keystone-auth:${K8S_KEYSTONE_AUTH_TAG}
|
|
imagePullPolicy: Always
|
|
args:
|
|
- ./bin/k8s-keystone-auth
|
|
- --tls-cert-file
|
|
- ${CERT_DIR}/server.crt
|
|
- --tls-private-key-file
|
|
- ${CERT_DIR}/server.key
|
|
- --policy-configmap-name
|
|
- k8s-keystone-auth-policy
|
|
- --keystone-url
|
|
- ${AUTH_URL}
|
|
- --sync-configmap-name
|
|
- keystone-sync-policy
|
|
- --keystone-ca-file
|
|
- /etc/kubernetes/ca-bundle.crt
|
|
- --listen
|
|
- 127.0.0.1:8443
|
|
volumeMounts:
|
|
- mountPath: ${CERT_DIR}
|
|
name: k8s-certs
|
|
readOnly: true
|
|
- mountPath: /etc/kubernetes
|
|
name: ca-certs
|
|
readOnly: true
|
|
resources:
|
|
requests:
|
|
cpu: 200m
|
|
ports:
|
|
- containerPort: 8443
|
|
hostPort: 8443
|
|
name: https
|
|
protocol: TCP
|
|
hostNetwork: true
|
|
volumes:
|
|
- hostPath:
|
|
path: ${CERT_DIR}
|
|
type: DirectoryOrCreate
|
|
name: k8s-certs
|
|
- hostPath:
|
|
path: /etc/kubernetes
|
|
type: DirectoryOrCreate
|
|
name: ca-certs
|
|
EOF
|
|
}
|
|
|
|
until [ "ok" = "$(kubectl get --raw='/healthz')" ]
|
|
do
|
|
echo "Waiting for Kubernetes API..."
|
|
sleep 5
|
|
done
|
|
|
|
/usr/bin/kubectl apply -f ${KEYSTONE_AUTH_POLICY}
|
|
/usr/bin/kubectl apply -f ${KEYSTONE_AUTH_DEPLOY}
|
|
|
|
fi
|
|
|
|
printf "Finished running ${step}\n"
|