Container Infrastructure Management Service for OpenStack
You can not select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
 
 
 
 
 

166 lines
4.2 KiB

#!/bin/sh
. /etc/sysconfig/heat-params
step="enable-keystone-auth"
printf "Starting to run ${step}\n"
if [ "$(echo $KEYSTONE_AUTH_ENABLED | tr '[:upper:]' '[:lower:]')" != "false" ]; then
_prefix=${CONTAINER_INFRA_PREFIX:-docker.io/openstackmagnum/}
CERT_DIR=/etc/kubernetes/certs
# Create policy configmap for keystone auth
KEYSTONE_AUTH_POLICY=/srv/magnum/kubernetes/keystone-auth-policy.yaml
[ -f ${KEYSTONE_AUTH_POLICY} ] || {
echo "Writing File: $KEYSTONE_AUTH_POLICY"
mkdir -p $(dirname ${KEYSTONE_AUTH_POLICY})
cat << EOF > ${KEYSTONE_AUTH_POLICY}
---
apiVersion: v1
kind: ServiceAccount
metadata:
name: k8s-keystone-auth
namespace: kube-system
---
apiVersion: rbac.authorization.k8s.io/v1beta1
kind: ClusterRole
metadata:
labels:
kubernetes.io/bootstrapping: rbac-defaults
name: system:k8s-keystone-auth
rules:
- apiGroups:
- ""
resources:
- configmaps
- services
- pods
verbs:
- get
- list
- watch
---
apiVersion: rbac.authorization.k8s.io/v1beta1
kind: ClusterRoleBinding
metadata:
annotations:
rbac.authorization.kubernetes.io/autoupdate: "true"
labels:
kubernetes.io/bootstrapping: rbac-defaults
name: system:k8s-keystone-auth
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: ClusterRole
name: system:k8s-keystone-auth
subjects:
- kind: ServiceAccount
name: k8s-keystone-auth
namespace: kube-system
---
apiVersion: v1
kind: ConfigMap
metadata:
name: k8s-keystone-auth-policy
namespace: kube-system
data:
policies: |
$KEYSTONE_AUTH_DEFAULT_POLICY
EOF
}
# Generate k8s-keystone-auth service manifest file
KEYSTONE_AUTH_DEPLOY=/srv/magnum/kubernetes/manifests/k8s-keystone-auth.yaml
[ -f ${KEYSTONE_AUTH_DEPLOY} ] || {
echo "Writing File: $KEYSTONE_AUTH_DEPLOY"
mkdir -p $(dirname ${KEYSTONE_AUTH_DEPLOY})
cat << EOF > ${KEYSTONE_AUTH_DEPLOY}
---
apiVersion: extensions/v1beta1
kind: DaemonSet
metadata:
labels:
component: k8s-keystone-auth
tier: control-plane
name: k8s-keystone-auth
namespace: kube-system
spec:
# The controllers can only have a single active instance.
template:
metadata:
name: k8s-keystone-auth
namespace: kube-system
labels:
k8s-app: k8s-keystone-auth
spec:
serviceAccountName: k8s-keystone-auth
tolerations:
# Make sure the pod can be scheduled on master kubelet.
- effect: NoSchedule
operator: Exists
# Mark the pod as a critical add-on for rescheduling.
- key: CriticalAddonsOnly
operator: Exists
- effect: NoExecute
operator: Exists
nodeSelector:
node-role.kubernetes.io/master: ""
containers:
- name: k8s-keystone-auth
image: ${_prefix}k8s-keystone-auth:${K8S_KEYSTONE_AUTH_TAG}
imagePullPolicy: Always
args:
- ./bin/k8s-keystone-auth
- --tls-cert-file
- ${CERT_DIR}/server.crt
- --tls-private-key-file
- ${CERT_DIR}/server.key
- --policy-configmap-name
- k8s-keystone-auth-policy
- --keystone-url
- ${AUTH_URL}
- --keystone-ca-file
- /etc/kubernetes/ca-bundle.crt
- --listen
- 127.0.0.1:8443
volumeMounts:
- mountPath: ${CERT_DIR}
name: k8s-certs
readOnly: true
- mountPath: /etc/kubernetes
name: ca-certs
readOnly: true
resources:
requests:
cpu: 200m
ports:
- containerPort: 8443
hostPort: 8443
name: https
protocol: TCP
hostNetwork: true
volumes:
- hostPath:
path: ${CERT_DIR}
type: DirectoryOrCreate
name: k8s-certs
- hostPath:
path: /etc/kubernetes
type: DirectoryOrCreate
name: ca-certs
EOF
}
until [ "ok" = "$(curl --silent http://127.0.0.1:8080/healthz)" ]
do
echo "Waiting for Kubernetes API..."
sleep 5
done
/usr/bin/kubectl apply -f ${KEYSTONE_AUTH_POLICY}
/usr/bin/kubectl apply -f ${KEYSTONE_AUTH_DEPLOY}
fi
printf "Finished running ${step}\n"