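. /etc/sysconfig/heat-params

# Deploys Helm's Tiller (TLS enabled and verified, bound to cluster-admin)
# into the cluster when TILLER_ENABLED is "true".
# Reads TILLER_ENABLED, TILLER_NAMESPACE, TILLER_TAG and
# CONTAINER_INFRA_PREFIX from /etc/sysconfig/heat-params.
step="enable-helm-tiller"

printf 'Starting to run %s\n' "${step}"

#######################################
# Create the private CA plus the tiller-server and helm-client key pairs.
# Skipped when helm.cert.pem (the last artifact of the chain) already
# exists, so a re-run does not rotate keys on disk that the manifests,
# which are only written once, no longer match.
# Arguments: $1 - directory that holds the PEM files
#######################################
generate_tiller_certs() {
  local certs_dir=$1
  local subject="/C=US/ST=Texas/L=Austin/O=OpenStack/OU=Magnum"

  mkdir -p "${certs_dir}"

  if [ -f "${certs_dir}/helm.cert.pem" ]; then
    echo "Tiller certificates already present in ${certs_dir}, keeping them"
    return 0
  fi

  (
    # Everything openssl writes below is created owner-only: the three
    # *.key.pem files are private keys and must not be readable by other
    # local users, and a umask closes the window a later chmod would leave.
    umask 077

    # Private CA key
    openssl genrsa -out "${certs_dir}/ca.key.pem" 4096

    # CA public cert
    openssl req -key "${certs_dir}/ca.key.pem" -new -x509 -days 7300 -sha256 \
      -out "${certs_dir}/ca.cert.pem" -extensions v3_ca \
      -subj "${subject}/CN=tiller"

    # Private tiller-server key
    openssl genrsa -out "${certs_dir}/tiller.key.pem" 4096

    # Private helm-client key
    openssl genrsa -out "${certs_dir}/helm.key.pem" 4096

    # Request for tiller-server cert
    openssl req -key "${certs_dir}/tiller.key.pem" -new -sha256 \
      -out "${certs_dir}/tiller.csr.pem" -subj "${subject}/CN=tiller-server"

    # Request for helm-client cert
    openssl req -key "${certs_dir}/helm.key.pem" -new -sha256 \
      -out "${certs_dir}/helm.csr.pem" -subj "${subject}/CN=helm-client"

    # Sign tiller-server cert
    openssl x509 -req -CA "${certs_dir}/ca.cert.pem" \
      -CAkey "${certs_dir}/ca.key.pem" -CAcreateserial \
      -in "${certs_dir}/tiller.csr.pem" -out "${certs_dir}/tiller.cert.pem" \
      -days 365

    # Sign helm-client cert
    openssl x509 -req -CA "${certs_dir}/ca.cert.pem" \
      -CAkey "${certs_dir}/ca.key.pem" -CAcreateserial \
      -in "${certs_dir}/helm.csr.pem" -out "${certs_dir}/helm.cert.pem" \
      -days 365
  )

  # Certificates are public material; keep them readable as before.
  chmod 644 "${certs_dir}"/*.cert.pem
}

#######################################
# Write the Namespace, ServiceAccount and ClusterRoleBinding manifest.
# Globals:   TILLER_NAMESPACE (read)
# Arguments: $1 - destination path of the manifest
#######################################
write_tiller_rbac() {
  local path=$1

  echo "Writing File: ${path}"
  mkdir -p "$(dirname "${path}")"
  cat << EOF > "${path}"
---
apiVersion: v1
kind: Namespace
metadata:
  name: ${TILLER_NAMESPACE}
---
# Tiller service account
apiVersion: v1
kind: ServiceAccount
metadata:
  name: tiller
  namespace: ${TILLER_NAMESPACE}
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: tiller
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  # Tiller acts with cluster-admin rights, so any holder of a helm-client
  # certificate issued by the Tiller CA gets the same reach; that is why
  # TILLER_TLS_VERIFY is enforced in deploy-tiller.yaml and the keys on
  # disk are owner-only.
  name: cluster-admin
subjects:
  - kind: ServiceAccount
    name: tiller
    namespace: ${TILLER_NAMESPACE}
EOF
}

#######################################
# Write the Tiller Deployment, Service and the three Secrets that carry
# the CA, server and client material.
# Globals:   TILLER_NAMESPACE, TILLER_IMAGE (read)
# Arguments: $1 - destination path of the manifest
#            $2 - directory holding the PEM files from generate_tiller_certs
#######################################
write_tiller_deployer() {
  local path=$1
  local certs_dir=$2

  echo "Writing File: ${path}"
  mkdir -p "$(dirname "${path}")"
  # The rendered manifest embeds the CA, server and client private keys;
  # create it owner-only (the umask change stays inside the subshell).
  (
    umask 077
    cat << EOF > "${path}"
---
apiVersion: apps/v1
kind: Deployment
metadata:
  creationTimestamp: null
  labels:
    app: helm
    name: tiller
  name: tiller-deploy
  namespace: ${TILLER_NAMESPACE}
spec:
  replicas: 1
  strategy: {}
  selector:
    matchLabels:
      app: helm
      name: tiller
  template:
    metadata:
      creationTimestamp: null
      labels:
        app: helm
        name: tiller
    spec:
      automountServiceAccountToken: true
      containers:
      - env:
        - name: TILLER_NAMESPACE
          value: ${TILLER_NAMESPACE}
        - name: TILLER_HISTORY_MAX
          value: "0"
        - name: TILLER_TLS_VERIFY
          value: "1"
        - name: TILLER_TLS_ENABLE
          value: "1"
        - name: TILLER_TLS_CERTS
          value: /etc/certs
        image: ${TILLER_IMAGE}
        imagePullPolicy: IfNotPresent
        livenessProbe:
          httpGet:
            path: /liveness
            port: 44135
          initialDelaySeconds: 1
          timeoutSeconds: 1
        name: tiller
        ports:
        - containerPort: 44134
          name: tiller
        - containerPort: 44135
          name: http
        readinessProbe:
          httpGet:
            path: /readiness
            port: 44135
          initialDelaySeconds: 1
          timeoutSeconds: 1
        resources: {}
        volumeMounts:
        - mountPath: /etc/certs
          name: tiller-certs
          readOnly: true
      serviceAccountName: tiller
      tolerations:
        # Make sure the pod can be scheduled on master kubelet.
        - effect: NoSchedule
          operator: Exists
        # Mark the pod as a critical add-on for rescheduling.
        - key: CriticalAddonsOnly
          operator: Exists
        - effect: NoExecute
          operator: Exists
      # run only on master nodes
      nodeSelector:
        node-role.kubernetes.io/master: ""
      volumes:
      - name: tiller-certs
        secret:
          secretName: tiller-secret
status: {}

---
apiVersion: v1
kind: Service
metadata:
  creationTimestamp: null
  labels:
    app: helm
    name: tiller
  name: tiller-deploy
  namespace: ${TILLER_NAMESPACE}
spec:
  ports:
  - name: tiller
    port: 44134
    targetPort: tiller
  selector:
    app: helm
    name: tiller
  type: ClusterIP
status:
  loadBalancer: {}

---
apiVersion: v1
kind: Secret
type: Opaque
metadata:
  creationTimestamp: null
  labels:
    app: helm
    name: tiller
  name: tiller-secret
  namespace: ${TILLER_NAMESPACE}
data:
  ca.crt: $(base64 --wrap=0 < "${certs_dir}/ca.cert.pem")
  tls.crt: $(base64 --wrap=0 < "${certs_dir}/tiller.cert.pem")
  tls.key: $(base64 --wrap=0 < "${certs_dir}/tiller.key.pem")
---
apiVersion: v1
kind: Secret
type: Opaque
metadata:
  creationTimestamp: null
  labels:
    app: helm
    name: tiller-ca-key
  name: tiller-ca-key
  namespace: ${TILLER_NAMESPACE}
data:
  ca.key.pem: $(base64 --wrap=0 < "${certs_dir}/ca.key.pem")
---
apiVersion: v1
kind: Secret
type: Opaque
metadata:
  creationTimestamp: null
  labels:
    app: helm
    name: helm-client
  name: helm-client-secret
  namespace: ${TILLER_NAMESPACE}
data:
  ca.pem: $(base64 --wrap=0 < "${certs_dir}/ca.cert.pem")
  cert.pem: $(base64 --wrap=0 < "${certs_dir}/helm.cert.pem")
  key.pem: $(base64 --wrap=0 < "${certs_dir}/helm.key.pem")
EOF
  )
}

#######################################
# Block until the API server's /healthz answers "ok".
#######################################
wait_for_kube_api() {
  until [ "ok" = "$(kubectl get --raw='/healthz')" ]; do
    echo "Waiting for Kubernetes API..."
    sleep 5
  done
}

# Case-insensitive "true" check; an unset TILLER_ENABLED means disabled.
if [ "$(printf '%s' "${TILLER_ENABLED:-}" | tr '[:upper:]' '[:lower:]')" = "true" ]; then
  CERTS_DIR="/etc/kubernetes/helm/certs/"
  generate_tiller_certs "${CERTS_DIR}"

  _tiller_prefix=${CONTAINER_INFRA_PREFIX:-gcr.io/kubernetes-helm/}
  TILLER_RBAC=/srv/magnum/kubernetes/manifests/tiller-rbac.yaml
  TILLER_DEPLOYER=/srv/magnum/kubernetes/manifests/deploy-tiller.yaml

  TILLER_IMAGE="${_tiller_prefix}tiller:${TILLER_TAG}"

  # Manifests are written once; later runs re-apply what is already there.
  [ -f "${TILLER_RBAC}" ] || write_tiller_rbac "${TILLER_RBAC}"
  [ -f "${TILLER_DEPLOYER}" ] || write_tiller_deployer "${TILLER_DEPLOYER}" "${CERTS_DIR}"

  wait_for_kube_api

  kubectl apply -f "${TILLER_RBAC}"
  kubectl apply -f "${TILLER_DEPLOYER}"
fi

printf 'Finished running %s\n' "${step}"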