76d01bb325
By now, qinling connects to the Kubernetes API server insecurely. kubectl proxy is used for testing purposes. However, in real production deployments, it is not a good idea to let qinling connect to the Kubernetes API server without any authentication and authorization.

This commit adds support in qinling for it to connect to the Kubernetes API server with X509 client certs for authentication [1]. An example file is also added for users to grant specific access to the Kubernetes API for qinling using the RBAC authorization of Kubernetes [2]. With these, users can control qinling's access to the Kubernetes API [3] and ensure qinling uses a secure connection to talk with the Kubernetes API.

The devstack plugin also sets up qinling to connect to the Kubernetes API server using TLS certificates by default. This makes the deployment with devstack closer to a production-ready environment. For testing purposes, users can set the QINLING_K8S_APISERVER_TLS variable to False in devstack's local.conf.

Note: a HOWTO document will be added in a follow-up commit.

[1] https://kubernetes.io/docs/admin/authentication/#x509-client-certs
[2] https://kubernetes.io/docs/admin/authorization/rbac/
[3] https://kubernetes.io/docs/admin/accessing-the-api/

Change-Id: I532f131abbfc8ed90de398cc135e9b8248d2757a
50 lines
1.6 KiB
Bash
Executable File
#!/bin/bash
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.

set -ex

export WORK_DIR=$(pwd)
source ${WORK_DIR}/tools/gate/kubeadm/vars.sh
source ${WORK_DIR}/tools/gate/kubeadm/funcs/common.sh
source ${WORK_DIR}/tools/gate/kubeadm/funcs/network.sh

# Do the basic node setup for running the gate
gate_base_setup
net_resolv_pre_kube
net_hosts_pre_kube

# Setup the K8s Cluster
ansible-playbook ${WORK_DIR}/tools/gate/kubeadm/playbook/deploy_k8s.yaml

# Wait until kubectl can access the API server.
# admin.conf carries the cluster-admin credentials; it is copied here only so
# the gate itself can drive the cluster. qinling is expected to use its own,
# RBAC-restricted client certificate identity rather than this file.
mkdir -p ${HOME}/.kube
sudo cp /etc/kubernetes/admin.conf ${HOME}/.kube/config
sudo chown $(id -u):$(id -g) ${HOME}/.kube/config
end=$(($(date +%s) + 600))
READY="False"
while true; do
    # Single-node gate: only the STATUS column of the first node is checked.
    READY=$(kubectl get nodes --no-headers=true | awk '{ print $2 }' | head -1)
    [ "$READY" == "Ready" ] && break || true
    sleep 2
    now=$(date +%s)
    [ $now -gt $end ] && echo "Failed to setup kubernetes cluster in time" && exit 1
done

if [ "$QINLING_K8S_APISERVER_TLS" != "True" ]; then
    # Kubernetes proxy is needed only if we don't use secure connections.
    # With TLS enabled qinling talks to the API server directly and the
    # unauthenticated localhost proxy is never started.
    create_k8s_screen
fi

#net_hosts_post_kube
#net_resolv_post_kube