From 48f674094ca438cfb066d8f246552948be81df8a Mon Sep 17 00:00:00 2001 From: Pengfei Ni Date: Tue, 1 Aug 2017 11:14:26 +0800 Subject: [PATCH] Add service account and generate kubernetes config This PR adds a new service account for kubestack. It also - creates essential cluster role for the service account - generate kubernetes config based on the service account secrets - add KUBERNETES_SERVICE_HOST and KUBERNETES_SERVICE_PORT env varibles Change-Id: I33679efba982f23dd32c9e5632b3e16580f177ea Signed-off-by: Pengfei Ni --- deployment/kubestack/10-kubestack.conf | 12 ++--- deployment/kubestack/install-cni.sh | 30 +++++++++++- deployment/stackube.yaml | 65 ++++++++++++++++++++++++-- 3 files changed, 96 insertions(+), 11 deletions(-) diff --git a/deployment/kubestack/10-kubestack.conf b/deployment/kubestack/10-kubestack.conf index 510f763..205949f 100644 --- a/deployment/kubestack/10-kubestack.conf +++ b/deployment/kubestack/10-kubestack.conf @@ -1,7 +1,7 @@ { - "cniVersion": "0.3.1", - "name": "net", - "type": "kubestack", - "kubestack-config": "/etc/kubestack.conf" - "kubernetes-config": "/etc/kubernetes/admin.conf" -} + "cniVersion": "0.3.1", + "name": "net", + "type": "kubestack", + "kubestack-config": "/etc/kubestack/kubestack.conf", + "kubernetes-config": "/etc/kubestack/kubernetes.conf" +} \ No newline at end of file diff --git a/deployment/kubestack/install-cni.sh b/deployment/kubestack/install-cni.sh index c4a2fb7..f1b7d4a 100755 --- a/deployment/kubestack/install-cni.sh +++ b/deployment/kubestack/install-cni.sh @@ -34,6 +34,10 @@ if [ -w "/host/opt/cni/bin/" ]; then echo "CNI plugin version: $(/host/opt/cni/bin/kubestack -v)" fi +if [ ! -d /host/etc/kubestack ]; then + mkdir -p /host/etc/kubestack +fi + # Place the new CNI network config if the directory is writeable. if [ -w "/host/etc/cni/net.d/" ]; then cp /etc/cni/net.d/10-kubestack.conf /host/etc/cni/net.d/ 
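Review bot: The new `mkdir -p /host/etc/kubestack` creates the directory with the container's default umask, yet the next hunk of this same patch writes a kubeconfig carrying the service-account bearer token into it, so the directory (and whatever lands in it) is readable by any local user on the node. Create it restrictively, `mkdir -p -m 0700 /host/etc/kubestack`, and drop the preceding `[ ! -d ... ]` test, which `mkdir -p` already makes redundant. Since the DaemonSet re-runs this script on every restart, a follow-up `chmod 0700 /host/etc/kubestack` is the safer form, as `-m` has no effect on a directory that already exists.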
@@ -63,10 +67,34 @@ sed -i s/_PLUGIN_NAME_/${PLUGIN_NAME:-}/g $TMP_CONF sed -i s/_INTEGRATION_BRIDGE_/${INTEGRATION_BRIDGE:-}/g $TMP_CONF # Move the temporary kubestack config into place. -KUBESTACK_CONFIG_PATH='/host/etc/kubestack.conf' +KUBESTACK_CONFIG_PATH='/host/etc/kubestack/kubestack.conf' mv $TMP_CONF $KUBESTACK_CONFIG_PATH echo "Wrote kubestack config: $(cat ${KUBESTACK_CONFIG_PATH})" +KUBERNETES_CONFIG_PATH='/host/etc/kubestack/kubernetes.conf' +token=$(cat /var/run/secrets/kubernetes.io/serviceaccount/token) +cacert=$(cat /var/run/secrets/kubernetes.io/serviceaccount/ca.crt | base64 | tr -d '\n') +cat > ${KUBERNETES_CONFIG_PATH} <" - kubernetes-port: "" + kubernetes-host: "" + kubernetes-port: "" --- @@ -58,6 +58,7 @@ spec: {"key":"CriticalAddonsOnly", "operator":"Exists"}] spec: hostNetwork: true + serviceAccountName: kubestack containers: # This container installs the kubestack CNI binaries # and CNI network config file on each node. @@ -113,6 +114,18 @@ spec: configMapKeyRef: name: stackube-config key: integration-bridge + # The kubernetes service host. + - name: KUBERNETES_SERVICE_HOST + valueFrom: + configMapKeyRef: + name: stackube-config + key: kubernetes-host + # The kubernetes service port. + - name: KUBERNETES_SERVICE_PORT + valueFrom: + configMapKeyRef: + name: stackube-config + key: kubernetes-port volumeMounts: - mountPath: /host/opt/cni/bin name: cni-bin-dir @@ -215,13 +228,13 @@ spec: configMapKeyRef: name: stackube-config key: user-gateway - # The kubernetes external service host. + # The kubernetes service host. - name: KUBERNETES_SERVICE_HOST valueFrom: configMapKeyRef: name: stackube-config key: kubernetes-host - # The kubernetes external service port. + # The kubernetes service port. - name: KUBERNETES_SERVICE_PORT valueFrom: configMapKeyRef: 
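Review bot: `cat > ${KUBERNETES_CONFIG_PATH}` writes a kubeconfig that embeds the pod's service-account bearer token onto the host filesystem with whatever mode the umask yields (typically 0644), so the token is readable by every local user on the node, and this on-disk copy outlives the pod that minted it. Restrict the file before the secret is written, e.g. `umask 077` ahead of the redirect, or `chmod 0600 "${KUBERNETES_CONFIG_PATH}"` immediately after the heredoc; `${KUBERNETES_CONFIG_PATH}` and `$TMP_CONF` should also be double-quoted for consistency with the rest of the script. Consider also whether the host really needs a persistent copy at all rather than the CNI plugin reading the token from the projected secret path. The heredoc body and the remainder of this hunk are cut off in the page, so the contents of the generated kubeconfig beyond the token and CA are not reviewed here.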
@@ -299,3 +312,47 @@ kind: ServiceAccount
 metadata:
   name: stackube-controller
   namespace: kube-system
+
+---
+
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  name: kubestack
+  namespace: kube-system
+
+---
+
+apiVersion: rbac.authorization.k8s.io/v1beta1
+kind: ClusterRoleBinding
+metadata:
+  name: kubestack
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: ClusterRole
+  name: kubestack
+subjects:
+- kind: ServiceAccount
+  name: kubestack
+  namespace: kube-system
+
+---
+
+apiVersion: rbac.authorization.k8s.io/v1beta1
+kind: ClusterRole
+metadata:
+  name: kubestack
+rules:
+- apiGroups:
+  - "*"
+  resources:
+  - "*"
+  verbs:
+  - "*"
+- apiGroups:
+  - stackube.kubernetes.io
+  resources:
+  - tenants
+  - networks
+  verbs:
+  - "*"
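Review bot: The first rule of the `kubestack` ClusterRole grants `"*"` verbs on `"*"` resources in `"*"` API groups, which is cluster-admin, and the ClusterRoleBinding hands that to a service account whose token `install-cni.sh` in this same patch copies onto every node's filesystem; compromise of any single node then yields full control of the cluster and of every tenant's objects. The second rule (`tenants`/`networks` in `stackube.kubernetes.io`) is already subsumed by the wildcard, which suggests the first rule is a placeholder rather than a deliberate grant; scope it to what the CNI plugin actually calls and leave the stackube rule as the explicit, documented one. The exact core resources the plugin needs are not visible in this patch, so the `pods`/`namespaces` read access below is a guess to be confirmed against the plugin's client code.
```yaml
rules:
# Least privilege for the node-side CNI plugin — TODO confirm the exact
# core resources/verbs against the kubestack client code.
- apiGroups:
  - ""
  resources:
  - pods
  - namespaces
  verbs:
  - get
  - list
  - watch
# … unchanged: stackube.kubernetes.io tenants/networks rule …
```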