Add service account and generate kubernetes config
This PR adds a new service account for kubestack. It also - creates an essential cluster role for the service account - generates a kubernetes config based on the service account secrets - adds the KUBERNETES_SERVICE_HOST and KUBERNETES_SERVICE_PORT env variables Change-Id: I33679efba982f23dd32c9e5632b3e16580f177ea Signed-off-by: Pengfei Ni <feiskyer@gmail.com>
This commit is contained in:
parent
82b659963e
commit
48f674094c
@ -2,6 +2,6 @@
|
|||||||
"cniVersion": "0.3.1",
|
"cniVersion": "0.3.1",
|
||||||
"name": "net",
|
"name": "net",
|
||||||
"type": "kubestack",
|
"type": "kubestack",
|
||||||
"kubestack-config": "/etc/kubestack.conf"
|
"kubestack-config": "/etc/kubestack/kubestack.conf",
|
||||||
"kubernetes-config": "/etc/kubernetes/admin.conf"
|
"kubernetes-config": "/etc/kubestack/kubernetes.conf"
|
||||||
}
|
}
|
@ -34,6 +34,10 @@ if [ -w "/host/opt/cni/bin/" ]; then
|
|||||||
echo "CNI plugin version: $(/host/opt/cni/bin/kubestack -v)"
|
echo "CNI plugin version: $(/host/opt/cni/bin/kubestack -v)"
|
||||||
fi
|
fi
|
||||||
|
|
||||||
|
if [ ! -d /host/etc/kubestack ]; then
|
||||||
|
mkdir -p /host/etc/kubestack
|
||||||
|
fi
|
||||||
|
|
||||||
# Place the new CNI network config if the directory is writeable.
|
# Place the new CNI network config if the directory is writeable.
|
||||||
if [ -w "/host/etc/cni/net.d/" ]; then
|
if [ -w "/host/etc/cni/net.d/" ]; then
|
||||||
cp /etc/cni/net.d/10-kubestack.conf /host/etc/cni/net.d/
|
cp /etc/cni/net.d/10-kubestack.conf /host/etc/cni/net.d/
|
||||||
@ -63,10 +67,34 @@ sed -i s/_PLUGIN_NAME_/${PLUGIN_NAME:-}/g $TMP_CONF
|
|||||||
sed -i s/_INTEGRATION_BRIDGE_/${INTEGRATION_BRIDGE:-}/g $TMP_CONF
|
sed -i s/_INTEGRATION_BRIDGE_/${INTEGRATION_BRIDGE:-}/g $TMP_CONF
|
||||||
|
|
||||||
# Move the temporary kubestack config into place.
|
# Move the temporary kubestack config into place.
|
||||||
KUBESTACK_CONFIG_PATH='/host/etc/kubestack.conf'
|
KUBESTACK_CONFIG_PATH='/host/etc/kubestack/kubestack.conf'
|
||||||
mv $TMP_CONF $KUBESTACK_CONFIG_PATH
|
mv $TMP_CONF $KUBESTACK_CONFIG_PATH
|
||||||
echo "Wrote kubestack config: $(cat ${KUBESTACK_CONFIG_PATH})"
|
echo "Wrote kubestack config: $(cat ${KUBESTACK_CONFIG_PATH})"
|
||||||
|
|
||||||
|
KUBERNETES_CONFIG_PATH='/host/etc/kubestack/kubernetes.conf'
|
||||||
|
token=$(cat /var/run/secrets/kubernetes.io/serviceaccount/token)
|
||||||
|
cacert=$(cat /var/run/secrets/kubernetes.io/serviceaccount/ca.crt | base64 | tr -d '\n')
|
||||||
|
cat > ${KUBERNETES_CONFIG_PATH} <<EOF
|
||||||
|
apiVersion: v1
|
||||||
|
clusters:
|
||||||
|
- cluster:
|
||||||
|
certificate-authority-data: ${cacert}
|
||||||
|
server: https://${KUBERNETES_SERVICE_HOST}:${KUBERNETES_SERVICE_PORT}
|
||||||
|
name: kubernetes
|
||||||
|
contexts:
|
||||||
|
- context:
|
||||||
|
cluster: kubernetes
|
||||||
|
user: kubernetes
|
||||||
|
name: kubernetes
|
||||||
|
current-context: kubernetes
|
||||||
|
kind: Config
|
||||||
|
preferences: {}
|
||||||
|
users:
|
||||||
|
- name: kubernetes
|
||||||
|
user:
|
||||||
|
token: ${token}
|
||||||
|
EOF
|
||||||
|
|
||||||
while true; do
|
while true; do
|
||||||
sleep 3600;
|
sleep 3600;
|
||||||
done
|
done
|
||||||
|
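Review bot: The kubeconfig written by `cat > ${KUBERNETES_CONFIG_PATH} <<EOF` embeds the pod's service-account token, yet nothing sets the file's mode, so with a typical default umask `/host/etc/kubestack/kubernetes.conf` ends up readable by every local user on the node; add `umask 077` before the heredoc or `chmod 600 "${KUBERNETES_CONFIG_PATH}"` directly after `EOF`. The `server:` line is also assembled from `KUBERNETES_SERVICE_HOST`/`KUBERNETES_SERVICE_PORT` without any check, so a missing env var silently produces `https://:`; a guard such as `: "${KUBERNETES_SERVICE_HOST:?unset}" "${KUBERNETES_SERVICE_PORT:?unset}"` ahead of the heredoc would fail fast instead. The file is generated once and the script then sleeps forever, so if the cluster hands out expiring projected tokens the copy on the host will go stale; at minimum note this with a comment such as `# token is read once at startup and is not refreshed`.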
@ -29,8 +29,8 @@ data:
|
|||||||
integration-bridge: "br-int"
|
integration-bridge: "br-int"
|
||||||
user-cidr: "10.244.0.0/16"
|
user-cidr: "10.244.0.0/16"
|
||||||
user-gateway: "10.244.0.1"
|
user-gateway: "10.244.0.1"
|
||||||
kubernetes-host: "<Your-external-kubernetes-host>"
|
kubernetes-host: "<Your-kubernetes-host>"
|
||||||
kubernetes-port: "<Your-external-kubernetes-port>"
|
kubernetes-port: "<Your-kubernetes-port>"
|
||||||
|
|
||||||
---
|
---
|
||||||
|
|
||||||
@ -58,6 +58,7 @@ spec:
|
|||||||
{"key":"CriticalAddonsOnly", "operator":"Exists"}]
|
{"key":"CriticalAddonsOnly", "operator":"Exists"}]
|
||||||
spec:
|
spec:
|
||||||
hostNetwork: true
|
hostNetwork: true
|
||||||
|
serviceAccountName: kubestack
|
||||||
containers:
|
containers:
|
||||||
# This container installs the kubestack CNI binaries
|
# This container installs the kubestack CNI binaries
|
||||||
# and CNI network config file on each node.
|
# and CNI network config file on each node.
|
||||||
@ -113,6 +114,18 @@ spec:
|
|||||||
configMapKeyRef:
|
configMapKeyRef:
|
||||||
name: stackube-config
|
name: stackube-config
|
||||||
key: integration-bridge
|
key: integration-bridge
|
||||||
|
# The kubernetes service host.
|
||||||
|
- name: KUBERNETES_SERVICE_HOST
|
||||||
|
valueFrom:
|
||||||
|
configMapKeyRef:
|
||||||
|
name: stackube-config
|
||||||
|
key: kubernetes-host
|
||||||
|
# The kubernetes service port.
|
||||||
|
- name: KUBERNETES_SERVICE_PORT
|
||||||
|
valueFrom:
|
||||||
|
configMapKeyRef:
|
||||||
|
name: stackube-config
|
||||||
|
key: kubernetes-port
|
||||||
volumeMounts:
|
volumeMounts:
|
||||||
- mountPath: /host/opt/cni/bin
|
- mountPath: /host/opt/cni/bin
|
||||||
name: cni-bin-dir
|
name: cni-bin-dir
|
||||||
@ -215,13 +228,13 @@ spec:
|
|||||||
configMapKeyRef:
|
configMapKeyRef:
|
||||||
name: stackube-config
|
name: stackube-config
|
||||||
key: user-gateway
|
key: user-gateway
|
||||||
# The kubernetes external service host.
|
# The kubernetes service host.
|
||||||
- name: KUBERNETES_SERVICE_HOST
|
- name: KUBERNETES_SERVICE_HOST
|
||||||
valueFrom:
|
valueFrom:
|
||||||
configMapKeyRef:
|
configMapKeyRef:
|
||||||
name: stackube-config
|
name: stackube-config
|
||||||
key: kubernetes-host
|
key: kubernetes-host
|
||||||
# The kubernetes external service port.
|
# The kubernetes service port.
|
||||||
- name: KUBERNETES_SERVICE_PORT
|
- name: KUBERNETES_SERVICE_PORT
|
||||||
valueFrom:
|
valueFrom:
|
||||||
configMapKeyRef:
|
configMapKeyRef:
|
||||||
@ -299,3 +312,47 @@ kind: ServiceAccount
|
|||||||
metadata:
|
metadata:
|
||||||
name: stackube-controller
|
name: stackube-controller
|
||||||
namespace: kube-system
|
namespace: kube-system
|
||||||
|
|
||||||
|
---
|
||||||
|
|
||||||
|
apiVersion: v1
|
||||||
|
kind: ServiceAccount
|
||||||
|
metadata:
|
||||||
|
name: kubestack
|
||||||
|
namespace: kube-system
|
||||||
|
|
||||||
|
---
|
||||||
|
|
||||||
|
apiVersion: rbac.authorization.k8s.io/v1beta1
|
||||||
|
kind: ClusterRoleBinding
|
||||||
|
metadata:
|
||||||
|
name: kubestack
|
||||||
|
roleRef:
|
||||||
|
apiGroup: rbac.authorization.k8s.io
|
||||||
|
kind: ClusterRole
|
||||||
|
name: kubestack
|
||||||
|
subjects:
|
||||||
|
- kind: ServiceAccount
|
||||||
|
name: kubestack
|
||||||
|
namespace: kube-system
|
||||||
|
|
||||||
|
---
|
||||||
|
|
||||||
|
apiVersion: rbac.authorization.k8s.io/v1beta1
|
||||||
|
kind: ClusterRole
|
||||||
|
metadata:
|
||||||
|
name: kubestack
|
||||||
|
rules:
|
||||||
|
- apiGroups:
|
||||||
|
- "*"
|
||||||
|
resources:
|
||||||
|
- "*"
|
||||||
|
verbs:
|
||||||
|
- "*"
|
||||||
|
- apiGroups:
|
||||||
|
- stackube.kubernetes.io
|
||||||
|
resources:
|
||||||
|
- tenants
|
||||||
|
- networks
|
||||||
|
verbs:
|
||||||
|
- "*"
|
||||||
|
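Review bot: The ClusterRole `kubestack` at the end of this hunk grants `apiGroups: ["*"]`, `resources: ["*"]`, `verbs: ["*"]`, which is cluster-admin in all but name, and the install script in this same commit writes this account's token to the host filesystem of every node, so any single compromised node would hold full control of the cluster. The second rule (`stackube.kubernetes.io` with `tenants`/`networks`) is entirely subsumed by the first, which suggests the wildcard was a shortcut rather than a requirement; drop the wildcard rule and keep only the specific rules, using `get`/`list`/`watch` rather than `*` where the plugin only reads. Which core resources the plugin actually needs is not visible in this diff and should be taken from its client code. The description calls this the essential cluster role, and the manifest should match that claim.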