From 9e1928465f8606f0694d83f9129fb7bfee3efc27 Mon Sep 17 00:00:00 2001 From: Ankit Gohil Date: Fri, 7 Oct 2022 15:31:43 -0700 Subject: [PATCH] Add get-kubeconfig.sh script, fix documentation & sample config --- config/sv_kubeconfig | 6 +- config/vc_creds.json | 4 +- docs/book/deployment/basicauth.md | 6 +- docs/book/deployment/oauth2.md | 6 +- scripts/get-kubeconfig.sh | 216 ++++++++++++++++++++++++++++++ 5 files changed, 227 insertions(+), 11 deletions(-) create mode 100755 scripts/get-kubeconfig.sh diff --git a/config/sv_kubeconfig b/config/sv_kubeconfig index 6efcca9..6963f39 100644 --- a/config/sv_kubeconfig +++ b/config/sv_kubeconfig @@ -1,7 +1,7 @@ apiVersion: v1 clusters: - cluster: - certificate-authority-data: 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 + certificate-authority-data: server: name: kubernetes contexts: @@ -15,5 +15,5 @@ preferences: {} users: - name: kubernetes-admin user: - client-certificate-data: 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 - client-key-data: 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 + client-certificate-data: + client-key-data: diff --git a/config/vc_creds.json b/config/vc_creds.json index 5a45cb5..43fb71f 100644 --- a/config/vc_creds.json +++ b/config/vc_creds.json @@ -1,5 +1,5 @@ { "vc": "", - "user": "", - "password": "" + "user": "", + "password": "" } \ No newline at end of file diff --git a/docs/book/deployment/basicauth.md b/docs/book/deployment/basicauth.md index cb17301..2c73f52 100644 --- a/docs/book/deployment/basicauth.md +++ b/docs/book/deployment/basicauth.md @@ -10,9 +10,9 @@ Refer to sample config file provided under config folder. Refer to sample config file provided under config folder. ``` { - "vc": "10.187.99.154", - "user": "vc-user@domain", - "password": "vc-password" + "vc": "", + "user": "", + "password": "" } ``` diff --git a/docs/book/deployment/oauth2.md b/docs/book/deployment/oauth2.md index 0e850da..8f0ee71 100644 --- a/docs/book/deployment/oauth2.md 
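Review bot: Blanking `certificate-authority-data`, `client-certificate-data` and `client-key-data` in `config/sv_kubeconfig` (both hunks of that file) removes the values from the tree but not from the repository history; the removed blobs are redacted in this listing, so if they were a real client key and certificate rather than dummy data, that credential should be treated as exposed and rotated on the cluster side. The new lines leave the keys with no value, which a YAML loader reads as null rather than as an obvious fill-me-in marker; a labelled placeholder such as `client-key-data: <base64-encoded-client-key>` or a `#` comment above the `users:` block would make it clear that these fields must be populated before the file is usable.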
+++ b/docs/book/deployment/oauth2.md @@ -12,9 +12,9 @@ Refer to sample config file provided under config folder. Refer to sample config file provided under config folder. ``` { - "vc": "vc-ip", - "user": "vc-user@domain", - "password": "vc-password" + "vc": "", + "user": "", + "password": "" } ``` diff --git a/scripts/get-kubeconfig.sh b/scripts/get-kubeconfig.sh new file mode 100755 index 0000000..4b21ed9 --- /dev/null +++ b/scripts/get-kubeconfig.sh 
@@ -0,0 +1,216 @@ +#!/bin/sh + +if [ $# -lt 2 ] +then + echo "Usage: ./get-kubeconfig.sh " + exit 1 +fi + +if [ $# -eq 3 ] +then + echo "Invalid input params. Server URL is a mandatory input param if K8s context is provided." + exit 1 +fi + +KUBECONFIG_FILE_PATH=$1 +OUTPUT_FILE=$2 +CONTEXT=$3 +SERVER_URL=$4 + +export KUBECONFIG=$KUBECONFIG_FILE_PATH + +# If context is provided, set it +if [ -n "$CONTEXT" ] +then + kubectl config use-context $CONTEXT + if [ $? -ne 0 ] + then + echo "Error occurred in setting context" + exit 1 + fi + +fi + +# This clean up function is called to clean up all resources that were created as part of this script. +clean_up() +{ + kubectl delete sa cnsmanager-sa > /dev/null 2>&1 + kubectl delete ClusterRole cnsmanager-sa-role > /dev/null 2>&1 + kubectl delete ClusterRoleBinding cnsmanager-sa-rb > /dev/null 2>&1 + kubectl config delete-user cnsmanager-sa > /dev/null 2>&1 + rm -f cnsmanagerrbac.yaml > /dev/null 2>&1 + rm -f cnsmanagerkubeconfig > /dev/null 2>&1 + rm -f secret_output > /dev/null 2>&1 + rm cnsmanagerkubeconfig.bak > /dev/null 2>&1 +} + +# Clean up env before proceeding +clean_up + +echo "Starting creation of kubeconfig..." + +# Create service account for kubeconfig +kubectl create sa cnsmanager-sa +if [ $? -ne 0 ] +then + echo "Failed to create service account. Cleaning up resources before exiting." + clean_up + exit 1 +fi + +token_secretname=$(kubectl get secret 2> /dev/null | grep "cnsmanager-sa-token" | awk '{print $1}') + +# Contents of token secret if required to be created explicitly +cat < cnsmanager-token-secret.yaml +apiVersion: v1 +kind: Secret +metadata: + name: cnsmgr-sa-token + annotations: + kubernetes.io/service-account.name: cnsmanager-sa +type: kubernetes.io/service-account-token +EOF + +# If token secret is not autogenerated, create it +if [ -z "$token_secretname" ] +then + token_secretname="cnsmgr-sa-token" + # Create token secret for cnsmanager-sa + kubectl apply -f cnsmanager-token-secret.yaml + if [ $? 
-ne 0 ] + then + echo "Failed to create token secret for service account. Cleaning up resources before exiting." + clean_up + exit 1 + fi +fi + +sleep 3 + +# Get the token secret created for CNS manager SA +kubectl get secret $token_secretname -oyaml > secret_output +if [ $? -ne 0 ] +then + echo "Failed to find token secret for cnsmanager service account. Cleaning up resources before exiting." + clean_up + exit 1 +fi + +token=$(cat secret_output | grep "token:" | awk -F ' ' '{print $2}' | base64 -d) + +# Set config for cns manager SA +kubectl config set-credentials cnsmanager-sa --token=$token +if [ $? -ne 0 ] +then + echo "Failed to set credentials in config. Cleaning up resources before exiting" + clean_up + exit 1 +fi + +# Extract values needed to contruct canmanager kubeconfig +clusterAuthData=$(cat secret_output | grep "ca.crt:" | awk -F ' ' '{print $2}') + +# If server URL was provided in input, we don't need to extract it from kubeconfig file +if [ -z $SERVER_URL ] +then + + num_of_clusters=$(cat $KUBECONFIG_FILE_PATH | grep -c "server:") + + if [ $num_of_clusters -ne 1 ] + then + echo "Invalid configuration provided. If multiple clusters are concerned, provide the context and server URL also in input parameters." 
+ clean_up + exit 1 + fi + + serverUrl=$(cat $KUBECONFIG_FILE_PATH | grep "server:" | awk -F ' ' '{print $2}') +else + serverUrl=$SERVER_URL +fi + +cat < cnsmanagerkubeconfig +apiVersion: v1 +kind: Config +clusters: +- cluster: + certificate-authority-data: clusterAuthDataPlaceholder + server: serverUrlPlaceholder + name: cnsmgr-cluster +contexts: +- context: + cluster: cnsmgr-cluster + user: cnsmanager-sa + name: cnsmanager-sa +current-context: cnsmanager-sa +users: +- name: cnsmanager-sa + user: + token: tokenPlaceholder +EOF + +sed -i'.bak' -e "s~clusterAuthDataPlaceholder~$clusterAuthData~g" cnsmanagerkubeconfig +sed -i'.bak' -r "s~serverUrlPlaceholder~$serverUrl~g" cnsmanagerkubeconfig +sed -i'.bak' -e "s/tokenPlaceholder/$token/g" cnsmanagerkubeconfig + +cat < cnsmanagerrbac.yaml +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + name: cnsmanager-sa-role +rules: +- apiGroups: ["rbac.authorization.k8s.io"] + resources: ["clusterroles"] + verbs: ["get", "list", "update", "escalate", "patch", "delete"] +- apiGroups: [""] + resources: ["persistentvolumeclaims"] + verbs: ["get", "list"] +- apiGroups: [""] + resources: ["persistentvolumes"] + verbs: ["get", "list"] +- apiGroups: [""] + resources: ["nodes"] + verbs: ["get", "list"] +- apiGroups: [""] + resources: ["secrets"] + verbs: ["get", "list"] +- apiGroups: ["cns.vmware.com"] + resources: ["cnsvspherevolumemigrations"] + verbs: ["get", "list"] +- apiGroups: ["cns.vmware.com"] + resources: ["csinodetopologies"] + verbs: ["list"] +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRoleBinding +metadata: + name: cnsmanager-sa-rb +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: cnsmanager-sa-role +subjects: +- kind: ServiceAccount + name: cnsmanager-sa + namespace: default +EOF + +# Apply RBAC rules +kubectl create -f cnsmanagerrbac.yaml +if [ $? -ne 0 ] +then + echo "Failed to create RBAC rules. 
Cleaning up resources before exiting" + clean_up + exit 1 +fi + +echo "\n" +cat cnsmanagerkubeconfig > $OUTPUT_FILE +echo "Generated kubeconfig stored in output file $OUTPUT_FILE" +echo '\n' + +rm cnsmanagerrbac.yaml +rm cnsmanagerkubeconfig +rm secret_output +rm cnsmanager-token-secret.yaml +rm cnsmanagerkubeconfig.bak
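Review bot: The service-account token is exposed beyond the generated kubeconfig: it is written in clear to `secret_output`, `cnsmanagerkubeconfig`, the `.bak` copies and `$OUTPUT_FILE` under the caller's default umask, and it is passed on the command line to `kubectl config set-credentials cnsmanager-sa --token=$token` and to `sed`, where it is visible in process listings for the lifetime of those commands. Adding `umask 077` directly after the argument checks keeps every file the script creates private to the invoking user. The `set-credentials` call also persists the token as a user entry in the input kubeconfig named by `$KUBECONFIG_FILE_PATH`, and that entry is only removed by `clean_up` on the failure paths, never on the success path; since the output file is built from the heredoc template rather than from that entry, the call appears unnecessary and could be dropped. Separately, the ClusterRole grants `update`, `patch`, `delete` and `escalate` on `clusterroles` plus cluster-wide `get`/`list` on `secrets`, so the holder of the generated kubeconfig can grant itself any permission; if that is intended it deserves a comment above the `cnsmanagerrbac.yaml` heredoc, otherwise the rule should be narrowed to the verbs cnsmanager actually needs.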