diff --git a/jmphost/README.md b/jmphost/README.md
new file mode 100644
index 00000000..ab50cdeb
--- /dev/null
+++ b/jmphost/README.md
@@ -0,0 +1,165 @@ +# Jump host installation + +The install will Kubernetes client and the corresponding dependencies in order +to able to connect to K8S cluster remotely. It will also create a generic +kubectl configuration file with appropriate attributes required. + +This revision covers the implementation as described. [k8s-keystone-auth]( +https://github.com/kubernetes/cloud-provider-openstack/blob/master/docs/using-keystone-webhook-authenticator-and-authorizer.md#new-kubectl-clients-from-v1110-and-later) + +## 1. Pre-requisites + +* Ubuntu OS version 14.x or higher +* Connectivity to the Internet +* The installer has sudo ability without prompting for password +* Installer's Git profile setup accordingly + +## 2. Installation + +### 2.1 Clone Porthole main project + + $git clone https://review.opendev.org/airship/porthole + + Cloning into 'porthole'... + remote: Counting objects: 362, done + remote: Finding sources: 100% (362/362) + remote: Total 362 (delta 185), reused 311 (delta 185) + Receiving objects: 100% (362/362), 98.30 KiB | 0 bytes/s, done. + Resolving deltas: 100% (185/185), done. + Checking connectivity... done. + +### 2.2 Pull PatchSet (optional) + + $cd porthole + $git pull https://review.opendev.org/airship/porthole refs/changes/92/674892/[latest change set] + + remote: Counting objects: 10, done + remote: Finding sources: 100% (8/8) + remote: Total 8 (delta 2), reused 7 (delta 2) + Unpacking objects: 100% (8/8), done. + From https://review.opendev.org/airship/porthole + branch refs/changes/92/674892/9 -> FETCH_HEAD + Merge made by the 'recursive' strategy. 
+ jmphost/README.md | 130 ++++++++++++++++++++++++++++++++++++++++ + jmphost/funs_uc.sh | 57 ++++++++++++++++++++++++++++++++++++++++ + jmphost/setup-access.sh | 132 ++++++++++++++++++++++++++++++++++++++++ + zuul.d/jmphost-utility.yaml | 35 ++++++++++++++++++++++++++++++++++++++++ + + 4 files changed, 354 insertions(+) + create mode 100644 jmphost/README.md + create mode 100755 jmphost/funs_uc.sh + create mode 100755 jmphost/setup-access.sh + create mode 100644 zuul.d/jmphost-utility.yaml + +### 2.3 Run Setup + + $sudo -s + $cd jmphost + $./setup-access.sh "site" "userid" "namespace" + + [Kubectl binary] is not found on this system.. + Checking user[johnSmith] sudo ability + Looking good. You [johnSmith] are root now + deb https://apt.kubernetes.io/ kubernetes-xenial main + OK + ........................ + ........................ + ........................ + ........................ + Installing [kubectl] dependency required... + Reading package lists... Done + Building dependency tree + Reading state information... Done + The following package was automatically installed and is no longer required: + libclamav6 + Use 'apt-get autoremove' to remove it. + The following NEW packages will be installed: + kubectl + 0 upgraded, 1 newly installed, 0 to remove and 104 not upgraded. + Need to get 9,231 kB of archives. + After this operation, 46.7 MB of additional disk space will be used. + Fetched 9,231 kB in 12s (732 kB/s) + Selecting previously unselected package kubectl. + (Reading database ... 114982 files and directories currently installed.) + Preparing to unpack .../kubectl_1.16.0-00_amd64.deb ... + Unpacking kubectl (1.16.0-00) ... + Setting up kubectl (1.16.0-00) ... + ........................ + ........................ 
+ W: Duplicate sources.list entry https://apt.kubernetes.io/ kubernetes-xenial/main amd64 Packages (/var/lib/apt/lists/apt.kubernetes.io_dists_kubernetes-xenial_main_binary-amd64_Packages) + W: Duplicate sources.list entry https://apt.kubernetes.io/ kubernetes-xenial/main i386 Packages (/var/lib/apt/lists/apt.kubernetes.io_dists_kubernetes-xenial_main_binary-i386_Packages) + ........................ + W: You may want to run apt-get update to correct these problems + + --- + apiVersion: v1 + namespace: utility + Authentication via API WebHook Ingress service endpoint + clusters: + - cluster: + server: https:// + name: + contexts: + - context: + cluster: + user: + name: @ + current-context: @ + kind: Config + preferences: {} + users: + - name: + user: + exec: + command: "/usr/local/uc/bin/client-keystone-auth" + apiVersion: "client.authentication.k8s.io/v1beta1" + env: + - name: "OS_DOMAIN_NAME" + value: default + - name: "OS_INTERFACE" + value: public + - name: "OS_USERNAME" + value: + - name: "OS_PASSWORD" + value: "" + - name: "OS_PROJECT_NAME" + value: + - name: "OS_REGION_NAME" + value: + - name: "OS_IDENTITY_API_VERSION" + value: "3" + args: + - "--keystone-url=https:///v3" + +## Validation + +- Now log out and log back in as the user. +- Update the configuration file with user corresponding credentials. 
+
+For testing purposes:
+- Replacing **"OS_USERNAME"** and **"OS_PASSWORD"** with UCP Keystone credentials
+- Set the **"OS_PROJECT_NAME"** value accordingly
+
+### List pods
+
+ $kubectl get pods -n utility
+
+ NAME READY STATUS RESTARTS AGE
+ clcp-calicoctl-utility-6457864fc8-zpfxk 1/1 Running 0 4h27m
+ clcp-ncct-utility-6588ff5566-8mqsb 1/1 Running 0 4h27m
+ clcp-tenant-ceph-utility-7b8f6d45f8-5q4ts 1/1 Running 0 99m
+ clcp-tenant-ceph-utility-config-ceph-ns-key-generator-hd9rb 0/1 Completed 0 99m
+ clcp-ucp-ceph-utility-6f4bbd4569-vrm7c 1/1 Running 0 4h11m
+ clcp-ucp-ceph-utility-config-ceph-ns-key-generator-pvfcl 0/1 Completed 0 4h12m
+ clcp-ucp-ceph-utility-config-test 0/1 Completed 0 4h12m
+
+### Execute into the pod
+
+ $kubectl exec -it [pod-name] -n utility /bin/bash
+
+ rpc error: code = 2 desc = oci runtime error: exec failed: container_linux.go:247: starting container process caused "exec: \"/bin/\": permission denied"
+
+ command terminated with exit code 126
+
+Because the user id entered in the configuration file is not a member in UCP keystone
+RBAC to execute into the pod, it's expecting to see "permission denied".
\ No newline at end of file
diff --git a/jmphost/funs_uc.sh b/jmphost/funs_uc.sh
new file mode 100755
index 00000000..144a3eed
--- /dev/null
+++ b/jmphost/funs_uc.sh
@@ -0,0 +1,57 @@
+#!/bin/bash
+#
+# Author: Trung Thai, tt2189@att.com
+#
+# Purpose: Common shared functions defined and used on jumphost server.
+#
+
+# Author Krishna Venkata, kv988c@att.com
+#
+# Purpose - kubectl wrapper providing some of overwriting behavior from Kubectl
+# when users to exectute into utility container.
+
+declare -frx kubectl
+
+function kubectl() {
+if [[ $* == *"exec"* ]] && [[ $* == *"bash"* ]]; then
+ aft_bash=$(echo "$*" | awk -F'bash' '{print $2}')
+ bef_bash=$(echo "$*" | awk -F'bash' '{print $1}')
+ if [[ -z $aft_bash ]]; then
+ if [[ $* == *"--"* ]]; then
+ $(which kubectl) $bef_bash bash -c "export AUSER=$USER;bash;"
+ else
+ $(which kubectl) $bef_bash -- bash -c "export AUSER=$USER;bash;"
+ fi
+ else
+ command=$(echo $aft_bash | cut -d' ' -f2-)
+ $(which kubectl) $bef_bash bash -c "export AUSER=$USER;$command;"
+ fi
+elif [[ $* == *"exec"* ]] && [[ $* == *"sh"* ]]; then
+ aft_sh=$(echo "$*" | awk -F'sh' '{print $2}')
+ bef_sh=$(echo "$*" | awk -F'sh' '{print $1}')
+ if [[ -z $aft_sh ]]; then
+ if [[ $* == *"--"* ]]; then
+ $(which kubectl) $bef_sh sh -c "export AUSER=$USER;sh;"
+ else
+ $(which kubectl) $bef_sh -- sh -c "export AUSER=$USER;sh;"
+ fi
+ else
+ command=$(echo $aft_sh | cut -d' ' -f2-)
+ `which kubectl` $bef_sh sh -c "export AUSER=$USER;$command;"
+ fi
+elif [[ $* == *"exec"* ]] && [[ $* == *"utilscli"* ]]; then
+ aft_utilscli=$(echo "$*" | awk -F'utilscli' '{print $2}')
+ bef_utilscli=$(echo "$*" | awk -F'utilscli' '{print $1}')
+ if [[ -z $aft_utilscli ]]; then
+ echo "Invalid Command"
+ else
+ if [[ $* == *"--"* ]]; then
+ $(which kubectl) $bef_utilscli bash -c "export AUSER=$USER;utilscli $aft_utilscli;"
+ else
+ $(which kubectl) $bef_utilscli -- bash -c "export AUSER=$USER;utilscli $aft_utilscli;"
+ fi
+ fi
+else
+ $(which kubectl) $*
+fi
+}
\ No newline at end of file
diff --git a/jmphost/setup-access.sh b/jmphost/setup-access.sh
new file mode 100755
index 00000000..649c5242
--- /dev/null
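Review bot: The branch tests `$* == *"sh"*` (likewise `*"bash"*` and `*"exec"*`) match substrings of the joined argument string, so any pod or namespace name containing `sh` (e.g. `dashboard-…`) routes the call into the `sh` branch and `awk -F'sh'` then splits at that first occurrence, leaving `bef_sh`/`aft_sh` holding fragments of the pod name and producing a wrong kubectl invocation; the tokens should be matched as whole arguments over `"$@"`, as sketched below, and the remainder re-quoted with `printf '%q'` instead of being pasted unquoted into the remote `bash -c` string. `declare -frx kubectl` runs before the function exists, which I would expect to fail with "not found" and leave the function overridable — it belongs after the closing brace, e.g. `readonly -f kubectl`. Because `AUSER` is simply the caller's `$USER` and the wrapper is skipped entirely by `command kubectl` or `/usr/bin/kubectl`, nothing inside the container should treat it as an authenticated identity; a comment such as `# AUSER is advisory only (client-supplied, trivially bypassed); never use it for authorization or audit` would make that explicit. The passthrough `$(which kubectl) $*` should be `command kubectl "$@"` so arguments containing spaces or glob characters survive.
```shell
function kubectl() {
  local i shell_idx=0
  # Match the shell token as a whole argument; "$* == *sh*" also matches pod names like "dashboard".
  for (( i = 1; i <= $#; i++ )); do
    case "${!i}" in bash|sh|utilscli) shell_idx=$i; break ;; esac
  done
  if (( shell_idx == 0 )) || [[ " $* " != *" exec "* ]]; then
    command kubectl "$@"
    return
  fi
  local -a before=("${@:1:shell_idx-1}") after=("${@:shell_idx+1}")
  if [[ ${#before[@]} -eq 0 || ${before[-1]} != -- ]]; then before+=(--); fi
  local rest=
  # Re-quote the remainder so the remote shell sees the same words the user typed.
  if (( ${#after[@]} )); then rest=$(printf '%q ' "${after[@]}"); fi
  # … unchanged: bash / sh / utilscli branches, now using "${before[@]}" and "$rest" …
}
```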
+++ b/jmphost/setup-access.sh 
@@ -0,0 +1,136 @@ +#!/bin/bash + +# Script installs Kubectl latest binary and K8S-Keystone-Auth provider. +# It will generate a default 'kubectl' configuration file for the user with the appropriate +# settings to remotely connect to K8S cluster through Keystone authentication mechanism. + + +if [[ ${#} -lt 2 ]] ; then + echo "Abort - Usage $0 " + exit 1 +fi + +SITE_NAME=$1 ; LOGNAME=$2 ; NAMESPACE=$3 + +LOGNAME_GRP=$(grep ${LOGNAME} /etc/passwd |cut -d":" -f3) + +# set default env variables +: ${USER_HOME:=$HOME} +: ${USER_KUBECFG:=$USER_HOME/.kube/config} + +function _addSourceList() { + echo "deb https://apt.kubernetes.io/ kubernetes-xenial main" | \ + tee -a /etc/apt/sources.list.d/kubernetes.list + curl -s https://packages.cloud.google.com/apt/doc/apt-key.gpg | sudo apt-key add - + apt-get update +} + +# Install dependencies once +function _installDep () { + + # kubectl + if [[ $1 == 'kubectl' ]] ; then + echo "Installing [${1}] dependency required..." + apt-get install -y kubectl + fi +} + +# Create kubeconfig skelton file +function _createConfig() { + tee ${USER_KUBECFG} < + name: kubernetes +contexts: +- context: + cluster: kubernetes + user: ${LOGNAME} + name: ${LOGNAME}@kubernetes +current-context: ${LOGNAME}@kubernetes +kind: Config +preferences: {} +users: +- name: ${LOGNAME} + user: + exec: + command: "/usr/local/uc/bin/client-keystone-auth" + apiVersion: "client.authentication.k8s.io/v1beta1" + + env: + - name: "OS_DOMAIN_NAME" + value: default + - name: "OS_INTERFACE" + value: public + - name: "OS_USERNAME" + value: ${LOGNAME} + - name: "OS_PASSWORD" + value: "" + - name: "OS_PROJECT_NAME" + value: admin + - name: "OS_REGION_NAME" + value: ${SITE_NAME} + - name: "OS_IDENTITY_API_VERSION" + value: "3" + + args: + - "--keystone-url=/v3" + +EOF +} + +# checking and installing 'kubectl' +if [[ ! -x /usr/bin/kubectl ]] ; then + echo "[Kubectl binary] is not found on this system.." 
+ echo "Checking user[${LOGNAME}] sudo ability" + let num=$(id -u) + if [ $num -ne '0' ]; then + echo "Abort dependencies installation. You [$LOGNAME] are not root yet" + exit 1 + else + echo "Looking good. You [$LOGNAME] are root now" + _addSourceList + _installDep "kubectl" + fi +fi + +if [[ ! -d ${USER_HOME}/.kube ]]; then + mkdir ${USER_HOME}/.kube + chown -R ${LOGNAME}:${LOGNAME_GRP} ${USER_HOME}/.kube +fi + +# create config if it does not exit +if [[ ! -f ${USER_KUBECFG} ]]; then + _createConfig + chown ${LOGNAME}:${LOGNAME_GRP} ${USER_HOME}/.kube/config +fi + +# staging uc functions to a common area +if [[ ! -d /usr/local/uc/bin/ ]]; then + mkdir -p /usr/local/uc/bin/ + cp -p funs_uc.sh /usr/local/uc/bin/ + echo "Installing [k8s-keystone-authentication] component" + curl -SL# https://api.nz-por-1.catalystcloud.io:8443/v1/AUTH_b23a5e41d1af4c20974bf58b4dff8e5a/lingxian-public/client-keystone-auth \ + -o /usr/local/uc/bin/client-keystone-auth + chmod 755 -R /usr/local/uc + chown root:root -R /usr/local/uc +fi + +# Update user bash rc script to include uc funcions +if [[ -f ${HOME}/.bashrc ]]; then + cp -p ${HOME}/.bashrc ${HOME}/.bashrc.jmp.bck.$(date +%s) + egrep funs_uc ${HOME}/.bashrc + if [[ $? -eq '1' ]] ; then + tee -a ${HOME}/.bashrc <