The script creates and sets up the user K8S profile

*  Allow users the ability to connect to the K8S cluster remotely
  *  Authenticate to UCP Keystone
  *  Then be able to remotely execute into containers
  *  Install all required software components

Change-Id: I1062ab14d1c643e1161b6fcfb870eaee55f5e64b
Trung Thai 2019-04-04 15:53:42 -04:00
parent 4b71275e37
commit 5f3ce78d7f
3 changed files with 358 additions and 0 deletions

165
jmphost/README.md Normal file

@ -0,0 +1,165 @@
# Jump host installation
The install will Kubernetes client and the corresponding dependencies in order
to able to connect to K8S cluster remotely. It will also create a generic
kubectl configuration file with appropriate attributes required.
This revision covers the implementation as described. [k8s-keystone-auth](
https://github.com/kubernetes/cloud-provider-openstack/blob/master/docs/using-keystone-webhook-authenticator-and-authorizer.md#new-kubectl-clients-from-v1110-and-later)
## 1. Pre-requisites
* Ubuntu OS version 14.x or higher
* Connectivity to the Internet
* The installer has sudo ability without prompting for password
* Installer's Git profile setup accordingly
## 2. Installation
### 2.1 Clone Porthole main project
$git clone https://review.opendev.org/airship/porthole
Cloning into 'porthole'...
remote: Counting objects: 362, done
remote: Finding sources: 100% (362/362)
remote: Total 362 (delta 185), reused 311 (delta 185)
Receiving objects: 100% (362/362), 98.30 KiB | 0 bytes/s, done.
Resolving deltas: 100% (185/185), done.
Checking connectivity... done.
### 2.2 Pull PatchSet (optional)
$cd porthole
$git pull https://review.opendev.org/airship/porthole refs/changes/92/674892/[latest change set]
remote: Counting objects: 10, done
remote: Finding sources: 100% (8/8)
remote: Total 8 (delta 2), reused 7 (delta 2)
Unpacking objects: 100% (8/8), done.
From https://review.opendev.org/airship/porthole
branch refs/changes/92/674892/9 -> FETCH_HEAD
Merge made by the 'recursive' strategy.
jmphost/README.md | 130 ++++++++++++++++++++++++++++++++++++++++
jmphost/funs_uc.sh | 57 ++++++++++++++++++++++++++++++++++++++++
jmphost/setup-access.sh | 132 ++++++++++++++++++++++++++++++++++++++++
zuul.d/jmphost-utility.yaml | 35 ++++++++++++++++++++++++++++++++++++++++
4 files changed, 354 insertions(+)
create mode 100644 jmphost/README.md
create mode 100755 jmphost/funs_uc.sh
create mode 100755 jmphost/setup-access.sh
create mode 100644 zuul.d/jmphost-utility.yaml
### 2.3 Run Setup
$sudo -s
$cd jmphost
$./setup-access.sh "site" "userid" "namespace"
[Kubectl binary] is not found on this system..
Checking user[johnSmith] sudo ability
Looking good. You [johnSmith] are root now
deb https://apt.kubernetes.io/ kubernetes-xenial main
OK
........................
........................
........................
........................
Installing [kubectl] dependency required...
Reading package lists... Done
Building dependency tree
Reading state information... Done
The following package was automatically installed and is no longer required:
libclamav6
Use 'apt-get autoremove' to remove it.
The following NEW packages will be installed:
kubectl
0 upgraded, 1 newly installed, 0 to remove and 104 not upgraded.
Need to get 9,231 kB of archives.
After this operation, 46.7 MB of additional disk space will be used.
Fetched 9,231 kB in 12s (732 kB/s)
Selecting previously unselected package kubectl.
(Reading database ... 114982 files and directories currently installed.)
Preparing to unpack .../kubectl_1.16.0-00_amd64.deb ...
Unpacking kubectl (1.16.0-00) ...
Setting up kubectl (1.16.0-00) ...
........................
........................
W: Duplicate sources.list entry https://apt.kubernetes.io/ kubernetes-xenial/main amd64 Packages (/var/lib/apt/lists/apt.kubernetes.io_dists_kubernetes-xenial_main_binary-amd64_Packages)
W: Duplicate sources.list entry https://apt.kubernetes.io/ kubernetes-xenial/main i386 Packages (/var/lib/apt/lists/apt.kubernetes.io_dists_kubernetes-xenial_main_binary-i386_Packages)
........................
W: You may want to run apt-get update to correct these problems
---
apiVersion: v1
namespace: utility
Authentication via API WebHook Ingress service endpoint
clusters:
- cluster:
server: https://<FQDN-WEBHOOK-APISERVER>
name: <CLUSTER_NAME>
contexts:
- context:
cluster: <CLUSTER_NAME>
user: <USERID>
name: <USERID>@<CLUSTER_NAME>
current-context: <USERID>@<CLUSTER_NAME>
kind: Config
preferences: {}
users:
- name: <USERID>
user:
exec:
command: "/usr/local/uc/bin/client-keystone-auth"
apiVersion: "client.authentication.k8s.io/v1beta1"
env:
- name: "OS_DOMAIN_NAME"
value: default
- name: "OS_INTERFACE"
value: public
- name: "OS_USERNAME"
value: <USER_ID>
- name: "OS_PASSWORD"
value: "<USER-PASSWORD>"
- name: "OS_PROJECT_NAME"
value: <admin-project>
- name: "OS_REGION_NAME"
value: <SITE>
- name: "OS_IDENTITY_API_VERSION"
value: "3"
args:
- "--keystone-url=https://<FQDN TO UCP KEYSTONE>/v3"
## Validation
- Now log out and log back in as the user.
- Update the configuration file with user corresponding credentials.
For testing purposes:
- Replacing **"OS_USERNAME"** and **"OS_PASSWORD"** with UCP Keystone credentials
- Set the **"OS_PROJECT_NAME"** value accordingly
### List pods
$kubectl get pods -n utility
NAME READY STATUS RESTARTS AGE
clcp-calicoctl-utility-6457864fc8-zpfxk 1/1 Running 0 4h27m
clcp-ncct-utility-6588ff5566-8mqsb 1/1 Running 0 4h27m
clcp-tenant-ceph-utility-7b8f6d45f8-5q4ts 1/1 Running 0 99m
clcp-tenant-ceph-utility-config-ceph-ns-key-generator-hd9rb 0/1 Completed 0 99m
clcp-ucp-ceph-utility-6f4bbd4569-vrm7c 1/1 Running 0 4h11m
clcp-ucp-ceph-utility-config-ceph-ns-key-generator-pvfcl 0/1 Completed 0 4h12m
clcp-ucp-ceph-utility-config-test 0/1 Completed 0 4h12m
### Execute into the pod
$kubectl exec -it [pod-name] -n utility /bin/bash
rpc error: code = 2 desc = oci runtime error: exec failed: container_linux.go:247: starting container process caused "exec: \"/bin/\": permission denied"
command terminated with exit code 126
Because the user id entered in the configuration file is not a member in UCP keystone
RBAC to execute into the pod, it's expecting to see "permission denied".
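Review bot: the explanation under "Execute into the pod" (the two sentences after `command terminated with exit code 126`) does not match the error it is explaining. An RBAC denial is returned by the API server as a Forbidden error before any container process is started, whereas `oci runtime error: exec failed ... exec: "/bin/": permission denied` means the runtime was asked to execute the path `/bin/`. That is what the `kubectl` wrapper in `funs_uc.sh` produces for `kubectl exec -it [pod-name] -n utility /bin/bash`: it splits the argument string on `bash`, keeps `/bin/` as a positional argument and appends `-- bash -c ...`, so the README is documenting a wrapper bug as expected behaviour. Fix the wrapper (or pass the shell as `-- bash`) and show a genuine Forbidden error here instead. Second, the generated config keeps the Keystone password in cleartext (`value: "<USER-PASSWORD>"` under `OS_PASSWORD`) and the Validation steps tell the user to fill it in; the README should state that `~/.kube/config` must stay mode 0600, or that `OS_PASSWORD` can be left out of the file and exported in the shell session instead, since an exec credential plugin inherits the caller's environment. Minor: the `W: Duplicate sources.list entry` warnings reproduced above come from `setup-access.sh` appending the apt repo line on every run, and "The install will Kubernetes client" is missing the word "install".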

57
jmphost/funs_uc.sh Executable file

@ -0,0 +1,57 @@
#!/bin/bash
#
# Author: Trung Thai, tt2189@att.com
#
# Purpose: Common shared functions defined and used on jumphost server.
#
# Author Krishna Venkata, kv988c@att.com
#
# Purpose - kubectl wrapper providing some of overwriting behavior from Kubectl
# when users to exectute into utility container.
declare -frx kubectl
function kubectl() {
if [[ $* == *"exec"* ]] && [[ $* == *"bash"* ]]; then
aft_bash=$(echo "$*" | awk -F'bash' '{print $2}')
bef_bash=$(echo "$*" | awk -F'bash' '{print $1}')
if [[ -z $aft_bash ]]; then
if [[ $* == *"--"* ]]; then
$(which kubectl) $bef_bash bash -c "export AUSER=$USER;bash;"
else
$(which kubectl) $bef_bash -- bash -c "export AUSER=$USER;bash;"
fi
else
command=$(echo $aft_bash | cut -d' ' -f2-)
$(which kubectl) $bef_bash bash -c "export AUSER=$USER;$command;"
fi
elif [[ $* == *"exec"* ]] && [[ $* == *"sh"* ]]; then
aft_sh=$(echo "$*" | awk -F'sh' '{print $2}')
bef_sh=$(echo "$*" | awk -F'sh' '{print $1}')
if [[ -z $aft_sh ]]; then
if [[ $* == *"--"* ]]; then
$(which kubectl) $bef_sh sh -c "export AUSER=$USER;sh;"
else
$(which kubectl) $bef_sh -- sh -c "export AUSER=$USER;sh;"
fi
else
command=$(echo $aft_sh | cut -d' ' -f2-)
`which kubectl` $bef_sh sh -c "export AUSER=$USER;$command;"
fi
elif [[ $* == *"exec"* ]] && [[ $* == *"utilscli"* ]]; then
aft_utilscli=$(echo "$*" | awk -F'utilscli' '{print $2}')
bef_utilscli=$(echo "$*" | awk -F'utilscli' '{print $1}')
if [[ -z $aft_utilscli ]]; then
echo "Invalid Command"
else
if [[ $* == *"--"* ]]; then
$(which kubectl) $bef_utilscli bash -c "export AUSER=$USER;utilscli $aft_utilscli;"
else
$(which kubectl) $bef_utilscli -- bash -c "export AUSER=$USER;utilscli $aft_utilscli;"
fi
fi
else
$(which kubectl) $*
fi
}
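Review bot: the dispatch tests `[[ $* == *"exec"* ]] && [[ $* == *"bash"* ]]`, `*"sh"*` and `*"utilscli"*` match those substrings anywhere in the argument list, so a pod, container or namespace name containing `sh` (for example one with `ssh` or `ceph-sh` in it) or a path such as `/bin/bash` is mis-parsed. With `/bin/bash`, `awk -F'bash'` leaves `/bin/` in `$bef_bash` and the command sent is `kubectl exec ... /bin/ -- bash -c ...`, which is exactly the `exec: "/bin/": permission denied` captured in the README. Parse the argument array instead: locate `--`, take the element after it as the command, and compare it exactly against `bash`, `sh` and `utilscli`. Also, `declare -frx kubectl` is executed before `function kubectl()` is defined, so it cannot set readonly/export attributes on a function that does not exist yet; move it after the definition. Unquoted `$*`, `$bef_bash`, `$aft_utilscli` and `$command` are word-split and glob-expanded, so any argument containing spaces or wildcards breaks; keep the arguments in `"$@"` and call `command kubectl` rather than `$(which kubectl)`. Finally, `export AUSER=$USER` injects the caller's own `$USER`, which the caller can set to anything, and the wrapper itself is bypassed by `command kubectl` or `/usr/bin/kubectl`, so `AUSER` inside the container must not be used for attribution or access control; the API server audit log carries the authenticated Keystone identity and RBAC is enforced there.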

136
jmphost/setup-access.sh Executable file

@ -0,0 +1,136 @@
#!/bin/bash
# Script installs Kubectl latest binary and K8S-Keystone-Auth provider.
# It will generate a default 'kubectl' configuration file for the user with the appropriate
# settings to remotely connect to K8S cluster through Keystone authentication mechanism.
if [[ ${#} -lt 2 ]] ; then
echo "Abort - Usage $0 <SITE NAME> <USER_ID> <NAMESPACE>"
exit 1
fi
SITE_NAME=$1 ; LOGNAME=$2 ; NAMESPACE=$3
LOGNAME_GRP=$(grep ${LOGNAME} /etc/passwd |cut -d":" -f3)
# set default env variables
: ${USER_HOME:=$HOME}
: ${USER_KUBECFG:=$USER_HOME/.kube/config}
function _addSourceList() {
echo "deb https://apt.kubernetes.io/ kubernetes-xenial main" | \
tee -a /etc/apt/sources.list.d/kubernetes.list
curl -s https://packages.cloud.google.com/apt/doc/apt-key.gpg | sudo apt-key add -
apt-get update
}
# Install dependencies once
function _installDep () {
# kubectl
if [[ $1 == 'kubectl' ]] ; then
echo "Installing [${1}] dependency required..."
apt-get install -y kubectl
fi
}
# Create kubeconfig skelton file
function _createConfig() {
tee ${USER_KUBECFG} <<EOF
---
apiVersion: v1
namespace: ${NAMESPACE}
# Authentication via API WebHook Ingress service endpoint
clusters:
- cluster:
server: https://<WEBHOOK-API-INGRESS-FQDN>
name: kubernetes
contexts:
- context:
cluster: kubernetes
user: ${LOGNAME}
name: ${LOGNAME}@kubernetes
current-context: ${LOGNAME}@kubernetes
kind: Config
preferences: {}
users:
- name: ${LOGNAME}
user:
exec:
command: "/usr/local/uc/bin/client-keystone-auth"
apiVersion: "client.authentication.k8s.io/v1beta1"
env:
- name: "OS_DOMAIN_NAME"
value: default
- name: "OS_INTERFACE"
value: public
- name: "OS_USERNAME"
value: ${LOGNAME}
- name: "OS_PASSWORD"
value: "<USER-PASSWORD>"
- name: "OS_PROJECT_NAME"
value: admin
- name: "OS_REGION_NAME"
value: ${SITE_NAME}
- name: "OS_IDENTITY_API_VERSION"
value: "3"
args:
- "--keystone-url=<UCP-KEYSTONE-INGRESS-FQDN>/v3"
EOF
}
# checking and installing 'kubectl'
if [[ ! -x /usr/bin/kubectl ]] ; then
echo "[Kubectl binary] is not found on this system.."
echo "Checking user[${LOGNAME}] sudo ability"
let num=$(id -u)
if [ $num -ne '0' ]; then
echo "Abort dependencies installation. You [$LOGNAME] are not root yet"
exit 1
else
echo "Looking good. You [$LOGNAME] are root now"
_addSourceList
_installDep "kubectl"
fi
fi
if [[ ! -d ${USER_HOME}/.kube ]]; then
mkdir ${USER_HOME}/.kube
chown -R ${LOGNAME}:${LOGNAME_GRP} ${USER_HOME}/.kube
fi
# create config if it does not exit
if [[ ! -f ${USER_KUBECFG} ]]; then
_createConfig
chown ${LOGNAME}:${LOGNAME_GRP} ${USER_HOME}/.kube/config
fi
# staging uc functions to a common area
if [[ ! -d /usr/local/uc/bin/ ]]; then
mkdir -p /usr/local/uc/bin/
cp -p funs_uc.sh /usr/local/uc/bin/
echo "Installing [k8s-keystone-authentication] component"
curl -SL# https://api.nz-por-1.catalystcloud.io:8443/v1/AUTH_b23a5e41d1af4c20974bf58b4dff8e5a/lingxian-public/client-keystone-auth \
-o /usr/local/uc/bin/client-keystone-auth
chmod 755 -R /usr/local/uc
chown root:root -R /usr/local/uc
fi
# Update user bash rc script to include uc funcions
if [[ -f ${HOME}/.bashrc ]]; then
cp -p ${HOME}/.bashrc ${HOME}/.bashrc.jmp.bck.$(date +%s)
egrep funs_uc ${HOME}/.bashrc
if [[ $? -eq '1' ]] ; then
tee -a ${HOME}/.bashrc <<EOF
# Utility container common functions
if [[ -f /usr/local/uc/bin/funs_uc.sh ]]; then
. /usr/local/uc/bin/funs_uc.sh
fi
EOF
fi
fi
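Review bot: the `curl -SL#` download of `client-keystone-auth` from a personal `lingxian-public` container on `catalystcloud.io` fetches the credential plugin, the program that will receive every user's Keystone password, with no checksum or signature verification, and without `-f` an HTTP error page would be saved as the binary and then marked executable by `chmod 755 -R /usr/local/uc`; pin a versioned build published by the cloud-provider-openstack project, verify its digest before installing it, and add `-f`. Other points: the usage guard `[[ ${#} -lt 2 ]]` allows `NAMESPACE` (`$3`) to be empty even though `_createConfig` writes it, so test for `-lt 3`; `LOGNAME_GRP=$(grep ${LOGNAME} /etc/passwd |cut -d":" -f3)` is an unanchored substring match across every passwd field and field 3 is the UID, not the GID, so the `chown ${LOGNAME}:${LOGNAME_GRP}` calls may set the wrong group, use `id -g "$LOGNAME"`; `_addSourceList` appends with `tee -a` on every run, which is the source of the `Duplicate sources.list entry` warnings in the README, so guard it on the sources file already existing; `tee ${USER_KUBECFG}` creates the file under root's umask although it contains `OS_PASSWORD`, so `chmod 600` it after the `chown`; `--keystone-url=<UCP-KEYSTONE-INGRESS-FQDN>/v3` lacks the `https://` scheme that the README's version of the config has; and `USER_HOME` and the `.bashrc` edits default to `$HOME`, which after the README's `sudo -s` step may be root's home rather than `${LOGNAME}`'s, so derive the target home from `getent passwd "$LOGNAME"`. Assigning `LOGNAME=$2` also clobbers the login-name variable the shell exports; a different name would avoid surprises in child processes.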