apache/pulsar-helm-chart
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Local mode for kubernetes object generators (#75)

Browse Source 
This allows operation in environemnts where direct installation of objects into
kubernetes cluster is not desired or possible. For example when using sealedsecrets
or SOPS, where the secrets are firs encrypted and then commited into repository
and deployed latter by some other deployment system.

Co-authored-by: Jiří Pinkava <jiri.pinkava@rossum.ai>
This commit is contained in:
Jiří Pinkava 2020-11-13 04:32:40 +01:00 committed by GitHub
parent ebc40c3382
commit eb63a19964
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
4 changed files with 76 additions and 25 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

24
scripts/pulsar/generate_token.sh
View File

@ -32,6 +32,7 @@ Options:
-k,--release the pulsar helm release name
-r,--role the pulsar role
-s,--symmetric use symmetric secret key for generating the token. If not provided, the private key of an asymmetric pair of keys is used.
-l,--local read and write output from local filesystem, do not install secret to kubernetes
Usage:
$0 --namespace pulsar --release pulsar-dev -c <pulsar-role>
EOF
@ -63,6 +64,10 @@ case $key in
symmetric=true
shift
;;
-l|--local)
local=true
shift
;;
-h|--help)
usage
exit 0
@ -88,6 +93,17 @@ pulsar::ensure_pulsarctl
namespace=${namespace:-pulsar}
release=${release:-pulsar-dev}
function pulsar::jwt::get_secret() {
local type=$1
local tmpfile=$2
if [[ "${local}" == "true" ]]; then
cp ${type} ${tmpfile}
else
kubectl get -n ${namespace} secrets ${secret_name} -o jsonpath="{.data['${type}']}" | base64 --decode > ${tmpfile}
fi
}
function pulsar::jwt::generate_symmetric_token() {
local token_name="${release}-token-${role}"
local secret_name="${release}-token-symmetric-key"
@ -96,11 +112,11 @@ function pulsar::jwt::generate_symmetric_token() {
trap "test -f $tmpfile && rm $tmpfile" RETURN
tokentmpfile=$(mktemp)
trap "test -f $tokentmpfile && rm $tokentmpfile" RETURN
kubectl get -n ${namespace} secrets ${secret_name} -o jsonpath="{.data['SECRETKEY']}" | base64 --decode > ${tmpfile}
pulsar::jwt::get_secret SECRETKEY ${tmpfile}
${PULSARCTL_BIN} token create -a HS256 --secret-key-file ${tmpfile} --subject ${role} 2&> ${tokentmpfile}
newtokentmpfile=$(mktemp)
tr -d '\n' < ${tokentmpfile} > ${newtokentmpfile}
kubectl create secret generic ${token_name} -n ${namespace} --from-file="TOKEN=${newtokentmpfile}" --from-literal="TYPE=symmetric"
kubectl create secret generic ${token_name} -n ${namespace} --from-file="TOKEN=${newtokentmpfile}" --from-literal="TYPE=symmetric" ${local:+ -o yaml --dry-run=client}
}
function pulsar::jwt::generate_asymmetric_token() {
@ -111,11 +127,11 @@ function pulsar::jwt::generate_asymmetric_token() {
trap "test -f $privatekeytmpfile && rm $privatekeytmpfile" RETURN
tokentmpfile=$(mktemp)
trap "test -f $tokentmpfile && rm $tokentmpfile" RETURN
kubectl get -n ${namespace} secrets ${secret_name} -o jsonpath="{.data['PRIVATEKEY']}" | base64 --decode > ${privatekeytmpfile}
pulsar::jwt::get_secret SECRETKEY ${tmpfile}
${PULSARCTL_BIN} token create -a RS256 --private-key-file ${privatekeytmpfile} --subject ${role} 2&> ${tokentmpfile}
newtokentmpfile=$(mktemp)
tr -d '\n' < ${tokentmpfile} > ${newtokentmpfile}
kubectl create secret generic ${token_name} -n ${namespace} --from-file="TOKEN=${newtokentmpfile}" --from-literal="TYPE=asymmetric"
kubectl create secret generic ${token_name} -n ${namespace} --from-file="TOKEN=${newtokentmpfile}" --from-literal="TYPE=asymmetric" ${local:+ -o yaml --dry-run=client}
}
if [[ "${symmetric}" == "true" ]]; then

20
scripts/pulsar/generate_token_secret_key.sh
View File

@ -31,6 +31,7 @@ Options:
-n,--namespace the k8s namespace to install the pulsar helm chart
-k,--release the pulsar helm release name
-s,--symmetric generate symmetric secret key. If not provided, an asymmetric pair of keys are generated.
-l,--local read and write output from local filesystem, do not install secret to kubernetes
Usage:
$0 --namespace pulsar --release pulsar-dev
EOF
@ -57,6 +58,10 @@ case $key in
symmetric=true
shift
;;
-l|--local)
local=true
shift
;;
-h|--help)
usage
exit 0
@ -75,6 +80,7 @@ pulsar::ensure_pulsarctl
namespace=${namespace:-pulsar}
release=${release:-pulsar-dev}
local_cmd=${file:+-o yaml --dry-run=client >secret.yaml}
function pulsar::jwt::generate_symmetric_key() {
local secret_name="${release}-token-symmetric-key"
@ -83,8 +89,10 @@ function pulsar::jwt::generate_symmetric_key() {
trap "test -f $tmpfile && rm $tmpfile" RETURN
${PULSARCTL_BIN} token create-secret-key --output-file ${tmpfile}
mv $tmpfile SECRETKEY
kubectl create secret generic ${secret_name} -n ${namespace} --from-file=SECRETKEY
rm SECRETKEY
kubectl create secret generic ${secret_name} -n ${namespace} --from-file=SECRETKEY ${local:+ -o yaml --dry-run=client}
if [[ "${local}" != "true" ]]; then
rm SECRETKEY
fi
}
function pulsar::jwt::generate_asymmetric_key() {
@ -97,9 +105,11 @@ function pulsar::jwt::generate_asymmetric_key() {
${PULSARCTL_BIN} token create-key-pair -a RS256 --output-private-key ${privatekeytmpfile} --output-public-key ${publickeytmpfile}
mv $privatekeytmpfile PRIVATEKEY
mv $publickeytmpfile PUBLICKEY
kubectl create secret generic ${secret_name} -n ${namespace} --from-file=PRIVATEKEY --from-file=PUBLICKEY
rm PRIVATEKEY
rm PUBLICKEY
kubectl create secret generic ${secret_name} -n ${namespace} --from-file=PRIVATEKEY --from-file=PUBLICKEY ${local:+ -o yaml --dry-run=client}
if [[ "${local}" != "true" ]]; then
rm PRIVATEKEY
rm PUBLICKEY
fi
}
if [[ "${symmetric}" == "true" ]]; then

44
scripts/pulsar/prepare_helm_release.sh
View File

@ -31,6 +31,7 @@ Options:
-s,--symmetric generate symmetric secret key. If not provided, an asymmetric pair of keys are generated.
--pulsar-superusers the superusers of pulsar cluster. a comma separated list of super users.
-c,--create-namespace flag to create k8s namespace.
-l,--local read and write output from local filesystem, do not deploy to kubernetes
Usage:
$0 --namespace pulsar --release pulsar-release
EOF
@ -67,6 +68,10 @@ case $key in
symmetric=true
shift
;;
-l|--local)
local=true
shift
;;
-h|--help)
usage
exit 0
@ -83,9 +88,16 @@ namespace=${namespace:-pulsar}
release=${release:-pulsar-dev}
pulsar_superusers=${pulsar_superusers:-"proxy-admin,broker-admin,admin"}
function new_k8s_object() {
if [[ "${local}" == "true" ]]; then
echo ---
fi
}
function do_create_namespace() {
if [[ "${create_namespace}" == "true" ]]; then
kubectl create namespace ${namespace}
new_k8s_object
kubectl create namespace ${namespace} ${local:+ -o yaml --dry-run=client}
fi
}
@ -96,32 +108,38 @@ if [[ "${symmetric}" == "true" ]]; then
extra_opts="${extra_opts} -s"
fi
echo "generate the token keys for the pulsar cluster"
if [[ "${local}" == "true" ]]; then
extra_opts="${extra_opts} -l"
fi
echo "generate the token keys for the pulsar cluster" >&2
new_k8s_object
${CHART_HOME}/scripts/pulsar/generate_token_secret_key.sh -n ${namespace} -k ${release} ${extra_opts}
echo "generate the tokens for the super-users: ${pulsar_superusers}"
echo "generate the tokens for the super-users: ${pulsar_superusers}" >&2
IFS=', ' read -r -a superusers <<< "$pulsar_superusers"
for user in "${superusers[@]}"
do
echo "generate the token for $user"
echo "generate the token for $user" >&2
new_k8s_object
${CHART_HOME}/scripts/pulsar/generate_token.sh -n ${namespace} -k ${release} -r ${user} ${extra_opts}
done
echo "-------------------------------------"
echo
echo "The jwt token secret keys are generated under:"
echo "-------------------------------------" >&2
echo >&2
echo "The jwt token secret keys are generated under:" >&2
if [[ "${symmetric}" == "true" ]]; then
echo " - '${release}-token-symmetric-key'"
echo " - '${release}-token-symmetric-key'" >&2
else
echo " - '${release}-token-asymmetric-key'"
echo " - '${release}-token-asymmetric-key'" >&2
fi
echo
echo >&2
echo "The jwt tokens for superusers are generated and stored as below:"
echo "The jwt tokens for superusers are generated and stored as below:" >&2
for user in "${superusers[@]}"
do
echo " - '${user}':secret('${release}-token-${user}')"
echo " - '${user}':secret('${release}-token-${user}')" >&2
done
echo
echo >&2

13
scripts/pulsar/upload_tls.sh
View File

@ -40,6 +40,7 @@ Options:
-d,--dir the dir for storing tls certs. Default to ${tlsdir}.
-c,--client-components the client components of pulsar cluster. a comma separated list of components. Default to ${clientComponents}.
-s,--server-components the server components of pulsar cluster. a comma separated list of components. Default to ${serverComponents}.
-l,--local read and write output from local filesystem, do not install secret to kubernetes
Usage:
$0 --namespace pulsar --release pulsar-dev
EOF
@ -75,6 +76,10 @@ case $key in
shift
shift
;;
-l|--local)
local=true
shift
;;
-h|--help)
usage
exit 0
@ -91,7 +96,7 @@ ca_cert_file=${tlsdir}/certs/ca.cert.pem
function upload_ca() {
local tls_ca_secret="${release}-ca-tls"
kubectl create secret generic ${tls_ca_secret} -n ${namespace} --from-file="ca.crt=${ca_cert_file}"
kubectl create secret generic ${tls_ca_secret} -n ${namespace} --from-file="ca.crt=${ca_cert_file}" ${local:+ -o yaml --dry-run=client}
}
function upload_server_cert() {
@ -104,7 +109,8 @@ function upload_server_cert() {
-n ${namespace} \
--from-file="tls.crt=${tls_cert_file}" \
--from-file="tls.key=${tls_key_file}" \
--from-file="ca.crt=${ca_cert_file}"
--from-file="ca.crt=${ca_cert_file}" \
${local:+ -o yaml --dry-run=client}
}
function upload_client_cert() {
@ -117,7 +123,8 @@ function upload_client_cert() {
-n ${namespace} \
--from-file="tls.crt=${tls_cert_file}" \
--from-file="tls.key=${tls_key_file}" \
--from-file="ca.crt=${ca_cert_file}"
--from-file="ca.crt=${ca_cert_file}" \
${local:+ -o yaml --dry-run=client}
}
upload_ca