diff --git a/scripts/pulsar/generate_token.sh b/scripts/pulsar/generate_token.sh
index faf9f6b..86b3190 100755
--- a/scripts/pulsar/generate_token.sh
+++ b/scripts/pulsar/generate_token.sh
@@ -32,6 +32,7 @@ Options:
 -k,--release the pulsar helm release name
 -r,--role the pulsar role
 -s,--symmetric use symmetric secret key for generating the token. If not provided, the private key of an asymmetric pair of keys is used.
+ -l,--local read and write output from local filesystem, do not install secret to kubernetes
 Usage:
 $0 --namespace pulsar --release pulsar-dev -c
 EOF
@@ -63,6 +64,10 @@ case $key in
 symmetric=true
 shift
 ;;
+ -l|--local)
+ local=true
+ shift
+ ;;
 -h|--help)
 usage
 exit 0
@@ -88,6 +93,17 @@ pulsar::ensure_pulsarctl
 namespace=${namespace:-pulsar}
 release=${release:-pulsar-dev}
 
+function pulsar::jwt::get_secret() {
+ local type=$1
+ local tmpfile=$2
+
+ if [[ "${local}" == "true" ]]; then
+ cp ${type} ${tmpfile}
+ else
+ kubectl get -n ${namespace} secrets ${secret_name} -o jsonpath="{.data['${type}']}" | base64 --decode > ${tmpfile}
+ fi
+}
+
 function pulsar::jwt::generate_symmetric_token() {
 local token_name="${release}-token-${role}"
 local secret_name="${release}-token-symmetric-key"
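Review bot: The new `-l|--local)` arm stores the flag in a shell variable named `local`, which is also the bash builtin used a few lines further down in `pulsar::jwt::get_secret` (`local type=$1`). Bash keeps the variable and the builtin apart, so it works, but `${local}` and `local ...` side by side reads like a bug and the same name is repeated in all four scripts this commit touches. A plain rename such as `local_mode=true` together with `${local_mode:+ -o yaml --dry-run=client}` removes the ambiguity. The enclosing `case $key in` starts before the hunk.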
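Review bot: `pulsar::jwt::get_secret` depends on `${secret_name}` being a `local` of whichever caller invoked it, and neither branch checks that it actually produced key material: when the `kubectl get ... | base64 --decode` pipeline fails (secret or key missing, no cluster access) the redirection still leaves an empty `${tmpfile}`, and the subsequent `token create` either signs with an empty key or fails with a far less obvious message. Pass the secret name explicitly and verify the result, e.g. `local secret=${3:-${secret_name}}` at the top and `[[ -s "${tmpfile}" ]] || { echo "no ${type} found for ${secret}" >&2; return 1; }` after the `if`. In local mode `cp ${type} ${tmpfile}` resolves `SECRETKEY`/`PRIVATEKEY` relative to the current directory, which only works when this script runs from the directory where generate_token_secret_key.sh left those files; a one-line comment stating that coupling would help the next maintainer.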
@@ -96,11 +112,11 @@ function pulsar::jwt::generate_symmetric_token() {
 trap "test -f $tmpfile && rm $tmpfile" RETURN
 tokentmpfile=$(mktemp)
 trap "test -f $tokentmpfile && rm $tokentmpfile" RETURN
- kubectl get -n ${namespace} secrets ${secret_name} -o jsonpath="{.data['SECRETKEY']}" | base64 --decode > ${tmpfile}
+ pulsar::jwt::get_secret SECRETKEY ${tmpfile}
 ${PULSARCTL_BIN} token create -a HS256 --secret-key-file ${tmpfile} --subject ${role} 2&> ${tokentmpfile}
 newtokentmpfile=$(mktemp)
 tr -d '\n' < ${tokentmpfile} > ${newtokentmpfile}
- kubectl create secret generic ${token_name} -n ${namespace} --from-file="TOKEN=${newtokentmpfile}" --from-literal="TYPE=symmetric"
+ kubectl create secret generic ${token_name} -n ${namespace} --from-file="TOKEN=${newtokentmpfile}" --from-literal="TYPE=symmetric" ${local:+ -o yaml --dry-run=client}
 }
 
 function pulsar::jwt::generate_asymmetric_token() {
@@ -111,11 +127,11 @@ function pulsar::jwt::generate_asymmetric_token() {
 trap "test -f $privatekeytmpfile && rm $privatekeytmpfile" RETURN
 tokentmpfile=$(mktemp)
 trap "test -f $tokentmpfile && rm $tokentmpfile" RETURN
- kubectl get -n ${namespace} secrets ${secret_name} -o jsonpath="{.data['PRIVATEKEY']}" | base64 --decode > ${privatekeytmpfile}
+ pulsar::jwt::get_secret SECRETKEY ${tmpfile}
 ${PULSARCTL_BIN} token create -a RS256 --private-key-file ${privatekeytmpfile} --subject ${role} 2&> ${tokentmpfile}
 newtokentmpfile=$(mktemp)
 tr -d '\n' < ${tokentmpfile} > ${newtokentmpfile}
- kubectl create secret generic ${token_name} -n ${namespace} --from-file="TOKEN=${newtokentmpfile}" --from-literal="TYPE=asymmetric"
+ kubectl create secret generic ${token_name} -n ${namespace} --from-file="TOKEN=${newtokentmpfile}" --from-literal="TYPE=asymmetric" ${local:+ -o yaml --dry-run=client}
 }
 
 if [[ "${symmetric}" == "true" ]]; then
diff --git a/scripts/pulsar/generate_token_secret_key.sh b/scripts/pulsar/generate_token_secret_key.sh
index be2f76e..ba4d4f4 100755
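Review bot: The replacement line in `pulsar::jwt::generate_asymmetric_token` is `pulsar::jwt::get_secret SECRETKEY ${tmpfile}`, but the line it replaces fetched `PRIVATEKEY` into `${privatekeytmpfile}`, which is what the following `token create -a RS256 --private-key-file ${privatekeytmpfile}` reads. As written the asymmetric path asks for a key named SECRETKEY that the asymmetric secret does not carry (generate_token_secret_key.sh stores PRIVATEKEY and PUBLICKEY), writes it to `${tmpfile}` — a variable that is not visible anywhere in this function's hunk and may well be unset — and then signs with an empty private key file. The line should read `pulsar::jwt::get_secret PRIVATEKEY ${privatekeytmpfile}`. The function begins before the hunk.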
--- a/scripts/pulsar/generate_token_secret_key.sh
+++ b/scripts/pulsar/generate_token_secret_key.sh
@@ -31,6 +31,7 @@ Options:
 -n,--namespace the k8s namespace to install the pulsar helm chart
 -k,--release the pulsar helm release name
 -s,--symmetric generate symmetric secret key. If not provided, an asymmetric pair of keys are generated.
+ -l,--local read and write output from local filesystem, do not install secret to kubernetes
 Usage:
 $0 --namespace pulsar --release pulsar-dev
 EOF
@@ -57,6 +58,10 @@ case $key in
 symmetric=true
 shift
 ;;
+ -l|--local)
+ local=true
+ shift
+ ;;
 -h|--help)
 usage
 exit 0
@@ -75,6 +80,7 @@ pulsar::ensure_pulsarctl
 namespace=${namespace:-pulsar}
 release=${release:-pulsar-dev}
 
+local_cmd=${file:+-o yaml --dry-run=client >secret.yaml}
 
 function pulsar::jwt::generate_symmetric_key() {
 local secret_name="${release}-token-symmetric-key"
@@ -83,8 +89,10 @@ function pulsar::jwt::generate_symmetric_key() {
 trap "test -f $tmpfile && rm $tmpfile" RETURN
 ${PULSARCTL_BIN} token create-secret-key --output-file ${tmpfile}
 mv $tmpfile SECRETKEY
- kubectl create secret generic ${secret_name} -n ${namespace} --from-file=SECRETKEY
- rm SECRETKEY
+ kubectl create secret generic ${secret_name} -n ${namespace} --from-file=SECRETKEY ${local:+ -o yaml --dry-run=client}
+ if [[ "${local}" != "true" ]]; then
+ rm SECRETKEY
+ fi
 }
 
 function pulsar::jwt::generate_asymmetric_key() {
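Review bot: The new top-level line `local_cmd=${file:+-o yaml --dry-run=client >secret.yaml}` is dead code: `file` is never assigned in this script (the `-l` arm sets `local`), so the expansion is always empty, and nothing reads `local_cmd` — both kubectl calls below splice `${local:+ -o yaml --dry-run=client}` in directly. Even if it were populated, a `>secret.yaml` token inside a variable would be handed to kubectl as an argument, not applied as a redirection. Drop the line.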
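Review bot: In `--local` mode `pulsar::jwt::generate_symmetric_key` now leaves the raw signing key at `./SECRETKEY` (the `rm` is skipped) while also printing the same key base64-encoded on stdout, and the help line does not say that the key is persisted in the working directory, so it is easy to commit or leave behind. Name the file in the usage text, and since mktemp's 0600 mode survives the `mv` only if pulsarctl wrote the file in place (which this hunk cannot confirm), pin it explicitly with `chmod 600 SECRETKEY` after the `mv`. The two guards are also inconsistent: the dry-run is selected by `${local:+...}` for any non-empty value, while the `rm` is skipped only when `local` equals `true`; use the same test in both places. The function begins before the hunk.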
@@ -97,9 +105,11 @@ function pulsar::jwt::generate_asymmetric_key() {
 ${PULSARCTL_BIN} token create-key-pair -a RS256 --output-private-key ${privatekeytmpfile} --output-public-key ${publickeytmpfile}
 mv $privatekeytmpfile PRIVATEKEY
 mv $publickeytmpfile PUBLICKEY
- kubectl create secret generic ${secret_name} -n ${namespace} --from-file=PRIVATEKEY --from-file=PUBLICKEY
- rm PRIVATEKEY
- rm PUBLICKEY
+ kubectl create secret generic ${secret_name} -n ${namespace} --from-file=PRIVATEKEY --from-file=PUBLICKEY ${local:+ -o yaml --dry-run=client}
+ if [[ "${local}" != "true" ]]; then
+ rm PRIVATEKEY
+ rm PUBLICKEY
+ fi
 }
 
 if [[ "${symmetric}" == "true" ]]; then
diff --git a/scripts/pulsar/prepare_helm_release.sh b/scripts/pulsar/prepare_helm_release.sh
index 482bd49..2dd6bff 100755
--- a/scripts/pulsar/prepare_helm_release.sh
+++ b/scripts/pulsar/prepare_helm_release.sh
@@ -31,6 +31,7 @@ Options:
 -s,--symmetric generate symmetric secret key. If not provided, an asymmetric pair of keys are generated.
 --pulsar-superusers the superusers of pulsar cluster. a comma separated list of super users.
 -c,--create-namespace flag to create k8s namespace.
+ -l,--local read and write output from local filesystem, do not deploy to kubernetes
 Usage:
 $0 --namespace pulsar --release pulsar-release
 EOF
@@ -67,6 +68,10 @@ case $key in
 symmetric=true
 shift
 ;;
+ -l|--local)
+ local=true
+ shift
+ ;;
 -h|--help)
 usage
 exit 0
@@ -83,9 +88,16 @@ namespace=${namespace:-pulsar}
 release=${release:-pulsar-dev}
 pulsar_superusers=${pulsar_superusers:-"proxy-admin,broker-admin,admin"}
 
+function new_k8s_object() {
+ if [[ "${local}" == "true" ]]; then
+ echo ---
+ fi
+}
+
 function do_create_namespace() {
 if [[ "${create_namespace}" == "true" ]]; then
- kubectl create namespace ${namespace}
+ new_k8s_object
+ kubectl create namespace ${namespace} ${local:+ -o yaml --dry-run=client}
 fi
 }
 
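Review bot: In `--local` mode the asymmetric branch keeps `./PRIVATEKEY` and `./PUBLICKEY` on disk after the `mv`, and the private key is additionally emitted base64-encoded in the YAML on stdout, yet the `-l` help text only says "read and write output from local filesystem" without naming the files. State the paths in the usage line and pin the private key's mode after the `mv` with `chmod 600 PRIVATEKEY` — mktemp's 0600 is preserved only if pulsarctl writes the file in place, which cannot be confirmed from here. Because generate_token.sh's local mode copies these files from the current directory, it is also worth saying that both scripts must run from the same directory. The function begins before the hunk.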
@@ -96,32 +108,38 @@ if [[ "${symmetric}" == "true" ]]; then
 extra_opts="${extra_opts} -s"
 fi
 
-echo "generate the token keys for the pulsar cluster"
+if [[ "${local}" == "true" ]]; then
+ extra_opts="${extra_opts} -l"
+fi
+
+echo "generate the token keys for the pulsar cluster" >&2
+new_k8s_object
 ${CHART_HOME}/scripts/pulsar/generate_token_secret_key.sh -n ${namespace} -k ${release} ${extra_opts}
-echo "generate the tokens for the super-users: ${pulsar_superusers}"
+echo "generate the tokens for the super-users: ${pulsar_superusers}" >&2
 IFS=', ' read -r -a superusers <<< "$pulsar_superusers"
 for user in "${superusers[@]}"
 do
- echo "generate the token for $user"
+ echo "generate the token for $user" >&2
+ new_k8s_object
 ${CHART_HOME}/scripts/pulsar/generate_token.sh -n ${namespace} -k ${release} -r ${user} ${extra_opts}
 done
-echo "-------------------------------------"
-echo
-echo "The jwt token secret keys are generated under:"
+echo "-------------------------------------" >&2
+echo >&2
+echo "The jwt token secret keys are generated under:" >&2
 if [[ "${symmetric}" == "true" ]]; then
- echo " - '${release}-token-symmetric-key'"
+ echo " - '${release}-token-symmetric-key'" >&2
 else
- echo " - '${release}-token-asymmetric-key'"
+ echo " - '${release}-token-asymmetric-key'" >&2
 fi
-echo
+echo >&2
 
-echo "The jwt tokens for superusers are generated and stored as below:"
+echo "The jwt tokens for superusers are generated and stored as below:" >&2
 for user in "${superusers[@]}"
 do
- echo " - '${user}':secret('${release}-token-${user}')"
+ echo " - '${user}':secret('${release}-token-${user}')" >&2
 done
-echo
+echo >&2
diff --git a/scripts/pulsar/upload_tls.sh b/scripts/pulsar/upload_tls.sh
index c4e6a4e..3485089 100755
--- a/scripts/pulsar/upload_tls.sh
+++ b/scripts/pulsar/upload_tls.sh
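Review bot: The closing summary still reports "The jwt token secret keys are generated under: '<release>-token-...-key'" and "generated and stored as ... secret(...)" in `--local` mode, where nothing was created in the cluster and the only copy is the YAML stream on stdout, which carries the signing key and every superuser token in base64. Make the summary reflect the mode, for example `if [[ "${local}" == "true" ]]; then echo "manifests were written to stdout only and NOT applied; store them in a file with restricted permissions" >&2; fi` ahead of the existing lines, and say in the usage text that `-l` output should be redirected to a file rather than left on a terminal. The `if [[ "${symmetric}" == "true" ]]` block the hunk opens in begins before the hunk.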
@@ -40,6 +40,7 @@ Options:
 -d,--dir the dir for storing tls certs. Default to ${tlsdir}.
 -c,--client-components the client components of pulsar cluster. a comma separated list of components. Default to ${clientComponents}.
 -s,--server-components the server components of pulsar cluster. a comma separated list of components. Default to ${serverComponents}.
+ -l,--local read and write output from local filesystem, do not install secret to kubernetes
 Usage:
 $0 --namespace pulsar --release pulsar-dev
 EOF
@@ -75,6 +76,10 @@ case $key in
 shift
 shift
 ;;
+ -l|--local)
+ local=true
+ shift
+ ;;
 -h|--help)
 usage
 exit 0
@@ -91,7 +96,7 @@ ca_cert_file=${tlsdir}/certs/ca.cert.pem
 
 function upload_ca() {
 local tls_ca_secret="${release}-ca-tls"
- kubectl create secret generic ${tls_ca_secret} -n ${namespace} --from-file="ca.crt=${ca_cert_file}"
+ kubectl create secret generic ${tls_ca_secret} -n ${namespace} --from-file="ca.crt=${ca_cert_file}" ${local:+ -o yaml --dry-run=client}
 }
 
 function upload_server_cert() {
@@ -104,7 +109,8 @@ function upload_server_cert() {
 -n ${namespace} \
 --from-file="tls.crt=${tls_cert_file}" \
 --from-file="tls.key=${tls_key_file}" \
- --from-file="ca.crt=${ca_cert_file}"
+ --from-file="ca.crt=${ca_cert_file}" \
+ ${local:+ -o yaml --dry-run=client}
 }
 
 function upload_client_cert() {
@@ -117,7 +123,8 @@ function upload_client_cert() {
 -n ${namespace} \
 --from-file="tls.crt=${tls_cert_file}" \
 --from-file="tls.key=${tls_key_file}" \
- --from-file="ca.crt=${ca_cert_file}"
+ --from-file="ca.crt=${ca_cert_file}" \
+ ${local:+ -o yaml --dry-run=client}
 }
 
 upload_ca
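Review bot: With `-l`, `upload_client_cert` (like the server and CA variants above it) now writes the TLS private key from `${tls_key_file}` base64-encoded to stdout via `kubectl ... --dry-run=client -o yaml`, but the new help line only says "do not install secret to kubernetes". Two things a user needs are missing: kubectl is still required for a client-side dry run, and the output contains private keys and must be redirected to a protected file. A usage line such as `-l,--local emit the Secret manifests (including private keys) as YAML on stdout instead of creating them; kubectl is still required` covers both. The continuation line `${local:+ -o yaml --dry-run=client}` expands to nothing when the flag is unset, so the non-local path is unchanged; the function begins before the hunk.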