From eb63a19964d7a4dab84278ceede0c61b996e5ebc Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Ji=C5=99=C3=AD=20Pinkava?= <j-pi@seznam.cz>
Date: Fri, 13 Nov 2020 04:32:40 +0100
Subject: [PATCH] Local mode for kubernetes object generators (#75)
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

This allows operation in environemnts where direct installation of objects into
kubernetes cluster is not desired or possible. For example when using sealedsecrets
or SOPS, where the secrets are firs encrypted and then commited into repository
and deployed latter by some other deployment system.

Co-authored-by: Jiří Pinkava <jiri.pinkava@rossum.ai>
---
 scripts/pulsar/generate_token.sh            | 24 +++++++++--
 scripts/pulsar/generate_token_secret_key.sh | 20 +++++++---
 scripts/pulsar/prepare_helm_release.sh      | 44 +++++++++++++++------
 scripts/pulsar/upload_tls.sh                | 13 ++++--
 4 files changed, 76 insertions(+), 25 deletions(-)

diff --git a/scripts/pulsar/generate_token.sh b/scripts/pulsar/generate_token.sh
index faf9f6b..86b3190 100755
--- a/scripts/pulsar/generate_token.sh
+++ b/scripts/pulsar/generate_token.sh
@@ -32,6 +32,7 @@ Options:
        -k,--release                     the pulsar helm release name
        -r,--role                        the pulsar role
        -s,--symmetric                   use symmetric secret key for generating the token. If not provided, the private key of an asymmetric pair of keys is used.
+       -l,--local                       read and write output from local filesystem, do not install secret to kubernetes
 Usage:
     $0 --namespace pulsar --release pulsar-dev -c <pulsar-role>
 EOF
@@ -63,6 +64,10 @@ case $key in
     symmetric=true
     shift
     ;;
+    -l|--local)
+    local=true
+    shift
+    ;;
     -h|--help)
     usage
     exit 0
@@ -88,6 +93,17 @@ pulsar::ensure_pulsarctl
 namespace=${namespace:-pulsar}
 release=${release:-pulsar-dev}
 
+function pulsar::jwt::get_secret() {
+    local type=$1
+    local tmpfile=$2
+
+    if [[ "${local}" == "true" ]]; then
+        cp ${type} ${tmpfile}
+    else
+        kubectl get -n ${namespace} secrets ${secret_name} -o jsonpath="{.data['${type}']}" | base64 --decode > ${tmpfile}
+    fi
+}
+
 function pulsar::jwt::generate_symmetric_token() {
     local token_name="${release}-token-${role}"
     local secret_name="${release}-token-symmetric-key"
@@ -96,11 +112,11 @@ function pulsar::jwt::generate_symmetric_token() {
     trap "test -f $tmpfile && rm $tmpfile" RETURN
     tokentmpfile=$(mktemp)
     trap "test -f $tokentmpfile && rm $tokentmpfile" RETURN
-    kubectl get -n ${namespace} secrets ${secret_name} -o jsonpath="{.data['SECRETKEY']}" | base64 --decode > ${tmpfile}
+    pulsar::jwt::get_secret SECRETKEY ${tmpfile}
     ${PULSARCTL_BIN} token create -a HS256 --secret-key-file ${tmpfile} --subject ${role} 2&> ${tokentmpfile}
     newtokentmpfile=$(mktemp)
     tr -d '\n' < ${tokentmpfile} > ${newtokentmpfile}
-    kubectl create secret generic ${token_name} -n ${namespace} --from-file="TOKEN=${newtokentmpfile}" --from-literal="TYPE=symmetric"
+    kubectl create secret generic ${token_name} -n ${namespace} --from-file="TOKEN=${newtokentmpfile}" --from-literal="TYPE=symmetric" ${local:+ -o yaml --dry-run=client}
 }
 
 function pulsar::jwt::generate_asymmetric_token() {
@@ -111,11 +127,11 @@ function pulsar::jwt::generate_asymmetric_token() {
     trap "test -f $privatekeytmpfile && rm $privatekeytmpfile" RETURN
     tokentmpfile=$(mktemp)
     trap "test -f $tokentmpfile && rm $tokentmpfile" RETURN
-    kubectl get -n ${namespace} secrets ${secret_name} -o jsonpath="{.data['PRIVATEKEY']}" | base64 --decode > ${privatekeytmpfile}
+    pulsar::jwt::get_secret SECRETKEY ${tmpfile}
     ${PULSARCTL_BIN} token create -a RS256 --private-key-file ${privatekeytmpfile} --subject ${role} 2&> ${tokentmpfile}
     newtokentmpfile=$(mktemp)
     tr -d '\n' < ${tokentmpfile} > ${newtokentmpfile}
-    kubectl create secret generic ${token_name} -n ${namespace} --from-file="TOKEN=${newtokentmpfile}" --from-literal="TYPE=asymmetric"
+    kubectl create secret generic ${token_name} -n ${namespace} --from-file="TOKEN=${newtokentmpfile}" --from-literal="TYPE=asymmetric" ${local:+ -o yaml --dry-run=client}
 }
 
 if [[ "${symmetric}" == "true" ]]; then
diff --git a/scripts/pulsar/generate_token_secret_key.sh b/scripts/pulsar/generate_token_secret_key.sh
index be2f76e..ba4d4f4 100755
--- a/scripts/pulsar/generate_token_secret_key.sh
+++ b/scripts/pulsar/generate_token_secret_key.sh
@@ -31,6 +31,7 @@ Options:
        -n,--namespace                   the k8s namespace to install the pulsar helm chart
        -k,--release                     the pulsar helm release name
        -s,--symmetric                   generate symmetric secret key. If not provided, an asymmetric pair of keys are generated.
+       -l,--local                       read and write output from local filesystem, do not install secret to kubernetes
 Usage:
     $0 --namespace pulsar --release pulsar-dev
 EOF
@@ -57,6 +58,10 @@ case $key in
     symmetric=true
     shift
     ;;
+    -l|--local)
+    local=true
+    shift
+    ;;
     -h|--help)
     usage
     exit 0
@@ -75,6 +80,7 @@ pulsar::ensure_pulsarctl
 
 namespace=${namespace:-pulsar}
 release=${release:-pulsar-dev}
+local_cmd=${file:+-o yaml --dry-run=client >secret.yaml}
 
 function pulsar::jwt::generate_symmetric_key() {
     local secret_name="${release}-token-symmetric-key"
@@ -83,8 +89,10 @@ function pulsar::jwt::generate_symmetric_key() {
     trap "test -f $tmpfile && rm $tmpfile" RETURN
     ${PULSARCTL_BIN} token create-secret-key --output-file ${tmpfile}
     mv $tmpfile SECRETKEY
-    kubectl create secret generic ${secret_name} -n ${namespace} --from-file=SECRETKEY
-    rm SECRETKEY
+    kubectl create secret generic ${secret_name} -n ${namespace} --from-file=SECRETKEY ${local:+ -o yaml --dry-run=client}
+    if [[ "${local}" != "true" ]]; then
+        rm SECRETKEY
+    fi
 }
 
 function pulsar::jwt::generate_asymmetric_key() {
@@ -97,9 +105,11 @@ function pulsar::jwt::generate_asymmetric_key() {
     ${PULSARCTL_BIN} token create-key-pair -a RS256 --output-private-key ${privatekeytmpfile} --output-public-key ${publickeytmpfile}
     mv $privatekeytmpfile PRIVATEKEY
     mv $publickeytmpfile PUBLICKEY
-    kubectl create secret generic ${secret_name} -n ${namespace} --from-file=PRIVATEKEY --from-file=PUBLICKEY
-    rm PRIVATEKEY
-    rm PUBLICKEY
+    kubectl create secret generic ${secret_name} -n ${namespace} --from-file=PRIVATEKEY --from-file=PUBLICKEY ${local:+ -o yaml --dry-run=client}
+    if [[ "${local}" != "true" ]]; then
+        rm PRIVATEKEY
+        rm PUBLICKEY
+    fi
 }
 
 if [[ "${symmetric}" == "true" ]]; then
diff --git a/scripts/pulsar/prepare_helm_release.sh b/scripts/pulsar/prepare_helm_release.sh
index 482bd49..2dd6bff 100755
--- a/scripts/pulsar/prepare_helm_release.sh
+++ b/scripts/pulsar/prepare_helm_release.sh
@@ -31,6 +31,7 @@ Options:
        -s,--symmetric                   generate symmetric secret key. If not provided, an asymmetric pair of keys are generated.
        --pulsar-superusers              the superusers of pulsar cluster. a comma separated list of super users.
        -c,--create-namespace            flag to create k8s namespace.
+       -l,--local                       read and write output from local filesystem, do not deploy to kubernetes
 Usage:
     $0 --namespace pulsar --release pulsar-release
 EOF
@@ -67,6 +68,10 @@ case $key in
     symmetric=true
     shift
     ;;
+    -l|--local)
+    local=true
+    shift
+    ;;
     -h|--help)
     usage
     exit 0
@@ -83,9 +88,16 @@ namespace=${namespace:-pulsar}
 release=${release:-pulsar-dev}
 pulsar_superusers=${pulsar_superusers:-"proxy-admin,broker-admin,admin"}
 
+function new_k8s_object() {
+    if [[ "${local}" == "true" ]]; then
+        echo ---
+    fi
+}
+
 function do_create_namespace() {
     if [[ "${create_namespace}" == "true" ]]; then
-        kubectl create namespace ${namespace}
+        new_k8s_object
+        kubectl create namespace ${namespace} ${local:+ -o yaml --dry-run=client}
     fi
 }
 
@@ -96,32 +108,38 @@ if [[ "${symmetric}" == "true" ]]; then
   extra_opts="${extra_opts} -s"
 fi
 
-echo "generate the token keys for the pulsar cluster"
+if [[ "${local}" == "true" ]]; then
+  extra_opts="${extra_opts} -l"
+fi
+
+echo "generate the token keys for the pulsar cluster" >&2
+new_k8s_object
 ${CHART_HOME}/scripts/pulsar/generate_token_secret_key.sh -n ${namespace} -k ${release} ${extra_opts}
 
-echo "generate the tokens for the super-users: ${pulsar_superusers}"
+echo "generate the tokens for the super-users: ${pulsar_superusers}" >&2
 
 IFS=', ' read -r -a superusers <<< "$pulsar_superusers"
 for user in "${superusers[@]}"
 do
-    echo "generate the token for $user"
+    echo "generate the token for $user" >&2
+    new_k8s_object
     ${CHART_HOME}/scripts/pulsar/generate_token.sh -n ${namespace} -k ${release} -r ${user} ${extra_opts} 
 done
 
-echo "-------------------------------------"
-echo
-echo "The jwt token secret keys are generated under:"
+echo "-------------------------------------" >&2
+echo >&2
+echo "The jwt token secret keys are generated under:" >&2
 if [[ "${symmetric}" == "true" ]]; then
-    echo "    - '${release}-token-symmetric-key'"
+    echo "    - '${release}-token-symmetric-key'" >&2
 else
-    echo "    - '${release}-token-asymmetric-key'"
+    echo "    - '${release}-token-asymmetric-key'" >&2
 fi
-echo
+echo >&2
 
-echo "The jwt tokens for superusers are generated and stored as below:"
+echo "The jwt tokens for superusers are generated and stored as below:" >&2
 for user in "${superusers[@]}"
 do
-    echo "    - '${user}':secret('${release}-token-${user}')"
+    echo "    - '${user}':secret('${release}-token-${user}')" >&2
 done
-echo
+echo >&2
 
diff --git a/scripts/pulsar/upload_tls.sh b/scripts/pulsar/upload_tls.sh
index c4e6a4e..3485089 100755
--- a/scripts/pulsar/upload_tls.sh
+++ b/scripts/pulsar/upload_tls.sh
@@ -40,6 +40,7 @@ Options:
        -d,--dir                         the dir for storing tls certs. Default to ${tlsdir}.
        -c,--client-components           the client components of pulsar cluster. a comma separated list of components. Default to ${clientComponents}.
        -s,--server-components           the server components of pulsar cluster. a comma separated list of components. Default to ${serverComponents}.
+       -l,--local                       read and write output from local filesystem, do not install secret to kubernetes
 Usage:
     $0 --namespace pulsar --release pulsar-dev
 EOF
@@ -75,6 +76,10 @@ case $key in
     shift
     shift
     ;;
+    -l|--local)
+    local=true
+    shift
+    ;;
     -h|--help)
     usage
     exit 0
@@ -91,7 +96,7 @@ ca_cert_file=${tlsdir}/certs/ca.cert.pem
 
 function upload_ca() {
     local tls_ca_secret="${release}-ca-tls"
-    kubectl create secret generic ${tls_ca_secret} -n ${namespace} --from-file="ca.crt=${ca_cert_file}"
+    kubectl create secret generic ${tls_ca_secret} -n ${namespace} --from-file="ca.crt=${ca_cert_file}" ${local:+ -o yaml --dry-run=client}
 }
 
 function upload_server_cert() {
@@ -104,7 +109,8 @@ function upload_server_cert() {
         -n ${namespace} \
         --from-file="tls.crt=${tls_cert_file}" \
         --from-file="tls.key=${tls_key_file}" \
-        --from-file="ca.crt=${ca_cert_file}"
+        --from-file="ca.crt=${ca_cert_file}" \
+        ${local:+ -o yaml --dry-run=client}
 }
 
 function upload_client_cert() {
@@ -117,7 +123,8 @@ function upload_client_cert() {
         -n ${namespace} \
         --from-file="tls.crt=${tls_cert_file}" \
         --from-file="tls.key=${tls_key_file}" \
-        --from-file="ca.crt=${ca_cert_file}"
+        --from-file="ca.crt=${ca_cert_file}" \
+        ${local:+ -o yaml --dry-run=client}
 }
 
 upload_ca