Local mode for kubernetes object generators (#75)

This allows operation in environments where direct installation of objects into the
kubernetes cluster is not desired or possible, for example when using sealed-secrets
or SOPS, where the secrets are first encrypted and then committed into a repository
and deployed later by some other deployment system.

Co-authored-by: Jiří Pinkava <jiri.pinkava@rossum.ai>
Jiří Pinkava 2020-11-13 04:32:40 +01:00 committed by GitHub
parent ebc40c3382
commit eb63a19964
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
4 changed files with 76 additions and 25 deletions


@ -32,6 +32,7 @@ Options:
-k,--release the pulsar helm release name -k,--release the pulsar helm release name
-r,--role the pulsar role -r,--role the pulsar role
-s,--symmetric use symmetric secret key for generating the token. If not provided, the private key of an asymmetric pair of keys is used. -s,--symmetric use symmetric secret key for generating the token. If not provided, the private key of an asymmetric pair of keys is used.
-l,--local read and write output from local filesystem, do not install secret to kubernetes
Usage: Usage:
$0 --namespace pulsar --release pulsar-dev -c <pulsar-role> $0 --namespace pulsar --release pulsar-dev -c <pulsar-role>
EOF EOF
@ -63,6 +64,10 @@ case $key in
symmetric=true symmetric=true
shift shift
;; ;;
-l|--local)
local=true
shift
;;
-h|--help) -h|--help)
usage usage
exit 0 exit 0
@ -88,6 +93,17 @@ pulsar::ensure_pulsarctl
namespace=${namespace:-pulsar} namespace=${namespace:-pulsar}
release=${release:-pulsar-dev} release=${release:-pulsar-dev}
function pulsar::jwt::get_secret() {
local type=$1
local tmpfile=$2
if [[ "${local}" == "true" ]]; then
cp ${type} ${tmpfile}
else
kubectl get -n ${namespace} secrets ${secret_name} -o jsonpath="{.data['${type}']}" | base64 --decode > ${tmpfile}
fi
}
function pulsar::jwt::generate_symmetric_token() { function pulsar::jwt::generate_symmetric_token() {
local token_name="${release}-token-${role}" local token_name="${release}-token-${role}"
local secret_name="${release}-token-symmetric-key" local secret_name="${release}-token-symmetric-key"
@ -96,11 +112,11 @@ function pulsar::jwt::generate_symmetric_token() {
trap "test -f $tmpfile && rm $tmpfile" RETURN trap "test -f $tmpfile && rm $tmpfile" RETURN
tokentmpfile=$(mktemp) tokentmpfile=$(mktemp)
trap "test -f $tokentmpfile && rm $tokentmpfile" RETURN trap "test -f $tokentmpfile && rm $tokentmpfile" RETURN
kubectl get -n ${namespace} secrets ${secret_name} -o jsonpath="{.data['SECRETKEY']}" | base64 --decode > ${tmpfile} pulsar::jwt::get_secret SECRETKEY ${tmpfile}
${PULSARCTL_BIN} token create -a HS256 --secret-key-file ${tmpfile} --subject ${role} 2&> ${tokentmpfile} ${PULSARCTL_BIN} token create -a HS256 --secret-key-file ${tmpfile} --subject ${role} 2&> ${tokentmpfile}
newtokentmpfile=$(mktemp) newtokentmpfile=$(mktemp)
tr -d '\n' < ${tokentmpfile} > ${newtokentmpfile} tr -d '\n' < ${tokentmpfile} > ${newtokentmpfile}
kubectl create secret generic ${token_name} -n ${namespace} --from-file="TOKEN=${newtokentmpfile}" --from-literal="TYPE=symmetric" kubectl create secret generic ${token_name} -n ${namespace} --from-file="TOKEN=${newtokentmpfile}" --from-literal="TYPE=symmetric" ${local:+ -o yaml --dry-run=client}
} }
function pulsar::jwt::generate_asymmetric_token() { function pulsar::jwt::generate_asymmetric_token() {
@ -111,11 +127,11 @@ function pulsar::jwt::generate_asymmetric_token() {
trap "test -f $privatekeytmpfile && rm $privatekeytmpfile" RETURN trap "test -f $privatekeytmpfile && rm $privatekeytmpfile" RETURN
tokentmpfile=$(mktemp) tokentmpfile=$(mktemp)
trap "test -f $tokentmpfile && rm $tokentmpfile" RETURN trap "test -f $tokentmpfile && rm $tokentmpfile" RETURN
kubectl get -n ${namespace} secrets ${secret_name} -o jsonpath="{.data['PRIVATEKEY']}" | base64 --decode > ${privatekeytmpfile} pulsar::jwt::get_secret SECRETKEY ${tmpfile}
${PULSARCTL_BIN} token create -a RS256 --private-key-file ${privatekeytmpfile} --subject ${role} 2&> ${tokentmpfile} ${PULSARCTL_BIN} token create -a RS256 --private-key-file ${privatekeytmpfile} --subject ${role} 2&> ${tokentmpfile}
newtokentmpfile=$(mktemp) newtokentmpfile=$(mktemp)
tr -d '\n' < ${tokentmpfile} > ${newtokentmpfile} tr -d '\n' < ${tokentmpfile} > ${newtokentmpfile}
kubectl create secret generic ${token_name} -n ${namespace} --from-file="TOKEN=${newtokentmpfile}" --from-literal="TYPE=asymmetric" kubectl create secret generic ${token_name} -n ${namespace} --from-file="TOKEN=${newtokentmpfile}" --from-literal="TYPE=asymmetric" ${local:+ -o yaml --dry-run=client}
} }
if [[ "${symmetric}" == "true" ]]; then if [[ "${symmetric}" == "true" ]]; then
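Review bot: The replacement line in the asymmetric function fetches the wrong key into the wrong file: `pulsar::jwt::get_secret SECRETKEY ${tmpfile}` asks for `SECRETKEY` and writes to `${tmpfile}`, while the line it replaced read `PRIVATEKEY` into `${privatekeytmpfile}`, which is what the `token create -a RS256 --private-key-file ${privatekeytmpfile}` call on the next line still uses. In cluster mode the jsonpath lookup of a `SECRETKEY` entry on the asymmetric-key secret yields no data (or a jsonpath error), and in local mode `cp SECRETKEY …` fails when only `PRIVATEKEY`/`PUBLICKEY` exist, so RS256 tokens would be produced from an empty key file or the script would abort; the call should be `pulsar::jwt::get_secret PRIVATEKEY ${privatekeytmpfile}`. Note also that `tmpfile` is not declared in this function, so the stray write goes to whatever the caller's shell holds for that name — presumably nothing. `pulsar::jwt::generate_asymmetric_token` starts before this hunk.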


@ -31,6 +31,7 @@ Options:
-n,--namespace the k8s namespace to install the pulsar helm chart -n,--namespace the k8s namespace to install the pulsar helm chart
-k,--release the pulsar helm release name -k,--release the pulsar helm release name
-s,--symmetric generate symmetric secret key. If not provided, an asymmetric pair of keys are generated. -s,--symmetric generate symmetric secret key. If not provided, an asymmetric pair of keys are generated.
-l,--local read and write output from local filesystem, do not install secret to kubernetes
Usage: Usage:
$0 --namespace pulsar --release pulsar-dev $0 --namespace pulsar --release pulsar-dev
EOF EOF
@ -57,6 +58,10 @@ case $key in
symmetric=true symmetric=true
shift shift
;; ;;
-l|--local)
local=true
shift
;;
-h|--help) -h|--help)
usage usage
exit 0 exit 0
@ -75,6 +80,7 @@ pulsar::ensure_pulsarctl
namespace=${namespace:-pulsar} namespace=${namespace:-pulsar}
release=${release:-pulsar-dev} release=${release:-pulsar-dev}
local_cmd=${file:+-o yaml --dry-run=client >secret.yaml}
function pulsar::jwt::generate_symmetric_key() { function pulsar::jwt::generate_symmetric_key() {
local secret_name="${release}-token-symmetric-key" local secret_name="${release}-token-symmetric-key"
@ -83,8 +89,10 @@ function pulsar::jwt::generate_symmetric_key() {
trap "test -f $tmpfile && rm $tmpfile" RETURN trap "test -f $tmpfile && rm $tmpfile" RETURN
${PULSARCTL_BIN} token create-secret-key --output-file ${tmpfile} ${PULSARCTL_BIN} token create-secret-key --output-file ${tmpfile}
mv $tmpfile SECRETKEY mv $tmpfile SECRETKEY
kubectl create secret generic ${secret_name} -n ${namespace} --from-file=SECRETKEY kubectl create secret generic ${secret_name} -n ${namespace} --from-file=SECRETKEY ${local:+ -o yaml --dry-run=client}
rm SECRETKEY if [[ "${local}" != "true" ]]; then
rm SECRETKEY
fi
} }
function pulsar::jwt::generate_asymmetric_key() { function pulsar::jwt::generate_asymmetric_key() {
@ -97,9 +105,11 @@ function pulsar::jwt::generate_asymmetric_key() {
${PULSARCTL_BIN} token create-key-pair -a RS256 --output-private-key ${privatekeytmpfile} --output-public-key ${publickeytmpfile} ${PULSARCTL_BIN} token create-key-pair -a RS256 --output-private-key ${privatekeytmpfile} --output-public-key ${publickeytmpfile}
mv $privatekeytmpfile PRIVATEKEY mv $privatekeytmpfile PRIVATEKEY
mv $publickeytmpfile PUBLICKEY mv $publickeytmpfile PUBLICKEY
kubectl create secret generic ${secret_name} -n ${namespace} --from-file=PRIVATEKEY --from-file=PUBLICKEY kubectl create secret generic ${secret_name} -n ${namespace} --from-file=PRIVATEKEY --from-file=PUBLICKEY ${local:+ -o yaml --dry-run=client}
rm PRIVATEKEY if [[ "${local}" != "true" ]]; then
rm PUBLICKEY rm PRIVATEKEY
rm PUBLICKEY
fi
} }
if [[ "${symmetric}" == "true" ]]; then if [[ "${symmetric}" == "true" ]]; then
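Review bot: In local mode the skipped `rm PRIVATEKEY`/`rm PUBLICKEY` (and `rm SECRETKEY` in the symmetric function) leave the raw, unencrypted signing key in the current working directory, in addition to the base64 copy in the YAML printed to stdout, and nothing in this file removes it afterwards; that is presumably intentional so `generate_token.sh -l` can read it, but the help text should say so, e.g. `-l,--local print the secret as YAML to stdout instead of installing it; leaves SECRETKEY (or PRIVATEKEY/PUBLICKEY) in the current directory for generate_token.sh -- delete them once the manifest is encrypted`. The file is moved from a `mktemp` path so its mode is presumably 0600, but a `chmod 600 PRIVATEKEY` after the `mv` would make that explicit rather than inherited. The earlier hunk also introduces `local_cmd=${file:+-o yaml --dry-run=client >secret.yaml}`, which references an undefined `file` variable, is never used, and would pass `>secret.yaml` as a literal argument if it ever expanded; it looks like a leftover and should be dropped. `pulsar::jwt::generate_asymmetric_key` starts before this hunk.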


@ -31,6 +31,7 @@ Options:
-s,--symmetric generate symmetric secret key. If not provided, an asymmetric pair of keys are generated. -s,--symmetric generate symmetric secret key. If not provided, an asymmetric pair of keys are generated.
--pulsar-superusers the superusers of pulsar cluster. a comma separated list of super users. --pulsar-superusers the superusers of pulsar cluster. a comma separated list of super users.
-c,--create-namespace flag to create k8s namespace. -c,--create-namespace flag to create k8s namespace.
-l,--local read and write output from local filesystem, do not deploy to kubernetes
Usage: Usage:
$0 --namespace pulsar --release pulsar-release $0 --namespace pulsar --release pulsar-release
EOF EOF
@ -67,6 +68,10 @@ case $key in
symmetric=true symmetric=true
shift shift
;; ;;
-l|--local)
local=true
shift
;;
-h|--help) -h|--help)
usage usage
exit 0 exit 0
@ -83,9 +88,16 @@ namespace=${namespace:-pulsar}
release=${release:-pulsar-dev} release=${release:-pulsar-dev}
pulsar_superusers=${pulsar_superusers:-"proxy-admin,broker-admin,admin"} pulsar_superusers=${pulsar_superusers:-"proxy-admin,broker-admin,admin"}
function new_k8s_object() {
if [[ "${local}" == "true" ]]; then
echo ---
fi
}
function do_create_namespace() { function do_create_namespace() {
if [[ "${create_namespace}" == "true" ]]; then if [[ "${create_namespace}" == "true" ]]; then
kubectl create namespace ${namespace} new_k8s_object
kubectl create namespace ${namespace} ${local:+ -o yaml --dry-run=client}
fi fi
} }
@ -96,32 +108,38 @@ if [[ "${symmetric}" == "true" ]]; then
extra_opts="${extra_opts} -s" extra_opts="${extra_opts} -s"
fi fi
echo "generate the token keys for the pulsar cluster" if [[ "${local}" == "true" ]]; then
extra_opts="${extra_opts} -l"
fi
echo "generate the token keys for the pulsar cluster" >&2
new_k8s_object
${CHART_HOME}/scripts/pulsar/generate_token_secret_key.sh -n ${namespace} -k ${release} ${extra_opts} ${CHART_HOME}/scripts/pulsar/generate_token_secret_key.sh -n ${namespace} -k ${release} ${extra_opts}
echo "generate the tokens for the super-users: ${pulsar_superusers}" echo "generate the tokens for the super-users: ${pulsar_superusers}" >&2
IFS=', ' read -r -a superusers <<< "$pulsar_superusers" IFS=', ' read -r -a superusers <<< "$pulsar_superusers"
for user in "${superusers[@]}" for user in "${superusers[@]}"
do do
echo "generate the token for $user" echo "generate the token for $user" >&2
new_k8s_object
${CHART_HOME}/scripts/pulsar/generate_token.sh -n ${namespace} -k ${release} -r ${user} ${extra_opts} ${CHART_HOME}/scripts/pulsar/generate_token.sh -n ${namespace} -k ${release} -r ${user} ${extra_opts}
done done
echo "-------------------------------------" echo "-------------------------------------" >&2
echo echo >&2
echo "The jwt token secret keys are generated under:" echo "The jwt token secret keys are generated under:" >&2
if [[ "${symmetric}" == "true" ]]; then if [[ "${symmetric}" == "true" ]]; then
echo " - '${release}-token-symmetric-key'" echo " - '${release}-token-symmetric-key'" >&2
else else
echo " - '${release}-token-asymmetric-key'" echo " - '${release}-token-asymmetric-key'" >&2
fi fi
echo echo >&2
echo "The jwt tokens for superusers are generated and stored as below:" echo "The jwt tokens for superusers are generated and stored as below:" >&2
for user in "${superusers[@]}" for user in "${superusers[@]}"
do do
echo " - '${user}':secret('${release}-token-${user}')" echo " - '${user}':secret('${release}-token-${user}')" >&2
done done
echo echo >&2


@ -40,6 +40,7 @@ Options:
-d,--dir the dir for storing tls certs. Default to ${tlsdir}. -d,--dir the dir for storing tls certs. Default to ${tlsdir}.
-c,--client-components the client components of pulsar cluster. a comma separated list of components. Default to ${clientComponents}. -c,--client-components the client components of pulsar cluster. a comma separated list of components. Default to ${clientComponents}.
-s,--server-components the server components of pulsar cluster. a comma separated list of components. Default to ${serverComponents}. -s,--server-components the server components of pulsar cluster. a comma separated list of components. Default to ${serverComponents}.
-l,--local read and write output from local filesystem, do not install secret to kubernetes
Usage: Usage:
$0 --namespace pulsar --release pulsar-dev $0 --namespace pulsar --release pulsar-dev
EOF EOF
@ -75,6 +76,10 @@ case $key in
shift shift
shift shift
;; ;;
-l|--local)
local=true
shift
;;
-h|--help) -h|--help)
usage usage
exit 0 exit 0
@ -91,7 +96,7 @@ ca_cert_file=${tlsdir}/certs/ca.cert.pem
function upload_ca() { function upload_ca() {
local tls_ca_secret="${release}-ca-tls" local tls_ca_secret="${release}-ca-tls"
kubectl create secret generic ${tls_ca_secret} -n ${namespace} --from-file="ca.crt=${ca_cert_file}" kubectl create secret generic ${tls_ca_secret} -n ${namespace} --from-file="ca.crt=${ca_cert_file}" ${local:+ -o yaml --dry-run=client}
} }
function upload_server_cert() { function upload_server_cert() {
@ -104,7 +109,8 @@ function upload_server_cert() {
-n ${namespace} \ -n ${namespace} \
--from-file="tls.crt=${tls_cert_file}" \ --from-file="tls.crt=${tls_cert_file}" \
--from-file="tls.key=${tls_key_file}" \ --from-file="tls.key=${tls_key_file}" \
--from-file="ca.crt=${ca_cert_file}" --from-file="ca.crt=${ca_cert_file}" \
${local:+ -o yaml --dry-run=client}
} }
function upload_client_cert() { function upload_client_cert() {
@ -117,7 +123,8 @@ function upload_client_cert() {
-n ${namespace} \ -n ${namespace} \
--from-file="tls.crt=${tls_cert_file}" \ --from-file="tls.crt=${tls_cert_file}" \
--from-file="tls.key=${tls_key_file}" \ --from-file="tls.key=${tls_key_file}" \
--from-file="ca.crt=${ca_cert_file}" --from-file="ca.crt=${ca_cert_file}" \
${local:+ -o yaml --dry-run=client}
} }
upload_ca upload_ca
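Review bot: In local mode `upload_ca`, `upload_server_cert` and `upload_client_cert` each print a full Secret manifest to stdout but emit no document separator, so the successive calls produce several YAML documents concatenated without `---`, which `kubectl apply -f` or SOPS will not treat as separate objects; the wrapper script in this commit handles this with a `new_k8s_object` helper and this file should do the same, e.g. `if [[ "${local}" == "true" ]]; then echo ---; fi` as the first statement of each function, unless the call sites after this hunk already emit one. The `--local` help line should also state that the printed output contains `tls.key` in base64 and is as sensitive as the key file itself. The loop that calls `upload_server_cert`/`upload_client_cert` is outside the hunk.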