Home Explore Help
Register Sign In
shixiong
/
okd
1
0
Fork 0
Files Issues 0 Pull Requests 0 Wiki
Tree: 8cbd53ed64
Branches Tags
okd
/
roles
/
openshift_bootstrap_autoapprover
/
files
/
openshift-bootstrap-controller.yaml

openshift-bootstrap-controller.yaml 2.0 KB
History Raw

1234567891011121314151617181920212223242526272829303132333435363738394041424344454647484950515253545556575859606162636465666768 
  1. kind: StatefulSet
    2. 

  2. apiVersion: apps/v1beta1
    3. 

  3. metadata:
    4. 

  4.   name: bootstrap-autoapprover
    5. 

  5.   namespace: openshift-infra
    6. 

  6. spec:
    7. 

  7.   updateStrategy:
    8. 

  8.     type: RollingUpdate
    9. 

  9.   template:
    10. 

  10.     metadata:
    11. 

  11.       labels:
    12. 

  12.         app: bootstrap-autoapprover
    13. 

  13.     spec:
    14. 

  14.       serviceAccountName: bootstrap-autoapprover
    15. 

  15.       terminationGracePeriodSeconds: 1
    16. 

  16.       containers:
    17. 

  17.       - name: signer
    18. 

  18.         image: openshift/node:v3.7.0-rc.0
    19. 

  19.         command:
    20. 

  20.         - /bin/bash
    21. 

  21.         - -c
    22. 

  22.         args:
    23. 

  23.         - |
    24. 

  24.           #!/bin/bash
    25. 

  25.           set -o errexit
    26. 

  26.           set -o nounset
    27. 

  27.           set -o pipefail
    28. 

  28. 

  29.           unset KUBECONFIG
    30. 

  30.           cat <<SCRIPT > /tmp/signer
    31. 

  31.           #!/bin/bash
    32. 

  32.           #
    33. 

  33.           # It will approve any CSR that is not approved yet, and delete any CSR that expired more than 60 seconds
    34. 

  34.           # ago.
    35. 

  35.           #
    36. 

  36. 

  37.           set -o errexit
    38. 

  38.           set -o nounset
    39. 

  39.           set -o pipefail
    40. 

  40. 

  41.           name=\${1}
    42. 

  42.           condition=\${2}
    43. 

  43.           certificate=\${3}
    44. 

  44.           username=\${4}
    45. 

  45. 

  46.           # auto approve
    47. 

  47.           if [[ -z "\${condition}" && ("\${username}" == "system:serviceaccount:openshift-infra:node-bootstrapper" || "\${username}" == "system:node:"* ) ]]; then
    48. 

  48.             oc adm certificate approve "\${name}"
    49. 

  49.             exit 0
    50. 

  50.           fi
    51. 

  51. 

  52.           # check certificate age
    53. 

  53.           if [[ -n "\${certificate}" ]]; then
    54. 

  54.             text="\$( echo "\${certificate}" | base64 -d - )"
    55. 

  55.             if ! echo "\${text}" | openssl x509 -noout; then
    56. 

  56.               echo "error: Unable to parse certificate" 2>&1
    57. 

  57.               exit 1
    58. 

  58.             fi 
    59. 

  59.             if ! echo "\${text}" | openssl x509 -checkend -60 > /dev/null; then
    60. 

  60.               echo "Certificate is expired, deleting"
    61. 

  61.               oc delete csr "\${name}"
    62. 

  62.             fi
    63. 

  63.             exit 0
    64. 

  64.           fi
    65. 

  65.           SCRIPT
    66. 

  66.           chmod u+x /tmp/signer
    67. 

  67. 

  68.           exec oc observe csr --maximum-errors=1 --resync-period=10m -a '{.status.conditions[*].type}' -a '{.status.certificate}' -a '{.spec.username}' -- /tmp/signer
    69.