Начало Каталог Помощ
Регистрация Вход
shixiong
/
okd
1
0
Разклонения 0
Файлове Задачи 0 Заявки за сливане 0 Уики
ИН на ревизия: 93eb9ba8fc
Клонове Маркери
okd
/
roles
/
nuage_master
/
files
/
serviceaccount.sh

serviceaccount.sh 2.2 KB
История Директен файл

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263 
  1. #!/bin/bash
    2. 

  2. # Parse CLI options
    3. 

  3. for i in "$@"; do
    4. 

  4.     case $i in
    5. 

  5.         --master-cert-dir=*)
    6. 

  6.             MASTER_DIR="${i#*=}"
    7. 

  7.             CA_CERT=${MASTER_DIR}/ca.crt
    8. 

  8.             CA_KEY=${MASTER_DIR}/ca.key
    9. 

  9.             CA_SERIAL=${MASTER_DIR}/ca.serial.txt
    10. 

  10.             ADMIN_FILE=${MASTER_DIR}/admin.kubeconfig
    11. 

  11.         ;;
    12. 

  12.         --server=*)
    13. 

  13.             SERVER="${i#*=}"
    14. 

  14.         ;;
    15. 

  15.         --output-cert-dir=*)
    16. 

  16.             OUTDIR="${i#*=}"
    17. 

  17.             CONFIG_FILE=${OUTDIR}/nuage.kubeconfig
    18. 

  18.         ;;
    19. 

  19.     esac
    20. 

  20. done
    21. 

  21. 

  22. # If any are missing, print the usage and exit
    23. 

  23. if [ -z $SERVER ] || [ -z $OUTDIR ] || [ -z $MASTER_DIR ]; then
    24. 

  24.     echo "Invalid syntax: $@"
    25. 

  25.     echo "Usage:"
    26. 

  26.     echo "  $0 --server=<address>:<port> --output-cert-dir=/path/to/output/dir/ --master-cert-dir=/path/to/master/"
    27. 

  27.     echo "--master-cert-dir:  Directory where the master's configuration is held"
    28. 

  28.     echo "--server:           Address of Kubernetes API server (default port is 8443)"
    29. 

  29.     echo "--output-cert-dir:  Directory to put artifacts in"
    30. 

  30.     echo ""
    31. 

  31.     echo "All options are required"
    32. 

  32.     exit 1
    33. 

  33. fi
    34. 

  34. 

  35. # Login as admin so that we can create the service account
    36. 

  36. oc login -u system:admin --config=$ADMIN_FILE || exit 1
    37. 

  37. oc project default --config=$ADMIN_FILE
    38. 

  38. 

  39. ACCOUNT_CONFIG='
    40. 

  40. {
    41. 

  41.   "apiVersion": "v1",
    42. 

  42.   "kind": "ServiceAccount",
    43. 

  43.   "metadata": {
    44. 

  44.     "name": "nuage"
    45. 

  45.   }
    46. 

  46. }
    47. 

  47. '
    48. 

  48. 

  49. # Create the account with the included info
    50. 

  50. echo $ACCOUNT_CONFIG|oc create --config=$ADMIN_FILE -f -
    51. 

  51. 

  52. # Add the cluser-reader role, which allows this service account read access to
    53. 

  53. # everything in the cluster except secrets
    54. 

  54. oadm policy add-cluster-role-to-user cluster-reader system:serviceaccounts:default:nuage --config=$ADMIN_FILE
    55. 

  55. 

  56. # Generate certificates and a kubeconfig for the service account
    57. 

  57. oadm create-api-client-config --certificate-authority=${CA_CERT} --client-dir=${OUTDIR} --signer-cert=${CA_CERT} --signer-key=${CA_KEY} --signer-serial=${CA_SERIAL} --user=system:serviceaccounts:default:nuage --master=${SERVER} --public-master=${SERVER} --basename='nuage'
    58. 

  58. 

  59. # Verify the finalized kubeconfig
    60. 

  60. if ! [ $(oc whoami --config=$CONFIG_FILE) == 'system:serviceaccounts:default:nuage' ]; then
    61. 

  61.     echo "Service account creation failed!"
    62. 

  62.     exit 1
    63. 

  63. fi
    64.