Home Explore Help
Register Sign In
shixiong
/
okd
1
0
Fork 0
Files Issues 0 Pull Requests 0 Wiki
Tree: a5dd4b4861
Branches Tags
okd
/
roles
/
openshift_bootstrap_autoapprover
/
files
/
openshift-bootstrap-controller.yaml

openshift-bootstrap-controller.yaml 2.2 KB
History Raw

12345678910111213141516171819202122232425262728293031323334353637383940414243444546474849505152535455565758596061626364656667686970717273 
  1. kind: StatefulSet
    2. 

  2. apiVersion: apps/v1beta1
    3. 

  3. metadata:
    4. 

  4.   name: bootstrap-autoapprover
    5. 

  5.   namespace: openshift-infra
    6. 

  6.   annotations:
    7. 

  7.     image.openshift.io/triggers: |
    8. 

  8.       [{"from":{"kind":"ImageStreamTag","name":"node:v3.11"},"fieldPath":"spec.template.spec.containers[?(@.name==\"signer\")].image"}]
    9. 

  9. spec:
    10. 

  10.   updateStrategy:
    11. 

  11.     type: RollingUpdate
    12. 

  12.   template:
    13. 

  13.     metadata:
    14. 

  14.       labels:
    15. 

  15.         app: bootstrap-autoapprover
    16. 

  16.     spec:
    17. 

  17.       nodeSelector:
    18. 

  18.         node-role.kubernetes.io/master: 'true'
    19. 

  19.       serviceAccountName: bootstrap-autoapprover
    20. 

  20.       terminationGracePeriodSeconds: 1
    21. 

  21.       containers:
    22. 

  22.       - name: signer
    23. 

  23.         image: " "
    24. 

  24.         command:
    25. 

  25.         - /bin/bash
    26. 

  26.         - -c
    27. 

  27.         args:
    28. 

  28.         - |
    29. 

  29.           #!/bin/bash
    30. 

  30.           set -o errexit
    31. 

  31.           set -o nounset
    32. 

  32.           set -o pipefail
    33. 

  33. 

  34.           unset KUBECONFIG
    35. 

  35.           cat <<SCRIPT > /tmp/signer
    36. 

  36.           #!/bin/bash
    37. 

  37.           #
    38. 

  38.           # It will approve any CSR that is not approved yet, and delete any CSR that expired more than 60 seconds
    39. 

  39.           # ago.
    40. 

  40.           #
    41. 

  41. 

  42.           set -o errexit
    43. 

  43.           set -o nounset
    44. 

  44.           set -o pipefail
    45. 

  45. 

  46.           name=\${1}
    47. 

  47.           condition=\${2}
    48. 

  48.           certificate=\${3}
    49. 

  49.           username=\${4}
    50. 

  50. 

  51.           # auto approve
    52. 

  52.           if [[ -z "\${condition}" && ("\${username}" == "system:serviceaccount:openshift-infra:node-bootstrapper" || "\${username}" == "system:node:"* ) ]]; then
    53. 

  53.             oc adm certificate approve "\${name}"
    54. 

  54.             exit 0
    55. 

  55.           fi
    56. 

  56. 

  57.           # check certificate age
    58. 

  58.           if [[ -n "\${certificate}" ]]; then
    59. 

  59.             text="\$( echo "\${certificate}" | base64 -d - )"
    60. 

  60.             if ! echo "\${text}" | openssl x509 -noout; then
    61. 

  61.               echo "error: Unable to parse certificate" 2>&1
    62. 

  62.               exit 1
    63. 

  63.             fi
    64. 

  64.             if ! echo "\${text}" | openssl x509 -checkend -60 > /dev/null; then
    65. 

  65.               echo "Certificate is expired, deleting"
    66. 

  66.               oc delete csr "\${name}"
    67. 

  67.             fi
    68. 

  68.             exit 0
    69. 

  69.           fi
    70. 

  70.           SCRIPT
    71. 

  71.           chmod u+x /tmp/signer
    72. 

  72. 

  73.           exec oc observe csr --maximum-errors=1 --resync-period=10m -a '{.status.conditions[*].type}' -a '{.status.certificate}' -a '{.spec.username}' -- /tmp/signer
    74.