Commit 0c98f1f9 authored by Mikhail Shishatskiy's avatar Mikhail Shishatskiy

add keystone auth service role

parent 87fee0cc
---
keystone_enabled: false
keystone_auth_url: "{{ lookup('env','OS_AUTH_URL') }}"
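Review bot: `keystone_auth_url: "{{ lookup('env','OS_AUTH_URL') }}"` is evaluated on the Ansible controller, not the target host, and an unset OS_AUTH_URL silently yields an empty string that is later passed straight to the webhook's `--keystone-url` argument. A comment above the key would make the contract visible: `# Keystone endpoint for the k8s-keystone-auth webhook; taken from OS_AUTH_URL on the controller at playbook run time`. An `assert` in tasks/main.yml that the value is non-empty when `keystone_enabled` is true would turn the silent misconfiguration into an early failure.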
---
- name: Webhook Keystone | Generate certificate
shell: "openssl req -x509 -newkey rsa:4096 -keyout {{ kube_cert_dir }}/keystone-auth-key.pem -out {{ kube_cert_dir }}/keystone-auth-cert.pem -days 365 -nodes -subj /CN=k8s-keystone-auth.kube-system/"
when: inventory_hostname == groups['kube_control_plane'][0]
tags: webhook-keystone
- name: Webhook Keystone | Add Keystone auth certs to Kubernetes
shell: "{{ bin_dir }}/kubectl -n kube-system create secret tls keystone-auth-certs --cert={{ kube_cert_dir }}/keystone-auth-cert.pem --key={{ kube_cert_dir }}/keystone-auth-key.pem"
when: inventory_hostname == groups['kube_control_plane'][0]
tags: webhook-keystone
- name: Webhook Keystone | Generate Manifests
template:
src: "{{ item.file }}.j2"
dest: "{{ kube_config_dir }}/{{ item.file }}"
group: "{{ kube_cert_group }}"
mode: 0640
with_items:
- {name: keystone-auth-rbac, file: keystone-auth-rbac.yaml}
- {name: keystone-auth-policy, file: keystone-auth-policy.yaml}
- {name: keystone-auth-deployment, file: keystone-auth-deployment.yaml}
- {name: keystone-auth-service, file: keystone-auth-service.yaml}
register: webhook_keystone_manifests
when: inventory_hostname == groups['kube_control_plane'][0]
tags: webhook-keystone
- name: Webhook Keystone | Apply Manifests
kube:
kubectl: "{{ bin_dir }}/kubectl"
filename: "{{ kube_config_dir }}/{{ item.item.file }}"
state: "latest"
with_items:
- "{{ webhook_keystone_manifests.results }}"
when:
- inventory_hostname == groups['kube_control_plane'][0]
- not item is skipped
loop_control:
label: "{{ item.item.file }}"
tags: webhook-keystone
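Review bot: The two shell tasks in this file are not idempotent: the `openssl req -x509 -newkey ...` line regenerates the key pair on every run, and `kubectl -n kube-system create secret tls keystone-auth-certs ...` errors out once the secret exists, so a second run of the role fails. Guard the openssl task with `args: { creates: "{{ kube_cert_dir }}/keystone-auth-key.pem" }` and make the secret task re-runnable, for example `kubectl create secret tls ... --dry-run=client -o yaml | kubectl apply -f -`. The certificate is issued with only `-subj /CN=k8s-keystone-auth.kube-system/` and no subjectAltName; Go-based TLS clients such as the apiserver ignore the CN and need a SAN, so if the apiserver is meant to verify this cert (the webhook kubeconfig is not part of this commit) add `-addext "subjectAltName=DNS:k8s-keystone-auth-service.kube-system.svc"` to match the Service name added here. The private key is also written with whatever umask the shell inherits; a follow-up `file` task with `mode: "0600"` on keystone-auth-key.pem would keep it from being group/world readable in `kube_cert_dir`.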
apiVersion: apps/v1
kind: Deployment
metadata:
name: k8s-keystone-auth
namespace: kube-system
labels:
app: k8s-keystone-auth
spec:
replicas: 2
selector:
matchLabels:
app: k8s-keystone-auth
template:
metadata:
labels:
app: k8s-keystone-auth
spec:
serviceAccountName: k8s-keystone
containers:
- name: k8s-keystone-auth
image: k8scloudprovider/k8s-keystone-auth:latest
args:
- ./bin/k8s-keystone-auth
- --tls-cert-file
- /etc/pki/tls.crt
- --tls-private-key-file
- /etc/pki/tls.key
- --policy-configmap-name
- k8s-auth-policy
- --keystone-url
- {{ keystone_auth_url }}
volumeMounts:
- mountPath: /etc/pki
name: certs
readOnly: true
ports:
- containerPort: 8443
volumes:
- name: certs
secret:
secretName: keystone-auth-certs
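Review bot: `image: k8scloudprovider/k8s-keystone-auth:latest` is a floating tag on the component that decides who may authenticate to the cluster, so every pod restart can pull a different build; pin a version tag (ideally a digest) and expose it as a role variable, e.g. `image: "k8scloudprovider/k8s-keystone-auth:{{ keystone_auth_image_tag }}"`. The `--keystone-url` value on the line `- {{ keystone_auth_url }}` should be quoted as `- "{{ keystone_auth_url }}"`: its default comes from an environment lookup, and an empty expansion renders as a null list item instead of an empty string, which changes what the container receives. The container also has no `resources`, `securityContext` (e.g. `readOnlyRootFilesystem: true`, `runAsNonRoot: true`) or readiness probe on port 8443, so the Service may route to a pod that is not yet serving TLS.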
apiVersion: v1
kind: ConfigMap
metadata:
name: k8s-auth-policy
namespace: kube-system
data:
policies: |
[
{
"users": {
"projects": ["sandbox"],
"roles": ["member"]
},
"resource_permissions": {
"*/pods": ["get", "list", "watch"]
}
}
]
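Review bot: The body under `policies: |` is a hard-coded sample policy that, once applied, grants every Keystone user holding the `member` role in project `sandbox` get/list/watch on pods in every namespace (`"*/pods"`); it is unlikely to match a real deployment, and because it is not templated it goes live silently. Render it from a role variable instead, for example `policies: |` followed by `{{ keystone_auth_policies | to_nice_json | indent(4) }}` with `keystone_auth_policies: []` in defaults/main.yml, so operators define authorization explicitly and an empty default grants nothing. A short comment in defaults documenting the expected entry shape (`users.projects`, `users.roles`, `resource_permissions`) would then replace the sample.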
kind: ClusterRole
apiVersion: rbac.authorization.k8s.io/v1
metadata:
labels:
k8s-app: k8s-keystone-auth
name: k8s-keystone-auth
rules:
# Allow k8s-keystone-auth to get k8s-auth-policy configmap
- apiGroups: [""]
resources: ["configmaps"]
verbs: ["get", "watch", "list"]
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
name: k8s-keystone-auth
labels:
k8s-app: k8s-keystone-auth
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: ClusterRole
name: k8s-keystone-auth
subjects:
- kind: ServiceAccount
name: k8s-keystone
namespace: kube-system
---
apiVersion: v1
kind: ServiceAccount
metadata:
name: k8s-keystone
namespace: kube-system
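Review bot: The ClusterRole with `resources: ["configmaps"]` and `verbs: ["get", "watch", "list"]` lets the `k8s-keystone` service account read every ConfigMap in every namespace, while the only ConfigMap this commit gives it (`k8s-auth-policy`) lives in kube-system. A namespaced `Role` plus `RoleBinding` in kube-system is sufficient for that and matches the intent stated in the comment `# Allow k8s-keystone-auth to get k8s-auth-policy configmap`; `get` can be narrowed further with `resourceNames: ["k8s-auth-policy"]`, though `list` and `watch` are not restricted by resourceNames, so keep those only if the webhook actually watches the policy (I cannot tell from this commit whether it polls or watches).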
kind: Service
apiVersion: v1
metadata:
name: k8s-keystone-auth-service
namespace: kube-system
spec:
selector:
app: k8s-keystone-auth
ports:
- protocol: TCP
port: 8443
targetPort: 8443
......@@ -110,3 +110,10 @@ dependencies:
- inventory_hostname == groups['kube_control_plane'][0]
tags:
- metallb
- role: kubernetes-apps/keystone
when:
- keystone_enabled
- inventory_hostname == groups['kube_control_plane'][0]
tags:
- webhook-keystone