Commit
104493c4
authored
Jan 31, 2019
by
Alberto Colla
2019-01-30 Colla: bugfixes
parent
4f657e88
Changes
5
Makefile
...
...
@@ -30,5 +30,6 @@ publish: lint
OUTPUT
=
`
charm push
.
cs:~
$(USER)
/
$(NAME)
`
echo
$$
OUTPUT
REV
=
`
echo
$$
OUTPUT |
sed
's/.*
$(NAME)
-\([0-9]*\).*/\1/'
`
echo
$$
REV
charm release cs:~
$(USER)
/
$(NAME)
-
$(REV)
--channel
stable
charm grant cs:~
$(USER)
/
$(NAME)
-
$(REV)
everyone
--channel
stable
reactive/kubernetes-keystone.py
...
...
@@ -84,6 +84,7 @@ def setup_authentication():
k8s_keystone_auth_url
=
hookenv
.
config
(
'k8s-keystone-auth-url'
)
hookenv
.
log
(
'Downloading %s'
%
k8s_keystone_auth_url
)
handler
.
download
(
k8s_keystone_auth_url
,
k8s_keystone_auth_path
)
check_call
([
'chmod'
,
'+x'
,
k8s_keystone_auth_path
])
check_call
([
'chmod'
,
'+x'
,
k8s_keystone_auth_start
])
...
...
@@ -108,11 +109,20 @@ def setup_authentication():
def
setup_authentication_server
():
''' Start k8s_keystone_auth '''
check_call
([
'chmod'
,
'+x'
,
k8s_keystone_auth_path
])
check_call
([
'chmod'
,
'+x'
,
k8s_keystone_auth_start
])
hookenv
.
status_set
(
'maintenance'
,
'Starting authentication server.'
)
command
=
[
'systemctl'
,
'enable'
,
'k8s-keystone-auth'
]
check_call
(
command
)
command
=
[
'systemctl'
,
'restart'
,
'k8s-keystone-auth.service'
]
check_call
(
command
)
set_state
(
'authentication.server'
)
...
...
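Review bot: No integrity check is visible between `handler.download(k8s_keystone_auth_url, k8s_keystone_auth_path)` and the `chmod +x` calls in the first hunk, yet the second hunk enables and restarts that file as the `k8s-keystone-auth` systemd unit. Whoever controls the `k8s-keystone-auth-url` option, or the transport it points at, therefore decides what runs on the unit, presumably with service privileges. Pin a digest next to the URL and stop before `chmod` on mismatch, e.g. `if hashlib.sha256(open(k8s_keystone_auth_path, 'rb').read()).hexdigest() != expected_sha256: raise ValueError('k8s-keystone-auth digest mismatch')`, where `expected_sha256` is read from a new config option (placeholder name, not on this page). The +/- markers are lost on this page and both `setup_authentication` and `setup_authentication_server` continue outside the hunks, so a check may already exist in lines not shown.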
templates/k8s-keystone-auth.sh
...
...
@@ -12,6 +12,6 @@ KUBE_CONFIG=/home/ubuntu/config
$K8S_KEYSTONE_AUTH
--tls-cert-file
$APISERVER_CERT
\
--tls-private-key-file
$APISERVER_KEY
\
--keystone-url
$KEYSTONE_URL
\
--keystone-policy-file
$KEYSTONE_POLICY
\
#
--keystone-policy-file $KEYSTONE_POLICY \
--sync-config-file
$SYNC_CONFIG
\
--kubeconfig
$KUBE_CONFIG
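Review bot: A `#` line inside a backslash-continued command ends the command at that line. If `# --keystone-policy-file $KEYSTONE_POLICY \` is the new side (the +/- markers are lost on this page), `--sync-config-file $SYNC_CONFIG` and `--kubeconfig $KUBE_CONFIG` are no longer arguments of `$K8S_KEYSTONE_AUTH`, and the shell tries to run them as a separate command. The webhook would then start with neither the policy file nor the sync configuration, which presumably changes what it authorizes. Delete the option line instead of commenting it out, so that `--keystone-url $KEYSTONE_URL \` is followed directly by `--sync-config-file $SYNC_CONFIG \`, and keep any explanatory comment above the command. If dropping the policy file is intentional, the commit description should say where the authorization policy now comes from.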
templates/webhook-policy.json
##
The
Kubernetes
cluster
can
only
be
accessed
by
the
users
in
kubernetes
project,
##
users
with
k
8
s-admin
or
k
8
s-user
role
have
both
write
and
read
permissions
##
to
the
pod
resource,
but
users
with
k
8
s-admin
role
can
also
assign
roles
##
to
others.
[
{
"resource"
:
{
...
...
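--- /dev/null
+++ b/templates/webhook-policy.json.comment
@@ -0,0 +1,44 @@
+// N.B. Hash is not allowed for comments in json files
+// The Kubernetes cluster can only be accessed by the users in kubernetes project,
+// users with k8s-admin or k8s-user role have both write and read permissions
+// to the pod resource, but users with k8s-admin role can also assign roles
+// to others
+[
+{
+"resource": {
+"verbs": ["get", "list", "watch", "create", "update", "delete"],
+"resources": ["pods"],
+"version": "*",
+"namespace": "default"
+},
+"match": [
+{
+"type": "role",
+"values": ["k8s-admin", "k8s-user"]
+},
+{
+"type": "project",
+"values": ["{{ kubernetes_project }}"]
+}
+]
+},
+{
+"resource": {
+"verbs": ["bind"],
+"resources": ["clusterroles"],
+"resourceNames": ["admin", "edit", "view"],
+"version": "*",
+"namespace": "default"
+},
+"match": [
+{
+"type": "role",
+"values": ["k8s-admin"]
+},
+{
+"type": "project",
+"values": ["{{ kubernetes_project }}"]
+}
+]
+}
+]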