2019-01-30 Colla: bugfixes

104493c4 · Alberto Colla · 4f657e88 · 104493c4 · 104493c4 · 104493c4
Commit 104493c4 authored Jan 31, 2019 by Alberto Colla
--- a/Makefile
+++ b/Makefile
@@ -30,5 +30,6 @@ publish: lint
 	OUTPUT=`charm push . cs:~$(USER)/$(NAME)`
 	echo $$OUTPUT
 	REV=`echo $$OUTPUT | sed 's/.*$(NAME)-\([0-9]*\).*/\1/'`
+	echo $$REV
 	charm release cs:~$(USER)/$(NAME)-$(REV) --channel stable
 	charm grant cs:~$(USER)/$(NAME)-$(REV) everyone --channel stable
--- a/reactive/kubernetes-keystone.py
+++ b/reactive/kubernetes-keystone.py
@@ -84,6 +84,7 @@ def setup_authentication():
    k8s_keystone_auth_url = hookenv.config('k8s-keystone-auth-url')
    hookenv.log('Downloading %s' % k8s_keystone_auth_url)
    handler.download(k8s_keystone_auth_url, k8s_keystone_auth_path)
+
    check_call(['chmod', '+x', k8s_keystone_auth_path])
    check_call(['chmod', '+x', k8s_keystone_auth_start])

@@ -108,11 +109,20 @@ def setup_authentication():
 def setup_authentication_server():
    ''' Start k8s_keystone_auth '''

+
+    check_call(['chmod', '+x', k8s_keystone_auth_path])
+    check_call(['chmod', '+x', k8s_keystone_auth_start])
+
    hookenv.status_set('maintenance', 'Starting authentication server.')

    command = ['systemctl', 'enable', 'k8s-keystone-auth']
    check_call(command)

+
+    command = ['systemctl', 'restart', 'k8s-keystone-auth.service']
+    check_call(command)
+
+
    set_state('authentication.server')



--- a/templates/k8s-keystone-auth.sh
+++ b/templates/k8s-keystone-auth.sh
@@ -12,6 +12,6 @@ KUBE_CONFIG=/home/ubuntu/config
 $K8S_KEYSTONE_AUTH --tls-cert-file $APISERVER_CERT \
    --tls-private-key-file $APISERVER_KEY \
    --keystone-url $KEYSTONE_URL \
-    --keystone-policy-file $KEYSTONE_POLICY \
+#    --keystone-policy-file $KEYSTONE_POLICY \
    --sync-config-file $SYNC_CONFIG \
    --kubeconfig $KUBE_CONFIG
--- a/templates/webhook-policy.json
+++ b/templates/webhook-policy.json
-## The Kubernetes cluster can only be accessed by the users in kubernetes project,
-## users with k8s-admin or k8s-user role have both write and read permissions
-## to the pod resource, but users with k8s-admin role can also assign roles
-## to others.
-
 [
  {
    "resource": {

--- a/templates/webhook-policy.json.comment
+++ b/templates/webhook-policy.json.comment
+// N.B. Hash is not allowed for comments in json files
+// The Kubernetes cluster can only be accessed by the users in kubernetes project,
+// users with k8s-admin or k8s-user role have both write and read permissions
+// to the pod resource, but users with k8s-admin role can also assign roles
+// to others
+
+[
+  {
+    "resource": {
+      "verbs": ["get", "list", "watch", "create", "update", "delete"],
+      "resources": ["pods"],
+      "version": "*",
+      "namespace": "default"
+    },
+    "match": [
+      {
+        "type": "role",
+        "values": ["k8s-admin", "k8s-user"]
+      },
+      {
+        "type": "project",
+        "values": ["{{ kubernetes_project }}"]
+      }
+    ]
+  },
+  {
+    "resource": {
+        "verbs": ["bind"],
+        "resources": ["clusterroles"],
+        "resourceNames": ["admin", "edit", "view"],
+      "version": "*",
+      "namespace": "default"
+    },
+    "match": [
+      {
+        "type": "role",
+        "values": ["k8s-admin"]
+      },
+      {
+        "type": "project",
+        "values": ["{{ kubernetes_project }}"]
+      }
+    ]
+  }
+]