Posted to commits@pulsar.apache.org by si...@apache.org on 2020/11/13 03:32:49 UTC

[pulsar-helm-chart] branch master updated: Local mode for kubernetes object generators (#75)

This is an automated email from the ASF dual-hosted git repository.

sijie pushed a commit to branch master
in repository https://gitbox.apache.org/repos/asf/pulsar-helm-chart.git


The following commit(s) were added to refs/heads/master by this push:
     new eb63a19  Local mode for kubernetes object generators (#75)
eb63a19 is described below

commit eb63a19964d7a4dab84278ceede0c61b996e5ebc
Author: Jiří Pinkava <j-...@seznam.cz>
AuthorDate: Fri Nov 13 04:32:40 2020 +0100

    Local mode for kubernetes object generators (#75)
    
    This allows operation in environments where direct installation of objects into a
    kubernetes cluster is not desired or possible. For example when using sealedsecrets
    or SOPS, where the secrets are first encrypted and then committed into a repository
    and deployed later by some other deployment system.
    
    Co-authored-by: Jiří Pinkava <ji...@rossum.ai>
---
 scripts/pulsar/generate_token.sh            | 24 +++++++++++++---
 scripts/pulsar/generate_token_secret_key.sh | 20 +++++++++----
 scripts/pulsar/prepare_helm_release.sh      | 44 ++++++++++++++++++++---------
 scripts/pulsar/upload_tls.sh                | 13 +++++++--
 4 files changed, 76 insertions(+), 25 deletions(-)

diff --git a/scripts/pulsar/generate_token.sh b/scripts/pulsar/generate_token.sh
index faf9f6b..86b3190 100755
--- a/scripts/pulsar/generate_token.sh
+++ b/scripts/pulsar/generate_token.sh
@@ -32,6 +32,7 @@ Options:
        -k,--release                     the pulsar helm release name
        -r,--role                        the pulsar role
        -s,--symmetric                   use symmetric secret key for generating the token. If not provided, the private key of an asymmetric pair of keys is used.
+       -l,--local                       read and write output from local filesystem, do not install secret to kubernetes
 Usage:
     $0 --namespace pulsar --release pulsar-dev -c <pulsar-role>
 EOF
@@ -63,6 +64,10 @@ case $key in
     symmetric=true
     shift
     ;;
+    -l|--local)
+    local=true
+    shift
+    ;;
     -h|--help)
     usage
     exit 0
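Review bot: The new flag stores its state in a variable named `local`, which is also the bash builtin used a few lines further down inside the functions (`local type=$1`); the assignment is legal, but the same token now means two different things in one file. A name such as `local_mode=true`, with matching `${local_mode}` tests and `${local_mode:+ -o yaml --dry-run=client}` expansions, would read unambiguously. The same choice appears in the option-parsing hunks of generate_token_secret_key.sh, prepare_helm_release.sh and upload_tls.sh in this commit.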
@@ -88,6 +93,17 @@ pulsar::ensure_pulsarctl
 namespace=${namespace:-pulsar}
 release=${release:-pulsar-dev}
 
+function pulsar::jwt::get_secret() {
+    local type=$1
+    local tmpfile=$2
+
+    if [[ "${local}" == "true" ]]; then
+        cp ${type} ${tmpfile}
+    else
+        kubectl get -n ${namespace} secrets ${secret_name} -o jsonpath="{.data['${type}']}" | base64 --decode > ${tmpfile}
+    fi
+}
+
 function pulsar::jwt::generate_symmetric_token() {
     local token_name="${release}-token-${role}"
     local secret_name="${release}-token-symmetric-key"
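Review bot: pulsar::jwt::get_secret reads `${secret_name}` from the caller's scope rather than taking it as an argument, so the kubectl branch only works when invoked from a function that has already declared `local secret_name`; that dynamic-scoping dependency is invisible at the definition. Passing it explicitly, `local secret_name=$3`, and calling `pulsar::jwt::get_secret SECRETKEY ${tmpfile} ${secret_name}`, or at least a header comment `# Expects secret_name and namespace to be set by the caller; in local mode $1 is a path relative to cwd`, would make the contract clear. Both `cp ${type} ${tmpfile}` and the redirect target `> ${tmpfile}` should be quoted, since an empty or space-containing path changes what gets copied rather than failing loudly.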
@@ -96,11 +112,11 @@ function pulsar::jwt::generate_symmetric_token() {
     trap "test -f $tmpfile && rm $tmpfile" RETURN
     tokentmpfile=$(mktemp)
     trap "test -f $tokentmpfile && rm $tokentmpfile" RETURN
-    kubectl get -n ${namespace} secrets ${secret_name} -o jsonpath="{.data['SECRETKEY']}" | base64 --decode > ${tmpfile}
+    pulsar::jwt::get_secret SECRETKEY ${tmpfile}
     ${PULSARCTL_BIN} token create -a HS256 --secret-key-file ${tmpfile} --subject ${role} 2&> ${tokentmpfile}
     newtokentmpfile=$(mktemp)
     tr -d '\n' < ${tokentmpfile} > ${newtokentmpfile}
-    kubectl create secret generic ${token_name} -n ${namespace} --from-file="TOKEN=${newtokentmpfile}" --from-literal="TYPE=symmetric"
+    kubectl create secret generic ${token_name} -n ${namespace} --from-file="TOKEN=${newtokentmpfile}" --from-literal="TYPE=symmetric" ${local:+ -o yaml --dry-run=client}
 }
 
 function pulsar::jwt::generate_asymmetric_token() {
@@ -111,11 +127,11 @@ function pulsar::jwt::generate_asymmetric_token() {
     trap "test -f $privatekeytmpfile && rm $privatekeytmpfile" RETURN
     tokentmpfile=$(mktemp)
     trap "test -f $tokentmpfile && rm $tokentmpfile" RETURN
-    kubectl get -n ${namespace} secrets ${secret_name} -o jsonpath="{.data['PRIVATEKEY']}" | base64 --decode > ${privatekeytmpfile}
+    pulsar::jwt::get_secret SECRETKEY ${tmpfile}
     ${PULSARCTL_BIN} token create -a RS256 --private-key-file ${privatekeytmpfile} --subject ${role} 2&> ${tokentmpfile}
     newtokentmpfile=$(mktemp)
     tr -d '\n' < ${tokentmpfile} > ${newtokentmpfile}
-    kubectl create secret generic ${token_name} -n ${namespace} --from-file="TOKEN=${newtokentmpfile}" --from-literal="TYPE=asymmetric"
+    kubectl create secret generic ${token_name} -n ${namespace} --from-file="TOKEN=${newtokentmpfile}" --from-literal="TYPE=asymmetric" ${local:+ -o yaml --dry-run=client}
 }
 
 if [[ "${symmetric}" == "true" ]]; then
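Review bot: The replacement line in pulsar::jwt::generate_asymmetric_token fetches the wrong key into the wrong file: it calls `pulsar::jwt::get_secret SECRETKEY ${tmpfile}`, while the removed line read PRIVATEKEY into `${privatekeytmpfile}`, which the pulsarctl call on the next line still consumes. Unless tmpfile is assigned somewhere outside this hunk, the expansion is empty and the private key never reaches privatekeytmpfile, so RS256 token generation fails in both local and cluster mode. The line should read `pulsar::jwt::get_secret PRIVATEKEY ${privatekeytmpfile}`. The function's opening lines are outside the hunk.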
diff --git a/scripts/pulsar/generate_token_secret_key.sh b/scripts/pulsar/generate_token_secret_key.sh
index be2f76e..ba4d4f4 100755
--- a/scripts/pulsar/generate_token_secret_key.sh
+++ b/scripts/pulsar/generate_token_secret_key.sh
@@ -31,6 +31,7 @@ Options:
        -n,--namespace                   the k8s namespace to install the pulsar helm chart
        -k,--release                     the pulsar helm release name
        -s,--symmetric                   generate symmetric secret key. If not provided, an asymmetric pair of keys are generated.
+       -l,--local                       read and write output from local filesystem, do not install secret to kubernetes
 Usage:
     $0 --namespace pulsar --release pulsar-dev
 EOF
@@ -57,6 +58,10 @@ case $key in
     symmetric=true
     shift
     ;;
+    -l|--local)
+    local=true
+    shift
+    ;;
     -h|--help)
     usage
     exit 0
@@ -75,6 +80,7 @@ pulsar::ensure_pulsarctl
 
 namespace=${namespace:-pulsar}
 release=${release:-pulsar-dev}
+local_cmd=${file:+-o yaml --dry-run=client >secret.yaml}
 
 function pulsar::jwt::generate_symmetric_key() {
     local secret_name="${release}-token-symmetric-key"
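Review bot: `local_cmd=${file:+-o yaml --dry-run=client >secret.yaml}` looks like a leftover from an earlier draft: `file` is never assigned in this commit and `local_cmd` is never read, so the line is dead. Even if it were used, an unquoted expansion would hand `>secret.yaml` to kubectl as a literal argument rather than performing a redirect. The line should be dropped; the per-call `${local:+ -o yaml --dry-run=client}` suffix in the following hunks already implements local mode.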
@@ -83,8 +89,10 @@ function pulsar::jwt::generate_symmetric_key() {
     trap "test -f $tmpfile && rm $tmpfile" RETURN
     ${PULSARCTL_BIN} token create-secret-key --output-file ${tmpfile}
     mv $tmpfile SECRETKEY
-    kubectl create secret generic ${secret_name} -n ${namespace} --from-file=SECRETKEY
-    rm SECRETKEY
+    kubectl create secret generic ${secret_name} -n ${namespace} --from-file=SECRETKEY ${local:+ -o yaml --dry-run=client}
+    if [[ "${local}" != "true" ]]; then
+        rm SECRETKEY
+    fi
 }
 
 function pulsar::jwt::generate_asymmetric_key() {
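Review bot: In local mode pulsar::jwt::generate_symmetric_key now leaves the plaintext `SECRETKEY` file in the current directory and nothing in this script removes it; the file is what generate_token.sh -l later reads via `cp SECRETKEY`, but that hand-off is not stated anywhere. A comment above the new `if`, `# local mode: keep SECRETKEY in cwd for generate_token.sh -l; the caller is responsible for removing it`, would document both the contract and the cleanup expectation. The same applies to PRIVATEKEY/PUBLICKEY in pulsar::jwt::generate_asymmetric_key in the next hunk. Both functions begin outside their hunks.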
@@ -97,9 +105,11 @@ function pulsar::jwt::generate_asymmetric_key() {
     ${PULSARCTL_BIN} token create-key-pair -a RS256 --output-private-key ${privatekeytmpfile} --output-public-key ${publickeytmpfile}
     mv $privatekeytmpfile PRIVATEKEY
     mv $publickeytmpfile PUBLICKEY
-    kubectl create secret generic ${secret_name} -n ${namespace} --from-file=PRIVATEKEY --from-file=PUBLICKEY
-    rm PRIVATEKEY
-    rm PUBLICKEY
+    kubectl create secret generic ${secret_name} -n ${namespace} --from-file=PRIVATEKEY --from-file=PUBLICKEY ${local:+ -o yaml --dry-run=client}
+    if [[ "${local}" != "true" ]]; then
+        rm PRIVATEKEY
+        rm PUBLICKEY
+    fi
 }
 
 if [[ "${symmetric}" == "true" ]]; then
diff --git a/scripts/pulsar/prepare_helm_release.sh b/scripts/pulsar/prepare_helm_release.sh
index 482bd49..2dd6bff 100755
--- a/scripts/pulsar/prepare_helm_release.sh
+++ b/scripts/pulsar/prepare_helm_release.sh
@@ -31,6 +31,7 @@ Options:
        -s,--symmetric                   generate symmetric secret key. If not provided, an asymmetric pair of keys are generated.
        --pulsar-superusers              the superusers of pulsar cluster. a comma separated list of super users.
        -c,--create-namespace            flag to create k8s namespace.
+       -l,--local                       read and write output from local filesystem, do not deploy to kubernetes
 Usage:
     $0 --namespace pulsar --release pulsar-release
 EOF
@@ -67,6 +68,10 @@ case $key in
     symmetric=true
     shift
     ;;
+    -l|--local)
+    local=true
+    shift
+    ;;
     -h|--help)
     usage
     exit 0
@@ -83,9 +88,16 @@ namespace=${namespace:-pulsar}
 release=${release:-pulsar-dev}
 pulsar_superusers=${pulsar_superusers:-"proxy-admin,broker-admin,admin"}
 
+function new_k8s_object() {
+    if [[ "${local}" == "true" ]]; then
+        echo ---
+    fi
+}
+
 function do_create_namespace() {
     if [[ "${create_namespace}" == "true" ]]; then
-        kubectl create namespace ${namespace}
+        new_k8s_object
+        kubectl create namespace ${namespace} ${local:+ -o yaml --dry-run=client}
     fi
 }
 
@@ -96,32 +108,38 @@ if [[ "${symmetric}" == "true" ]]; then
   extra_opts="${extra_opts} -s"
 fi
 
-echo "generate the token keys for the pulsar cluster"
+if [[ "${local}" == "true" ]]; then
+  extra_opts="${extra_opts} -l"
+fi
+
+echo "generate the token keys for the pulsar cluster" >&2
+new_k8s_object
 ${CHART_HOME}/scripts/pulsar/generate_token_secret_key.sh -n ${namespace} -k ${release} ${extra_opts}
 
-echo "generate the tokens for the super-users: ${pulsar_superusers}"
+echo "generate the tokens for the super-users: ${pulsar_superusers}" >&2
 
 IFS=', ' read -r -a superusers <<< "$pulsar_superusers"
 for user in "${superusers[@]}"
 do
-    echo "generate the token for $user"
+    echo "generate the token for $user" >&2
+    new_k8s_object
     ${CHART_HOME}/scripts/pulsar/generate_token.sh -n ${namespace} -k ${release} -r ${user} ${extra_opts} 
 done
 
-echo "-------------------------------------"
-echo
-echo "The jwt token secret keys are generated under:"
+echo "-------------------------------------" >&2
+echo >&2
+echo "The jwt token secret keys are generated under:" >&2
 if [[ "${symmetric}" == "true" ]]; then
-    echo "    - '${release}-token-symmetric-key'"
+    echo "    - '${release}-token-symmetric-key'" >&2
 else
-    echo "    - '${release}-token-asymmetric-key'"
+    echo "    - '${release}-token-asymmetric-key'" >&2
 fi
-echo
+echo >&2
 
-echo "The jwt tokens for superusers are generated and stored as below:"
+echo "The jwt tokens for superusers are generated and stored as below:" >&2
 for user in "${superusers[@]}"
 do
-    echo "    - '${user}':secret('${release}-token-${user}')"
+    echo "    - '${user}':secret('${release}-token-${user}')" >&2
 done
-echo
+echo >&2
 
diff --git a/scripts/pulsar/upload_tls.sh b/scripts/pulsar/upload_tls.sh
index c4e6a4e..3485089 100755
--- a/scripts/pulsar/upload_tls.sh
+++ b/scripts/pulsar/upload_tls.sh
@@ -40,6 +40,7 @@ Options:
        -d,--dir                         the dir for storing tls certs. Default to ${tlsdir}.
        -c,--client-components           the client components of pulsar cluster. a comma separated list of components. Default to ${clientComponents}.
        -s,--server-components           the server components of pulsar cluster. a comma separated list of components. Default to ${serverComponents}.
+       -l,--local                       read and write output from local filesystem, do not install secret to kubernetes
 Usage:
     $0 --namespace pulsar --release pulsar-dev
 EOF
@@ -75,6 +76,10 @@ case $key in
     shift
     shift
     ;;
+    -l|--local)
+    local=true
+    shift
+    ;;
     -h|--help)
     usage
     exit 0
@@ -91,7 +96,7 @@ ca_cert_file=${tlsdir}/certs/ca.cert.pem
 
 function upload_ca() {
     local tls_ca_secret="${release}-ca-tls"
-    kubectl create secret generic ${tls_ca_secret} -n ${namespace} --from-file="ca.crt=${ca_cert_file}"
+    kubectl create secret generic ${tls_ca_secret} -n ${namespace} --from-file="ca.crt=${ca_cert_file}" ${local:+ -o yaml --dry-run=client}
 }
 
 function upload_server_cert() {
@@ -104,7 +109,8 @@ function upload_server_cert() {
         -n ${namespace} \
         --from-file="tls.crt=${tls_cert_file}" \
         --from-file="tls.key=${tls_key_file}" \
-        --from-file="ca.crt=${ca_cert_file}"
+        --from-file="ca.crt=${ca_cert_file}" \
+        ${local:+ -o yaml --dry-run=client}
 }
 
 function upload_client_cert() {
@@ -117,7 +123,8 @@ function upload_client_cert() {
         -n ${namespace} \
         --from-file="tls.crt=${tls_cert_file}" \
         --from-file="tls.key=${tls_key_file}" \
-        --from-file="ca.crt=${ca_cert_file}"
+        --from-file="ca.crt=${ca_cert_file}" \
+        ${local:+ -o yaml --dry-run=client}
 }
 
 upload_ca