122 lines
5.0 KiB
YAML
122 lines
5.0 KiB
YAML
{{- $resourceName := "keystone-fernet-rotate-job" }}
|
|
{{- $searchPath := ":global.kolla.keystone.fernet.rotate.job:global.kolla.fernet.all:global.kolla.keystone.all:global.kolla.all" }}
|
|
{{- $c := dict "searchPath" $searchPath "Values" .Values }}
|
|
{{- $_ := set $c "contName" "keystone" }}
|
|
{{- $_ := set $c "imageName" "image_full" }}
|
|
{{- $_ := set $c "tagName" "image_tag" }}
|
|
{{- $imageFull := include "kolla_build_image_full" $c }}
|
|
{{- $imagePullPolicy := include "kolla_val_get_str" (dict "key" "image_pull_policy" "searchPath" $searchPath "Values" .Values ) }}
|
|
{{- $selectorKey := include "kolla_val_get_str" (dict "key" "selector_key" "searchPath" $searchPath "Values" .Values ) }}
|
|
{{- $selectorValue := include "kolla_val_get_str" (dict "key" "selector_value" "searchPath" $searchPath "Values" .Values ) }}
|
|
{{- $netHostTrue := false }}
|
|
{{- $podTypeBootstrap := false }}
|
|
{{- with $env := dict "netHostTrue" $netHostTrue "podTypeBootstrap" false "resourceName" $resourceName "Values" .Values "Release" .Release "searchPath" $searchPath }}
|
|
apiVersion: batch/v1
|
|
kind: Job
|
|
metadata:
|
|
name: keystone-fernet-rotate-job
|
|
spec:
|
|
template:
|
|
spec:
|
|
nodeSelector:
|
|
{{ $selectorKey }}: {{ $selectorValue | quote }}
|
|
initContainers:
|
|
{{- include "common_dependency_container" . | indent 8 }}
|
|
containers:
|
|
- image: {{ $imageFull | quote }}
|
|
imagePullPolicy: {{ $imagePullPolicy | quote }}
|
|
name: main
|
|
securityContext:
|
|
runAsUser: 0
|
|
command:
|
|
- /bin/bash
|
|
- -ec
|
|
- |
|
|
KUBE_TOKEN=$(</var/run/secrets/kubernetes.io/serviceaccount/token)
|
|
KUBE_NAMESPACE=$(</var/run/secrets/kubernetes.io/serviceaccount/namespace)
|
|
curl -f --tlsv1.2 -sS --cacert /var/run/secrets/kubernetes.io/serviceaccount/ca.crt \
|
|
-H "Authorization: Bearer $KUBE_TOKEN" -o /tmp/tokens.json \
|
|
https://$KUBERNETES_SERVICE_HOST:$KUBERNETES_PORT_443_TCP_PORT/api/v1/namespaces/$KUBE_NAMESPACE/secrets/keystone-fernet-keys
|
|
|
|
mkdir -p /etc/keystone/fernet-keys
|
|
cp -a /config/..data/* /etc/keystone
|
|
python - <<"EOF"
|
|
import base64
|
|
import json
|
|
import os.path
|
|
j = json.load(open("/tmp/tokens.json"));
|
|
for (k,v) in j["data"].items():
|
|
f = open(os.path.join("/etc/keystone/fernet-keys", k), "w")
|
|
f.write(base64.b64decode(v))
|
|
f.close()
|
|
EOF
|
|
|
|
chown --recursive keystone.keystone /etc/keystone
|
|
chmod 770 /etc/keystone/fernet-keys
|
|
chmod --recursive 660 /etc/keystone/fernet-keys/*
|
|
mkdir -p /var/log/kolla/keystone
|
|
chown keystone.keystone /var/log/kolla/keystone
|
|
echo Before
|
|
ls -l /etc/keystone/fernet-keys/
|
|
keystone-manage fernet_rotate --keystone-user keystone --keystone-group keystone
|
|
echo After
|
|
ls -l /etc/keystone/fernet-keys/
|
|
|
|
python - <<"EOF"
|
|
import base64
|
|
import datetime
|
|
import dateutil.parser
|
|
import json
|
|
import os
|
|
import os.path
|
|
p = "/etc/keystone/fernet-keys"
|
|
j = json.load(open("/tmp/tokens.json"));
|
|
a = j["metadata"].get("annotations", {})
|
|
if "lastmod" in a:
|
|
d = int(dateutil.parser.parse(a["lastmod"]).strftime("%s"))
|
|
now = int(datetime.datetime.utcnow().strftime("%s"))
|
|
if now < d + 5*60:
|
|
os.exit(0)
|
|
now = datetime.datetime.utcnow().replace(microsecond=0).isoformat() + 'Z'
|
|
a["lastmod"] = now
|
|
j["metadata"]["annotations"] = a
|
|
j["data"] = {}
|
|
del j["metadata"]["creationTimestamp"]
|
|
for k in os.listdir(p):
|
|
f = open(os.path.join(p, k), "r")
|
|
j["data"][k] = base64.b64encode(f.read())
|
|
f.close()
|
|
f = open("/tmp/tokens2.json", "w");
|
|
f.write(json.dumps(j))
|
|
f.close()
|
|
EOF
|
|
|
|
[ ! -f /tmp/tokens2.json ] && exit
|
|
|
|
curl_flags=""
|
|
{{- if .Values.upload_debug }}
|
|
cat /tmp/tokens2.json
|
|
curl_flags=-vvv
|
|
{{- end }}
|
|
curl -f --tlsv1.2 -sS --cacert /var/run/secrets/kubernetes.io/serviceaccount/ca.crt \
|
|
-X PUT \
|
|
-d '@/tmp/tokens2.json' \
|
|
-H 'Content-type:application/json' \
|
|
-H "Authorization: Bearer $KUBE_TOKEN" \
|
|
https://$KUBERNETES_SERVICE_HOST:$KUBERNETES_PORT_443_TCP_PORT/api/v1/namespaces/$KUBE_NAMESPACE/secrets/keystone-fernet-keys $curl_flags
|
|
|
|
env:
|
|
{{- include "common_bootstrap_env_vars" . | indent 12 }}
|
|
volumeMounts:
|
|
{{- include "common_volume_mounts" $env | indent 12 }}
|
|
- mountPath: /config
|
|
name: keystone
|
|
readOnly: true
|
|
volumes:
|
|
{{- include "common_volumes" $env | indent 8 }}
|
|
- name: keystone
|
|
configMap:
|
|
name: keystone
|
|
restartPolicy: OnFailure
|
|
{{- end }}
|