
{{- /* Template-scope values for the keystone fernet-rotate Job. */ -}}
{{- $resourceName := "keystone-fernet-rotate-job" }}
{{- /* Lookup path handed to the kolla_val_get_str / kolla_build_image_full helpers; presumably consulted left to right, most specific entry first. */ -}}
{{- $searchPath := ":global.kolla.keystone.fernet.rotate.job:global.kolla.fernet.all:global.kolla.keystone.all:global.kolla.all" }}
{{- $netHostTrue := false }}
{{- $podTypeBootstrap := false }}
{{- /* Image resolution context: container "keystone", looked up through the image_full / image_tag keys. */ -}}
{{- $imageCtx := dict "searchPath" $searchPath "Values" .Values "contName" "keystone" "imageName" "image_full" "tagName" "image_tag" }}
{{- $imageFull := include "kolla_build_image_full" $imageCtx }}
{{- $imagePullPolicy := include "kolla_val_get_str" (dict "key" "image_pull_policy" "searchPath" $searchPath "Values" .Values) }}
{{- $selectorKey := include "kolla_val_get_str" (dict "key" "selector_key" "searchPath" $searchPath "Values" .Values) }}
{{- $selectorValue := include "kolla_val_get_str" (dict "key" "selector_value" "searchPath" $searchPath "Values" .Values) }}
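{{- /* Inside this block "." is $env, so the common_* helpers and .Values both resolve through it. */ -}}
{{- with $env := dict "netHostTrue" $netHostTrue "podTypeBootstrap" $podTypeBootstrap "resourceName" $resourceName "Values" .Values "Release" .Release "searchPath" $searchPath }}
apiVersion: batch/v1
kind: Job
metadata:
  name: {{ $resourceName }}
spec:
  template:
    spec:
      nodeSelector:
        {{ $selectorKey }}: {{ $selectorValue | quote }}
      initContainers:
{{- include "common_dependency_container" . | indent 8 }}
      containers:
        - image: {{ $imageFull | quote }}
          imagePullPolicy: {{ $imagePullPolicy | quote }}
          name: main
          # The script below chowns /etc/keystone and /var/log/kolla/keystone
          # to the keystone user, which is why it runs as root.
          securityContext:
            runAsUser: 0
          command:
            - /bin/bash
            - -ec
            - |
              # Rotate the keystone fernet keys and publish the new set to the
              # "keystone-fernet-keys" Secret in this namespace, talking to the
              # API server with the pod's service-account token.
              # assumes the Job's ServiceAccount may get/update that Secret - TODO confirm RBAC
              SA_DIR=/var/run/secrets/kubernetes.io/serviceaccount
              KUBE_TOKEN=$(<"$SA_DIR/token")
              KUBE_NAMESPACE=$(<"$SA_DIR/namespace")
              SECRET_URL="https://$KUBERNETES_SERVICE_HOST:$KUBERNETES_PORT_443_TCP_PORT/api/v1/namespaces/$KUBE_NAMESPACE/secrets/keystone-fernet-keys"
              # Both scratch files hold key material; drop them on any exit path.
              trap 'rm -f /tmp/tokens.json /tmp/tokens2.json' EXIT

              curl -f --tlsv1.2 -sS --cacert "$SA_DIR/ca.crt" \
                -H "Authorization: Bearer $KUBE_TOKEN" -o /tmp/tokens.json \
                "$SECRET_URL"
              mkdir -p /etc/keystone/fernet-keys
              # /config is the keystone configMap mount; "..data" is presumably the
              # kubelet's current-version directory inside it - TODO confirm.
              cp -a /config/..data/* /etc/keystone
              # Unpack the Secret's base64 "data" entries into the local key directory.
              python - <<"EOF"
              import base64
              import json
              import os.path

              key_dir = "/etc/keystone/fernet-keys"
              with open("/tmp/tokens.json") as fh:
                  secret = json.load(fh)
              # Binary mode keeps the decode/write identical under Python 2 and 3
              # (b64decode returns bytes on 3, which a text-mode file rejects).
              for name, encoded in secret["data"].items():
                  with open(os.path.join(key_dir, name), "wb") as out:
                      out.write(base64.b64decode(encoded))
              EOF
              chown --recursive keystone:keystone /etc/keystone
              chmod 770 /etc/keystone/fernet-keys
              # find copes with an empty key directory, where a bare glob would
              # stay literal and make chmod fail under -e.
              find /etc/keystone/fernet-keys -type f -exec chmod 660 {} +
              mkdir -p /var/log/kolla/keystone
              chown keystone:keystone /var/log/kolla/keystone
              echo Before
              ls -l /etc/keystone/fernet-keys/
              keystone-manage fernet_rotate --keystone-user keystone --keystone-group keystone
              echo After
              ls -l /etc/keystone/fernet-keys/
              # Build the updated Secret body in /tmp/tokens2.json. When the Secret
              # was modified less than 5 minutes ago nothing is written, and the
              # shell step after this heredoc treats the missing file as "skip".
              python - <<"EOF"
              import base64
              import calendar
              import datetime
              import json
              import os
              import os.path
              import sys

              import dateutil.parser

              key_dir = "/etc/keystone/fernet-keys"
              MIN_INTERVAL_SECONDS = 5 * 60

              with open("/tmp/tokens.json") as fh:
                  secret = json.load(fh)
              annotations = secret["metadata"].get("annotations") or {}
              if "lastmod" in annotations:
                  # calendar.timegm is portable and timezone-explicit, unlike strftime("%s").
                  last_mod = calendar.timegm(dateutil.parser.parse(annotations["lastmod"]).utctimetuple())
                  now = calendar.timegm(datetime.datetime.utcnow().utctimetuple())
                  if now < last_mod + MIN_INTERVAL_SECONDS:
                      # os.exit() does not exist; sys.exit() is what ends the script cleanly.
                      sys.exit(0)

              annotations["lastmod"] = datetime.datetime.utcnow().replace(microsecond=0).isoformat() + "Z"
              secret["metadata"]["annotations"] = annotations
              # Replace the key set wholesale so keys dropped by the rotation leave the Secret.
              secret["data"] = {}
              secret["metadata"].pop("creationTimestamp", None)
              # resourceVersion is kept on purpose: the PUT then fails if the Secret
              # changed since it was read (presumably the intent - verify).
              for name in os.listdir(key_dir):
                  with open(os.path.join(key_dir, name), "rb") as fh:
                      secret["data"][name] = base64.b64encode(fh.read()).decode("ascii")
              with open("/tmp/tokens2.json", "w") as out:
                  out.write(json.dumps(secret))
              EOF
              if [ ! -f /tmp/tokens2.json ]; then
                  echo "Secret was updated less than 5 minutes ago; skipping upload"
                  exit 0
              fi
              curl_flags=()
{{- if .Values.upload_debug }}
              # upload_debug writes the complete Secret (the fernet keys) and, via
              # -vvv, the bearer token to the pod log; keep it off outside debugging.
              cat /tmp/tokens2.json
              curl_flags=(-vvv)
{{- end }}
              curl -f --tlsv1.2 -sS --cacert "$SA_DIR/ca.crt" \
                -X PUT \
                -d '@/tmp/tokens2.json' \
                -H 'Content-type:application/json' \
                -H "Authorization: Bearer $KUBE_TOKEN" \
                "$SECRET_URL" "${curl_flags[@]}"
          env:
{{- include "common_bootstrap_env_vars" . | indent 12 }}
          volumeMounts:
{{- include "common_volume_mounts" $env | indent 12 }}
            - mountPath: /config
              name: keystone
              readOnly: true
      volumes:
{{- include "common_volumes" $env | indent 8 }}
        - name: keystone
          configMap:
            name: keystone
      restartPolicy: OnFailure
{{- end }}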