services/userspace
1
0
Fork 0
Code Issues 1 Pull Requests Projects Releases Wiki Activity

version 1 release

Browse Source
This commit is contained in:
ducoterra
2021-12-24 15:42:07 -04:00
parent 9d7f8ad326
commit 18f62b5fb0
31 changed files with 104 additions and 382 deletions
Download Patch File Download Diff File Expand all files Collapse all files

35
README.md
View File

@@ -4,27 +4,23 @@
### Quickstart
1. Start Docker
2. Run createprojectspace.sh
```bash
./createprojectspace.sh <server_fqdn> <username>
# Create certsigner pod for all other operations
./setup.sh <server_fqdn>
# Create a user, use "admin" to create an admin user
./adduser <server_fqdn> <user>
# Create a namespace and allow <user> to access it
./createprojectspace <server_fqdn> <user> <project>
# Update a project namespace with the contents of ./namespace
./updateprojectspace <server_fqdn> <user> <project>
# Remove a user, their namespace, and their access
./removeuserspace <server_fqdn> <user>
```
### Update a user
```bash
export USER=user
helm template $USER ./namespace | kubectl --context admin apply -f -
```
### Objectives
1. Provision a namespace with clusterroles, rolebindings, and a dedicated nfs-provisioner with one helm chart
2. Create an easy way for users to sign their certificates
3. Create a cleanup script without deleting user data
4. profit
### Userspace
#### Namespace
@@ -122,7 +118,8 @@ kubectl -n kube-system create secret generic certsigner --from-file /var/lib/ran
#### Set up the certsigner pod
```bash
kubectl --context admin apply -f certsigner
scp certsigner.yaml <server>:~/certsigner.yaml
kubectl apply -f certsigner.yaml
```
#### Generate a cert

26
adduser.sh
View File

@@ -1,15 +1,20 @@
#!/bin/bash
export USER=$1
export SERVER=$2
# Use
# ./adduser.sh <server_fqdn> <user>
export SERVER=$1
export USER=$2
export CERT_DIR=$HOME/.kube/$SERVER/users/$USER
export CA_CERT_DIR=$HOME/.kube/$SERVER
export SERVER_USER_DIR="~/.kube/users/$USER"
export SERVER_NAME=$(echo "$SERVER" | sed 's/\./-/g')
export SERVER_USER="$USER-$SERVER_NAME"
if [ -z $USER ]; then
echo "No arguments supplied! Format is ./adduser.sh <USER> <SERVER_FQDN>"
echo "No arguments supplied! Format is ./adduser.sh <SERVER_FQDN> <USER>"
exit 1
fi
@@ -82,17 +87,15 @@ scp $SERVER:$SERVER_USER_DIR/$USER.crt $CERT_DIR/$USER.crt
echo "retrieving server ca"
wget --no-check-certificate https://$SERVER:6443/cacerts -O $CA_CERT_DIR/server-ca.pem
echo "adding server to config with new context $SERVER-$USER"
kubectl config set-cluster $SERVER --server=https://$SERVER:6443 --certificate-authority=$CA_CERT_DIR/server-ca.pem
kubectl config set-credentials $USER-$SERVER --client-certificate=$CERT_DIR/$USER.crt --client-key=$CERT_DIR/$USER.key
if [ $USER = "admin" ]; then
kubectl config set-context $SERVER-$USER --cluster=$SERVER --namespace=kube-system --user=$USER-$SERVER
else
kubectl config set-context $SERVER-$USER --cluster=$SERVER --namespace=$USER --user=$USER-$SERVER
fi
echo "adding user to config file"
kubectl config set-credentials $SERVER_USER --client-certificate=$CERT_DIR/$USER.crt --client-key=$CERT_DIR/$USER.key
kubectl config set current-context $SERVER-$USER
echo "setting context"
kubectl config set contexts.$(kubectl config current-context).user $SERVER_USER
if [ $USER = "admin" ]; then
echo "Admin user created, skipping namespace"
@@ -110,6 +113,9 @@ fi
echo "Creating namespace from template"
ssh $SERVER "kubectl apply -f $SERVER_USER_DIR/namespace.yaml"
echo "Setting namespace context"
kubectl config set contexts.$(kubectl config current-context).namespace $USER
if [ $? -ne 0 ]; then
echo "Failed to create namespace"
exit 1

4
charts/certsigner/0.0.1/templates/deploy.yaml → certsigner.yaml
View File

@@ -7,11 +7,11 @@ spec:
replicas: 1
selector:
matchLabels:
app: {{ .Release.Name }}
app: certsigner
template:
metadata:
labels:
app: {{ .Release.Name }}
app: certsigner
spec:
containers:
- name: certsigner

23
charts/certsigner/0.0.1/Chart.yaml
View File

@@ -1,23 +0,0 @@
apiVersion: v2
name: certsigner
description: A Helm chart for Kubernetes
# A chart can be either an 'application' or a 'library' chart.
#
# Application charts are a collection of templates that can be packaged into versioned archives
# to be deployed.
#
# Library charts provide useful utilities or functions for the chart developer. They're included as
# a dependency of application charts to inject those utilities and functions into the rendering
# pipeline. Library charts do not define any templates and therefore cannot be deployed.
type: application
# This is the chart version. This version number should be incremented each time you make changes
# to the chart and its templates, including the app version.
# Versions are expected to follow Semantic Versioning (https://semver.org/)
version: 0.0.1
# This is the version number of the application being deployed. This version number should be
# incremented each time you make changes to the application. Versions are not expected to
# follow Semantic Versioning. They should reflect the version the application is using.
appVersion: 1.16.0

3
charts/certsigner/0.0.1/app-readme.md
View File

@@ -1,3 +0,0 @@
# Certsigner
Signs your certs. What more could you want?

12
charts/certsigner/0.0.1/templates/clusterrolebinding.yaml
View File

@@ -1,12 +0,0 @@
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
name: cluster-readonly
subjects:
- kind: Group
name: user
apiGroup: ""
roleRef:
kind: ClusterRole
name: cluster-readonly
apiGroup: ""

0
charts/certsigner/0.0.1/values.yaml
View File

3
charts/certsigner/item.yaml
View File

@@ -1,3 +0,0 @@
categories:
- generic
icon_url: "http://ix_url"

23
charts/namespace/0.0.1/.helmignore
View File

@@ -1,23 +0,0 @@
# Patterns to ignore when building packages.
# This supports shell glob matching, relative path matching, and
# negation (prefixed with !). Only one pattern per line.
.DS_Store
# Common VCS dirs
.git/
.gitignore
.bzr/
.bzrignore
.hg/
.hgignore
.svn/
# Common backup files
*.swp
*.bak
*.tmp
*.orig
*~
# Various IDEs
.project
.idea/
*.tmproj
.vscode/

211
charts/namespace/0.0.1/README.md
View File

@@ -1,211 +0,0 @@
# Project Userspace
## One provisioner to rule them all
### Quickstart
1. Start Docker
2. Run createprojectspace.sh
```bash
./createprojectspace.sh <server_fqdn> <username>
```
### Update a user
```bash
export USER=user
helm template $USER ./namespace | kubectl --context admin apply -f -
```
### Objectives
1. Provision a namespace with clusterroles, rolebindings, and a dedicated nfs-provisioner with one helm chart
2. Create an easy way for users to sign their certificates
3. Create a cleanup script without deleting user data
4. profit
### Userspace
#### Namespace
```yaml
apiVersion: v1
kind: Namespace
metadata:
name: {{ .Release.Name }}
```
#### Roles
```yaml
kind: Role
apiVersion: rbac.authorization.k8s.io/v1beta1
metadata:
name: namespace-manager
namespace: {{ .Release.Name }}
rules:
- apiGroups:
- ""
- extensions
- apps
- batch
- autoscaling
- networking.k8s.io
- traefik.containo.us
- rbac.authorization.k8s.io
- metrics.k8s.io
resources:
- deployments
- replicasets
- pods
- pods/exec
- pods/log
- pods/attach
- daemonsets
- statefulsets
- replicationcontrollers
- horizontalpodautoscalers
- services
- ingresses
- persistentvolumeclaims
- jobs
- cronjobs
- secrets
- configmaps
- serviceaccounts
- rolebindings
- ingressroutes
- middlewares
- endpoints
verbs:
- "*"
- apiGroups:
- ""
- metrics.k8s.io
- rbac.authorization.k8s.io
resources:
- resourcequotas
- roles
verbs:
- list
```
#### Rolebinding
```yaml
kind: RoleBinding
apiVersion: rbac.authorization.k8s.io/v1beta1
metadata:
namespace: {{ .Release.Name }}
name: namespace-manager
subjects:
- kind: User
name: {{ .Release.Name }}
apiGroup: ""
roleRef:
kind: ClusterRole
name: namespace-manager
apiGroup: ""
```
### Create a kubernetes certsigner pod
This keeps the client-ca crt and key secret and allows the cert to be signed and stored on the pod
#### Create the certsigner secret
```bash
kubectl -n kube-system create secret generic certsigner --from-file /var/lib/rancher/k3s/server/tls/client-ca.crt --from-file /var/lib/rancher/k3s/server/tls/client-ca.key
```
#### Set up the certsigner pod
```bash
kubectl --context admin apply -f certsigner
```
#### Generate a cert
```bash
export USER=<user>
docker run -it -v $(pwd)/users/$USER:/$USER python:latest openssl genrsa -out /$USER/$USER.key 2048
docker run -it -v $(pwd)/users/$USER:/$USER python:latest openssl req -new -key /$USER/$USER.key -out /$USER/$USER.csr -subj "/CN=$USER/O=user"
```
#### Create a new Userspace
```bash
helm template $USER ./namespace | kubectl --context admin apply -f -
```
#### Sign the cert
```bash
export USER=<user>
kubectl --context admin cp $(pwd)/users/$USER/$USER.csr certsigner:/certs/$USER.csr
kubectl --context admin exec -it --context admin certsigner -- openssl x509 -in /certs/$USER.csr -req -CA /keys/client-ca.crt -CAkey /keys/client-ca.key -CAcreateserial -out /certs/$USER.crt -days 5000
kubectl --context admin cp certsigner:/certs/$USER.crt $(pwd)/users/$USER/$USER.crt
```
#### Add to the config
```bash
kubectl config set-credentials $USER --client-certificate=$USER.crt --client-key=$USER.key
kubectl config set-context $USER --cluster=mainframe --namespace=$USER --user=$USER
```
#### Delete
```bash
kubectl config delete-context $USER
helm template $USER ./namespace | kubectl --context admin delete -f -
```
### Signing a user cert - detailed notes
NOTE: ca.crt and ca.key are in /var/lib/rancher/k3s/server/tls/client-ca.*
```bash
# First we create the credentials
# /CN=<username> - the user
# /O=<group> - the group
# Navigate to the user directory
export USER=<username>
cd $USER
# Generate a private key
openssl genrsa -out $USER.key 2048
# Check the key
# openssl pkey -in ca.key -noout -text
# Generate and send me the CSR
# The "user" group is my default group
openssl req -new -key $USER.key -out $USER.csr -subj "/CN=$USER/O=user"
# Check the CSR
# openssl req -in $USER.csr -noout -text
# If satisfactory, sign the CSR
# Copy from /var/lib/rancher/k3s/server/tls/client-ca.crt and client-ca.key
openssl x509 -req -in $USER.csr -CA ../client-ca.crt -CAkey ../client-ca.key -CAcreateserial -out $USER.crt -days 5000
# Review the certificate
# openssl x509 -in $USER.crt -text -noout
# Send back the crt
# cp $USER.crt $USER.key ../server-ca.crt ~/.kube/
kubectl config set-credentials $USER --client-certificate=$USER.crt --client-key=$USER.key
kubectl config set-context $USER --cluster=mainframe --namespace=$USER --user=$USER
# Now we create the namespace, rolebindings, and resource quotas
# kubectl apply -f k8s/
# Add the cluster
# CA file can be found at https://3.14.3.100:6443/cacerts
- cluster:
certificate-authority: server-ca.crt
server: https://3.14.3.100:6443
name: mainframe
# Test if everything worked
kubectl --context=$USER-context get pods
```

37
charts/namespace/0.0.1/questions.yaml
View File

@@ -1,37 +0,0 @@
groups:
- name: "Container Images"
description: "Image to be used for container"
questions:
- variable: image
description: "Docker Image Details"
group: "Container Images"
label: "Docker Image"
schema:
type: dict
required: true
attrs:
- variable: repository
description: "Docker image repository"
label: "Image repository"
schema:
type: string
required: true
- variable: tag
description: "Tag to use for specified image"
label: "Image Tag"
schema:
type: string
default: "latest"
- variable: pullPolicy
description: "Docker Image Pull Policy"
label: "Image Pull Policy"
schema:
type: string
default: "IfNotPresent"
enum:
- value: "IfNotPresent"
description: "Only pull image if not present on host"
- value: "Always"
description: "Always pull image even if present on host"
- value: "Never"
description: "Never pull image even if it's not present on host"

14
charts/namespace/0.0.1/templates/limitrange.yaml
View File

@@ -1,14 +0,0 @@
apiVersion: v1
kind: LimitRange
metadata:
name: default
namespace: {{ .Release.Name }}
spec:
limits:
- default:
memory: 128Mi
cpu: 100m
defaultRequest:
memory: 1Mi
cpu: 1m
type: Container

3
charts/namespace/item.yaml
View File

@@ -1,3 +0,0 @@
categories:
- generic
icon_url: "http://ix_url"

15
charts/certsigner/0.0.1/templates/clusterrole.yaml → cluster-readonly.yaml
View File

@@ -13,3 +13,18 @@ rules:
- storageclasses
verbs:
- list
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
name: cluster-readonly
subjects:
- kind: Group
name: user
apiGroup: ""
roleRef:
kind: ClusterRole
name: cluster-readonly
apiGroup: ""

15
createprojectspace.sh
View File

@@ -1,10 +1,15 @@
#!/bin/bash
export PROJECT=$1
# Use
# ./createprojectspace <server_fqdn> <user> <project>
export SERVER=$1
export USER=$2
export SERVER=$3
export PROJECT=$3
export SERVER_PROJECT_DIR="~/.kube/projects/$PROJECT"
export SERVER_NAME=$(echo "$SERVER" | sed 's/\./-/g')
export SERVER_USER="$USER-$SERVER_NAME"
echo "Checking if project namespace exists"
exists=$(ssh $SERVER "kubectl get namespace --output=jsonpath=\"{.items[?(@.metadata.name=='$PROJECT')].metadata.name}\"")
@@ -39,7 +44,7 @@ if [ $? -ne 0 ]; then
exit 1
fi
echo "adding server to config with new context $SERVER-$USER"
kubectl config set-context $SERVER-$USER-$PROJECT --cluster=$SERVER --namespace=$PROJECT --user=$USER-$SERVER
kubectl config set current-context $SERVER-$USER-$PROJECT
echo "Setting config"
kubectl config set contexts.$(kubectl config current-context).namespace $PROJECT
kubectl config set contexts.$(kubectl config current-context).user $SERVER_USER
echo "done"

0
charts/certsigner/0.0.1/.helmignore → namespace/.helmignore
View File

0
charts/namespace/0.0.1/Chart.yaml → namespace/Chart.yaml
View File

0
charts/certsigner/0.0.1/README.md → namespace/README.md
View File

0
charts/namespace/0.0.1/app-readme.md → namespace/app-readme.md
View File

0
charts/certsigner/0.0.1/questions.yaml → namespace/questions.yaml
View File

0
charts/namespace/0.0.1/templates/clusterrole.yaml → namespace/templates/clusterrole.yaml
View File

14
namespace/templates/limitrange.yaml Normal file
View File

@@ -0,0 +1,14 @@
# apiVersion: v1
# kind: LimitRange
# metadata:
# name: default
# namespace: {{ .Release.Name }}
# spec:
# limits:
# - default:
# memory: 128Mi
# cpu: 100m
# defaultRequest:
# memory: 1Mi
# cpu: 1m
# type: Container

0
charts/namespace/0.0.1/templates/namespace.yaml → namespace/templates/namespace.yaml
View File

0
charts/namespace/0.0.1/templates/resourcequota.yaml → namespace/templates/resourcequota.yaml
View File

0
charts/namespace/0.0.1/templates/role.yaml → namespace/templates/role.yaml
View File

0
charts/namespace/0.0.1/templates/rolebinding.yaml → namespace/templates/rolebinding.yaml
View File

0
charts/namespace/0.0.1/values.yaml → namespace/values.yaml
View File

20
removeuserspace.sh
View File

@@ -1,15 +1,20 @@
#!/bin/bash
export USER=$1
export SERVER=$2
# Use
# ./removeuserspace <server_fqdn> <user>
export SERVER=$1
export USER=$2
export CERT_DIR=$HOME/.kube/$SERVER/users/$USER
export CA_CERT_DIR=$HOME/.kube/$SERVER
export SERVER_USER_DIR="~/.kube/users/$USER"
export SERVER_NAME=$(echo "$SERVER" | sed 's/\./-/g')
export SERVER_USER="$USER-$SERVER_NAME"
echo "Checking if project namespace exists"
exists=$(ssh $SERVER "kubectl get namespace --output=jsonpath=\"{.items[?(@.metadata.name=='$PROJECT')].metadata.name}\"")
exists=$(ssh $SERVER "kubectl get namespace --output=jsonpath=\"{.items[?(@.metadata.name=='$USER')].metadata.name}\"")
if [ -z $exists ]; then
echo "Namespace not found, nothing to delete"
exit 1
@@ -17,12 +22,6 @@ else
echo "Namespace exists, deleting"
fi
echo "Removing server from config"
kubectl config delete-cluster $SERVER
kubectl config unset users.$USER-$SERVER
kubectl config delete-context $SERVER-$USER
kubectl config unset current-context
echo "Deleting user namespace"
ssh $SERVER "kubectl delete -f $SERVER_USER_DIR/namespace.yaml"
@@ -31,3 +30,6 @@ ssh $SERVER "rm -rf $SERVER_USER_DIR"
echo "Deleting local cert dir"
rm -rf $CERT_DIR
echo "Removing from kubeconfig"
kubectl config delete-user $SERVER_USER

1
setenv.sh
View File

@@ -1 +0,0 @@
kubectl config set current-context k3os-alpha.dnet-admin

10
setup.sh Executable file
View File

@@ -0,0 +1,10 @@
#!/bin/bash
# Use
# ./setup.sh <server_fqdn>
export SERVER=$1
ssh $SERVER sudo kubectl -n kube-system create secret generic certsigner --from-file /var/lib/rancher/k3s/server/tls/client-ca.crt --from-file /var/lib/rancher/k3s/server/tls/client-ca.key
scp certsigner.yaml $SERVER:~/certsigner.yaml
ssh $SERVER kubectl apply -f certsigner.yaml

7
updateprojectspace.sh
View File

@@ -1,8 +1,11 @@
#!/bin/bash
export PROJECT=$1
# Use
# ./updateprojectspace <server_fqdn> <user> <project>
export SERVER=$1
export USER=$2
export SERVER=$3
export PROJECT=$3
export SERVER_PROJECT_DIR="~/.kube/projects/$PROJECT"