			
		
		
		
	Merge pull request #3 from razorpay/beta
script, readme: plugin_auth_mode: token
		
						commit
						83b1e5d587
					
				
					 2 changed files with 49 additions and 23 deletions
				
			
		
							
								
								
									
										11
									
								
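--- a/README.md
+++ b/README.md
@@ -4,10 +4,9 @@
 
 This plugin allows to update a Kubernetes deployment.
   - Cert based auth for tls
+  - token based auth
   - Insecure auth without tls
 
-This version deprecates token based auth
-
 ## Usage
 
 This pipeline will update the `my-deployment` deployment with the image tagged `DRONE_COMMIT_SHA:0:8`
@@ -22,11 +21,12 @@ pipeline:
       - docker_password
       - server_url_<cluster>
       - server_cert_<cluster>
-      - client_cert_<cluster>
-      - client_key_<cluster>
+      - client_cert_<cluster> / - server_token_<cluster>
+      - client_key_<cluster> / - server_token_<cluster>
       - ...
     user: <kubernetes-user with a cluster-rolebinding>
     cluster: <kubernetes-cluster>
+    auth_mode: [ token | client-cert ] // provide only if providing server_cert_<cluster>
     deployment: [<kubernetes-deployements, ...>]
     repo: <org/repo>
     container: [ <containers,...> ]
@@ -46,6 +46,9 @@ pipeline:
 ## Required secrets
 
   - server_url
+  - token:
+    - server_token
+      - `kubectl get secret [ your default secret name ] -o yaml | egrep 'token:' > server.token`
   - tls:
     - server_cert
       - `kubectl get secret [ your default secret name ] -o yaml | egrep 'ca.crt:' > ca.crt`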
							
								
								
									
										61
									
								
								update.sh
									
										
									
									
									
								
							
							
						
						
									
										61
									
								
								update.sh
									
										
									
									
									
								
							| 
						 | 
					@ -18,14 +18,10 @@ if [ ! -z ${PLUGIN_CLUSTER} ]; then
 | 
				
			||||||
  # create dynamic cert var names
 | 
					  # create dynamic cert var names
 | 
				
			||||||
  SERVER_URL_VAR=SERVER_URL_${CLUSTER}
 | 
					  SERVER_URL_VAR=SERVER_URL_${CLUSTER}
 | 
				
			||||||
  SERVER_CERT_VAR=SERVER_CERT_${CLUSTER}
 | 
					  SERVER_CERT_VAR=SERVER_CERT_${CLUSTER}
 | 
				
			||||||
  CLIENT_CERT_VAR=CLIENT_CERT_${CLUSTER}
 | 
					 | 
				
			||||||
  CLIENT_KEY_VAR=CLIENT_KEY_${CLUSTER}
 | 
					 | 
				
			||||||
 | 
					
 | 
				
			||||||
  # expand the var contents
 | 
					  # expand the var contents
 | 
				
			||||||
  SERVER_URL=${!SERVER_URL_VAR}
 | 
					  SERVER_URL=${!SERVER_URL_VAR}
 | 
				
			||||||
  SERVER_CERT=${!SERVER_CERT_VAR}
 | 
					  SERVER_CERT=${!SERVER_CERT_VAR}
 | 
				
			||||||
  CLIENT_CERT=${!CLIENT_CERT_VAR}
 | 
					 | 
				
			||||||
  CLIENT_KEY=${!CLIENT_KEY_VAR}
 | 
					 | 
				
			||||||
 | 
					
 | 
				
			||||||
  if [[ -z "${SERVER_URL}" ]]; then
 | 
					  if [[ -z "${SERVER_URL}" ]]; then
 | 
				
			||||||
    echo "[ERROR] drone secret: ${SERVER_URL_VAR} not added!"
 | 
					    echo "[ERROR] drone secret: ${SERVER_URL_VAR} not added!"
 | 
				
			||||||
| 
						 | 
					@ -35,32 +31,59 @@ if [ ! -z ${PLUGIN_CLUSTER} ]; then
 | 
				
			||||||
  if [[ ! -z "${SERVER_CERT}" ]]; then
 | 
					  if [[ ! -z "${SERVER_CERT}" ]]; then
 | 
				
			||||||
    echo "[INFO] Using secure connection with tls-certificate."
 | 
					    echo "[INFO] Using secure connection with tls-certificate."
 | 
				
			||||||
    echo ${SERVER_CERT} | base64 -d > ca.crt
 | 
					    echo ${SERVER_CERT} | base64 -d > ca.crt
 | 
				
			||||||
    kubectl config set-cluster default --server=${SERVER_URL} --certificate-authority=ca.crt
 | 
					    kubectl config set-cluster ${CLUSTER} --server=${SERVER_URL} --certificate-authority=ca.crt
 | 
				
			||||||
 | 
					
 | 
				
			||||||
    if [[ ! -z "${CLIENT_CERT}" ]] && [[ ! -z "${CLIENT_KEY}" ]]; then
 | 
					    # vars based on auth_mode
 | 
				
			||||||
      echo "[INFO] Setting client credentials with signed-certificate and key."
 | 
					    if [ ! -z ${PLUGIN_AUTH_MODE} ]; then
 | 
				
			||||||
      echo ${CLIENT_CERT} | base64 -d > client.crt
 | 
					      if [[ "${PLUGIN_AUTH_MODE}" == "token" ]]; then
 | 
				
			||||||
      echo ${CLIENT_KEY} | base64 -d > client.key
 | 
					        echo "[INFO] Using Server token to authorize"
 | 
				
			||||||
      kubectl config set-credentials ${USER} --client-certificate=client.crt --client-key=client.key
 | 
					        SERVER_TOKEN_VAR=SERVER_TOKEN_${CLUSTER}
 | 
				
			||||||
    else
 | 
					        # expand
 | 
				
			||||||
      echo "[ERROR] Required plugin parameters:"
 | 
					        SERVER_TOKEN=${!SERVER_TOKEN_VAR}
 | 
				
			||||||
      echo " - client_cert"
 | 
					        if [[ ! -z "${SERVER_TOKEN}" ]]; then
 | 
				
			||||||
      echo " - client_key"
 | 
					          kubectl config set-credentials ${USER} --token=${SERVER_TOKEN}
 | 
				
			||||||
      echo "are not provided"
 | 
					        else
 | 
				
			||||||
      exit 1
 | 
					          echo "[ERROR] Required plugin param - server_token - not provided."
 | 
				
			||||||
 | 
					          exit 1
 | 
				
			||||||
 | 
					        fi
 | 
				
			||||||
 | 
					      elif [[ "${PLUGIN_AUTH_MODE}" == "client-cert" ]]; then
 | 
				
			||||||
 | 
					        echo "[INFO] Using Client cert and Key to authorize"
 | 
				
			||||||
 | 
					        CLIENT_CERT_VAR=CLIENT_CERT_${CLUSTER}
 | 
				
			||||||
 | 
					        CLIENT_KEY_VAR=CLIENT_KEY_${CLUSTER}
 | 
				
			||||||
 | 
					        # expand
 | 
				
			||||||
 | 
					        CLIENT_CERT=${!CLIENT_CERT_VAR}
 | 
				
			||||||
 | 
					        CLIENT_KEY=${!CLIENT_KEY_VAR}
 | 
				
			||||||
 | 
					
 | 
				
			||||||
 | 
					        if [[ ! -z "${CLIENT_CERT}" ]] && [[ ! -z "${CLIENT_KEY}" ]]; then
 | 
				
			||||||
 | 
					          echo "[INFO] Setting client credentials with signed-certificate and key."
 | 
				
			||||||
 | 
					          echo ${CLIENT_CERT} | base64 -d > client.crt
 | 
				
			||||||
 | 
					          echo ${CLIENT_KEY} | base64 -d > client.key
 | 
				
			||||||
 | 
					          kubectl config set-credentials ${USER} --client-certificate=client.crt --client-key=client.key
 | 
				
			||||||
 | 
					        else
 | 
				
			||||||
 | 
					          echo "[ERROR] Required plugin parameters:"
 | 
				
			||||||
 | 
					          echo " - client_cert"
 | 
				
			||||||
 | 
					          echo " - client_key"
 | 
				
			||||||
 | 
					          echo "are not provided"
 | 
				
			||||||
 | 
					          exit 1
 | 
				
			||||||
 | 
					        fi
 | 
				
			||||||
 | 
					      else
 | 
				
			||||||
 | 
					        echo "[ERROR] Required plugin param - auth_mode - not provided"
 | 
				
			||||||
 | 
					        echo "[INFO] Should be either [ token | client-cert ]"
 | 
				
			||||||
 | 
					        exit 1
 | 
				
			||||||
 | 
					      fi
 | 
				
			||||||
    fi
 | 
					    fi
 | 
				
			||||||
  else
 | 
					  else
 | 
				
			||||||
    echo "[WARNING] Required plugin parameter: ${SERVER_CERT_VAR} not added!"
 | 
					    echo "[WARNING] Required plugin parameter: ${SERVER_CERT_VAR} not added!"
 | 
				
			||||||
    echo "[WARNING] Using insecure connection to cluster"
 | 
					    echo "[WARNING] Using insecure connection to cluster"
 | 
				
			||||||
    kubectl config set-cluster default --server=${SERVER_URL} --insecure-skip-tls-verify=true
 | 
					    kubectl config set-cluster ${CLUSTER} --server=${SERVER_URL} --insecure-skip-tls-verify=true
 | 
				
			||||||
  fi
 | 
					  fi
 | 
				
			||||||
else
 | 
					else
 | 
				
			||||||
  echo "[ERROR] Required pipeline parameter: cluster not provided"
 | 
					  echo "[ERROR] Required pipeline parameter: cluster not provided"
 | 
				
			||||||
  exit 1
 | 
					  exit 1
 | 
				
			||||||
fi
 | 
					fi
 | 
				
			||||||
 | 
					
 | 
				
			||||||
kubectl config set-context default --cluster=default --user=${USER}
 | 
					kubectl config set-context ${CLUSTER} --cluster=${CLUSTER} --user=${USER}
 | 
				
			||||||
kubectl config use-context default
 | 
					kubectl config use-context ${CLUSTER}
 | 
				
			||||||
 | 
					
 | 
				
			||||||
# kubectl version
 | 
					# kubectl version
 | 
				
			||||||
IFS=',' read -r -a DEPLOYMENTS <<< "${PLUGIN_DEPLOYMENT}"
 | 
					IFS=',' read -r -a DEPLOYMENTS <<< "${PLUGIN_DEPLOYMENT}"
 | 
				
			||||||
| 
						 | 
					
 | 
				
			||||||
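Review bot: An empty or unset `auth_mode` now skips credential setup without an error, because the added outer guard `if [ ! -z ${PLUGIN_AUTH_MODE} ]; then` in the second update.sh hunk wraps the whole token/client-cert chain, so the `auth_mode - not provided` branch is reached only for a non-empty, unrecognised value. The old code exited 1 when the client cert and key were missing; the new code goes on to `kubectl config set-context ${CLUSTER} --cluster=${CLUSTER} --user=${USER}` with no credentials set for that user. Removing the outer guard and its closing `fi` lets the existing `else` branch reject the empty case too. Separately, `--token=${SERVER_TOKEN}` is passed undecoded and unquoted while the certificate values go through `base64 -d`; if the secret holds the base64 `token:` field that the README command extracts, it presumably needs decoding first, e.g. `--token="$(echo "${SERVER_TOKEN}" | base64 -d)"`. The enclosing `if [ ! -z ${PLUGIN_CLUSTER} ]` block starts above the hunk.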