Merge pull request #3 from razorpay/beta

script, readme: plugin_auth_mode: token
This commit is contained in:
Hashfyre 2018-01-22 18:27:41 +05:30 committed by GitHub
commit 83b1e5d587
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
2 changed files with 49 additions and 23 deletions

View File

@ -4,10 +4,9 @@
This plugin allows to update a Kubernetes deployment. This plugin allows to update a Kubernetes deployment.
- Cert based auth for tls - Cert based auth for tls
- token based auth
- Insecure auth without tls - Insecure auth without tls
This version deprecates token based auth
## Usage ## Usage
This pipeline will update the `my-deployment` deployment with the image tagged `DRONE_COMMIT_SHA:0:8` This pipeline will update the `my-deployment` deployment with the image tagged `DRONE_COMMIT_SHA:0:8`
@ -22,11 +21,12 @@ pipeline:
- docker_password - docker_password
- server_url_<cluster> - server_url_<cluster>
- server_cert_<cluster> - server_cert_<cluster>
- client_cert_<cluster> - client_cert_<cluster> / - server_token_<cluster>
- client_key_<cluster> - client_key_<cluster> / - server_token_<cluster>
- ... - ...
user: <kubernetes-user with a cluster-rolebinding> user: <kubernetes-user with a cluster-rolebinding>
cluster: <kubernetes-cluster> cluster: <kubernetes-cluster>
auth_mode: [ token | client-cert ] // provide only if providing server_cert_<cluster>
deployment: [<kubernetes-deployements, ...>] deployment: [<kubernetes-deployements, ...>]
repo: <org/repo> repo: <org/repo>
container: [ <containers,...> ] container: [ <containers,...> ]
@ -46,6 +46,9 @@ pipeline:
## Required secrets ## Required secrets
- server_url - server_url
- token:
- server_token
- `kubectl get secret [ your default secret name ] -o yaml | egrep 'token:' > server.token`
- tls: - tls:
- server_cert - server_cert
- `kubectl get secret [ your default secret name ] -o yaml | egrep 'ca.crt:' > ca.crt` - `kubectl get secret [ your default secret name ] -o yaml | egrep 'ca.crt:' > ca.crt`

View File

@ -18,14 +18,10 @@ if [ ! -z ${PLUGIN_CLUSTER} ]; then
# create dynamic cert var names # create dynamic cert var names
SERVER_URL_VAR=SERVER_URL_${CLUSTER} SERVER_URL_VAR=SERVER_URL_${CLUSTER}
SERVER_CERT_VAR=SERVER_CERT_${CLUSTER} SERVER_CERT_VAR=SERVER_CERT_${CLUSTER}
CLIENT_CERT_VAR=CLIENT_CERT_${CLUSTER}
CLIENT_KEY_VAR=CLIENT_KEY_${CLUSTER}
# expand the var contents # expand the var contents
SERVER_URL=${!SERVER_URL_VAR} SERVER_URL=${!SERVER_URL_VAR}
SERVER_CERT=${!SERVER_CERT_VAR} SERVER_CERT=${!SERVER_CERT_VAR}
CLIENT_CERT=${!CLIENT_CERT_VAR}
CLIENT_KEY=${!CLIENT_KEY_VAR}
if [[ -z "${SERVER_URL}" ]]; then if [[ -z "${SERVER_URL}" ]]; then
echo "[ERROR] drone secret: ${SERVER_URL_VAR} not added!" echo "[ERROR] drone secret: ${SERVER_URL_VAR} not added!"
@ -35,32 +31,59 @@ if [ ! -z ${PLUGIN_CLUSTER} ]; then
if [[ ! -z "${SERVER_CERT}" ]]; then if [[ ! -z "${SERVER_CERT}" ]]; then
echo "[INFO] Using secure connection with tls-certificate." echo "[INFO] Using secure connection with tls-certificate."
echo ${SERVER_CERT} | base64 -d > ca.crt echo ${SERVER_CERT} | base64 -d > ca.crt
kubectl config set-cluster default --server=${SERVER_URL} --certificate-authority=ca.crt kubectl config set-cluster ${CLUSTER} --server=${SERVER_URL} --certificate-authority=ca.crt
if [[ ! -z "${CLIENT_CERT}" ]] && [[ ! -z "${CLIENT_KEY}" ]]; then # vars based on auth_mode
echo "[INFO] Setting client credentials with signed-certificate and key." if [ ! -z ${PLUGIN_AUTH_MODE} ]; then
echo ${CLIENT_CERT} | base64 -d > client.crt if [[ "${PLUGIN_AUTH_MODE}" == "token" ]]; then
echo ${CLIENT_KEY} | base64 -d > client.key echo "[INFO] Using Server token to authorize"
kubectl config set-credentials ${USER} --client-certificate=client.crt --client-key=client.key SERVER_TOKEN_VAR=SERVER_TOKEN_${CLUSTER}
else # expand
echo "[ERROR] Required plugin parameters:" SERVER_TOKEN=${!SERVER_TOKEN_VAR}
echo " - client_cert" if [[ ! -z "${SERVER_TOKEN}" ]]; then
echo " - client_key" kubectl config set-credentials ${USER} --token=${SERVER_TOKEN}
echo "are not provided" else
exit 1 echo "[ERROR] Required plugin param - server_token - not provided."
exit 1
fi
elif [[ "${PLUGIN_AUTH_MODE}" == "client-cert" ]]; then
echo "[INFO] Using Client cert and Key to authorize"
CLIENT_CERT_VAR=CLIENT_CERT_${CLUSTER}
CLIENT_KEY_VAR=CLIENT_KEY_${CLUSTER}
# expand
CLIENT_CERT=${!CLIENT_CERT_VAR}
CLIENT_KEY=${!CLIENT_KEY_VAR}
if [[ ! -z "${CLIENT_CERT}" ]] && [[ ! -z "${CLIENT_KEY}" ]]; then
echo "[INFO] Setting client credentials with signed-certificate and key."
echo ${CLIENT_CERT} | base64 -d > client.crt
echo ${CLIENT_KEY} | base64 -d > client.key
kubectl config set-credentials ${USER} --client-certificate=client.crt --client-key=client.key
else
echo "[ERROR] Required plugin parameters:"
echo " - client_cert"
echo " - client_key"
echo "are not provided"
exit 1
fi
else
echo "[ERROR] Required plugin param - auth_mode - not provided"
echo "[INFO] Should be either [ token | client-cert ]"
exit 1
fi
fi fi
else else
echo "[WARNING] Required plugin parameter: ${SERVER_CERT_VAR} not added!" echo "[WARNING] Required plugin parameter: ${SERVER_CERT_VAR} not added!"
echo "[WARNING] Using insecure connection to cluster" echo "[WARNING] Using insecure connection to cluster"
kubectl config set-cluster default --server=${SERVER_URL} --insecure-skip-tls-verify=true kubectl config set-cluster ${CLUSTER} --server=${SERVER_URL} --insecure-skip-tls-verify=true
fi fi
else else
echo "[ERROR] Required pipeline parameter: cluster not provided" echo "[ERROR] Required pipeline parameter: cluster not provided"
exit 1 exit 1
fi fi
kubectl config set-context default --cluster=default --user=${USER} kubectl config set-context ${CLUSTER} --cluster=${CLUSTER} --user=${USER}
kubectl config use-context default kubectl config use-context ${CLUSTER}
# kubectl version # kubectl version
IFS=',' read -r -a DEPLOYMENTS <<< "${PLUGIN_DEPLOYMENT}" IFS=',' read -r -a DEPLOYMENTS <<< "${PLUGIN_DEPLOYMENT}"