easzctl集成basic-auth配置

2019-04-07 20:38:23 +08:00 · 2019-04-07 20:38:23 +08:00 · 9b4ec4b656
parent 3c1c348544
commit 9b4ec4b656
4 changed files with 63 additions and 10 deletions
--- a/roles/kube-master/defaults/main.yml
+++ b/roles/kube-master/defaults/main.yml
@ -9,8 +9,10 @@ MASTER_CERT_HOSTS:
  #- "61.182.11.41"
  #- "www.test.com"

-# apiserver 基础认证（用户名/密码）配置
-# 在 master 节点文件‘/etc/kubernetes/ssl/basic-auth.csv’ 可以查看密码
-BASIC_AUTH_ENABLE: "no"              # 是否启用 yes/no
-BASIC_AUTH_USER: "admin"
-BASIC_AUTH_PASS: "_pwd_"             # BASIC_AUTH_PASS 初次运行时会被随机密码覆盖
+# apiserver 基础认证（用户名/密码）配置，详见 master 节点文件‘/etc/kubernetes/ssl/basic-auth.csv’
+# 是否启用基础认证 yes/no
+BASIC_AUTH_ENABLE: 'no'
+# 用户名：
+BASIC_AUTH_USER: 'admin'
+# 密码：初次运行时会生成随机密码
+BASIC_AUTH_PASS: '_pwd_'
--- a/roles/kube-master/tasks/main.yml
+++ b/roles/kube-master/tasks/main.yml
@ -105,14 +105,14 @@
  tags: upgrade_k8s, restart_master

 - name: 配置{{ BASIC_AUTH_USER }}用户rbac权限
-  template: src=admin-user-binding.yaml.j2 dest=/opt/kube/admin-user-binding.yaml
+  template: src=basic-auth-rbac.yaml.j2 dest=/opt/kube/basic-auth-rbac.yaml
  when: 'BASIC_AUTH_ENABLE == "yes"'
  delegate_to: "{{ groups.deploy[0] }}"
  run_once: true
  tags: restart_master

 - name: 创建{{ BASIC_AUTH_USER }}用户rbac权限
-  shell: "{{ bin_dir }}/kubectl apply -f /opt/kube/admin-user-binding.yaml"
+  shell: "{{ bin_dir }}/kubectl apply -f /opt/kube/basic-auth-rbac.yaml"
  when: 'BASIC_AUTH_ENABLE == "yes"'
  delegate_to: "{{ groups.deploy[0] }}"
  run_once: true
--- a/roles/kube-master/templates/admin-user-binding.yaml.j2
+++ b/roles/kube-master/templates/admin-user-binding.yaml.j2
@ -1,7 +1,7 @@
 apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRoleBinding
 metadata:
-  name: admin-user-binding
+  name: basic-auth-binding
 roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
--- a/tools/easzctl
+++ b/tools/easzctl
@ -9,13 +9,15 @@ set -o errexit
 function usage() {
    cat <<EOF
 Usage: easzctl COMMAND [args]
-Commands 1 (cluster-wide operation):
+
+Cluster-wide operation:
    checkout		To switch to cluster <clustername> context, or create it if not existed
    destroy		To destroy the current cluster, with '--purge' option to also delete the context
    list		To list all of clusters managed
    setup		To setup a cluster using the current context
    start-aio		To quickly setup an all-in-one cluster for testing (like minikube)
-Commands 2 (in-cluster opration):
+
+In-cluster operation:
    add-etcd		To add a etcd-node to the etcd cluster
    add-master		To add a kube-master(master node) to the k8s cluster
    add-node		To add a kube-node(work node) to the k8s cluster
@ -23,6 +25,9 @@ Commands 2 (in-cluster opration):
    del-etcd		To delete a etcd-node from the etcd cluster
    upgrade		To upgrade the k8s cluster

+Extra operation:
+    basic-auth   	To enable/disable basic-auth for apiserver
+
 Use "easzctl help <command>" for more information about a given command.
 EOF
 }
@ -44,6 +49,9 @@ function help-info() {
        (clean-node)
            echo -e "Usage: easzctl clean-node <node_ip>\n\nread 'https://github.com/gjmzj/kubeasz/blob/master/docs/op/clean_one_node.md'"
            ;;
+        (basic-auth)
+            echo -e "Usage: easzctl basic-auth <options>\nOption:\t -s enable basic-auth\n\t -S disable basic-auth\n\t -u <user> set username\n\t -p <pass> set password"
+            ;;
        (*)
            usage
            return 0
@ -298,6 +306,43 @@ function start-aio(){
    setup
 }

+### extra operation functions ###################################
+function print-user-pass(){
+    echo -e "\n[INFO]basic auth for apiserver enabled\n"
+    sed -n '/BASIC_AUTH_USER/p' $BASEPATH/roles/kube-master/defaults/main.yml
+    sed -n '/BASIC_AUTH_PASS/p' $BASEPATH/roles/kube-master/defaults/main.yml
+}
+
+function basic-auth(){
+    OPTIND=2
+    while getopts "sSu:p:" OPTION; do
+        case $OPTION in
+          s)
+            grep BASIC_AUTH_ENABLE roles/kube-master/defaults/main.yml|grep yes > /dev/null && { print-user-pass; return 0; }
+            sed -i "s/BASIC_AUTH_ENABLE.*$/BASIC_AUTH_ENABLE: 'yes'/g" $BASEPATH/roles/kube-master/defaults/main.yml
+            ;;
+          S)
+            grep BASIC_AUTH_ENABLE roles/kube-master/defaults/main.yml|grep no > /dev/null && { echo -e "\n[INFO]basic auth for apiserver disabled\n"; return 0; }
+            sed -i "s/BASIC_AUTH_ENABLE.*$/BASIC_AUTH_ENABLE: 'no'/g" $BASEPATH/roles/kube-master/defaults/main.yml
+            ;;
+          u)
+            grep BASIC_AUTH_ENABLE roles/kube-master/defaults/main.yml|grep no > /dev/null && { echo -e "\n[INFO]basic auth for apiserver disabled\n"; return 0; }
+            sed -i "s/BASIC_AUTH_USER.*$/BASIC_AUTH_USER: '$OPTARG'/g" $BASEPATH/roles/kube-master/defaults/main.yml
+            ;;
+          p)
+            grep BASIC_AUTH_ENABLE roles/kube-master/defaults/main.yml|grep no > /dev/null && { echo -e "\n[INFO]basic auth for apiserver disabled\n"; return 0; }
+            sed -i "s/BASIC_AUTH_PASS.*$/BASIC_AUTH_PASS: '$OPTARG'/g" $BASEPATH/roles/kube-master/defaults/main.yml
+            ;;
+          ?)
+            help-info basic-auth
+            return 1
+            ;;
+        esac
+    done
+
+    ansible-playbook $BASEPATH/04.kube-master.yml -t restart_master
+}
+
 ### Main Lines ##################################################

 BASEPATH=/etc/ansible
@ -366,6 +411,12 @@ case "$1" in
        help-info $2
        exit 0
        ;;
+    ### extra operations ##############################
+    (basic-auth)
+        [ "$#" -gt 1 ] || { help-info $1; exit 2; }
+        ACTION="Action: enable/disable apiserver's basic-auth"
+        CMD="basic-auth $*"
+        ;;
    (*)
        usage
        exit 0