| commit | author | age | ||
| bea30a | 1 | apiVersion: apps/v1 |
| WK | 2 | kind: DaemonSet |
| 3 | metadata: | |
| 4 | name: kubelet-bootstrap-cred-manager | |
| 5 | namespace: openshift-machine-config-operator | |
| 6 | labels: | |
| 7 | k8s-app: kubelet-bootrap-cred-manager | |
| 8 | spec: | |
| 9 | replicas: 1 | |
| 10 | selector: | |
| 11 | matchLabels: | |
| 12 | k8s-app: kubelet-bootstrap-cred-manager | |
| 13 | template: | |
| 14 | metadata: | |
| 15 | labels: | |
| 16 | k8s-app: kubelet-bootstrap-cred-manager | |
| 17 | spec: | |
| 18 | containers: | |
| 19 | - name: kubelet-bootstrap-cred-manager | |
| 20 | image: quay.io/openshift/origin-cli:v4.0 | |
| 21 | command: ['/bin/bash', '-ec'] | |
| 22 | args: | |
| 23 | - | | |
| 24 | #!/bin/bash | |
| 25 | ||
| 26 | set -eoux pipefail | |
| 27 | ||
| 28 | while true; do | |
| 29 | unset KUBECONFIG | |
| 30 | ||
| c5f736 | 31 | echo "----------------------------------------------------------------------" |
| bea30a | 32 | echo "Gather info..." |
| c5f736 | 33 | echo "----------------------------------------------------------------------" |
| bea30a | 34 | # context |
| WK | 35 | intapi=$(oc get infrastructures.config.openshift.io cluster -o "jsonpath={.status.apiServerURL}") |
| 36 | context="$(oc --config=/etc/kubernetes/kubeconfig config current-context)" | |
| 37 | # cluster | |
| 38 | cluster="$(oc --config=/etc/kubernetes/kubeconfig config view -o "jsonpath={.contexts[?(@.name==\"$context\")].context.cluster}")" | |
| 39 | server="$(oc --config=/etc/kubernetes/kubeconfig config view -o "jsonpath={.clusters[?(@.name==\"$cluster\")].cluster.server}")" | |
| 40 | # token | |
| 41 | ca_crt_data="$(oc get secret -n openshift-machine-config-operator node-bootstrapper-token -o "jsonpath={.data.ca\.crt}" | base64 --decode)" | |
| 42 | namespace="$(oc get secret -n openshift-machine-config-operator node-bootstrapper-token -o "jsonpath={.data.namespace}" | base64 --decode)" | |
| 43 | token="$(oc get secret -n openshift-machine-config-operator node-bootstrapper-token -o "jsonpath={.data.token}" | base64 --decode)" | |
| 44 | ||
| c5f736 | 45 | echo "----------------------------------------------------------------------" |
| WK | 46 | echo "Generate kubeconfig" |
| 47 | echo "----------------------------------------------------------------------" | |
| 48 | ||
| bea30a | 49 | export KUBECONFIG="$(mktemp)" |
| WK | 50 | kubectl config set-credentials "kubelet" --token="$token" >/dev/null |
| 51 | ca_crt="$(mktemp)"; echo "$ca_crt_data" > $ca_crt | |
| 52 | kubectl config set-cluster $cluster --server="$intapi" --certificate-authority="$ca_crt" --embed-certs >/dev/null | |
| 53 | kubectl config set-context kubelet --cluster="$cluster" --user="kubelet" >/dev/null | |
| 54 | kubectl config use-context kubelet >/dev/null | |
| c5f736 | 55 | |
| WK | 56 | echo "----------------------------------------------------------------------" |
| 57 | echo "Print kubeconfig" | |
| 58 | echo "----------------------------------------------------------------------" | |
| bea30a | 59 | cat "$KUBECONFIG" |
| c5f736 | 60 | |
| WK | 61 | echo "----------------------------------------------------------------------" |
| 62 | echo "Whoami?" | |
| 63 | echo "----------------------------------------------------------------------" | |
| bea30a | 64 | oc whoami |
| WK | 65 | whoami |
| c5f736 | 66 | |
| WK | 67 | echo "----------------------------------------------------------------------" |
| 68 | echo "Moving to real kubeconfig" | |
| 69 | echo "----------------------------------------------------------------------" | |
| bea30a | 70 | cp /etc/kubernetes/kubeconfig /etc/kubernetes/kubeconfig.prev |
| WK | 71 | mv "${KUBECONFIG}" /etc/kubernetes/kubeconfig |
| 72 | ||
| c5f736 | 73 | echo "----------------------------------------------------------------------" |
| WK | 74 | echo "Setting ca.crt" |
| 75 | echo "----------------------------------------------------------------------" | |
| 76 | cp /etc/kubernetes/ca.crt /etc/kubernetes/ca.crt.prev | |
| 77 | mv $ca_crt /etc/kubernetes/ca.crt | |
| 78 | ||
| 79 | echo "----------------------------------------------------------------------" | |
| 80 | echo "Sleep 60 seconds..." | |
| 81 | echo "----------------------------------------------------------------------" | |
| bea30a | 82 | sleep 60 |
| WK | 83 | done |
| 84 | securityContext: | |
| 85 | privileged: true | |
| 86 | runAsUser: 0 | |
| 87 | volumeMounts: | |
| 88 | - mountPath: /etc/kubernetes/ | |
| 89 | name: kubelet-dir | |
| 90 | nodeSelector: | |
| 91 | node-role.kubernetes.io/master: "" | |
| 92 | priorityClassName: "system-cluster-critical" | |
| 93 | restartPolicy: Always | |
| 94 | securityContext: | |
| 95 | runAsUser: 0 | |
| 96 | tolerations: | |
| 97 | - key: "node-role.kubernetes.io/master" | |
| 98 | operator: "Exists" | |
| 99 | effect: "NoSchedule" | |
| 100 | - key: "node.kubernetes.io/unreachable" | |
| 101 | operator: "Exists" | |
| 102 | effect: "NoExecute" | |
| 103 | tolerationSeconds: 120 | |
| 104 | - key: "node.kubernetes.io/not-ready" | |
| 105 | operator: "Exists" | |
| 106 | effect: "NoExecute" | |
| 107 | tolerationSeconds: 120 | |
| 108 | volumes: | |
| 109 | - hostPath: | |
| 110 | path: /etc/kubernetes/ | |
| 111 | type: Directory | |
| 112 | name: kubelet-dir | |
