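#!/bin/bash
#
# Copyright (c) 2021, 2022, Oracle and/or its affiliates.
# Licensed under the Universal Permissive License v 1.0 as shown at https://oss.oracle.com/licenses/upl.
#
# Source: github.com/verrazzano/verrazzano@v1.7.1/tests/e2e/config/scripts/register_managed_cluster.sh
#
# Registers a managed cluster with a Verrazzano admin cluster (e2e test helper).
#
# Required environment:
#   ADMIN_KUBECONFIG      kubeconfig used for every call against the admin cluster
#   MANAGED_KUBECONFIG    kubeconfig used for every call against the managed cluster
#   MANAGED_CLUSTER_NAME  name of the VerrazzanoManagedCluster (VMC) to create
#   MANAGED_CLUSTER_ENV   prefix of the "<env>-secret" TLS secret read on the managed cluster
#   MANAGED_CLUSTER_DIR   directory that receives managed_kube_config
# Optional environment:
#   ACME_ENVIRONMENT      defaults to "staging"
#
# Files written:
#   ${MANAGED_CLUSTER_NAME}.yaml             CA secret manifest (admin VZ < 1.4 only), in the cwd
#   register-${MANAGED_CLUSTER_NAME}.yaml    registration manifest applied to the managed cluster, in the cwd
#   ${MANAGED_CLUSTER_DIR}/managed_kube_config
#
# Exits non-zero when a required variable is missing or a registration step fails.
#

# pipefail is deliberately NOT enabled: the CA lookup below relies on
# "kubectl get secret ... | jq" yielding an empty string when the first secret
# does not exist, so that it can fall back to verrazzano-tls.
set -e

# The registration manifest and managed_kube_config hold cluster credentials;
# create every file this script writes as owner-only.
umask 077

# curl options shared by all Rancher API calls.
# NOTE(review): -k turns off TLS certificate verification while the Rancher
# admin password and bearer tokens are being sent. That may be unavoidable with
# the test CA used here, but outside a throwaway test cluster the CA should be
# pinned with --cacert instead.
RANCHER_CURL_OPTS=(-s -k)

#######################################
# Reports whether a credential was obtained without printing its value.
# Arguments: $1 - label, $2 - the credential
# Outputs:   "<label>: <redacted>" or "<label>: <empty>" on stdout
#######################################
log_secret_state() {
  local label=$1
  local value=$2
  if [[ -n "${value}" ]]; then
    echo "${label}: <redacted>"
  else
    echo "${label}: <empty>"
  fi
}

for required_var in ADMIN_KUBECONFIG MANAGED_CLUSTER_DIR MANAGED_CLUSTER_NAME MANAGED_KUBECONFIG MANAGED_CLUSTER_ENV; do
  if [[ -z "${!required_var}" ]]; then
    echo "${required_var} env var must be set!'"
    exit 1
  fi
done

ACME_ENVIRONMENT="${ACME_ENVIRONMENT:-staging}"

echo "ADMIN_KUBECONFIG: ${ADMIN_KUBECONFIG}"
echo "MANAGED_CLUSTER_NAME: ${MANAGED_CLUSTER_NAME}"
echo "MANAGED_KUBECONFIG: ${MANAGED_KUBECONFIG}"
echo "MANAGED_CLUSTER_ENV: ${MANAGED_CLUSTER_ENV}"
echo "ACME_ENVIRONMENT: ${ACME_ENVIRONMENT}"

# create configmap "verrazzano-admin-cluster" on admin
if ! kubectl --kubeconfig "${ADMIN_KUBECONFIG}" -n verrazzano-mc get configmap verrazzano-admin-cluster ; then
  # Only the first "server:" entry is used; a kubeconfig listing several
  # clusters would otherwise produce a multi-line value.
  ADMIN_K8S_SERVER_ADDRESS=$(awk '/server:/ { print $2; exit }' "${ADMIN_KUBECONFIG}")
  export ADMIN_K8S_SERVER_ADDRESS
  kubectl --kubeconfig "${ADMIN_KUBECONFIG}" -n verrazzano-mc create configmap verrazzano-admin-cluster --from-literal=server="${ADMIN_K8S_SERVER_ADDRESS}"
fi

# 'kubectl get vz' occasionally fails with 'error: the server doesn't have a resource type "vz"' but it always works the second time, so run
# it here to prevent the next invocation from failing
kubectl --kubeconfig "${ADMIN_KUBECONFIG}" get vz 2> /dev/null || true

VERSION=$(kubectl --kubeconfig "${ADMIN_KUBECONFIG}" get vz -o jsonpath='{.items[0].status.version}')
# The version string comes from the cluster, so validate it before any
# arithmetic: bash arithmetic evaluates arbitrary expressions, not just digits.
if [[ "${VERSION}" =~ ^([0-9]+)\.([0-9]+) ]]; then
  MAJOR_VERSION=$((10#${BASH_REMATCH[1]}))
  MINOR_VERSION=$((10#${BASH_REMATCH[2]}))
else
  # A non-numeric component evaluated to 0 before; keep that outcome, but say so.
  echo "WARNING: could not parse Verrazzano version '${VERSION}', treating it as 0.0"
  MAJOR_VERSION=0
  MINOR_VERSION=0
fi

# if installed VZ version is < 1.4, create the CA cert secret for the managed cluster, otherwise this is now automatic
if (( MAJOR_VERSION == 1 && MINOR_VERSION < 4 )); then
  echo "Admin cluster VZ version is < 1.4, creating CA secret for managed cluster"

  # create managed cluster ca secret yaml on managed
  CA_SECRET_FILE=${MANAGED_CLUSTER_NAME}.yaml
  # Try the environment-specific secret first, then verrazzano-tls. The value is
  # decoded from the copy already fetched instead of querying the cluster again.
  for ca_source in "${MANAGED_CLUSTER_ENV}-secret" verrazzano-tls; do
    TLS_SECRET=$(kubectl --kubeconfig "${MANAGED_KUBECONFIG}" -n verrazzano-system get secret "${ca_source}" -o json | jq -r '.data."ca.crt"')
    # jq -r prints the literal "null" when the key is absent.
    if [[ -n "${TLS_SECRET//[[:space:]]/}" && "null" != "${TLS_SECRET}" ]]; then
      CA_CERT=$(printf '%s' "${TLS_SECRET}" | base64 --decode)
      break
    fi
  done

  # The manifest is written with '>' so that a re-run replaces it instead of
  # appending a second document to the same file.
  if [[ -n "${CA_CERT}" ]]; then
    kubectl create secret generic "ca-secret-${MANAGED_CLUSTER_NAME}" -n verrazzano-mc --from-literal=cacrt="$CA_CERT" --dry-run=client -o yaml > "${CA_SECRET_FILE}"
  elif [[ "production" == "${ACME_ENVIRONMENT}" ]]; then
    # When the CA is publicly available/accessible, ca.crt would be empty in tls secret on the admin cluster. So, set an empty string for cacrt
    kubectl create secret generic "ca-secret-${MANAGED_CLUSTER_NAME}" -n verrazzano-mc --from-literal=cacrt="" --dry-run=client -o yaml > "${CA_SECRET_FILE}"
  else
    echo "Failed to create CA secret file, required to create a secret on the admin cluster containing the certificate for the managed cluster."
    exit 1
  fi

  # create managed cluster ca secret on admin
  kubectl --kubeconfig "${ADMIN_KUBECONFIG}" apply -f "${CA_SECRET_FILE}"

  # create VerrazzanoManagedCluster on admin
  kubectl --kubeconfig "${ADMIN_KUBECONFIG}" apply -f - <<EOF
apiVersion: clusters.verrazzano.io/v1alpha1
kind: VerrazzanoManagedCluster
metadata:
  name: ${MANAGED_CLUSTER_NAME}
  namespace: verrazzano-mc
spec:
  description: "VerrazzanoManagedCluster object for ${MANAGED_CLUSTER_NAME}"
  caSecret: ca-secret-${MANAGED_CLUSTER_NAME}
EOF

  # wait for VMC to be ready - that means the manifest has been created
  echo "Creating VMC for ${MANAGED_CLUSTER_NAME}"
  # Tested directly in the 'if': under 'set -e' a separate '$?' check after the
  # command would never run, so the failure message would never be printed.
  if ! kubectl --kubeconfig "${ADMIN_KUBECONFIG}" wait --for=condition=Ready --timeout=60s vmc "${MANAGED_CLUSTER_NAME}" -n verrazzano-mc ; then
    echo "VMC ${MANAGED_CLUSTER_NAME} not ready after 60 seconds. Registration failed."
    exit 1
  fi
else
  # create VerrazzanoManagedCluster on admin, note caSecret is not specified and will be auto populated
  kubectl --kubeconfig "${ADMIN_KUBECONFIG}" apply -f - <<EOF
apiVersion: clusters.verrazzano.io/v1alpha1
kind: VerrazzanoManagedCluster
metadata:
  name: ${MANAGED_CLUSTER_NAME}
  namespace: verrazzano-mc
spec:
  description: "VerrazzanoManagedCluster object for ${MANAGED_CLUSTER_NAME}"
EOF

  # NOTE(review): after 10 attempts the loop ends without failing, so the steps
  # below still run when the Rancher registration never reached 'Completed'.
  retries=0
  while [[ ${retries} -lt 10 ]] && [[ "$(kubectl --kubeconfig "${ADMIN_KUBECONFIG}" get vmc -n verrazzano-mc "${MANAGED_CLUSTER_NAME}" -o jsonpath='{.status.rancherRegistration.status}')" != 'Completed' ]] ; do
    echo "Verrazzano Rancher registration incomplete, checking again in 30s"
    retries=$((retries + 1))
    sleep 30
  done
fi

echo "----------BEGIN VMC ${MANAGED_CLUSTER_NAME} contents----------"
kubectl --kubeconfig "${ADMIN_KUBECONFIG}" get vmc -n verrazzano-mc "${MANAGED_CLUSTER_NAME}" -o yaml
echo "----------END VMC ${MANAGED_CLUSTER_NAME} contents----------"

if (( MAJOR_VERSION == 1 && MINOR_VERSION < 5 )); then
  kubectl --kubeconfig "${ADMIN_KUBECONFIG}" get secret "verrazzano-cluster-${MANAGED_CLUSTER_NAME}-manifest" -n verrazzano-mc -o jsonpath='{.data.yaml}' | base64 --decode > "register-${MANAGED_CLUSTER_NAME}.yaml"
else
  echo "Admin cluster VZ version is >= 1.5, getting the manifest directly from Rancher"
  # get the admin user token from the Rancher API
  RANCHER_URL=$(kubectl --kubeconfig "${ADMIN_KUBECONFIG}" get vz -o jsonpath='{.items[0].status.instance.rancherUrl}')
  echo "RANCHER_URL: ${RANCHER_URL}"
  RANCHER_ADMIN_PASS=$(kubectl --kubeconfig "${ADMIN_KUBECONFIG}" get secret -n cattle-system rancher-admin-secret -o jsonpath='{.data.password}' | base64 --decode)
  # Credentials are never echoed: the output of this script ends up in build logs.
  log_secret_state "RANCHER_ADMIN_PASS" "${RANCHER_ADMIN_PASS}"
  # The login body is built by jq from stdin and handed to curl on stdin, which
  # keeps the password out of every process argument list and JSON-escapes it
  # (a password containing '"' or '\' would otherwise produce invalid JSON).
  # '// empty' turns a missing token into "" rather than the literal "null",
  # so the emptiness check below actually catches a failed login.
  RANCHER_TOKEN=$(printf '%s' "${RANCHER_ADMIN_PASS}" \
    | jq -Rsc '{username: "admin", password: .}' \
    | curl "${RANCHER_CURL_OPTS[@]}" -X POST -H 'Content-Type: application/json' -d @- "${RANCHER_URL}/v3-public/localProviders/local?action=login" \
    | jq -r '.token // empty')
  log_secret_state "RANCHER_TOKEN" "${RANCHER_TOKEN}"
  if [[ -z "${RANCHER_TOKEN}" ]] ; then
    echo "Rancher token for admin user not found"
    exit 1
  fi

  # Use the admin token to apply the manifest to the managed cluster
  # NOTE(review): the bearer token is still passed as a curl argument and is
  # visible to other local users in the process list while curl runs.
  RANCHER_CLUSTER_ID=$(curl "${RANCHER_CURL_OPTS[@]}" -X GET -H "Authorization: Bearer ${RANCHER_TOKEN}" "${RANCHER_URL}/v3/clusters?name=${MANAGED_CLUSTER_NAME}" | jq -r '.data[0].id // empty')
  echo "RANCHER_CLUSTER_ID: ${RANCHER_CLUSTER_ID}"
  if [[ -z "${RANCHER_CLUSTER_ID}" ]] ; then
    echo "Rancher cluster id for ${MANAGED_CLUSTER_NAME} not found"
    exit 1
  fi
  MC_RANCHER_TOKEN=$(jq -cn --arg id "${RANCHER_CLUSTER_ID}" '{type: "clusterRegistrationToken", clusterId: $id}' \
    | curl "${RANCHER_CURL_OPTS[@]}" -X POST -H 'Content-Type: application/json' -H "Authorization: Bearer ${RANCHER_TOKEN}" -d @- "${RANCHER_URL}/v3/clusterregistrationtoken" \
    | jq -r '.token // empty')
  log_secret_state "MC_RANCHER_TOKEN" "${MC_RANCHER_TOKEN}"
  if [[ -z "${MC_RANCHER_TOKEN}" ]] ; then
    echo "Rancher cluster registration token not found"
    exit 1
  fi
  curl "${RANCHER_CURL_OPTS[@]}" -X GET -H "Authorization: Bearer ${RANCHER_TOKEN}" "${RANCHER_URL}/v3/import/${MC_RANCHER_TOKEN}_${RANCHER_CLUSTER_ID}.yaml" > "register-${MANAGED_CLUSTER_NAME}.yaml"
fi

# NOTE(review): this manifest is read from a Secret or fetched with a
# registration token, so it presumably carries registration credentials, and
# the dump below copies it into the build log. Confirm the log's audience and
# retention, or drop the dump.
echo "----------BEGIN register-${MANAGED_CLUSTER_NAME}.yaml contents----------"
cat "register-${MANAGED_CLUSTER_NAME}.yaml"
echo "----------END register-${MANAGED_CLUSTER_NAME}.yaml contents----------"

echo "Applying register-${MANAGED_CLUSTER_NAME}.yaml"
# register using the manifest on managed
kubectl --kubeconfig "${MANAGED_KUBECONFIG}" apply -f "register-${MANAGED_CLUSTER_NAME}.yaml"

# obtain permission-constrained version of kubeconfig to be used by managed cluster
kubectl --kubeconfig "${ADMIN_KUBECONFIG}" get secret "verrazzano-cluster-${MANAGED_CLUSTER_NAME}-agent" -n verrazzano-mc -o jsonpath='{.data.admin-kubeconfig}' | base64 --decode > "${MANAGED_CLUSTER_DIR}/managed_kube_config"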