Code Review / icn.git / blob
? search:
summary | shortlog | log | commit | commitdiff | review | tree
history | raw | HEAD
Add SOPS support to cluster chart
[icn.git] / deploy / cluster / cluster.sh
1 #!/usr/bin/env bash
2 set -eux -o pipefail
3
4 SCRIPTDIR="$(readlink -f $(dirname ${BASH_SOURCE[0]}))"
5 LIBDIR="$(dirname $(dirname ${SCRIPTDIR}))/env/lib"
6
7 source $LIBDIR/logging.sh
8 source $LIBDIR/common.sh
9
10 FLANNEL_VERSION="v0.15.0"
11
12 # This may be used to update the in-place addon YAML files from the
13 # upstream projects
14 function build_source {
15     mkdir -p ${SCRIPTDIR}/addons
16
17     # Flannel
18     curl -sL https://raw.githubusercontent.com/coreos/flannel/${FLANNEL_VERSION}/Documentation/kube-flannel.yml -o ${SCRIPTDIR}/addons/flannel.yaml
19     cat <<EOF >${SCRIPTDIR}/templates/flannel-addon.yaml
20 {{- if eq .Values.cni "flannel" }}
21 ---
22 $(kubectl create configmap flannel-addon --from-file=${SCRIPTDIR}/addons/flannel.yaml -o yaml --dry-run=client)
23 {{- end }}
24 EOF
25     sed -i -e 's/  name: flannel-addon/  name: {{ .Values.clusterName }}-flannel-addon/' ${SCRIPTDIR}/templates/flannel-addon.yaml
26     sed -i -e 's/10.244.0.0\/16/{{ .Values.podCidr }}/' ${SCRIPTDIR}/templates/flannel-addon.yaml
27
28     # Flux
29     flux install --export >${SCRIPTDIR}/addons/flux-system.yaml
30     # The name "sync" must be sorted after "flux-system" to ensure
31     # Flux CRDs are instantiated first
32     cat <<'EOF' >${SCRIPTDIR}/addons/sync.yaml
33 {{- if .Values.flux.decryptionSecret }}
34 ---
35 apiVersion: v1
36 type: Opaque
37 kind: Secret
38 metadata:
39   name: {{ .Values.flux.repositoryName }}-{{ .Values.flux.branch }}-sops-gpg
40   namespace: flux-system
41 data:
42   sops.asc: {{ .Values.flux.decryptionSecret | b64enc }}
43 {{- end }}
44 ---
45 apiVersion: source.toolkit.fluxcd.io/v1beta1
46 kind: GitRepository
47 metadata:
48   name: {{ .Values.flux.repositoryName }}
49   namespace: flux-system
50 spec:
51   gitImplementation: go-git
52   interval: 1m0s
53   ref:
54     branch: {{ .Values.flux.branch }}
55   timeout: 20s
56   url: {{ .Values.flux.url }}
57 ---
58 apiVersion: kustomize.toolkit.fluxcd.io/v1beta2
59 kind: Kustomization
60 metadata:
61   name: {{ .Values.clusterName }}-flux-sync
62   namespace: flux-system
63 spec:
64   interval: 10m0s
65   path: {{ .Values.flux.path }}
66   prune: true
67   sourceRef:
68     kind: GitRepository
69     name: {{ .Values.flux.repositoryName }}
70 {{- if .Values.flux.decryptionSecret }}
71   decryption:
72     provider: sops
73     secretRef:
74       name: {{ .Values.flux.repositoryName }}-{{ .Values.flux.branch }}-sops-gpg
75 {{- end }}
76 EOF
77     cat <<EOF >${SCRIPTDIR}/templates/flux-addon.yaml
78 {{- if .Values.flux }}
79 ---
80 $(kubectl create configmap flux-addon --from-file=${SCRIPTDIR}/addons/flux-system.yaml,${SCRIPTDIR}/addons/sync.yaml -o yaml --dry-run=client)
81 {{- end }}
82 EOF
83     sed -i -e 's/  name: flux-addon/  name: {{ .Values.clusterName }}-flux-addon/' ${SCRIPTDIR}/templates/flux-addon.yaml
84
85     # PodSecurityPolicy is being replaced in future versions of K8s.
86     # The recommended practice is described by K8s at
87     # - https://kubernetes.io/docs/concepts/policy/pod-security-policy/#recommended-practice
88     # - https://kubernetes.io/docs/concepts/security/pod-security-standards/
89     # and provides three levels: privileged, baseline, and restricted.
90     #
91     # The question to answer here is how to reconcile the K8s levels
92     # against the Akraino security requirements.
93     #
94     # For the time being, the below populates the cluster with the K8s
95     # recommended levels and provides an additional policy (icn) bound
96     # to the system:authenticated group to meet the Akraino
97     # requirements.
98     cat <<EOF >${SCRIPTDIR}/addons/podsecurity.yaml
99 ---
100 $(curl -sL https://raw.githubusercontent.com/kubernetes/website/main/content/en/examples/policy/privileged-psp.yaml)
101 ---
102 $(curl -sL https://raw.githubusercontent.com/kubernetes/website/main/content/en/examples/policy/baseline-psp.yaml)
103 ---
104 $(curl -sL https://raw.githubusercontent.com/kubernetes/website/main/content/en/examples/policy/restricted-psp.yaml)
105 ---
106 $(curl -sL https://raw.githubusercontent.com/kubernetes/website/main/content/en/examples/policy/privileged-psp.yaml |
107   sed -e 's/  name: privileged/  name: icn/' |
108   sed -e '/^  allowedCapabilities:/,/^  [!-]/d')
109   allowedCapabilities:
110     - 'NET_ADMIN'
111     - 'SYS_ADMIN'
112     - 'SYS_NICE'
113     - 'SYS_PTRACE'
114   requiredDropCapabilities:
115     - 'NET_RAW'
116 ---
117 apiVersion: rbac.authorization.k8s.io/v1
118 kind: ClusterRole
119 metadata:
120   name: psp:privileged
121   labels:
122     addonmanager.kubernetes.io/mode: Reconcile
123 rules:
124 - apiGroups:
125   - policy
126   resourceNames:
127   - privileged
128   resources:
129   - podsecuritypolicies
130   verbs:
131   - use
132 ---
133 apiVersion: rbac.authorization.k8s.io/v1
134 kind: ClusterRole
135 metadata:
136   name: psp:baseline
137   labels:
138     addonmanager.kubernetes.io/mode: Reconcile
139 rules:
140 - apiGroups:
141   - policy
142   resourceNames:
143   - baseline
144   resources:
145   - podsecuritypolicies
146   verbs:
147   - use
148 ---
149 apiVersion: rbac.authorization.k8s.io/v1
150 kind: ClusterRole
151 metadata:
152   name: psp:icn
153   labels:
154     addonmanager.kubernetes.io/mode: Reconcile
155 rules:
156 - apiGroups:
157   - policy
158   resourceNames:
159   - icn
160   resources:
161   - podsecuritypolicies
162   verbs:
163   - use
164 ---
165 apiVersion: rbac.authorization.k8s.io/v1
166 kind: ClusterRole
167 metadata:
168   name: psp:restricted
169   labels:
170     addonmanager.kubernetes.io/mode: Reconcile
171 rules:
172 - apiGroups:
173   - policy
174   resourceNames:
175   - restricted
176   resources:
177   - podsecuritypolicies
178   verbs:
179   - use
180 ---
181 apiVersion: rbac.authorization.k8s.io/v1
182 kind: RoleBinding
183 metadata:
184   name: psp:privileged:nodes
185   namespace: kube-system
186   labels:
187     addonmanager.kubernetes.io/mode: Reconcile
188 roleRef:
189   apiGroup: rbac.authorization.k8s.io
190   kind: ClusterRole
191   name: psp:privileged
192 subjects:
193 - kind: Group
194   name: system:nodes
195   apiGroup: rbac.authorization.k8s.io
196 ---
197 apiVersion: rbac.authorization.k8s.io/v1
198 kind: RoleBinding
199 metadata:
200   name: psp:privileged:kube-system
201   namespace: kube-system
202 roleRef:
203   apiGroup: rbac.authorization.k8s.io
204   kind: ClusterRole
205   name: psp:privileged
206 subjects:
207 - kind: Group
208   name: system:serviceaccounts:kube-system
209   apiGroup: rbac.authorization.k8s.io
210 ---
211 apiVersion: rbac.authorization.k8s.io/v1
212 kind: ClusterRoleBinding
213 metadata:
214   name: psp:icn:any
215 roleRef:
216   kind: ClusterRole
217   name: psp:icn
218   apiGroup: rbac.authorization.k8s.io
219 subjects:
220 - kind: Group
221   name: system:authenticated
222   apiGroup: rbac.authorization.k8s.io
223 EOF
224     cat <<EOF >${SCRIPTDIR}/templates/podsecurity-addon.yaml
225 ---
226 $(kubectl create configmap podsecurity-addon --from-file=${SCRIPTDIR}/addons/podsecurity.yaml -o yaml --dry-run=client)
227 EOF
228     sed -i -e 's/  name: podsecurity-addon/  name: {{ .Values.clusterName }}-podsecurity-addon/' ${SCRIPTDIR}/templates/podsecurity-addon.yaml
229
230 }
231
232 case $1 in
233     "build-source") build_source ;;
234     *) cat <<EOF
235 Usage: $(basename $0) COMMAND
236
237 Commands:
238   build-source  - Rebuild the in-tree addon YAML files
239 EOF
240        ;;
241 esac