From 702f5dcb11ae4091fedd268bf6ca57b310796816 Mon Sep 17 00:00:00 2001
From: Mark Burnett
Date: Fri, 13 Apr 2018 13:40:19 -0500
Subject: [PATCH] Remove kubectl & credentials on join
This behavior can be disabled with the `leave_kubectl` query parameter to the `join-scripts` endpoint.
Change-Id: Ia2d9d11f2e900aed0b69394de6ba30442921d5a0
---
 promenade/cli.py | 7 ++++++-
 promenade/config.py | 4 ++++
 promenade/control/join_scripts.py | 5 ++++-
 promenade/templates/scripts/join.sh | 13 +++++++++++++
 tools/g2/stages/join-nodes.sh | 2 +-
 tools/gate/build.sh | 1 +
 6 files changed, 29 insertions(+), 3 deletions(-)
diff --git a/promenade/cli.py b/promenade/cli.py
index 9bd3e015..261fbaa2 100644
--- a/promenade/cli.py
+++ b/promenade/cli.py
@@ -26,14 +26,19 @@ def promenade(*, verbose):
 required=True,
 help='Location to write complete cluster configuration.')
 @click.option('--validators', is_flag=True, help='Generate validation scripts')
+@click.option(
+ '--leave-kubectl',
+ is_flag=True,
+ help='Leave behind kubectl on joined nodes')
 @click.argument('config_files', nargs=-1, type=click.File('rb'))
-def build_all(*, config_files, output_dir, validators):
+def build_all(*, config_files, leave_kubectl, output_dir, validators):
 debug = _debug()
 try:
 c = config.Configuration.from_streams(
 debug=debug,
 substitute=True,
 allow_missing_substitutions=False,
+ leave_kubectl=leave_kubectl,
 streams=config_files)
 b = builder.Builder(c, validators=validators)
 b.build_all(output_dir=output_dir)
diff --git a/promenade/config.py b/promenade/config.py
index 57ffc736..4a771be0 100644
--- a/promenade/config.py
+++ b/promenade/config.py
@@ -19,6 +19,7 @@ class Configuration:
 debug=False,
 substitute=True,
 allow_missing_substitutions=True,
+ leave_kubectl=False,
 validate=True):
 LOG.info("Parsing document schemas.")
 schema_set = validation.load_schemas_from_docs(documents)
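Review bot: The help text for `--leave-kubectl` in promenade/cli.py understates what the flag keeps. The join.sh change in this same patch shows the default cleanup also removes `/etc/kubernetes/admin`, so setting the flag leaves the admin credentials on the node as well as the binary. Suggest `help='Leave kubectl and admin credentials behind on joined nodes'` so an operator opting in knows what stays on disk. build_all's body continues outside the hunk.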
@@ -43,6 +44,7 @@ class Configuration:
 validation.check_schemas(documents, schemas=schema_set)
 self.debug = debug
 self.documents = documents
+ self.leave_kubectl = leave_kubectl
 @classmethod
 def from_streams(cls, *, streams, **kwargs):
@@ -111,6 +113,7 @@ class Configuration:
 return Configuration(
 debug=self.debug,
 documents=documents,
+ leave_kubectl=self.leave_kubectl,
 substitute=False,
 validate=False)
@@ -133,6 +136,7 @@ class Configuration:
 return Configuration(
 debug=self.debug,
 documents=documents,
+ leave_kubectl=self.leave_kubectl,
 substitute=False,
 validate=False)
diff --git a/promenade/control/join_scripts.py b/promenade/control/join_scripts.py
index 87c3cb19..f852a770 100644
--- a/promenade/control/join_scripts.py
+++ b/promenade/control/join_scripts.py
@@ -35,6 +35,7 @@ class JoinScriptsResource(BaseResource):
 @policy.ApiEnforcer('kubernetes_provisioner:get_join_scripts')
 def on_get(self, req, resp):
+ leave_kubectl = req.get_param_as_bool('leave_kubectl')
 design_ref = req.get_param('design_ref', required=True)
 ip = req.get_param('ip', required=True)
 hostname = req.get_param('hostname', required=True)
@@ -46,7 +47,9 @@ class JoinScriptsResource(BaseResource):
 try:
 config = Configuration.from_design_ref(
- design_ref, allow_missing_substitutions=False)
+ design_ref,
+ allow_missing_substitutions=False,
+ leave_kubectl=leave_kubectl)
 except exceptions.DeckhandException as e:
 raise falcon.HTTPInternalServerError(description=str(e))
diff --git a/promenade/templates/scripts/join.sh b/promenade/templates/scripts/join.sh
index 0ee48c7a..88dfa6e8 100644
--- a/promenade/templates/scripts/join.sh
+++ b/promenade/templates/scripts/join.sh
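Review bot: In on_get (promenade/control/join_scripts.py), `leave_kubectl` is taken directly from an optional query parameter. Any caller permitted by `kubernetes_provisioner:get_join_scripts` can therefore request a join script that keeps the admin credentials on the node, and nothing records that choice. Consider logging it when set, e.g. `if leave_kubectl: LOG.warning('join script for %s requested with leave_kubectl', hostname)` after `hostname` is read (this assumes the module has a `LOG` logger, which the hunk does not show). Falcon's `get_param_as_bool` returns `None` when the parameter is absent, so wrapping the call in `bool(...)` would keep `Configuration.leave_kubectl` a strict boolean. on_get's body continues outside the hunk.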
@@ -1,5 +1,18 @@
 {% include "header.sh" with context %}
+{%- if not config.leave_kubectl %}
+function delete_kubectl() {
+ set +x
+ log
+ log === Removing kubectl and credentials ===
+ set -x
+ rm -rf /etc/kubernetes/admin
+ rm -f /usr/local/bin/kubectl
+}
+
+trap delete_kubectl EXIT
+{%- endif %}
+
 {% include "basic-host-validation.sh" with context %}
 {% include "up.sh" with context %}
diff --git a/tools/g2/stages/join-nodes.sh b/tools/g2/stages/join-nodes.sh
index 67686463..5a21316b 100755
--- a/tools/g2/stages/join-nodes.sh
+++ b/tools/g2/stages/join-nodes.sh
@@ -70,7 +70,7 @@ render_curl_url() {
 fi
 HOST_PARAMS="hostname=${NAME}&ip=$(config_vm_ip "${NAME}")"
- echo "${BASE_URL}?${DESIGN_REF}&${HOST_PARAMS}${LABEL_PARAMS}"
+ echo "${BASE_URL}?${DESIGN_REF}&${HOST_PARAMS}&leave_kubectl=true${LABEL_PARAMS}"
 }
 render_validate_body() {
diff --git a/tools/gate/build.sh b/tools/gate/build.sh
index 62550561..dcc4301b 100755
--- a/tools/gate/build.sh
+++ b/tools/gate/build.sh
@@ -60,6 +60,7 @@ docker run --rm -t \
 promenade \
 build-all \
 --validators \
+ --leave-kubectl \
 -o promenade-bundle \
 config/*.yaml
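Review bot: `trap delete_kubectl EXIT` in promenade/templates/scripts/join.sh is installed before `basic-host-validation.sh` and `up.sh` are included, and bash keeps only one EXIT handler. A `trap ... EXIT` in any later fragment (none is visible in this hunk) would silently replace the credential cleanup. A comment above the trap would guard against that, e.g. `# Sole EXIT trap: a later 'trap ... EXIT' replaces this and leaves admin credentials on the node`. Also note that `rm -rf /etc/kubernetes/admin` only unlinks the files and the credentials themselves remain valid, so this reduces exposure on the node rather than revoking access. The join-nodes.sh and build.sh hunks opt the gate tooling out of the cleanup, which appears intended for test runs only.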