authorShoaib Nasir <shoaib.nasir@windriver.com>2019-01-14 13:07:29 -0500
committerShoaib Nasir <shoaib.nasir@windriver.com>2019-02-01 15:33:18 -0500
commit7fb3b8d9ca92ea74c6148f9d3875ee4196d575c5 (patch)
treeb5f38e811cfb1894b21432793f1c349a6c3da5ae
parent091dbd283dbd6e7d547af5f2a81a555c39d89167 (diff)
Add support in Armada CLI to pass user bearer tokens to tiller
Added a new option --bearer-token TEXT in the Armada CLI to allow users or applications to pass kubernetes-api bearer tokens via tiller to the kubernetes cluster. This is to allow armada to interact with a kubernetes cluster that has been configured with an external Auth-Backend like Openstack-keystone or OpenId Connect. Bearer Tokens are Auth tokens issued by identity backends such as keystone which represent a user's authorized access. For a better understanding of bearer tokens, an example of how they work can be found here https://kubernetes.io/docs/reference/access-authn-authz/authentication/#putting-a-bearer-token-in-a-request https://docs.docker.com/registry/spec/auth/token/ Change-Id: I03623c7d3b58eda421a0660da8ec3ac2e86915f0 Signed-off-by: Shoaib Nasir <shoaib.nasir@windriver.com>
Notes
Notes (review): Code-Review+1: Shoaib Nasir <shoaib.nasir@windriver.com> Code-Review+2: Sean Eagan <sean.eagan@att.com> Code-Review+1: chittibabu <chittibabu1299@gmail.com> Code-Review+1: Vladyslav Drok <vdrok@mirantis.com> Code-Review+1: Evgeniy L <eli@mirantis.com> Code-Review+2: Pete Birley <petebirley@gmail.com> Workflow+1: Pete Birley <petebirley@gmail.com> Verified+2: Zuul Submitted-by: Zuul Submitted-at: Thu, 28 Feb 2019 14:47:02 +0000 Reviewed-on: https://review.openstack.org/630754 Project: openstack/airship-armada Branch: refs/heads/master
-rw-r--r--armada/cli/apply.py9
-rw-r--r--armada/cli/delete.py11
-rw-r--r--armada/cli/rollback.py11
-rw-r--r--armada/cli/tiller.py11
-rw-r--r--armada/handlers/k8s.py22
-rw-r--r--armada/handlers/tiller.py4
-rw-r--r--doc/source/commands/apply.rst1
-rw-r--r--doc/source/commands/rollback.rst1
-rw-r--r--doc/source/commands/tiller.rst1
-rw-r--r--doc/source/operations/guide-use-armada.rst22
10 files changed, 71 insertions, 22 deletions
diff --git a/armada/cli/apply.py b/armada/cli/apply.py
index 209b960..41fa771 100644
--- a/armada/cli/apply.py
+++ b/armada/cli/apply.py
@@ -129,17 +129,18 @@ SHORT_DESC = "Command installs manifest charts."
129 help=("The target manifest to run. Required for specifying " 129 help=("The target manifest to run. Required for specifying "
130 "which manifest to run when multiple are available."), 130 "which manifest to run when multiple are available."),
131 default=None) 131 default=None)
132@click.option('--bearer-token', help="User Bearer token", default=None)
132@click.option('--debug', help="Enable debug logging.", is_flag=True) 133@click.option('--debug', help="Enable debug logging.", is_flag=True)
133@click.pass_context 134@click.pass_context
134def apply_create(ctx, locations, api, disable_update_post, disable_update_pre, 135def apply_create(ctx, locations, api, disable_update_post, disable_update_pre,
135 dry_run, enable_chart_cleanup, use_doc_ref, set, tiller_host, 136 dry_run, enable_chart_cleanup, use_doc_ref, set, tiller_host,
136 tiller_port, tiller_namespace, timeout, values, wait, 137 tiller_port, tiller_namespace, timeout, values, wait,
137 target_manifest, debug): 138 target_manifest, bearer_token, debug):
138 CONF.debug = debug 139 CONF.debug = debug
139 ApplyManifest(ctx, locations, api, disable_update_post, disable_update_pre, 140 ApplyManifest(ctx, locations, api, disable_update_post, disable_update_pre,
140 dry_run, enable_chart_cleanup, use_doc_ref, set, tiller_host, 141 dry_run, enable_chart_cleanup, use_doc_ref, set, tiller_host,
141 tiller_port, tiller_namespace, timeout, values, wait, 142 tiller_port, tiller_namespace, timeout, values, wait,
142 target_manifest).safe_invoke() 143 target_manifest, bearer_token).safe_invoke()
143 144
144 145
145class ApplyManifest(CliAction): 146class ApplyManifest(CliAction):
@@ -147,7 +148,7 @@ class ApplyManifest(CliAction):
147 def __init__(self, ctx, locations, api, disable_update_post, 148 def __init__(self, ctx, locations, api, disable_update_post,
148 disable_update_pre, dry_run, enable_chart_cleanup, 149 disable_update_pre, dry_run, enable_chart_cleanup,
149 use_doc_ref, set, tiller_host, tiller_port, tiller_namespace, 150 use_doc_ref, set, tiller_host, tiller_port, tiller_namespace,
150 timeout, values, wait, target_manifest): 151 timeout, values, wait, target_manifest, bearer_token):
151 super(ApplyManifest, self).__init__() 152 super(ApplyManifest, self).__init__()
152 self.ctx = ctx 153 self.ctx = ctx
153 # Filename can also be a URL reference 154 # Filename can also be a URL reference
@@ -166,6 +167,7 @@ class ApplyManifest(CliAction):
166 self.values = values 167 self.values = values
167 self.wait = wait 168 self.wait = wait
168 self.target_manifest = target_manifest 169 self.target_manifest = target_manifest
170 self.bearer_token = bearer_token
169 171
170 def output(self, resp): 172 def output(self, resp):
171 for result in resp: 173 for result in resp:
@@ -203,6 +205,7 @@ class ApplyManifest(CliAction):
203 tiller_host=self.tiller_host, 205 tiller_host=self.tiller_host,
204 tiller_port=self.tiller_port, 206 tiller_port=self.tiller_port,
205 tiller_namespace=self.tiller_namespace, 207 tiller_namespace=self.tiller_namespace,
208 bearer_token=self.bearer_token,
206 dry_run=self.dry_run) as tiller: 209 dry_run=self.dry_run) as tiller:
207 armada = Armada( 210 armada = Armada(
208 documents, 211 documents,
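Review bot: The new `--bearer-token` option on `apply_create` takes the credential as a command-line argument, where other local users can read it from the process list and where it is saved in shell history; the same option is added in armada/cli/delete.py, armada/cli/rollback.py and armada/cli/tiller.py. click's `envvar` parameter would let callers supply the token without putting it on the command line, e.g. `@click.option('--bearer-token', envvar='ARMADA_BEARER_TOKEN', help="User Bearer token", default=None)` (the variable name is a suggestion, not an existing setting). The help strings also differ between the four files (`"User Bearer token"`, `"User Bearer token."`, `"User bearer token."`) and could be made uniform. The decorator stack on `apply_create` starts above the first hunk.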
diff --git a/armada/cli/delete.py b/armada/cli/delete.py
index c54d3b3..ee6a11b 100644
--- a/armada/cli/delete.py
+++ b/armada/cli/delete.py
@@ -65,19 +65,20 @@ SHORT_DESC = "Command deletes releases."
65@click.option('--tiller-host', help="Tiller host IP.") 65@click.option('--tiller-host', help="Tiller host IP.")
66@click.option( 66@click.option(
67 '--tiller-port', help="Tiller host port.", type=int, default=44134) 67 '--tiller-port', help="Tiller host port.", type=int, default=44134)
68@click.option('--bearer-token', help="User Bearer token.", default=None)
68@click.option('--debug', help="Enable debug logging.", is_flag=True) 69@click.option('--debug', help="Enable debug logging.", is_flag=True)
69@click.pass_context 70@click.pass_context
70def delete_charts(ctx, manifest, releases, no_purge, tiller_host, tiller_port, 71def delete_charts(ctx, manifest, releases, no_purge, tiller_host, tiller_port,
71 debug): 72 bearer_token, debug):
72 CONF.debug = debug 73 CONF.debug = debug
73 DeleteChartManifest(ctx, manifest, releases, no_purge, tiller_host, 74 DeleteChartManifest(ctx, manifest, releases, no_purge, tiller_host,
74 tiller_port).safe_invoke() 75 tiller_port, bearer_token).safe_invoke()
75 76
76 77
77class DeleteChartManifest(CliAction): 78class DeleteChartManifest(CliAction):
78 79
79 def __init__(self, ctx, manifest, releases, no_purge, tiller_host, 80 def __init__(self, ctx, manifest, releases, no_purge, tiller_host,
80 tiller_port): 81 tiller_port, bearer_token):
81 82
82 super(DeleteChartManifest, self).__init__() 83 super(DeleteChartManifest, self).__init__()
83 self.ctx = ctx 84 self.ctx = ctx
@@ -86,11 +87,13 @@ class DeleteChartManifest(CliAction):
86 self.purge = not no_purge 87 self.purge = not no_purge
87 self.tiller_host = tiller_host 88 self.tiller_host = tiller_host
88 self.tiller_port = tiller_port 89 self.tiller_port = tiller_port
90 self.bearer_token = bearer_token
89 91
90 def invoke(self): 92 def invoke(self):
91 with Tiller( 93 with Tiller(
92 tiller_host=self.tiller_host, 94 tiller_host=self.tiller_host,
93 tiller_port=self.tiller_port) as tiller: 95 tiller_port=self.tiller_port,
96 bearer_token=self.bearer_token) as tiller:
94 self.handle(tiller) 97 self.handle(tiller)
95 98
96 def handle(self, tiller): 99 def handle(self, tiller):
diff --git a/armada/cli/rollback.py b/armada/cli/rollback.py
index 89bf9f2..f3bc5e8 100644
--- a/armada/cli/rollback.py
+++ b/armada/cli/rollback.py
@@ -80,22 +80,23 @@ SHORT_DESC = "Command performs a release rollback."
80 '--recreate-pods', 80 '--recreate-pods',
81 help=("Restarts pods for the resource if applicable."), 81 help=("Restarts pods for the resource if applicable."),
82 is_flag=True) 82 is_flag=True)
83@click.option('--bearer-token', help=("User bearer token."), default=None)
83@click.option('--debug', help="Enable debug logging.", is_flag=True) 84@click.option('--debug', help="Enable debug logging.", is_flag=True)
84@click.pass_context 85@click.pass_context
85def rollback_charts(ctx, release, version, dry_run, tiller_host, tiller_port, 86def rollback_charts(ctx, release, version, dry_run, tiller_host, tiller_port,
86 tiller_namespace, timeout, wait, force, recreate_pods, 87 tiller_namespace, timeout, wait, force, recreate_pods,
87 debug): 88 bearer_token, debug):
88 CONF.debug = debug 89 CONF.debug = debug
89 Rollback(ctx, release, version, dry_run, tiller_host, tiller_port, 90 Rollback(ctx, release, version, dry_run, tiller_host, tiller_port,
90 tiller_namespace, timeout, wait, force, 91 tiller_namespace, timeout, wait, force, recreate_pods,
91 recreate_pods).safe_invoke() 92 bearer_token).safe_invoke()
92 93
93 94
94class Rollback(CliAction): 95class Rollback(CliAction):
95 96
96 def __init__(self, ctx, release, version, dry_run, tiller_host, 97 def __init__(self, ctx, release, version, dry_run, tiller_host,
97 tiller_port, tiller_namespace, timeout, wait, force, 98 tiller_port, tiller_namespace, timeout, wait, force,
98 recreate_pods): 99 recreate_pods, bearer_token):
99 super(Rollback, self).__init__() 100 super(Rollback, self).__init__()
100 self.ctx = ctx 101 self.ctx = ctx
101 self.release = release 102 self.release = release
@@ -108,12 +109,14 @@ class Rollback(CliAction):
108 self.wait = wait 109 self.wait = wait
109 self.force = force 110 self.force = force
110 self.recreate_pods = recreate_pods 111 self.recreate_pods = recreate_pods
112 self.bearer_token = bearer_token
111 113
112 def invoke(self): 114 def invoke(self):
113 with Tiller( 115 with Tiller(
114 tiller_host=self.tiller_host, 116 tiller_host=self.tiller_host,
115 tiller_port=self.tiller_port, 117 tiller_port=self.tiller_port,
116 tiller_namespace=self.tiller_namespace, 118 tiller_namespace=self.tiller_namespace,
119 bearer_token=self.bearer_token,
117 dry_run=self.dry_run) as tiller: 120 dry_run=self.dry_run) as tiller:
118 121
119 response = tiller.rollback_release( 122 response = tiller.rollback_release(
diff --git a/armada/cli/tiller.py b/armada/cli/tiller.py
index 7d73b15..22a3b15 100644
--- a/armada/cli/tiller.py
+++ b/armada/cli/tiller.py
@@ -61,19 +61,20 @@ SHORT_DESC = "Command gets Tiller information."
61 default=CONF.tiller_namespace) 61 default=CONF.tiller_namespace)
62@click.option('--releases', help="List of deployed releases.", is_flag=True) 62@click.option('--releases', help="List of deployed releases.", is_flag=True)
63@click.option('--status', help="Status of Tiller services.", is_flag=True) 63@click.option('--status', help="Status of Tiller services.", is_flag=True)
64@click.option('--bearer-token', help="User bearer token.", default=None)
64@click.option('--debug', help="Enable debug logging.", is_flag=True) 65@click.option('--debug', help="Enable debug logging.", is_flag=True)
65@click.pass_context 66@click.pass_context
66def tiller_service(ctx, tiller_host, tiller_port, tiller_namespace, releases, 67def tiller_service(ctx, tiller_host, tiller_port, tiller_namespace, releases,
67 status, debug): 68 status, bearer_token, debug):
68 CONF.debug = debug 69 CONF.debug = debug
69 TillerServices(ctx, tiller_host, tiller_port, tiller_namespace, releases, 70 TillerServices(ctx, tiller_host, tiller_port, tiller_namespace, releases,
70 status).safe_invoke() 71 status, bearer_token).safe_invoke()
71 72
72 73
73class TillerServices(CliAction): 74class TillerServices(CliAction):
74 75
75 def __init__(self, ctx, tiller_host, tiller_port, tiller_namespace, 76 def __init__(self, ctx, tiller_host, tiller_port, tiller_namespace,
76 releases, status): 77 releases, status, bearer_token):
77 super(TillerServices, self).__init__() 78 super(TillerServices, self).__init__()
78 self.ctx = ctx 79 self.ctx = ctx
79 self.tiller_host = tiller_host 80 self.tiller_host = tiller_host
@@ -81,13 +82,15 @@ class TillerServices(CliAction):
81 self.tiller_namespace = tiller_namespace 82 self.tiller_namespace = tiller_namespace
82 self.releases = releases 83 self.releases = releases
83 self.status = status 84 self.status = status
85 self.bearer_token = bearer_token
84 86
85 def invoke(self): 87 def invoke(self):
86 88
87 with Tiller( 89 with Tiller(
88 tiller_host=self.tiller_host, 90 tiller_host=self.tiller_host,
89 tiller_port=self.tiller_port, 91 tiller_port=self.tiller_port,
90 tiller_namespace=self.tiller_namespace) as tiller: 92 tiller_namespace=self.tiller_namespace,
93 bearer_token=self.bearer_token) as tiller:
91 94
92 self.handle(tiller) 95 self.handle(tiller)
93 96
diff --git a/armada/handlers/k8s.py b/armada/handlers/k8s.py
index 61a635d..33f1859 100644
--- a/armada/handlers/k8s.py
+++ b/armada/handlers/k8s.py
@@ -41,20 +41,30 @@ class K8s(object):
41 Object to obtain the local kube config file 41 Object to obtain the local kube config file
42 ''' 42 '''
43 43
44 def __init__(self): 44 def __init__(self, bearer_token=None):
45 ''' 45 '''
46 Initialize connection to Kubernetes 46 Initialize connection to Kubernetes
47 ''' 47 '''
48 self.bearer_token = bearer_token
49 api_client = None
50
48 try: 51 try:
49 config.load_incluster_config() 52 config.load_incluster_config()
50 except config.config_exception.ConfigException: 53 except config.config_exception.ConfigException:
51 config.load_kube_config() 54 config.load_kube_config()
52 55
53 self.client = client.CoreV1Api() 56 if self.bearer_token:
54 self.batch_api = client.BatchV1Api() 57 # Configure API key authorization: Bearer Token
55 self.batch_v1beta1_api = client.BatchV1beta1Api() 58 configuration = client.Configuration()
56 self.extension_api = client.ExtensionsV1beta1Api() 59 configuration.api_key_prefix['authorization'] = 'Bearer'
57 self.apps_v1_api = client.AppsV1Api() 60 configuration.api_key['authorization'] = self.bearer_token
61 api_client = client.ApiClient(configuration)
62
63 self.client = client.CoreV1Api(api_client)
64 self.batch_api = client.BatchV1Api(api_client)
65 self.batch_v1beta1_api = client.BatchV1beta1Api(api_client)
66 self.extension_api = client.ExtensionsV1beta1Api(api_client)
67 self.apps_v1_api = client.AppsV1Api(api_client)
58 68
59 def delete_job_action(self, 69 def delete_job_action(self,
60 name, 70 name,
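Review bot: In `K8s.__init__`, the token branch builds a new `client.Configuration()` after `load_incluster_config()` / `load_kube_config()` have run, and the hunk does not show whether that object carries over the host, CA bundle and any client certificate or service-account token that were just loaded; this depends on the kubernetes client version and should be confirmed. If the loaded settings are not inherited, the token would be sent to the library's default host without the cluster CA; if they are, a client certificate from the kubeconfig may still be presented and could decide the identity instead of the user's token. A comment stating the intended precedence would help, e.g. `# bearer_token overrides only the Authorization header; host and TLS settings come from the loaded kube config`, once that is verified. The docstring should also document the parameter: `:param bearer_token: optional Kubernetes API bearer token; when unset or empty the loaded default credentials are used`.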
diff --git a/armada/handlers/tiller.py b/armada/handlers/tiller.py
index 29c2b6c..a3892b4 100644
--- a/armada/handlers/tiller.py
+++ b/armada/handlers/tiller.py
@@ -80,14 +80,16 @@ class Tiller(object):
80 tiller_host=None, 80 tiller_host=None,
81 tiller_port=None, 81 tiller_port=None,
82 tiller_namespace=None, 82 tiller_namespace=None,
83 bearer_token=None,
83 dry_run=None): 84 dry_run=None):
84 self.tiller_host = tiller_host 85 self.tiller_host = tiller_host
85 self.tiller_port = tiller_port or CONF.tiller_port 86 self.tiller_port = tiller_port or CONF.tiller_port
86 self.tiller_namespace = tiller_namespace or CONF.tiller_namespace 87 self.tiller_namespace = tiller_namespace or CONF.tiller_namespace
88 self.bearer_token = bearer_token
87 self.dry_run = dry_run or False 89 self.dry_run = dry_run or False
88 90
89 # init k8s connectivity 91 # init k8s connectivity
90 self.k8s = K8s() 92 self.k8s = K8s(bearer_token=self.bearer_token)
91 93
92 # init Tiller channel 94 # init Tiller channel
93 self.channel = self.get_channel() 95 self.channel = self.get_channel()
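Review bot: `Tiller.__init__` hands `bearer_token` only to `K8s(...)`; the Tiller channel created by `self.get_channel()` right below takes no token in this hunk, so requests made over that channel are presumably still authorized as Tiller itself rather than as the token's user. Since the option is described as passing the user's token via Tiller to the cluster, that boundary deserves a comment, e.g. `# bearer_token authenticates Armada's direct Kubernetes API calls only; it is not sent on the Tiller channel`, after checking `get_channel()`, which is outside the hunk. The token is also kept as the plain attribute `self.bearer_token`, so any code that logs or dumps this object's attributes should leave it out. `__init__` starts above the hunk and continues past it.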
diff --git a/doc/source/commands/apply.rst b/doc/source/commands/apply.rst
index fabc895..4e713b7 100644
--- a/doc/source/commands/apply.rst
+++ b/doc/source/commands/apply.rst
@@ -54,6 +54,7 @@ Commands
54 --target-manifest TEXT The target manifest to run. Required for 54 --target-manifest TEXT The target manifest to run. Required for
55 specifying which manifest to run when multiple 55 specifying which manifest to run when multiple
56 are available. 56 are available.
57 --bearer-token User bearer token.
57 --debug Enable debug logging. 58 --debug Enable debug logging.
58 --help Show this message and exit. 59 --help Show this message and exit.
59 60
diff --git a/doc/source/commands/rollback.rst b/doc/source/commands/rollback.rst
index a8620bd..aeb6da1 100644
--- a/doc/source/commands/rollback.rst
+++ b/doc/source/commands/rollback.rst
@@ -24,6 +24,7 @@ Commands
24 --timeout INTEGER Tiller Host IP 24 --timeout INTEGER Tiller Host IP
25 --version INTEGER Version of release to rollback to. 0 represents the previous release 25 --version INTEGER Version of release to rollback to. 0 represents the previous release
26 --wait Version of release to rollback to. 0 represents the previous release 26 --wait Version of release to rollback to. 0 represents the previous release
27 --bearer-token User bearer token
27 --help Show this message and exit. 28 --help Show this message and exit.
28 29
29Synopsis 30Synopsis
diff --git a/doc/source/commands/tiller.rst b/doc/source/commands/tiller.rst
index 276cb5a..7f84e57 100644
--- a/doc/source/commands/tiller.rst
+++ b/doc/source/commands/tiller.rst
@@ -27,6 +27,7 @@ Commands
27 -tn, --tiller-namespace TEXT Tiller namespace 27 -tn, --tiller-namespace TEXT Tiller namespace
28 --releases list of deployed releses 28 --releases list of deployed releses
29 --status Status of Armada services 29 --status Status of Armada services
30 --bearer-token User bearer token
30 --help Show this message and exit. 31 --help Show this message and exit.
31 32
32Synopsis 33Synopsis
diff --git a/doc/source/operations/guide-use-armada.rst b/doc/source/operations/guide-use-armada.rst
index c9b8e3f..567a67f 100644
--- a/doc/source/operations/guide-use-armada.rst
+++ b/doc/source/operations/guide-use-armada.rst
@@ -224,3 +224,25 @@ for example:
224 description: Change value deploy 224 description: Change value deploy
225 chart_group: 225 chart_group:
226 - blog-1 226 - blog-1
227
228User bearer token
229-----------------
230It is possible to pass the user bearer token from the armada CLI to interact
231with a kubernetes cluster that has been configured with an external Auth-backend
232like openstack-keystone.
233
234.. code:: bash
235
236 Example:
237
238 armada apply --bearer-token [ TOKEN ] --values [ path_to_yaml ] [ FILE ]
239
240 armada tiller --bearer-token [ TOKEN ] --status
241
242.. note::
243 The bearer token option is available for the following commands
244
245 armada apply
246 armada delete
247 armada tiller
248 armada rollback