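#!/bin/sh
# Based on https://docs.helm.sh/service_accounts/
#
# Creates a Kubernetes namespace with a namespace-scoped Tiller (Helm 2)
# service account/role/rolebinding and a restricted "deploy" service
# account, then runs `helm init` against that namespace.
#
# Usage: create-namespace <namespace(-stg|-prod)> [--dry-run]
#   --dry-run   print the generated manifests to stdout instead of applying
#               them, and pass --dry-run to `helm init`.
#
# Exit status: 1 on bad arguments, otherwise the status of the first
# failing command (set -e).
set -eu

if [ -z "${1-}" ]; then
    echo "Usage: $0 <namespace(-stg|-prod)> [--dry-run]" >&2
    exit 1
fi
NAMESPACE=$1
TILLER=tiller
DEPLOY_USER=deploy

# The namespace name is interpolated unquoted into the manifests below, so
# only accept what Kubernetes accepts anyway (a DNS-1123 label: lowercase
# alphanumerics and '-', not starting or ending with '-', at most 63 chars).
# This also keeps YAML indicators out of the generated documents.
case "$NAMESPACE" in
    *[!a-z0-9-]*|-*|*-)
        echo "Invalid namespace name: $NAMESPACE (use lowercase letters, digits and '-')" >&2
        exit 1
        ;;
esac
if [ "${#NAMESPACE}" -gt 63 ]; then
    echo "Invalid namespace name: $NAMESPACE (longer than 63 characters)" >&2
    exit 1
fi

# This makes sure that only the helm client can access tiller (using a portforward).
# Otherwise, any pod in the network can contact the tiller port and let it install random yml files.
HELM_OVERRIDE="spec.template.spec.containers[0].command={/tiller,--listen=localhost:44134}"

# `[ x == y ]` is a bashism; POSIX test(1) only knows `=` and dash aborts
# with "unexpected operator". A case statement avoids the issue entirely.
case "${2-}" in
    --dry-run)
        CMD="cat"
        DRY_RUN="--dry-run -o yaml"
        echo "Creating namespace: $NAMESPACE" >&2
        echo "Creating service account: $NAMESPACE/$TILLER" >&2
        echo "Creating role: $NAMESPACE/$TILLER" >&2
        echo "Creating service account: $NAMESPACE/$DEPLOY_USER" >&2
        echo "Creating role: $NAMESPACE/$DEPLOY_USER" >&2
        echo "Installing tiller on namespace $NAMESPACE" >&2
        ;;
    "")
        CMD="kubectl apply -f -"
        DRY_RUN=""
        ;;
    *)
        echo "Usage: $0 $1 [--dry-run]" >&2
        exit 1
        ;;
esac

# $CMD is intentionally unquoted: it is word-split into the command and its
# arguments ("kubectl apply -f -" or "cat"). The heredoc delimiter is
# unquoted so that $NAMESPACE, $TILLER and $DEPLOY_USER are expanded.
$CMD <<EOF
---
## Create namespace $NAMESPACE:
## kubectl create namespace $NAMESPACE --dry-run -o yaml
apiVersion: v1
kind: Namespace
metadata:
  name: $NAMESPACE
---
## Create tiller service account:
## kubectl create serviceaccount $TILLER --namespace=$NAMESPACE --dry-run -o yaml
apiVersion: v1
kind: ServiceAccount
metadata:
  name: $TILLER
  namespace: $NAMESPACE
---
## Create admin role:
## kubectl create role $TILLER --namespace $NAMESPACE --resource=deployments,replicasets,... --verb=get,list,... --dry-run -o yaml
## rbac.authorization.k8s.io/v1 has the same schema as v1beta1 and has been
## served since Kubernetes 1.8; v1beta1 was removed in 1.22.
## NOTE: this role is effectively namespace-admin (it includes "secrets" with
## all verbs), and anything that can reach tiller inherits it.
kind: Role
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  namespace: $NAMESPACE
  name: $TILLER
rules:
  - apiGroups: ["", "batch", "extensions", "apps"]
    resources: ["deployments", "replicasets", "pods", "configmaps", "ingresses", "jobs", "secrets", "services", "namespaces", "persistentvolumeclaims"]
    verbs: ["get", "list", "watch", "create", "update", "patch", "delete"] # You can also use ["*"]
---
## Associate admin role with $TILLER account
## kubectl create rolebinding $TILLER --user=$TILLER --role=$TILLER --dry-run -o yaml
kind: RoleBinding
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name: $TILLER
  namespace: $NAMESPACE
roleRef:
  kind: Role
  name: $TILLER
  apiGroup: rbac.authorization.k8s.io
subjects:
  - kind: ServiceAccount
    name: $TILLER
    namespace: $NAMESPACE
---
## Create deploy account:
## kubectl create serviceaccount $DEPLOY_USER --namespace=$NAMESPACE --dry-run -o yaml
apiVersion: v1
kind: ServiceAccount
metadata:
  name: $DEPLOY_USER
  namespace: $NAMESPACE
---
## Create deploy role
## kubectl create role $DEPLOY_USER --namespace $NAMESPACE --resource=pods/portforward --verb=create ... --dry-run -o yaml
## Keep this role minimal: "pods/portforward" is what lets the helm client
## reach tiller (bound to localhost above), so whoever holds this account can
## drive tiller and therefore exercise the tiller role's permissions.
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  name: $DEPLOY_USER
  namespace: $NAMESPACE
rules:
  - apiGroups: [""]
    resources: ["pods/portforward"]
    verbs: ["create"]
  - apiGroups: [""]
    resources: ["pods"]
    verbs: ["list"]
  #- apiGroups: [""]
  #  resources: ["pods/exec"]
  #  verbs: ["create"]
  - apiGroups: [""]
    resources: ["secrets"]
    verbs: ["create", "list", "delete"]
  - apiGroups: ["", "extensions"]
    resources: ["deployments"]
    verbs: ["get", "watch"]
  - apiGroups: ["batch"]
    resources: ["jobs"]
    verbs: ["get"]
---
## Associate deploy role with $DEPLOY_USER account
## kubectl create rolebinding $DEPLOY_USER --user=$DEPLOY_USER --role=$DEPLOY_USER --dry-run -o yaml
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: $DEPLOY_USER
  namespace: $NAMESPACE
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: Role
  name: $DEPLOY_USER
subjects:
  - kind: ServiceAccount
    name: $DEPLOY_USER
    namespace: $NAMESPACE
---
## Install tiller in $NAMESPACE
## helm init --service-account $TILLER --tiller-namespace $NAMESPACE --history-max 5 --override="$HELM_OVERRIDE" --dry-run -o yaml
EOF

# $DRY_RUN is intentionally unquoted: it is either empty or a list of flags
# that must be word-split ("--dry-run -o yaml").
helm init --skip-refresh --upgrade --service-account "$TILLER" --tiller-namespace "$NAMESPACE" --history-max 5 --override="$HELM_OVERRIDE" $DRY_RUN

if [ -z "$DRY_RUN" ]; then
    echo "Namespace configured"
    # Exported for the helper script below; presumably it reads NAMESPACE
    # from the environment — verify against get-gitlab-settings.
    export NAMESPACE
    # Resolve the helper relative to this script rather than the caller's
    # working directory, so the script also works when invoked by full path.
    "$(dirname "$0")/get-gitlab-settings" "$DEPLOY_USER" --namespace="$NAMESPACE"
    echo
    echo
    echo "Or, create a KUBE_CONFIG to perform the deployment:"
    echo
    echo "  create-kubeconfig $DEPLOY_USER --namespace=$NAMESPACE"
fi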