Merge pull request #17 from itdove/service-account

Use service-account to join if not --use-bootstrap-token on init

Author: openshift-merge-robot

README.md

@@ -59,7 +59,7 @@ Display the clusteradm version and the kubeversion
 
 Initialize the hub by deploying the hub side resources to manage clusters.
 
-`clusteradm init`
+`clusteradm init [--use-bootstrap-token]`
 
 it returns the command line to launch on the spoke to join the hub.
 

build/run-functional-tests.sh

@@ -26,7 +26,7 @@ then
 fi
 
 kubectl config use-context kind-${CLUSTER_NAME}-hub 
-CMDINITRESULT=`clusteradm init`
+CMDINITRESULT=`clusteradm init --use-bootstrap-token`
 if [ $? != 0 ]
 then
    echo "init command result: "$CMDINITRESULT

pkg/cmd/init/cmd.go

@@ -44,6 +44,6 @@ func NewCmd(clusteradmFlags *genericclioptionsclusteradm.ClusteradmFlags, stream
 	}
 
 	cmd.Flags().StringVar(&o.outputFile, "output-file", "", "The generated resources will be copied in the specified file")
-
+	cmd.Flags().BoolVar(&o.useBootstrapToken, "use-bootstrap-token", false, "If set then the boostrap token will used instead of a service account token")
 	return cmd
 }

pkg/cmd/init/exec.go

@@ -5,15 +5,20 @@ import (
 	"fmt"
 	"time"
 
+	corev1 "k8s.io/api/core/v1"
+	"k8s.io/apimachinery/pkg/util/wait"
+
 	"github.com/openshift/library-go/pkg/operator/resource/resourceapply"
 	"open-cluster-management.io/clusteradm/pkg/cmd/init/scenario"
+	"open-cluster-management.io/clusteradm/pkg/config"
 	"open-cluster-management.io/clusteradm/pkg/helpers"
 	"open-cluster-management.io/clusteradm/pkg/helpers/apply"
 
 	"github.com/spf13/cobra"
 
 	apiextensionsclient "k8s.io/apiextensions-apiserver/pkg/client/clientset/clientset"
 	"k8s.io/client-go/discovery"
+	"k8s.io/client-go/kubernetes"
 	"k8s.io/client-go/util/retry"
 )
 
@@ -32,6 +37,7 @@ func (o *Options) validate() error {
 }
 
 func (o *Options) run() error {
+	token := fmt.Sprintf("%s.%s", o.values.Hub.TokenID, o.values.Hub.TokenSecret)
 	output := make([]string, 0)
 	reader := scenario.GetScenarioResourcesReader()
 
@@ -60,22 +66,44 @@ func (o *Options) run() error {
 		WithDynamicClient(dynamicClient)
 
 	files := []string{
-		"init/bootstrap-token-secret.yaml",
-		"init/cluster_role_bootstrap.yaml",
-		"init/cluster_role_binding_bootstrap.yaml",
-		"init/cluster_role.yaml",
-		"init/cluster_role_binding.yaml",
-		"init/clustermanagers.crd.yaml",
 		"init/namespace.yaml",
-		"init/service_account.yaml",
+	}
+	if o.useBootstrapToken {
+		files = append(files,
+			"init/bootstrap-token-secret.yaml",
+			"init/bootstrap_cluster_role.yaml",
+			"init/bootstrap_cluster_role_binding.yaml",
+		)
+	} else {
+		files = append(files,
+			"init/bootstrap_sa.yaml",
+			"init/bootstrap_cluster_role.yaml",
+			"init/bootstrap_sa_cluster_role_binding.yaml",
+		)
 	}
 
+	files = append(files,
+		"init/clustermanager_cluster_role.yaml",
+		"init/clustermanager_cluster_role_binding.yaml",
+		"init/clustermanagers.crd.yaml",
+		"init/clustermanager_sa.yaml",
+	)
+
 	out, err := apply.ApplyDirectly(clientHolder, reader, o.values, o.ClusteradmFlags.DryRun, "", files...)
 	if err != nil {
 		return err
 	}
 	output = append(output, out...)
 
+	if !o.useBootstrapToken {
+		b := retry.DefaultBackoff
+		b.Duration = 100 * time.Millisecond
+		secret, err := waitForBootstrapSecret(kubeClient, b)
+		if err != nil {
+			return err
+		}
+		token = string(secret.Data["token"])
+	}
 	out, err = apply.ApplyDeployments(kubeClient, reader, o.values, o.ClusteradmFlags.DryRun, "", "init/operator.yaml")
 	if err != nil {
 		return err
@@ -92,18 +120,31 @@ func (o *Options) run() error {
 	}
 
 	discoveryClient := discovery.NewDiscoveryClientForConfigOrDie(restConfig)
-	out, err = apply.ApplyCustomResouces(dynamicClient, discoveryClient, reader, o.values, o.ClusteradmFlags.DryRun, "", "init/clustermanagers.cr.yaml")
+	out, err = apply.ApplyCustomResouces(dynamicClient, discoveryClient, reader, o.values, o.ClusteradmFlags.DryRun, "", "init/clustermanager.cr.yaml")
 	if err != nil {
 		return err
 	}
 	output = append(output, out...)
 
-	fmt.Printf("please log on spoke and run:\n%s join --hub-token %s.%s --hub-apiserver %s --cluster-name <cluster_name>\n",
+	fmt.Printf("please log on spoke and run:\n%s join --hub-token %s --hub-apiserver %s --cluster-name <cluster_name>\n",
 		helpers.GetExampleHeader(),
-		o.values.Hub.TokenID,
-		o.values.Hub.TokenSecret,
+		token,
 		restConfig.Host,
 	)
 
 	return apply.WriteOutput(o.outputFile, output)
 }
+
+func waitForBootstrapSecret(kubeClient kubernetes.Interface, b wait.Backoff) (secret *corev1.Secret, err error) {
+	err = retry.OnError(b, func(err error) bool {
+		if err != nil {
+			fmt.Printf("Wait for sa %s secret to be ready\n", config.BootstrapSAName)
+			return true
+		}
+		return false
+	}, func() error {
+		secret, err = helpers.GetBootstrapSecret(kubeClient)
+		return err
+	})
+	return
+}

pkg/cmd/init/options.go

@@ -10,10 +10,11 @@ import (
 type Options struct {
 	//ClusteradmFlags: The generic optiosn from the clusteradm cli-runtime.
 	ClusteradmFlags *genericclioptionsclusteradm.ClusteradmFlags
-	// factory         cmdutil.Factory
-	values Values
+	values          Values
 	//The file to output the resources will be sent to the file.
 	outputFile string
+	//If true the bootstrap token will be used instead of the service account token
+	useBootstrapToken bool
 }
 
 //Valus: The values used in the template

pkg/cmd/init/scenario/init/cluster_role_bootstrap.yaml renamed to pkg/cmd/init/scenario/init/bootstrap_cluster_role.yaml

@@ -0,0 +1,6 @@
+# Copyright Contributors to the Open Cluster Management project
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  name: cluster-bootstrap
+  namespace: open-cluster-management

pkg/cmd/init/scenario/init/cluster_role_binding_bootstrap.yaml renamed to pkg/cmd/init/scenario/init/bootstrap_cluster_role_binding.yaml

@@ -0,0 +1,13 @@
+# Copyright Contributors to the Open Cluster Management project
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+  name: cluster-bootstrap
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: ClusterRole
+  name: system:open-cluster-management:bootstrap
+subjects:
+- kind: ServiceAccount
+  name: cluster-bootstrap
+  namespace: open-cluster-management