added token helper for faster kubectl (#298)

hyder · web-flow · commit 46735e626079 · 2021-05-12T22:28:47.000+10:00
* added token helper for faster kubectl

* updated umask for TOKEN so it is writable by opc
diff --git a/CHANGELOG.adoc b/CHANGELOG.adoc
@@ -10,21 +10,29 @@ The format is based on {uri-changelog}[Keep a Changelog].
 = Unreleased
 
 === Additions
-
+* Added faster kubectl script (Thanks @joelezell-conga, @rgmccaw, Richard Exley)
 * Added support for VCN native endpoint for Kubernetes
 ** Added a subnet for control plane (#270)
 ** Added 2 parameters (cluster_access and cluster_source) to control access to Kubernetes API endpoint (#270)
+* Added support for initial node labels (#265)
+** Node labels can now be specified in node pools
+* Added support for enforcing use of signed images from registry (#274)
+* Added ability to specify node_pool_os_version (#281)
+* Added cluster_id and nodepool_ids for improved reusability (Thanks @yasn77)
 
 === Changes
 
-* Changed base module version to 2.2.0. This allows choosing between Oracle Linux 7.X or 8 for the operator host as well as supporting custom route rules on the NAT gateway route table (#279). Custom route rules will make hybrid deployment easier to manage.
+* Updated permissions required in documentation (#292)
+* Made node pool image updatable (#286)
+* Changed deprecated map function (#283)
+* Changed base module version to 2.2.1. This allows controlling the state of the bastion (RUNNING or STOPPED), choosing between Oracle Linux 7.X or 8 for the operator host as well as supporting custom route rules on the NAT gateway route table (#279). Custom route rules will make hybrid deployment easier to manage.
 * Reworked the subnet boundaries for bastion and operator hosts (#270)
 * Updated and simplified OKE security lists to support VCN native endpoints (#270)
 * All port numbers and stateless are now in integer and boolean formats respectively (#270)
 * Updated default Kubernetes version to v 1.19.7
 * Updated documentation and topology diagrams
 * Fixed incorrect namespace issue when creating secret for OCIR (#267)
-* Narrow permissions for kubeconfig file 
+* Narrow permissions for kubeconfig file
 
 === Deletions
 Removed hardcoded WAF CIDRs and used data source instead.
diff --git a/modules/oke/activeworker.tf b/modules/oke/activeworker.tf
@@ -11,7 +11,7 @@ data "template_file" "check_active_worker" {
   count = local.post_provisioning_ops == true && var.check_node_active != "none" ? 1 : 0
 }
 
-resource null_resource "check_worker_active" {  
+resource null_resource "check_worker_active" {
   triggers = {
     node_pools = length(data.oci_containerengine_node_pools.all_node_pools.node_pools)
   }
@@ -44,4 +44,4 @@ resource null_resource "check_worker_active" {
   }
 
   count = local.post_provisioning_ops == true && var.check_node_active != "none" ? 1 : 0
-}
+}
diff --git a/modules/oke/cluster.tf b/modules/oke/cluster.tf
@@ -17,7 +17,7 @@ resource "oci_containerengine_cluster" "k8s_cluster" {
 
     content {
       is_policy_enabled = true
-      
+
       dynamic "key_details" {
         iterator = signing_keys_iterator
         for_each = var.oke_cluster.image_signing_keys
diff --git a/modules/oke/datasources.tf b/modules/oke/datasources.tf
@@ -13,4 +13,4 @@ data "oci_containerengine_node_pool_option" "node_pool_options" {
 
 # retrieve for creating ocir secret
 data "oci_objectstorage_namespace" "object_storage_namespace" {
-}
+}
diff --git a/modules/oke/drain.tf b/modules/oke/drain.tf
@@ -10,12 +10,12 @@ data "template_file" "drain" {
 data "template_file" "drainlist" {
   template = file("${path.module}/scripts/drainlist.py")
 
-   vars = {
-     cluster_id       = oci_containerengine_cluster.k8s_cluster.id
-     compartment_id   = var.compartment_id
-     region           = var.region
-     pools_to_drain   = var.label_prefix == "none" ? trim(join(",", formatlist("'%s'", var.node_pools_to_drain)), "'") : trim(join(",", formatlist("'%s-%s'", var.label_prefix, var.node_pools_to_drain)), "'")    
-   }  
+  vars = {
+    cluster_id     = oci_containerengine_cluster.k8s_cluster.id
+    compartment_id = var.compartment_id
+    region         = var.region
+    pools_to_drain = var.label_prefix == "none" ? trim(join(",", formatlist("'%s'", var.node_pools_to_drain)), "'") : trim(join(",", formatlist("'%s-%s'", var.label_prefix, var.node_pools_to_drain)), "'")
+  }
 
   count = var.nodepool_drain == true ? 1 : 0
 }
diff --git a/modules/oke/k8stools.tf b/modules/oke/k8stools.tf
@@ -7,7 +7,7 @@ data "template_file" "install_kubectl" {
 
   vars = {
     ol = var.oke_operator.operator_version
-  }  
+  }
 }
 
 resource "null_resource" "install_kubectl_operator" {
@@ -36,7 +36,7 @@ resource "null_resource" "install_kubectl_operator" {
     ]
   }
 
-  count = var.oke_operator.bastion_enabled == true && var.oke_operator.bastion_state == "RUNNING" &&  var.oke_operator.operator_enabled == true ? 1 : 0
+  count = var.oke_operator.bastion_enabled == true && var.oke_operator.bastion_state == "RUNNING" && var.oke_operator.operator_enabled == true ? 1 : 0
 }
 
 # helm
diff --git a/modules/oke/kubeconfig.tf b/modules/oke/kubeconfig.tf
@@ -2,7 +2,7 @@
 # Licensed under the Universal Permissive License v 1.0 as shown at https://oss.oracle.com/licenses/upl
 
 data "oci_containerengine_cluster_kube_config" "kube_config" {
-  cluster_id    = oci_containerengine_cluster.k8s_cluster.id
+  cluster_id = oci_containerengine_cluster.k8s_cluster.id
 }
 
 resource "null_resource" "create_local_kubeconfig" {
@@ -20,9 +20,9 @@ resource "null_resource" "create_local_kubeconfig" {
 }
 
 resource "local_file" "kube_config_file" {
-  content    = data.oci_containerengine_cluster_kube_config.kube_config.content
-  depends_on = [null_resource.create_local_kubeconfig, oci_containerengine_cluster.k8s_cluster]
-  filename   = "${path.root}/generated/kubeconfig"
+  content         = data.oci_containerengine_cluster_kube_config.kube_config.content
+  depends_on      = [null_resource.create_local_kubeconfig, oci_containerengine_cluster.k8s_cluster]
+  filename        = "${path.root}/generated/kubeconfig"
   file_permission = "0600"
 }
 
@@ -37,6 +37,29 @@ data "template_file" "generate_kubeconfig" {
   count = local.post_provisioning_ops == true ? 1 : 0
 }
 
+data "template_file" "token_helper" {
+  template = file("${path.module}/scripts/token_helper.template.sh")
+
+  vars = {
+    cluster-id = oci_containerengine_cluster.k8s_cluster.id
+    region     = var.region
+  }
+
+  count = local.post_provisioning_ops == true ? 1 : 0
+}
+
+data "template_file" "set_credentials" {
+  template = file("${path.module}/scripts/kubeconfig_set_credentials.template.sh")
+
+  vars = {
+    cluster-id    = oci_containerengine_cluster.k8s_cluster.id
+    cluster-id-11 = substr(oci_containerengine_cluster.k8s_cluster.id, (length(oci_containerengine_cluster.k8s_cluster.id) - 11), length(oci_containerengine_cluster.k8s_cluster.id))
+    region        = var.region
+  }
+
+  count = local.post_provisioning_ops == true ? 1 : 0
+}
+
 resource "null_resource" "write_kubeconfig_on_operator" {
   connection {
     host        = var.oke_operator.operator_private_ip
@@ -57,11 +80,26 @@ resource "null_resource" "write_kubeconfig_on_operator" {
     destination = "~/generate_kubeconfig.sh"
   }
 
+  provisioner "file" {
+    content     = data.template_file.token_helper[0].rendered
+    destination = "~/token_helper.sh"
+  }
+
+  provisioner "file" {
+    content     = data.template_file.set_credentials[0].rendered
+    destination = "~/kubeconfig_set_credentials.sh"
+  }
+
   provisioner "remote-exec" {
     inline = [
       "chmod +x $HOME/generate_kubeconfig.sh",
       "$HOME/generate_kubeconfig.sh",
-      "rm -f $HOME/generate_kubeconfig.sh"
+      "chmod +x $HOME/token_helper.sh",
+      "sudo mv $HOME/token_helper.sh /usr/local/bin",
+      "chmod +x $HOME/kubeconfig_set_credentials.sh",
+      "$HOME/kubeconfig_set_credentials.sh",
+      "rm -f $HOME/generate_kubeconfig.sh",
+      "rm -f $HOME/kubeconfig_set_credentials.sh"
     ]
   }
 
diff --git a/modules/oke/outputs.tf b/modules/oke/outputs.tf
@@ -2,9 +2,9 @@
 # Licensed under the Universal Permissive License v 1.0 as shown at https://oss.oracle.com/licenses/upl
 
 output "cluster_id" {
-    value = oci_containerengine_cluster.k8s_cluster.id
+  value = oci_containerengine_cluster.k8s_cluster.id
 }
 
 output "nodepool_ids" {
-  value = zipmap( values(oci_containerengine_node_pool.nodepools)[*].name, values(oci_containerengine_node_pool.nodepools)[*].id)
+  value = zipmap(values(oci_containerengine_node_pool.nodepools)[*].name, values(oci_containerengine_node_pool.nodepools)[*].id)
 }
diff --git a/modules/oke/scripts/kubeconfig_set_credentials.template.sh b/modules/oke/scripts/kubeconfig_set_credentials.template.sh
@@ -0,0 +1,12 @@
+#!/bin/bash
+# Copyright 2021 Oracle Corporation and/or affiliates.  All rights reserved.
+# Licensed under the Universal Permissive License v 1.0 as shown at https://oss.oracle.com/licenses/upl
+
+kubectl config set-credentials "user-${cluster-id-11}" --exec-command="./token_helper.sh" \
+  --exec-arg="ce" \
+  --exec-arg="cluster" \
+  --exec-arg="generate-token" \
+  --exec-arg="--cluster-id" \
+  --exec-arg="${cluster-id}" \
+  --exec-arg="--region" \
+  --exec-arg="${region}"
diff --git a/modules/oke/scripts/token_helper.template.sh b/modules/oke/scripts/token_helper.template.sh
@@ -0,0 +1,12 @@
+#!/bin/bash
+# Copyright 2021 Oracle Corporation and/or affiliates.  All rights reserved.
+# Licensed under the Universal Permissive License v 1.0 as shown at https://oss.oracle.com/licenses/upl
+
+TOKEN_FILE=~/.kube/TOKEN
+
+if ! test -f "$TOKEN_FILE" || test $(( `date +%s` - `stat -L -c %Y $TOKEN_FILE` )) -gt 240; then
+  umask 022
+  oci ce cluster generate-token --cluster-id ${cluster-id} --region ${region} >$TOKEN_FILE
+fi
+
+cat $TOKEN_FILE
diff --git a/modules/okenetwork/datasources.tf b/modules/okenetwork/datasources.tf
@@ -20,4 +20,4 @@ data "oci_core_subnets" "oke_subnets" {
 }
 
 data "oci_waas_edge_subnets" "waf_cidr_blocks" {
-}
+}
diff --git a/modules/okenetwork/locals.tf b/modules/okenetwork/locals.tf
@@ -143,7 +143,7 @@ locals {
       protocol         = local.tcp_protocol,
       port             = -1,
       stateless        = false
-    }    
+    }
   ]
 
   workers_ingress = [
@@ -160,7 +160,7 @@ locals {
       port        = -1,
       source      = local.cp_subnet,
       stateless   = false
-    },    
+    },
     {
       description = "Allow path discovery from worker nodes"
       protocol    = local.icmp_protocol,
diff --git a/modules/okenetwork/outputs.tf b/modules/okenetwork/outputs.tf
@@ -3,9 +3,9 @@
 
 output "subnet_ids" {
   value = {
-      "cp"      = join(",", oci_core_subnet.cp[*].id)
-      "workers" = join(",", oci_core_subnet.workers[*].id)
-      "int_lb"  = join(",", oci_core_subnet.int_lb[*].id)
-      "pub_lb"  = join(",", oci_core_subnet.pub_lb[*].id)
-    }  
+    "cp"      = join(",", oci_core_subnet.cp[*].id)
+    "workers" = join(",", oci_core_subnet.workers[*].id)
+    "int_lb"  = join(",", oci_core_subnet.int_lb[*].id)
+    "pub_lb"  = join(",", oci_core_subnet.pub_lb[*].id)
+  }
 }
diff --git a/modules/okenetwork/security.tf b/modules/okenetwork/security.tf
@@ -140,7 +140,7 @@ resource "oci_core_security_list" "workers_seclist" {
       }
     }
   }
-  
+
   # NodePort access - TCP
   dynamic "ingress_security_rules" {
     for_each = var.oke_network_worker.allow_node_port_access == true ? [1] : []
@@ -254,7 +254,7 @@ resource "oci_core_security_list" "pub_lb_seclist" {
       stateless   = false
     }
   }
-  
+
   # allow only from WAF
   dynamic "ingress_security_rules" {
     iterator = waf_iterator
@@ -267,7 +267,7 @@ resource "oci_core_security_list" "pub_lb_seclist" {
       stateless   = false
     }
   }
-  
+
   # restrict by ports only
   dynamic "ingress_security_rules" {
     iterator = pub_lb_ingress_iterator
diff --git a/modules/okenetwork/subnets.tf b/modules/okenetwork/subnets.tf
@@ -9,7 +9,7 @@ resource "oci_core_subnet" "cp" {
   prohibit_public_ip_on_vnic = var.cluster_access == "private" ? true : false
   route_table_id             = var.cluster_access == "private" ? var.oke_network_vcn.nat_route_id : var.oke_network_vcn.ig_route_id
   security_list_ids          = [oci_core_security_list.control_plane_seclist.id]
-  vcn_id = var.oke_network_vcn.vcn_id
+  vcn_id                     = var.oke_network_vcn.vcn_id
 }
 
 resource "oci_core_subnet" "workers" {
diff --git a/modules/policies/datasources.tf b/modules/policies/datasources.tf
@@ -2,7 +2,7 @@
 # Licensed under the Universal Permissive License v 1.0 as shown at https://oss.oracle.com/licenses/upl
 
 data "oci_identity_tenancy" "tenancy" {
-  tenancy_id = var.tenancy_id  
+  tenancy_id = var.tenancy_id
 }
 
 # get the tenancy's home region
@@ -11,4 +11,4 @@ data "oci_identity_regions" "home_region" {
     name   = "key"
     values = [data.oci_identity_tenancy.tenancy.home_region_key]
   }
-}
+}
diff --git a/modules/policies/policies.tf b/modules/policies/policies.tf
@@ -5,7 +5,7 @@ resource "oci_identity_policy" "operator_instance_principal_dynamic_group" {
   provider       = oci.home
   compartment_id = var.tenancy_id
   description    = "policy to allow operator host to manage dynamic group"
-  name           = var.label_prefix == "none" ? "operator-instance-principal-dynamic-group-${substr(uuid(),0,8)}" : "${var.label_prefix}-operator-instance-principal-dynamic-group-${substr(uuid(),0,8)}"
+  name           = var.label_prefix == "none" ? "operator-instance-principal-dynamic-group-${substr(uuid(), 0, 8)}" : "${var.label_prefix}-operator-instance-principal-dynamic-group-${substr(uuid(), 0, 8)}"
   statements     = ["Allow dynamic-group ${var.dynamic_group} to use dynamic-groups in tenancy"]
   count          = (var.oke_kms.use_encryption == true && var.operator.bastion_enabled == true && var.operator.operator_instance_principal == true) ? 1 : 0
 }
@@ -17,4 +17,4 @@ resource "oci_identity_policy" "oke-kms" {
   name           = var.label_prefix == "none" ? "oke-kms" : "${var.label_prefix}-oke-kms"
   statements     = [local.policy_statement]
   count          = (var.oke_kms.use_encryption == true) ? 1 : 0
-}
+}
diff --git a/modules/policies/provider.tf b/modules/policies/provider.tf
@@ -9,4 +9,4 @@ provider "oci" {
   region           = lookup(data.oci_identity_regions.home_region.regions[0], "name")
   tenancy_ocid     = var.tenancy_id
   user_ocid        = var.user_id
-}
+}
diff --git a/outputs.tf b/outputs.tf
@@ -2,17 +2,17 @@
 # Licensed under the Universal Permissive License v 1.0 as shown at https://oss.oracle.com/licenses/upl
 
 # for reuse 
-
-output "cluster_id" {
-  description = "ID of the Kubernetes cluster"
-  value       = module.oke.cluster_id
-}
-
-output "nodepool_ids" {
-  description = "Map of Nodepool names and IDs"
-  value = module.oke.nodepool_ids
-}
-
+
+output "cluster_id" {
+  description = "ID of the Kubernetes cluster"
+  value       = module.oke.cluster_id
+}
+
+output "nodepool_ids" {
+  description = "Map of Nodepool names and IDs"
+  value       = module.oke.nodepool_ids
+}
+
 
 output "ig_route_id" {
   description = "id of route table to vcn internet gateway"
@@ -26,7 +26,7 @@ output "nat_route_id" {
 
 output "subnet_ids" {
   description = "map of subnet ids (worker, int_lb, pub_lb) used by OKE."
-  value = module.network.subnet_ids
+  value       = module.network.subnet_ids
 }
 
 output "vcn_id" {
@@ -59,4 +59,4 @@ output "ssh_to_bastion" {
 output "kubeconfig" {
   description = "convenient command to set KUBECONFIG environment variable before running kubectl locally"
   value       = "export KUBECONFIG=generated/kubeconfig"
-}
+}

Original file line number	Diff line number	Diff line change
`@@ -11,7 +11,7 @@ data "template_file" "check_active_worker" {`
`11`	`11`	`count = local.post_provisioning_ops == true && var.check_node_active != "none" ? 1 : 0`
`12`	`12`	`}`
`13`	`13`
`14`		`-resource null_resource "check_worker_active" {`
	`14`	`+resource null_resource "check_worker_active" {`
`15`	`15`	`triggers = {`
`16`	`16`	`node_pools = length(data.oci_containerengine_node_pools.all_node_pools.node_pools)`
`17`	`17`	`}`
`@@ -44,4 +44,4 @@ resource null_resource "check_worker_active" {`
`44`	`44`	`}`
`45`	`45`
`46`	`46`	`count = local.post_provisioning_ops == true && var.check_node_active != "none" ? 1 : 0`
`47`		`-}`
	`47`	`+}`
Original file line number	Diff line number	Diff line change
`@@ -7,7 +7,7 @@ data "template_file" "install_kubectl" {`
`7`	`7`
`8`	`8`	`vars = {`
`9`	`9`	`ol = var.oke_operator.operator_version`
`10`		`- }`
	`10`	`+ }`
`11`	`11`	`}`
`12`	`12`
`13`	`13`	`resource "null_resource" "install_kubectl_operator" {`
`@@ -36,7 +36,7 @@ resource "null_resource" "install_kubectl_operator" {`
`36`	`36`	`]`
`37`	`37`	`}`
`38`	`38`
`39`		`- count = var.oke_operator.bastion_enabled == true && var.oke_operator.bastion_state == "RUNNING" && var.oke_operator.operator_enabled == true ? 1 : 0`
	`39`	`+ count = var.oke_operator.bastion_enabled == true && var.oke_operator.bastion_state == "RUNNING" && var.oke_operator.operator_enabled == true ? 1 : 0`
`40`	`40`	`}`
`41`	`41`
`42`	`42`	`# helm`
Original file line number	Diff line number	Diff line change
`@@ -2,9 +2,9 @@`
`2`	`2`	`# Licensed under the Universal Permissive License v 1.0 as shown at https://oss.oracle.com/licenses/upl`
`3`	`3`
`4`	`4`	`output "cluster_id" {`
`5`		`- value = oci_containerengine_cluster.k8s_cluster.id`
	`5`	`+ value = oci_containerengine_cluster.k8s_cluster.id`
`6`	`6`	`}`
`7`	`7`
`8`	`8`	`output "nodepool_ids" {`
`9`		`- value = zipmap( values(oci_containerengine_node_pool.nodepools)[].name, values(oci_containerengine_node_pool.nodepools)[].id)`
	`9`	`+ value = zipmap(values(oci_containerengine_node_pool.nodepools)[].name, values(oci_containerengine_node_pool.nodepools)[].id)`
`10`	`10`	`}`