Last active
May 29, 2019 20:31
-
-
Save sallyom/66e6557a69a299272dfb50c867a1a65e to your computer and use it in GitHub Desktop.
script that demos features of service-ca-operator
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| #!/bin/sh | |
| # service-ca-demo.sh demo script. | |
| # This script will demonstrate features of service-ca-operator | |
| # Prerequisite: A running OpenShift 4.x cluster | |
| # Setting up some colors for helping read the demo output. | |
| # Comment out any of the below to turn off that color. | |
| bold=$(tput bold) | |
| bright=$(tput setaf 14) | |
| yellow=$(tput setaf 11) | |
| red=$(tput setaf 196) | |
| reset=$(tput sgr0) | |
| # commands | |
| read_bright() { | |
| read -p "${bold}${bright}$1${reset}" | |
| } | |
| echo_bright() { | |
| echo "${bold}${bright}$1${reset}" | |
| } | |
| # headings | |
| read_yellow() { | |
| read -p "${bold}${yellow}$1${reset}" | |
| } | |
| # headings | |
| read_red() { | |
| read -p "${bold}${red}$1${reset}" | |
| } | |
| # Initial setup, ensure KUBECONFIG is exported | |
| setup() { | |
| if ! oc whoami | grep 'system:admin' > /dev/null; then | |
| echo "$0" export KUBECONFIG=/path/to/kubeconfig | |
| exit 1 | |
| fi | |
| } | |
| intro() { | |
| read_yellow "Demo! service-ca-operator" | |
| echo "" | |
| clear | |
| } | |
| services_reference_serving_cert_secret() { | |
| read_yellow "Demo: service-serving-cert-signer controller" | |
| read_yellow "List of services in the cluster with 'service.alpha.openshift.io/serving-cert-secret-name'" | |
| read_yellow "Notice also the annotation 'serving-cert-signed-by'. This denotes a service managed by service-ca-operator" | |
| echo "" | |
| read_bright "--> oc get services --all-namespaces -o yaml | grep -A 7 'serving-cert-secret-name'" | |
| oc get services --all-namespaces -o yaml | grep -A 7 'serving-cert-secret-name' 2> /dev/null | |
| echo "" | |
| read_bright "--> clear" | |
| clear | |
| read_yellow "Examine a service that has the 'serving-cert-secret-name' annotation" | |
| read_bright "--> oc get service prometheus-k8s -n openshift-monitoring -o yaml" | |
| oc get service prometheus-k8s -n openshift-monitoring -o yaml | |
| echo "" | |
| read_bright "--> clear" | |
| clear | |
| read_yellow "Examine a secret referenced by a service with the annotation 'serving-cert-secret-name' and 'serving-cert-signed-by'" | |
| read_yellow "Note: the secret references the originating service name" | |
| read_bright "--> oc get secret prometheus-k8s-tls -n openshift-monitoring -o yaml" | |
| oc get secret prometheus-k8s-tls -n openshift-monitoring -o yaml | |
| echo "" | |
| read_yellow "Now we'll delete the secret. Service-CA-Operator will regenerate the secret." | |
| read_bright "--> oc delete secret prometheus-k8s-tls -n openshift-monitoring" | |
| oc delete secret prometheus-k8s-tls -n openshift-monitoring | |
| echo "" | |
| read_yellow "The secret 'prometheus-k8s-tls' is regenerated." | |
| read_bright "--> oc get secret prometheus-k8s-tls -n openshift-monitoring -o yaml" | |
| oc get secret prometheus-k8s-tls -n openshift-monitoring -o yaml | |
| echo "" | |
| read_bright "--> clear" | |
| clear | |
| read_yellow "Finally, let's examine the openssl cert from that secret 'prometheus-k8s-tls'." | |
| read_bright "--> oc get secret prometheus-k8s-tls -n openshift-monitoring -o template='{{index .data 'tls.crt' }}' | base64 -d | openssl x509 -text" | |
| oc get secret prometheus-k8s-tls -n openshift-monitoring -o template='{{index .data "tls.crt" }}' | base64 -d | openssl x509 -text | |
| echo "" | |
| read_bright "--> clear" | |
| clear | |
| } | |
| configmaps_inject_cabundle() { | |
| read_yellow "Demo: configmap-cabundle-injector controller" | |
| read_yellow "List all configmaps in cluster that have the annotation 'inject-cabundle: true'" | |
| read_yellow "This annotation ensures the configmap has a data item (key: service-ca.crt) containing PEM-encoded CA signing bundle" | |
| echo "" | |
| read_bright "--> oc get configmaps --all-namespaces -o yaml | grep -A 5 'inject-cabundle'" | |
| oc get configmaps --all-namespaces -o yaml | grep -A 5 'inject-cabundle' | |
| echo "" | |
| read_bright "--> clear" | |
| clear | |
| read_yellow "Examine a configmap with the annotation 'inject-cabundle: true'" | |
| read_bright "--> oc get configmap serving-certs-ca-bundle -n openshift-monitoring -o yaml" | |
| oc get configmap serving-certs-ca-bundle -n openshift-monitoring -o yaml | |
| echo "" | |
| read_yellow "Now we'll delete the service-ca.crt from the configmap. Service-CA-Operator will regenerate the service-ca.crt key/data in the configmap." | |
| read_bright "--> oc edit configmap serving-certs-ca-bundle -n openshift-monitoring" | |
| oc edit configmap serving-certs-ca-bundle -n openshift-monitoring | |
| echo "" | |
| read_yellow "The service-ca.crt key/value is regenerated." | |
| read_bright "--> oc get configmap serving-certs-ca-bundle -n openshift-monitoring -o yaml" | |
| oc get configmap serving-certs-ca-bundle -n openshift-monitoring -o yaml | |
| echo "" | |
| read_bright "--> clear" | |
| clear | |
| read_yellow "Also, if you delete the configmap, the configmap is regenerated, with the service-ca.crt key/data." | |
| read_yellow "For this demo we won't, because it takes a few minutes for the Cluster Version Operator to notice/regenerate." | |
| read_bright "--> Try this at home :) --> oc delete configmap serving-certs-ca-bundle -n openshift-monitoring" | |
| echo "" | |
| read_bright "--> clear" | |
| clear | |
| } | |
| pod_mounts() { | |
| read_yellow "Demo: Example pod mounts service-cabundle configmap and tls crts secret" | |
| read_yellow "Pods access the CA bundle and/or tls crts by mounting the cabundle configmap and/or the tls secret" | |
| echo "" | |
| read_bright "--> oc describe pod prometheus-k8s-0 -n openshift-monitoring" | |
| oc describe pod prometheus-k8s-0 -n openshift-monitoring | |
| echo "" | |
| read_bright "--> clear" | |
| clear | |
| } | |
| apiservice_inject_cabundle() { | |
| read_yellow "Demo: apiservice-cabundle-injector controller" | |
| read_yellow "List all APIServices in cluster that have the annotation 'inject-cabundle: true'" | |
| read_yellow "This annotation ensures the APIService has a data item (spec.caBundle) containing base64URL-encoded CA signing bundle" | |
| echo "" | |
| read_bright "--> oc get apiservice --all-namespaces -o yaml | grep -A 2 'inject-cabundle'" | |
| oc get apiservice --all-namespaces -o yaml | grep -A 2 'inject-cabundle' | |
| echo "" | |
| read_bright "--> clear" | |
| clear | |
| read_yellow "Examine an apiservice with the annotation 'inject-cabundle: true'" | |
| read_bright "--> oc get apiservice v1.authorization.openshift.io -o yaml" | |
| oc get apiservice v1.authorization.openshift.io -o yaml | |
| echo "" | |
| read_yellow "Examine the service referenced by authorization apiservice" | |
| read_bright "--> oc get service api -o yaml -n openshift-apiserver" | |
| oc get service api -o yaml -n openshift-apiserver | |
| echo "" | |
| read_bright "--> clear" | |
| clear | |
| } | |
| setup | |
| intro | |
| services_reference_serving_cert_secret | |
| configmaps_inject_cabundle | |
| pod_mounts | |
| apiservice_inject_cabundle | |
| read_yellow "End of Demo" | |
| echo_bright "Thank you!" |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment