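#!/bin/bash
#
# Bootstrap a Kubernetes namespace: create the namespace, its service accounts,
# RBAC and resource limits, generate an ECDSA key pair stored as the
# `auth-keypair` secret, optionally request a wildcard certificate, and copy
# the internal registry pull secret into the new namespace.
#
# Usage: <this script> <namespace>
#
# Reads ./config, scripts/ and yaml/ relative to the current directory, and
# writes to /usr/local/bin and /root/secrets/kube, so it is expected to be run
# from the repository root with sufficient privileges (in practice: root).

# Print a message on stderr without stopping the script.
warn() {
  printf '%s\n' "$*" >&2
}

echo ""
echo "... ] Setup Environment [ ..."

if [ -f config ]; then
  echo "config file FOUND :)"
  # Use an explicit ./ path: a bare `source config` searches $PATH before the
  # current directory, so a different file than the one tested above could be
  # executed. The file runs as shell code with this script's privileges.
  source ./config
else
  echo "config file is missing."
  exit 1
fi

# Exported so that envsubst can substitute them into the YAML templates.
export CEPH_MONITOR_1
export CEPH_MONITOR_2
export CEPH_MONITOR_3
export CLUSTER_DOMAIN

if [[ -z "${1:-}" ]]; then
  echo "Usage: $0 <namespace>"
  exit 1
fi

nspace=$1

# The namespace ends up in file names and in templated manifests, so accept
# only a DNS-1123 label (what Kubernetes itself allows for a namespace).
# This rejects path separators, whitespace and shell/YAML metacharacters.
ns_pattern='^[a-z0-9]([-a-z0-9]*[a-z0-9])?$'
if ! [[ "$nspace" =~ $ns_pattern ]] || (( ${#nspace} > 63 )); then
  warn "Invalid namespace '${nspace}': expected a lowercase DNS-1123 label (max 63 chars)."
  exit 1
fi
export nspace

# apt-get has a stable command-line interface for scripts; apt does not.
apt-get update
apt-get install -y jq

cp -v scripts/create-sa.sh /usr/local/bin/create-sa

# Setup namespace, Service Accounts, RBAC, Limit
# envsubst without an explicit variable list replaces every $VAR reference in
# the template with the value from the environment.
printf '\nsetting up %s... \n' "$nspace"
envsubst < yaml/system/namespace.yaml | kubectl apply -f -

printf '\nsetting up Service Accounts... \n'
/usr/local/bin/create-sa admin-sa "$nspace"
/usr/local/bin/create-sa backup-agent-sa "$nspace"
sleep 5

printf '\nsetting up RBAC... \n'
envsubst < yaml/system/sa-rbac.yaml | kubectl apply -f -
envsubst < yaml/system/sa-rbac-backup-agent.yaml | kubectl apply -f -
sleep 5

printf '\nsetting up resource limits... \n'
kubectl -n "$nspace" apply -f yaml/system/namespace-resource-limits.yaml

# Create an auth-keypair unique to the new namespace, to be used by external
# applications.
printf '\nsetting up shared keypair secret... \n'
key_dir=/root/secrets/kube
priv_key="${key_dir}/${nspace}_id_ecdsa"
pub_key="${priv_key}.pub"

# Generate the private key under a restrictive umask so it is never created
# group/world readable; chmod also covers a pre-existing file being reused.
if (umask 077 \
    && mkdir -p -v "$key_dir" \
    && openssl ecparam -genkey -name prime256v1 -noout -out "$priv_key") \
  && chmod 600 "$priv_key" \
  && openssl ec -in "$priv_key" -pubout -out "$pub_key"; then
  # Both halves are read from key_dir. The public key was previously read from
  # /tmp, where it is never written: the command either failed or picked up
  # whatever file happened to exist in that world-writable directory.
  kubectl -n "$nspace" create secret generic auth-keypair \
    --from-file=id_ecdsa="$priv_key" \
    --from-file=id_ecdsa.pub="$pub_key"
else
  warn "key pair generation failed; auth-keypair secret was not created."
fi
# The key material stays on disk after the secret is created; the removal
# below was left disabled by the author.
#rm /root/secrets/kube/${nspace}_id_ecdsa
#rm /root/secrets/kube/${nspace}_id_ecdsa.pub

# Create wildcard certificate if we have cert-manager installed.
# CERT_MODE is expected to come from config; the default keeps the test from
# erroring out when it is unset.
if [[ "${CERT_MODE:-}" == "True" ]]; then
  printf '\ncreate a wildcard certificate secret with letsencrypt for the defined namespace...\n'
  envsubst < yaml/system/namespace-wild-cert.yaml | kubectl -n "$nspace" apply -f -
fi

# Copy internal registry credentials from its namespace.
# jq sets the target namespace as data (--arg) instead of splicing it into a
# sed program, and drops server-populated metadata of the source object so a
# repeated run does not submit a stale uid/resourceVersion.
# NOTE(review): anyone who can read secrets in the new namespace can read
# these pull credentials -- confirm they are scoped to pull-only.
kubectl -n registry get secret registry-internal -o json \
  | jq --arg ns "$nspace" \
      'del(.metadata.uid, .metadata.resourceVersion, .metadata.creationTimestamp, .metadata.selfLink)
       | .metadata.namespace = $ns' \
  | kubectl apply -f -

# Patch the default service account with registry-internal as ImagePullSecret
kubectl -n "$nspace" patch serviceaccount default \
  -p '{"imagePullSecrets": [{"name": "registry-internal"}]}'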