#!/usr/bin/env bash
# Bring up a local kind cluster whose API server issues service-account tokens
# with a caller-supplied issuer URL and signing key pair (sa.key / sa.pub in the
# repository root).
#
# Required env:  SERVICE_ACCOUNT_ISSUER
# Optional env:  KIND_CLUSTER_NAME (default "kind"), KIND_K8S_VERSION,
#                SERVICE_ACCOUNT_KEYVAULT_NAME (fetch the key pair from Azure Key Vault)
set -euo pipefail

# Abort early with a clear message instead of baking an empty issuer into the
# API server flags later on.
: "${SERVICE_ACCOUNT_ISSUER:?Environment variable empty or not defined.}"

# Work from the repository root so the key file paths below are absolute
# (they are handed to kind as hostPath mounts).
REPO_ROOT="$(dirname "${BASH_SOURCE[0]}")/.."
cd "${REPO_ROOT}" || exit 1
SERVICE_ACCOUNT_SIGNING_KEY_FILE="${PWD}/sa.key"
SERVICE_ACCOUNT_KEY_FILE="${PWD}/sa.pub"
KIND_CLUSTER_NAME="${KIND_CLUSTER_NAME:-kind}"
#######################################
# Create the kind cluster and wait for its control-plane node to be Ready.
# Globals:   KIND_CLUSTER_NAME, KIND_K8S_VERSION (read), SERVICE_ACCOUNT_ISSUER,
#            SERVICE_ACCOUNT_KEY_FILE, SERVICE_ACCOUNT_SIGNING_KEY_FILE (read)
# Arguments: none
# Outputs:   kind / kubectl progress on stdout/stderr
# Returns:   non-zero (and exits, via errexit) if kind or kubectl fail
#######################################
create_kind_cluster() {
  local node_image="kindest/node:${KIND_K8S_VERSION:-v1.27.1}"

  # The cluster config is fed to kind on stdin. The heredoc is intentionally
  # unquoted so the host-side key paths and the issuer are expanded into it;
  # the key pair is mounted into the node at the paths the kubeadm patches
  # below point the API server and controller manager at.
  kind create cluster --name "${KIND_CLUSTER_NAME}" --image "${node_image}" --config=- <<EOF
kind: Cluster
apiVersion: kind.x-k8s.io/v1alpha4
nodes:
- role: control-plane
  extraMounts:
  - hostPath: ${SERVICE_ACCOUNT_KEY_FILE}
    containerPath: /etc/kubernetes/pki/sa.pub
  - hostPath: ${SERVICE_ACCOUNT_SIGNING_KEY_FILE}
    containerPath: /etc/kubernetes/pki/sa.key
  # Load environment json into kind node to enable custom cloud coverage
  - hostPath: test/custom_environment.json
    containerPath: /etc/kubernetes/custom_environment.json
    readOnly: true
    propagation: None
kubeadmConfigPatches:
- |
  kind: InitConfiguration
  nodeRegistration:
    taints:
    - key: "kubeadmNode"
      value: "master"
      effect: "NoSchedule"
- |
  kind: ClusterConfiguration
  apiServer:
    extraArgs:
      service-account-issuer: ${SERVICE_ACCOUNT_ISSUER}
      service-account-key-file: /etc/kubernetes/pki/sa.pub
      service-account-signing-key-file: /etc/kubernetes/pki/sa.key
  controllerManager:
    extraArgs:
      service-account-private-key-file: /etc/kubernetes/pki/sa.key
EOF

  kubectl wait node "${KIND_CLUSTER_NAME}-control-plane" --for=condition=Ready --timeout=90s
}
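#######################################
# Fetch the service-account key pair from Azure Key Vault into the repo root.
# No-op when SERVICE_ACCOUNT_KEYVAULT_NAME is unset/empty, in which case the
# sa.pub / sa.key already present in the repository root are used as-is.
# Globals:   SERVICE_ACCOUNT_KEYVAULT_NAME (read),
#            SERVICE_ACCOUNT_KEY_FILE, SERVICE_ACCOUNT_SIGNING_KEY_FILE (read; files written)
# Arguments: none
# Returns:   0 when skipped; otherwise non-zero (exits via errexit/pipefail)
#            if az, jq or base64 fail
#######################################
download_service_account_keys() {
  if [[ -z "${SERVICE_ACCOUNT_KEYVAULT_NAME:-}" ]]; then
    return
  fi
  local vault="${SERVICE_ACCOUNT_KEYVAULT_NAME}"

  # Public key: no confidentiality requirement, default umask is fine.
  az keyvault secret show --vault-name "${vault}" --name workload-identity-sa-pub \
    | jq -r .value | base64 -d > "${SERVICE_ACCOUNT_KEY_FILE}"

  # Private signing key: this is the token-signing secret for the cluster, so
  # create it owner-only from the start (umask in a subshell so the rest of the
  # script keeps its umask) instead of chmod'ing afterwards, which would leave
  # a window where the key is world-readable under a permissive umask.
  (
    umask 077
    az keyvault secret show --vault-name "${vault}" --name workload-identity-sa-key \
      | jq -r .value | base64 -d > "${SERVICE_ACCOUNT_SIGNING_KEY_FILE}"
  )
  # umask only applies to newly created files; tighten a pre-existing sa.key too.
  chmod 600 "${SERVICE_ACCOUNT_SIGNING_KEY_FILE}"
}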
# Entry point: fetch the key pair (if a Key Vault is configured), then build
# the cluster that consumes it.
main() {
  download_service_account_keys
  create_kind_cluster
}
main "$@"