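---
# Bootstrap CSR auto-approver (OpenShift 3.7).
#
# Runs `oc observe csr` under the bootstrap-autoapprover service account and
# hands every CertificateSigningRequest to the embedded /tmp/signer script,
# which:
#   * approves any CSR that has no status condition yet, provided it was
#     submitted by the openshift-infra node-bootstrapper service account or
#     by a system:node:* identity;
#   * deletes a CSR whose issued certificate expired more than 60 seconds ago.
#
# SECURITY NOTE: the approve decision is based solely on spec.username. The
# CSR's requested subject, SANs and key usages (spec.request) are never
# inspected here, so whatever a node identity or the bootstrapper SA asks
# for is approved without further inspection by this controller. The RBAC
# binding that grants this service account approve/delete on CSRs is not
# part of this file.
kind: StatefulSet
apiVersion: apps/v1beta1
metadata:
  name: bootstrap-autoapprover
  namespace: openshift-infra
spec:
  updateStrategy:
    type: RollingUpdate
  template:
    metadata:
      labels:
        app: bootstrap-autoapprover
    spec:
      # Service account whose token `oc` uses in-cluster (KUBECONFIG is unset below).
      serviceAccountName: bootstrap-autoapprover
      terminationGracePeriodSeconds: 1
      containers:
      - name: signer
        image: openshift/node:v3.7.0-rc.0
        command:
        - /bin/bash
        - -c
        args:
        - |
          #!/bin/bash
          set -o errexit
          set -o nounset
          set -o pipefail

          # Drop any inherited kubeconfig so oc authenticates with the pod's
          # service-account token rather than a mounted admin config.
          unset KUBECONFIG

          # Write the per-CSR handler. The heredoc is unquoted, so every shell
          # expansion the handler needs at run time is escaped as \$ here.
          cat <<SCRIPT > /tmp/signer
          #!/bin/bash
          #
          # Invoked by oc observe once per CSR event with four arguments:
          #   1: CSR name
          #   2: status.conditions[*].type (empty while neither Approved nor Denied)
          #   3: status.certificate (base64, empty until the CSR is signed)
          #   4: spec.username of the requester
          #
          # It will approve any CSR that is not approved yet, and delete any CSR that expired more than 60 seconds
          # ago.
          #

          set -o errexit
          set -o nounset
          set -o pipefail

          name=\${1}
          condition=\${2}
          certificate=\${3}
          username=\${4}

          # Auto-approve: no condition yet and the requester is the bootstrapper
          # service account or an existing node identity.
          # NOTE: spec.request is not examined; the requested subject and usages
          # are whatever the client put in the CSR.
          if [[ -z "\${condition}" && ("\${username}" == "system:serviceaccount:openshift-infra:node-bootstrapper" || "\${username}" == "system:node:"* ) ]]; then
            oc adm certificate approve "\${name}"
            exit 0
          fi

          # Garbage-collect: once a certificate has been issued, delete the CSR
          # when that certificate expired more than 60 seconds ago.
          if [[ -n "\${certificate}" ]]; then
            text="\$( echo "\${certificate}" | base64 -d - )"
            if ! echo "\${text}" | openssl x509 -noout; then
              # Error goes to stderr (the original wrote it to stdout via 2>&1).
              echo "error: Unable to parse certificate" >&2
              exit 1
            fi
            # -checkend with a negative offset fails only once notAfter is earlier
            # than (now - 60s), i.e. the certificate expired over 60 seconds ago.
            if ! echo "\${text}" | openssl x509 -checkend -60 > /dev/null; then
              echo "Certificate is expired, deleting"
              oc delete csr "\${name}"
            fi
            exit 0
          fi
          SCRIPT
          chmod u+x /tmp/signer

          # Watch all CSRs and re-list every 10 minutes so missed events are
          # retried. --maximum-errors=1 makes the observer exit after a single
          # handler error (e.g. an unparsable certificate), after which the
          # container is restarted.
          exec oc observe csr --maximum-errors=1 --resync-period=10m -a '{.status.conditions[*].type}' -a '{.status.certificate}' -a '{.spec.username}' -- /tmp/signer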