rancher-cli

command module
v0.0.0-...-fbfee1b
Published: Oct 19, 2023 License: EUPL-1.2 Imports: 3 Imported by: 1

README

Rancher CLI

Rancher CLI provides tools for configuring Rancher projects and RBAC.

configure-project

The subcommand configure-project creates a Rancher project using a specification in a YAML file. If the YAML file specifies namespaces, the subcommand will create these namespaces with resource quota as well.

configure-global-roles

The subcommand configure-global-roles creates global roles in Rancher. This command should only be used while bootstrapping the Rancher environment.

manage-service-account

The subcommand manage-service-account creates a K8s service account in the services namespace and saves its token in the GitLab group.

  • Each customer has a namespace with the name <customer>-services.
  • In this namespace a service account is created with the name <customer>-deployer.
  • The service account gets rolebindings in each of the customer's namespaces, bound to the clusterrole specified in the param cluster-role. With these rolebindings the service account has sufficient permissions to perform rollout of applications. The cluster role is managed by Rancher as a global project role.
  • The token for the service account is saved in a Kubernetes environment in the GitLab group(s) of the customer. This facilitates the pipelines for authorization to the clusters.
  • The token for the service account is rotated. The lifetime is specified in the param token-lifetime, with a default of 60 minutes. After expiry of the lifetime a new token is created. Older tokens are removed, but only if a new token has been issued for at least the duration of the lifetime. This is to make sure running pipelines keep working. The token rotation assumes the command manage-service-account is run as a scheduled task at least every hour.
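
The rotation rule from the last bullet, as an added sketch that is not the project's own code. The Token and Plan types and the PlanRotation function are hypothetical, the timestamps are constructed, and the removal rule is an assumed reading of the text: a token is removed once its successor has itself been issued for at least token-lifetime.

```go
package main

import (
	"fmt"
	"sort"
	"time"
)

// Token is a hypothetical record of one issued service account token.
type Token struct {
	ID       string
	IssuedAt time.Time
}

// Plan is what one scheduled run should do.
type Plan struct {
	IssueNew bool     // create a fresh token in this run
	Remove   []string // IDs of tokens that may now be deleted
}

// PlanRotation applies the rotation rule for a run at time now.
func PlanRotation(tokens []Token, now time.Time, lifetime time.Duration) Plan {
	s := append([]Token(nil), tokens...) // do not reorder the caller's slice
	sort.Slice(s, func(i, j int) bool { return s[i].IssuedAt.Before(s[j].IssuedAt) })
	// Issue when no token exists or the newest one has reached the lifetime.
	p := Plan{IssueNew: len(s) == 0 || now.Sub(s[len(s)-1].IssuedAt) >= lifetime}
	// Assumed reading: a token may go once its successor has itself been
	// issued for a full lifetime, so running pipelines keep working.
	for i := 0; i+1 < len(s); i++ {
		if now.Sub(s[i+1].IssuedAt) >= lifetime {
			p.Remove = append(p.Remove, s[i].ID)
		}
	}
	return p
}

func main() {
	base := time.Date(2023, 10, 19, 8, 0, 0, 0, time.UTC) // constructed sample data
	life := 60 * time.Minute                              // default named on the page
	tokens := []Token{{ID: "t0", IssuedAt: base}, {ID: "t1", IssuedAt: base.Add(life)}}
	for _, m := range []time.Duration{90, 120} {
		p := PlanRotation(tokens, base.Add(m*time.Minute), life)
		fmt.Printf("+%dm issue=%v remove=%v\n", m, p.IssueNew, p.Remove)
	}
}
```

With this rule at most two tokens are valid at any time when the task runs on schedule, which bounds how long a leaked pipeline token stays usable.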

TODO

  • Design a global role model and implement that in this tool. Currently only one global role will be created.
  • Test if all preconditions are met to make the Rancher project operational.
  • Test the service account tokens.
