
Commit d9bef36

Merge pull request #9424 from everettraven/feature/auth-bootstrapping
CNTRLPLANE-194: add auth-api-bootstrap stage to bootkube.sh template
2 parents 754b874 + 9d0ac16 commit d9bef36


1 file changed

+36
-0
lines changed

1 file changed

+36
-0
lines changed

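--- a/data/data/bootstrap/files/usr/local/bin/bootkube.sh.template
+++ b/data/data/bootstrap/files/usr/local/bin/bootkube.sh.template
@@ -58,6 +58,7 @@ KUBE_CONTROLLER_MANAGER_OPERATOR_IMAGE=$(image_for cluster-kube-controller-manag
 KUBE_SCHEDULER_OPERATOR_IMAGE=$(image_for cluster-kube-scheduler-operator)
 INGRESS_OPERATOR_IMAGE=$(image_for cluster-ingress-operator)
 NODE_TUNING_OPERATOR_IMAGE=$(image_for cluster-node-tuning-operator)
+AUTH_OPERATOR_IMAGE=$(image_for cluster-authentication-operator)
 
 CLOUD_CREDENTIAL_OPERATOR_IMAGE=$(image_for cloud-credential-operator)
 
@@ -117,6 +118,41 @@ then
 record_service_stage_success
 fi
 
+# The cluster-authentication-operator is going to be responsible for managing the
+# rolebindingrestrictions.authorization.openshift.io CRD as outlined in
+# https://github.com/openshift/enhancements/pull/1726
+#
+# This CRD is required for bootstrapping so that the authorization.openshift.io/RestrictSubjectBindings
+# default admission plugin on the kube-apiserver does not prevent
+# the creation of `system:*` RoleBindings.
+#
+# Because the only thing required for bootstrapping from the cluster-authentication-operator
+# is this API, and this API used to be part of the api-bootstrap process,
+# this stage is put immediately after the api-bootstrap stage.
+if [ ! -f auth-api-bootstrap.done ]
+then
+record_service_stage_start "auth-api-bootstrap"
+echo "Rendering auth api manifests..."
+
+rm --recursive --force auth-api-bootstrap
+
+bootkube_podman_run \
+--name auth-api-render \
+--volume "$PWD:/assets:z" \
+"${AUTH_OPERATOR_IMAGE}" \
+render \
+--asset-output-dir=/assets/auth-api-bootstrap/manifests \
+--rendered-manifest-dir=/assets/manifests \
+--cluster-profile=${CLUSTER_PROFILE_ANNOTATION} \
+--payload-version=$VERSION
+
+
+cp auth-api-bootstrap/manifests/* manifests/
+
+touch auth-api-bootstrap.done
+record_service_stage_success
+fi
+
 if [ ! -f config-bootstrap.done ]
 then
 record_service_stage_start "config-bootstrap"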
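Review bot: The render invocation leaves `${CLUSTER_PROFILE_ANNOTATION}` and `$VERSION` unquoted (new lines 146–147) while `"${AUTH_OPERATOR_IMAGE}"` two lines above is quoted; for consistency and so an empty or whitespace-containing value cannot be word-split into separate arguments, write `--cluster-profile="${CLUSTER_PROFILE_ANNOTATION}" \` and `--payload-version="$VERSION"`. The `cp auth-api-bootstrap/manifests/* manifests/` on new line 150 will error on an unmatched literal glob if the render produced no files, which leaves `auth-api-bootstrap.done` untouched so the stage is retried on the next run — presumably intended, but a one-line comment such as `# an empty render is a failure: the .done marker must not be written` would make that explicit. Both variables are defined outside this hunk, and the surrounding script continues past it.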
