Refactor

4ops · 4ops · commit b069f226cc64 · 2020-04-26T02:39:10.000+03:00
diff --git a/.editorconfig b/.editorconfig
@@ -0,0 +1,12 @@
+root = true
+
+[*]
+indent_style = space
+indent_size = 2
+charset = utf-8
+trim_trailing_whitespace = true
+insert_final_newline = true
+
+[*.sh]
+indent_style = tab
+indent_size = 4
diff --git a/Dockerfile b/Dockerfile
@@ -1,8 +1,17 @@
 FROM busybox:1.31 AS installer
-ADD https://storage.googleapis.com/kubernetes-release/release/v1.18.2/bin/linux/amd64/kubectl /kubectl
-RUN chmod 0755 /kubectl
 
-FROM scratch
-COPY --from=installer /kubectl /kubectl
+ARG VERSION="1.18.2"
+
+ADD https://storage.googleapis.com/kubernetes-release/release/v${VERSION}/bin/linux/amd64/kubectl /install/kubectl
+COPY --chown=root:root entrypoint.sh /install/entrypoint
+RUN chmod 0755 /install/kubectl /install/entrypoint
+
+
+FROM busybox:1.31
+
+RUN mkdir -p /config && chown -R 1042 /config
+COPY --from=installer /install /usr/bin
 USER 1042
-ENTRYPOINT ["/kubectl"]
+VOLUME ["/config"]
+ENTRYPOINT ["entrypoint"]
+CMD ["version", "--short", "--client"]
diff --git a/README.md b/README.md
@@ -1,26 +1,29 @@
 # Kubectl docker image
 
-Minimal docker image with kubectl only.
+Minimal docker image based on busybox with kubeconfig automation.
 
 # Components
 
-## kubectl
+## Kubectl
 
 Kubectl is the Kubernetes cli version of a swiss army knife, and can do many things.
 
-[Project link](https://kubectl.docs.kubernetes.io)
+[Project link](https://kubectl.docs.kubernetes.io/)
 
-# Usage
+## BusyBox
+
+BusyBox provides a fairly complete environment for any small or embedded system.
 
-## Console
+[Project link](https://busybox.net/)
+
+# Usage
 
-Docker:
+## Run in Docker
 
 ```shell
 $ docker run \
     --name="docker-kubectl-example" \
-    --volume="$HOME/.kube/config:/config:ro" \
-    --env="KUBECONFIG=/config" \
+    --volume="$HOME/.kube/config:/config/kubectl.conf:ro" \
     --network="host" \
     --rm \
     --interactive \
@@ -29,21 +32,53 @@ $ docker run \
     get pods
 ```
 
-Kubernetes:
+## Run in Kubernetes
+
+From command line:
 
 ```shell
-$ TOKEN=$(kubectl -n test-jobs get secrets -o jsonpath="{.items[?(@.metadata.annotations['kubernetes\.io/service-account\.name']=='executor')].data.token}" | base64 --decode)
 $ kubectl run "get-pods-example" \
     --rm="true" \
     --restart="Never" \
     --image="4ops/kubectl:1.18.2" \
-    --image-pull-policy="Always" \
     --stdin \
     --tty \
-    --namespace="test-jobs" \
-    --env="TOKEN=$TOKEN" \
     -- \
-    --token='$(TOKEN)' \
     get \
     pods
 ```
+
+Pod manifest example:
+
+```YAML
+apiVersion: v1
+kind: Pod
+metadata:
+  name: get-pods-example
+spec:
+  containers:
+    - name: "kubectl"
+      image: "4ops/kubectl:1.18.2"
+      args: ["get", "pods"]
+```
+
+# Credentials
+
+## Using existing kubeconfig
+
+- Mount volume with kubeconfig file
+- Setup path to kubeconfig using environment variable `KUBECONFIG`
+
+## Using ServiceAccount token
+
+- Setup token as environment variable `KUBE_TOKEN`
+- If no `KUBECONFIG` or `KUBE_TOKEN` set, entrypoint script will try to discover ServiceAccount secrets from `/var/run/secrets/kubernetes.io/serviceaccount` directory
+
+# Environment variables
+
+- `KUBECONFIG` - path to kubeconfig file (default: `/config/kubectl.conf`)
+- `KUBERNETES_SERVICE_HOST`, `KUBERNETES_SERVICE_PORT` - Kubernetes API native service discovery [variables](https://kubernetes.io/docs/concepts/services-networking/service/#environment-variables) (default: `kubernetes.default.svc`, `443`)
+- `KUBE_URL` - custom Kubernetes API URL
+- `KUBE_CA_PEM` - PEM-encoded certificate (or path to cert file) for TLS verification
+- `KUBE_NAMESPACE` - default namespace for kubeconfig context (default: `default`)
+- `KUBE_TOKEN` - auth token
diff --git a/entrypoint.sh b/entrypoint.sh
@@ -0,0 +1,52 @@
+#!/bin/sh
+
+set -eu
+
+readonly kubectl="/usr/bin/kubectl"
+readonly sa="/var/run/secrets/kubernetes.io/serviceaccount"
+readonly debug="${DEBUG:-}"
+readonly kubeconfig="${KUBECONFIG:-/config/kubectl.conf}"
+readonly url="${KUBE_URL:-https://${KUBERNETES_SERVICE_HOST:-kubernetes.default.svc}:${KUBERNETES_SERVICE_PORT:-443}}"
+
+token="${KUBE_TOKEN:-}"
+ca="${KUBE_CA_PEM:-}"
+namespace="${KUBE_NAMESPACE:-}"
+
+[ -n "$token" ] && [ -r $sa/token ] && token="$(cat $sa/token)"
+[ -n "$token" ] && secret="$token" && token="@token"
+[ -n "$debug" ] && set -x && printenv | sed 's eyJhbGci.* @secret g'
+
+unset KUBE_TOKEN KUBE_URL KUBE_NAMESPACE KUBE_CA_PEM
+
+# try to get certificate authority
+if [ -n "$ca" ] && [ ! -r "$ca" ]; then
+	echo "$ca" > /tmp/ca.crt
+	ca=/tmp/ca.crt
+elif [ -z "$ca" ] && [ -r $sa/ca.crt ]; then
+	ca=$sa/ca.crt
+fi
+
+# set namespace
+if [ -z "$namespace" ] && [ -r $sa/namespace ]; then
+	namespace="$(cat $sa/namespace)"
+else
+	namespace="default"
+fi
+
+# create kubeconfig
+if [ -n "$ca" ] && [ -n "$token" ] && [ ! -r "$kubeconfig" ]; then
+	kcfg="$kubectl --kubeconfig=$kubeconfig config"
+	$kcfg set-credentials token --token="$secret"
+	$kcfg set-cluster kube --server="$url" --certificate-authority="$ca" --embed-certs=true
+	$kcfg set-context kube-token --cluster=kube --user=token
+	$kcfg use-context kube-token
+fi
+
+# setup arguments
+if [ -r "$kubeconfig" ]; then
+	set -- --kubeconfig="$kubeconfig" "$@"
+else
+	[ -n "$token" ] && set -- --server="$url" --token="$secret" "$@"
+fi
+
+exec $kubectl "$@" || exit $?
