Feature Request: Workload Runtime Security - installation wrapper script draft - Issue-#4115 #4148
There are no files selected for viewing
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,148 @@ | ||
| #!/bin/bash | ||
|
|
||
| # Installs the kube armor operator on the Open Horizon cluster agent | ||
|
|
||
| set -e #future: remove? | ||
|
|
||
| echo "Starting KubeArmor installation..." | ||
|
|
||
| # Step 1: Install Helm (if not already installed) | ||
| if ! command -v helm &> /dev/null; then | ||
| echo "Helm not found, installing Helm..." | ||
| curl https://raw.githubusercontent.com/helm/helm/main/scripts/get-helm-3 | bash | ||
| else | ||
| echo "Helm is already installed" | ||
| fi | ||
|
|
||
| # Step 2: Create a new working directory for a new horizon project | ||
| echo "Create a new working directory for a new horizon project" | ||
| hzn dev service new -V 1.0.0 -s kubearmor-operator -c cluster | ||
|
|
||
| # Step 3: Making the Operator file | ||
| echo "Making the operator file" | ||
| helm repo add kubearmor https://kubearmor.github.io/charts | ||
| helm repo update kubearmor | ||
| helm template kubearmor/kubearmor-operator -n openhorizon-agent >> kubearmor-operator.yaml | ||
|
|
||
| curl https://raw.githubusercontent.com/kubearmor/KubeArmor/main/deployments/helm/KubeArmorOperator/crds/operator.kubearmor.com_kubearmorconfigs.yaml > kubearmor-crd.yaml | ||
|
|
||
| # Step 4: Compress the .yaml file | ||
| echo "Compressing the .yaml helm file" | ||
| tar -czvf operator.tar.gz kubearmor-operator.yaml | ||
|
|
||
| # Step 5: Configure the KubeArmor operator | ||
| echo "KubeArmor operator config" | ||
| kubectl apply -f https://raw.githubusercontent.com/kubearmor/KubeArmor/main/deployments/helm/KubeArmorOperator/crds/operator.kubearmor.com_kubearmorconfigs.yaml | ||
|
|
||
| # Step 6: Edit the horizon/service.definition.json file to point to the operator's yaml archive created in the previous step | ||
| echo "Editing the horizon/service.definition.json file to point to the operator's yaml archive" | ||
| # Defining the JSON file | ||
| SERVICE_DEF_JSON="horizon/service.definition.json" | ||
| UPDATED_VAL="../operator.tar.gz" | ||
| jq --arg updatedValue "$UPDATED_VAL" '.clusterDeployment.operatorYamlArchive = $updatedValue' "$SERVICE_DEF_JSON" > tmp.json && mv tmp.json "$SERVICE_DEF_JSON" | ||
| echo "Updated operatorYamlArchive to point to: $UPDATED_VAL" | ||
|
|
||
| # Step 7: Publish operator service | ||
| echo "Publishing operator service" | ||
| hzn exchange service publish -f horizon/service.definition.json | ||
|
There was a problem hiding this comment. Think you should use $SERVICE_DEF_JSON env variable on the publish command |
||
|
|
||
| # Step 8: Create a deployment policy file: | ||
| echo "Creating a deployment.policy.json file" | ||
| cat << 'EOF' > horizon/deployment.policy.json | ||
| { | ||
| "label": "$SERVICE_NAME Deployment Policy", | ||
| "description": "A super-simple sample Horizon Deployment Policy", | ||
| "service": { | ||
| "name": "$SERVICE_NAME", | ||
| "org": "$HZN_ORG_ID", | ||
| "arch": "*", | ||
| "serviceVersions": [ | ||
| { | ||
| "version": "$SERVICE_VERSION", | ||
| "priority":{} | ||
| } | ||
| ] | ||
| }, | ||
| "properties": [ | ||
| ], | ||
| "constraints": [ | ||
| "example == kubearmor-operator" | ||
| ], | ||
| "userInput": [ | ||
| ] | ||
| } | ||
| EOF | ||
|
|
||
|
|
||
| # Step 9: Publish your deployment policy | ||
| echo "Publishing your deployment policy" | ||
| hzn exchange deployment addpolicy -f horizon/deployment.policy.json kubearmor-operator | ||
|
|
||
| # Step 10: Create a node.policy.json file | ||
| echo "Creating node policy file" | ||
| cat << 'EOF' > node.policy.json | ||
| { | ||
| "properties": [ | ||
| { "name": "example", "value": "kubearmor-operator" } | ||
| ] | ||
| } | ||
| EOF | ||
|
There was a problem hiding this comment. This is setting the property as a top level property. You should use the new deployment properties instead |
||
|
|
||
| # Step 11: Register your edge cluster with your new node policy | ||
| echo "Registering edge cluster with new node policy" | ||
| hznpod register -u $HZN_EXCHANGE_USER_AUTH | ||
|
There was a problem hiding this comment. What is hznpod ? That needs to be defined somewhere |
||
| cat node.policy.json | hznpod policy update -f- | ||
| hznpod policy list | ||
|
|
||
| # Step 12: Check to see the agreement has been created (this can take approximately 15 seconds) | ||
| echo "Checking for agreement creation" | ||
|
|
||
| #max_attempts=5 | ||
| #attempt=1 | ||
| #agreements="" | ||
|
|
||
| #while [ $attempt -le $max_attempts ]; do | ||
| # echo "Attempt $attempt of $max_attempts..." | ||
| #agreements=$(hznpod agreement list) | ||
| #if [[ -n "$agreements" ]]; then | ||
| # echo "Agreement created successfully" | ||
| #echo "$agreements" > agreements_output.txt | ||
| #break | ||
| #else | ||
| #echo "No agreements found. Waiting for 15 seconds before retrying..." | ||
| #sleep 15 | ||
| #fi | ||
| #attempt=$((attempt + 1)) | ||
| #done | ||
|
|
||
| #if [[ -z "$agreements" ]]; then | ||
| #echo "Failed to create agreement after $max_attempts attempts" >&2 | ||
| #exit 1 | ||
| #fi | ||
|
|
||
| sleep 15 | ||
| hznpod agreement list | ||
|
|
||
| # Step 13: Check if the operator is up in the cluster | ||
| echo "Checking if the operator is up in the cluster" | ||
| kubectl get pods -n openhorizon-agent | ||
|
There was a problem hiding this comment. you should not hard code that the namespace is openhorizon-agent. You should provide a way to provide an environment variable.. Something like |
||
|
|
||
| #pod_status=$(kubectl get pods -n openhorizon-agent) | ||
| #if echo "$pod_status" | grep -q "kubearmor-operator"; then | ||
| #if echo "$pod_status" | grep "kubearmor-operator" | grep -q "Running"; then | ||
| #echo "Kubearmor-operator is running" | ||
| #else | ||
| #echo "Kubearmor-operator is not in Running state" >&2 | ||
| #exit 1 | ||
| #fi | ||
| #else | ||
| #echo "Kubearmor-operator pod not found" >&2 | ||
| #exit 1 | ||
| #fi | ||
|
|
||
| # Step 14: Download the sample configuration file | ||
| echo "Downloading sample configuration file" | ||
| wget https://raw.githubusercontent.com/kubearmor/KubeArmor/main/pkg/KubeArmorOperator/config/samples/sample-config.yml -O sample-config.yml | ||
|
|
||
| echo "KubeArmor has been deployed!" | ||
| echo "Next: Modify the sample configuration file to change the namespace to openhorizon-agent, then apply this policy to deploy all the components of KubeArmor as done by the operator, this sample config can be modified according to the config you want." | ||
Oops, something went wrong.
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
you are assuming the
hznexecutable is installed without checking for it.. I think you check for it and for jq