Feature Request: Workload Runtime Security - installation wrapper script draft - Issue-#4115 #4148
base: master
Changes from all commits
060b05f
c80d53e
57249f5
3f115eb
6c7f9d5
75f31b9
0be04c7
ad9cedb
4ec0bf3
267467c
9e46d9a
606d26c
ec7d3bc
00a57eb
a3dd1d1
8469456
df5cac2
c8361a8
4ee79b2
7eccde6
@@ -0,0 +1,148 @@ | ||
#!/bin/bash | ||
|
||
# Installs the kube armor operator on the Open Horizon cluster agent | ||
|
||
set -e #future: remove? | ||
|
||
echo "Starting KubeArmor installation..." | ||
|
||
# Step 1: Install Helm (if not already installed) | ||
if ! command -v helm &> /dev/null; then | ||
echo "Helm not found, installing Helm..." | ||
curl https://raw.githubusercontent.com/helm/helm/main/scripts/get-helm-3 | bash | ||
else | ||
echo "Helm is already installed" | ||
fi | ||
|
||
# Step 2: Create a new working directory for a new horizon project | ||
echo "Create a new working directory for a new horizon project" | ||
hzn dev service new -V 1.0.0 -s kubearmor-operator -c cluster | ||
|
||
# Step 3: Making the Operator file | ||
echo "Making the operator file" | ||
helm repo add kubearmor https://kubearmor.github.io/charts | ||
helm repo update kubearmor | ||
helm template kubearmor/kubearmor-operator -n openhorizon-agent >> kubearmor-operator.yaml | ||
|
||
curl https://raw.githubusercontent.com/kubearmor/KubeArmor/main/deployments/helm/KubeArmorOperator/crds/operator.kubearmor.com_kubearmorconfigs.yaml > kubearmor-crd.yaml | ||
|
||
# Step 4: Compress the .yaml file | ||
echo "Compressing the .yaml helm file" | ||
tar -czvf operator.tar.gz kubearmor-operator.yaml | ||
|
||
# Step 5: Configure the KubeArmor operator | ||
echo "KubeArmor operator config" | ||
kubectl apply -f https://raw.githubusercontent.com/kubearmor/KubeArmor/main/deployments/helm/KubeArmorOperator/crds/operator.kubearmor.com_kubearmorconfigs.yaml | ||
|
||
# Step 6: Edit the horizon/service.definition.json file to point to the operator's yaml archive created in the previous step | ||
echo "Editing the horizon/service.definition.json file to point to the operator's yaml archive" | ||
# Defining the JSON file | ||
SERVICE_DEF_JSON="horizon/service.definition.json" | ||
UPDATED_VAL="../operator.tar.gz" | ||
jq --arg updatedValue "$UPDATED_VAL" '.clusterDeployment.operatorYamlArchive = $updatedValue' "$SERVICE_DEF_JSON" > tmp.json && mv tmp.json "$SERVICE_DEF_JSON" | ||
echo "Updated operatorYamlArchive to point to: $UPDATED_VAL" | ||
|
||
# Step 7: Publish operator service | ||
echo "Publishing operator service" | ||
hzn exchange service publish -f horizon/service.definition.json | ||
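Review bot: the Helm bootstrap at `curl https://raw.githubusercontent.com/helm/helm/main/scripts/get-helm-3 | bash` runs an unpinned remote script with no chance to inspect it, and because curl is invoked without `-f` a non-200 response body would also be piped into bash and, since `set -e` does not cover the left side of a pipeline, would not stop the script. Download to a temporary file first, reference a tagged Helm release rather than `main`, and replace `set -e #future: remove?` with `set -euo pipefail` so that a failing download or an unset variable aborts the run instead of being silently ignored. Two smaller points in the same region: `helm template ... >> kubearmor-operator.yaml` appends, so a second run produces a doubled manifest that step 4 then packages (use `>`), and `kubearmor-crd.yaml` is fetched with a bare `curl` in step 3 but never used, while step 5 applies the same URL directly; either apply the downloaded copy (fetched with `curl -fsSL`) or drop the download.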
Reviewer comment: Think you should use $SERVICE_DEF_JSON env variable on the publish command
||
|
||
# Step 8: Create a deployment policy file: | ||
echo "Creating a deployment.policy.json file" | ||
cat << 'EOF' > horizon/deployment.policy.json | ||
{ | ||
"label": "$SERVICE_NAME Deployment Policy", | ||
"description": "A super-simple sample Horizon Deployment Policy", | ||
"service": { | ||
"name": "$SERVICE_NAME", | ||
"org": "$HZN_ORG_ID", | ||
"arch": "*", | ||
"serviceVersions": [ | ||
{ | ||
"version": "$SERVICE_VERSION", | ||
"priority":{} | ||
} | ||
] | ||
}, | ||
"properties": [ | ||
], | ||
"constraints": [ | ||
"example == kubearmor-operator" | ||
], | ||
"userInput": [ | ||
] | ||
} | ||
EOF | ||
|
||
|
||
# Step 9: Publish your deployment policy | ||
echo "Publishing your deployment policy" | ||
hzn exchange deployment addpolicy -f horizon/deployment.policy.json kubearmor-operator | ||
|
||
# Step 10: Create a node.policy.json file | ||
echo "Creating node policy file" | ||
cat << 'EOF' > node.policy.json | ||
{ | ||
"properties": [ | ||
{ "name": "example", "value": "kubearmor-operator" } | ||
] | ||
} | ||
EOF | ||
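Review bot: the heredoc at `cat << 'EOF' > horizon/deployment.policy.json` uses a quoted delimiter, so `$SERVICE_NAME`, `$HZN_ORG_ID` and `$SERVICE_VERSION` are written literally into the file and are only resolved if `hzn exchange deployment addpolicy` substitutes them from the environment at publish time; the script never sets or checks those variables (step 2 passes the name and version as `-s kubearmor-operator -V 1.0.0` on the command line instead). Either export SERVICE_NAME and SERVICE_VERSION from the same values used in step 2 and fail early with a clear message when HZN_ORG_ID is unset, or write the concrete values into the file with an unquoted heredoc. The policy name `kubearmor-operator` given to step 9 and the service name given to step 2 should also come from one variable so the two cannot drift apart.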
Reviewer comment: This is setting the property as a top level property. You should use the new deployment properties instead
||
|
||
# Step 11: Register your edge cluster with your new node policy | ||
echo "Registering edge cluster with new node policy" | ||
hznpod register -u $HZN_EXCHANGE_USER_AUTH | ||
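Review bot: `hznpod register -u $HZN_EXCHANGE_USER_AUTH` hands the exchange credential over as a command-line argument, where it is visible in process listings and shell history on the host running the script, and the unquoted expansion would be word-split if the value contains whitespace or, if the variable is unset, would leave `-u` with no argument. The hzn CLI already reads HZN_EXCHANGE_USER_AUTH from the environment, so if hznpod wraps it, drop `-u` and instead check up front that the variable is set (for example `: "${HZN_EXCHANGE_USER_AUTH:?must be set}"`), which also gives the script a single place to validate its prerequisites.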
Reviewer comment: What is hznpod? That needs to be defined somewhere
||
cat node.policy.json | hznpod policy update -f- | ||
hznpod policy list | ||
|
||
# Step 12: Check to see the agreement has been created (this can take approximately 15 seconds) | ||
echo "Checking for agreement creation" | ||
|
||
#max_attempts=5 | ||
#attempt=1 | ||
#agreements="" | ||
|
||
#while [ $attempt -le $max_attempts ]; do | ||
# echo "Attempt $attempt of $max_attempts..." | ||
#agreements=$(hznpod agreement list) | ||
#if [[ -n "$agreements" ]]; then | ||
# echo "Agreement created successfully" | ||
#echo "$agreements" > agreements_output.txt | ||
#break | ||
#else | ||
#echo "No agreements found. Waiting for 15 seconds before retrying..." | ||
#sleep 15 | ||
#fi | ||
#attempt=$((attempt + 1)) | ||
#done | ||
|
||
#if [[ -z "$agreements" ]]; then | ||
#echo "Failed to create agreement after $max_attempts attempts" >&2 | ||
#exit 1 | ||
#fi | ||
|
||
sleep 15 | ||
hznpod agreement list | ||
|
||
# Step 13: Check if the operator is up in the cluster | ||
echo "Checking if the operator is up in the cluster" | ||
kubectl get pods -n openhorizon-agent | ||
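Review bot: step 12 now does a blind `sleep 15` followed by `hznpod agreement list`, so the script cannot tell whether an agreement was actually formed, and with `set -e` it proceeds to step 13 regardless; the commented-out retry loop above it is the right shape and should be restored rather than deleted, with the `[[ -n "$agreements" ]]` test tightened if the command prints an empty JSON array `[]` rather than nothing when no agreement exists, and the `exit 1` on timeout kept so a failed deployment is reported as a failure. The same applies to `kubectl get pods -n openhorizon-agent` in step 13, which only prints pod state without asserting on it.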
Reviewer comment: You should not hard-code that the namespace is openhorizon-agent. You should provide a way to provide an environment variable. Something like
||
|
||
#pod_status=$(kubectl get pods -n openhorizon-agent) | ||
#if echo "$pod_status" | grep -q "kubearmor-operator"; then | ||
#if echo "$pod_status" | grep "kubearmor-operator" | grep -q "Running"; then | ||
#echo "Kubearmor-operator is running" | ||
#else | ||
#echo "Kubearmor-operator is not in Running state" >&2 | ||
#exit 1 | ||
#fi | ||
#else | ||
#echo "Kubearmor-operator pod not found" >&2 | ||
#exit 1 | ||
#fi | ||
|
||
# Step 14: Download the sample configuration file | ||
echo "Downloading sample configuration file" | ||
wget https://raw.githubusercontent.com/kubearmor/KubeArmor/main/pkg/KubeArmorOperator/config/samples/sample-config.yml -O sample-config.yml | ||
|
||
echo "KubeArmor has been deployed!" | ||
echo "Next: Modify the sample configuration file to change the namespace to openhorizon-agent, then apply this policy to deploy all the components of KubeArmor as done by the operator, this sample config can be modified according to the config you want." |
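Review bot: `echo "KubeArmor has been deployed!"` at the end reports success without any verified state, because the pod check in step 13 is commented out and step 14's download of the sample config is not a deployment step; restore the commented block (it already distinguishes "pod not found" from "not in Running state" and exits 1) so the script's exit code reflects what actually happened, and parameterise the namespace there as well. Step 14 also switches from `curl` to `wget`, introducing a second tool dependency that a prerequisite check would have to cover; `curl -fsSL -o sample-config.yml` keeps one dependency. The closing message asks the user to hand-edit the namespace in the sample; since the script knows the target namespace, it could apply that edit itself rather than leaving a manual step that is easy to skip.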
Reviewer comment: You are assuming the hzn executable is installed without checking for it. I think you should check for it and for jq