The maintain-kubeusers script is the mechanism we currently use to create, populate and maintain the Toolforge tool accounts in Kubernetes.
Some of the things the script currently does when it finds a new tool:
- fetches the tool information from LDAP
- creates the tool's home directory on NFS
- generates a bearer token for the tool to authenticate with
- generates the ABAC policy entry that restricts the tool to its namespace
- creates a k8s namespace per tool
- writes a kubeconfig file per tool containing that token and places it in the home directory
- restarts the kube-apiserver service so that it reads the new ABAC policy (the policy file is only read at startup)
In the new k8s we are trying to move away from ABAC/token and use RBAC/x509 instead, so this script will require some updates to handle the new situation. Note that RBAC Roles and RoleBindings are ordinary API objects and client certificates are checked against the apiserver's client CA, so the per-tool apiserver restart in the list above goes away; what remains is issuing a certificate whose CN is the tool's Kubernetes user name and binding that user to a namespace-scoped Role.
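As an added example (this is not the maintain-kubeusers code, just an illustration of the model described above), the following puts the legacy ABAC policy line next to the RBAC objects and x509 kubeconfig an updated script would produce for one tool, and adds the least-privilege check a reviewer would want on the generated Role. The naming is assumed, not taken from the page: the Kubernetes user for a tool is `tools.<name>` (the certificate CN), the namespace is the bare tool name, the Role is called `tool-editor`, and `TOOL_RULES` is a hypothetical list of the namespaced resources a tool needs. The Kubernetes object formats (ABAC `Policy`, `Role`, `RoleBinding`, kubeconfig `Config`) are the real ones; the certificate material passed to `kubeconfig()` is left to whatever CA the cluster uses.

```python
"""Illustrative per-tool ABAC vs RBAC/x509 objects. Added example, not the
maintain-kubeusers script. Naming (tools.<name>, namespace = tool name,
Role "tool-editor") and TOOL_RULES are assumptions for the example."""
import json

# Assumed minimal set of namespaced resources a tool needs; no wildcards.
_CRUD = ["get", "list", "watch", "create", "update", "patch", "delete"]
TOOL_RULES = [
    {"apiGroups": [""], "verbs": _CRUD,
     "resources": ["pods", "pods/log", "services", "configmaps", "secrets"]},
    {"apiGroups": ["apps"], "verbs": _CRUD,
     "resources": ["deployments", "replicasets"]},
    {"apiGroups": ["batch"], "verbs": _CRUD,
     "resources": ["jobs", "cronjobs"]},
]


def tool_user(tool):
    """Assumed Kubernetes user name for a tool; becomes the x509 CN."""
    return f"tools.{tool}"


def tool_namespace(tool):
    """Assumed namespace naming: the bare tool name."""
    return tool


def abac_policy_line(tool):
    """Legacy model: one JSON line appended to the apiserver's ABAC policy
    file. The file is read at startup only (hence the restart), and
    resource "*" / apiGroup "*" means every resource type in the namespace."""
    return json.dumps({
        "apiVersion": "abac.authorization.kubernetes.io/v1beta1",
        "kind": "Policy",
        "spec": {"user": tool_user(tool), "namespace": tool_namespace(tool),
                 "resource": "*", "apiGroup": "*"},
    })


def rbac_manifests(tool):
    """RBAC model: Namespace + namespaced Role + RoleBinding to the User whose
    name matches the certificate CN. These are API objects, so applying them
    takes effect immediately with no apiserver restart."""
    ns = tool_namespace(tool)
    rbac = "rbac.authorization.k8s.io"
    return [
        {"apiVersion": "v1", "kind": "Namespace", "metadata": {"name": ns}},
        {"apiVersion": f"{rbac}/v1", "kind": "Role",
         "metadata": {"name": "tool-editor", "namespace": ns},
         "rules": TOOL_RULES},
        {"apiVersion": f"{rbac}/v1", "kind": "RoleBinding",
         "metadata": {"name": "tool-editor", "namespace": ns},
         "subjects": [{"kind": "User", "name": tool_user(tool), "apiGroup": rbac}],
         "roleRef": {"kind": "Role", "name": "tool-editor", "apiGroup": rbac}},
    ]


def kubeconfig(tool, server, ca_b64, cert_b64, key_b64):
    """x509 kubeconfig to drop in the tool's home, replacing the token entry.
    The apiserver derives the user from the cert CN (and groups from O), so
    the User in the RoleBinding above must equal that CN."""
    user, ctx = tool_user(tool), f"toolforge-{tool}"
    return {
        "apiVersion": "v1", "kind": "Config",
        "clusters": [{"name": "toolforge", "cluster": {
            "server": server, "certificate-authority-data": ca_b64}}],
        "users": [{"name": user, "user": {
            "client-certificate-data": cert_b64, "client-key-data": key_b64}}],
        "contexts": [{"name": ctx, "context": {
            "cluster": "toolforge", "user": user, "namespace": tool_namespace(tool)}}],
        "current-context": ctx,
    }


def check_least_privilege(manifests):
    """Return a list of findings for anything that widens a tool's access:
    cluster-scoped RBAC objects, wildcard rules, or a binding to a ClusterRole."""
    findings = []
    for obj in manifests:
        kind, name = obj["kind"], obj["metadata"]["name"]
        if kind in ("ClusterRole", "ClusterRoleBinding"):
            findings.append(f"{kind}/{name}: cluster-scoped object for a tool")
        if kind == "Role":
            for rule in obj.get("rules", []):
                for field in ("apiGroups", "resources", "verbs"):
                    if "*" in rule.get(field, []):
                        findings.append(f"Role/{name}: wildcard in {field}")
        if kind == "RoleBinding" and obj["roleRef"]["kind"] != "Role":
            findings.append(f"RoleBinding/{name}: binds a {obj['roleRef']['kind']}")
    return findings


if __name__ == "__main__":
    print(abac_policy_line("example-tool"))
    for m in rbac_manifests("example-tool"):
        print(json.dumps(m))
    print(check_least_privilege(rbac_manifests("example-tool")))
```

Everything `rbac_manifests()` returns is namespaced and carries no wildcard, so `check_least_privilege()` returns an empty list for it; the same function flags a Role that reintroduces the ABAC-style `resource: "*"`, which is the regression to watch for when the script is ported.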
Also, the script currently runs on the master nodes. We could probably try something nicer, like running it inside k8s itself (a static pod defined by means of puppet?).