From 0acf8f9a00b3acd91122709b79b3e4f5f6d971f5 Mon Sep 17 00:00:00 2001
From: Max Forbes
Date: Fri, 8 May 2015 15:47:49 -0700
Subject: [PATCH 1/2] Refactor GCE kube-env for both OSes.
---
 cluster/gce/coreos/helper.sh | 3 ---
 cluster/gce/coreos/node.yaml | 2 +-
 cluster/gce/debian/helper.sh | 13 +++++++++----
 3 files changed, 10 insertions(+), 8 deletions(-)
diff --git a/cluster/gce/coreos/helper.sh b/cluster/gce/coreos/helper.sh
index 6e289eac21c..bf3c373402c 100644
--- a/cluster/gce/coreos/helper.sh
+++ b/cluster/gce/coreos/helper.sh
@@ -69,9 +69,6 @@ ENABLE_CLUSTER_DNS=$(yaml-quote ${ENABLE_CLUSTER_DNS:-false})
 DNS_REPLICAS=$(yaml-quote ${DNS_REPLICAS:-})
 DNS_SERVER_IP=$(yaml-quote ${DNS_SERVER_IP:-})
 DNS_DOMAIN=$(yaml-quote ${DNS_DOMAIN:-})
-KUBE_USER=$(yaml-quote ${KUBE_USER})
-KUBE_PASSWORD=$(yaml-quote ${KUBE_PASSWORD})
-KUBE_BEARER_TOKEN=$(yaml-quote ${KUBE_BEARER_TOKEN})
 KUBELET_TOKEN=$(yaml-quote ${KUBELET_TOKEN:-})
 KUBE_PROXY_TOKEN=$(yaml-quote ${KUBE_PROXY_TOKEN:-})
 ADMISSION_CONTROL=$(yaml-quote ${ADMISSION_CONTROL:-})
diff --git a/cluster/gce/coreos/node.yaml b/cluster/gce/coreos/node.yaml
index 884074fa14a..97daf77fa6c 100644
--- a/cluster/gce/coreos/node.yaml
+++ b/cluster/gce/coreos/node.yaml
@@ -17,7 +17,7 @@ write_files:
 source /etc/kube-env
 /usr/bin/mkdir -p /var/lib/kubelet
- /bin/echo {\"BearerToken\": \"${KUBE_BEARER_TOKEN}\", \"Insecure\": true } > /var/lib/kubelet/kubernetes_auth
+ /bin/echo {\"BearerToken\": \"${KUBELET_TOKEN}\", \"Insecure\": true } > /var/lib/kubelet/kubernetes_auth
 - path: /run/config-kube-proxy.sh
 permissions: "0755"
 content: |
diff --git a/cluster/gce/debian/helper.sh b/cluster/gce/debian/helper.sh
index e0ccee796ae..17367328532 100644
--- a/cluster/gce/debian/helper.sh
+++ b/cluster/gce/debian/helper.sh
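Review bot: The rewritten kubernetes_auth line in cluster/gce/coreos/node.yaml still redirects the bearer token into /var/lib/kubelet/kubernetes_auth under whatever umask the node boots with, so the file holding KUBELET_TOKEN can end up group- or world-readable; the Debian path in configure-vm.sh wraps the equivalent write in a subshell with `umask 077`. Consider `(umask 077; /bin/echo {\"BearerToken\": \"${KUBELET_TOKEN}\", \"Insecure\": true } > /var/lib/kubelet/kubernetes_auth)` so both OS images create the file with the same owner-only permissions. The token is also expanded unquoted inside the JSON, which only works while it contains no double quote or shell metacharacter; writing it through `printf '%s'` with the expansion quoted would be more robust. The shell script in this write_files entry starts and ends outside the hunk.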
@@ -41,16 +41,21 @@ ENABLE_CLUSTER_DNS: $(yaml-quote ${ENABLE_CLUSTER_DNS:-false}) DNS_REPLICAS: $(yaml-quote ${DNS_REPLICAS:-}) DNS_SERVER_IP: $(yaml-quote ${DNS_SERVER_IP:-}) DNS_DOMAIN: $(yaml-quote ${DNS_DOMAIN:-}) -KUBE_USER: $(yaml-quote ${KUBE_USER}) -KUBE_PASSWORD: $(yaml-quote ${KUBE_PASSWORD}) -KUBE_BEARER_TOKEN: $(yaml-quote ${KUBE_BEARER_TOKEN}) KUBELET_TOKEN: $(yaml-quote ${KUBELET_TOKEN:-}) KUBE_PROXY_TOKEN: $(yaml-quote ${KUBE_PROXY_TOKEN:-}) ADMISSION_CONTROL: $(yaml-quote ${ADMISSION_CONTROL:-}) MASTER_IP_RANGE: $(yaml-quote ${MASTER_IP_RANGE}) EOF - if [[ "${master}" != "true" ]]; then + if [[ "${master}" == "true" ]]; then + # Master-only env vars. + cat >>$file <>$file < Date: Fri, 8 May 2015 16:30:20 -0700 Subject: [PATCH 2/2] Master vs node salt auth refactor in configure-vm.sh --- cluster/gce/configure-vm.sh | 41 +++++++++++++++++++++++-------------- 1 file changed, 26 insertions(+), 15 deletions(-) diff --git a/cluster/gce/configure-vm.sh b/cluster/gce/configure-vm.sh index 3d8b3ae2183..9fdb9c1e4d5 100644 --- a/cluster/gce/configure-vm.sh +++ b/cluster/gce/configure-vm.sh @@ -260,7 +260,7 @@ EOF # on upgrade, this file exists on the master-pd and should never # be touched again (except perhaps an additional service account, # see NB below.) -function create-salt-auth() { +function create-salt-master-auth() { if [ ! -e "${BASIC_AUTH_FILE}" ]; then mkdir -p /srv/salt-overlay/salt/kube-apiserver (umask 077; 
@@ -273,13 +273,31 @@ function create-salt-auth() { echo "${KUBELET_TOKEN},kubelet,kubelet" >> "${KNOWN_TOKENS_FILE}"; echo "${KUBE_PROXY_TOKEN},kube_proxy,kube_proxy" >> "${KNOWN_TOKENS_FILE}") + # Generate tokens for other "service accounts". Append to known_tokens. + # + # NB: If this list ever changes, this script actually has to + # change to detect the existence of this file, kill any deleted + # old tokens and add any new tokens (to handle the upgrade case). + local -r service_accounts=("system:scheduler" "system:controller_manager" "system:logging" "system:monitoring" "system:dns") + for account in "${service_accounts[@]}"; do + token=$(dd if=/dev/urandom bs=128 count=1 2>/dev/null | base64 | tr -d "=+/" | dd bs=32 count=1 2>/dev/null) + echo "${token},${account},${account}" >> "${KNOWN_TOKENS_FILE}" + done + fi +} + +function create-salt-node-auth() { + kubelet_auth_file="/srv/salt-overlay/salt/kubelet/kubernetes_auth" + if [ ! -e "${kubelet_auth_file}" ]; then mkdir -p /srv/salt-overlay/salt/kubelet - kubelet_auth_file="/srv/salt-overlay/salt/kubelet/kubernetes_auth" (umask 077; echo "{\"BearerToken\": \"${KUBELET_TOKEN}\", \"Insecure\": true }" > "${kubelet_auth_file}") + fi + kube_proxy_kubeconfig_file="/srv/salt-overlay/salt/kube-proxy/kubeconfig" + if [ ! -e "${kube_proxy_kubeconfig_file}" ]; then mkdir -p /srv/salt-overlay/salt/kube-proxy - kube_proxy_kubeconfig_file="/srv/salt-overlay/salt/kube-proxy/kubeconfig" + # Make a kubeconfig file with the token. # TODO(etune): put apiserver certs into secret too, and reference from authfile, # so that "Insecure" is not needed. 
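Review bot: The new create-salt-node-auth writes whatever KUBELET_TOKEN holds into kubernetes_auth without checking that it is non-empty, while the kube-env producers changed in patch 1 emit it as `${KUBELET_TOKEN:-}`; an empty token would be persisted and, because of the `! -e` guard, never regenerated on a later run. Adding `: "${KUBELET_TOKEN:?KUBELET_TOKEN must be set}"` at the top of the function fails fast instead, and the same check presumably applies to KUBE_PROXY_TOKEN if the kubeconfig written further down uses it (that part is outside the hunk). The path variables `kubelet_auth_file` and `kube_proxy_kubeconfig_file`, like `token` in the master loop, are assigned as globals even though `service_accounts` is `local -r`; `local kubelet_auth_file="/srv/salt-overlay/salt/kubelet/kubernetes_auth"` keeps the two functions consistent and avoids leaking state into the caller. Both create-salt-master-auth and create-salt-node-auth continue past the end of this hunk.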
@@ -303,17 +321,6 @@ contexts:
 current-context: service-account-context
 EOF
 )
-
- # Generate tokens for other "service accounts". Append to known_tokens.
- #
- # NB: If this list ever changes, this script actually has to
- # change to detect the existence of this file, kill any deleted
- # old tokens and add any new tokens (to handle the upgrade case).
- local -r service_accounts=("system:scheduler" "system:controller_manager" "system:logging" "system:monitoring" "system:dns")
- for account in "${service_accounts[@]}"; do
- token=$(dd if=/dev/urandom bs=128 count=1 2>/dev/null | base64 | tr -d "=+/" | dd bs=32 count=1 2>/dev/null)
- echo "${token},${account},${account}" >> "${KNOWN_TOKENS_FILE}"
- done
 fi
 }
@@ -453,7 +460,11 @@ if [[ -z "${is_push}" ]]; then
 set-kube-env
 [[ "${KUBERNETES_MASTER}" == "true" ]] && mount-master-pd
 create-salt-pillar
- create-salt-auth
+ if [[ "${KUBERNETES_MASTER}" == "true" ]]; then
+ create-salt-master-auth
+ else
+ create-salt-node-auth
+ fi
 download-release
 configure-salt
 remove-docker-artifacts