github/kubernetes
1
0
Fork 0
mirror of https://github.com/k3s-io/kubernetes.git synced 2025-07-27 13:37:30 +00:00
Code Issues Projects Releases Wiki Activity

Merge pull request #13068 from jlowdermilk/no-reuse-auth

Browse Source 
Don't reuse credentials on cluster create
This commit is contained in:
Nikhil Jindal 2015-08-24 15:56:36 -07:00
commit 411d78dac3
12 changed files with 46 additions and 157 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

24
cluster/aws/util.sh
View File

@ -544,24 +544,6 @@ function upload-server-tars() {
SALT_TAR_URL="${s3_url_base}/${AWS_S3_BUCKET}/${salt_tar_path}" SALT_TAR_URL="${s3_url_base}/${AWS_S3_BUCKET}/${salt_tar_path}"
} }
# Ensure that we have a password created for validating to the master. Will
# read from kubeconfig for the current context if available.
#
# Assumed vars
# KUBE_ROOT
#
# Vars set:
# KUBE_USER
# KUBE_PASSWORD
function get-password {
get-kubeconfig-basicauth
if [[ -z "${KUBE_USER}" || -z "${KUBE_PASSWORD}" ]]; then
KUBE_USER=admin
KUBE_PASSWORD=$(python -c 'import string,random; print "".join(random.SystemRandom().choice(string.ascii_letters + string.digits) for _ in range(16))')
fi
}
# Adds a tag to an AWS resource # Adds a tag to an AWS resource
# usage: add-tag <resource-id> <tag-name> <tag-value> # usage: add-tag <resource-id> <tag-name> <tag-value>
function add-tag { function add-tag {
@ -681,7 +663,7 @@ function kube-up {
ensure-iam-profiles ensure-iam-profiles
get-password gen-kube-basicauth
if [[ ! -f "$AWS_SSH_KEY" ]]; then if [[ ! -f "$AWS_SSH_KEY" ]]; then
ssh-keygen -f "$AWS_SSH_KEY" -N '' ssh-keygen -f "$AWS_SSH_KEY" -N ''
@ -1082,6 +1064,8 @@ function kube-up {
done done
done done
# ensures KUBECONFIG is set
get-kubeconfig-basicauth
echo echo
echo -e "${color_green}Kubernetes cluster is running. The master is running at:" echo -e "${color_green}Kubernetes cluster is running. The master is running at:"
echo echo
@ -1241,7 +1225,7 @@ function kube-push {
echo "sudo salt --force-color '*' state.highstate" echo "sudo salt --force-color '*' state.highstate"
) | ssh -oStrictHostKeyChecking=no -i "${AWS_SSH_KEY}" ${SSH_USER}@${KUBE_MASTER_IP} sudo bash ) | ssh -oStrictHostKeyChecking=no -i "${AWS_SSH_KEY}" ${SSH_USER}@${KUBE_MASTER_IP} sudo bash
get-password get-kubeconfig-basicauth
echo echo
echo "Kubernetes cluster is running. The master is running at:" echo "Kubernetes cluster is running. The master is running at:"

20
cluster/azure/util.sh
View File

@ -242,20 +242,6 @@ function detect-master () {
echo "Using master: $KUBE_MASTER (external IP: $KUBE_MASTER_IP)" echo "Using master: $KUBE_MASTER (external IP: $KUBE_MASTER_IP)"
} }
# Ensure that we have a password created for validating to the master. Will
# read from kubeconfig current-context if available.
#
# Vars set:
# KUBE_USER
# KUBE_PASSWORD
function get-password {
get-kubeconfig-basicauth
if [[ -z "${KUBE_USER}" || -z "${KUBE_PASSWORD}" ]]; then
KUBE_USER=admin
KUBE_PASSWORD=$(python -c 'import string,random; print "".join(random.SystemRandom().choice(string.ascii_letters + string.digits) for _ in range(16))')
fi
}
# Instantiate a kubernetes cluster # Instantiate a kubernetes cluster
# #
# Assumed vars # Assumed vars
@ -268,7 +254,7 @@ function kube-up {
ensure-temp-dir ensure-temp-dir
get-password gen-kube-basicauth
python "${KUBE_ROOT}/third_party/htpasswd/htpasswd.py" \ python "${KUBE_ROOT}/third_party/htpasswd/htpasswd.py" \
-b -c "${KUBE_TEMP}/htpasswd" "$KUBE_USER" "$KUBE_PASSWORD" -b -c "${KUBE_TEMP}/htpasswd" "$KUBE_USER" "$KUBE_PASSWORD"
local htpasswd local htpasswd
@ -442,6 +428,8 @@ function kube-up {
done done
done done
# ensures KUBECONFIG is set
get-kubeconfig-basicauth
echo echo
echo "Kubernetes cluster is running. The master is running at:" echo "Kubernetes cluster is running. The master is running at:"
echo echo
@ -486,7 +474,7 @@ function kube-down {
# echo "sudo salt --force-color '*' state.highstate" # echo "sudo salt --force-color '*' state.highstate"
# ) | gcutil ssh --project "$PROJECT" --zone "$ZONE" "$KUBE_MASTER" sudo bash # ) | gcutil ssh --project "$PROJECT" --zone "$ZONE" "$KUBE_MASTER" sudo bash
# get-password # get-kubeconfig-basicauth
# echo # echo
# echo "Kubernetes cluster is running. The master is running at:" # echo "Kubernetes cluster is running. The master is running at:"

18
cluster/common.sh
View File

@ -146,6 +146,16 @@ function get-kubeconfig-basicauth() {
fi fi
} }
# Generate basic auth user and password.
# Vars set:
# KUBE_USER
# KUBE_PASSWORD
function gen-kube-basicauth() {
KUBE_USER=admin
KUBE_PASSWORD=$(python -c 'import string,random; print "".join(random.SystemRandom().choice(string.ascii_letters + string.digits) for _ in range(16))')
}
# Get the bearer token for the current-context in kubeconfig if one exists. # Get the bearer token for the current-context in kubeconfig if one exists.
# Assumed vars: # Assumed vars:
# KUBECONFIG # if unset, defaults to global # KUBECONFIG # if unset, defaults to global
@ -171,6 +181,14 @@ function get-kubeconfig-bearertoken() {
fi fi
} }
# Generate bearer token.
#
# Vars set:
# KUBE_BEARER_TOKEN
function gen-kube-bearertoken() {
KUBE_BEARER_TOKEN=$(dd if=/dev/urandom bs=128 count=1 2>/dev/null | base64 | tr -d "=+/" | dd bs=32 count=1 2>/dev/null)
}
# Get the master IP for the current-context in kubeconfig if one exists. # Get the master IP for the current-context in kubeconfig if one exists.
# #
# Assumed vars: # Assumed vars:

42
cluster/gce/util.sh
View File

@ -304,38 +304,6 @@ function detect-master () {
echo "Using master: $KUBE_MASTER (external IP: $KUBE_MASTER_IP)" echo "Using master: $KUBE_MASTER (external IP: $KUBE_MASTER_IP)"
} }
# Ensure that we have a password created for validating to the master. Will
# read from kubeconfig for the current context if available.
#
# Assumed vars
# KUBE_ROOT
#
# Vars set:
# KUBE_USER
# KUBE_PASSWORD
function get-password {
get-kubeconfig-basicauth
if [[ -z "${KUBE_USER}" || -z "${KUBE_PASSWORD}" ]]; then
KUBE_USER=admin
KUBE_PASSWORD=$(python -c 'import string,random; print "".join(random.SystemRandom().choice(string.ascii_letters + string.digits) for _ in range(16))')
fi
}
# Ensure that we have a bearer token created for validating to the master.
# Will read from kubeconfig for the current context if available.
#
# Assumed vars
# KUBE_ROOT
#
# Vars set:
# KUBE_BEARER_TOKEN
function get-bearer-token() {
get-kubeconfig-bearertoken
if [[ -z "${KUBE_BEARER_TOKEN:-}" ]]; then
KUBE_BEARER_TOKEN=$(dd if=/dev/urandom bs=128 count=1 2>/dev/null | base64 | tr -d "=+/" | dd bs=32 count=1 2>/dev/null)
fi
}
# Wait for background jobs to finish. Exit with # Wait for background jobs to finish. Exit with
# an error status if any of the jobs failed. # an error status if any of the jobs failed.
function wait-for-jobs { function wait-for-jobs {
@ -577,8 +545,8 @@ function kube-up {
ensure-temp-dir ensure-temp-dir
detect-project detect-project
get-password gen-kube-basicauth
get-bearer-token gen-kube-bearertoken
# Make sure we have the tar files staged on Google Storage # Make sure we have the tar files staged on Google Storage
find-release-tars find-release-tars
@ -758,6 +726,8 @@ function kube-up {
create-kubeconfig create-kubeconfig
) )
# ensures KUBECONFIG is set
get-kubeconfig-basicauth
echo echo
echo -e "${color_green}Kubernetes cluster is running. The master is running at:" echo -e "${color_green}Kubernetes cluster is running. The master is running at:"
echo echo
@ -1035,8 +1005,8 @@ function prepare-push() {
detect-project detect-project
detect-master detect-master
detect-minion-names detect-minion-names
get-password get-kubeconfig-basicauth
get-bearer-token get-kubeconfig-bearertoken
# Make sure we have the tar files staged on Google Storage # Make sure we have the tar files staged on Google Storage
tars_from_version tars_from_version

19
cluster/gke/util.sh
View File

@ -189,25 +189,6 @@ function test-setup() {
--network="${NETWORK}" --network="${NETWORK}"
} }
# Ensure that we have a password created for validating to the master.
#
# Assumed vars:
# ZONE
# CLUSTER_NAME
# Vars set:
# KUBE_USER
# KUBE_PASSWORD
function get-password() {
echo "... in gke:get-password()" >&2
detect-project >&2
KUBE_USER=$("${GCLOUD}" "${CMD_GROUP}" container clusters describe \
--project="${PROJECT}" --zone="${ZONE}" "${CLUSTER_NAME}" \
| grep user | cut -f 4 -d ' ')
KUBE_PASSWORD=$("${GCLOUD}" "${CMD_GROUP}" container clusters describe \
--project="${PROJECT}" --zone="${ZONE}" "${CLUSTER_NAME}" \
| grep password | cut -f 4 -d ' ')
}
# Detect the IP for the master. Note that on GKE, we don't know the name of the # Detect the IP for the master. Note that on GKE, we don't know the name of the
# master, so KUBE_MASTER is not set. # master, so KUBE_MASTER is not set.
# #

4
cluster/juju/util.sh
View File

@ -41,10 +41,6 @@ function build-local() {
cp -v $OUTPUT_DIR/* cluster/juju/charms/trusty/kubernetes-master/files/output cp -v $OUTPUT_DIR/* cluster/juju/charms/trusty/kubernetes-master/files/output
} }
function get-password() {
echo "TODO: Assign username/password security"
}
function kube-up() { function kube-up() {
build-local build-local
if [[ -d "~/.juju/current-env" ]]; then if [[ -d "~/.juju/current-env" ]]; then

5
cluster/kube-util.sh
View File

@ -91,11 +91,6 @@ function test-teardown {
echo "TODO: test-teardown" 1>&2 echo "TODO: test-teardown" 1>&2
} }
# Set the {KUBE_USER} and {KUBE_PASSWORD} environment values required to interact with provider
function get-password {
echo "TODO: get-password" 1>&2
}
# Providers util.sh scripts should define functions that override the above default functions impls # Providers util.sh scripts should define functions that override the above default functions impls
if [ -n "${KUBERNETES_PROVIDER}" ]; then if [ -n "${KUBERNETES_PROVIDER}" ]; then
PROVIDER_UTILS="${KUBE_ROOT}/cluster/${KUBERNETES_PROVIDER}/util.sh" PROVIDER_UTILS="${KUBE_ROOT}/cluster/${KUBERNETES_PROVIDER}/util.sh"

2
cluster/libvirt-coreos/util.sh
View File

@ -183,7 +183,7 @@ function wait-cluster-readiness {
function kube-up { function kube-up {
detect-master detect-master
detect-minions detect-minions
get-kubeconfig-bearertoken gen-kube-bearertoken
initialize-pool keep_base_image initialize-pool keep_base_image
initialize-network initialize-network

18
cluster/rackspace/util.sh
View File

@ -51,20 +51,6 @@ verify-prereqs() {
fi fi
} }
# Ensure that we have a password created for validating to the master. Will
# read from kubeconfig current-context if available.
#
# Vars set:
# KUBE_USER
# KUBE_PASSWORD
get-password() {
get-kubeconfig-basicauth
if [[ -z "${KUBE_USER}" || -z "${KUBE_PASSWORD}" ]]; then
KUBE_USER=admin
KUBE_PASSWORD=$(python2.7 -c 'import string,random; print "".join(random.SystemRandom().choice(string.ascii_letters + string.digits) for _ in range(16))')
fi
}
rax-ssh-key() { rax-ssh-key() {
if [ ! -f $HOME/.ssh/${SSH_KEY_NAME} ]; then if [ ! -f $HOME/.ssh/${SSH_KEY_NAME} ]; then
echo "cluster/rackspace/util.sh: Generating SSH KEY ${HOME}/.ssh/${SSH_KEY_NAME}" echo "cluster/rackspace/util.sh: Generating SSH KEY ${HOME}/.ssh/${SSH_KEY_NAME}"
@ -301,7 +287,7 @@ kube-up() {
KUBE_TEMP=$(mktemp -d -t kubernetes.XXXXXX) KUBE_TEMP=$(mktemp -d -t kubernetes.XXXXXX)
trap "rm -rf ${KUBE_TEMP}" EXIT trap "rm -rf ${KUBE_TEMP}" EXIT
get-password gen-kube-basicauth
python2.7 $(dirname $0)/../third_party/htpasswd/htpasswd.py -b -c ${KUBE_TEMP}/htpasswd $KUBE_USER $KUBE_PASSWORD python2.7 $(dirname $0)/../third_party/htpasswd/htpasswd.py -b -c ${KUBE_TEMP}/htpasswd $KUBE_USER $KUBE_PASSWORD
HTPASSWD=$(cat ${KUBE_TEMP}/htpasswd) HTPASSWD=$(cat ${KUBE_TEMP}/htpasswd)
@ -365,6 +351,8 @@ kube-up() {
detect-minions detect-minions
# ensures KUBECONFIG is set
get-kubeconfig-basicauth
echo "All minions may not be online yet, this is okay." echo "All minions may not be online yet, this is okay."
echo echo
echo "Kubernetes cluster is running. The master is running at:" echo "Kubernetes cluster is running. The master is running at:"

16
cluster/ubuntu/util.sh
View File

@ -260,20 +260,6 @@ FLANNEL_OPTS=""
EOF EOF
} }
# Ensure that we have a password created for validating to the master. Will
# read from ${KUBECONFIG:-$DEFAULT_KUBECONFIG} if available.
#
# Vars set:
# KUBE_USER
# KUBE_PASSWORD
function get-password {
get-kubeconfig-basicauth
if [[ -z "${KUBE_USER}" || -z "${KUBE_PASSWORD}" ]]; then
KUBE_USER=admin
KUBE_PASSWORD=$(python -c 'import string,random; print "".join(random.SystemRandom().choice(string.ascii_letters + string.digits) for _ in range(16))')
fi
}
# Detect the IP for the master # Detect the IP for the master
# #
# Assumed vars: # Assumed vars:
@ -360,7 +346,7 @@ function kube-up() {
source "${KUBE_ROOT}/cluster/common.sh" source "${KUBE_ROOT}/cluster/common.sh"
# set kubernetes user and password # set kubernetes user and password
get-password gen-kube-basicauth
create-kubeconfig create-kubeconfig
} }

15
cluster/vagrant/util.sh
View File

@ -253,19 +253,21 @@ function verify-cluster {
} }
( (
# ensures KUBECONFIG is set
get-kubeconfig-basicauth
echo echo
echo "Kubernetes cluster is running. The master is running at:" echo "Kubernetes cluster is running. The master is running at:"
echo echo
echo " https://${MASTER_IP}" echo " https://${MASTER_IP}"
echo echo
echo "The user name and password to use is located in ~/.kubernetes_vagrant_auth." echo "The user name and password to use is located in ${KUBECONIG}"
echo echo
) )
} }
# Instantiate a kubernetes cluster # Instantiate a kubernetes cluster
function kube-up { function kube-up {
get-password gen-kube-basicauth
get-tokens get-tokens
create-provision-scripts create-provision-scripts
@ -295,7 +297,7 @@ function kube-down {
# Update a kubernetes cluster with latest source # Update a kubernetes cluster with latest source
function kube-push { function kube-push {
get-password get-kubeconfig-basicauth
create-provision-scripts create-provision-scripts
vagrant provision vagrant provision
} }
@ -316,13 +318,6 @@ function test-teardown {
kube-down kube-down
} }
# Set the {user} and {password} environment values required to interact with provider
function get-password {
export KUBE_USER=vagrant
export KUBE_PASSWORD=vagrant
echo "Using credentials: $KUBE_USER:$KUBE_PASSWORD" 1>&2
}
# Find the minion name based on the IP address # Find the minion name based on the IP address
function find-vagrant-name-by-ip { function find-vagrant-name-by-ip {
local ip="$1" local ip="$1"

20
cluster/vsphere/util.sh
View File

@ -169,20 +169,6 @@ function upload-server-tars {
done done
} }
# Ensure that we have a password created for validating to the master. Will
# read from kubeconfig if available.
#
# Vars set:
# KUBE_USER
# KUBE_PASSWORD
function get-password {
get-kubeconfig-basicauth
if [[ -z "${KUBE_USER}" || -z "${KUBE_PASSWORD}" ]]; then
KUBE_USER=admin
KUBE_PASSWORD=$(python -c 'import string,random; print "".join(random.SystemRandom().choice(string.ascii_letters + string.digits) for _ in range(16))')
fi
}
# Run command over ssh # Run command over ssh
function kube-ssh { function kube-ssh {
local host="$1" local host="$1"
@ -264,7 +250,7 @@ function kube-up {
ensure-temp-dir ensure-temp-dir
get-password gen-kube-basicauth
python "${KUBE_ROOT}/third_party/htpasswd/htpasswd.py" \ python "${KUBE_ROOT}/third_party/htpasswd/htpasswd.py" \
-b -c "${KUBE_TEMP}/htpasswd" "$KUBE_USER" "$KUBE_PASSWORD" -b -c "${KUBE_TEMP}/htpasswd" "$KUBE_USER" "$KUBE_PASSWORD"
local htpasswd local htpasswd
@ -395,6 +381,8 @@ function kube-up {
} }
done done
# ensures KUBECONFIG is set
get-kubeconfig-basicauth
echo echo
echo "Kubernetes cluster is running. The master is running at:" echo "Kubernetes cluster is running. The master is running at:"
echo echo
@ -434,7 +422,7 @@ function kube-push {
echo "sudo salt --force-color '*' state.highstate" echo "sudo salt --force-color '*' state.highstate"
) | kube-ssh "${KUBE_MASTER_IP}" ) | kube-ssh "${KUBE_MASTER_IP}"
get-password get-kubeconfig-basicauth
echo echo
echo "Kubernetes cluster is running. The master is running at:" echo "Kubernetes cluster is running. The master is running at:"