github/kubernetes
1
0
Fork 0
mirror of https://github.com/k3s-io/kubernetes.git synced 2025-08-16 23:29:21 +00:00
Code Issues Projects Releases Wiki Activity

Fixes: 1. Get certs for a dead leader. 2. Append tokens.

Browse Source
This commit is contained in:
Konstantinos Tsakalozos 2017-03-24 12:46:55 +02:00
parent a845e3e936
commit 533d4bfd54
1 changed files with 39 additions and 25 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

64
cluster/juju/layers/kubernetes-master/reactive/kubernetes_master.py
View File

@ -158,18 +158,28 @@ def setup_leader_authentication():
api_opts.add('--token-auth-file', known_tokens) api_opts.add('--token-auth-file', known_tokens)
api_opts.add('--service-cluster-ip-range', service_cidr()) api_opts.add('--service-cluster-ip-range', service_cidr())
hookenv.status_set('maintenance', 'Rendering authentication templates.') hookenv.status_set('maintenance', 'Rendering authentication templates.')
if not os.path.isfile(basic_auth):
setup_basic_auth('admin', 'admin', 'admin')
if not os.path.isfile(known_tokens):
setup_tokens(None, 'admin', 'admin')
setup_tokens(None, 'kubelet', 'kubelet')
setup_tokens(None, 'kube_proxy', 'kube_proxy')
# Generate the default service account token key
os.makedirs('/etc/kubernetes', exist_ok=True)
cmd = ['openssl', 'genrsa', '-out', service_key, # Try to fetch data from leadership broadcast.
'2048'] contents = charms.leadership.leader_get(service_key)
check_call(cmd) if contents is not None:
# Since there was a leader in the past and we are bootstrapping
# the leader here, all masters were killed and a new one is
# added again.
keys = [service_key, basic_auth, known_tokens]
get_keys_from_leader(keys)
else:
if not os.path.isfile(basic_auth):
setup_basic_auth('admin', 'admin', 'admin')
if not os.path.isfile(known_tokens):
setup_tokens(None, 'admin', 'admin')
setup_tokens(None, 'kubelet', 'kubelet')
setup_tokens(None, 'kube_proxy', 'kube_proxy')
# Generate the default service account token key
os.makedirs('/etc/kubernetes', exist_ok=True)
cmd = ['openssl', 'genrsa', '-out', service_key,
'2048']
check_call(cmd)
api_opts.add('--service-account-key-file', service_key) api_opts.add('--service-account-key-file', service_key)
controller_opts.add('--service-account-private-key-file', service_key) controller_opts.add('--service-account-private-key-file', service_key)
@ -199,15 +209,27 @@ def setup_non_leader_authentication():
basic_auth = '/srv/kubernetes/basic_auth.csv' basic_auth = '/srv/kubernetes/basic_auth.csv'
known_tokens = '/srv/kubernetes/known_tokens.csv' known_tokens = '/srv/kubernetes/known_tokens.csv'
hookenv.status_set('maintenance', 'Rendering authentication templates.')
# Set an array for looping logic
keys = [service_key, basic_auth, known_tokens]
get_keys_from_leader(keys)
api_opts.add('--basic-auth-file', basic_auth)
api_opts.add('--token-auth-file', known_tokens)
api_opts.add('--service-cluster-ip-range', service_cidr())
api_opts.add('--service-account-key-file', service_key)
controller_opts.add('--service-account-private-key-file', service_key)
set_state('authentication.setup')
def get_keys_from_leader(keys):
# This races with other codepaths, and seems to require being created first # This races with other codepaths, and seems to require being created first
# This block may be extracted later, but for now seems to work as intended # This block may be extracted later, but for now seems to work as intended
os.makedirs('/etc/kubernetes', exist_ok=True) os.makedirs('/etc/kubernetes', exist_ok=True)
os.makedirs('/srv/kubernetes', exist_ok=True) os.makedirs('/srv/kubernetes', exist_ok=True)
hookenv.status_set('maintenance', 'Rendering authentication templates.')
# Set an array for looping logic
keys = [service_key, basic_auth, known_tokens]
for k in keys: for k in keys:
# If the path does not exist, assume we need it # If the path does not exist, assume we need it
if not os.path.exists(k): if not os.path.exists(k):
@ -223,14 +245,6 @@ def setup_non_leader_authentication():
with open(k, 'w+') as fp: with open(k, 'w+') as fp:
fp.write(contents) fp.write(contents)
api_opts.add('--basic-auth-file', basic_auth)
api_opts.add('--token-auth-file', known_tokens)
api_opts.add('--service-cluster-ip-range', service_cidr())
api_opts.add('--service-account-key-file', service_key)
controller_opts.add('--service-account-private-key-file', service_key)
set_state('authentication.setup')
@when('kubernetes-master.components.installed') @when('kubernetes-master.components.installed')
def set_app_version(): def set_app_version():
@ -760,8 +774,8 @@ def setup_tokens(token, username, user):
if not token: if not token:
alpha = string.ascii_letters + string.digits alpha = string.ascii_letters + string.digits
token = ''.join(random.SystemRandom().choice(alpha) for _ in range(32)) token = ''.join(random.SystemRandom().choice(alpha) for _ in range(32))
with open(known_tokens, 'w') as stream: with open(known_tokens, 'a') as stream:
stream.write('{0},{1},{2}'.format(token, username, user)) stream.write('{0},{1},{2}\n'.format(token, username, user))
def all_kube_system_pods_running(): def all_kube_system_pods_running():