From 57f7b658bb2ed669e4123ceec51be2ebe38d4439 Mon Sep 17 00:00:00 2001 From: Justin Santa Barbara Date: Sat, 2 May 2015 15:37:54 -0400 Subject: [PATCH] AWS: Change apiserver to listen on 443 directly, not through nginx Mirrors changes in GCE. I think the same changes will be needed for vagrant. --- cluster/aws/templates/create-dynamic-salt-files.sh | 8 ++++++-- cluster/aws/util.sh | 7 ++----- cluster/saltbase/salt/kube-apiserver/init.sls | 2 +- .../saltbase/salt/kube-apiserver/kube-apiserver.manifest | 4 ++-- cluster/saltbase/salt/kubelet/default | 2 +- cluster/saltbase/salt/top.sls | 2 +- 6 files changed, 13 insertions(+), 12 deletions(-) diff --git a/cluster/aws/templates/create-dynamic-salt-files.sh b/cluster/aws/templates/create-dynamic-salt-files.sh index 87abb8cc8c8..cf214719f4c 100644 --- a/cluster/aws/templates/create-dynamic-salt-files.sh +++ b/cluster/aws/templates/create-dynamic-salt-files.sh @@ -36,8 +36,12 @@ dns_domain: '$(echo "$DNS_DOMAIN" | sed -e "s/'/''/g")' admission_control: '$(echo "$ADMISSION_CONTROL" | sed -e "s/'/''/g")' EOF -mkdir -p /srv/salt-overlay/salt/nginx -echo $MASTER_HTPASSWD > /srv/salt-overlay/salt/nginx/htpasswd +readonly BASIC_AUTH_FILE="/srv/salt-overlay/salt/kube-apiserver/basic_auth.csv" +if [ ! -e "${BASIC_AUTH_FILE}" ]; then + mkdir -p /srv/salt-overlay/salt/kube-apiserver + (umask 077; + echo "${KUBE_PASSWORD},${KUBE_USER},admin" > "${BASIC_AUTH_FILE}") +fi # Generate and distribute a shared secret (bearer token) to # apiserver and the nodes so that kubelet and kube-proxy can diff --git a/cluster/aws/util.sh b/cluster/aws/util.sh index 2b8f09d2f8d..62847cb02db 100644 --- a/cluster/aws/util.sh +++ b/cluster/aws/util.sh 
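Review bot: In cluster/aws/templates/create-dynamic-salt-files.sh, the `echo "${KUBE_PASSWORD},${KUBE_USER},admin"` line writes the credentials into a CSV row with no escaping, so a password or user name containing a comma, a double quote or a newline produces a row whose columns no longer line up with what the apiserver reads from basic_auth.csv. How the password is generated is not visible in this patch, so this matters mainly for operator-supplied values; either reject such characters before writing or document the restriction. Writing the row with `printf '%s,%s,admin\n' "${KUBE_PASSWORD}" "${KUBE_USER}" > "${BASIC_AUTH_FILE}"` also avoids `echo` treating a leading `-n` or backslashes specially. The `[ ! -e "${BASIC_AUTH_FILE}" ]` guard leaves an existing file untouched, including its mode, so the `umask 077` only protects a freshly created file.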
@@ -361,10 +361,6 @@ function kube-up { ensure-iam-profiles get-password - python "${KUBE_ROOT}/third_party/htpasswd/htpasswd.py" \ - -b -c "${KUBE_TEMP}/htpasswd" "$KUBE_USER" "$KUBE_PASSWORD" - local htpasswd - htpasswd=$(cat "${KUBE_TEMP}/htpasswd") if [[ ! -f "$AWS_SSH_KEY" ]]; then ssh-keygen -f "$AWS_SSH_KEY" -N '' @@ -442,7 +438,8 @@ function kube-up { echo "readonly SERVER_BINARY_TAR_URL='${SERVER_BINARY_TAR_URL}'" echo "readonly SALT_TAR_URL='${SALT_TAR_URL}'" echo "readonly ZONE='${ZONE}'" - echo "readonly MASTER_HTPASSWD='${htpasswd}'" + echo "readonly KUBE_USER='${KUBE_USER}'" + echo "readonly KUBE_PASSWORD='${KUBE_PASSWORD}'" echo "readonly PORTAL_NET='${PORTAL_NET}'" echo "readonly ENABLE_CLUSTER_MONITORING='${ENABLE_CLUSTER_MONITORING:-false}'" echo "readonly ENABLE_NODE_MONITORING='${ENABLE_NODE_MONITORING:-false}'" diff --git a/cluster/saltbase/salt/kube-apiserver/init.sls b/cluster/saltbase/salt/kube-apiserver/init.sls index 6b5f5b78bdd..0308245680c 100644 --- a/cluster/saltbase/salt/kube-apiserver/init.sls +++ b/cluster/saltbase/salt/kube-apiserver/init.sls @@ -9,7 +9,7 @@ {% endif %} {% endif %} -{% if grains['cloud'] is defined and grains['cloud'] == 'gce' %} +{% if grains['cloud'] is defined and grains.cloud in [ 'aws', 'gce' ] %} /srv/kubernetes/basic_auth.csv: file.managed: - source: salt://kube-apiserver/basic_auth.csv diff --git a/cluster/saltbase/salt/kube-apiserver/kube-apiserver.manifest b/cluster/saltbase/salt/kube-apiserver/kube-apiserver.manifest index 98646052d46..4b80e291de0 100644 --- a/cluster/saltbase/salt/kube-apiserver/kube-apiserver.manifest +++ b/cluster/saltbase/salt/kube-apiserver/kube-apiserver.manifest 
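Review bot: In the second cluster/aws/util.sh hunk, `echo "readonly KUBE_PASSWORD='${KUBE_PASSWORD}'"` places the cleartext password between single quotes in a generated script, so a password containing `'` ends the quoted string early and the remainder is parsed as shell by whatever sources that script. The removed `MASTER_HTPASSWD` line carried only the htpasswd output, so this is also the first time the cleartext credential travels in this payload. Where the payload goes is outside the hunk, but if it is instance user-data it remains readable from the instance metadata service, which is worth documenting or restricting. Emitting the value with `printf 'readonly KUBE_PASSWORD=%q\n' "${KUBE_PASSWORD}"` (and likewise for `KUBE_USER`) keeps the assignment well-formed, assuming the consumer runs under bash. kube-up begins and ends outside this hunk.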
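Review bot: The `file.managed` state for `/srv/kubernetes/basic_auth.csv` in cluster/saltbase/salt/kube-apiserver/init.sls now applies to AWS masters as well, and its `user`/`group`/`mode` settings are outside this hunk. The AWS template creates the source file under `umask 077`, so confirm the managed copy is equally restricted (for example `- mode: 600`, an illustrative value not taken from the file). Otherwise the credentials file ends up more readable at its destination than at its source. The same `grains.cloud in [ 'aws', 'gce' ]` test is repeated in kube-apiserver.manifest, kubelet/default and top.sls; a shared pillar value would keep the provider list in one place.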
@@ -46,7 +46,7 @@ {% set client_ca_file = "" -%} {% set secure_port = "6443" -%} -{% if grains['cloud'] is defined and grains['cloud'] == 'gce' %} +{% if grains['cloud'] is defined and grains.cloud in [ 'aws', 'gce' ] %} {% set secure_port = "443" -%} {% set client_ca_file = "--client_ca_file=/srv/kubernetes/ca.crt" -%} {% endif -%} @@ -60,7 +60,7 @@ {% endif -%} {% endif -%} -{% if grains['cloud'] is defined and grains['cloud'] == 'gce' %} +{% if grains['cloud'] is defined and grains.cloud in [ 'aws', 'gce' ] %} {% set basic_auth_file = "--basic_auth_file=/srv/kubernetes/basic_auth.csv" -%} {% endif -%} diff --git a/cluster/saltbase/salt/kubelet/default b/cluster/saltbase/salt/kubelet/default index 9a6316b7ce1..b504ede33c4 100644 --- a/cluster/saltbase/salt/kubelet/default +++ b/cluster/saltbase/salt/kubelet/default @@ -16,7 +16,7 @@ {% endif -%} # TODO: remove nginx for other cloud providers. -{% if grains['cloud'] is defined and grains['cloud'] == 'gce' -%} +{% if grains['cloud'] is defined and grains.cloud in [ 'aws', 'gce' ] %} {% set api_servers_with_port = api_servers -%} {% else -%} {% set api_servers_with_port = api_servers + ":6443" -%} diff --git a/cluster/saltbase/salt/top.sls b/cluster/saltbase/salt/top.sls index f644a2c589d..c1aa08c50d2 100644 --- a/cluster/saltbase/salt/top.sls +++ b/cluster/saltbase/salt/top.sls @@ -33,7 +33,7 @@ base: - kube-controller-manager - kube-scheduler - monit -{% if grains['cloud'] is defined and grains['cloud'] != 'gce' %} +{% if grains['cloud'] is defined and not grains.cloud in [ 'aws', 'gce' ] %} - nginx {% endif %} - cadvisor
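Review bot: With `aws` added to the condition in the first kube-apiserver.manifest hunk, AWS masters now start the apiserver on port 443 with `--client_ca_file=/srv/kubernetes/ca.crt`, but nothing in this patch creates `/srv/kubernetes/ca.crt` on AWS. If the AWS provisioning path does not already generate that CA file, the apiserver is being pointed at a missing file; confirm where it comes from, or set only `secure_port` for AWS until it exists. The commit message says this mirrors GCE, so the GCE certificate-generation step is presumably what needs porting.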
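Review bot: In cluster/saltbase/salt/kubelet/default, the new `{% if ... %}` line ends in `%}` where the line it replaces ended in `-%}`, so the whitespace trimming after the tag is lost and the rendered defaults file gains a newline at this point, unlike the `{% else -%}` branch below it. If that was not intended, keep the trim marker: `{% if grains['cloud'] is defined and grains.cloud in [ 'aws', 'gce' ] -%}`. The `# TODO: remove nginx for other cloud providers.` comment above could also say which providers still sit behind nginx now that AWS has moved.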
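Review bot: In cluster/saltbase/salt/top.sls, `not grains.cloud in [ 'aws', 'gce' ]` reads more clearly as `grains.cloud not in [ 'aws', 'gce' ]`, which Jinja supports and which removes any doubt about how `not` binds. The guard still requires `grains['cloud'] is defined`, so a minion with no cloud grain gets no nginx here while the manifest hunk leaves it on port 6443. That predates this change, but a short comment such as `{# nginx fronts the apiserver only on providers not yet moved to 443 #}` would record the intent.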