github/kubernetes
1
0
Fork 0
mirror of https://github.com/k3s-io/kubernetes.git synced 2025-08-03 01:06:27 +00:00
Code Issues Projects Releases Wiki Activity

Make secrets at cluster startup.

Browse Source 
These secrets will be used in subsequent PRs by:
scheduler, controller-manager, monitoring services,
logging services, and skydns.

Each of these services will then be able to stop using kubernetes-ro
or host networking.
This commit is contained in:
Eric Tune 2015-03-13 15:34:00 -07:00
parent 4a2000c4aa
commit 59daeabaee
2 changed files with 62 additions and 7 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

7
cluster/gce/configure-vm.sh
View File

@ -254,6 +254,13 @@ function create-salt-auth() {
kubelet_auth_file="/srv/salt-overlay/salt/kubelet/kubernetes_auth" kubelet_auth_file="/srv/salt-overlay/salt/kubelet/kubernetes_auth"
(umask 077; (umask 077;
echo "{\"BearerToken\": \"${KUBELET_TOKEN}\", \"Insecure\": true }" > "${kubelet_auth_file}") echo "{\"BearerToken\": \"${KUBELET_TOKEN}\", \"Insecure\": true }" > "${kubelet_auth_file}")
# Generate tokens for other "service accounts". Append to known_tokens.
local -r service_accounts=("system:scheduler" "system:controller_manager" "system:logging" "system:monitoring" "system:dns")
for account in "${service_accounts[@]}"; do
token=$(dd if=/dev/urandom bs=128 count=1 2>/dev/null | base64 | tr -d "=+/" | dd bs=32 count=1 2>/dev/null)
echo "${token},${account},${account}" >> "${known_tokens_file}"
done
} }
function download-release() { function download-release() {

62
cluster/saltbase/salt/kube-addons/kube-addons.sh
View File

@ -19,19 +19,52 @@
# managed result is of that. Start everything below that directory. # managed result is of that. Start everything below that directory.
KUBECTL=/usr/local/bin/kubectl KUBECTL=/usr/local/bin/kubectl
# $1 addon to start. function create-kubernetesauth-secret() {
local -r token=$1
local -r username=$2
local -r safe_username=$(tr -s ':_' '--' <<< "${username}")
# Make secret with a kubernetes_auth file with a token.
# TODO(etune): put apiserver certs into secret too, and reference from authfile,
# so that "Insecure" is not needed.
kafile=$(echo "{\"BearerToken\": \"${token}\", \"Insecure\": true }" | base64 -w0)
read -r -d '' secretjson <<EOF
apiVersion: v1beta1
kind: Secret
id: token-${safe_username}
data:
kubernetes-auth: ${kafile}
EOF
create-resource-from-string "${secretjson}" 100 10 "Secret-for-token-for-user-${username}" &
# TODO: label the secrets with special label so kubectl does not show these?
}
# $1 filename of addon to start.
# $2 count of tries to start the addon. # $2 count of tries to start the addon.
# $3 delay in seconds between two consecutive tries # $3 delay in seconds between two consecutive tries
function start_addon() { function start_addon() {
addon=$1; local -r addon_filename=$1;
tries=$2; local -r tries=$2;
delay=$3; local -r delay=$3;
create-resource-from-string "$(cat ${addon_filename})" "${tries}" "${delay}" "${addon_filename}"
}
# $1 string with json or yaml.
# $2 count of tries to start the addon.
# $3 delay in seconds between two consecutive tries
# $3 name of this object to use when logging about it.
function create-resource-from-string() {
local -r config_string=$1;
local -r tries=$2;
local -r delay=$3;
local -r config_name=$1;
while [ ${tries} -gt 0 ]; do while [ ${tries} -gt 0 ]; do
${KUBECTL} create -f ${addon} && \ echo "${config_string}" | ${KUBECTL} create -f - && \
echo "== Successfully started ${addon} at $(date -Is)" && \ echo "== Successfully started ${config_name} at $(date -Is)" && \
return 0; return 0;
let tries=tries-1; let tries=tries-1;
echo "== Failed to start ${addon} at $(date -Is). ${tries} tries remaining. ==" echo "== Failed to start ${config_name} at $(date -Is). ${tries} tries remaining. =="
sleep ${delay}; sleep ${delay};
done done
return 1; return 1;
@ -41,6 +74,21 @@ function start_addon() {
# was already enforced by salt, and /etc/kubernetes/addons is the # was already enforced by salt, and /etc/kubernetes/addons is the
# managed result is of that. Start everything below that directory. # managed result is of that. Start everything below that directory.
echo "== Kubernetes addon manager started at $(date -Is) ==" echo "== Kubernetes addon manager started at $(date -Is) =="
# Generate secrets for "internal service accounts".
# TODO(etune): move to a completely yaml/object based
# workflow so that service accounts can be created
# at the same time as the services that use them.
# NOTE: needs to run as root to read this file.
# Read each line in the csv file of tokens.
while read line; do
# Split each line into the token and username.
IFS=',' read -a parts <<< "${line}"
token=${parts[0]}
username=${parts[1]}
create-kubernetesauth-secret "${token}" "${username}"
done < /srv/kubernetes/known_tokens.csv
for obj in $(find /etc/kubernetes/addons -name \*.yaml); do for obj in $(find /etc/kubernetes/addons -name \*.yaml); do
start_addon ${obj} 100 10 & start_addon ${obj} 100 10 &
echo "++ addon ${obj} starting in pid $! ++" echo "++ addon ${obj} starting in pid $! ++"