Merge pull request #9292 from cjcullen/test_pull_8946

Add an ssh tunnel option to the /proxy endpoint
2025-09-07 20:21:20 +00:00 · 2015-06-08 14:30:12 -07:00
parent 09e1a044ad 9ab329827a
commit 5aa0219ada
23 changed files with 481 additions and 80 deletions
--- a/cluster/gce/configure-vm.sh
+++ b/cluster/gce/configure-vm.sh
@@ -220,9 +220,12 @@ mount-master-pd() {
  mkdir -p /mnt/master-pd/srv/kubernetes
  # Contains the cluster's initial config parameters and auth tokens
  mkdir -p /mnt/master-pd/srv/salt-overlay
+  # Directory for kube-apiserver to store SSH key (if necessary)
+  mkdir -p /mnt/master-pd/srv/sshproxy

  ln -s -f /mnt/master-pd/var/etcd /var/etcd
  ln -s -f /mnt/master-pd/srv/kubernetes /srv/kubernetes
+  ln -s -f /mnt/master-pd/srv/sshproxy /srv/sshproxy
  ln -s -f /mnt/master-pd/srv/salt-overlay /srv/salt-overlay

  # This is a bit of a hack to get around the fact that salt has to run after the
@@ -487,16 +490,18 @@ grains:
  cbr-cidr: ${MASTER_IP_RANGE}
  cloud: gce
 EOF
-  if ! [[ -z "${PROJECT_ID:-}" ]] && ! [[ -z "${TOKEN_URL:-}" ]]; then
+  if ! [[ -z "${PROJECT_ID:-}" ]] && ! [[ -z "${TOKEN_URL:-}" ]] && ! [[ -z "${NODE_NETWORK:-}" ]] ; then
    cat <<EOF >/etc/gce.conf
 [global]
 token-url = ${TOKEN_URL}
 project-id = ${PROJECT_ID}
+network-name = ${NODE_NETWORK}
 EOF
    EXTERNAL_IP=$(curl --fail --silent -H 'Metadata-Flavor: Google' "http://metadata/computeMetadata/v1/instance/network-interfaces/0/access-configs/0/external-ip")
    cat <<EOF >>/etc/salt/minion.d/grains.conf
  cloud_config: /etc/gce.conf
  advertise_address: '${EXTERNAL_IP}'
+  proxy_ssh_user: '${INSTANCE_PREFIX}'
 EOF
  fi
 }
--- a/cluster/kubectl.sh
+++ b/cluster/kubectl.sh
@@ -102,9 +102,6 @@ kubectl="${KUBECTL_PATH:-${kubectl}}"

 if [[ "$KUBERNETES_PROVIDER" == "gke" ]]; then
  detect-project &> /dev/null
-  config=(
-    "--context=gke_${PROJECT}_${ZONE}_${CLUSTER_NAME}"
-  )
 elif [[ "$KUBERNETES_PROVIDER" == "ubuntu" || "$KUBERNETES_PROVIDER" == "juju" ]]; then
  detect-master > /dev/null
  config=(
--- a/cluster/saltbase/salt/kube-apiserver/kube-apiserver.manifest
+++ b/cluster/saltbase/salt/kube-apiserver/kube-apiserver.manifest
@@ -5,21 +5,17 @@

 {% set cloud_provider = "" -%}
 {% set cloud_config = "" -%}
+{% set cloud_config_mount = "" -%}
+{% set cloud_config_volume = "" -%}

 {% if grains.cloud is defined -%}
-{% set cloud_provider = "--cloud_provider=" + grains.cloud -%}
+  {% set cloud_provider = "--cloud_provider=" + grains.cloud -%}

-{% if grains.cloud == 'gce' -%}
-  {% if grains.cloud_config is defined -%}
+  {% if grains.cloud in [ 'aws', 'gce' ] and grains.cloud_config is defined -%}
    {% set cloud_config = "--cloud_config=" + grains.cloud_config -%}
+    {% set cloud_config_mount = "{\"name\": \"cloudconfigmount\",\"mountPath\": \"" + grains.cloud_config + "\", \"readOnly\": true}," -%}
+    {% set cloud_config_volume = "{\"name\": \"cloudconfigmount\",\"hostPath\": {\"path\": \"" + grains.cloud_config + "\"}}," -%}
  {% endif -%}
-
-{% elif grains.cloud == 'aws' -%}
-  {% if grains.cloud_config is defined -%}
-    {% set cloud_config = "--cloud_config=" + grains.cloud_config -%}
-  {% endif -%}
-{% endif -%}
-
 {% endif -%}

 {% set advertise_address = "" -%}
@@ -27,6 +23,11 @@
  {% set advertise_address = "--advertise-address=" + grains.advertise_address -%}
 {% endif -%}

+{% set proxy_ssh_options = "" -%}
+{% if grains.proxy_ssh_user is defined -%}
+  {% set proxy_ssh_options = "--ssh-user=" + grains.proxy_ssh_user + " --ssh-keyfile=/srv/sshproxy/.sshkeyfile" -%}
+{% endif -%}
+
 {% set address = "--address=127.0.0.1" -%}

 {% set cluster_name = "" -%}
@@ -85,7 +86,7 @@
 {% endif -%}

 {% set params = address + " " + etcd_servers + " " + cloud_provider + " " + cloud_config + " " + runtime_config + " " + admission_control + " " + service_cluster_ip_range + " " + client_ca_file + " " + basic_auth_file + " " + min_request_timeout -%}
-{% set params = params + " " + cluster_name + " " + cert_file + " " + key_file + " --secure_port=" + secure_port + " " + token_auth_file + " " + bind_address + " " + pillar['log_level'] + " " + advertise_address -%}
+{% set params = params + " " + cluster_name + " " + cert_file + " " + key_file + " --secure_port=" + secure_port + " " + token_auth_file + " " + bind_address + " " + pillar['log_level'] + " " + advertise_address  + " " + proxy_ssh_options -%}

 {
 "apiVersion": "v1beta3",
@@ -111,6 +112,7 @@
        "hostPort": 8080}
        ],
    "volumeMounts": [
+        {{cloud_config_mount}}
        { "name": "srvkube",
        "mountPath": "/srv/kubernetes",
        "readOnly": true},
@@ -140,11 +142,15 @@
        "readOnly": true},
        { "name": "etcpkitls",
        "mountPath": "/etc/pki/tls",
-        "readOnly": true}
+        "readOnly": true},
+        { "name": "srvsshproxy",
+        "mountPath": "/srv/sshproxy",
+        "readOnly": false}
      ]
    }
 ],
 "volumes":[
+  {{cloud_config_volume}}
  { "name": "srvkube",
    "hostPath": {
        "path": "/srv/kubernetes"}
@@ -184,6 +190,10 @@
  { "name": "etcpkitls",
    "hostPath": {
        "path": "/etc/pki/tls"}
+  },
+  { "name": "srvsshproxy",
+    "hostPath": {
+        "path": "/srv/sshproxy"}
  }
 ]
 }}
--- a/cluster/saltbase/salt/kube-controller-manager/kube-controller-manager.manifest
+++ b/cluster/saltbase/salt/kube-controller-manager/kube-controller-manager.manifest
@@ -14,6 +14,8 @@

 {% set cloud_provider = "" -%}
 {% set cloud_config = "" -%}
+{% set cloud_config_mount = "" -%}
+{% set cloud_config_volume = "" -%}

 {% if grains.cloud is defined -%}
  {% set cloud_provider = "--cloud_provider=" + grains.cloud -%}
@@ -21,6 +23,8 @@

  {% if grains.cloud in [ 'aws', 'gce' ] and grains.cloud_config is defined -%}
    {% set cloud_config = "--cloud_config=" + grains.cloud_config -%}
+    {% set cloud_config_mount = "{\"name\": \"cloudconfigmount\",\"mountPath\": \"" + grains.cloud_config + "\", \"readOnly\": true}," -%}
+    {% set cloud_config_volume = "{\"name\": \"cloudconfigmount\",\"hostPath\": {\"path\": \"" + grains.cloud_config + "\"}}," -%}
  {% endif -%}
 {% endif -%}

@@ -42,6 +46,7 @@
                 "/usr/local/bin/kube-controller-manager {{params}} 1>>/var/log/kube-controller-manager.log 2>&1"
               ],
    "volumeMounts": [
+        {{cloud_config_mount}}
        { "name": "srvkube",
        "mountPath": "/srv/kubernetes",
        "readOnly": true},
@@ -76,6 +81,7 @@
    }
 ],
 "volumes":[
+  {{cloud_config_volume}}
  { "name": "srvkube",
    "hostPath": {
        "path": "/srv/kubernetes"}