diff --git a/cmd/kubernetes-discovery/artifacts/local-cluster-up/etcd-pod.yaml b/cmd/kubernetes-discovery/artifacts/local-cluster-up/etcd-pod.yaml
new file mode 100644
index 00000000000..2d604a25501
--- /dev/null
+++ b/cmd/kubernetes-discovery/artifacts/local-cluster-up/etcd-pod.yaml
@@ -0,0 +1,50 @@
+kind: ReplicationController
+apiVersion: v1
+metadata:
+ name: etcd
+ labels:
+ etcd: "true"
+spec:
+ replicas: 1
+ selector:
+ etcd: "true"
+ template:
+ metadata:
+ labels:
+ etcd: "true"
+ spec:
+ containers:
+ - name: etcd
+ image: quay.io/coreos/etcd:v3.0.15
+ command:
+ - "etcd"
+ - "--listen-client-urls=https://0.0.0.0:4001"
+ - "--advertise-client-urls=https://etcd.kube-public.svc:4001"
+ - "--trusted-ca-file=/var/run/serving-ca/ca.crt"
+ - "--cert-file=/var/run/serving-cert/tls.crt"
+ - "--key-file=/var/run/serving-cert/tls.key"
+ - "--client-cert-auth=true"
+ - "--listen-peer-urls=https://0.0.0.0:7001"
+ - "--initial-advertise-peer-urls=https://etcd.kube-public.svc:7001"
+ - "--peer-trusted-ca-file=/var/run/serving-ca/ca.crt"
+ - "--peer-cert-file=/var/run/serving-cert/tls.crt"
+ - "--peer-key-file=/var/run/serving-cert/tls.key"
+ - "--peer-client-cert-auth=true"
+ - "--initial-cluster=default=https://etcd.kube-public.svc:7001"
+ ports:
+ - containerPort: 4001
+ volumeMounts:
+ - mountPath: /var/run/serving-cert
+ name: volume-serving-cert
+ - mountPath: /var/run/serving-ca
+ name: volume-etcd-ca
+ volumes:
+ - secret:
+ defaultMode: 420
+ secretName: serving-etcd
+ name: volume-serving-cert
+ - configMap:
+ defaultMode: 420
+ name: etcd-ca
+ name: volume-etcd-ca
+
diff --git a/cmd/kubernetes-discovery/artifacts/local-cluster-up/etcd-svc.yaml b/cmd/kubernetes-discovery/artifacts/local-cluster-up/etcd-svc.yaml
new file mode 100644
index 00000000000..a10ce54e810
--- /dev/null
+++ b/cmd/kubernetes-discovery/artifacts/local-cluster-up/etcd-svc.yaml
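Review bot: The `serving-etcd` secret, which holds `tls.key`, is mounted with `defaultMode: 420` (0644), so the private key is readable by every user inside the container; `defaultMode: 256` (0400) is enough as long as etcd reads it as the owning user (typically root for a default secret mount), which is worth confirming for this image. The `etcd-ca` ConfigMap only carries the public `ca.crt` and can stay at 420. etcd's data directory is not backed by any volume, so all stored state lives in the container filesystem and is lost on pod restart — fine for a local-up cluster, but worth recording with `# no data volume on purpose: etcd state is ephemeral in local-up`.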
@@ -0,0 +1,11 @@
+apiVersion: v1
+kind: Service
+metadata:
+ name: etcd
+spec:
+ ports:
+ - port: 4001
+ protocol: TCP
+ targetPort: 4001
+ selector:
+ etcd: "true"
diff --git a/cmd/kubernetes-discovery/artifacts/local-cluster-up/kubernetes-discover-pod.yaml b/cmd/kubernetes-discovery/artifacts/local-cluster-up/kubernetes-discover-pod.yaml
new file mode 100644
index 00000000000..e40a6c90f9c
--- /dev/null
+++ b/cmd/kubernetes-discovery/artifacts/local-cluster-up/kubernetes-discover-pod.yaml
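Review bot: The Service only exposes client port 4001, yet etcd-pod.yaml in this commit advertises the peer URL `https://etcd.kube-public.svc:7001`, which this Service does not route. With `replicas: 1` and `--initial-cluster=default=...` nothing ever dials the peer URL, so this works today, but a second member could not join through the advertised address. Either add a second `ports` entry for 7001 or state the assumption in a comment, e.g. `# peer port 7001 intentionally not exposed: single-member etcd`.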
@@ -0,0 +1,86 @@
+kind: ReplicationController
+apiVersion: v1
+metadata:
+ name: kubernetes-discovery
+ labels:
+ kubernetes-discovery: "true"
+spec:
+ replicas: 1
+ selector:
+ kubernetes-discovery: "true"
+ template:
+ metadata:
+ labels:
+ kubernetes-discovery: "true"
+ spec:
+ containers:
+ - name: kubernetes-discovery
+ image: kubernetes-discovery:latest
+ imagePullPolicy: Never
+ args:
+ - "--tls-cert-file=/var/run/serving-cert/tls.crt"
+ - "--tls-private-key-file=/var/run/serving-cert/tls.key"
+ - "--tls-ca-file=/var/run/serving-ca/ca.crt"
+ - "--client-ca-file=/var/run/client-ca/ca.crt"
+ - "--authentication-kubeconfig=/var/run/auth-kubeconfig/kubeconfig"
+ - "--authorization-kubeconfig=/var/run/auth-kubeconfig/kubeconfig"
+ - "--requestheader-username-headers=X-Remote-User"
+ - "--requestheader-group-headers=X-Remote-Group"
+ - "--requestheader-extra-headers-prefix=X-Remote-Extra-"
+ - "--requestheader-client-ca-file=/var/run/request-header-ca/ca.crt"
+ - "--etcd-servers=https://etcd.kube-public.svc:4001"
+ - "--etcd-certfile=/var/run/etcd-client-cert/tls.crt"
+ - "--etcd-keyfile=/var/run/etcd-client-cert/tls.key"
+ - "--etcd-cafile=/var/run/etcd-ca/ca.crt"
+ ports:
+ - containerPort: 443
+ volumeMounts:
+ - mountPath: /var/run/request-header-ca
+ name: volume-request-header-ca
+ - mountPath: /var/run/client-ca
+ name: volume-client-ca
+ - mountPath: /var/run/auth-proxy-client
+ name: volume-auth-proxy-client
+ - mountPath: /var/run/auth-kubeconfig
+ name: volume-auth-kubeconfig
+ - mountPath: /var/run/etcd-client-cert
+ name: volume-etcd-client-cert
+ - mountPath: /var/run/serving-ca
+ name: volume-serving-ca
+ - mountPath: /var/run/serving-cert
+ name: volume-serving-cert
+ - mountPath: /var/run/etcd-ca
+ name: volume-etcd-ca
+ volumes:
+ - configMap:
+ defaultMode: 420
+ name: request-header-ca
+ name: volume-request-header-ca
+ - configMap:
+ defaultMode: 420
+ name: client-ca
+ name: volume-client-ca
+ - name: volume-auth-proxy-client
+ secret:
+ defaultMode: 420
+ secretName: auth-proxy-client
+ - name: volume-auth-kubeconfig
+ secret:
+ defaultMode: 420
+ secretName: discovery-auth-kubeconfig
+ - name: volume-etcd-client-cert
+ secret:
+ defaultMode: 420
+ secretName: discovery-etcd
+ - name: volume-serving-cert
+ secret:
+ defaultMode: 420
+ secretName: serving-discovery
+ - configMap:
+ defaultMode: 420
+ name: discovery-ca
+ name: volume-serving-ca
+ - configMap:
+ defaultMode: 420
+ name: etcd-ca
+ name: volume-etcd-ca
diff --git a/cmd/kubernetes-discovery/artifacts/local-cluster-up/kubernetes-discovery-svc.yaml b/cmd/kubernetes-discovery/artifacts/local-cluster-up/kubernetes-discovery-svc.yaml
new file mode 100644
index 00000000000..669888c0982
--- /dev/null
+++ b/cmd/kubernetes-discovery/artifacts/local-cluster-up/kubernetes-discovery-svc.yaml
@@ -0,0 +1,15 @@
+apiVersion: v1
+kind: Service
+metadata:
+ labels:
+ kubernetes-discovery: "true"
+ name: kubernetes-discovery
+spec:
+ ports:
+ - port: 443
+ protocol: TCP
+ nodePort: 31090
+ targetPort: 443
+ selector:
+ kubernetes-discovery: "true"
+ type: NodePort
diff --git a/cmd/kubernetes-discovery/artifacts/simple-image/Dockerfile b/cmd/kubernetes-discovery/artifacts/simple-image/Dockerfile
new file mode 100644
index 00000000000..1cfe288c0fa
--- /dev/null
+++ b/cmd/kubernetes-discovery/artifacts/simple-image/Dockerfile
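Review bot: The `auth-proxy-client` secret is mounted at `/var/run/auth-proxy-client` but no entry in `args` refers to that path, so either the server needs a flag pointing at it (I cannot tell which from this hunk) or the volume, its mount and the `create secret tls auth-proxy-client` step in hack/local-up-discovery.sh are dead weight; wire it up or remove it. Every secret here carries a private key or a kubeconfig with embedded credentials, yet all use `defaultMode: 420` (0644), readable by any user in the container; `defaultMode: 256` (0400) suffices when the process reads them as the owning user, which is worth confirming for this image. With `--requestheader-client-ca-file` set and no allowed-names restriction, any certificate signed by `request-header-ca` can assert an arbitrary `X-Remote-User` identity; acceptable for a local-up cluster where that CA is generated only for this purpose, but say so, e.g. `# request-header CA is dev-only: any cert it signs is trusted to set X-Remote-User`.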
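Review bot: `nodePort: 31090` is hard-coded while hack/local-up-discovery.sh in this commit polls `https://${API_HOST_IP}:${DISCOVERY_SECURE_PORT}/version` with `DISCOVERY_SECURE_PORT` overridable from the environment; anyone who overrides it gets a Service on 31090 and a script waiting on a different port until `wait_for_url` gives up. Either document the coupling, `# must match DISCOVERY_SECURE_PORT in hack/local-up-discovery.sh`, or have the script substitute the port into this manifest. A NodePort also publishes the discovery endpoint on every node interface, which appears to be the intent for local-up but is worth stating in the same comment.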
@@ -0,0 +1,18 @@
+# Copyright 2016 The Kubernetes Authors.
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+FROM fedora
+MAINTAINER David Eads
+ADD kubernetes-discovery /
+ENTRYPOINT ["/kubernetes-discovery"]
diff --git a/cmd/kubernetes-discovery/hack/build-image.sh b/cmd/kubernetes-discovery/hack/build-image.sh
new file mode 100755
index 00000000000..f9f5809836f
--- /dev/null
+++ b/cmd/kubernetes-discovery/hack/build-image.sh
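Review bot: `FROM fedora` is unpinned, so the image produced by build-image.sh changes silently whenever the default Fedora tag moves; pin a release, `FROM fedora:<release>` (placeholder), and since only a single binary is copied in, a smaller base may do. `ADD kubernetes-discovery /` should be `COPY kubernetes-discovery /` — `COPY` is the documented form for plain local files, while `ADD` additionally unpacks archives and fetches URLs. No `USER` is set, so the server runs as root in the container; that is what lets it bind port 443 (start.go in this commit sets `BindPort = 443`), which deserves a comment such as `# runs as root: the server binds 443 (see pkg/cmd/server/start.go)`.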
@@ -0,0 +1,28 @@
+#!/bin/bash
+
+# Copyright 2014 The Kubernetes Authors.
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+
+KUBE_ROOT=$(dirname "${BASH_SOURCE}")/../../..
+source "${KUBE_ROOT}/hack/lib/util.sh"
+
+# Register function to be called on EXIT to remove generated binary.
+function cleanup {
+ rm "${KUBE_ROOT}/cmd/kubernetes-discovery/artifacts/simple-image/kubernetes-discovery"
+}
+trap cleanup EXIT
+
+cp -v ${KUBE_ROOT}/_output/local/bin/linux/amd64/kubernetes-discovery "${KUBE_ROOT}/cmd/kubernetes-discovery/artifacts/simple-image/kubernetes-discovery"
+docker build -t kubernetes-discovery:latest ${KUBE_ROOT}/cmd/kubernetes-discovery/artifacts/simple-image
diff --git a/cmd/kubernetes-discovery/pkg/cmd/server/start.go b/cmd/kubernetes-discovery/pkg/cmd/server/start.go
index b2b806accda..3bbb1be0a6a 100644
--- a/cmd/kubernetes-discovery/pkg/cmd/server/start.go
+++ b/cmd/kubernetes-discovery/pkg/cmd/server/start.go
@@ -61,9 +61,10 @@ func NewCommandStartDiscoveryServer(out, err io.Writer) *cobra.Command { StdOut: out, StdErr: err, } + o.Etcd.StorageConfig.Type = storagebackend.StorageTypeETCD3 o.Etcd.StorageConfig.Prefix = defaultEtcdPathPrefix o.Etcd.StorageConfig.Codec = api.Codecs.LegacyCodec(v1alpha1.SchemeGroupVersion) - o.SecureServing.ServingOptions.BindPort = 9090 + o.SecureServing.ServingOptions.BindPort = 443 cmd := &cobra.Command{ Short: "Launch a discovery summarizer and proxy server",
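Review bot: The script never enables `set -o errexit`/`set -o nounset`/`set -o pipefail`, so if the `cp` on the second-to-last line fails (binary not built yet) `docker build` still runs, and a binary left behind by an earlier run that never reached the trap would be baked into `kubernetes-discovery:latest` without any error. Add `set -o errexit`, `set -o nounset` and `set -o pipefail` after the shebang, and make the trap tolerant of the copy never having happened with `rm -f "${KUBE_ROOT}/cmd/kubernetes-discovery/artifacts/simple-image/kubernetes-discovery"`. `${KUBE_ROOT}` is unquoted in both the `cp` source and the `docker build` context argument; quote them as the `rm` line already does.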
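Review bot: `BindPort = 443` turns the default into a privileged port, so `kubernetes-discovery` started outside the container, or as a non-root user inside one, fails at listen time unless it holds `CAP_NET_BIND_SERVICE`; the previous default 9090 had no such requirement. If 443 is wanted so the in-cluster Service can target the pod without remapping, say so where the value is set: `// default to 443 so the Service can target the pod directly; binding it needs root or CAP_NET_BIND_SERVICE`. The enclosing function NewCommandStartDiscoveryServer continues outside the hunk.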
diff --git a/hack/lib/util.sh b/hack/lib/util.sh
index d4a76616e14..14cbe0e6f1b 100755
--- a/hack/lib/util.sh
+++ b/hack/lib/util.sh
@@ -460,7 +460,7 @@ function kube::util::test_cfssl_installed { # Test whether openssl is installed. # Sets: # OPENSSL_BIN: The path to the openssl binary to use -function test_openssl_installed { +function kube::util::test_openssl_installed { openssl version >& /dev/null if [ "$?" != "0" ]; then echo "Failed to run openssl. Please ensure openssl is installed"
@@ -569,7 +569,7 @@ EOF # flatten the kubeconfig files to make them self contained username=$(whoami) ${sudo} /bin/bash -e < "/tmp/${client_id}.kubeconfig" + $(kube::util::find-binary kubectl) --kubeconfig="${dest_dir}/${client_id}.kubeconfig" config view --minify --flatten > "/tmp/${client_id}.kubeconfig" mv -f "/tmp/${client_id}.kubeconfig" "${dest_dir}/${client_id}.kubeconfig" chown ${username} "${dest_dir}/${client_id}.kubeconfig" EOF
diff --git a/hack/local-up-discovery.sh b/hack/local-up-discovery.sh
new file mode 100755
index 00000000000..37affccdc85
--- /dev/null
+++ b/hack/local-up-discovery.sh
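Review bot: The new kubectl line writes the flattened kubeconfig, which embeds the client certificate and private key, to the predictable path `/tmp/${client_id}.kubeconfig` from a `bash -e` that may be running under sudo; on a shared /tmp without symlink protection a pre-existing symlink at that name would be followed by the `>` redirection, overwriting its target and leaving the credentials wherever it points. Create the intermediate file with a private name instead, e.g. `tmp_kubeconfig=$(mktemp)` before the heredoc and `> "${tmp_kubeconfig}"` / `mv -f "${tmp_kubeconfig}" "${dest_dir}/${client_id}.kubeconfig"` inside it, or write straight into `${dest_dir}`, which is already the destination the sudo'd shell owns. The removed line and the heredoc opener look garbled on this page, so only the added line is judged here; the enclosing function starts before the hunk.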
@@ -0,0 +1,110 @@
+#!/bin/bash
+
+# Copyright 2014 The Kubernetes Authors.
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+# starts kubernetes-discovery as a pod after you've run `local-up-cluster.sh`
+
+
+KUBE_ROOT=$(dirname "${BASH_SOURCE}")/..
+source "${KUBE_ROOT}/hack/lib/init.sh"
+
+DISCOVERY_SECURE_PORT=${DISCOVERY_SECURE_PORT:-31090}
+API_HOST=${API_HOST:-localhost}
+API_HOST_IP=${API_HOST_IP:-"127.0.0.1"}
+CERT_DIR=${CERT_DIR:-"/var/run/kubernetes"}
+ROOT_CA_FILE=$CERT_DIR/apiserver.crt
+
+# Ensure CERT_DIR is created for auto-generated crt/key and kubeconfig
+mkdir -p "${CERT_DIR}" &>/dev/null || sudo mkdir -p "${CERT_DIR}"
+sudo=$(test -w "${CERT_DIR}" || echo "sudo -E")
+
+
+kubectl=$(kube::util::find-binary kubectl)
+
+function kubectl_core {
+ ${kubectl} --kubeconfig="${CERT_DIR}/admin.kubeconfig" $@
+}
+
+function sudo_kubectl_core {
+ ${sudo} ${kubectl} --kubeconfig="${CERT_DIR}/admin.kubeconfig" $@
+}
+
+# start_discovery relies on certificates created by start_apiserver
+function start_discovery {
+ kube::util::create_signing_certkey "${sudo}" "${CERT_DIR}" "discovery" '"server auth"'
+ # sign the discovery cert to be good for the local node too, so that we can trust it
+ kube::util::create_serving_certkey "${sudo}" "${CERT_DIR}" "discovery-ca" discovery api.kube-public.svc "localhost" ${API_HOST_IP}
+
+ # Create serving and client CA. etcd only takes one arg
+ kube::util::create_signing_certkey "${sudo}" "${CERT_DIR}" "etcd" '"client auth","server auth"'
+ kube::util::create_serving_certkey "${sudo}" "${CERT_DIR}" "etcd-ca" etcd etcd.kube-public.svc
+ # etcd doesn't seem to have separate signers for serving and client trust
+ kube::util::create_client_certkey "${sudo}" "${CERT_DIR}" "etcd-ca" discovery-etcd discovery-etcd
+
+ # create credentials for running delegated authn/authz checks
+ # "client-ca" is created when you start the apiserver
+ kube::util::create_client_certkey "${sudo}" "${CERT_DIR}" "client-ca" discovery-auth system:discovery-auth
+ kube::util::write_client_kubeconfig "${sudo}" "${CERT_DIR}" "${ROOT_CA_FILE}" "kubernetes.default.svc" 443 discovery-auth
+ # ${kubectl} config set-cluster local-up-cluster --kubeconfig="${CERT_DIR}/discovery-auth.kubeconfig" --insecure-skip-tls-verify
+
+ # don't fail if the namespace already exists or something
+ # If this fails for some reason, the script will fail during creation of other resources
+ kubectl_core create namespace kube-public || true
+
+ # grant permission to run delegated authentication and authorization checks
+ kubectl_core delete clusterrolebinding discovery:system:auth-delegator > /dev/null 2>&1 || true
+ kubectl_core create clusterrolebinding discovery:system:auth-delegator --clusterrole=system:auth-delegator --user=system:discovery-auth
+
+ # make sure the resources we're about to create don't exist
+ kubectl_core -n kube-public delete secret auth-proxy-client serving-etcd serving-discovery discovery-etcd discovery-auth-kubeconfig > /dev/null 2>&1 || true
+ kubectl_core -n kube-public delete configmap etcd-ca discovery-ca client-ca request-header-ca > /dev/null 2>&1 || true
+ kubectl_core -n kube-public delete -f "${KUBE_ROOT}/cmd/kubernetes-discovery/artifacts/local-cluster-up" > /dev/null 2>&1 || true
+
+ sudo_kubectl_core -n kube-public create secret tls auth-proxy-client --cert="${CERT_DIR}/client-auth-proxy.crt" --key="${CERT_DIR}/client-auth-proxy.key"
+ sudo_kubectl_core -n kube-public create secret tls serving-etcd --cert="${CERT_DIR}/serving-etcd.crt" --key="${CERT_DIR}/serving-etcd.key"
+ sudo_kubectl_core -n kube-public create secret tls serving-discovery --cert="${CERT_DIR}/serving-discovery.crt" --key="${CERT_DIR}/serving-discovery.key"
+ sudo_kubectl_core -n kube-public create secret tls discovery-etcd --cert="${CERT_DIR}/client-discovery-etcd.crt" --key="${CERT_DIR}/client-discovery-etcd.key"
+ kubectl_core -n kube-public create secret generic discovery-auth-kubeconfig --from-file="kubeconfig=${CERT_DIR}/discovery-auth.kubeconfig"
+ kubectl_core -n kube-public create configmap etcd-ca --from-file="ca.crt=${CERT_DIR}/etcd-ca.crt" || true
+ kubectl_core -n kube-public create configmap discovery-ca --from-file="ca.crt=${CERT_DIR}/discovery-ca.crt" || true
+ kubectl_core -n kube-public create configmap client-ca --from-file="ca.crt=${CERT_DIR}/client-ca.crt" || true
+ kubectl_core -n kube-public create configmap request-header-ca --from-file="ca.crt=${CERT_DIR}/request-header-ca.crt" || true
+
+ ${KUBE_ROOT}/cmd/kubernetes-discovery/hack/build-image.sh
+
+ kubectl_core -n kube-public create -f "${KUBE_ROOT}/cmd/kubernetes-discovery/artifacts/local-cluster-up"
+
+ ${sudo} cp "${CERT_DIR}/admin.kubeconfig" "${CERT_DIR}/admin-discovery.kubeconfig"
+ ${sudo} chown ${username} "${CERT_DIR}/admin-discovery.kubeconfig"
+ ${kubectl} config set-cluster local-up-cluster --kubeconfig="${CERT_DIR}/admin-discovery.kubeconfig" --certificate-authority="${CERT_DIR}/discovery-ca.crt" --embed-certs --server="https://${API_HOST_IP}:${DISCOVERY_SECURE_PORT}"
+
+ # Wait for kubernetes-discovery to come up before launching the rest of the components.
+ # this should work since we're creating a node port service
+ echo "Waiting for kubernetes-discovery to come up: https://${API_HOST_IP}:${DISCOVERY_SECURE_PORT}/version"
+ kube::util::wait_for_url "https://${API_HOST_IP}:${DISCOVERY_SECURE_PORT}/version" "kubernetes-discovery: " 1 60 || exit 1
+
+ # something is weird with the proxy
+ sleep 1
+
+ # create the "normal" api services for the core API server
+ ${kubectl} --kubeconfig="${CERT_DIR}/admin-discovery.kubeconfig" create -f "${KUBE_ROOT}/cmd/kubernetes-discovery/artifacts/core-apiservices" --token="foo/system:masters"
+}
+
+kube::util::test_openssl_installed
+kube::util::test_cfssl_installed
+
+start_discovery
+
+echo "kuberentes-discovery available at https://${API_HOST_IP}:${DISCOVERY_SECURE_PORT} from 'api.kube-public.svc'"
diff --git a/hack/verify-flags/exceptions.txt b/hack/verify-flags/exceptions.txt
index f23a1879202..b4caa2c013c 100644
--- a/hack/verify-flags/exceptions.txt
+++ b/hack/verify-flags/exceptions.txt
@@ -1,7 +1,5 @@
 Vagrantfile: node_ip = $node_ips[n]
 cluster/addons/addon-manager/kube-addons.sh:# Create admission_control objects if defined before any other addon services. If the limits
-cluster/addons/registry/images/Dockerfile:ADD run_proxy.sh /usr/bin/run_proxy
-cluster/addons/registry/images/Dockerfile:CMD ["/usr/bin/run_proxy"]
 cluster/aws/templates/configure-vm-aws.sh: # We set the hostname_override to the full EC2 private dns name
 cluster/aws/templates/configure-vm-aws.sh: api_servers: '${API_SERVERS}'
 cluster/aws/templates/configure-vm-aws.sh: env-to-grains "hostname_override"
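Review bot: `${sudo} chown ${username} "${CERT_DIR}/admin-discovery.kubeconfig"` relies on `username`, which this script never assigns; it only works because `kube::util::write_client_kubeconfig` in hack/lib/util.sh sets a global `username=$(whoami)` as a side effect earlier in `start_discovery`, so add `username=$(whoami)` next to the other variables at the top rather than depend on that. `kubectl_core` and `sudo_kubectl_core` forward `$@` unquoted, which word-splits any argument containing spaces; write `"$@"`. The script also never sets `set -o errexit`/`nounset`/`pipefail`, so a failed certificate or secret creation is followed by deploying the pods regardless and is only noticed when `wait_for_url` times out; the existing `|| true` guards already mark the steps that are allowed to fail, so errexit should be safe to enable. The `--token="foo/system:masters"` on the final kubectl call is an opaque placeholder that deserves a comment explaining what the discovery server does with it, given the kubeconfig already carries the admin client certificate, and the closing echo misspells `kuberentes-discovery`.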
@@ -88,6 +86,7 @@ federation/deploy/config.json.sample: "num_nodes": 3,
 hack/e2e.go:.phase1.cloud_provider="gce"
 hack/e2e.go:.phase1.cluster_name="{{.Cluster}}"
 hack/e2e.go:.phase1.num_nodes=4
+hack/lib/util.sh: local api_port=$5
 hack/local-up-cluster.sh: advertise_address="--advertise_address=${API_HOST_IP}"
 hack/local-up-cluster.sh: runtime_config="--runtime-config=${RUNTIME_CONFIG}"
 hack/local-up-cluster.sh: advertise_address=""