From 728b337e9c1614ceb14f2658f444fd2ae0a3c80f Mon Sep 17 00:00:00 2001
From: Robert Bailey
Date: Fri, 17 Jul 2015 16:13:01 -0700
Subject: [PATCH] Refactor the functions that generate auth for the kubelet and kubeproxy and remove the insecure configuration now that GKE has plumbed through certificates.
---
 cluster/gce/configure-vm.sh | 82 ++++++++-----------------------------
 1 file changed, 18 insertions(+), 64 deletions(-)
diff --git a/cluster/gce/configure-vm.sh b/cluster/gce/configure-vm.sh
index f1dff09d2db..6593049149a 100644
--- a/cluster/gce/configure-vm.sh
+++ b/cluster/gce/configure-vm.sh
@@ -331,24 +331,16 @@ function create-salt-master-auth() {
 fi
 }
-# TODO(roberthbailey): Remove the insecure kubeconfig configuration files
-# once the certs are being plumbed through for GKE.
-function create-salt-node-auth() {
- if [[ ! -e /srv/kubernetes/ca.crt ]]; then
- if [[ ! -z "${CA_CERT:-}" ]] && [[ ! -z "${KUBELET_CERT:-}" ]] && [[ ! -z "${KUBELET_KEY:-}" ]]; then
- mkdir -p /srv/kubernetes
- (umask 077;
- echo "${CA_CERT}" | base64 -d > /srv/kubernetes/ca.crt;
- echo "${KUBELET_CERT}" | base64 -d > /srv/kubernetes/kubelet.crt;
- echo "${KUBELET_KEY}" | base64 -d > /srv/kubernetes/kubelet.key)
- fi
- fi
- kubelet_kubeconfig_file="/srv/salt-overlay/salt/kubelet/kubeconfig"
+# This should happen both on cluster initialization and node upgrades.
+#
+# - Uses CA_CERT, KUBELET_CERT, and KUBELET_KEY to generate a kubeconfig file
+# for the kubelet to securely connect to the apiserver.
+function create-salt-kubelet-auth() {
+ local -r kubelet_kubeconfig_file="/srv/salt-overlay/salt/kubelet/kubeconfig"
 if [ ! -e "${kubelet_kubeconfig_file}" ]; then
 mkdir -p /srv/salt-overlay/salt/kubelet
- if [[ ! -z "${CA_CERT:-}" ]] && [[ ! -z "${KUBELET_CERT:-}" ]] && [[ ! -z "${KUBELET_KEY:-}" ]]; then
- (umask 077;
- cat > "${kubelet_kubeconfig_file}" < "${kubelet_kubeconfig_file}" < "${kubelet_kubeconfig_file}" < "${kube_proxy_kubeconfig_file}" < "${kube_proxy_kubeconfig_file}" <