From 968b0b30cfed1056c79bf51b6ca71e3998d4fb05 Mon Sep 17 00:00:00 2001
From: Jordan Liggitt
Date: Fri, 6 Jan 2017 15:35:53 -0500
Subject: [PATCH] Update token users if needed
---
 .../gce/container-linux/configure-helper.sh | 28 +++++++++++++------
 cluster/gce/gci/configure-helper.sh | 28 +++++++++++++------
 2 files changed, 40 insertions(+), 16 deletions(-)
diff --git a/cluster/gce/container-linux/configure-helper.sh b/cluster/gce/container-linux/configure-helper.sh
index 8cc0745d17e..b5b494b382d 100755
--- a/cluster/gce/container-linux/configure-helper.sh
+++ b/cluster/gce/container-linux/configure-helper.sh
@@ -127,6 +127,20 @@ function mount-master-pd {
 chgrp -R etcd "${mount_point}/var/etcd"
 }
+# replace_prefixed_line ensures:
+# 1. the specified file exists
+# 2. existing lines with the specified ${prefix} are removed
+# 3. a new line with the specified ${prefix}${suffix} is appended
+function replace_prefixed_line {
+ local -r file="${1:-}"
+ local -r prefix="${2:-}"
+ local -r suffix="${3:-}"
+ touch "${file}"
+ awk "substr(\$0,0,length(\"${prefix}\")) != \"${prefix}\" { print }" "${file}" > "${file}.filtered" && mv "${file}.filtered" "${file}"
+ echo "${prefix}${suffix}" >> "${file}"
+}
+ # After the first boot and on upgrade, these files exist on the master-pd
+ # and should never be touched again (except perhaps an additional service
+ # account, see NB below.)
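Review bot: The awk filter in `replace_prefixed_line` starts its comparison at character 0, `substr(\$0,0,length(\"${prefix}\"))`, but awk strings are 1-indexed and implementations disagree on a start of 0 (gawk and mawk, at least, return one character fewer than requested, so the comparison never equals the prefix, the stale line is kept, and a duplicate is appended on every boot); `substr(\$0,1,length(\"${prefix}\"))` is unambiguous. The prefix — a bearer token, or the operator-supplied KUBE_PASSWORD — is also spliced into the awk program text, so a value containing `"`, `\` or `$` alters or breaks the program, and the secret is exposed in the awk process's argv; reading it from the environment instead, `prefix="${prefix}" awk 'substr($0,1,length(ENVIRON["prefix"])) != ENVIRON["prefix"]' "${file}"`, avoids both. The `${file}.filtered` scratch file is created with the default umask beside a credentials file and is left behind when awk fails; creating it with `mktemp` in the same directory and a restrictive mode would be safer. The identical function is added to cluster/gce/gci/configure-helper.sh in the later hunk.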
@@ -139,16 +153,14 @@ function create-master-auth {
 echo "${MASTER_KEY}" | base64 --decode > "${auth_dir}/server.key"
 fi
 local -r basic_auth_csv="${auth_dir}/basic_auth.csv"
- if [[ ! -e "${basic_auth_csv}" && -n "${KUBE_PASSWORD:-}" && -n "${KUBE_USER:-}" ]]; then
- echo "${KUBE_PASSWORD},${KUBE_USER},admin,system:masters" > "${basic_auth_csv}"
+ if [[ -n "${KUBE_PASSWORD:-}" && -n "${KUBE_USER:-}" ]]; then
+ replace_prefixed_line "${basic_auth_csv}" "${KUBE_PASSWORD},${KUBE_USER}," "admin,system:masters"
 fi
 local -r known_tokens_csv="${auth_dir}/known_tokens.csv"
- if [[ ! -e "${known_tokens_csv}" ]]; then
- echo "${KUBE_BEARER_TOKEN},admin,admin,system:masters" > "${known_tokens_csv}"
- echo "${KUBE_CONTROLLER_MANAGER_TOKEN},system:kube-controller-manager,uid:system:kube-controller-manager" >> "${known_tokens_csv}"
- echo "${KUBELET_TOKEN},system:node:node-name,uid:kubelet,system:nodes" >> "${known_tokens_csv}"
- echo "${KUBE_PROXY_TOKEN},system:kube-proxy,uid:kube_proxy" >> "${known_tokens_csv}"
- fi
+ replace_prefixed_line "${known_tokens_csv}" "${KUBE_BEARER_TOKEN}" "admin,admin,system:masters"
+ replace_prefixed_line "${known_tokens_csv}" "${KUBE_CONTROLLER_MANAGER_TOKEN}" "system:kube-controller-manager,uid:system:kube-controller-manager"
+ replace_prefixed_line "${known_tokens_csv}" "${KUBELET_TOKEN}" "system:node:node-name,uid:kubelet,system:nodes"
+ replace_prefixed_line "${known_tokens_csv}" "${KUBE_PROXY_TOKEN}" "system:kube-proxy,uid:kube_proxy"
 local use_cloud_config="false"
 cat </etc/gce.conf
 [global]
diff --git a/cluster/gce/gci/configure-helper.sh b/cluster/gce/gci/configure-helper.sh
index 0462cd3db0d..e98e26259c1 100644
--- a/cluster/gce/gci/configure-helper.sh
+++ b/cluster/gce/gci/configure-helper.sh
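Review bot: The four `replace_prefixed_line` calls for `${known_tokens_csv}` pass the bare token as the prefix, e.g. `"${KUBE_BEARER_TOKEN}"`, whereas the gci hunk below passes `"${KUBE_BEARER_TOKEN},"`; without the field separator the match is on a prefix of the token column, so an existing line whose token merely starts with the given token would also be dropped, and the two scripts diverge for no stated reason. Appending `,` to each of the four prefixes brings this file in line with the gci version. create-master-auth starts before and continues after this hunk.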
@@ -190,6 +190,20 @@ function mount-master-pd {
 chgrp -R etcd "${mount_point}/var/etcd"
 }
+# replace_prefixed_line ensures:
+# 1. the specified file exists
+# 2. existing lines with the specified ${prefix} are removed
+# 3. a new line with the specified ${prefix}${suffix} is appended
+function replace_prefixed_line {
+ local -r file="${1:-}"
+ local -r prefix="${2:-}"
+ local -r suffix="${3:-}"
+ touch "${file}"
+ awk "substr(\$0,0,length(\"${prefix}\")) != \"${prefix}\" { print }" "${file}" > "${file}.filtered" && mv "${file}.filtered" "${file}"
+ echo "${prefix}${suffix}" >> "${file}"
+}
+ # After the first boot and on upgrade, these files exist on the master-pd
+ # and should never be touched again (except perhaps an additional service
+ # account, see NB below.)
@@ -206,16 +220,14 @@ function create-master-auth {
 echo "${KUBEAPISERVER_KEY}" | base64 --decode > "${auth_dir}/kubeapiserver.key"
 fi
 local -r basic_auth_csv="${auth_dir}/basic_auth.csv"
- if [[ ! -e "${basic_auth_csv}" && -n "${KUBE_PASSWORD:-}" && -n "${KUBE_USER:-}" ]]; then
- echo "${KUBE_PASSWORD},${KUBE_USER},admin,system:masters" > "${basic_auth_csv}"
+ if [[ -n "${KUBE_PASSWORD:-}" && -n "${KUBE_USER:-}" ]]; then
+ replace_prefixed_line "${basic_auth_csv}" "${KUBE_PASSWORD},${KUBE_USER}," "admin,system:masters"
 fi
 local -r known_tokens_csv="${auth_dir}/known_tokens.csv"
- if [[ ! -e "${known_tokens_csv}" ]]; then
- echo "${KUBE_BEARER_TOKEN},admin,admin,system:masters" > "${known_tokens_csv}"
- echo "${KUBE_CONTROLLER_MANAGER_TOKEN},system:kube-controller-manager,uid:system:kube-controller-manager" >> "${known_tokens_csv}"
- echo "${KUBELET_TOKEN},system:node:node-name,uid:kubelet,system:nodes" >> "${known_tokens_csv}"
- echo "${KUBE_PROXY_TOKEN},system:kube-proxy,uid:kube_proxy" >> "${known_tokens_csv}"
- fi
+ replace_prefixed_line "${known_tokens_csv}" "${KUBE_BEARER_TOKEN}," "admin,admin,system:masters"
+ replace_prefixed_line "${known_tokens_csv}" "${KUBE_CONTROLLER_MANAGER_TOKEN}," "system:kube-controller-manager,uid:system:kube-controller-manager"
+ replace_prefixed_line "${known_tokens_csv}" "${KUBELET_TOKEN}," "system:node:node-name,uid:kubelet,system:nodes"
+ replace_prefixed_line "${known_tokens_csv}" "${KUBE_PROXY_TOKEN}," "system:kube-proxy,uid:kube_proxy"
 local use_cloud_config="false"
 cat </etc/gce.conf
 [global]
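Review bot: Each `replace_prefixed_line` call here keys the line on the secret itself, `"${KUBE_BEARER_TOKEN},"` and `"${KUBE_PASSWORD},${KUBE_USER},"`, so when a token or password changes the line carrying the previous value is not matched and stays in `known_tokens.csv` or `basic_auth.csv`, still mapped to admin/system:masters and still accepted. That is consistent with the commit's aim of updating the users of an existing token, but the limitation deserves a comment above the calls, e.g. `# NOTE: matched on the secret, not the user; a rotated token/password appends a new line and leaves the old one valid`, so this rewrite is not mistaken for a rotation path. The container-linux hunk above has the same property. create-master-auth starts before and continues after this hunk.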