Merge pull request #10150 from thockin/kube2sky-with-token-fix

Make DNS not need its own token

cluster/addons/dns/README.md

@@ -109,7 +109,7 @@ Create a file named busybox.yaml with the
 following contents:
 
 ```yaml
-apiVersion: v1beta3
+apiVersion: v1
 kind: Pod
 metadata:
   name: busybox

cluster/addons/dns/kube2sky/Changelog

@@ -1,12 +1,20 @@
-* Fri May 15 2015  Tim Hockin <thockin@google.com>
+## Version 1.10 (Jun 19 2015 Tim Hockin <thockin@google.com>)
-  - First Changelog entry
+- Fall back on service account tokens if no other auth is specified.
-  - Current version is 1.4
+
+
+## Version 1.9 (May 28 2015 Abhishek Shah <abshah@google.com>)
+- Add SRV support.
+
+
+## Version 1.8 (May 28 2015 Vishnu Kannan <vishnuk@google.com>)
+- Avoid making connections to the master insecure by default
+- Let users override the master URL in kubeconfig via a flag
 
 
 ## Version 1.7 (May 25 2015 Vishnu Kannan <vishnuk@google.com>)
-- Adding support for headless services. All pods backing a headless service is addressible via DNS RR.
+- Adding support for headless services. All pods backing a headless service is
+addressible via DNS RR.
 
 
-## Version 1.8 (May 18 2015 Vishnu Kannan <vishnuk@google.com>)
+## Version 1.4 (Fri May 15 2015 Tim Hockin <thockin@google.com>)
-- Avoid making connections to the master insecure by default
+- First Changelog entry
-- Let users override the master URL in kubeconfig via a flag

cluster/addons/dns/kube2sky/Makefile

@@ -4,7 +4,7 @@
 
 .PHONY: all kube2sky container push clean test
 
-TAG = 1.9
+TAG = 1.10
 PREFIX = gcr.io/google_containers
 
 all: container

cluster/addons/dns/kube2sky/kube2sky.go

@@ -46,10 +46,11 @@ import (
 )
 
 var (
+	// TODO: switch to pflag and make - and _ equivalent.
 	argDomain              = flag.String("domain", "cluster.local", "domain under which to create names")
 	argEtcdMutationTimeout = flag.Duration("etcd_mutation_timeout", 10*time.Second, "crash after retrying etcd mutation for a specified duration")
 	argEtcdServer          = flag.String("etcd-server", "http://127.0.0.1:4001", "URL to etcd server")
-	argKubecfgFile         = flag.String("kubecfg_file", "", "Location of kubecfg file for access to kubernetes service")
+	argKubecfgFile         = flag.String("kubecfg_file", "", "Location of kubecfg file for access to kubernetes master service; --kube_master_url overrides the URL part of this; if neither this nor --kube_master_url are provided, defaults to service account tokens")
 	argKubeMasterURL       = flag.String("kube_master_url", "", "URL to reach kubernetes master. Env variables in this flag will be expanded.")
 )
 
@@ -405,7 +406,7 @@ func newEtcdClient(etcdServer string) (*etcd.Client, error) {
 	return client, nil
 }
 
-func getKubeMasterURL() (string, error) {
+func expandKubeMasterURL() (string, error) {
 	parsedURL, err := url.Parse(os.ExpandEnv(*argKubeMasterURL))
 	if err != nil {
 		return "", fmt.Errorf("failed to parse --kube_master_url %s - %v", *argKubeMasterURL, err)
@@ -423,31 +424,34 @@ func newKubeClient() (*kclient.Client, error) {
 		err       error
 		masterURL string
 	)
+	// If the user specified --kube_master_url, expand env vars and verify it.
 	if *argKubeMasterURL != "" {
-		masterURL, err = getKubeMasterURL()
+		masterURL, err = expandKubeMasterURL()
 		if err != nil {
 			return nil, err
 		}
 	}
-	if *argKubecfgFile == "" {
+	if masterURL != "" && *argKubecfgFile == "" {
-		if masterURL == "" {
+		// Only --kube_master_url was provided.
-			return nil, fmt.Errorf("--kube_master_url must be set when --kubecfg_file is not set")
-		}
 		config = &kclient.Config{
 			Host:    masterURL,
-			Version: "v1beta3",
+			Version: "v1",
 		}
 	} else {
+		// We either have:
+		//  1) --kube_master_url and --kubecfg_file
+		//  2) just --kubecfg_file
+		//  3) neither flag
+		// In any case, the logic is the same.  If (3), this will automatically
+		// fall back on the service account token.
 		overrides := &kclientcmd.ConfigOverrides{}
-		if masterURL != "" {
+		overrides.ClusterInfo.Server = masterURL                                     // might be "", but that is OK
-			overrides.ClusterInfo.Server = masterURL
+		rules := &kclientcmd.ClientConfigLoadingRules{ExplicitPath: *argKubecfgFile} // might be "", but that is OK
-		}
+		if config, err = kclientcmd.NewNonInteractiveDeferredLoadingClientConfig(rules, overrides).ClientConfig(); err != nil {
-		if config, err = kclientcmd.NewNonInteractiveDeferredLoadingClientConfig(
-			&kclientcmd.ClientConfigLoadingRules{ExplicitPath: *argKubecfgFile},
-			overrides).ClientConfig(); err != nil {
 			return nil, err
 		}
 	}
+
 	glog.Infof("Using %s for kubernetes master", config.Host)
 	glog.Infof("Using kubernetes API %s", config.Version)
 	return kclient.New(config)

cluster/addons/dns/skydns-rc.yaml.in

@@ -1,21 +1,22 @@
-apiVersion: v1beta3
+apiVersion: v1
 kind: ReplicationController
 metadata:
-  name: kube-dns-v3
+  name: kube-dns-v4
   namespace: default
   labels:
-    k8s-app: kube-dns-v3
+    k8s-app: kube-dns
+    version: v4
     kubernetes.io/cluster-service: "true"
 spec:
   replicas: {{ pillar['dns_replicas'] }}
   selector:
     k8s-app: kube-dns
-    version: v3
+    version: v4
   template:
     metadata:
       labels:
         k8s-app: kube-dns
-        version: v3
+        version: v4
         kubernetes.io/cluster-service: "true"
     spec:
       containers:
@@ -30,15 +31,10 @@ spec:
         - -initial-cluster-token
         - skydns-etcd
       - name: kube2sky
-        image: gcr.io/google_containers/kube2sky:1.9
+        image: gcr.io/google_containers/kube2sky:1.10
         args:
         # command = "/kube2sky"
         - -domain={{ pillar['dns_domain'] }}
-        - -kubecfg_file=/etc/dns_token/kubeconfig
-        volumeMounts:
-        - mountPath: /etc/dns_token
-          name: dns-token
-          readOnly: true
       - name: skydns
         image: gcr.io/google_containers/skydns:2015-03-11-001
         args:
@@ -58,11 +54,7 @@ spec:
             command:
             - /bin/sh
             - -c
-            - nslookup kubernetes.default.{{ pillar['dns_domain'] }} localhost >/dev/null
+            - nslookup kubernetes.default.svc.{{ pillar['dns_domain'] }} localhost >/dev/null
           initialDelaySeconds: 30
           timeoutSeconds: 5
       dnsPolicy: Default  # Don't use cluster DNS.
-      volumes:
-      - name: dns-token
-        secret:
-          secretName: token-system-dns

cluster/addons/dns/skydns-svc.yaml.in

@@ -1,4 +1,4 @@
-apiVersion: v1beta3
+apiVersion: v1
 kind: Service
 metadata:
   name: kube-dns
@@ -10,7 +10,7 @@ metadata:
 spec:
   selector:
     k8s-app: kube-dns
-  portalIP:  {{ pillar['dns_server'] }}
+  clusterIP:  {{ pillar['dns_server'] }}
   ports:
   - name: dns
     port: 53