From c3203cba6d799bdd1ab125e843f74274a8ca283f Mon Sep 17 00:00:00 2001
From: Eric Tune
Date: Mon, 20 Apr 2015 07:35:20 -0700
Subject: [PATCH] Create system secrets in kubeconfig format

Was previously kubernetes_auth format. Added defaults file which uses salt to fill in an env var with the master's IP. More thought needs to be given soon to how to make this connection use a cert for the master, and how to support multiple masters, and whether to use the DNS record instead of an IP address. But this PR unblocks some other more urgent things, so doing it this way.
---
 cluster/saltbase/salt/kube-addons/default | 14 +++++++
 cluster/saltbase/salt/kube-addons/init.sls | 14 +++++++
 cluster/saltbase/salt/kube-addons/initd | 3 ++
 .../salt/kube-addons/kube-addons.service | 1 +
 .../saltbase/salt/kube-addons/kube-addons.sh | 38 +++++++++++++++----
 5 files changed, 63 insertions(+), 7 deletions(-)
 create mode 100644 cluster/saltbase/salt/kube-addons/default

diff --git a/cluster/saltbase/salt/kube-addons/default b/cluster/saltbase/salt/kube-addons/default
new file mode 100644
index 00000000000..65bc90a4af8
--- /dev/null
+++ b/cluster/saltbase/salt/kube-addons/default
@@ -0,0 +1,14 @@
+#TODO(erictune): once we make DNS a hard requirement for clusters, then this can be removed,
+# and APISERVER_URL="https://kubernetes:443"
+{% if grains.api_servers is defined -%}
+ {% set api_server = "https://" + grains.api_servers + ":6443" -%}
+{% elif grains.apiservers is defined -%} # TODO(remove after 0.16.0): Deprecated form
+ {% set api_server = "https://" + grains.apiservers + ":6443" -%}
+{% elif grains['roles'][0] == 'kubernetes-master' -%}
+ {% set master_ipv4 = salt['grains.get']('fqdn_ip4')[0] -%}
+ {% set api_server = "https://" + master_ipv4 + ":6443" -%}
+{% else -%}
+ {% set ips = salt['mine.get']('roles:kubernetes-master', 'network.ip_addrs', 'grain').values() -%}
+ {% set api_server = "https://" + ips[0][0] + ":6443" -%}
+{% endif -%}
+export APISERVER_URL={{ api_server }}
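Review bot: `export APISERVER_URL={{ api_server }}` on the last line is consumed by two different readers, and the systemd one cannot parse it: `EnvironmentFile=` in kube-addons.service is not a shell and, as far as I know, rejects the `export` keyword, so on RedHat hosts kube-addons.sh would start with the variable unset and exit at its own `Must set APISERVER_URL` check. Emit a plain, quoted assignment, `APISERVER_URL="{{ api_server }}"`, and have the init script export it after sourcing (`export APISERVER_URL` following the `.` line in initd, since the script is presumably started as a child there); the quotes also keep the value from being word-split if it ever carries shell metacharacters. Separately, `ips[0][0]` in the `else` branch indexes an empty list when the mine has not yet been populated for any kubernetes-master (and `salt['grains.get']('fqdn_ip4')[0]` has the same problem on a master without that grain), which aborts the render with an IndexError instead of a readable message; `{% set api_server = "https://" + ips[0][0] + ":6443" if ips else "" -%}` leaves the script's own check to report it. The trailing `# TODO(remove after 0.16.0): Deprecated form` sits outside any Jinja tag, so it is rendered into the generated file whenever that branch is taken; wrap it in `{# ... #}` instead.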
diff --git a/cluster/saltbase/salt/kube-addons/init.sls b/cluster/saltbase/salt/kube-addons/init.sls
index a38adb62556..069574c592e 100644
--- a/cluster/saltbase/salt/kube-addons/init.sls
+++ b/cluster/saltbase/salt/kube-addons/init.sls
@@ -48,6 +48,20 @@
 - makedirs: True
 {% endif %}
 
+{% if grains['os_family'] == 'RedHat' %}
+{% set environment_file = '/etc/sysconfig/kube-addons' %}
+{% else %}
+{% set environment_file = '/etc/default/kube-addons' %}
+{% endif %}
+
+{{ environment_file }}:
+ file.managed:
+ - source: salt://kube-addons/default
+ - template: jinja
+ - user: root
+ - group: root
+ - mode: 644
+
 /etc/kubernetes/kube-addons.sh:
 file.managed:
 - source: salt://kube-addons/kube-addons.sh
diff --git a/cluster/saltbase/salt/kube-addons/initd b/cluster/saltbase/salt/kube-addons/initd
index 6b06e8c7cd1..2c60e5bd291 100644
--- a/cluster/saltbase/salt/kube-addons/initd
+++ b/cluster/saltbase/salt/kube-addons/initd
@@ -21,6 +21,9 @@ PIDFILE=/var/run/$NAME.pid
 SCRIPTNAME=/etc/init.d/$NAME
 KUBE_ADDONS_SH=/etc/kubernetes/kube-addons.sh
 
+# Read configuration variable file if it is present
+[ -r /etc/default/$NAME ] && . /etc/default/$NAME
+
 # Define LSB log_* functions.
 # Depend on lsb-base (>= 3.2-14) to ensure that this file is present
 # and status_of_proc is working.
diff --git a/cluster/saltbase/salt/kube-addons/kube-addons.service b/cluster/saltbase/salt/kube-addons/kube-addons.service
index 086394e857a..f9be6db3168 100644
--- a/cluster/saltbase/salt/kube-addons/kube-addons.service
+++ b/cluster/saltbase/salt/kube-addons/kube-addons.service
@@ -3,6 +3,7 @@ Description=Kubernetes Addon Object Manager
 Documentation=https://github.com/GoogleCloudPlatform/kubernetes
 
 [Service]
+EnvironmentFile=/etc/sysconfig/kube-addons
 ExecStart=/etc/kubernetes/kube-addons.sh
 
 [Install]
diff --git a/cluster/saltbase/salt/kube-addons/kube-addons.sh b/cluster/saltbase/salt/kube-addons/kube-addons.sh
index 433464a486c..12cd629f64a 100644
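Review bot: `EnvironmentFile=/etc/sysconfig/kube-addons` is the non-optional form, so the unit fails to start whenever that file is absent, and the path only matches the RedHat branch of the new init.sls logic; the initd script in the same change reads only `/etc/default/$NAME`, so each launcher works on exactly one OS family. If this unit can be installed on a non-RedHat systemd host, list both locations and mark them optional, `EnvironmentFile=-/etc/sysconfig/kube-addons` followed by `EnvironmentFile=-/etc/default/kube-addons`, so a missing file falls through to the script's own `Must set APISERVER_URL` check instead of a unit start failure.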
--- a/cluster/saltbase/salt/kube-addons/kube-addons.sh
+++ b/cluster/saltbase/salt/kube-addons/kube-addons.sh
@@ -19,23 +19,47 @@
 # managed result is of that. Start everything below that directory.
 KUBECTL=/usr/local/bin/kubectl
-function create-kubernetesauth-secret() {
+if [ -z "$APISERVER_URL" ] ; then
+ echo "Must set APISERVER_URL"
+ exit 1
+fi
+
+function create-kubeconfig-secret() {
 local -r token=$1
 local -r username=$2
 local -r safe_username=$(tr -s ':_' '--' <<< "${username}")
- # Make secret with a kubernetes_auth file with a token.
+ # Make a kubeconfig file with the token.
 # TODO(etune): put apiserver certs into secret too, and reference from authfile,
 # so that "Insecure" is not needed.
- kafile=$(echo "{\"BearerToken\": \"${token}\", \"Insecure\": true }" | base64 -w0)
- read -r -d '' secretjson <