github/kubernetes
1
0
Fork 0
mirror of https://github.com/k3s-io/kubernetes.git synced 2025-08-05 02:09:56 +00:00
Code Issues Projects Releases Wiki Activity

Create system secrets in kubeconfig format

Browse Source 
Was previously kubernetes_auth format.

Added defaults file which uses salt to fill in an env var
with the master's IP.

More thought needs to be given soon to how to make this
connection use a cert for the master, and how to support
multiple masters, and whether to use the DNS record
instead of an IP address.  But this PR unblocks some other
more urgent things, so doing it this way.
This commit is contained in:
Eric Tune 2015-04-20 07:35:20 -07:00
parent e079e23e47
commit c3203cba6d
5 changed files with 63 additions and 7 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

14
cluster/saltbase/salt/kube-addons/default Normal file
View File

@ -0,0 +1,14 @@
#TODO(erictune): once we make DNS a hard requirement for clusters, then this can be removed,
# and APISERVER_URL="https://kubernetes:443"
{% if grains.api_servers is defined -%}
{% set api_server = "https://" + grains.api_servers + ":6443" -%}
{% elif grains.apiservers is defined -%} # TODO(remove after 0.16.0): Deprecated form
{% set api_server = "https://" + grains.apiservers + ":6443" -%}
{% elif grains['roles'][0] == 'kubernetes-master' -%}
{% set master_ipv4 = salt['grains.get']('fqdn_ip4')[0] -%}
{% set api_server = "https://" + master_ipv4 + ":6443" -%}
{% else -%}
{% set ips = salt['mine.get']('roles:kubernetes-master', 'network.ip_addrs', 'grain').values() -%}
{% set api_server = "https://" + ips[0][0] + ":6443" -%}
{% endif -%}
export APISERVER_URL={{ api_server }}

14
cluster/saltbase/salt/kube-addons/init.sls
View File

@ -48,6 +48,20 @@
- makedirs: True - makedirs: True
{% endif %} {% endif %}
{% if grains['os_family'] == 'RedHat' %}
{% set environment_file = '/etc/sysconfig/kube-addons' %}
{% else %}
{% set environment_file = '/etc/default/kube-addons' %}
{% endif %}
{{ environment_file }}:
file.managed:
- source: salt://kube-addons/default
- template: jinja
- user: root
- group: root
- mode: 644
/etc/kubernetes/kube-addons.sh: /etc/kubernetes/kube-addons.sh:
file.managed: file.managed:
- source: salt://kube-addons/kube-addons.sh - source: salt://kube-addons/kube-addons.sh

3
cluster/saltbase/salt/kube-addons/initd
View File

@ -21,6 +21,9 @@ PIDFILE=/var/run/$NAME.pid
SCRIPTNAME=/etc/init.d/$NAME SCRIPTNAME=/etc/init.d/$NAME
KUBE_ADDONS_SH=/etc/kubernetes/kube-addons.sh KUBE_ADDONS_SH=/etc/kubernetes/kube-addons.sh
# Read configuration variable file if it is present
[ -r /etc/default/$NAME ] && . /etc/default/$NAME
# Define LSB log_* functions. # Define LSB log_* functions.
# Depend on lsb-base (>= 3.2-14) to ensure that this file is present # Depend on lsb-base (>= 3.2-14) to ensure that this file is present
# and status_of_proc is working. # and status_of_proc is working.

1
cluster/saltbase/salt/kube-addons/kube-addons.service
View File

@ -3,6 +3,7 @@ Description=Kubernetes Addon Object Manager
Documentation=https://github.com/GoogleCloudPlatform/kubernetes Documentation=https://github.com/GoogleCloudPlatform/kubernetes
[Service] [Service]
EnvironmentFile=/etc/sysconfig/kube-addons
ExecStart=/etc/kubernetes/kube-addons.sh ExecStart=/etc/kubernetes/kube-addons.sh
[Install] [Install]

38
cluster/saltbase/salt/kube-addons/kube-addons.sh
View File

@ -19,23 +19,47 @@
# managed result is of that. Start everything below that directory. # managed result is of that. Start everything below that directory.
KUBECTL=/usr/local/bin/kubectl KUBECTL=/usr/local/bin/kubectl
function create-kubernetesauth-secret() { if [ -z "$APISERVER_URL" ] ; then
echo "Must set APISERVER_URL"
exit 1
fi
function create-kubeconfig-secret() {
local -r token=$1 local -r token=$1
local -r username=$2 local -r username=$2
local -r safe_username=$(tr -s ':_' '--' <<< "${username}") local -r safe_username=$(tr -s ':_' '--' <<< "${username}")
# Make secret with a kubernetes_auth file with a token. # Make a kubeconfig file with the token.
# TODO(etune): put apiserver certs into secret too, and reference from authfile, # TODO(etune): put apiserver certs into secret too, and reference from authfile,
# so that "Insecure" is not needed. # so that "Insecure" is not needed.
kafile=$(echo "{\"BearerToken\": \"${token}\", \"Insecure\": true }" | base64 -w0) read -r -d '' kubeconfig <<EOF
read -r -d '' secretjson <<EOF apiVersion: v1
kind: Config
users:
- name: ${username}
user:
token: ${token}
clusters:
- name: local
cluster:
server: ${APISERVER_URL}
insecure-skip-tls-verify: true
contexts:
- context:
cluster: local
user: ${username}
name: service-account-context
current-context: service-account-context
EOF
local -r kubeconfig_base64=$(echo "${kubeconfig}" | base64 -w0)
read -r -d '' secretyaml <<EOF
apiVersion: v1beta1 apiVersion: v1beta1
kind: Secret kind: Secret
id: token-${safe_username} id: token-${safe_username}
data: data:
kubernetes-auth: ${kafile} kubeconfig: ${kubeconfig_base64}
EOF EOF
create-resource-from-string "${secretjson}" 100 10 "Secret-for-token-for-user-${username}" & create-resource-from-string "${secretyaml}" 100 10 "Secret-for-token-for-user-${username}" &
# TODO: label the secrets with special label so kubectl does not show these? # TODO: label the secrets with special label so kubectl does not show these?
} }
@ -86,7 +110,7 @@ while read line; do
IFS=',' read -a parts <<< "${line}" IFS=',' read -a parts <<< "${line}"
token=${parts[0]} token=${parts[0]}
username=${parts[1]} username=${parts[1]}
create-kubernetesauth-secret "${token}" "${username}" create-kubeconfig-secret "${token}" "${username}"
done < /srv/kubernetes/known_tokens.csv done < /srv/kubernetes/known_tokens.csv
for obj in $(find /etc/kubernetes/addons -name \*.yaml); do for obj in $(find /etc/kubernetes/addons -name \*.yaml); do