From 0a567f0990bd68a1f714fd9017b8a90489d643ed Mon Sep 17 00:00:00 2001
From: Andrew Lytvynov
Date: Tue, 1 May 2018 10:40:32 -0700
Subject: [PATCH 1/2] gcp: allow non-bootstrap kubeconfig
The regular kubeconfig is fetched from metadata when CREATE_BOOTSTRAP_KUBECONFIG==false. We will experiment with an exec plugin that does TLS bootstrapping internally: #61803
---
 cluster/gce/gci/configure-helper.sh | 27 +++++++++++++++++++++++----
 1 file changed, 23 insertions(+), 4 deletions(-)
diff --git a/cluster/gce/gci/configure-helper.sh b/cluster/gce/gci/configure-helper.sh
index ebf735955cf..7c437fb0932 100644
--- a/cluster/gce/gci/configure-helper.sh
+++ b/cluster/gce/gci/configure-helper.sh
@@ -892,8 +892,9 @@ function create-kubelet-kubeconfig() { echo "Must provide API server address to create Kubelet kubeconfig file!" exit 1 fi - echo "Creating kubelet kubeconfig file" cat </var/lib/kubelet/bootstrap-kubeconfig + if [[ "${CREATE_BOOTSTRAP_KUBECONFIG:-true}" == "true" ]]; then echo "Creating kubelet bootstrap-kubeconfig file" cat </var/lib/kubelet/bootstrap-kubeconfig apiVersion: v1 kind: Config users:
@@ -913,6 +914,10 @@ contexts: name: service-account-context current-context: service-account-context EOF + else echo "Fetching kubelet kubeconfig file from metadata" get-metadata-value "instance/attributes/kubeconfig" >/var/lib/kubelet/kubeconfig fi } # Uses KUBELET_CA_CERT (falling back to CA_CERT), KUBELET_CERT, and KUBELET_KEY 
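Review bot: `CREATE_BOOTSTRAP_KUBECONFIG` is introduced in this hunk with its default of true buried inside the parameter expansion and no comment saying what setting it to false means for the node, so a reader of the `if` has to find the commit message to understand the switch. A short comment above the condition would carry that: `# CREATE_BOOTSTRAP_KUBECONFIG (default true): write a bootstrap-kubeconfig for TLS bootstrapping; when false a ready-made kubelet kubeconfig is taken from instance metadata instead.` As rendered here, the new `cat </var/lib/kubelet/bootstrap-kubeconfig` line would read the file rather than write the heredoc into it; since the following lines are YAML and the next hunk ends with `EOF`, this is presumably a `cat <<EOF >...` whose redirection was lost in rendering, but it is worth confirming against the source. The `if` opened here and create-kubelet-kubeconfig itself close outside this hunk.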
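Review bot: The new `else` branch redirects `get-metadata-value` straight into /var/lib/kubelet/kubeconfig, so when the fetch fails (attribute absent, metadata server still unreachable after the retries) the shell has already truncated the file and the kubelet is left with an empty kubeconfig; whether the script then aborts depends on an errexit setting that is not visible in this hunk. Check the status at the call site: `get-metadata-value "instance/attributes/kubeconfig" >/var/lib/kubelet/kubeconfig || { echo "Failed to fetch kubelet kubeconfig from metadata" >&2; exit 1; }`. The fetched file presumably carries the kubelet's API credentials and its mode is whatever the umask in effect grants, so a `chmod 600 /var/lib/kubelet/kubeconfig` after the write is cheap hardening (the heredoc-written bootstrap-kubeconfig above has the same gap). Any process on the VM that can reach the metadata server can read `instance/attributes/kubeconfig`; that is presumably already true of the bootstrap material, but the commit message should say so. create-kubelet-kubeconfig starts before this hunk.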
@@ -1611,7 +1616,7 @@ function start-kube-apiserver { params+=" --feature-gates=${FEATURE_GATES}" fi if [[ -n "${PROJECT_ID:-}" && -n "${TOKEN_URL:-}" && -n "${TOKEN_BODY:-}" && -n "${NODE_NETWORK:-}" ]]; then - local -r vm_external_ip=$(curl --retry 5 --retry-delay 3 ${CURL_RETRY_CONNREFUSED} --fail --silent -H 'Metadata-Flavor: Google' "http://metadata/computeMetadata/v1/instance/network-interfaces/0/access-configs/0/external-ip") + local -r vm_external_ip=$(get-metadata-value "instance/network-interfaces/0/access-configs/0/external-ip") if [[ -n "${PROXY_SSH_USER:-}" ]]; then params+=" --advertise-address=${vm_external_ip}" params+=" --ssh-user=${PROXY_SSH_USER}" @@ -2004,6 +2009,20 @@ function download-extra-addons { "${curl_cmd[@]}" } +# A function that fetches a GCE metadata value and echoes it out. +# +# $1: URL path after /computeMetadata/v1/ (without heading slash). +function get-metadata-value { + curl \ + --retry 5 \ + --retry-delay 3 \ + ${CURL_RETRY_CONNREFUSED} \ + --fail \ + --silent \ + -H 'Metadata-Flavor: Google' \ + "http://metadata/computeMetadata/v1/${1}" +} + # A helper function for copying manifests and setting dir/files # permissions. # @@ -2586,4 +2605,4 @@ if [[ "$#" -eq 1 && "${1}" == "--source-only" ]]; then : else main "${@}" -fi \ No newline at end of file +fi From 77c13d6dc77058dcf97fd8948af192d1d389f51a Mon Sep 17 00:00:00 2001 From: Andrew Lytvynov Date: Thu, 3 May 2018 11:32:18 -0700 Subject: [PATCH 2/2] Allow fetching bootstrap-kubeconfig from VM metadata --- cluster/gce/gci/configure-helper.sh | 3 +++ 1 file changed, 3 insertions(+) diff --git a/cluster/gce/gci/configure-helper.sh b/cluster/gce/gci/configure-helper.sh index 7c437fb0932..1ab995c4e19 100644 --- a/cluster/gce/gci/configure-helper.sh +++ b/cluster/gce/gci/configure-helper.sh 
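Review bot: `local -r vm_external_ip=$(get-metadata-value ...)` still discards the helper's exit status (the status of the `local` builtin is what survives), so a failed metadata lookup yields an empty variable and the apiserver is later started with `--advertise-address=` instead of a visible error; the inline curl being replaced had the same flaw, but since the line is rewritten anyway this is the moment to fix it. Split the declaration from the assignment: `local vm_external_ip` / `vm_external_ip=$(get-metadata-value "instance/network-interfaces/0/access-configs/0/external-ip") || { echo "Failed to fetch external IP from metadata" >&2; exit 1; }` / `readonly vm_external_ip`. start-kube-apiserver begins and ends outside this hunk.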
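Review bot: `--silent` without `--show-error` means that when `--fail` trips (a 404 for a missing attribute, or the metadata server staying unreachable after the five retries) curl prints nothing, so the only trace left in the boot log is whatever each caller chooses to emit; `--show-error` (`-sS`) keeps stdout clean for the echoed value while still logging the failure to stderr. The header comment should also state the contract callers must honor, e.g. `# Returns curl's exit status: non-zero (with empty output) on any HTTP or transport error, so callers must check it.` The unquoted `${CURL_RETRY_CONNREFUSED}` is deliberate, since it expands to an optional flag or nothing, and deserves a `# shellcheck disable=SC2086` line above the `curl` so it is not later "fixed" by quoting it into an empty argument. The rest of download-extra-addons above the new function lies outside this hunk.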
@@ -914,6 +914,9 @@ contexts: name: service-account-context current-context: service-account-context EOF + elif [[ "${FETCH_BOOTSTRAP_KUBECONFIG:-false}" == "true" ]]; then + echo "Fetching kubelet bootstrap-kubeconfig file from metadata" + get-metadata-value "instance/attributes/bootstrap-kubeconfig" >/var/lib/kubelet/bootstrap-kubeconfig else echo "Fetching kubelet kubeconfig file from metadata" get-metadata-value "instance/attributes/kubeconfig" >/var/lib/kubelet/kubeconfig
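Review bot: `FETCH_BOOTSTRAP_KUBECONFIG=true` has no effect unless `CREATE_BOOTSTRAP_KUBECONFIG` is also explicitly set to false, because the first branch of this chain defaults to true; that coupling is not apparent from the variable names and should be documented above the `elif`: `# Only consulted when CREATE_BOOTSTRAP_KUBECONFIG=false: take a pre-generated bootstrap-kubeconfig from instance metadata instead of the regular kubeconfig.` The new branch also writes through a bare redirection, so a failed fetch leaves an empty bootstrap-kubeconfig behind; append `|| { echo "Failed to fetch bootstrap-kubeconfig from metadata" >&2; exit 1; }` to the `get-metadata-value` line. Whatever bootstrap credential the attribute holds is readable by anything on the VM that can reach the metadata server, which is worth weighing against generating it in place as the heredoc branch does. The `if` chain and create-kubelet-kubeconfig start before this hunk.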