Some refactoring. Only selectively use ssh proxy.

Add NetworkName to gce.Config.
Add locking to uses of master.tunnels.
CJ Cullen
2015-06-04 11:58:38 -07:00
parent 1ae8801387
commit cb317604ab
7 changed files with 60 additions and 60 deletions


@@ -487,16 +487,18 @@ grains:
cbr-cidr: ${MASTER_IP_RANGE}
cloud: gce
EOF
if ! [[ -z "${PROJECT_ID:-}" ]] && ! [[ -z "${TOKEN_URL:-}" ]]; then
if ! [[ -z "${PROJECT_ID:-}" ]] && ! [[ -z "${TOKEN_URL:-}" ]] && ! [[ -z "${NODE_NETWORK:-}" ]] ; then
cat <<EOF >/etc/gce.conf
[global]
token-url = ${TOKEN_URL}
project-id = ${PROJECT_ID}
network-name = ${NODE_NETWORK}
EOF
EXTERNAL_IP=$(curl --fail --silent -H 'Metadata-Flavor: Google' "http://metadata/computeMetadata/v1/instance/network-interfaces/0/access-configs/0/external-ip")
cat <<EOF >>/etc/salt/minion.d/grains.conf
cloud_config: /etc/gce.conf
advertise_address: '${EXTERNAL_IP}'
proxy_ssh_user: '${INSTANCE_PREFIX}'
EOF
fi
}
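Review bot: The longer `if` line tests PROJECT_ID, TOKEN_URL and NODE_NETWORK but not INSTANCE_PREFIX, yet the block writes `proxy_ssh_user: '${INSTANCE_PREFIX}'` into grains.conf. If that variable is empty, the grain is still written as an empty string, and the manifest's `grains.proxy_ssh_user is defined` test would still pass, yielding `--ssh-user=` with no value. Writing the grain only when the value is set, e.g. `[[ -n "${INSTANCE_PREFIX:-}" ]] && echo "proxy_ssh_user: '${INSTANCE_PREFIX}'" >>/etc/salt/minion.d/grains.conf`, avoids that. The same condition also skips /etc/gce.conf and the `cloud_config` grain without any message when only NODE_NETWORK is missing, which deserves a comment or a log line. The enclosing function starts outside the hunk.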


@@ -23,6 +23,11 @@
{% set advertise_address = "--advertise-address=" + grains.advertise_address -%}
{% endif -%}
{% set proxy_ssh_options = "" -%}
{% if grains.proxy_ssh_user is defined -%}
{% set proxy_ssh_options = "--ssh-user=" + grains.proxy_ssh_user + " --ssh-keyfile=/sshproxy/.sshkeyfile" -%}
{% endif -%}
{% set address = "--address=127.0.0.1" -%}
{% set cluster_name = "" -%}
@@ -81,7 +86,7 @@
{% endif -%}
{% set params = address + " " + etcd_servers + " " + cloud_provider + " " + cloud_config + " " + runtime_config + " " + admission_control + " " + service_cluster_ip_range + " " + client_ca_file + " " + basic_auth_file + " " + min_request_timeout -%}
{% set params = params + " " + cluster_name + " " + cert_file + " " + key_file + " --secure_port=" + secure_port + " " + token_auth_file + " " + bind_address + " " + pillar['log_level'] + " " + advertise_address + " --ssh-user=root --ssh-keyfile=/.sshkeyfile"-%}
{% set params = params + " " + cluster_name + " " + cert_file + " " + key_file + " --secure_port=" + secure_port + " " + token_auth_file + " " + bind_address + " " + pillar['log_level'] + " " + advertise_address + " " + proxy_ssh_options -%}
{
"apiVersion": "v1beta3",
@@ -137,7 +142,10 @@
"readOnly": true},
{ "name": "etcpkitls",
"mountPath": "/etc/pki/tls",
"readOnly": true}
"readOnly": true},
{ "name": "sshproxy",
"mountPath": "/sshproxy",
"readOnly": false}
]
}
],
@@ -182,6 +190,9 @@
{ "name": "etcpkitls",
"hostPath": {
"path": "/etc/pki/tls"}
},
{ "name": "sshproxy",
"emptyDir": {}
}
]
}}
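Review bot: The key file passed as `--ssh-keyfile=/sshproxy/.sshkeyfile` sits on an `emptyDir` volume mounted with `"readOnly": false`, so the private key is kept on node-local storage for the pod's lifetime and is discarded when the pod is re-created. Nothing in these hunks shows how the key is created or what mode it gets; presumably the apiserver generates it, and that code should create the file owner-only. A Jinja comment above the `proxy_ssh_options` assignment, such as `{# key is generated into the sshproxy emptyDir and does not survive pod re-creation #}`, would record that lifecycle for whoever edits the manifest next. Separately, `grains.proxy_ssh_user` is concatenated into the command line unquoted, so the value should be restricted to a valid username before it is written as a grain.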