From 2acf60e44d80dfb7b77faa454eb93d20749f354c Mon Sep 17 00:00:00 2001
From: Isaac Hollander McCreery
Date: Mon, 17 Apr 2017 17:05:33 -0700
Subject: [PATCH 1/4] When changing basic auth creds, just delete the whole file, in order to be able to rotate username in addition to password
---
 cluster/gce/gci/configure-helper.sh | 4 +---
 1 file changed, 1 insertion(+), 3 deletions(-)
diff --git a/cluster/gce/gci/configure-helper.sh b/cluster/gce/gci/configure-helper.sh
index 2d95bc5a355..4500df2cab1 100644
--- a/cluster/gce/gci/configure-helper.sh
+++ b/cluster/gce/gci/configure-helper.sh
@@ -287,9 +287,7 @@ function create-master-auth {
 local -r basic_auth_csv="${auth_dir}/basic_auth.csv"
 if [[ -n "${KUBE_PASSWORD:-}" && -n "${KUBE_USER:-}" ]]; then
 if [[ -e "${basic_auth_csv}" && "${METADATA_CLOBBERS_CONFIG:-false}" == "true" ]]; then
- sed -i "/,${KUBE_USER},admin,system:masters$/d" "${basic_auth_csv}"
- # The following is for the legacy form of the password line.
- sed -i "/,${KUBE_USER},admin$/d" "${basic_auth_csv}"
+ rm "${basic_auth_csv}"
 fi
 replace_prefixed_line "${basic_auth_csv}" "${KUBE_PASSWORD},${KUBE_USER}," "admin,system:masters"
 fi
From 7f599dc52fa9deeba33e5e04caf8222555616ffe Mon Sep 17 00:00:00 2001
From: Isaac Hollander McCreery
Date: Fri, 21 Apr 2017 10:27:34 -0700
Subject: [PATCH 2/4] Make comments in config-default scripts more explicit
---
 cluster/gce/config-default.sh | 5 +++--
 cluster/gke/config-default.sh | 5 +++--
 2 files changed, 6 insertions(+), 4 deletions(-)
diff --git a/cluster/gce/config-default.sh b/cluster/gce/config-default.sh
index b81febddb21..5e4a4911247 100755
--- a/cluster/gce/config-default.sh
+++ b/cluster/gce/config-default.sh
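Review bot: `rm "${basic_auth_csv}"` deletes a file holding a plaintext admin password and leaves it to `replace_prefixed_line` (defined outside this hunk) to create a fresh one, whereas the `sed -i` it replaces edited an already-existing file. Unless that helper sets an explicit mode, the rebuilt file gets whatever the process umask yields, which may be wider than the mode the previous file had; worth confirming, or following the rewrite with `chmod 600 "${basic_auth_csv}"` if root-only access is what the apiserver expects here. The enclosing create-master-auth starts and ends outside the hunk.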
@@ -233,6 +233,7 @@ ENABLE_LEGACY_ABAC="${ENABLE_LEGACY_ABAC:-true}" # true, false
 # Kernel panic upon soft lockup issue
 SOFTLOCKUP_PANIC="${SOFTLOCKUP_PANIC:-false}" # true, false
-# Indicates if the values (eg. kube password) in metadata should be treated as
-# canonical, and therefore disk copies ought to be recreated/clobbered.
+# Indicates if the values (i.e. KUBE_USER and KUBE_PASSWORD for basic
+# authentication) in metadata should be treated as canonical, and therefore disk
+# copies ought to be recreated/clobbered.
 METADATA_CLOBBERS_CONFIG=${METADATA_CLOBBERS_CONFIG:-false}
diff --git a/cluster/gke/config-default.sh b/cluster/gke/config-default.sh
index da42d53575f..bd7459325b1 100644
--- a/cluster/gke/config-default.sh
+++ b/cluster/gke/config-default.sh
@@ -43,6 +43,7 @@ ENABLE_CLUSTER_MONITORING="${KUBE_ENABLE_CLUSTER_MONITORING:-standalone}"
 KUBE_DELETE_NETWORK=${KUBE_DELETE_NETWORK:-false}
-# Indicates if the values (eg. kube password) in metadata should be treated as
-# canonical, and therefore disk copies ought to be recreated/clobbered.
+# Indicates if the values (i.e. KUBE_USER and KUBE_PASSWORD for basic
+# authentication) in metadata should be treated as canonical, and therefore disk
+# copies ought to be recreated/clobbered.
 METADATA_CLOBBERS_CONFIG=true
From 596b9ebca727e7272ccb62db5477638062361fa5 Mon Sep 17 00:00:00 2001
From: Isaac Hollander McCreery
Date: Fri, 21 Apr 2017 11:25:12 -0700
Subject: [PATCH 3/4] Add comments and change function name
---
 cluster/gce/gci/configure-helper.sh | 19 ++++++++++---------
 1 file changed, 10 insertions(+), 9 deletions(-)
diff --git a/cluster/gce/gci/configure-helper.sh b/cluster/gce/gci/configure-helper.sh
index 4500df2cab1..827681d31dc 100644
--- a/cluster/gce/gci/configure-helper.sh
+++ b/cluster/gce/gci/configure-helper.sh
@@ -182,11 +182,11 @@ function mount-master-pd {
 chgrp -R etcd "${mount_point}/var/etcd"
 }
-# replace_prefixed_line ensures:
+# append_or_replace_prefixed_line ensures:
 # 1. the specified file exists
 # 2. existing lines with the specified ${prefix} are removed
 # 3. a new line with the specified ${prefix}${suffix} is appended
-function replace_prefixed_line {
+function append_or_replace_prefixed_line {
 local -r file="${1:-}"
 local -r prefix="${2:-}"
 local -r suffix="${3:-}"
@@ -286,29 +286,30 @@ function create-master-auth {
 local -r auth_dir="/etc/srv/kubernetes"
 local -r basic_auth_csv="${auth_dir}/basic_auth.csv"
 if [[ -n "${KUBE_PASSWORD:-}" && -n "${KUBE_USER:-}" ]]; then
+ # Remove basic_auth_csv because we will rewrite it.
 if [[ -e "${basic_auth_csv}" && "${METADATA_CLOBBERS_CONFIG:-false}" == "true" ]]; then
 rm "${basic_auth_csv}"
 fi
- replace_prefixed_line "${basic_auth_csv}" "${KUBE_PASSWORD},${KUBE_USER}," "admin,system:masters"
+ append_or_replace_prefixed_line "${basic_auth_csv}" "${KUBE_PASSWORD},${KUBE_USER}," "admin,system:masters"
 fi
 local -r known_tokens_csv="${auth_dir}/known_tokens.csv"
 if [[ -n "${KUBE_BEARER_TOKEN:-}" ]]; then
- replace_prefixed_line "${known_tokens_csv}" "${KUBE_BEARER_TOKEN}," "admin,admin,system:masters"
+ append_or_replace_prefixed_line "${known_tokens_csv}" "${KUBE_BEARER_TOKEN}," "admin,admin,system:masters"
 fi
 if [[ -n "${KUBE_CONTROLLER_MANAGER_TOKEN:-}" ]]; then
- replace_prefixed_line "${known_tokens_csv}" "${KUBE_CONTROLLER_MANAGER_TOKEN}," "system:kube-controller-manager,uid:system:kube-controller-manager"
+ append_or_replace_prefixed_line "${known_tokens_csv}" "${KUBE_CONTROLLER_MANAGER_TOKEN}," "system:kube-controller-manager,uid:system:kube-controller-manager"
 fi
 if [[ -n "${KUBE_SCHEDULER_TOKEN:-}" ]]; then
- replace_prefixed_line "${known_tokens_csv}" "${KUBE_SCHEDULER_TOKEN}," "system:kube-scheduler,uid:system:kube-scheduler"
+ append_or_replace_prefixed_line "${known_tokens_csv}" "${KUBE_SCHEDULER_TOKEN}," "system:kube-scheduler,uid:system:kube-scheduler"
 fi
 if [[ -n "${KUBELET_TOKEN:-}" ]]; then
- replace_prefixed_line "${known_tokens_csv}" "${KUBELET_TOKEN}," "kubelet,uid:kubelet,system:nodes"
+ append_or_replace_prefixed_line "${known_tokens_csv}" "${KUBELET_TOKEN}," "kubelet,uid:kubelet,system:nodes"
 fi
 if [[ -n "${KUBE_PROXY_TOKEN:-}" ]]; then
- replace_prefixed_line "${known_tokens_csv}" "${KUBE_PROXY_TOKEN}," "system:kube-proxy,uid:kube_proxy"
+ append_or_replace_prefixed_line "${known_tokens_csv}" "${KUBE_PROXY_TOKEN}," "system:kube-proxy,uid:kube_proxy"
 fi
 if [[ -n "${NODE_PROBLEM_DETECTOR_TOKEN:-}" ]]; then
- replace_prefixed_line "${known_tokens_csv}" "${NODE_PROBLEM_DETECTOR_TOKEN}," "system:node-problem-detector,uid:node-problem-detector"
+ append_or_replace_prefixed_line "${known_tokens_csv}" "${NODE_PROBLEM_DETECTOR_TOKEN}," "system:node-problem-detector,uid:node-problem-detector"
 fi
 local use_cloud_config="false"
 cat </etc/gce.conf
From 1769af78fa6ce9aa9cd4411673beace2fc72cd95 Mon Sep 17 00:00:00 2001
From: Isaac Hollander McCreery
Date: Fri, 21 Apr 2017 15:58:39 -0700
Subject: [PATCH 4/4] Comment extension
---
 cluster/gce/gci/configure-helper.sh | 5 ++++-
 1 file changed, 4 insertions(+), 1 deletion(-)
diff --git a/cluster/gce/gci/configure-helper.sh b/cluster/gce/gci/configure-helper.sh
index 827681d31dc..66cfdae6865 100644
--- a/cluster/gce/gci/configure-helper.sh
+++ b/cluster/gce/gci/configure-helper.sh
@@ -286,8 +286,11 @@ function create-master-auth {
 local -r auth_dir="/etc/srv/kubernetes"
 local -r basic_auth_csv="${auth_dir}/basic_auth.csv"
 if [[ -n "${KUBE_PASSWORD:-}" && -n "${KUBE_USER:-}" ]]; then
- # Remove basic_auth_csv because we will rewrite it.
 if [[ -e "${basic_auth_csv}" && "${METADATA_CLOBBERS_CONFIG:-false}" == "true" ]]; then
+ # If METADATA_CLOBBERS_CONFIG is true, we want to rewrite the file
+ # completely, because if we're changing KUBE_USER and KUBE_PASSWORD, we
+ # have nothing to match on. The file is replaced just below with
+ # append_or_replace_prefixed_line.
 rm "${basic_auth_csv}"
 fi
 append_or_replace_prefixed_line "${basic_auth_csv}" "${KUBE_PASSWORD},${KUBE_USER}," "admin,system:masters"
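Review bot: The known_tokens.csv writes get the rename but not the clobber handling the basic-auth branch now has, and the same stale-credential problem applies to them: every call passes the token itself as the prefix, and the helper's own header comment says only lines with that prefix are removed, so rotating e.g. KUBE_BEARER_TOKEN appends a new row while the row carrying the old token stays in the file and keeps working (unless something outside this hunk removes it). If METADATA_CLOBBERS_CONFIG is meant to make metadata canonical for tokens as well, mirror the basic-auth branch before the first token write: `if [[ -e "${known_tokens_csv}" && "${METADATA_CLOBBERS_CONFIG:-false}" == "true" ]]; then rm "${known_tokens_csv}"; fi`. If tokens are deliberately out of scope for the flag, a comment on the `local -r known_tokens_csv` line saying so would stop the next reader from assuming rotation is covered. create-master-auth continues past the hunk's final `cat` line.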
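Review bot: The extended comment explains why the file is removed but not what else that removes: the `sed` deletions this series replaced targeted only the `${KUBE_USER}` rows, whereas `rm` discards every row of basic_auth.csv, so any other basic-auth users present on disk are gone whenever METADATA_CLOBBERS_CONFIG is true. That side effect is the part an operator is most likely to be surprised by, so suggest ending the comment with `# Note this discards every entry in the file, not only the admin user's row.` create-master-auth starts and ends outside the hunk.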