github/kubernetes
4
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

Merge pull request #8009 from mbforbes/refactorEnv

Browse Source 
Refactor master vs node kube-env and salt auth
This commit is contained in:
Zach Loafman
2015-05-12 13:37:54 -07:00
parent fab980598a 76c89db5a8
commit 0b0bace006
4 changed files with 36 additions and 23 deletions
Download Patch File Download Diff File Expand all files Collapse all files

41
cluster/gce/configure-vm.sh
View File

@@ -260,7 +260,7 @@ EOF
# on upgrade, this file exists on the master-pd and should never # on upgrade, this file exists on the master-pd and should never
# be touched again (except perhaps an additional service account, # be touched again (except perhaps an additional service account,
# see NB below.) # see NB below.)
function create-salt-auth() { function create-salt-master-auth() {
if [ ! -e "${BASIC_AUTH_FILE}" ]; then if [ ! -e "${BASIC_AUTH_FILE}" ]; then
mkdir -p /srv/salt-overlay/salt/kube-apiserver mkdir -p /srv/salt-overlay/salt/kube-apiserver
(umask 077; (umask 077;
@@ -273,13 +273,31 @@ function create-salt-auth() {
echo "${KUBELET_TOKEN},kubelet,kubelet" >> "${KNOWN_TOKENS_FILE}"; echo "${KUBELET_TOKEN},kubelet,kubelet" >> "${KNOWN_TOKENS_FILE}";
echo "${KUBE_PROXY_TOKEN},kube_proxy,kube_proxy" >> "${KNOWN_TOKENS_FILE}") echo "${KUBE_PROXY_TOKEN},kube_proxy,kube_proxy" >> "${KNOWN_TOKENS_FILE}")
# Generate tokens for other "service accounts". Append to known_tokens.
#
# NB: If this list ever changes, this script actually has to
# change to detect the existence of this file, kill any deleted
# old tokens and add any new tokens (to handle the upgrade case).
local -r service_accounts=("system:scheduler" "system:controller_manager" "system:logging" "system:monitoring" "system:dns")
for account in "${service_accounts[@]}"; do
token=$(dd if=/dev/urandom bs=128 count=1 2>/dev/null | base64 | tr -d "=+/" | dd bs=32 count=1 2>/dev/null)
echo "${token},${account},${account}" >> "${KNOWN_TOKENS_FILE}"
done
fi
}
function create-salt-node-auth() {
kubelet_auth_file="/srv/salt-overlay/salt/kubelet/kubernetes_auth"
if [ ! -e "${kubelet_auth_file}" ]; then
mkdir -p /srv/salt-overlay/salt/kubelet mkdir -p /srv/salt-overlay/salt/kubelet
kubelet_auth_file="/srv/salt-overlay/salt/kubelet/kubernetes_auth"
(umask 077; (umask 077;
echo "{\"BearerToken\": \"${KUBELET_TOKEN}\", \"Insecure\": true }" > "${kubelet_auth_file}") echo "{\"BearerToken\": \"${KUBELET_TOKEN}\", \"Insecure\": true }" > "${kubelet_auth_file}")
fi
kube_proxy_kubeconfig_file="/srv/salt-overlay/salt/kube-proxy/kubeconfig"
if [ ! -e "${kube_proxy_kubeconfig_file}" ]; then
mkdir -p /srv/salt-overlay/salt/kube-proxy mkdir -p /srv/salt-overlay/salt/kube-proxy
kube_proxy_kubeconfig_file="/srv/salt-overlay/salt/kube-proxy/kubeconfig"
# Make a kubeconfig file with the token. # Make a kubeconfig file with the token.
# TODO(etune): put apiserver certs into secret too, and reference from authfile, # TODO(etune): put apiserver certs into secret too, and reference from authfile,
# so that "Insecure" is not needed. # so that "Insecure" is not needed.
@@ -303,17 +321,6 @@ contexts:
current-context: service-account-context current-context: service-account-context
EOF EOF
) )
# Generate tokens for other "service accounts". Append to known_tokens.
#
# NB: If this list ever changes, this script actually has to
# change to detect the existence of this file, kill any deleted
# old tokens and add any new tokens (to handle the upgrade case).
local -r service_accounts=("system:scheduler" "system:controller_manager" "system:logging" "system:monitoring" "system:dns")
for account in "${service_accounts[@]}"; do
token=$(dd if=/dev/urandom bs=128 count=1 2>/dev/null | base64 | tr -d "=+/" | dd bs=32 count=1 2>/dev/null)
echo "${token},${account},${account}" >> "${KNOWN_TOKENS_FILE}"
done
fi fi
} }
@@ -453,7 +460,11 @@ if [[ -z "${is_push}" ]]; then
set-kube-env set-kube-env
[[ "${KUBERNETES_MASTER}" == "true" ]] && mount-master-pd [[ "${KUBERNETES_MASTER}" == "true" ]] && mount-master-pd
create-salt-pillar create-salt-pillar
create-salt-auth if [[ "${KUBERNETES_MASTER}" == "true" ]]; then
create-salt-master-auth
else
create-salt-node-auth
fi
download-release download-release
configure-salt configure-salt
remove-docker-artifacts remove-docker-artifacts

3
cluster/gce/coreos/helper.sh
View File

@@ -69,9 +69,6 @@ ENABLE_CLUSTER_DNS=$(yaml-quote ${ENABLE_CLUSTER_DNS:-false})
DNS_REPLICAS=$(yaml-quote ${DNS_REPLICAS:-}) DNS_REPLICAS=$(yaml-quote ${DNS_REPLICAS:-})
DNS_SERVER_IP=$(yaml-quote ${DNS_SERVER_IP:-}) DNS_SERVER_IP=$(yaml-quote ${DNS_SERVER_IP:-})
DNS_DOMAIN=$(yaml-quote ${DNS_DOMAIN:-}) DNS_DOMAIN=$(yaml-quote ${DNS_DOMAIN:-})
KUBE_USER=$(yaml-quote ${KUBE_USER})
KUBE_PASSWORD=$(yaml-quote ${KUBE_PASSWORD})
KUBE_BEARER_TOKEN=$(yaml-quote ${KUBE_BEARER_TOKEN})
KUBELET_TOKEN=$(yaml-quote ${KUBELET_TOKEN:-}) KUBELET_TOKEN=$(yaml-quote ${KUBELET_TOKEN:-})
KUBE_PROXY_TOKEN=$(yaml-quote ${KUBE_PROXY_TOKEN:-}) KUBE_PROXY_TOKEN=$(yaml-quote ${KUBE_PROXY_TOKEN:-})
ADMISSION_CONTROL=$(yaml-quote ${ADMISSION_CONTROL:-}) ADMISSION_CONTROL=$(yaml-quote ${ADMISSION_CONTROL:-})

2
cluster/gce/coreos/node.yaml
View File

@@ -17,7 +17,7 @@ write_files:
source /etc/kube-env source /etc/kube-env
/usr/bin/mkdir -p /var/lib/kubelet /usr/bin/mkdir -p /var/lib/kubelet
/bin/echo {\"BearerToken\": \"${KUBE_BEARER_TOKEN}\", \"Insecure\": true } > /var/lib/kubelet/kubernetes_auth /bin/echo {\"BearerToken\": \"${KUBELET_TOKEN}\", \"Insecure\": true } > /var/lib/kubelet/kubernetes_auth
- path: /run/config-kube-proxy.sh - path: /run/config-kube-proxy.sh
permissions: "0755" permissions: "0755"
content: | content: |

13
cluster/gce/debian/helper.sh
View File

@@ -41,16 +41,21 @@ ENABLE_CLUSTER_DNS: $(yaml-quote ${ENABLE_CLUSTER_DNS:-false})
DNS_REPLICAS: $(yaml-quote ${DNS_REPLICAS:-}) DNS_REPLICAS: $(yaml-quote ${DNS_REPLICAS:-})
DNS_SERVER_IP: $(yaml-quote ${DNS_SERVER_IP:-}) DNS_SERVER_IP: $(yaml-quote ${DNS_SERVER_IP:-})
DNS_DOMAIN: $(yaml-quote ${DNS_DOMAIN:-}) DNS_DOMAIN: $(yaml-quote ${DNS_DOMAIN:-})
KUBE_USER: $(yaml-quote ${KUBE_USER})
KUBE_PASSWORD: $(yaml-quote ${KUBE_PASSWORD})
KUBE_BEARER_TOKEN: $(yaml-quote ${KUBE_BEARER_TOKEN})
KUBELET_TOKEN: $(yaml-quote ${KUBELET_TOKEN:-}) KUBELET_TOKEN: $(yaml-quote ${KUBELET_TOKEN:-})
KUBE_PROXY_TOKEN: $(yaml-quote ${KUBE_PROXY_TOKEN:-}) KUBE_PROXY_TOKEN: $(yaml-quote ${KUBE_PROXY_TOKEN:-})
ADMISSION_CONTROL: $(yaml-quote ${ADMISSION_CONTROL:-}) ADMISSION_CONTROL: $(yaml-quote ${ADMISSION_CONTROL:-})
MASTER_IP_RANGE: $(yaml-quote ${MASTER_IP_RANGE}) MASTER_IP_RANGE: $(yaml-quote ${MASTER_IP_RANGE})
EOF EOF
if [[ "${master}" != "true" ]]; then if [[ "${master}" == "true" ]]; then
# Master-only env vars.
cat >>$file <<EOF
KUBE_USER: $(yaml-quote ${KUBE_USER})
KUBE_PASSWORD: $(yaml-quote ${KUBE_PASSWORD})
KUBE_BEARER_TOKEN: $(yaml-quote ${KUBE_BEARER_TOKEN})
EOF
else
# Node-only env vars.
cat >>$file <<EOF cat >>$file <<EOF
KUBERNETES_MASTER_NAME: $(yaml-quote ${MASTER_NAME}) KUBERNETES_MASTER_NAME: $(yaml-quote ${MASTER_NAME})
ZONE: $(yaml-quote ${ZONE}) ZONE: $(yaml-quote ${ZONE})