Generate a token for kube-proxy.

Tested on GCE.
Includes untested modifications for AWS and Vagrant.
No changes for any other distros.
Probably will work on other up-to-date providers
but beware.  Symptom would be that service proxying
stops working.

 1. Generates a token for kube-proxy in AWS, GCE, and Vagrant setup scripts.
 1. Distributes the token via salt-overlay, and salt to /var/lib/kube-proxy/kubeconfig
 1. Changes kube-proxy args:
   - use the --kubeconfig argument
   - changes --master argument from http://MASTER:7080 to https://MASTER
     - http -> https
     - explicit port 7080 -> implied 443

Possible ways this might break other distros:

Mitigation: there is a default empty kubeconfig file.
If the distro does not populate the salt-overlay, then
it should get the empty one, which parses to an empty
object, which, combined with the --master argument,
should still work.

Mitigation:
  - azure: Special case to use 7080 in
  - rackspace: way out of date, so don't care.
  - vsphere: way out of date, so don't care.
  - other distros: not using salt.
Eric Tune
2015-04-24 09:27:11 -07:00
parent ee5cad84e0
commit 9044177bb6
7 changed files with 111 additions and 13 deletions

@@ -2,11 +2,18 @@
{% if grains['os_family'] == 'RedHat' -%}
{% set daemon_args = "" -%}
{% endif -%}
{% if grains.api_servers is defined -%}
{% set api_servers = "--master=http://" + grains.api_servers + ":7080" -%}
{% else -%}
{% set ips = salt['mine.get']('roles:kubernetes-master', 'network.ip_addrs', 'grain').values() -%}
{# TODO(azure-maintainer): add support for distributing kubeconfig with token to kube-proxy #}
{# so it can use https #}
{% if grains['cloud'] is defined and grains['cloud'] == 'azure' -%}
{% set api_servers = "--master=http://" + ips[0][0] + ":7080" -%}
{% set kubeconfig = "" -%}
{% else -%}
{% set kubeconfig = "--kubeconfig=/var/lib/kube-proxy/kubeconfig" -%}
{% if grains.api_servers is defined -%}
{% set api_servers = "--master=https://" + grains.api_servers -%}
{% else -%}
{% set ips = salt['mine.get']('roles:kubernetes-master', 'network.ip_addrs', 'grain').values() -%}
{% set api_servers = "--master=https://" + ips[0][0] -%}
{% endif -%}
{% endif -%}
DAEMON_ARGS="{{daemon_args}} {{api_servers}} {{pillar['log_level']}}"
DAEMON_ARGS="{{daemon_args}} {{api_servers}} {{kubeconfig}} {{pillar['log_level']}}"
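
Review bot: In the non-azure branch, `--master=https://` and `--kubeconfig=/var/lib/kube-proxy/kubeconfig` are set unconditionally, so a provider that never populates the salt-overlay is pointed at the secure port with the default empty kubeconfig and no token. The commit message expects that combination to keep working but lists only GCE as tested; consider gating the https switch on the providers whose setup scripts generate the token (the way azure is special-cased here), or confirming the empty-kubeconfig case before merge. Also check that `ips` is still assigned before the azure branch reads `ips[0][0]`, and guard both `ips[0][0]` uses against an empty `mine.get` result, since the template will fail to render if no master has reported yet.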

@@ -55,3 +55,12 @@ kube-proxy:
{% if grains['os_family'] != 'RedHat' %}
- file: /etc/init.d/kube-proxy
{% endif %}
- file: /var/lib/kube-proxy/kubeconfig
/var/lib/kube-proxy/kubeconfig:
file.managed:
- source: salt://kube-proxy/kubeconfig
- user: root
- group: root
- mode: 400
- makedirs: true
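
Review bot: The `file.managed` state for `/var/lib/kube-proxy/kubeconfig` sets `mode: 400` on the token file but leaves the directory created by `makedirs: true` to whatever Salt derives from the file mode. Since this file holds the kube-proxy credential, set `dir_mode` explicitly so the permissions on `/var/lib/kube-proxy` are stated rather than implied. As a style point, quote the mode (`- mode: '0400'`) so YAML passes it through as a string.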