Replace the auth config file with a kubeconfig file when

starting the kubelet on GCE.
2015-05-11 20:44:13 -07:00
parent ec19d41b63
commit c47b9178b4
7 changed files with 118 additions and 19 deletions
--- a/cluster/gce/configure-vm.sh
+++ b/cluster/gce/configure-vm.sh
@@ -287,11 +287,29 @@ function create-salt-master-auth() {
 }

 function create-salt-node-auth() {
-  kubelet_auth_file="/srv/salt-overlay/salt/kubelet/kubernetes_auth"
-  if [ ! -e "${kubelet_auth_file}" ]; then
+  kubelet_kubeconfig_file="/srv/salt-overlay/salt/kubelet/kubeconfig"
+  if [ ! -e "${kubelet_kubeconfig_file}" ]; then
    mkdir -p /srv/salt-overlay/salt/kubelet
    (umask 077;
-      echo "{\"BearerToken\": \"${KUBELET_TOKEN}\", \"Insecure\": true }" > "${kubelet_auth_file}")
+    cat > "${kubelet_kubeconfig_file}" <<EOF
+apiVersion: v1
+kind: Config
+users:
+- name: kubelet
+  user:
+    token: ${KUBELET_TOKEN}
+clusters:
+- name: local
+  cluster:
+     insecure-skip-tls-verify: true
+contexts:
+- context:
+    cluster: local
+    user: kubelet
+  name: service-account-context
+current-context: service-account-context
+EOF
+)
  fi

  kube_proxy_kubeconfig_file="/srv/salt-overlay/salt/kube-proxy/kubeconfig"
--- a/cluster/gce/coreos/node.yaml
+++ b/cluster/gce/coreos/node.yaml
@@ -17,7 +17,25 @@ write_files:
      source /etc/kube-env

      /usr/bin/mkdir -p /var/lib/kubelet
-      /bin/echo  {\"BearerToken\": \"${KUBELET_TOKEN}\", \"Insecure\": true } > /var/lib/kubelet/kubernetes_auth
+      cat > /var/lib/kubelet/kubeconfig << EOF
+      apiVersion: v1
+      kind: Config
+      users:
+      - name: kubelet
+        user:
+          token: ${KUBELET_TOKEN}
+      clusters:
+      - name: local
+        cluster:
+          insecure-skip-tls-verify: true
+      contexts:
+      - context:
+          cluster: local
+          user: kubelet
+        name: service-account-context
+      current-context: service-account-context
+      EOF
+
  - path: /run/config-kube-proxy.sh
    permissions: "0755"
    content: |
--- a/cluster/saltbase/salt/kubelet/init.sls
+++ b/cluster/saltbase/salt/kubelet/init.sls
@@ -38,6 +38,20 @@

 {% endif %}

+# The default here is that this file is blank.  If this is the case, the kubelet
+# won't be able to parse it as JSON and will try to use the kubernetes_auth file
+# instead.  You'll see a single error line in the kubelet start up file
+# about this.
+/var/lib/kubelet/kubeconfig:
+  file.managed:
+    - source: salt://kubelet/kubeconfig
+    - user: root
+    - group: root
+    - mode: 400
+    - makedirs: true
+
+#
+# --- This file is DEPRECATED ---
 # The default here is that this file is blank.  If this is the case, the kubelet
 # won't be able to parse it as JSON and it'll not be able to publish events to
 # the apiserver.  You'll see a single error line in the kubelet start up file