This change refactors the way Kubelet's DockerPuller handles the docker config credentials to utilize a new credentialprovider library.
The credentialprovider library is based on several of the files from the Kubelet's dockertools directory, but supports a new pluggable model for retrieving a .dockercfg-compatible JSON blob with credentials.
With this change, the Kubelet will lazily ask for the docker config from a set of DockerConfigProvider extensions each time it needs a credential.
This change provides common implementations of DockerConfigProvider for:
- "Default": load .dockercfg from disk
- "Caching": wraps another provider in a cache that expires after a pre-specified lifetime.
GCP-only:
- "google-dockercfg": reads a .dockercfg from a GCE instance's metadata
- "google-dockercfg-url": reads a .dockercfg from a URL specified in a GCE instance's metadata.
- "google-container-registry": reads an access token from GCE metadata into a password field.
Also fix up cert generation. It was failing during the first salt highstate when trying to chown the certs as the apiserver user didn't exist yet. Fix this by creating a 'kube-cert' group and chgrping the files to that. Then make the apiserver a member of that group.
Fixes#2365Fixes#2368
apiserver becomes kube-apiserver
controller-manager -> kube-controller-manager
scheduler and proxy similarly.
Only thing I promise is that right now hack/build-go.sh and
build/release.sh exit with 0. That's it. Who knows if any of this
actually works....
It's actually used unset a couple of lines after this patch, but this
just resolves it in one place instead of calling
$(kube::golang::host_platform) twice.
Because of Fedora's crazy packaging guidelines, go install basically
isn't allowed. So allow us to use go build instead of go install.
test-integration also needs to accept the flag to be able to pass it
along to the build function.
* Rewrite a bunch of the hack/ directory with modular reusable bash libraries.
* Have 'build/*' build on 'hack/*'. The stuff in build now just runs hack/* in a docker container.
* Use a docker data container to enable faster incremental builds.
* Standardize output to _output/{local,dockerized}/bin/OS/ARCH/*. This regularized placement makes cross compilation work.
* Move travis specific scripts under hack/travis
With new dockerized incremental builds, I can do a no-op `make quick-release` in ~30s. This is a significant improvement.
test-cmd runs a 127.0.0.1 version of the apiservers, but does not
set --public_address_override, which means it can fail on some systems
(like Macs) which don't expose a bindable external port by default.
Since reachability is not necessary for test-cmd.sh today, set
public_address_override to 127.0.0.1
Added basic interface for authorizer implementations.
Added default "authorize everything" and "authorize nothing
implementations.
Added authorization check immediately after authentication check.
Added an integration test of authorization at the HTTP level of
abstraction.
Proper quoting, error checks, use $KUBE_* variables when applicable, trap to do
cleanup on all errors, call cleanup explicitly on successful exit.
Tested:
- Ran it manually to completion, test run successful.
- Interrupted it during the run, checked that $? was non-zero, etcd was killed.
Signed-off-by: Filipe Brandenburger <filbranden@google.com>
This doesn't fix anything broken. But we have config-go which exports
KUBE_REPO_ROOT and KUBE_TARGET. Using those means the test scripts can
be more easily moved around the repo and still work. Especially in
hack/test-integration.sh where we use hack/build-go.sh which is going
to use KUBE_TARGET to place the binary, then we use a different method
to find/execute the binary...
If this is set, and it normally shouldn't be, the config file will not
add the in tree Godeps to the GOPATH. So all of them must be solved by
the KUBE_EXTRA_GOPATH
This fixes `hack/test-go.sh pkg/apiserver -test.run=<a_specific_test_name>`
which was broken by PR #1116.
Signed-off-by: Filipe Brandenburger <filbranden@google.com>
add usage
verify flag value for -i is numeric
allow multiple targets on the command line
actually capture coverage output
fix lingering GOFLAGS undef issue
fix issue with -i not working at all: ((x++)) returns 1 when x is 0, which is
incompatible with "set -e"
Set the values of major and minor version based on the output of the
`git describe` command, which uses annotated tags as source of
versioning information.
Minor will get a "+" appended whenever the annotated tag does not match
the tree exactly (including when the tree is dirty.) So that only
official releases will have a "bare" minor version, all others will have
a "+" to indicate the binaries contain changes from the released version
in minor.
(This is similar to how versions of development builds of the Linux
kernel work.)
Tested:
- With no annotated tags:
$ hack/build-go.sh
$ _output/go/bin/kubecfg -version=raw
version.Info{Major:"0", Minor:"1+", GitVersion:"v0.1+", GitCommit:"7d29873bdee87efacaace30ab3602297cacf1b4f", GitTreeState:"clean"}
- Tagging current version on a clean git tree:
$ git tag -a -m 'Test tag v2.3' v2.3
$ hack/build-go.sh
$ _output/go/bin/kubecfg -version=raw
version.Info{Major:"2", Minor:"3", GitVersion:"v2.3", GitCommit:"7d29873bdee87efacaace30ab3602297cacf1b4f", GitTreeState:"clean"}
- Tagging current version on a dirty git tree:
$ git tag -a -m 'Test tag v2.3' v2.3
$ touch test.txt # this is enough to mark the tree as dirty
$ hack/build-go.sh
$ _output/go/bin/kubecfg -version=raw
version.Info{Major:"2", Minor:"3+", GitVersion:"v2.3-dirty", GitCommit:"7d29873bdee87efacaace30ab3602297cacf1b4f", GitTreeState:"dirty"}
- Tagging a previous version on a clean tree:
$ git tag -a -m 'Test tag v2.3' v2.3 HEAD~5
$ hack/build-go.sh
$ _output/go/bin/kubecfg -version=raw
version.Info{Major:"2", Minor:"3+", GitVersion:"v2.3-6-g7d29873bdee87e", GitCommit:"7d29873bdee87efacaace30ab3602297cacf1b4f", GitTreeState:"clean"}
Signed-off-by: Filipe Brandenburger <filbranden@google.com>
Ensure the output of `git describe` will include the `-dirty` suffix
when building on a tree with modified files in it.
Tested:
- ...
Signed-off-by: Filipe Brandenburger <filbranden@google.com>
