Merge pull request #9563 from BenTheElder/vagrant_certificates

Fix vagrant client authorization.

cluster/vagrant/provision-master.sh

@@ -116,7 +116,7 @@ cat <<EOF >/srv/salt-overlay/pillar/cluster-params.sls
   dns_server: '$(echo "$DNS_SERVER_IP" | sed -e "s/'/''/g")'
   dns_domain: '$(echo "$DNS_DOMAIN" | sed -e "s/'/''/g")'
   instance_prefix: '$(echo "$INSTANCE_PREFIX" | sed -e "s/'/''/g")'
-  admission_control: '$(echo "$ADMISSION_CONTROL" | sed -e "s/'/''/g")'  
+  admission_control: '$(echo "$ADMISSION_CONTROL" | sed -e "s/'/''/g")'
 EOF
 
 # Configure the salt-master
@@ -153,37 +153,54 @@ EOF
 # apiserver to send events.
 known_tokens_file="/srv/salt-overlay/salt/kube-apiserver/known_tokens.csv"
 if [[ ! -f "${known_tokens_file}" ]]; then
-  kubelet_token=$(cat /dev/urandom | base64 | tr -d "=+/" | dd bs=32 count=1 2> /dev/null)
-  kube_proxy_token=$(cat /dev/urandom | base64 | tr -d "=+/" | dd bs=32 count=1 2> /dev/null)
 
   mkdir -p /srv/salt-overlay/salt/kube-apiserver
   known_tokens_file="/srv/salt-overlay/salt/kube-apiserver/known_tokens.csv"
   (umask u=rw,go= ;
-   echo "$kubelet_token,kubelet,kubelet" > $known_tokens_file;
-   echo "$kube_proxy_token,kube_proxy,kube_proxy" >> $known_tokens_file)
+   echo "$KUBELET_TOKEN,kubelet,kubelet" > $known_tokens_file;
+   echo "$KUBE_PROXY_TOKEN,kube_proxy,kube_proxy" >> $known_tokens_file)
 
   mkdir -p /srv/salt-overlay/salt/kubelet
   kubelet_auth_file="/srv/salt-overlay/salt/kubelet/kubernetes_auth"
-  (umask u=rw,go= ; echo "{\"BearerToken\": \"$kubelet_token\", \"Insecure\": true }" > $kubelet_auth_file)
+  (umask u=rw,go= ; echo "{\"BearerToken\": \"$KUBELET_TOKEN\", \"Insecure\": true }" > $kubelet_auth_file)
   kubelet_kubeconfig_file="/srv/salt-overlay/salt/kubelet/kubeconfig"
-  # Make a kubeconfig file with the token.
+
+  mkdir -p /srv/salt-overlay/salt/kubelet
   (umask 077;
-  cat > "${kubelet_kubeconfig_file}" <<EOF
+  cat > "${kubelet_kubeconfig_file}" << EOF
+apiVersion: v1
+kind: Config
+users:
+- name: kubelet
+  user:
+    token: ${KUBELET_TOKEN}
+clusters:
+- name: local
+  cluster:
+    insecure-skip-tls-verify: true
+contexts:
+  - context:
+    cluster: local
+    user: kubelet
+  name: service-account-context
+current-context: service-account-context
+EOF
 )
 
+
   mkdir -p /srv/salt-overlay/salt/kube-proxy
   kube_proxy_kubeconfig_file="/srv/salt-overlay/salt/kube-proxy/kubeconfig"
   # Make a kubeconfig file with the token.
   # TODO(etune): put apiserver certs into secret too, and reference from authfile,
   # so that "Insecure" is not needed.
   (umask 077;
-  cat > "${kube_proxy_kubeconfig_file}" <<EOF
+  cat > "${kube_proxy_kubeconfig_file}" << EOF
 apiVersion: v1
 kind: Config
 users:
 - name: kube-proxy
   user:
-    token: ${kube_proxy_token}
+    token: ${KUBE_PROXY_TOKEN}
 clusters:
 - name: local
   cluster:

cluster/vagrant/provision-minion.sh

@@ -17,6 +17,57 @@
 # exit on any error
 set -e
 
+#setup kubelet config
+mkdir -p "/var/lib/kubelet"
+(umask 077;
+cat > "/var/lib/kubelet/kubeconfig" << EOF
+apiVersion: v1
+kind: Config
+users:
+- name: kubelet
+user:
+  token: ${KUBELET_TOKEN}
+clusters:
+- name: local
+cluster:
+  insecure-skip-tls-verify: true
+contexts:
+- context:
+  cluster: local
+  user: kubelet
+name: service-account-context
+current-context: service-account-context
+EOF
+)
+
+#setup proxy config
+mkdir -p "/var/lib/kube-proxy/"
+# Make a kubeconfig file with the token.
+# TODO(etune): put apiserver certs into secret too, and reference from authfile,
+# so that "Insecure" is not needed.
+(umask 077;
+cat > "/var/lib/kube-proxy/kubeconfig" << EOF
+apiVersion: v1
+kind: Config
+users:
+- name: kube-proxy
+user:
+  token: ${KUBE_PROXY_TOKEN}
+clusters:
+- name: local
+cluster:
+   insecure-skip-tls-verify: true
+contexts:
+- context:
+  cluster: local
+  user: kube-proxy
+name: service-account-context
+current-context: service-account-context
+EOF
+)
+
+
+
 # Set the host name explicitly
 # See: https://github.com/mitchellh/vagrant/issues/2430
 hostnamectl set-hostname ${MINION_NAME}

cluster/vagrant/util.sh

@@ -141,6 +141,8 @@ function create-provision-scripts {
     echo "ADMISSION_CONTROL='${ADMISSION_CONTROL:-}'"
     echo "DOCKER_OPTS='${EXTRA_DOCKER_OPTS-}'"
     echo "VAGRANT_DEFAULT_PROVIDER='${VAGRANT_DEFAULT_PROVIDER:-}'"
+    echo "KUBELET_TOKEN='${KUBELET_TOKEN:-}'"
+    echo "KUBE_PROXY_TOKEN='${KUBE_PROXY_TOKEN:-}'"
     awk '!/^#/' "${KUBE_ROOT}/cluster/vagrant/provision-network.sh"
     awk '!/^#/' "${KUBE_ROOT}/cluster/vagrant/provision-master.sh"
   ) > "${KUBE_TEMP}/master-start.sh"
@@ -163,6 +165,8 @@ function create-provision-scripts {
       echo "CONTAINER_SUBNET='${CONTAINER_SUBNET}'"
       echo "DOCKER_OPTS='${EXTRA_DOCKER_OPTS-}'"
       echo "VAGRANT_DEFAULT_PROVIDER='${VAGRANT_DEFAULT_PROVIDER:-}'"
+      echo "KUBELET_TOKEN='${KUBELET_TOKEN:-}'"
+      echo "KUBE_PROXY_TOKEN='${KUBE_PROXY_TOKEN:-}'"
       awk '!/^#/' "${KUBE_ROOT}/cluster/vagrant/provision-network.sh"
       awk '!/^#/' "${KUBE_ROOT}/cluster/vagrant/provision-minion.sh"
     ) > "${KUBE_TEMP}/minion-start-${i}.sh"
@@ -251,6 +255,7 @@ function verify-cluster {
 # Instantiate a kubernetes cluster
 function kube-up {
   get-password
+  get-tokens
   create-provision-scripts
 
   vagrant up
@@ -368,3 +373,8 @@ function restart-apiserver {
 function prepare-e2e() {
   echo "Vagrant doesn't need special preparations for e2e tests" 1>&2
 }
+
+function get-tokens() {
+  KUBELET_TOKEN=$(dd if=/dev/urandom bs=128 count=1 2>/dev/null | base64 | tr -d "=+/" | dd bs=32 count=1 2>/dev/null)
+  KUBE_PROXY_TOKEN=$(dd if=/dev/urandom bs=128 count=1 2>/dev/null | base64 | tr -d "=+/" | dd bs=32 count=1 2>/dev/null)
+}