diff --git a/cluster/vagrant/provision-master.sh b/cluster/vagrant/provision-master.sh
index 17414084e6..e2c98bc656 100755
--- a/cluster/vagrant/provision-master.sh
+++ b/cluster/vagrant/provision-master.sh
@@ -116,7 +116,7 @@ cat </srv/salt-overlay/pillar/cluster-params.sls
 dns_server: '$(echo "$DNS_SERVER_IP" | sed -e "s/'/''/g")'
 dns_domain: '$(echo "$DNS_DOMAIN" | sed -e "s/'/''/g")'
 instance_prefix: '$(echo "$INSTANCE_PREFIX" | sed -e "s/'/''/g")'
- admission_control: '$(echo "$ADMISSION_CONTROL" | sed -e "s/'/''/g")'
+ admission_control: '$(echo "$ADMISSION_CONTROL" | sed -e "s/'/''/g")'
 EOF

 # Configure the salt-master
@@ -153,37 +153,54 @@ EOF # apiserver to send events. known_tokens_file="/srv/salt-overlay/salt/kube-apiserver/known_tokens.csv" if [[ ! -f "${known_tokens_file}" ]]; then - kubelet_token=$(cat /dev/urandom | base64 | tr -d "=+/" | dd bs=32 count=1 2> /dev/null) - kube_proxy_token=$(cat /dev/urandom | base64 | tr -d "=+/" | dd bs=32 count=1 2> /dev/null) mkdir -p /srv/salt-overlay/salt/kube-apiserver known_tokens_file="/srv/salt-overlay/salt/kube-apiserver/known_tokens.csv" (umask u=rw,go= ; - echo "$kubelet_token,kubelet,kubelet" > $known_tokens_file; - echo "$kube_proxy_token,kube_proxy,kube_proxy" >> $known_tokens_file) + echo "$KUBELET_TOKEN,kubelet,kubelet" > $known_tokens_file; + echo "$KUBE_PROXY_TOKEN,kube_proxy,kube_proxy" >> $known_tokens_file) mkdir -p /srv/salt-overlay/salt/kubelet kubelet_auth_file="/srv/salt-overlay/salt/kubelet/kubernetes_auth" - (umask u=rw,go= ; echo "{\"BearerToken\": \"$kubelet_token\", \"Insecure\": true }" > $kubelet_auth_file) + (umask u=rw,go= ; echo "{\"BearerToken\": \"$KUBELET_TOKEN\", \"Insecure\": true }" > $kubelet_auth_file) kubelet_kubeconfig_file="/srv/salt-overlay/salt/kubelet/kubeconfig" - # Make a kubeconfig file with the token. + + mkdir -p /srv/salt-overlay/salt/kubelet (umask 077; - cat > "${kubelet_kubeconfig_file}" < "${kubelet_kubeconfig_file}" << EOF +apiVersion: v1 +kind: Config +users: +- name: kubelet + user: + token: ${KUBELET_TOKEN} +clusters: +- name: local + cluster: + insecure-skip-tls-verify: true +contexts: + - context: + cluster: local + user: kubelet + name: service-account-context +current-context: service-account-context +EOF ) + mkdir -p /srv/salt-overlay/salt/kube-proxy kube_proxy_kubeconfig_file="/srv/salt-overlay/salt/kube-proxy/kubeconfig" # Make a kubeconfig file with the token. # TODO(etune): put apiserver certs into secret too, and reference from authfile, # so that "Insecure" is not needed. 
(umask 077; - cat > "${kube_proxy_kubeconfig_file}" < "${kube_proxy_kubeconfig_file}" << EOF apiVersion: v1 kind: Config users: - name: kube-proxy user: - token: ${kube_proxy_token} + token: ${KUBE_PROXY_TOKEN} clusters: - name: local cluster: diff --git a/cluster/vagrant/provision-minion.sh b/cluster/vagrant/provision-minion.sh index 0e541b2496..7d68701d63 100755 --- a/cluster/vagrant/provision-minion.sh +++ b/cluster/vagrant/provision-minion.sh @@ -17,6 +17,57 @@ # exit on any error set -e +#setup kubelet config +mkdir -p "/var/lib/kubelet" +(umask 077; +cat > "/var/lib/kubelet/kubeconfig" << EOF +apiVersion: v1 +kind: Config +users: +- name: kubelet +user: + token: ${KUBELET_TOKEN} +clusters: +- name: local +cluster: + insecure-skip-tls-verify: true +contexts: +- context: + cluster: local + user: kubelet +name: service-account-context +current-context: service-account-context +EOF +) + +#setup proxy config +mkdir -p "/var/lib/kube-proxy/" +# Make a kubeconfig file with the token. +# TODO(etune): put apiserver certs into secret too, and reference from authfile, +# so that "Insecure" is not needed. +(umask 077; +cat > "/var/lib/kube-proxy/kubeconfig" << EOF +apiVersion: v1 +kind: Config +users: +- name: kube-proxy +user: + token: ${KUBE_PROXY_TOKEN} +clusters: +- name: local +cluster: + insecure-skip-tls-verify: true +contexts: +- context: + cluster: local + user: kube-proxy +name: service-account-context +current-context: service-account-context +EOF +) + + + # Set the host name explicitly # See: https://github.com/mitchellh/vagrant/issues/2430 hostnamectl set-hostname ${MINION_NAME} diff --git a/cluster/vagrant/util.sh b/cluster/vagrant/util.sh index e7337763fa..b4891a021b 100644 --- a/cluster/vagrant/util.sh +++ b/cluster/vagrant/util.sh 
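Review bot: The master now takes `KUBELET_TOKEN` and `KUBE_PROXY_TOKEN` from its environment but never checks that they are non-empty; util.sh passes them as `${KUBELET_TOKEN:-}`, so an unset value writes a line `,kubelet,kubelet` into known_tokens.csv and a bare `token:` into the kubeconfigs, and whether the apiserver's CSV token file treats an empty token as a valid bearer credential is worth confirming rather than assuming. Add `: "${KUBELET_TOKEN:?KUBELET_TOKEN must be set}" "${KUBE_PROXY_TOKEN:?KUBE_PROXY_TOKEN must be set}"` ahead of the `if [[ ! -f "${known_tokens_file}" ]]` guard. That guard also skips this whole block when the file already exists, while kube-up calls get-tokens on every run and the minion script rewrites its kubeconfig unconditionally, so re-provisioning an existing master against fresh tokens leaves known_tokens.csv holding the old ones; either rewrite the file from the passed-in tokens each time or persist the generated tokens on the host and reuse them. The added `mkdir -p /srv/salt-overlay/salt/kubelet` duplicates the one a few lines above it. The `if` block continues past the end of this hunk.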
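Review bot: Both new heredocs interpolate `${KUBELET_TOKEN}` and `${KUBE_PROXY_TOKEN}` with no check that they are set; the script runs under `set -e` but not `set -u`, and util.sh supplies them as `${KUBELET_TOKEN:-}`, so a missing token yields a well-formed kubeconfig with an empty `token:` and the failure only surfaces later as an opaque authentication error. Add `: "${KUBELET_TOKEN:?KUBELET_TOKEN not set}" "${KUBE_PROXY_TOKEN:?KUBE_PROXY_TOKEN not set}"` directly after `set -e`. In this view `user:`, `cluster:` and `name:` sit at column 0 in the minion heredocs where the master heredoc indents them under the list item; if that is the file's real indentation rather than whitespace lost in rendering, the token and context name become top-level keys and the kubeconfig carries no credential, so please diff the two heredocs against each other. Both files also set `insecure-skip-tls-verify: true`, which the existing TODO acknowledges; until apiserver certs are distributed, these bearer tokens are presented to whatever answers at the apiserver address.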
@@ -141,6 +141,8 @@ function create-provision-scripts {
 echo "ADMISSION_CONTROL='${ADMISSION_CONTROL:-}'"
 echo "DOCKER_OPTS='${EXTRA_DOCKER_OPTS-}'"
 echo "VAGRANT_DEFAULT_PROVIDER='${VAGRANT_DEFAULT_PROVIDER:-}'"
+ echo "KUBELET_TOKEN='${KUBELET_TOKEN:-}'"
+ echo "KUBE_PROXY_TOKEN='${KUBE_PROXY_TOKEN:-}'"
 awk '!/^#/' "${KUBE_ROOT}/cluster/vagrant/provision-network.sh"
 awk '!/^#/' "${KUBE_ROOT}/cluster/vagrant/provision-master.sh"
 ) > "${KUBE_TEMP}/master-start.sh"
@@ -163,6 +165,8 @@ function create-provision-scripts {
 echo "CONTAINER_SUBNET='${CONTAINER_SUBNET}'"
 echo "DOCKER_OPTS='${EXTRA_DOCKER_OPTS-}'"
 echo "VAGRANT_DEFAULT_PROVIDER='${VAGRANT_DEFAULT_PROVIDER:-}'"
+ echo "KUBELET_TOKEN='${KUBELET_TOKEN:-}'"
+ echo "KUBE_PROXY_TOKEN='${KUBE_PROXY_TOKEN:-}'"
 awk '!/^#/' "${KUBE_ROOT}/cluster/vagrant/provision-network.sh"
 awk '!/^#/' "${KUBE_ROOT}/cluster/vagrant/provision-minion.sh"
 ) > "${KUBE_TEMP}/minion-start-${i}.sh"
@@ -251,6 +255,7 @@ function verify-cluster {
 # Instantiate a kubernetes cluster
 function kube-up {
 get-password
+ get-tokens
 create-provision-scripts

 vagrant up
@@ -368,3 +373,8 @@ function restart-apiserver {
 function prepare-e2e() {
 echo "Vagrant doesn't need special preparations for e2e tests" 1>&2
 }
+
+function get-tokens() {
+ KUBELET_TOKEN=$(dd if=/dev/urandom bs=128 count=1 2>/dev/null | base64 | tr -d "=+/" | dd bs=32 count=1 2>/dev/null)
+ KUBE_PROXY_TOKEN=$(dd if=/dev/urandom bs=128 count=1 2>/dev/null | base64 | tr -d "=+/" | dd bs=32 count=1 2>/dev/null)
+}
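Review bot: The two added echo lines write the bearer tokens in clear text into `${KUBE_TEMP}/master-start.sh`, and the following hunk does the same into every `minion-start-${i}.sh`, so whatever creates `${KUBE_TEMP}` needs to give it mode 0700 and remove it once `vagrant up` finishes; neither is visible in this diff, so please confirm. Single-quoting the value is only injection-safe because get-tokens strips `=+/` from base64 output, leaving letters and digits; a comment such as `# tokens are [A-Za-z0-9] only (see get-tokens), so single quotes are safe` would stop a later change to the generator from silently breaking the quoting. create-provision-scripts starts before this hunk.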
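Review bot: `dd bs=32 count=1` reading from a pipe counts a partial read as a full block, so without `iflag=fullblock` (GNU-only, and this runs on the developer's host, which may be macOS) a token can come out shorter than 32 characters with no error, and nothing downstream checks its length before it lands in known_tokens.csv. Use `head -c 32` to take exactly 32 bytes and `tr -d "=+/\n"` so the newline base64 inserts on long output can never be part of a token, e.g. `KUBELET_TOKEN=$(dd if=/dev/urandom bs=128 count=1 2>/dev/null | base64 | tr -d "=+/\n" | head -c 32)`. Then assert the result after the two assignments: `[[ ${#KUBELET_TOKEN} -eq 32 && ${#KUBE_PROXY_TOKEN} -eq 32 ]] || { echo "get-tokens: token generation failed" >&2; exit 1; }`. A one-line header comment stating that the tokens are regenerated on every kube-up and must reach both master and minions via the provision scripts would also help the next reader.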