Refactor the functions that generate auth for the kubelet and kubeproxy

and remove the insecure configuration now that GKE has plumbed through
certificates.
pull/6/head
Robert Bailey 2015-07-17 16:13:01 -07:00
parent d28a6656ae
commit 728b337e9c
1 changed files with 18 additions and 64 deletions


@ -331,24 +331,16 @@ function create-salt-master-auth() {
fi fi
} }
# TODO(roberthbailey): Remove the insecure kubeconfig configuration files # This should happen both on cluster initialization and node upgrades.
# once the certs are being plumbed through for GKE. #
function create-salt-node-auth() { # - Uses CA_CERT, KUBELET_CERT, and KUBELET_KEY to generate a kubeconfig file
if [[ ! -e /srv/kubernetes/ca.crt ]]; then # for the kubelet to securely connect to the apiserver.
if [[ ! -z "${CA_CERT:-}" ]] && [[ ! -z "${KUBELET_CERT:-}" ]] && [[ ! -z "${KUBELET_KEY:-}" ]]; then function create-salt-kubelet-auth() {
mkdir -p /srv/kubernetes local -r kubelet_kubeconfig_file="/srv/salt-overlay/salt/kubelet/kubeconfig"
(umask 077;
echo "${CA_CERT}" | base64 -d > /srv/kubernetes/ca.crt;
echo "${KUBELET_CERT}" | base64 -d > /srv/kubernetes/kubelet.crt;
echo "${KUBELET_KEY}" | base64 -d > /srv/kubernetes/kubelet.key)
fi
fi
kubelet_kubeconfig_file="/srv/salt-overlay/salt/kubelet/kubeconfig"
if [ ! -e "${kubelet_kubeconfig_file}" ]; then if [ ! -e "${kubelet_kubeconfig_file}" ]; then
mkdir -p /srv/salt-overlay/salt/kubelet mkdir -p /srv/salt-overlay/salt/kubelet
if [[ ! -z "${CA_CERT:-}" ]] && [[ ! -z "${KUBELET_CERT:-}" ]] && [[ ! -z "${KUBELET_KEY:-}" ]]; then (umask 077;
(umask 077; cat > "${kubelet_kubeconfig_file}" <<EOF
cat > "${kubelet_kubeconfig_file}" <<EOF
apiVersion: v1 apiVersion: v1
kind: Config kind: Config
users: users:
@ -368,35 +360,18 @@ contexts:
current-context: service-account-context current-context: service-account-context
EOF EOF
) )
else
(umask 077;
cat > "${kubelet_kubeconfig_file}" <<EOF
apiVersion: v1
kind: Config
users:
- name: kubelet
user:
token: ${KUBELET_TOKEN}
clusters:
- name: local
cluster:
insecure-skip-tls-verify: true
contexts:
- context:
cluster: local
user: kubelet
name: service-account-context
current-context: service-account-context
EOF
)
fi
fi fi
}
kube_proxy_kubeconfig_file="/srv/salt-overlay/salt/kube-proxy/kubeconfig" # This should happen both on cluster initialization and node upgrades.
#
# - Uses the CA_CERT and KUBE_PROXY_TOKEN to generate a kubeconfig file for
# the kube-proxy to securely connect to the apiserver.
function create-salt-kubeproxy-auth() {
local -r kube_proxy_kubeconfig_file="/srv/salt-overlay/salt/kube-proxy/kubeconfig"
if [ ! -e "${kube_proxy_kubeconfig_file}" ]; then if [ ! -e "${kube_proxy_kubeconfig_file}" ]; then
mkdir -p /srv/salt-overlay/salt/kube-proxy mkdir -p /srv/salt-overlay/salt/kube-proxy
if [[ ! -z "${CA_CERT:-}" ]]; then (umask 077;
(umask 077;
cat > "${kube_proxy_kubeconfig_file}" <<EOF cat > "${kube_proxy_kubeconfig_file}" <<EOF
apiVersion: v1 apiVersion: v1
kind: Config kind: Config
@ -416,28 +391,6 @@ contexts:
current-context: service-account-context current-context: service-account-context
EOF EOF
) )
else
(umask 077;
cat > "${kube_proxy_kubeconfig_file}" <<EOF
apiVersion: v1
kind: Config
users:
- name: kube-proxy
user:
token: ${KUBE_PROXY_TOKEN}
clusters:
- name: local
cluster:
insecure-skip-tls-verify: true
contexts:
- context:
cluster: local
user: kube-proxy
name: service-account-context
current-context: service-account-context
EOF
)
fi
fi fi
} }
@ -598,7 +551,8 @@ if [[ -z "${is_push}" ]]; then
if [[ "${KUBERNETES_MASTER}" == "true" ]]; then if [[ "${KUBERNETES_MASTER}" == "true" ]]; then
create-salt-master-auth create-salt-master-auth
else else
create-salt-node-auth create-salt-kubelet-auth
create-salt-kubeproxy-auth
fi fi
download-release download-release
configure-salt configure-salt
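Review bot: The new create-salt-kubelet-auth and create-salt-kubeproxy-auth write the kubeconfig unconditionally once the file is absent, dropping the `[[ ! -z "${CA_CERT:-}" ]] && …` guard that wrapped the secure branch on the old side. If any variable the new header comments name (CA_CERT, KUBELET_CERT, KUBELET_KEY for the kubelet; CA_CERT, KUBE_PROXY_TOKEN for kube-proxy) is unset when the heredoc expands — its body lies outside the visible hunk — the field is written empty, and the `if [ ! -e "${kubelet_kubeconfig_file}" ]` / `if [ ! -e "${kube_proxy_kubeconfig_file}" ]` guards then skip regeneration on every later run, so the broken file persists. A fail-fast assertion at the top of each function, `: "${CA_CERT:?}" "${KUBELET_CERT:?}" "${KUBELET_KEY:?}"` and `: "${CA_CERT:?}" "${KUBE_PROXY_TOKEN:?}"`, would surface the misconfiguration instead of silently producing an unusable credential. The same exists-guard also means a node that still carries the previous `insecure-skip-tls-verify: true` kubeconfig keeps it on the "node upgrades" path the new comment says this covers, unless the overlay directory is cleared elsewhere — worth confirming, since that is not visible here. Minor style point: the new functions use `[ ! -e … ]` while the surrounding code uses `[[ … ]]`.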