Salt configuration to add basic auth to GCE.

cluster/common.sh

@@ -28,11 +28,13 @@ DEFAULT_KUBECONFIG="${HOME}/.kube/config"
 # Assumed vars:
 #   KUBE_USER
 #   KUBE_PASSWORD
-#   KUBE_BEARER_TOKEN
 #   KUBE_MASTER_IP
 #   KUBECONFIG
 #   CONTEXT
 #
+# If the apiserver supports bearer auth, also provide:
+#   KUBE_BEARER_TOKEN
+#
 # The following can be omitted for --insecure-skip-tls-verify
 #   KUBE_CERT
 #   KUBE_KEY
@@ -57,8 +59,9 @@ function create-kubeconfig() {
       "--embed-certs=true"
     )
   fi
+
   local user_args=()
-  if [[ -z "${KUBE_USER:-}" || -z "${KUBE_PASSWORD:-}" ]]; then
+  if [[ ! -z "${KUBE_BEARER_TOKEN:-}" ]]; then
     user_args+=(
      "--token=${KUBE_BEARER_TOKEN}"
     )
@@ -81,6 +84,13 @@ function create-kubeconfig() {
   "${kubectl}" config set-context "${CONTEXT}" --cluster="${CONTEXT}" --user="${CONTEXT}"
   "${kubectl}" config use-context "${CONTEXT}"  --cluster="${CONTEXT}"
 
+  # If we have a bearer token, also create a credential entry with basic auth
+  # so that it is easy to discover the basic auth password for your cluster
+  # to use in a web browser.
+  if [[ ! -z "${KUBE_BEARER_TOKEN:-}" ]]; then
+    "${kubectl}" config set-credentials "${CONTEXT}-basic-auth" "--username=${KUBE_USER}" "--password=${KUBE_PASSWORD}"
+  fi
+
    echo "Wrote config for ${CONTEXT} to ${KUBECONFIG}"
 }
 
@@ -93,6 +103,7 @@ function clear-kubeconfig() {
   local kubectl="${KUBE_ROOT}/cluster/kubectl.sh"
   "${kubectl}" config unset "clusters.${CONTEXT}"
   "${kubectl}" config unset "users.${CONTEXT}"
+  "${kubectl}" config unset "users.${CONTEXT}-basic-auth"
   "${kubectl}" config unset "contexts.${CONTEXT}"
 
   local current

cluster/gce/configure-vm.sh

@@ -22,6 +22,7 @@ set -o pipefail
 is_push=$@
 
 readonly KNOWN_TOKENS_FILE="/srv/salt-overlay/salt/kube-apiserver/known_tokens.csv"
+readonly BASIC_AUTH_FILE="/srv/salt-overlay/salt/kube-apiserver/basic_auth.csv"
 
 function ensure-install-dir() {
   INSTALL_DIR="/var/cache/kubernetes-install"
@@ -238,12 +239,18 @@ EOF
 }
 
 # This should only happen on cluster initialization. Uses
+# KUBE_PASSWORD and KUBE_USER to generate basic_auth.csv. Uses
 # KUBE_BEARER_TOKEN, KUBELET_TOKEN, and KUBE_PROXY_TOKEN to generate
 # known_tokens.csv (KNOWN_TOKENS_FILE). After the first boot and
 # on upgrade, this file exists on the master-pd and should never
 # be touched again (except perhaps an additional service account,
 # see NB below.)
 function create-salt-auth() {
+  if [ ! -e "${BASIC_AUTH_FILE}" ]; then
+    mkdir -p /srv/salt-overlay/salt/kube-apiserver
+    (umask 077;
+      echo "${KUBE_PASSWORD},${KUBE_USER},admin" > "${BASIC_AUTH_FILE}")
+  fi
   if [ ! -e "${KNOWN_TOKENS_FILE}" ]; then
     mkdir -p /srv/salt-overlay/salt/kube-apiserver
     (umask 077;

cluster/gce/util.sh

@@ -471,6 +471,8 @@ ENABLE_CLUSTER_DNS: $(yaml-quote ${ENABLE_CLUSTER_DNS:-false})
 DNS_REPLICAS: $(yaml-quote ${DNS_REPLICAS:-})
 DNS_SERVER_IP: $(yaml-quote ${DNS_SERVER_IP:-})
 DNS_DOMAIN: $(yaml-quote ${DNS_DOMAIN:-})
+KUBE_USER: $(yaml-quote ${KUBE_USER})
+KUBE_PASSWORD: $(yaml-quote ${KUBE_PASSWORD})
 KUBE_BEARER_TOKEN: $(yaml-quote ${KUBE_BEARER_TOKEN})
 KUBELET_TOKEN: $(yaml-quote ${KUBELET_TOKEN:-})
 KUBE_PROXY_TOKEN: $(yaml-quote ${KUBE_PROXY_TOKEN:-})
@@ -507,6 +509,7 @@ function write-node-env {
 # variables are set:
 #   ensure-temp-dir
 #   detect-project
+#   get-password
 #   get-bearer-token
 #
 function create-master-instance {
@@ -540,6 +543,7 @@ function kube-up {
   ensure-temp-dir
   detect-project
 
+  get-password
   get-bearer-token
 
   # Make sure we have the tar files staged on Google Storage
@@ -803,6 +807,7 @@ function kube-push {
   detect-project
   detect-master
   detect-minion-names
+  get-password
   get-bearer-token
 
   # Make sure we have the tar files staged on Google Storage
@@ -831,7 +836,7 @@ function kube-push {
   echo
   echo "  https://${KUBE_MASTER_IP}"
   echo
-  echo "The user name and password to use is located in ~/.kubernetes_auth."
+  echo "The user name and password to use is located in ~/.kube/config"
   echo
 }
 

cluster/saltbase/salt/kube-apiserver/init.sls

@@ -9,6 +9,12 @@
 {% endif %}
 {% endif %}
 
+{% if grains['cloud'] is defined and grains['cloud'] == 'gce' %}
+/srv/kubernetes/basic_auth.csv:
+  file.managed:
+    - source: salt://kube-apiserver/basic_auth.csv
+{% endif %}
+
 # Copy kube-apiserver manifest to manifests folder for kubelet.
 /etc/kubernetes/manifests/kube-apiserver.manifest:
   file.managed:
@@ -20,7 +26,7 @@
     - makedirs: true
     - dir_mode: 755
 
-#stop legacy kube-apiserver service 
+#stop legacy kube-apiserver service
 stop_kube-apiserver:
   service.dead:
     - name: kube-apiserver

cluster/saltbase/salt/kube-apiserver/kube-apiserver.manifest

@@ -52,6 +52,7 @@
 {% endif -%}
 
 {% set token_auth_file = "--token_auth_file=/dev/null" -%}
+{% set basic_auth_file = "" -%}
 
 {% if grains.cloud is defined -%}
 {% if grains.cloud in [ 'aws', 'gce', 'vagrant' ] -%}
@@ -59,6 +60,10 @@
 {% endif -%}
 {% endif -%}
 
+{% if grains['cloud'] is defined and grains['cloud'] == 'gce' %}
+  {% set basic_auth_file = "--basic_auth_file=/srv/kubernetes/basic_auth.csv" -%}
+{% endif -%}
+
 {% set admission_control = "" -%}
 {% if pillar['admission_control'] is defined -%}
  {% set admission_control = "--admission_control=" + pillar['admission_control'] -%}
@@ -95,6 +100,7 @@
                  "--secure_port={{secure_port}}",
                  "{{token_auth_file}}",
                  "{{client_ca_file}}",
+                 "{{basic_auth_file}}",
                  "{{publicAddressOverride}}",
                  "{{pillar['log_level']}}"
                ],