Fix cassandra example for service accounts.

2015-05-15 23:21:56 +01:00 · 2015-05-15 23:21:56 +01:00 · b4b4ac4ad3
parent d7834f5033
commit b4b4ac4ad3
4 changed files with 51 additions and 13 deletions
--- a/examples/cassandra/cassandra.yaml
+++ b/examples/cassandra/cassandra.yaml
@ -26,8 +26,6 @@ spec:
      value: 512M
    - name: HEAP_NEWSIZE
      value: 100M
-    - name: KUBERNETES_API_PROTOCOL
-      value: http
  volumes:
    - name: data
      emptyDir: {}
--- a/examples/cassandra/image/kubernetes-cassandra.jar
+++ b/examples/cassandra/image/kubernetes-cassandra.jar
--- a/examples/cassandra/java/pom.xml
+++ b/examples/cassandra/java/pom.xml
@ -2,7 +2,7 @@
  <modelVersion>4.0.0</modelVersion>
  <groupId>io.k8s.cassandra</groupId>
  <artifactId>kubernetes-cassandra</artifactId>
-  <version>0.0.2</version>
+  <version>0.0.3</version>
  <build>
    <sourceDirectory>src</sourceDirectory>
    <plugins>
--- a/examples/cassandra/java/src/io/k8s/cassandra/KubernetesSeedProvider.java
+++ b/examples/cassandra/java/src/io/k8s/cassandra/KubernetesSeedProvider.java
@ -1,10 +1,14 @@
 package io.k8s.cassandra;

 import java.io.IOException;
+import java.nio.file.Files;
+import java.nio.file.Path;
+import java.nio.file.Paths;
 import java.net.InetAddress;
 import java.net.UnknownHostException;
 import java.net.URL;
 import java.net.URLConnection;
+import java.security.cert.X509Certificate;
 import java.security.KeyManagementException;
 import java.security.NoSuchAlgorithmException;
 import java.security.SecureRandom;
@ -13,6 +17,13 @@ import java.util.HashMap;
 import java.util.List;
 import java.util.Map;

+import javax.net.ssl.HostnameVerifier;
+import javax.net.ssl.HttpsURLConnection;
+import javax.net.ssl.SSLContext;
+import javax.net.ssl.SSLSession;
+import javax.net.ssl.TrustManager;
+import javax.net.ssl.X509TrustManager;
+
 import org.codehaus.jackson.JsonNode;
 import org.codehaus.jackson.annotate.JsonIgnoreProperties;
 import org.codehaus.jackson.map.ObjectMapper;
@ -45,10 +56,17 @@ public class KubernetesSeedProvider implements SeedProvider {
        return val;
    }

+    private static String getServiceAccountToken() throws IOException {
+        String file = "/var/run/secrets/kubernetes.io/serviceaccount/token";
+        return new String(Files.readAllBytes(Paths.get(file)));
+    }
+
    private static final Logger logger = LoggerFactory.getLogger(KubernetesSeedProvider.class);

    private List defaultSeeds;
-   
+    private TrustManager[] trustAll;
+    private HostnameVerifier trustAllHosts;
+
    public KubernetesSeedProvider(Map<String, String> params) {
        // Taken from SimpleSeedProvider.java
        // These are used as a fallback, if we get nothing from k8s.
@ -65,21 +83,43 @@ public class KubernetesSeedProvider implements SeedProvider {
 			logger.warn("Seed provider couldn't lookup host " + host);
 		    }
 	    }
-    } 
+	// TODO: Load the CA cert when it is available on all platforms.
+	trustAll = new TrustManager[] {
+	    new X509TrustManager() {
+		public void checkServerTrusted(X509Certificate[] certs, String authType) {}
+		public void checkClientTrusted(X509Certificate[] certs, String authType) {}
+		public X509Certificate[] getAcceptedIssuers() { return null; }
+	    }
+	};
+	trustAllHosts = new HostnameVerifier() {
+		public boolean verify(String hostname, SSLSession session) {
+		    return true;
+		}
+	    };
+    }

    public List<InetAddress> getSeeds() {
        List<InetAddress> list = new ArrayList<InetAddress>();
-        String protocol = getEnvOrDefault("KUBERNETES_API_PROTOCOL", "http");
-        String hostName = getEnvOrDefault("KUBERNETES_RO_SERVICE_HOST", "localhost");
-        String hostPort = getEnvOrDefault("KUBERNETES_RO_SERVICE_PORT", "8080");
-
-        String host = protocol + "://" + hostName + ":" + hostPort;
+        String host = "https://kubernetes.default.cluster.local";
        String serviceName = getEnvOrDefault("CASSANDRA_SERVICE", "cassandra");
        String path = "/api/v1beta3/namespaces/default/endpoints/";
        try {
+            String token = getServiceAccountToken();
+
+            SSLContext ctx = SSLContext.getInstance("SSL");
+            ctx.init(null, trustAll, new SecureRandom());
+
            URL url = new URL(host + path + serviceName);
+            HttpsURLConnection conn = (HttpsURLConnection)url.openConnection();
+
+            // TODO: Remove this once the CA cert is propogated everywhere, and replace
+            // with loading the CA cert.
+            conn.setSSLSocketFactory(ctx.getSocketFactory());
+            conn.setHostnameVerifier(trustAllHosts);
+
+            conn.addRequestProperty("Authorization", "Bearer " + token);
            ObjectMapper mapper = new ObjectMapper();
-            Endpoints endpoints = mapper.readValue(url, Endpoints.class);
+            Endpoints endpoints = mapper.readValue(conn.getInputStream(), Endpoints.class);
            if (endpoints != null) {
                // Here is a problem point, endpoints.subsets can be null in first node cases.
                if (endpoints.subsets != null && !endpoints.subsets.isEmpty()){
@ -90,8 +130,8 @@ public class KubernetesSeedProvider implements SeedProvider {
                    }
                }
            }
-        } catch (IOException ex) {
-	    logger.warn("Request to kubernetes apiserver failed"); 
+        } catch (IOException | NoSuchAlgorithmException | KeyManagementException ex) {
+	    logger.warn("Request to kubernetes apiserver failed", ex); 
        }
        if (list.size() == 0) {
 	    // If we got nothing, we might be the first instance, in that case