Merge pull request #7275 from cjcullen/readonly

kube2sky using kubeconfig secret: take 2. Point system secrets at https:...

cluster/addons/dns/kube2sky/kube2sky.go

@@ -29,6 +29,8 @@ import (
 
 	kapi "github.com/GoogleCloudPlatform/kubernetes/pkg/api"
 	kclient "github.com/GoogleCloudPlatform/kubernetes/pkg/client"
+	kclientcmd "github.com/GoogleCloudPlatform/kubernetes/pkg/client/clientcmd"
+	kclientcmdapi "github.com/GoogleCloudPlatform/kubernetes/pkg/client/clientcmd/api"
 	kfields "github.com/GoogleCloudPlatform/kubernetes/pkg/fields"
 	klabels "github.com/GoogleCloudPlatform/kubernetes/pkg/labels"
 	tools "github.com/GoogleCloudPlatform/kubernetes/pkg/tools"
@@ -42,6 +44,7 @@ var (
 	etcd_mutation_timeout = flag.Duration("etcd_mutation_timeout", 10*time.Second, "crash after retrying etcd mutation for a specified duration")
 	etcd_server           = flag.String("etcd-server", "http://127.0.0.1:4001", "URL to etcd server")
 	verbose               = flag.Bool("verbose", false, "log extra information")
+	kubecfg_file          = flag.String("kubecfg_file", "", "Location of kubecfg file for access to kubernetes service")
 )
 
 func removeDNS(record string, etcdClient *etcd.Client) error {
@@ -128,22 +131,40 @@ func newEtcdClient() (client *etcd.Client) {
 
 // TODO: evaluate using pkg/client/clientcmd
 func newKubeClient() (*kclient.Client, error) {
-	config := &kclient.Config{}
+	var config *kclient.Config
-
+	if *kubecfg_file == "" {
-	masterHost := os.Getenv("KUBERNETES_RO_SERVICE_HOST")
+		// No kubecfg file provided. Use kubernetes_ro service.
-	if masterHost == "" {
+		masterHost := os.Getenv("KUBERNETES_RO_SERVICE_HOST")
-		log.Fatalf("KUBERNETES_RO_SERVICE_HOST is not defined")
+		if masterHost == "" {
+			log.Fatalf("KUBERNETES_RO_SERVICE_HOST is not defined")
+		}
+		masterPort := os.Getenv("KUBERNETES_RO_SERVICE_PORT")
+		if masterPort == "" {
+			log.Fatalf("KUBERNETES_RO_SERVICE_PORT is not defined")
+		}
+		config = &kclient.Config{
+			Host:    fmt.Sprintf("http://%s:%s", masterHost, masterPort),
+			Version: "v1beta1",
+		}
+	} else {
+		masterHost := os.Getenv("KUBERNETES_SERVICE_HOST")
+		if masterHost == "" {
+			log.Fatalf("KUBERNETES_SERVICE_HOST is not defined")
+		}
+		masterPort := os.Getenv("KUBERNETES_SERVICE_PORT")
+		if masterPort == "" {
+			log.Fatalf("KUBERNETES_SERVICE_PORT is not defined")
+		}
+		master := fmt.Sprintf("https://%s:%s", masterHost, masterPort)
+		var err error
+		if config, err = kclientcmd.NewNonInteractiveDeferredLoadingClientConfig(
+			&kclientcmd.ClientConfigLoadingRules{ExplicitPath: *kubecfg_file},
+			&kclientcmd.ConfigOverrides{ClusterInfo: kclientcmdapi.Cluster{Server: master}}).ClientConfig(); err != nil {
+			return nil, err
+		}
 	}
-	masterPort := os.Getenv("KUBERNETES_RO_SERVICE_PORT")
-	if masterPort == "" {
-		log.Fatalf("KUBERNETES_RO_SERVICE_PORT is not defined")
-	}
-	config.Host = fmt.Sprintf("http://%s:%s", masterHost, masterPort)
 	log.Printf("Using %s for kubernetes master", config.Host)
-
-	config.Version = "v1beta1"
 	log.Printf("Using kubernetes API %s", config.Version)
-
 	return kclient.New(config)
 }
 

cluster/addons/dns/skydns-rc.yaml.in

@@ -29,10 +29,15 @@ desiredState:
                     "-advertise-client-urls=http://127.0.0.1:4001",
             ]
           - name: kube2sky
-            image: gcr.io/google_containers/kube2sky:1.1
+            image: gcr.io/google_containers/kube2sky:1.2
+            volumeMounts:
+               - name: dns-token
+                 mountPath: /etc/dns_token
+                 readOnly: true
             command: [
                     # entrypoint = "/kube2sky",
                     "-domain={{ pillar['dns_domain'] }}",
+                    "-kubecfg_file=/etc/dns_token/kubeconfig",
             ]
           - name: skydns
             image: gcr.io/google_containers/skydns:2015-03-11-001
@@ -46,3 +51,11 @@ desiredState:
               - name: dns
                 containerPort: 53
                 protocol: UDP
+        volumes:
+           - name: dns-token
+             source:
+               secret:
+                 target:
+                   kind: Secret
+                   namespace: default
+                   name: token-system-dns

cluster/saltbase/salt/kube-addons/default

@@ -1,14 +0,0 @@
-#TODO(erictune): once we make DNS a hard requirement for clusters, then this can be removed,
-# and APISERVER_URL="https://kubernetes:443"
-{% if grains.api_servers is defined -%}
-  {% set api_server = "https://" + grains.api_servers + ":6443" -%}
-{% elif grains.apiservers is defined -%} # TODO(remove after 0.16.0): Deprecated form
-  {% set api_server = "https://" + grains.apiservers + ":6443" -%}
-{% elif grains['roles'][0] == 'kubernetes-master' -%}
-  {% set master_ipv4 = salt['grains.get']('fqdn_ip4')[0] -%}
-  {% set api_server = "https://" + master_ipv4 + ":6443" -%}
-{% else -%}
-  {% set ips = salt['mine.get']('roles:kubernetes-master', 'network.ip_addrs', 'grain').values() -%}
-  {% set api_server = "https://" + ips[0][0] + ":6443" -%}
-{% endif -%}
-export APISERVER_URL={{ api_server }}

cluster/saltbase/salt/kube-addons/init.sls

@@ -48,20 +48,6 @@
     - makedirs: True
 {% endif %}
 
-{% if grains['os_family'] == 'RedHat' %}
-{% set environment_file = '/etc/sysconfig/kube-addons' %}
-{% else %}
-{% set environment_file = '/etc/default/kube-addons' %}
-{% endif %}
-
-{{ environment_file }}:
-  file.managed:
-    - source: salt://kube-addons/default
-    - template: jinja
-    - user: root
-    - group: root
-    - mode: 644
-
 /etc/kubernetes/kube-addons.sh:
   file.managed:
     - source: salt://kube-addons/kube-addons.sh

cluster/saltbase/salt/kube-addons/initd

@@ -21,9 +21,6 @@ PIDFILE=/var/run/$NAME.pid
 SCRIPTNAME=/etc/init.d/$NAME
 KUBE_ADDONS_SH=/etc/kubernetes/kube-addons.sh
 
-# Read configuration variable file if it is present
-[ -r /etc/default/$NAME ] && . /etc/default/$NAME
-
 # Define LSB log_* functions.
 # Depend on lsb-base (>= 3.2-14) to ensure that this file is present
 # and status_of_proc is working.

cluster/saltbase/salt/kube-addons/kube-addons.service

@@ -3,7 +3,6 @@ Description=Kubernetes Addon Object Manager
 Documentation=https://github.com/GoogleCloudPlatform/kubernetes
 
 [Service]
-EnvironmentFile=/etc/sysconfig/kube-addons
 ExecStart=/etc/kubernetes/kube-addons.sh
 
 [Install]

cluster/saltbase/salt/kube-addons/kube-addons.sh

@@ -19,11 +19,6 @@
 # managed result is of that. Start everything below that directory.
 KUBECTL=/usr/local/bin/kubectl
 
-if [ -z "$APISERVER_URL" ] ; then
-  echo "Must set APISERVER_URL"
-  exit 1
-fi
-
 function create-kubeconfig-secret() {
   local -r token=$1
   local -r username=$2
@@ -32,6 +27,8 @@ function create-kubeconfig-secret() {
   # Make a kubeconfig file with the token.
   # TODO(etune): put apiserver certs into secret too, and reference from authfile,
   # so that "Insecure" is not needed.
+  # Point the kubeconfig file at https://kubernetes:443. Pods/components that
+  # do not have DNS available will have to override the server.
   read -r -d '' kubeconfig <<EOF
 apiVersion: v1
 kind: Config
@@ -42,7 +39,7 @@ users:
 clusters:
 - name: local
   cluster:
-     server: ${APISERVER_URL}
+     server: "https://kubernetes:443"
      insecure-skip-tls-verify: true
 contexts:
 - context: