From 21dae01005d8d58be5d85756e6ee8cd92120184e Mon Sep 17 00:00:00 2001
From: Eric Tune
Date: Mon, 20 Oct 2014 13:49:24 -0700
Subject: [PATCH] Handle auth files with BearerToken sections.
---
 cluster/gce/util.sh | 22 ++++++++++++++++++++--
 cmd/e2e/e2e.go | 1 +
 cmd/kubecfg/kubecfg.go | 3 +++
 pkg/kubecfg/kubecfg.go | 13 +++++++------
 pkg/kubectl/cmd/cmd.go | 1 +
 pkg/kubectl/kubectl.go | 13 +++++++------
 6 files changed, 39 insertions(+), 14 deletions(-)
diff --git a/cluster/gce/util.sh b/cluster/gce/util.sh
index 1dda16160e..dee16d6851 100755
--- a/cluster/gce/util.sh
+++ b/cluster/gce/util.sh
@@ -193,7 +193,8 @@ function get-password {
 KUBE_USER=admin
 KUBE_PASSWORD=$(python -c 'import string,random; print "".join(random.SystemRandom().choice(string.ascii_letters + string.digits) for _ in range(16))')
- # Store password for reuse.
+ # Remove this code, since in all use cases I can see, we are overwriting this
+ # at cluster creation time.
 cat << EOF > "$file"
 {
 "User": "$KUBE_USER",
@@ -203,6 +204,20 @@ EOF
 chmod 0600 "$file"
 }
+# Generate authentication token for admin user. Will
+# read from $HOME/.kubernetes_auth if available.
+#
+# Vars set:
+# KUBE_ADMIN_TOKEN
+function get-admin-token {
+ local file="$HOME/.kubernetes_auth"
+ if [[ -r "$file" ]]; then
+ KUBE_ADMIN_TOKEN=$(cat "$file" | python -c 'import json,sys;print json.load(sys.stdin)["BearerToken"]')
+ return
+ fi
+ KUBE_ADMIN_TOKEN=$(python -c 'import string,random; print "".join(random.SystemRandom().choice(string.ascii_letters + string.digits) for _ in range(32))')
+}
+
 # Instantiate a kubernetes cluster
 #
 # Assumed vars
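Review bot: The comment that replaces "# Store password for reuse." in get-password is an instruction to a future editor, but it carries no marker, so it will not show up in TODO searches and reads as if it described the code. Prefer `# TODO: remove this block; cluster creation overwrites the file anyway.` and keep a one-line description of what the heredoc writes. get-password's body continues outside the hunk.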
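Review bot: In get-admin-token, an existing $HOME/.kubernetes_auth that has no "BearerToken" key — which is exactly the shape the get-password heredoc in the previous hunk writes — makes the python one-liner raise KeyError, so the command substitution yields an empty string and the function returns with an empty KUBE_ADMIN_TOKEN instead of falling through to generate one. Read the key with a default and only return when a value was found: `KUBE_ADMIN_TOKEN=$(python -c 'import json,sys;print json.load(sys.stdin).get("BearerToken","")' < "$file")` followed by `[[ -n "$KUBE_ADMIN_TOKEN" ]] && return`; this also drops the needless cat pipeline. Note that this branch reuses whatever token the file already holds, so a stale or hand-edited value is carried into the new cluster's config; that is worth a sentence in the header comment.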
@@ -375,6 +390,8 @@ function kube-up {
 local kube_key=".kubecfg.key"
 local ca_cert=".kubernetes.ca.crt"
+ # TODO: generate ADMIN (and KUBELET) tokens and put those in the master's
+ # config file. Distribute the same way the htpasswd is done.
 (umask 077
 gcutil ssh "${MASTER_NAME}" sudo cat /usr/share/nginx/kubecfg.crt >"${HOME}/${kube_cert}" 2>/dev/null
 gcutil ssh "${MASTER_NAME}" sudo cat /usr/share/nginx/kubecfg.key >"${HOME}/${kube_key}" 2>/dev/null
@@ -386,7 +403,8 @@ function kube-up {
 "Password": "$KUBE_PASSWORD",
 "CAFile": "$HOME/$ca_cert",
 "CertFile": "$HOME/$kube_cert",
- "KeyFile": "$HOME/$kube_key"
+ "KeyFile": "$HOME/$kube_key",
+ "BearerToken": "$KUBE_ADMIN_TOKEN"
 }
 EOF
diff --git a/cmd/e2e/e2e.go b/cmd/e2e/e2e.go
index 1753fc37cd..8cc28dc0bc 100644
--- a/cmd/e2e/e2e.go
+++ b/cmd/e2e/e2e.go
@@ -88,6 +88,7 @@ func loadClientOrDie() *client.Client {
 config.CAFile = auth.CAFile
 config.CertFile = auth.CertFile
 config.KeyFile = auth.KeyFile
+ config.BearerToken = auth.BearerToken
 if auth.Insecure != nil {
 config.Insecure = *auth.Insecure
 }
diff --git a/cmd/kubecfg/kubecfg.go b/cmd/kubecfg/kubecfg.go
index 38272e4de0..a8cf0d9789 100644
--- a/cmd/kubecfg/kubecfg.go
+++ b/cmd/kubecfg/kubecfg.go
@@ -216,6 +216,9 @@ func main() {
 if auth.KeyFile != "" {
 clientConfig.KeyFile = auth.KeyFile
 }
+ if auth.BearerToken != "" {
+ clientConfig.BearerToken = auth.BearerToken
+ }
 if auth.Insecure != nil {
 clientConfig.Insecure = *auth.Insecure
 }
diff --git a/pkg/kubecfg/kubecfg.go b/pkg/kubecfg/kubecfg.go
index 680ba59fe1..271f904838 100644
--- a/pkg/kubecfg/kubecfg.go
+++ b/pkg/kubecfg/kubecfg.go
@@ -52,12 +52,13 @@ func promptForString(field string, r io.Reader) string {
 }
 type AuthInfo struct {
- User string
- Password string
- CAFile string
- CertFile string
- KeyFile string
- Insecure *bool
+ User string
+ Password string
+ CAFile string
+ CertFile string
+ KeyFile string
+ BearerToken string
+ Insecure *bool
 }
 type NamespaceInfo struct {
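Review bot: The kube-up heredoc now interpolates $KUBE_ADMIN_TOKEN, but no call to get-admin-token appears anywhere in this patch, so unless kube-up invokes it somewhere outside the hunk the variable is empty and the file is written with `"BearerToken": ""`, which e2e.go and pkg/kubectl/cmd/cmd.go then copy into the client config unconditionally. Call `get-admin-token` next to wherever kube-up already calls `get-password`, or omit the key when the variable is empty. It is also not visible from the hunk whether this heredoc runs inside the `(umask 077` subshell opened in the previous hunk; confirm the file gets the same `chmod 0600` treatment get-password applies, since it now holds a bearer credential in addition to the password. kube-up's body starts and ends outside the hunk.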
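Review bot: The new BearerToken field on the exported AuthInfo struct in pkg/kubecfg/kubecfg.go has no doc comment, and the identical struct is repeated field-for-field in pkg/kubectl/kubectl.go (the last hunk), so the two now have to be kept in step by hand. Add `// BearerToken is an optional API credential read from the auth file; the file holding it must stay private.` to both, plus a one-line comment above each struct pointing at its twin. Because the fields carry no json tags, the key in the auth file is derived from the field name, which matches the `"BearerToken"` key util.sh writes; a comment saying the names are load-bearing would stop a later rename from silently breaking file loading.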
diff --git a/pkg/kubectl/cmd/cmd.go b/pkg/kubectl/cmd/cmd.go
index 14760b199a..9e2a7ec36a 100644
--- a/pkg/kubectl/cmd/cmd.go
+++ b/pkg/kubectl/cmd/cmd.go
@@ -171,6 +171,7 @@ func getKubeClient(cmd *cobra.Command) *client.Client {
 config.CAFile = firstNonEmptyString(getFlagString(cmd, "certificate-authority"), authInfo.CAFile)
 config.CertFile = firstNonEmptyString(getFlagString(cmd, "client-certificate"), authInfo.CertFile)
 config.KeyFile = firstNonEmptyString(getFlagString(cmd, "client-key"), authInfo.KeyFile)
+ config.BearerToken = authInfo.BearerToken
 // For config.Insecure, the command line ALWAYS overrides the authInfo
 // file, regardless of its setting.
 if insecureFlag := getFlagBoolPtr(cmd, "insecure-skip-tls-verify"); insecureFlag != nil {
diff --git a/pkg/kubectl/kubectl.go b/pkg/kubectl/kubectl.go
index 4ef0be41cd..566b8a0a4d 100644
--- a/pkg/kubectl/kubectl.go
+++ b/pkg/kubectl/kubectl.go
@@ -59,12 +59,13 @@ func GetKubeClient(config *client.Config, matchVersion bool) (*client.Client, er
 }
 type AuthInfo struct {
- User string
- Password string
- CAFile string
- CertFile string
- KeyFile string
- Insecure *bool
+ User string
+ Password string
+ CAFile string
+ CertFile string
+ KeyFile string
+ BearerToken string
+ Insecure *bool
 }
 // LoadAuthInfo parses an AuthInfo object from a file path. It prompts user and creates file if it doesn't exist.
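Review bot: Unlike the three assignments directly above it in getKubeClient, `config.BearerToken = authInfo.BearerToken` has no command-line override, and the neighbouring comment explains the override rule only for Insecure, so a reader cannot tell whether the asymmetry is deliberate. Keeping a secret off the command line is a sound choice — it would otherwise land in shell history and process listings — so say so: `// BearerToken comes only from the auth file; there is no flag, so the token never appears on a command line.` If an override is wanted later, a file- or env-based source would keep that property. getKubeClient's body continues outside the hunk.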