Commit 728b337e authored by Robert Bailey's avatar Robert Bailey

Refactor the functions that generate auth for the kubelet and kubeproxy

and remove the insecure configuration now that GKE has plumbed through certificates.
parent d28a6656
...@@ -331,24 +331,16 @@ function create-salt-master-auth() { ...@@ -331,24 +331,16 @@ function create-salt-master-auth() {
fi fi
} }
# TODO(roberthbailey): Remove the insecure kubeconfig configuration files # This should happen both on cluster initialization and node upgrades.
# once the certs are being plumbed through for GKE. #
function create-salt-node-auth() { # - Uses CA_CERT, KUBELET_CERT, and KUBELET_KEY to generate a kubeconfig file
if [[ ! -e /srv/kubernetes/ca.crt ]]; then # for the kubelet to securely connect to the apiserver.
if [[ ! -z "${CA_CERT:-}" ]] && [[ ! -z "${KUBELET_CERT:-}" ]] && [[ ! -z "${KUBELET_KEY:-}" ]]; then function create-salt-kubelet-auth() {
mkdir -p /srv/kubernetes local -r kubelet_kubeconfig_file="/srv/salt-overlay/salt/kubelet/kubeconfig"
(umask 077;
echo "${CA_CERT}" | base64 -d > /srv/kubernetes/ca.crt;
echo "${KUBELET_CERT}" | base64 -d > /srv/kubernetes/kubelet.crt;
echo "${KUBELET_KEY}" | base64 -d > /srv/kubernetes/kubelet.key)
fi
fi
kubelet_kubeconfig_file="/srv/salt-overlay/salt/kubelet/kubeconfig"
if [ ! -e "${kubelet_kubeconfig_file}" ]; then if [ ! -e "${kubelet_kubeconfig_file}" ]; then
mkdir -p /srv/salt-overlay/salt/kubelet mkdir -p /srv/salt-overlay/salt/kubelet
if [[ ! -z "${CA_CERT:-}" ]] && [[ ! -z "${KUBELET_CERT:-}" ]] && [[ ! -z "${KUBELET_KEY:-}" ]]; then (umask 077;
(umask 077; cat > "${kubelet_kubeconfig_file}" <<EOF
cat > "${kubelet_kubeconfig_file}" <<EOF
apiVersion: v1 apiVersion: v1
kind: Config kind: Config
users: users:
...@@ -368,35 +360,18 @@ contexts: ...@@ -368,35 +360,18 @@ contexts:
current-context: service-account-context current-context: service-account-context
EOF EOF
) )
else
(umask 077;
cat > "${kubelet_kubeconfig_file}" <<EOF
apiVersion: v1
kind: Config
users:
- name: kubelet
user:
token: ${KUBELET_TOKEN}
clusters:
- name: local
cluster:
insecure-skip-tls-verify: true
contexts:
- context:
cluster: local
user: kubelet
name: service-account-context
current-context: service-account-context
EOF
)
fi
fi fi
}
kube_proxy_kubeconfig_file="/srv/salt-overlay/salt/kube-proxy/kubeconfig" # This should happen both on cluster initialization and node upgrades.
#
# - Uses the CA_CERT and KUBE_PROXY_TOKEN to generate a kubeconfig file for
# the kube-proxy to securely connect to the apiserver.
function create-salt-kubeproxy-auth() {
local -r kube_proxy_kubeconfig_file="/srv/salt-overlay/salt/kube-proxy/kubeconfig"
if [ ! -e "${kube_proxy_kubeconfig_file}" ]; then if [ ! -e "${kube_proxy_kubeconfig_file}" ]; then
mkdir -p /srv/salt-overlay/salt/kube-proxy mkdir -p /srv/salt-overlay/salt/kube-proxy
if [[ ! -z "${CA_CERT:-}" ]]; then (umask 077;
(umask 077;
cat > "${kube_proxy_kubeconfig_file}" <<EOF cat > "${kube_proxy_kubeconfig_file}" <<EOF
apiVersion: v1 apiVersion: v1
kind: Config kind: Config
...@@ -416,28 +391,6 @@ contexts: ...@@ -416,28 +391,6 @@ contexts:
current-context: service-account-context current-context: service-account-context
EOF EOF
) )
else
(umask 077;
cat > "${kube_proxy_kubeconfig_file}" <<EOF
apiVersion: v1
kind: Config
users:
- name: kube-proxy
user:
token: ${KUBE_PROXY_TOKEN}
clusters:
- name: local
cluster:
insecure-skip-tls-verify: true
contexts:
- context:
cluster: local
user: kube-proxy
name: service-account-context
current-context: service-account-context
EOF
)
fi
fi fi
} }
...@@ -598,7 +551,8 @@ if [[ -z "${is_push}" ]]; then ...@@ -598,7 +551,8 @@ if [[ -z "${is_push}" ]]; then
if [[ "${KUBERNETES_MASTER}" == "true" ]]; then if [[ "${KUBERNETES_MASTER}" == "true" ]]; then
create-salt-master-auth create-salt-master-auth
else else
create-salt-node-auth create-salt-kubelet-auth
create-salt-kubeproxy-auth
fi fi
download-release download-release
configure-salt configure-salt
......
Markdown is supported
0% or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment