Skip to content
Projects
Groups
Snippets
Help
This project
Loading...
Sign in / Register
Toggle navigation
K
k3s
Project
Project
Details
Activity
Cycle Analytics
Repository
Repository
Files
Commits
Branches
Tags
Contributors
Graph
Compare
Charts
Issues
0
Issues
0
List
Board
Labels
Milestones
Merge Requests
0
Merge Requests
0
CI / CD
CI / CD
Pipelines
Jobs
Schedules
Charts
Registry
Registry
Wiki
Wiki
Snippets
Snippets
Members
Members
Collapse sidebar
Close sidebar
Activity
Graph
Charts
Create a new issue
Jobs
Commits
Issue Boards
Open sidebar
Jacklull
k3s
Commits
b4488252
Commit
b4488252
authored
Apr 02, 2016
by
k8s-merge-robot
Browse files
Options
Browse Files
Download
Plain Diff
Merge pull request #23603 from mikedanese/dont-create-secret-for-dns
Automatic merge from submit-queue stop creating secrets for dns, it uses the kube-system service account now
parents
b1b58c41
0a821a47
Hide whitespace changes
Inline
Side-by-side
Showing
4 changed files
with
2 additions
and
93 deletions
+2
-93
configure-vm.sh
cluster/gce/configure-vm.sh
+1
-1
configure-node.sh
cluster/gce/coreos/configure-node.sh
+1
-1
configure-helper.sh
cluster/gce/trusty/configure-helper.sh
+0
-1
kube-addons.sh
cluster/saltbase/salt/kube-addons/kube-addons.sh
+0
-90
No files found.
cluster/gce/configure-vm.sh
View file @
b4488252
...
@@ -585,7 +585,7 @@ function create-salt-master-auth() {
...
@@ -585,7 +585,7 @@ function create-salt-master-auth() {
# NB: If this list ever changes, this script actually has to
# NB: If this list ever changes, this script actually has to
# change to detect the existence of this file, kill any deleted
# change to detect the existence of this file, kill any deleted
# old tokens and add any new tokens (to handle the upgrade case).
# old tokens and add any new tokens (to handle the upgrade case).
local
-r
service_accounts
=(
"system:scheduler"
"system:controller_manager"
"system:logging"
"system:monitoring"
"system:dns"
)
local
-r
service_accounts
=(
"system:scheduler"
"system:controller_manager"
"system:logging"
"system:monitoring"
)
for
account
in
"
${
service_accounts
[@]
}
"
;
do
for
account
in
"
${
service_accounts
[@]
}
"
;
do
token
=
$(
dd
if
=
/dev/urandom
bs
=
128
count
=
1 2>/dev/null |
base64
|
tr
-d
"=+/"
|
dd
bs
=
32
count
=
1 2>/dev/null
)
token
=
$(
dd
if
=
/dev/urandom
bs
=
128
count
=
1 2>/dev/null |
base64
|
tr
-d
"=+/"
|
dd
bs
=
32
count
=
1 2>/dev/null
)
echo
"
${
token
}
,
${
account
}
,
${
account
}
"
>>
"
${
KNOWN_TOKENS_FILE
}
"
echo
"
${
token
}
,
${
account
}
,
${
account
}
"
>>
"
${
KNOWN_TOKENS_FILE
}
"
...
...
cluster/gce/coreos/configure-node.sh
View file @
b4488252
...
@@ -256,7 +256,7 @@ function create-salt-master-auth() {
...
@@ -256,7 +256,7 @@ function create-salt-master-auth() {
# NB: If this list ever changes, this script actually has to
# NB: If this list ever changes, this script actually has to
# change to detect the existence of this file, kill any deleted
# change to detect the existence of this file, kill any deleted
# old tokens and add any new tokens (to handle the upgrade case).
# old tokens and add any new tokens (to handle the upgrade case).
local
-r
service_accounts
=(
"system:scheduler"
"system:controller_manager"
"system:logging"
"system:monitoring"
"system:dns"
)
local
-r
service_accounts
=(
"system:scheduler"
"system:controller_manager"
"system:logging"
"system:monitoring"
)
for
account
in
"
${
service_accounts
[@]
}
"
;
do
for
account
in
"
${
service_accounts
[@]
}
"
;
do
token
=
$(
dd
if
=
/dev/urandom
bs
=
128
count
=
1 2>/dev/null |
base64
|
tr
-d
"=+/"
|
dd
bs
=
32
count
=
1 2>/dev/null
)
token
=
$(
dd
if
=
/dev/urandom
bs
=
128
count
=
1 2>/dev/null |
base64
|
tr
-d
"=+/"
|
dd
bs
=
32
count
=
1 2>/dev/null
)
echo
"
${
token
}
,
${
account
}
,
${
account
}
"
>>
"
${
KNOWN_TOKENS_FILE
}
"
echo
"
${
token
}
,
${
account
}
,
${
account
}
"
>>
"
${
KNOWN_TOKENS_FILE
}
"
...
...
cluster/gce/trusty/configure-helper.sh
View file @
b4488252
...
@@ -309,7 +309,6 @@ create_master_auth() {
...
@@ -309,7 +309,6 @@ create_master_auth() {
add_token_entry
"system:controller_manager"
"
${
known_tokens_csv
}
"
add_token_entry
"system:controller_manager"
"
${
known_tokens_csv
}
"
add_token_entry
"system:logging"
"
${
known_tokens_csv
}
"
add_token_entry
"system:logging"
"
${
known_tokens_csv
}
"
add_token_entry
"system:monitoring"
"
${
known_tokens_csv
}
"
add_token_entry
"system:monitoring"
"
${
known_tokens_csv
}
"
add_token_entry
"system:dns"
"
${
known_tokens_csv
}
"
fi
fi
if
[
-n
"
${
PROJECT_ID
:-}
"
]
&&
[
-n
"
${
TOKEN_URL
:-}
"
]
&&
[
-n
"
${
TOKEN_BODY
:-}
"
]
&&
[
-n
"
${
NODE_NETWORK
:-}
"
]
;
then
if
[
-n
"
${
PROJECT_ID
:-}
"
]
&&
[
-n
"
${
TOKEN_URL
:-}
"
]
&&
[
-n
"
${
TOKEN_BODY
:-}
"
]
&&
[
-n
"
${
NODE_NETWORK
:-}
"
]
;
then
...
...
cluster/saltbase/salt/kube-addons/kube-addons.sh
View file @
b4488252
...
@@ -22,7 +22,6 @@ KUBECTL=${KUBECTL_BIN:-/usr/local/bin/kubectl}
...
@@ -22,7 +22,6 @@ KUBECTL=${KUBECTL_BIN:-/usr/local/bin/kubectl}
ADDON_CHECK_INTERVAL_SEC
=
${
TEST_ADDON_CHECK_INTERVAL_SEC
:-
600
}
ADDON_CHECK_INTERVAL_SEC
=
${
TEST_ADDON_CHECK_INTERVAL_SEC
:-
600
}
SYSTEM_NAMESPACE
=
kube-system
SYSTEM_NAMESPACE
=
kube-system
token_dir
=
${
TOKEN_DIR
:-
/srv/kubernetes
}
trusty_master
=
${
TRUSTY_MASTER
:-
false
}
trusty_master
=
${
TRUSTY_MASTER
:-
false
}
function
ensure_python
()
{
function
ensure_python
()
{
...
@@ -35,72 +34,6 @@ function ensure_python() {
...
@@ -35,72 +34,6 @@ function ensure_python() {
fi
fi
}
}
function
create-kubeconfig-secret
()
{
local
-r
token
=
$1
local
-r
username
=
$2
local
-r
server
=
$3
local
-r
safe_username
=
$(
tr
-s
':_'
'--'
<<<
"
${
username
}
"
)
# Make a kubeconfig file with the token.
if
[[
!
-z
"
${
CA_CERT
:-}
"
]]
;
then
# If the CA cert is available, put it into the secret rather than using
# insecure-skip-tls-verify.
read
-r
-d
''
kubeconfig
<<
EOF
apiVersion: v1
kind: Config
users:
- name:
${
username
}
user:
token:
${
token
}
clusters:
- name: local
cluster:
server:
${
server
}
certificate-authority-data:
${
CA_CERT
}
contexts:
- context:
cluster: local
user:
${
username
}
namespace:
${
SYSTEM_NAMESPACE
}
name: service-account-context
current-context: service-account-context
EOF
else
read
-r
-d
''
kubeconfig
<<
EOF
apiVersion: v1
kind: Config
users:
- name:
${
username
}
user:
token:
${
token
}
clusters:
- name: local
cluster:
server:
${
server
}
insecure-skip-tls-verify: true
contexts:
- context:
cluster: local
user:
${
username
}
namespace:
${
SYSTEM_NAMESPACE
}
name: service-account-context
current-context: service-account-context
EOF
fi
local
-r
kubeconfig_base64
=
$(
echo
"
${
kubeconfig
}
"
|
base64
-w0
)
read
-r
-d
''
secretyaml
<<
EOF
apiVersion: v1
data:
kubeconfig:
${
kubeconfig_base64
}
kind: Secret
metadata:
name: token-
${
safe_username
}
type: Opaque
EOF
create-resource-from-string
"
${
secretyaml
}
"
100 10
"Secret-for-token-for-user-
${
username
}
"
"
${
SYSTEM_NAMESPACE
}
"
&
}
# $1 filename of addon to start.
# $1 filename of addon to start.
# $2 count of tries to start the addon.
# $2 count of tries to start the addon.
# $3 delay in seconds between two consecutive tries
# $3 delay in seconds between two consecutive tries
...
@@ -196,29 +129,6 @@ done
...
@@ -196,29 +129,6 @@ done
echo
"== default service account in the
${
SYSTEM_NAMESPACE
}
namespace has token
${
token_found
}
=="
echo
"== default service account in the
${
SYSTEM_NAMESPACE
}
namespace has token
${
token_found
}
=="
# Generate secrets for "internal service accounts".
# TODO(etune): move to a completely yaml/object based
# workflow so that service accounts can be created
# at the same time as the services that use them.
# NOTE: needs to run as root to read this file.
# Read each line in the csv file of tokens.
# Expect errors when the script is started again.
# NOTE: secrets are created asynchronously, in background.
while
read
line
;
do
# Split each line into the token and username.
IFS
=
','
read
-a
parts
<<<
"
${
line
}
"
token
=
${
parts
[0]
}
username
=
${
parts
[1]
}
# DNS is special, since it's necessary for cluster bootstrapping.
if
[[
"
${
username
}
"
==
"system:dns"
]]
&&
[[
!
-z
"
${
KUBERNETES_MASTER_NAME
:-}
"
]]
;
then
create-kubeconfig-secret
"
${
token
}
"
"
${
username
}
"
"https://
${
KUBERNETES_MASTER_NAME
}
"
else
# Set the server to https://kubernetes. Pods/components that
# do not have DNS available will have to override the server.
create-kubeconfig-secret
"
${
token
}
"
"
${
username
}
"
"https://kubernetes.default"
fi
done
<
"
${
token_dir
}
/known_tokens.csv"
# Create admission_control objects if defined before any other addon services. If the limits
# Create admission_control objects if defined before any other addon services. If the limits
# are defined in a namespace other than default, we should still create the limits for the
# are defined in a namespace other than default, we should still create the limits for the
# default namespace.
# default namespace.
...
...
Write
Preview
Markdown
is supported
0%
Try again
or
attach a new file
Attach a file
Cancel
You are about to add
0
people
to the discussion. Proceed with caution.
Finish editing this message first!
Cancel
Please
register
or
sign in
to comment