Skip to content
Projects
Groups
Snippets
Help
This project
Loading...
Sign in / Register
Toggle navigation
K
k3s
Project
Project
Details
Activity
Cycle Analytics
Repository
Repository
Files
Commits
Branches
Tags
Contributors
Graph
Compare
Charts
Issues
0
Issues
0
List
Board
Labels
Milestones
Merge Requests
0
Merge Requests
0
CI / CD
CI / CD
Pipelines
Jobs
Schedules
Charts
Registry
Registry
Wiki
Wiki
Snippets
Snippets
Members
Members
Collapse sidebar
Close sidebar
Activity
Graph
Charts
Create a new issue
Jobs
Commits
Issue Boards
Open sidebar
Jacklull
k3s
Commits
e4200cea
Unverified
Commit
e4200cea
authored
Oct 12, 2018
by
k8s-ci-robot
Committed by
GitHub
Oct 12, 2018
Browse files
Options
Browse Files
Download
Plain Diff
Merge pull request #69354 from yujuhong/rm-jwt
GCP: Remove the deprecated google-json-key support
parents
f22334f1
ed92397e
Hide whitespace changes
Inline
Side-by-side
Showing
6 changed files
with
1 addition
and
261 deletions
+1
-261
gen_kube_docs.go
cmd/genkubedocs/gen_kube_docs.go
+0
-1
kubeadm.go
cmd/kubeadm/app/kubeadm.go
+0
-1
globalflags.go
cmd/kubelet/app/options/globalflags.go
+0
-3
BUILD
pkg/credentialprovider/gcp/BUILD
+1
-9
jwt.go
pkg/credentialprovider/gcp/jwt.go
+0
-120
jwt_test.go
pkg/credentialprovider/gcp/jwt_test.go
+0
-127
No files found.
cmd/genkubedocs/gen_kube_docs.go
View file @
e4200cea
...
...
@@ -79,7 +79,6 @@ func main() {
case
"kubeadm"
:
// resets global flags created by kubelet or other commands e.g.
// --azure-container-registry-config from pkg/credentialprovider/azure
// --google-json-key from pkg/credentialprovider/gcp
// --version pkg/version/verflag
pflag
.
CommandLine
=
pflag
.
NewFlagSet
(
os
.
Args
[
0
],
pflag
.
ExitOnError
)
...
...
cmd/kubeadm/app/kubeadm.go
View file @
e4200cea
...
...
@@ -36,7 +36,6 @@ func Run() error {
// We do not want these flags to show up in --help
// These MarkHidden calls must be after the lines above
pflag
.
CommandLine
.
MarkHidden
(
"version"
)
pflag
.
CommandLine
.
MarkHidden
(
"google-json-key"
)
pflag
.
CommandLine
.
MarkHidden
(
"log-flush-frequency"
)
pflag
.
CommandLine
.
MarkHidden
(
"alsologtostderr"
)
pflag
.
CommandLine
.
MarkHidden
(
"log-backtrace-at"
)
...
...
cmd/kubelet/app/options/globalflags.go
View file @
e4200cea
...
...
@@ -84,9 +84,6 @@ func addCredentialProviderFlags(fs *pflag.FlagSet) {
global
:=
pflag
.
CommandLine
local
:=
pflag
.
NewFlagSet
(
os
.
Args
[
0
],
pflag
.
ExitOnError
)
// Note this is deprecated in the library that provides it, so we just allow that deprecation
// notice to pass through our registration here.
pflagRegister
(
global
,
local
,
"google-json-key"
)
// TODO(#58034): This is not a static file, so it's not quite as straightforward as --google-json-key.
// We need to figure out how ACR users can dynamically provide pull credentials before we can deprecate this.
pflagRegister
(
global
,
local
,
"azure-container-registry-config"
)
...
...
pkg/credentialprovider/gcp/BUILD
View file @
e4200cea
...
...
@@ -10,7 +10,6 @@ go_library(
name = "go_default_library",
srcs = [
"doc.go",
"jwt.go",
"metadata.go",
],
importpath = "k8s.io/kubernetes/pkg/credentialprovider/gcp",
...
...
@@ -18,19 +17,12 @@ go_library(
"//pkg/credentialprovider:go_default_library",
"//staging/src/k8s.io/apimachinery/pkg/util/net:go_default_library",
"//vendor/github.com/golang/glog:go_default_library",
"//vendor/github.com/spf13/pflag:go_default_library",
"//vendor/golang.org/x/oauth2:go_default_library",
"//vendor/golang.org/x/oauth2/google:go_default_library",
"//vendor/golang.org/x/oauth2/jwt:go_default_library",
],
)
go_test(
name = "go_default_test",
srcs = [
"jwt_test.go",
"metadata_test.go",
],
srcs = ["metadata_test.go"],
embed = [":go_default_library"],
deps = [
"//pkg/credentialprovider:go_default_library",
...
...
pkg/credentialprovider/gcp/jwt.go
deleted
100644 → 0
View file @
f22334f1
/*
Copyright 2014 The Kubernetes Authors.
Licensed under the Apache License, Version 2.0 (the "License");
you may not use this file except in compliance with the License.
You may obtain a copy of the License at
http://www.apache.org/licenses/LICENSE-2.0
Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License.
*/
package
gcp_credentials
import
(
"io/ioutil"
"time"
"github.com/golang/glog"
"golang.org/x/oauth2"
"golang.org/x/oauth2/google"
"golang.org/x/oauth2/jwt"
"k8s.io/kubernetes/pkg/credentialprovider"
"github.com/spf13/pflag"
)
const
(
storageReadOnlyScope
=
"https://www.googleapis.com/auth/devstorage.read_only"
jwtFileFlagName
=
"google-json-key"
)
var
(
flagJwtFile
=
pflag
.
String
(
jwtFileFlagName
,
""
,
"The Google Cloud Platform Service Account JSON Key to use for authentication."
)
)
// A DockerConfigProvider that reads its configuration from Google
// Compute Engine metadata.
type
jwtProvider
struct
{
path
*
string
config
*
jwt
.
Config
tokenUrl
string
}
// init registers the various means by which credentials may
// be resolved on GCP.
func
init
()
{
pflag
.
CommandLine
.
MarkDeprecated
(
jwtFileFlagName
,
"Will be removed in a future version. "
+
"To maintain node-level authentication, credentials should instead be included in a docker "
+
"config.json file, located inside the Kubelet's --root-dir."
)
credentialprovider
.
RegisterCredentialProvider
(
"google-jwt-key"
,
&
credentialprovider
.
CachingDockerConfigProvider
{
Provider
:
&
jwtProvider
{
path
:
flagJwtFile
,
},
Lifetime
:
30
*
time
.
Minute
,
})
}
// Enabled implements DockerConfigProvider for the JSON Key based implementation.
func
(
j
*
jwtProvider
)
Enabled
()
bool
{
if
*
j
.
path
==
""
{
return
false
}
data
,
err
:=
ioutil
.
ReadFile
(
*
j
.
path
)
if
err
!=
nil
{
glog
.
Errorf
(
"while reading file %s got %v"
,
*
j
.
path
,
err
)
return
false
}
config
,
err
:=
google
.
JWTConfigFromJSON
(
data
,
storageReadOnlyScope
)
if
err
!=
nil
{
glog
.
Errorf
(
"while parsing %s data got %v"
,
*
j
.
path
,
err
)
return
false
}
j
.
config
=
config
if
j
.
tokenUrl
!=
""
{
j
.
config
.
TokenURL
=
j
.
tokenUrl
}
return
true
}
// LazyProvide implements DockerConfigProvider. Should never be called.
func
(
j
*
jwtProvider
)
LazyProvide
()
*
credentialprovider
.
DockerConfigEntry
{
return
nil
}
// Provide implements DockerConfigProvider
func
(
j
*
jwtProvider
)
Provide
()
credentialprovider
.
DockerConfig
{
cfg
:=
credentialprovider
.
DockerConfig
{}
ts
:=
j
.
config
.
TokenSource
(
oauth2
.
NoContext
)
token
,
err
:=
ts
.
Token
()
if
err
!=
nil
{
glog
.
Errorf
(
"while exchanging json key %s for access token %v"
,
*
j
.
path
,
err
)
return
cfg
}
if
!
token
.
Valid
()
{
glog
.
Errorf
(
"Got back invalid token: %v"
,
token
)
return
cfg
}
entry
:=
credentialprovider
.
DockerConfigEntry
{
Username
:
"_token"
,
Password
:
token
.
AccessToken
,
Email
:
j
.
config
.
Email
,
}
// Add our entry for each of the supported container registry URLs
for
_
,
k
:=
range
containerRegistryUrls
{
cfg
[
k
]
=
entry
}
return
cfg
}
pkg/credentialprovider/gcp/jwt_test.go
deleted
100644 → 0
View file @
f22334f1
/*
Copyright 2014 The Kubernetes Authors.
Licensed under the Apache License, Version 2.0 (the "License");
you may not use this file except in compliance with the License.
You may obtain a copy of the License at
http://www.apache.org/licenses/LICENSE-2.0
Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License.
*/
package
gcp_credentials
import
(
"fmt"
"io/ioutil"
"net/http"
"net/http/httptest"
"os"
"strings"
"testing"
"k8s.io/kubernetes/pkg/credentialprovider"
)
const
email
=
"foo@bar.com"
// From oauth2/jwt_test.go
var
(
dummyPrivateKey
=
`-----BEGIN RSA PRIVATE KEY-----
MIIEpAIBAAKCAQEAx4fm7dngEmOULNmAs1IGZ9Apfzh+BkaQ1dzkmbUgpcoghucE
DZRnAGd2aPyB6skGMXUytWQvNYav0WTR00wFtX1ohWTfv68HGXJ8QXCpyoSKSSFY
fuP9X36wBSkSX9J5DVgiuzD5VBdzUISSmapjKm+DcbRALjz6OUIPEWi1Tjl6p5RK
1w41qdbmt7E5/kGhKLDuT7+M83g4VWhgIvaAXtnhklDAggilPPa8ZJ1IFe31lNlr
k4DRk38nc6sEutdf3RL7QoH7FBusI7uXV03DC6dwN1kP4GE7bjJhcRb/7jYt7CQ9
/E9Exz3c0yAp0yrTg0Fwh+qxfH9dKwN52S7SBwIDAQABAoIBAQCaCs26K07WY5Jt
3a2Cw3y2gPrIgTCqX6hJs7O5ByEhXZ8nBwsWANBUe4vrGaajQHdLj5OKfsIDrOvn
2NI1MqflqeAbu/kR32q3tq8/Rl+PPiwUsW3E6Pcf1orGMSNCXxeducF2iySySzh3
nSIhCG5uwJDWI7a4+9KiieFgK1pt/Iv30q1SQS8IEntTfXYwANQrfKUVMmVF9aIK
6/WZE2yd5+q3wVVIJ6jsmTzoDCX6QQkkJICIYwCkglmVy5AeTckOVwcXL0jqw5Kf
5/soZJQwLEyBoQq7Kbpa26QHq+CJONetPP8Ssy8MJJXBT+u/bSseMb3Zsr5cr43e
DJOhwsThAoGBAPY6rPKl2NT/K7XfRCGm1sbWjUQyDShscwuWJ5+kD0yudnT/ZEJ1
M3+KS/iOOAoHDdEDi9crRvMl0UfNa8MAcDKHflzxg2jg/QI+fTBjPP5GOX0lkZ9g
z6VePoVoQw2gpPFVNPPTxKfk27tEzbaffvOLGBEih0Kb7HTINkW8rIlzAoGBAM9y
1yr+jvfS1cGFtNU+Gotoihw2eMKtIqR03Yn3n0PK1nVCDKqwdUqCypz4+ml6cxRK
J8+Pfdh7D+ZJd4LEG6Y4QRDLuv5OA700tUoSHxMSNn3q9As4+T3MUyYxWKvTeu3U
f2NWP9ePU0lV8ttk7YlpVRaPQmc1qwooBA/z/8AdAoGAW9x0HWqmRICWTBnpjyxx
QGlW9rQ9mHEtUotIaRSJ6K/F3cxSGUEkX1a3FRnp6kPLcckC6NlqdNgNBd6rb2rA
cPl/uSkZP42Als+9YMoFPU/xrrDPbUhu72EDrj3Bllnyb168jKLa4VBOccUvggxr
Dm08I1hgYgdN5huzs7y6GeUCgYEAj+AZJSOJ6o1aXS6rfV3mMRve9bQ9yt8jcKXw
5HhOCEmMtaSKfnOF1Ziih34Sxsb7O2428DiX0mV/YHtBnPsAJidL0SdLWIapBzeg
KHArByIRkwE6IvJvwpGMdaex1PIGhx5i/3VZL9qiq/ElT05PhIb+UXgoWMabCp84
OgxDK20CgYAeaFo8BdQ7FmVX2+EEejF+8xSge6WVLtkaon8bqcn6P0O8lLypoOhd
mJAYH8WU+UAy9pecUnDZj14LAGNVmYcse8HFX71MoshnvCTFEPVo4rZxIAGwMpeJ
5jgQ3slYLpqrGlcbLgUXBUgzEO684Wk/UV9DFPlHALVqCfXQ9dpJPg==
-----END RSA PRIVATE KEY-----`
jsonKey
=
fmt
.
Sprintf
(
`{"private_key":"%[1]s", "client_email":"%[2]s", "type": "service_account"}`
,
strings
.
Replace
(
dummyPrivateKey
,
"
\n
"
,
"
\\
n"
,
-
1
),
email
)
)
func
TestJwtProvider
(
t
*
testing
.
T
)
{
token
:=
"asdhflkjsdfkjhsdf"
// Modeled after oauth2/jwt_test.go
ts
:=
httptest
.
NewServer
(
http
.
HandlerFunc
(
func
(
w
http
.
ResponseWriter
,
r
*
http
.
Request
)
{
w
.
Header
()
.
Set
(
"Content-Type"
,
"application/json"
)
w
.
Write
([]
byte
(
fmt
.
Sprintf
(
`{
"access_token": "%[1]s",
"scope": "user",
"token_type": "bearer",
"expires_in": 3600
}`
,
token
)))
}))
defer
ts
.
Close
()
file
,
err
:=
ioutil
.
TempFile
(
os
.
TempDir
(),
"temp"
)
if
err
!=
nil
{
t
.
Fatalf
(
"Error creating temp file: %v"
,
err
)
}
filename
:=
file
.
Name
()
defer
os
.
Remove
(
filename
)
_
,
err
=
file
.
WriteString
(
jsonKey
)
if
err
!=
nil
{
t
.
Fatalf
(
"Error writing temp file: %v"
,
err
)
}
provider
:=
&
jwtProvider
{
path
:
&
filename
,
tokenUrl
:
ts
.
URL
,
}
if
!
provider
.
Enabled
()
{
t
.
Fatalf
(
"Provider is unexpectedly disabled"
)
}
keyring
:=
&
credentialprovider
.
BasicDockerKeyring
{}
keyring
.
Add
(
provider
.
Provide
())
// Verify that we get the expected username/password combo for
// a gcr.io image name.
registryUrl
:=
"gcr.io/foo/bar"
creds
,
ok
:=
keyring
.
Lookup
(
registryUrl
)
if
!
ok
{
t
.
Errorf
(
"Didn't find expected URL: %s"
,
registryUrl
)
return
}
if
len
(
creds
)
>
1
{
t
.
Errorf
(
"Got more hits than expected: %s"
,
creds
)
}
val
:=
creds
[
0
]
if
"_token"
!=
val
.
Username
{
t
.
Errorf
(
"Unexpected username value, want: _token, got: %s"
,
val
.
Username
)
}
if
token
!=
val
.
Password
{
t
.
Errorf
(
"Unexpected password value, want: %s, got: %s"
,
token
,
val
.
Password
)
}
if
email
!=
val
.
Email
{
t
.
Errorf
(
"Unexpected email value, want: %s, got: %s"
,
email
,
val
.
Email
)
}
}
Write
Preview
Markdown
is supported
0%
Try again
or
attach a new file
Attach a file
Cancel
You are about to add
0
people
to the discussion. Proceed with caution.
Finish editing this message first!
Cancel
Please
register
or
sign in
to comment