Skip to content
Projects
Groups
Snippets
Help
This project
Loading...
Sign in / Register
Toggle navigation
K
k3s
Project
Project
Details
Activity
Cycle Analytics
Repository
Repository
Files
Commits
Branches
Tags
Contributors
Graph
Compare
Charts
Issues
0
Issues
0
List
Board
Labels
Milestones
Merge Requests
0
Merge Requests
0
CI / CD
CI / CD
Pipelines
Jobs
Schedules
Charts
Registry
Registry
Wiki
Wiki
Snippets
Snippets
Members
Members
Collapse sidebar
Close sidebar
Activity
Graph
Charts
Create a new issue
Jobs
Commits
Issue Boards
Open sidebar
Jacklull
k3s
Commits
fe38101b
Commit
fe38101b
authored
Apr 28, 2015
by
Zach Loafman
Browse files
Options
Browse Files
Download
Plain Diff
Merge pull request #7426 from roberthbailey/basic-auth-salt
Salt configuration to add basic auth to GCE.
parents
01f20194
8206aa9e
Hide whitespace changes
Inline
Side-by-side
Showing
5 changed files
with
39 additions
and
4 deletions
+39
-4
common.sh
cluster/common.sh
+13
-2
configure-vm.sh
cluster/gce/configure-vm.sh
+7
-0
util.sh
cluster/gce/util.sh
+6
-1
init.sls
cluster/saltbase/salt/kube-apiserver/init.sls
+7
-1
kube-apiserver.manifest
cluster/saltbase/salt/kube-apiserver/kube-apiserver.manifest
+6
-0
No files found.
cluster/common.sh
View file @
fe38101b
...
...
@@ -28,11 +28,13 @@ DEFAULT_KUBECONFIG="${HOME}/.kube/config"
# Assumed vars:
# KUBE_USER
# KUBE_PASSWORD
# KUBE_BEARER_TOKEN
# KUBE_MASTER_IP
# KUBECONFIG
# CONTEXT
#
# If the apiserver supports bearer auth, also provide:
# KUBE_BEARER_TOKEN
#
# The following can be omitted for --insecure-skip-tls-verify
# KUBE_CERT
# KUBE_KEY
...
...
@@ -57,8 +59,9 @@ function create-kubeconfig() {
"--embed-certs=true"
)
fi
local
user_args
=()
if
[[
-z
"
${
KUBE_USER
:-}
"
||
-z
"
${
KUBE_PASSWORD
:-}
"
]]
;
then
if
[[
!
-z
"
${
KUBE_BEARER_TOKEN
:-}
"
]]
;
then
user_args+
=(
"--token=
${
KUBE_BEARER_TOKEN
}
"
)
...
...
@@ -81,6 +84,13 @@ function create-kubeconfig() {
"
${
kubectl
}
"
config set-context
"
${
CONTEXT
}
"
--cluster
=
"
${
CONTEXT
}
"
--user
=
"
${
CONTEXT
}
"
"
${
kubectl
}
"
config use-context
"
${
CONTEXT
}
"
--cluster
=
"
${
CONTEXT
}
"
# If we have a bearer token, also create a credential entry with basic auth
# so that it is easy to discover the basic auth password for your cluster
# to use in a web browser.
if
[[
!
-z
"
${
KUBE_BEARER_TOKEN
:-}
"
]]
;
then
"
${
kubectl
}
"
config set-credentials
"
${
CONTEXT
}
-basic-auth"
"--username=
${
KUBE_USER
}
"
"--password=
${
KUBE_PASSWORD
}
"
fi
echo
"Wrote config for
${
CONTEXT
}
to
${
KUBECONFIG
}
"
}
...
...
@@ -93,6 +103,7 @@ function clear-kubeconfig() {
local
kubectl
=
"
${
KUBE_ROOT
}
/cluster/kubectl.sh"
"
${
kubectl
}
"
config
unset
"clusters.
${
CONTEXT
}
"
"
${
kubectl
}
"
config
unset
"users.
${
CONTEXT
}
"
"
${
kubectl
}
"
config
unset
"users.
${
CONTEXT
}
-basic-auth"
"
${
kubectl
}
"
config
unset
"contexts.
${
CONTEXT
}
"
local
current
...
...
cluster/gce/configure-vm.sh
View file @
fe38101b
...
...
@@ -22,6 +22,7 @@ set -o pipefail
is_push
=
$@
readonly
KNOWN_TOKENS_FILE
=
"/srv/salt-overlay/salt/kube-apiserver/known_tokens.csv"
readonly
BASIC_AUTH_FILE
=
"/srv/salt-overlay/salt/kube-apiserver/basic_auth.csv"
function
ensure-install-dir
()
{
INSTALL_DIR
=
"/var/cache/kubernetes-install"
...
...
@@ -238,12 +239,18 @@ EOF
}
# This should only happen on cluster initialization. Uses
# KUBE_PASSWORD and KUBE_USER to generate basic_auth.csv. Uses
# KUBE_BEARER_TOKEN, KUBELET_TOKEN, and KUBE_PROXY_TOKEN to generate
# known_tokens.csv (KNOWN_TOKENS_FILE). After the first boot and
# on upgrade, this file exists on the master-pd and should never
# be touched again (except perhaps an additional service account,
# see NB below.)
function
create-salt-auth
()
{
if
[
!
-e
"
${
BASIC_AUTH_FILE
}
"
]
;
then
mkdir
-p
/srv/salt-overlay/salt/kube-apiserver
(
umask
077
;
echo
"
${
KUBE_PASSWORD
}
,
${
KUBE_USER
}
,admin"
>
"
${
BASIC_AUTH_FILE
}
"
)
fi
if
[
!
-e
"
${
KNOWN_TOKENS_FILE
}
"
]
;
then
mkdir
-p
/srv/salt-overlay/salt/kube-apiserver
(
umask
077
;
...
...
cluster/gce/util.sh
View file @
fe38101b
...
...
@@ -471,6 +471,8 @@ ENABLE_CLUSTER_DNS: $(yaml-quote ${ENABLE_CLUSTER_DNS:-false})
DNS_REPLICAS:
$(
yaml-quote
${
DNS_REPLICAS
:-})
DNS_SERVER_IP:
$(
yaml-quote
${
DNS_SERVER_IP
:-})
DNS_DOMAIN:
$(
yaml-quote
${
DNS_DOMAIN
:-})
KUBE_USER:
$(
yaml-quote
${
KUBE_USER
})
KUBE_PASSWORD:
$(
yaml-quote
${
KUBE_PASSWORD
})
KUBE_BEARER_TOKEN:
$(
yaml-quote
${
KUBE_BEARER_TOKEN
})
KUBELET_TOKEN:
$(
yaml-quote
${
KUBELET_TOKEN
:-})
KUBE_PROXY_TOKEN:
$(
yaml-quote
${
KUBE_PROXY_TOKEN
:-})
...
...
@@ -507,6 +509,7 @@ function write-node-env {
# variables are set:
# ensure-temp-dir
# detect-project
# get-password
# get-bearer-token
#
function
create-master-instance
{
...
...
@@ -540,6 +543,7 @@ function kube-up {
ensure-temp-dir
detect-project
get-password
get-bearer-token
# Make sure we have the tar files staged on Google Storage
...
...
@@ -803,6 +807,7 @@ function kube-push {
detect-project
detect-master
detect-minion-names
get-password
get-bearer-token
# Make sure we have the tar files staged on Google Storage
...
...
@@ -831,7 +836,7 @@ function kube-push {
echo
echo
" https://
${
KUBE_MASTER_IP
}
"
echo
echo
"The user name and password to use is located in ~/.kube
rnetes_auth.
"
echo
"The user name and password to use is located in ~/.kube
/config
"
echo
}
...
...
cluster/saltbase/salt/kube-apiserver/init.sls
View file @
fe38101b
...
...
@@ -9,6 +9,12 @@
{% endif %}
{% endif %}
{% if grains['cloud'] is defined and grains['cloud'] == 'gce' %}
/srv/kubernetes/basic_auth.csv:
file.managed:
- source: salt://kube-apiserver/basic_auth.csv
{% endif %}
# Copy kube-apiserver manifest to manifests folder for kubelet.
/etc/kubernetes/manifests/kube-apiserver.manifest:
file.managed:
...
...
@@ -20,7 +26,7 @@
- makedirs: true
- dir_mode: 755
#stop legacy kube-apiserver service
#stop legacy kube-apiserver service
stop_kube-apiserver:
service.dead:
- name: kube-apiserver
...
...
cluster/saltbase/salt/kube-apiserver/kube-apiserver.manifest
View file @
fe38101b
...
...
@@ -52,6 +52,7 @@
{% endif -%}
{% set token_auth_file = "--token_auth_file=/dev/null" -%}
{% set basic_auth_file = "" -%}
{% if grains.cloud is defined -%}
{% if grains.cloud in [ 'aws', 'gce', 'vagrant' ] -%}
...
...
@@ -59,6 +60,10 @@
{% endif -%}
{% endif -%}
{% if grains['cloud'] is defined and grains['cloud'] == 'gce' %}
{% set basic_auth_file = "--basic_auth_file=/srv/kubernetes/basic_auth.csv" -%}
{% endif -%}
{% set admission_control = "" -%}
{% if pillar['admission_control'] is defined -%}
{% set admission_control = "--admission_control=" + pillar['admission_control'] -%}
...
...
@@ -95,6 +100,7 @@
"--secure_port={{secure_port}}",
"{{token_auth_file}}",
"{{client_ca_file}}",
"{{basic_auth_file}}",
"{{publicAddressOverride}}",
"{{pillar['log_level']}}"
],
...
...
Write
Preview
Markdown
is supported
0%
Try again
or
attach a new file
Attach a file
Cancel
You are about to add
0
people
to the discussion. Proceed with caution.
Finish editing this message first!
Cancel
Please
register
or
sign in
to comment