From bf24a6443c270e1b4e4bc2be95ad2629c553a0bd Mon Sep 17 00:00:00 2001
From: Justin Santa Barbara
Date: Sun, 12 Nov 2017 16:21:44 -0500
Subject: [PATCH] Avoid ListSecrets call in nodeup

This helps up with GCE permissions, but also helps us get rid of auth tokens.
---
 hack/.packages | 1 +
 nodeup/pkg/model/BUILD.bazel | 1 +
 nodeup/pkg/model/secrets.go | 22 ++++++++++------------
 pkg/model/BUILD.bazel | 1 +
 pkg/model/pki.go | 9 +++------
 pkg/tokens/BUILD.bazel | 8 ++++++++
 pkg/tokens/wellknown.go | 26 ++++++++++++++++++++++++++
 7 files changed, 50 insertions(+), 18 deletions(-)
 create mode 100644 pkg/tokens/BUILD.bazel
 create mode 100644 pkg/tokens/wellknown.go

diff --git a/hack/.packages b/hack/.packages
index e23ebce3b1..c3c6372b31 100644
--- a/hack/.packages
+++ b/hack/.packages
@@ -107,6 +107,7 @@ k8s.io/kops/pkg/sshcredentials
 k8s.io/kops/pkg/systemd
 k8s.io/kops/pkg/templates
 k8s.io/kops/pkg/testutils
+k8s.io/kops/pkg/tokens
 k8s.io/kops/pkg/util/stringorslice
 k8s.io/kops/pkg/util/templater
 k8s.io/kops/pkg/validation
diff --git a/nodeup/pkg/model/BUILD.bazel b/nodeup/pkg/model/BUILD.bazel
index 6bb50fca53..8cfb9a78dd 100644
--- a/nodeup/pkg/model/BUILD.bazel
+++ b/nodeup/pkg/model/BUILD.bazel
@@ -43,6 +43,7 @@ go_library(
 "//pkg/kubeconfig:go_default_library",
 "//pkg/kubemanifest:go_default_library",
 "//pkg/systemd:go_default_library",
+ "//pkg/tokens:go_default_library",
 "//upup/pkg/fi:go_default_library",
 "//upup/pkg/fi/nodeup/nodetasks:go_default_library",
 "//upup/pkg/fi/utils:go_default_library",
diff --git a/nodeup/pkg/model/secrets.go b/nodeup/pkg/model/secrets.go
index 511f34ea85..1677cf8709 100644
--- a/nodeup/pkg/model/secrets.go
+++ b/nodeup/pkg/model/secrets.go
@@ -22,6 +22,7 @@ import (
 "strings"

 "github.com/golang/glog"
+ "k8s.io/kops/pkg/tokens"
 "k8s.io/kops/upup/pkg/fi"
 "k8s.io/kops/upup/pkg/fi/nodeup/nodetasks"
 )
@@ -193,16 +194,13 @@ func (b *SecretBuilder) Build(c *fi.ModelBuilderContext) error {
 }

 if b.SecretStore != nil {
- allTokens, err := b.allTokens()
+ allTokens, err := b.allAuthTokens()
 if err != nil {
 return err
 }

 var lines []string
 for id, token := range allTokens {
- if id == "dockerconfig" || id == "encryptionconfig" {
- continue
- }
 lines = append(lines, token+","+id+","+id)
 }
 csv := strings.Join(lines, "\n")
@@ -269,19 +267,19 @@ func (b *SecretBuilder) writePrivateKey(c *fi.ModelBuilderContext, id string) er
 return nil
 }

-// allTokens returns a map of all tokens
-func (b *SecretBuilder) allTokens() (map[string]string, error) {
+// allTokens returns a map of all auth tokens that are present
+func (b *SecretBuilder) allAuthTokens() (map[string]string, error) {
+ possibleTokens := tokens.GetKubernetesAuthTokens_Deprecated()
+
 tokens := make(map[string]string)
- ids, err := b.SecretStore.ListSecrets()
- if err != nil {
- return nil, err
- }
- for _, id := range ids {
+ for _, id := range possibleTokens {
 token, err := b.SecretStore.FindSecret(id)
 if err != nil {
 return nil, err
 }
- tokens[id] = string(token.Data)
+ if token != nil {
+ tokens[id] = string(token.Data)
+ }
 }
 return tokens, nil
 }
diff --git a/pkg/model/BUILD.bazel b/pkg/model/BUILD.bazel
index c5a81e6373..8bf5c73f16 100644
--- a/pkg/model/BUILD.bazel
+++ b/pkg/model/BUILD.bazel
@@ -30,6 +30,7 @@ go_library(
 "//pkg/model/components:go_default_library",
 "//pkg/model/iam:go_default_library",
 "//pkg/model/resources:go_default_library",
+ "//pkg/tokens:go_default_library",
 "//upup/pkg/fi:go_default_library",
 "//upup/pkg/fi/cloudup/awstasks:go_default_library",
 "//upup/pkg/fi/cloudup/awsup:go_default_library",
diff --git a/pkg/model/pki.go b/pkg/model/pki.go
index 7c0e2c6cc5..fd14216706 100644
--- a/pkg/model/pki.go
+++ b/pkg/model/pki.go
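Review bot: The CSV assembled in Build still comes from ranging over the allTokens map, so the order of its lines is random from one nodeup run to the next; if the task that writes the file compares content before rewriting (that code continues past the hunk, so I cannot see it), the token file will be rewritten, and possibly trigger a restart, on every run even though nothing changed. Now that allAuthTokens walks a fixed list, the ids can be sorted before the lines are joined, which also makes the resulting file easy to diff when auditing which static tokens are installed on a node. `sort` (or `slices`) is not among the imports visible in the import hunk and would need adding.
```go
		var lines []string
		ids := make([]string, 0, len(allTokens))
		for id := range allTokens {
			ids = append(ids, id)
		}
		sort.Strings(ids)
		for _, id := range ids {
			lines = append(lines, allTokens[id]+","+id+","+id)
		}
		csv := strings.Join(lines, "\n")
		// … unchanged: rest of Build …
```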
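Review bot: In allAuthTokens the local `tokens := make(map[string]string)` shadows the `tokens` package that the line just above it calls, so the package is unreachable for the rest of the method and the two meanings read identically on the page; it compiles only because the package call happens first. Rename the result map, e.g. `found := make(map[string]string)`, `found[id] = string(token.Data)` and `return found, nil`. The doc comment also still names the old method; it should start with the new name, e.g. `// allAuthTokens returns the well-known auth tokens that are present in the secret store, keyed by id; ids with no secret are skipped.`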
@@ -20,6 +20,7 @@ import (
 "fmt"

 "k8s.io/apiserver/pkg/authentication/user"
+ "k8s.io/kops/pkg/tokens"
 "k8s.io/kops/upup/pkg/fi"
 "k8s.io/kops/upup/pkg/fi/fitasks"
 "k8s.io/kops/util/pkg/vfs"
@@ -232,12 +233,8 @@ func (b *PKIModelBuilder) Build(c *fi.ModelBuilderContext) error {
 c.AddTask(t)
 }

- // @@ The following are deprecated for > 1.6 and should be dropped at the appropreciate time
- deprecated := []string{
- "kubelet", "kube-proxy", "system:scheduler", "system:controller_manager",
- "system:logging", "system:monitoring", "system:dns", "kube", "admin"}
-
- for _, x := range deprecated {
+ // Create auth tokens (though this is deprecated)
+ for _, x := range tokens.GetKubernetesAuthTokens_Deprecated() {
 t := &fitasks.Secret{Name: fi.String(x), Lifecycle: b.Lifecycle}
 c.AddTask(t)
 }
diff --git a/pkg/tokens/BUILD.bazel b/pkg/tokens/BUILD.bazel
new file mode 100644
index 0000000000..0e26ca573f
--- /dev/null
+++ b/pkg/tokens/BUILD.bazel
@@ -0,0 +1,8 @@
+load("@io_bazel_rules_go//go:def.bzl", "go_library")
+
+go_library(
+ name = "go_default_library",
+ srcs = ["wellknown.go"],
+ importpath = "k8s.io/kops/pkg/tokens",
+ visibility = ["//visibility:public"],
+)
diff --git a/pkg/tokens/wellknown.go b/pkg/tokens/wellknown.go
new file mode 100644
index 0000000000..3b8b5bf303
--- /dev/null
+++ b/pkg/tokens/wellknown.go
@@ -0,0 +1,26 @@
+/*
+Copyright 2017 The Kubernetes Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package tokens
+
+// GetKubernetesAuthTokens_Deprecated returns a list of all the API auth tokens we create.
+// Use of these tokens is deprecated for > 1.6 and should be dropped at the appropriate time
+func GetKubernetesAuthTokens_Deprecated() []string {
+ return []string{
+ "kubelet", "kube-proxy", "system:scheduler", "system:controller_manager",
+ "system:logging", "system:monitoring", "system:dns", "kube", "admin",
+ }
+}
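Review bot: `GetKubernetesAuthTokens_Deprecated` breaks two Go naming conventions at once, an underscore in an exported identifier and a `Get` prefix, and golint will flag both; the deprecation belongs in the doc comment rather than in the name. A name such as `WellKnownAuthTokens` with a separate `// Deprecated: static auth tokens are deprecated for Kubernetes > 1.6 and will be dropped.` line lets tooling surface the deprecation at every call site, which is more useful than a suffix nobody searches for. The second sentence of the doc comment also lacks a terminating period. Returning a freshly allocated slice on each call is the right choice here, since no caller can then mutate a shared package-level list of token ids.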