Avoid ListSecrets call in nodeup
This helps us with GCE permissions, but also helps us get rid of auth tokens.
This commit is contained in:
parent
86ca778da3
commit
bf24a6443c
@ -107,6 +107,7 @@ k8s.io/kops/pkg/sshcredentials
|
||||||
k8s.io/kops/pkg/systemd
|
k8s.io/kops/pkg/systemd
|
||||||
k8s.io/kops/pkg/templates
|
k8s.io/kops/pkg/templates
|
||||||
k8s.io/kops/pkg/testutils
|
k8s.io/kops/pkg/testutils
|
||||||
|
k8s.io/kops/pkg/tokens
|
||||||
k8s.io/kops/pkg/util/stringorslice
|
k8s.io/kops/pkg/util/stringorslice
|
||||||
k8s.io/kops/pkg/util/templater
|
k8s.io/kops/pkg/util/templater
|
||||||
k8s.io/kops/pkg/validation
|
k8s.io/kops/pkg/validation
|
||||||
|
|
|
@ -43,6 +43,7 @@ go_library(
|
||||||
"//pkg/kubeconfig:go_default_library",
|
"//pkg/kubeconfig:go_default_library",
|
||||||
"//pkg/kubemanifest:go_default_library",
|
"//pkg/kubemanifest:go_default_library",
|
||||||
"//pkg/systemd:go_default_library",
|
"//pkg/systemd:go_default_library",
|
||||||
|
"//pkg/tokens:go_default_library",
|
||||||
"//upup/pkg/fi:go_default_library",
|
"//upup/pkg/fi:go_default_library",
|
||||||
"//upup/pkg/fi/nodeup/nodetasks:go_default_library",
|
"//upup/pkg/fi/nodeup/nodetasks:go_default_library",
|
||||||
"//upup/pkg/fi/utils:go_default_library",
|
"//upup/pkg/fi/utils:go_default_library",
|
||||||
|
|
|
@ -22,6 +22,7 @@ import (
|
||||||
"strings"
|
"strings"
|
||||||
|
|
||||||
"github.com/golang/glog"
|
"github.com/golang/glog"
|
||||||
|
"k8s.io/kops/pkg/tokens"
|
||||||
"k8s.io/kops/upup/pkg/fi"
|
"k8s.io/kops/upup/pkg/fi"
|
||||||
"k8s.io/kops/upup/pkg/fi/nodeup/nodetasks"
|
"k8s.io/kops/upup/pkg/fi/nodeup/nodetasks"
|
||||||
)
|
)
|
||||||
|
@ -193,16 +194,13 @@ func (b *SecretBuilder) Build(c *fi.ModelBuilderContext) error {
|
||||||
}
|
}
|
||||||
|
|
||||||
if b.SecretStore != nil {
|
if b.SecretStore != nil {
|
||||||
allTokens, err := b.allTokens()
|
allTokens, err := b.allAuthTokens()
|
||||||
if err != nil {
|
if err != nil {
|
||||||
return err
|
return err
|
||||||
}
|
}
|
||||||
|
|
||||||
var lines []string
|
var lines []string
|
||||||
for id, token := range allTokens {
|
for id, token := range allTokens {
|
||||||
if id == "dockerconfig" || id == "encryptionconfig" {
|
|
||||||
continue
|
|
||||||
}
|
|
||||||
lines = append(lines, token+","+id+","+id)
|
lines = append(lines, token+","+id+","+id)
|
||||||
}
|
}
|
||||||
csv := strings.Join(lines, "\n")
|
csv := strings.Join(lines, "\n")
|
||||||
|
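Review bot: The CSV assembled a few lines below `allTokens, err := b.allAuthTokens()` is built by ranging over a map, so the order of `lines` — and therefore the token file's content — can differ from run to run; sorting before the join (`sort.Strings(lines)` ahead of `csv := strings.Join(lines, "\n")`, with `sort` imported) would make the output deterministic and avoid needless rewrites of the token file. Dropping the `dockerconfig`/`encryptionconfig` skip looks safe only because allAuthTokens now enumerates a fixed list of auth-token names rather than everything in the store; a comment at the loop, `// allAuthTokens only returns the well-known auth tokens, so no filtering is needed here`, would record that dependency for the next reader. Build continues outside the hunk.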
@ -269,19 +267,19 @@ func (b *SecretBuilder) writePrivateKey(c *fi.ModelBuilderContext, id string) er
|
||||||
return nil
|
return nil
|
||||||
}
|
}
|
||||||
|
|
||||||
// allTokens returns a map of all tokens
|
// allTokens returns a map of all auth tokens that are present
|
||||||
func (b *SecretBuilder) allTokens() (map[string]string, error) {
|
func (b *SecretBuilder) allAuthTokens() (map[string]string, error) {
|
||||||
|
possibleTokens := tokens.GetKubernetesAuthTokens_Deprecated()
|
||||||
|
|
||||||
tokens := make(map[string]string)
|
tokens := make(map[string]string)
|
||||||
ids, err := b.SecretStore.ListSecrets()
|
for _, id := range possibleTokens {
|
||||||
if err != nil {
|
|
||||||
return nil, err
|
|
||||||
}
|
|
||||||
for _, id := range ids {
|
|
||||||
token, err := b.SecretStore.FindSecret(id)
|
token, err := b.SecretStore.FindSecret(id)
|
||||||
if err != nil {
|
if err != nil {
|
||||||
return nil, err
|
return nil, err
|
||||||
}
|
}
|
||||||
tokens[id] = string(token.Data)
|
if token != nil {
|
||||||
|
tokens[id] = string(token.Data)
|
||||||
|
}
|
||||||
}
|
}
|
||||||
return tokens, nil
|
return tokens, nil
|
||||||
}
|
}
|
||||||
|
|
|
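Review bot: The doc comment on the new line `// allTokens returns a map of all auth tokens that are present` still names the old function; it should read `// allAuthTokens returns a map of the well-known auth tokens that are present in the secret store`. Below it, `tokens := make(map[string]string)` shadows the `tokens` package that `possibleTokens := tokens.GetKubernetesAuthTokens_Deprecated()` just used; it compiles because the package reference comes first, but renaming the local to `found` (and its uses in `found[id] = string(token.Data)` and `return found, nil`) avoids the clash. The `if token != nil` guard presumably relies on FindSecret returning a nil secret with a nil error for an unknown id — worth confirming against the SecretStore contract, since a missing well-known token then silently yields no CSV row rather than an error.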
@ -30,6 +30,7 @@ go_library(
|
||||||
"//pkg/model/components:go_default_library",
|
"//pkg/model/components:go_default_library",
|
||||||
"//pkg/model/iam:go_default_library",
|
"//pkg/model/iam:go_default_library",
|
||||||
"//pkg/model/resources:go_default_library",
|
"//pkg/model/resources:go_default_library",
|
||||||
|
"//pkg/tokens:go_default_library",
|
||||||
"//upup/pkg/fi:go_default_library",
|
"//upup/pkg/fi:go_default_library",
|
||||||
"//upup/pkg/fi/cloudup/awstasks:go_default_library",
|
"//upup/pkg/fi/cloudup/awstasks:go_default_library",
|
||||||
"//upup/pkg/fi/cloudup/awsup:go_default_library",
|
"//upup/pkg/fi/cloudup/awsup:go_default_library",
|
||||||
|
|
|
@ -20,6 +20,7 @@ import (
|
||||||
"fmt"
|
"fmt"
|
||||||
|
|
||||||
"k8s.io/apiserver/pkg/authentication/user"
|
"k8s.io/apiserver/pkg/authentication/user"
|
||||||
|
"k8s.io/kops/pkg/tokens"
|
||||||
"k8s.io/kops/upup/pkg/fi"
|
"k8s.io/kops/upup/pkg/fi"
|
||||||
"k8s.io/kops/upup/pkg/fi/fitasks"
|
"k8s.io/kops/upup/pkg/fi/fitasks"
|
||||||
"k8s.io/kops/util/pkg/vfs"
|
"k8s.io/kops/util/pkg/vfs"
|
||||||
|
@ -232,12 +233,8 @@ func (b *PKIModelBuilder) Build(c *fi.ModelBuilderContext) error {
|
||||||
c.AddTask(t)
|
c.AddTask(t)
|
||||||
}
|
}
|
||||||
|
|
||||||
// @@ The following are deprecated for > 1.6 and should be dropped at the appropreciate time
|
// Create auth tokens (though this is deprecated)
|
||||||
deprecated := []string{
|
for _, x := range tokens.GetKubernetesAuthTokens_Deprecated() {
|
||||||
"kubelet", "kube-proxy", "system:scheduler", "system:controller_manager",
|
|
||||||
"system:logging", "system:monitoring", "system:dns", "kube", "admin"}
|
|
||||||
|
|
||||||
for _, x := range deprecated {
|
|
||||||
t := &fitasks.Secret{Name: fi.String(x), Lifecycle: b.Lifecycle}
|
t := &fitasks.Secret{Name: fi.String(x), Lifecycle: b.Lifecycle}
|
||||||
c.AddTask(t)
|
c.AddTask(t)
|
||||||
}
|
}
|
||||||
|
|
|
@ -0,0 +1,8 @@
|
||||||
|
load("@io_bazel_rules_go//go:def.bzl", "go_library")
|
||||||
|
|
||||||
|
go_library(
|
||||||
|
name = "go_default_library",
|
||||||
|
srcs = ["wellknown.go"],
|
||||||
|
importpath = "k8s.io/kops/pkg/tokens",
|
||||||
|
visibility = ["//visibility:public"],
|
||||||
|
)
|
|
@ -0,0 +1,26 @@
|
||||||
|
/*
|
||||||
|
Copyright 2017 The Kubernetes Authors.
|
||||||
|
|
||||||
|
Licensed under the Apache License, Version 2.0 (the "License");
|
||||||
|
you may not use this file except in compliance with the License.
|
||||||
|
You may obtain a copy of the License at
|
||||||
|
|
||||||
|
http://www.apache.org/licenses/LICENSE-2.0
|
||||||
|
|
||||||
|
Unless required by applicable law or agreed to in writing, software
|
||||||
|
distributed under the License is distributed on an "AS IS" BASIS,
|
||||||
|
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
||||||
|
See the License for the specific language governing permissions and
|
||||||
|
limitations under the License.
|
||||||
|
*/
|
||||||
|
|
||||||
|
package tokens
|
||||||
|
|
||||||
|
// GetKubernetesAuthTokens_Deprecated returns a list of all the API auth tokens we create.
|
||||||
|
// Use of these tokens is deprecated for > 1.6 and should be dropped at the appropriate time
|
||||||
|
func GetKubernetesAuthTokens_Deprecated() []string {
|
||||||
|
return []string{
|
||||||
|
"kubelet", "kube-proxy", "system:scheduler", "system:controller_manager",
|
||||||
|
"system:logging", "system:monitoring", "system:dns", "kube", "admin",
|
||||||
|
}
|
||||||
|
}
|
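Review bot: The exported name `GetKubernetesAuthTokens_Deprecated` carries an underscore and a Get prefix, both of which Go style discourages; the conventional way to mark deprecation is a separate `// Deprecated: ...` paragraph in the doc comment, which tooling surfaces to callers. The comment would also be clearer if it said what the strings are — secret-store names, not token values: `// GetKubernetesAuthTokens_Deprecated returns the names of the well-known API auth tokens we create (secret-store ids, not the token values).` followed by `// Deprecated: token auth is deprecated for > 1.6 and should be dropped at the appropriate time.` Returning a freshly allocated slice on each call is a good choice here, since callers cannot mutate shared state.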