We create a simple exec plugin command which can create and renew
short-lived admin credentials on the fly, essentially leveraging the
security of the underlying cloud credentials.
Co-authored-by: John Gardiner Myers <jgmyers@proofpoint.com>

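As an added illustration of what such an exec plugin has to produce (this is example code, not kops's own plugin), the program below emits the ExecCredential object that kubectl reads from a plugin's stdout, caches it in a mode-0600 file, and re-mints only when the cached credential is gone or within a short skew of its expiry. The actual derivation from cloud credentials is the part kops does; here mintToken is a hypothetical stand-in that draws random bytes, and the KOPS_EXEC_CACHE environment variable and the 15-minute lifetime are assumptions for the example.

```go
package main

import (
	"crypto/rand"
	"encoding/hex"
	"encoding/json"
	"fmt"
	"os"
	"time"
)

// ExecCredential mirrors the client.authentication.k8s.io/v1beta1 object that
// kubectl expects on a credential plugin's stdout. expirationTimestamp is what
// lets kubectl know when to call the plugin again.
type ExecCredential struct {
	APIVersion string `json:"apiVersion"`
	Kind       string `json:"kind"`
	Status     struct {
		Token               string    `json:"token"`
		ExpirationTimestamp time.Time `json:"expirationTimestamp"`
	} `json:"status"`
}

// renewSkew: renew this long before expiry so an in-flight request never
// presents a token that expires mid-call.
const renewSkew = 30 * time.Second

// NeedsRenewal reports whether a cached credential is missing, expired, or
// within renewSkew of expiring.
func NeedsRenewal(cached *ExecCredential, now time.Time) bool {
	if cached == nil || cached.Status.Token == "" {
		return true
	}
	return !now.Add(renewSkew).Before(cached.Status.ExpirationTimestamp)
}

// mintToken is a hypothetical stand-in for deriving a short-lived admin
// credential from the underlying cloud identity; it only draws random bytes.
func mintToken() (string, error) {
	b := make([]byte, 32)
	if _, err := rand.Read(b); err != nil {
		return "", err
	}
	return hex.EncodeToString(b), nil
}

// NewExecCredential wraps a token and its lifetime in the shape kubectl expects.
func NewExecCredential(token string, ttl time.Duration, now time.Time) ExecCredential {
	var c ExecCredential
	c.APIVersion = "client.authentication.k8s.io/v1beta1"
	c.Kind = "ExecCredential"
	c.Status.Token = token
	c.Status.ExpirationTimestamp = now.Add(ttl).UTC().Truncate(time.Second)
	return c
}

// loadCache returns nil on any failure so the caller simply mints afresh.
func loadCache(path string) *ExecCredential {
	data, err := os.ReadFile(path)
	if err != nil {
		return nil
	}
	var c ExecCredential
	if json.Unmarshal(data, &c) != nil {
		return nil
	}
	return &c
}

// saveCache writes the credential owner-read/write only; it is a bearer token.
func saveCache(path string, c ExecCredential) error {
	data, err := json.Marshal(c)
	if err != nil {
		return err
	}
	return os.WriteFile(path, data, 0o600)
}

// Credential returns a valid ExecCredential, reusing the cache while it still
// has life left and minting (and re-caching) a new one otherwise.
func Credential(cachePath string, ttl time.Duration, now time.Time) (ExecCredential, error) {
	if cached := loadCache(cachePath); !NeedsRenewal(cached, now) {
		return *cached, nil
	}
	tok, err := mintToken()
	if err != nil {
		return ExecCredential{}, err
	}
	c := NewExecCredential(tok, ttl, now)
	return c, saveCache(cachePath, c)
}

func main() {
	cachePath := os.Getenv("KOPS_EXEC_CACHE") // assumed env var for this example
	if cachePath == "" {
		cachePath = os.TempDir() + "/exec-cred-cache.json"
	}
	c, err := Credential(cachePath, 15*time.Minute, time.Now())
	if err != nil {
		fmt.Fprintln(os.Stderr, err)
		os.Exit(1)
	}
	// kubectl reads exactly this JSON from stdout; nothing else may be printed there.
	json.NewEncoder(os.Stdout).Encode(c)
}
```

A kubeconfig user then points at the binary with `exec: {apiVersion: client.authentication.k8s.io/v1beta1, command: ./plugin}`; because nothing long-lived is written into the kubeconfig itself, a leaked kubeconfig is worth only as much as the cloud identity that can run the plugin.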
Kops creates an "api.internal.$clustername" DNS A record that points to the master IP(s).
This adds a flag that will use that name and force the CA cert to be included.
This is a workaround for client certificate authentication not working on API ELBs with ACM certificates.
The ELB has a TLS listener rather than TCP, so the client certificate is not passed through to the apiserver.
Using --internal will bypass the API ELB so that the client certificate will be passed directly to the apiserver.
This also requires that the masters' security groups allow 443 access from the client, which this does not handle automatically.

We don't call klog.InitFlags yet, because that will cause a flag
redefinition error until we get everyone to stop using glog. That
will happen when we update to k8s 1.13.

We introduced some new heuristics in #3941 that meant we would access
private DNS names via the ELB's name, just as we do with gossip names.
But it's also possible to set up a VPN or DirectConnect and access a
private HostedZone directly, and in this case we don't want to use the
ELB DNS Name. We recognize this case because the ELB can be set to
Internal (and probably should be, for minimal attack surface!)
We'll probably have to introduce a field for this, but hopefully this
heuristic is sufficient to unblock the release.

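The two endpoint decisions described above, the --internal bypass of a TLS-terminating ELB and the internal-ELB heuristic for private hosted zones, are easier to reason about as one function. The example below is added here and is not kops code; the Cluster fields (PrivateDNS, Gossip, ELBDNSName, ELBScheme, ACMCert) are assumptions chosen to model the cases the commit messages name, and the rule that an ACM-fronted ELB gets no embedded cluster CA reflects why --internal has to force the CA back in.

```go
package main

import (
	"errors"
	"fmt"
)

// Cluster holds the pieces of a kops cluster that matter for choosing how a
// client reaches the apiserver. Field names are assumptions for this example.
type Cluster struct {
	Name       string // e.g. "prod.example.com"
	PrivateDNS bool   // the API record lives in a private hosted zone
	Gossip     bool   // gossip cluster: no DNS record for the API at all
	ELBDNSName string // API load balancer DNS name, "" if there is no LB
	ELBScheme  string // "internet-facing" or "internal"
	ACMCert    bool   // the ELB terminates TLS with an ACM certificate
}

// Endpoint is the server URL for the kubeconfig plus whether the cluster CA
// must be embedded as certificate-authority-data.
type Endpoint struct {
	Server  string
	EmbedCA bool
}

// APIEndpoint picks where a client should connect.
//   - --internal: api.internal.<name>, straight to the masters, CA embedded.
//     This skips a TLS-terminating ELB so the client certificate reaches the
//     apiserver; the caller still has to open 443 on the masters' security group.
//   - gossip clusters, and private-DNS clusters fronted by an internet-facing
//     ELB: the ELB name is the only name the client can resolve.
//   - private hosted zone with an internal ELB: the client is assumed to be on
//     the VPN/DirectConnect path, so api.<name> from the private zone is used directly.
func APIEndpoint(c Cluster, useInternal bool) (Endpoint, error) {
	if useInternal {
		return Endpoint{Server: "https://api.internal." + c.Name, EmbedCA: true}, nil
	}
	viaELB := func() (Endpoint, error) {
		if c.ELBDNSName == "" {
			return Endpoint{}, errors.New("no API load balancer to address")
		}
		// An ACM certificate chains to public roots; embedding the cluster CA as
		// the only trust anchor would make verification fail.
		return Endpoint{Server: "https://" + c.ELBDNSName, EmbedCA: !c.ACMCert}, nil
	}
	if c.Gossip {
		return viaELB()
	}
	if c.PrivateDNS && c.ELBDNSName != "" && c.ELBScheme != "internal" {
		return viaELB()
	}
	// Direct to the apiserver's own cluster-CA-signed certificate.
	return Endpoint{Server: "https://api." + c.Name, EmbedCA: true}, nil
}

func main() {
	// Constructed sample: private zone, internet-facing ELB with an ACM cert.
	c := Cluster{
		Name:       "prod.example.com",
		PrivateDNS: true,
		ELBDNSName: "api-prod-123456.us-east-1.elb.amazonaws.com",
		ELBScheme:  "internet-facing",
		ACMCert:    true,
	}
	for _, internal := range []bool{false, true} {
		ep, err := APIEndpoint(c, internal)
		if err != nil {
			fmt.Println("error:", err)
			continue
		}
		fmt.Printf("--internal=%v server=%s embedCA=%v\n", internal, ep.Server, ep.EmbedCA)
	}
}
```

With the sample cluster the non-internal path yields the ELB name with no embedded CA (the ACM certificate is verified against public roots), while --internal yields api.internal.prod.example.com with the CA embedded; the security group change that makes that second endpoint reachable is still the operator's job.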
Creating the keypair.yaml file if it does not exist.

If the Keypair is not found kops creates a new keyset file. We are
setting the Keyset Task Format to 'Keypair', which denotes that we do
not have a keypair.yaml file.
This commit enables upgrading from kops 1.8 -> 1.9 while upgrading an
existing cluster. Clusters built with kops 1.8 do not have the keypair
file, and these code changes allow the creation of that file.