Set defaults for certs and token on the k8s client
Change-Id: Id74eb4d8a7b1ea7ec97085de85f29244bbda25ea
parent
f0b082671b
commit
1e3ebc9783
|
@ -143,10 +143,8 @@ function generate_containerized_kuryr_resources {
|
|||
iniset "$KURYR_CONFIG" kubernetes controller_ha_port ${KURYR_CONTROLLER_HA_PORT}
|
||||
|
||||
# NOTE(dulek): In the container the CA bundle will be mounted in a standard
|
||||
# directory, so we need to modify that.
|
||||
# directory
|
||||
iniset "$KURYR_CONFIG" neutron cafile /etc/ssl/certs/kuryr-ca-bundle.crt
|
||||
iniset "$KURYR_CONFIG" kubernetes token_file /var/run/secrets/kubernetes.io/serviceaccount/token
|
||||
iniset "$KURYR_CONFIG" kubernetes ssl_ca_crt_file /var/run/secrets/kubernetes.io/serviceaccount/ca.crt
|
||||
|
||||
# Generate kuryr resources in k8s formats.
|
||||
local output_dir="${DATA_DIR}/kuryr-kubernetes"
|
||||
|
@ -1073,6 +1071,8 @@ if [[ "$1" == "stack" && "$2" == "extra" ]]; then
|
|||
KURYR_K8S_API_ROOT="https://${k8s_api_clusterip}:${KURYR_K8S_API_LB_PORT}"
|
||||
fi
|
||||
iniset "$KURYR_CONFIG" kubernetes api_root ${KURYR_K8S_API_ROOT}
|
||||
iniset "$KURYR_CONFIG" kubernetes ssl_ca_crt_file '""'
|
||||
iniset "$KURYR_CONFIG" kubernetes token_file '""'
|
||||
else
|
||||
iniset "$KURYR_CONFIG" kubernetes api_root '""'
|
||||
fi
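Review bot: The two new `iniset` lines blank `ssl_ca_crt_file` and `token_file` unconditionally, including right after the branch that set `KURYR_K8S_API_ROOT` to an `https://` URL, so the standalone client is configured to speak TLS with neither a CA nor credentials; that presumably only works because `ssl_verify_server_crt` defaults to False. The CA could be kept when the deployer supplied one via `KURYR_K8S_API_CACERT` and only cleared otherwise, with a comment explaining that the token is cleared because the standalone devstack talks to the unauthenticated endpoint. The enclosing `if`/`fi` starts before the hunk, so the condition under which this runs is not visible here.
```shell
iniset "$KURYR_CONFIG" kubernetes api_root ${KURYR_K8S_API_ROOT}
# Standalone devstack uses the unauthenticated endpoint: no SA token; keep a
# deployer-supplied CA so an https api_root can still be verified.
if [[ -n "${KURYR_K8S_API_CACERT}" ]]; then
    iniset "$KURYR_CONFIG" kubernetes ssl_ca_crt_file "${KURYR_K8S_API_CACERT}"
else
    iniset "$KURYR_CONFIG" kubernetes ssl_ca_crt_file '""'
fi
iniset "$KURYR_CONFIG" kubernetes token_file '""'
# … unchanged: else branch clearing api_root …
```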
|
||||
|
|
|
@ -38,7 +38,7 @@ KURYR_K8S_API_PORT=${KURYR_K8S_API_PORT:-8080}
|
|||
KURYR_K8S_API_URL=${KURYR_K8S_API_URL:-"http://${SERVICE_HOST}:${KURYR_K8S_API_PORT}"}
|
||||
KURYR_K8S_API_CERT=${KURYR_K8S_API_CERT:-"${KURYR_HYPERKUBE_DATA_DIR}/kuryr.crt"}
|
||||
KURYR_K8S_API_KEY=${KURYR_K8S_API_KEY:-"${KURYR_HYPERKUBE_DATA_DIR}/kuryr.key"}
|
||||
KURYR_K8S_API_CACERT=${KURYR_K8S_API_CACERT:-"${KURYR_HYPERKUBE_DATA_DIR}/kuryr-ca.crt"}
|
||||
KURYR_K8S_API_CACERT=${KURYR_K8S_API_CACERT:-}
|
||||
KURYR_K8S_API_LB_PORT=${KURYR_K8S_API_LB_PORT:-443}
|
||||
KURYR_PORT_DEBUG=${KURYR_PORT_DEBUG:-True}
|
||||
KURYR_SUBNET_DRIVER=${KURYR_SUBNET_DRIVER:-default}
|
||||
|
|
|
@ -39,6 +39,9 @@ Edit ``kuryr.conf``:
|
|||
|
||||
[kubernetes]
|
||||
api_root = http://{ip_of_kubernetes_apiserver}:8080
|
||||
ssl_client_crt_file = {path-to-kuryr-k8s-user-cert-file}
|
||||
ssl_client_key_file = {path-to-kuryr-k8s-user-key-file}
|
||||
ssl_ca_crt_file = {path-to-k8s-api-ca-cert-file}
|
||||
|
||||
[neutron]
|
||||
auth_url = http://127.0.0.1:35357/v3/
|
||||
|
@ -56,6 +59,17 @@ Edit ``kuryr.conf``:
|
|||
project = {id_of_project}
|
||||
service_subnet = {id_of_subnet_for_k8s_services}
|
||||
|
||||
.. note::
|
||||
|
||||
If you want Kuryr to connect to Kubernetes through an unauthenticated
|
||||
endpoint make sure to set ``[kubernetes]ssl_ca_crt_file`` and
|
||||
``[kubernetes]token_file`` to ``""`` as they default to the locations where
|
||||
Kubernetes puts those files for pods. Also don't set
|
||||
``[kubernetes]ssl_client_crt_file`` and ``[kubernetes]ssl_client_key_file``.
|
||||
|
||||
If you use tokens to authenticate use ``[kubernetes]token_file`` to specify
|
||||
a file having it.
|
||||
|
||||
Note that the service_subnet and the pod_subnet *should be routable* and that
|
||||
the pods should allow service subnet access.
|
||||
|
||||
|
|
|
@ -87,13 +87,14 @@ k8s_opts = [
|
|||
"connect to HTTPS K8S_API")),
|
||||
cfg.StrOpt('ssl_ca_crt_file',
|
||||
help=_("Absolute path to ca cert file to "
|
||||
"connect to HTTPS K8S_API")),
|
||||
"connect to HTTPS K8S_API"),
|
||||
default='/var/run/secrets/kubernetes.io/serviceaccount/ca.crt'),
|
||||
cfg.BoolOpt('ssl_verify_server_crt',
|
||||
help=_("HTTPS K8S_API server identity verification"),
|
||||
default=False),
|
||||
cfg.StrOpt('token_file',
|
||||
help=_("The token to talk to the k8s API"),
|
||||
default=''),
|
||||
default='/var/run/secrets/kubernetes.io/serviceaccount/token'),
|
||||
cfg.StrOpt('pod_project_driver',
|
||||
help=_("The driver to determine OpenStack "
|
||||
"project for pod ports"),
|
||||
|
|
|
@ -24,7 +24,9 @@ from kuryr_kubernetes.tests import base as test_base
|
|||
|
||||
|
||||
class TestStatusCmd(test_base.TestCase):
|
||||
def setUp(self):
|
||||
@mock.patch('kuryr_kubernetes.clients.get_kubernetes_client')
|
||||
@mock.patch('kuryr_kubernetes.clients.setup_kubernetes_client')
|
||||
def setUp(self, m_client_setup, m_client_get):
|
||||
super(TestStatusCmd, self).setUp()
|
||||
self.cmd = status.UpgradeCommands()
|
||||
|
||||
|
|
|
@ -26,9 +26,15 @@ from kuryr_kubernetes.tests import base as test_base
|
|||
|
||||
|
||||
class TestK8sClient(test_base.TestCase):
|
||||
def setUp(self):
|
||||
@mock.patch('kuryr_kubernetes.config.CONF')
|
||||
def setUp(self, m_cfg):
|
||||
super(TestK8sClient, self).setUp()
|
||||
self.base_url = 'http://127.0.0.1:12345'
|
||||
m_cfg.kubernetes.ssl_client_crt_file = None
|
||||
m_cfg.kubernetes.ssl_client_key_file = None
|
||||
m_cfg.kubernetes.ssl_ca_crt_file = None
|
||||
m_cfg.kubernetes.token_file = None
|
||||
m_cfg.kubernetes.ssl_verify_server_crt = False
|
||||
self.client = k8s_client.K8sClient(self.base_url)
|
||||
default_cert = (None, None)
|
||||
default_token = None
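Review bot: The rewritten `setUp` only exercises the case where every TLS and token option is None, so the behaviour this commit introduces, the client picking up the service-account `ca.crt` and `token` by default, is not covered by any visible test; a test that sets `m_cfg.kubernetes.token_file` and `ssl_ca_crt_file` to temporary files with `ssl_verify_server_crt = True` and asserts the resulting client state would pin it. Since `mock.patch('kuryr_kubernetes.config.CONF')` wraps only `setUp`, the patch is gone when the individual tests run, which is fine only if `K8sClient` reads CONF solely in `__init__`; a one-line comment such as `# CONF is read once in K8sClient.__init__, so patching setUp is sufficient` would make that assumption explicit. The class body continues outside the hunk.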
|
||||
|
|
|
@ -0,0 +1,11 @@
|
|||
---
|
||||
upgrade:
|
||||
- |
|
||||
In order to prioritize running kuryr-kubernetes services as pods on the
|
||||
Kubernetes cluster they are supposed to serve, default values of
|
||||
``[kubernetes]ssl_ca_crt_file`` and ``[kubernetes]token_file`` are now
|
||||
set to where Kubernetes pods are having those files mounted
|
||||
(``/var/run/secrets/kubernetes.io/serviceaccount/ca.crt`` and
|
||||
``/var/run/secrets/kubernetes.io/serviceaccount/token``). This means that
|
||||
if you want to run Kuryr services standalone through unauthenticated
|
||||
K8s endpoint you need to set both of them to ``""`` in ``kuryr.conf``.
|