Set defaults for certs and token on the k8s client

Change-Id: Id74eb4d8a7b1ea7ec97085de85f29244bbda25ea
This commit is contained in:
Luis Tomas Bolivar 2019-12-10 18:15:19 +01:00
parent f0b082671b
commit 1e3ebc9783
7 changed files with 42 additions and 8 deletions


@ -143,10 +143,8 @@ function generate_containerized_kuryr_resources {
iniset "$KURYR_CONFIG" kubernetes controller_ha_port ${KURYR_CONTROLLER_HA_PORT}
# NOTE(dulek): In the container the CA bundle will be mounted in a standard
# directory, so we need to modify that.
# directory
iniset "$KURYR_CONFIG" neutron cafile /etc/ssl/certs/kuryr-ca-bundle.crt
iniset "$KURYR_CONFIG" kubernetes token_file /var/run/secrets/kubernetes.io/serviceaccount/token
iniset "$KURYR_CONFIG" kubernetes ssl_ca_crt_file /var/run/secrets/kubernetes.io/serviceaccount/ca.crt
# Generate kuryr resources in k8s formats.
local output_dir="${DATA_DIR}/kuryr-kubernetes"
@ -1073,6 +1071,8 @@ if [[ "$1" == "stack" && "$2" == "extra" ]]; then
KURYR_K8S_API_ROOT="https://${k8s_api_clusterip}:${KURYR_K8S_API_LB_PORT}"
fi
iniset "$KURYR_CONFIG" kubernetes api_root ${KURYR_K8S_API_ROOT}
iniset "$KURYR_CONFIG" kubernetes ssl_ca_crt_file '""'
iniset "$KURYR_CONFIG" kubernetes token_file '""'
else
iniset "$KURYR_CONFIG" kubernetes api_root '""'
fi
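Review bot: Blanking the CA at `iniset "$KURYR_CONFIG" kubernetes ssl_ca_crt_file '""'` appears to apply even when `KURYR_K8S_API_ROOT` is the `https://` URL built two lines above, which leaves the non-containerized client with nothing to check the API server certificate against; since `ssl_verify_server_crt` still defaults to False in the config.py section, that connection would then be unverified TLS. If the intent is only to undo the new pod-path defaults, consider passing the devstack CA when one is configured, e.g. `iniset "$KURYR_CONFIG" kubernetes ssl_ca_crt_file "${KURYR_K8S_API_CACERT:-\"\"}"`, though the settings section now defaults `KURYR_K8S_API_CACERT` to empty as well, so both would need revisiting together. The enclosing `if [[ "$1" == "stack" && "$2" == "extra" ]]` block starts and ends outside the hunk and the condition guarding these two lines is not visible, so this is inferred from the hunk context.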


@ -38,7 +38,7 @@ KURYR_K8S_API_PORT=${KURYR_K8S_API_PORT:-8080}
KURYR_K8S_API_URL=${KURYR_K8S_API_URL:-"http://${SERVICE_HOST}:${KURYR_K8S_API_PORT}"}
KURYR_K8S_API_CERT=${KURYR_K8S_API_CERT:-"${KURYR_HYPERKUBE_DATA_DIR}/kuryr.crt"}
KURYR_K8S_API_KEY=${KURYR_K8S_API_KEY:-"${KURYR_HYPERKUBE_DATA_DIR}/kuryr.key"}
KURYR_K8S_API_CACERT=${KURYR_K8S_API_CACERT:-"${KURYR_HYPERKUBE_DATA_DIR}/kuryr-ca.crt"}
KURYR_K8S_API_CACERT=${KURYR_K8S_API_CACERT:-}
KURYR_K8S_API_LB_PORT=${KURYR_K8S_API_LB_PORT:-443}
KURYR_PORT_DEBUG=${KURYR_PORT_DEBUG:-True}
KURYR_SUBNET_DRIVER=${KURYR_SUBNET_DRIVER:-default}


@ -39,6 +39,9 @@ Edit ``kuryr.conf``:
[kubernetes]
api_root = http://{ip_of_kubernetes_apiserver}:8080
ssl_client_crt_file = {path-to-kuryr-k8s-user-cert-file}
ssl_client_key_file = {path-to-kuryr-k8s-user-key-file}
ssl_ca_crt_file = {path-to-k8s-api-ca-cert-file}
[neutron]
auth_url = http://127.0.0.1:35357/v3/
@ -56,6 +59,17 @@ Edit ``kuryr.conf``:
project = {id_of_project}
service_subnet = {id_of_subnet_for_k8s_services}
.. note::
If you want Kuryr to connect to Kubernetes through an unauthenticated
endpoint make sure to set ``[kubernetes]ssl_ca_crt_file`` and
``[kubernetes]token_file`` to ``""`` as they default to the locations where
Kubernetes puts those files for pods. Also don't set
``[kubernetes]ssl_client_crt_file`` and ``[kubernetes]ssl_client_key_file``.
If you use tokens to authenticate use ``[kubernetes]token_file`` to specify
a file having it.
Note that the service_subnet and the pod_subnet *should be routable* and that
the pods should allow service subnet access.


@ -87,13 +87,14 @@ k8s_opts = [
"connect to HTTPS K8S_API")),
cfg.StrOpt('ssl_ca_crt_file',
help=_("Absolute path to ca cert file to "
"connect to HTTPS K8S_API")),
"connect to HTTPS K8S_API"),
default='/var/run/secrets/kubernetes.io/serviceaccount/ca.crt'),
cfg.BoolOpt('ssl_verify_server_crt',
help=_("HTTPS K8S_API server identity verification"),
default=False),
cfg.StrOpt('token_file',
help=_("The token to talk to the k8s API"),
default=''),
default='/var/run/secrets/kubernetes.io/serviceaccount/token'),
cfg.StrOpt('pod_project_driver',
help=_("The driver to determine OpenStack "
"project for pod ports"),
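Review bot: The help strings for `ssl_ca_crt_file` and `token_file` do not mention the new service-account defaults or that an empty string is the documented way to opt out, which the release note section relies on; suggest `help=_("Absolute path to ca cert file to connect to HTTPS K8S_API. Defaults to the pod service-account CA; set to \"\" when not needed")` and the equivalent wording for `token_file`. With a CA bundle now present by default, `ssl_verify_server_crt` keeping `default=False` presumably means the bundle is not used to verify the API server identity unless operators also flip that flag, which is worth stating in the help or reconsidering, though how the client combines the two options is not visible here. The `k8s_opts` list starts and ends outside the hunk.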


@ -24,7 +24,9 @@ from kuryr_kubernetes.tests import base as test_base
class TestStatusCmd(test_base.TestCase):
def setUp(self):
@mock.patch('kuryr_kubernetes.clients.get_kubernetes_client')
@mock.patch('kuryr_kubernetes.clients.setup_kubernetes_client')
def setUp(self, m_client_setup, m_client_get):
super(TestStatusCmd, self).setUp()
self.cmd = status.UpgradeCommands()


@ -26,9 +26,15 @@ from kuryr_kubernetes.tests import base as test_base
class TestK8sClient(test_base.TestCase):
def setUp(self):
@mock.patch('kuryr_kubernetes.config.CONF')
def setUp(self, m_cfg):
super(TestK8sClient, self).setUp()
self.base_url = 'http://127.0.0.1:12345'
m_cfg.kubernetes.ssl_client_crt_file = None
m_cfg.kubernetes.ssl_client_key_file = None
m_cfg.kubernetes.ssl_ca_crt_file = None
m_cfg.kubernetes.token_file = None
m_cfg.kubernetes.ssl_verify_server_crt = False
self.client = k8s_client.K8sClient(self.base_url)
default_cert = (None, None)
default_token = None
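Review bot: `@mock.patch('kuryr_kubernetes.config.CONF')` only patches CONF while `setUp` runs, so the `m_cfg.kubernetes.*` values assigned here are gone by the time each test method executes; the fixture is correct only if `K8sClient.__init__` reads those settings eagerly, which the hunk implies but does not show. A comment would make that dependency explicit, e.g. `# CONF is patched for setUp only: K8sClient must read the ssl/token settings in __init__`. The hunk ends at `default_token = None`; whether `setUp` continues past it is not visible.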


@ -0,0 +1,11 @@
---
upgrade:
- |
In order to prioritize running kuryr-kubernetes services as pods on the
Kubernetes cluster they are supposed to serve, default values of
``[kubernetes]ssl_ca_crt_file`` and ``[kubernetes]token_file`` are now
set to where Kubernetes pods are having those files mounted
(``/var/run/secrets/kubernetes.io/serviceaccount/ca.crt`` and
``/var/run/secrets/kubernetes.io/serviceaccount/token``). This means that
if you want to run Kuryr services standalone through unauthenticated
K8s endpoint you need to set both of them to ``""`` in ``kuryr.conf``.