Set defaults for certs and token on the k8s client

Change-Id: Id74eb4d8a7b1ea7ec97085de85f29244bbda25ea

devstack/plugin.sh

@@ -143,10 +143,8 @@ function generate_containerized_kuryr_resources {
     iniset "$KURYR_CONFIG" kubernetes controller_ha_port ${KURYR_CONTROLLER_HA_PORT}
 
     # NOTE(dulek): In the container the CA bundle will be mounted in a standard
-    # directory, so we need to modify that.
+    # directory
     iniset "$KURYR_CONFIG" neutron cafile /etc/ssl/certs/kuryr-ca-bundle.crt
-    iniset "$KURYR_CONFIG" kubernetes token_file /var/run/secrets/kubernetes.io/serviceaccount/token
-    iniset "$KURYR_CONFIG" kubernetes ssl_ca_crt_file /var/run/secrets/kubernetes.io/serviceaccount/ca.crt
 
     # Generate kuryr resources in k8s formats.
     local output_dir="${DATA_DIR}/kuryr-kubernetes"
@@ -1073,6 +1071,8 @@ if [[ "$1" == "stack" && "$2" == "extra" ]]; then
                 KURYR_K8S_API_ROOT="https://${k8s_api_clusterip}:${KURYR_K8S_API_LB_PORT}"
             fi
             iniset "$KURYR_CONFIG" kubernetes api_root ${KURYR_K8S_API_ROOT}
+            iniset "$KURYR_CONFIG" kubernetes ssl_ca_crt_file '""'
+            iniset "$KURYR_CONFIG" kubernetes token_file '""'
         else
             iniset "$KURYR_CONFIG" kubernetes api_root '""'
         fi

devstack/settings

@@ -38,7 +38,7 @@ KURYR_K8S_API_PORT=${KURYR_K8S_API_PORT:-8080}
 KURYR_K8S_API_URL=${KURYR_K8S_API_URL:-"http://${SERVICE_HOST}:${KURYR_K8S_API_PORT}"}
 KURYR_K8S_API_CERT=${KURYR_K8S_API_CERT:-"${KURYR_HYPERKUBE_DATA_DIR}/kuryr.crt"}
 KURYR_K8S_API_KEY=${KURYR_K8S_API_KEY:-"${KURYR_HYPERKUBE_DATA_DIR}/kuryr.key"}
-KURYR_K8S_API_CACERT=${KURYR_K8S_API_CACERT:-"${KURYR_HYPERKUBE_DATA_DIR}/kuryr-ca.crt"}
+KURYR_K8S_API_CACERT=${KURYR_K8S_API_CACERT:-}
 KURYR_K8S_API_LB_PORT=${KURYR_K8S_API_LB_PORT:-443}
 KURYR_PORT_DEBUG=${KURYR_PORT_DEBUG:-True}
 KURYR_SUBNET_DRIVER=${KURYR_SUBNET_DRIVER:-default}

doc/source/installation/manual.rst

@@ -39,6 +39,9 @@ Edit ``kuryr.conf``:
 
    [kubernetes]
    api_root = http://{ip_of_kubernetes_apiserver}:8080
+   ssl_client_crt_file = {path-to-kuryr-k8s-user-cert-file}
+   ssl_client_key_file = {path-to-kuryr-k8s-user-key-file}
+   ssl_ca_crt_file = {path-to-k8s-api-ca-cert-file}
 
    [neutron]
    auth_url = http://127.0.0.1:35357/v3/
@@ -56,6 +59,17 @@ Edit ``kuryr.conf``:
    project = {id_of_project}
    service_subnet = {id_of_subnet_for_k8s_services}
 
+.. note::
+
+   If you want Kuryr to connect to Kubernetes through an unauthenticated
+   endpoint make sure to set ``[kubernetes]ssl_ca_crt_file`` and
+   ``[kubernetes]token_file`` to ``""`` as they default to the locations where
+   Kubernetes puts those files for pods. Also don't set
+   ``[kubernetes]ssl_client_crt_file`` and ``[kubernetes]ssl_client_key_file``.
+
+   If you use tokens to authenticate use ``[kubernetes]token_file`` to specify
+   a file having it.
+
 Note that the service_subnet and the pod_subnet *should be routable* and that
 the pods should allow service subnet access.
 

kuryr_kubernetes/config.py

@@ -87,13 +87,14 @@ k8s_opts = [
                       "connect to HTTPS K8S_API")),
     cfg.StrOpt('ssl_ca_crt_file',
                help=_("Absolute path to ca cert file to "
-                      "connect to HTTPS K8S_API")),
+                      "connect to HTTPS K8S_API"),
+               default='/var/run/secrets/kubernetes.io/serviceaccount/ca.crt'),
     cfg.BoolOpt('ssl_verify_server_crt',
                 help=_("HTTPS K8S_API server identity verification"),
                 default=False),
     cfg.StrOpt('token_file',
                help=_("The token to talk to the k8s API"),
-               default=''),
+               default='/var/run/secrets/kubernetes.io/serviceaccount/token'),
     cfg.StrOpt('pod_project_driver',
                help=_("The driver to determine OpenStack "
                       "project for pod ports"),

kuryr_kubernetes/tests/unit/cmd/test_status.py

@@ -24,7 +24,9 @@ from kuryr_kubernetes.tests import base as test_base
 
 
 class TestStatusCmd(test_base.TestCase):
-    def setUp(self):
+    @mock.patch('kuryr_kubernetes.clients.get_kubernetes_client')
+    @mock.patch('kuryr_kubernetes.clients.setup_kubernetes_client')
+    def setUp(self, m_client_setup, m_client_get):
         super(TestStatusCmd, self).setUp()
         self.cmd = status.UpgradeCommands()
 

kuryr_kubernetes/tests/unit/test_k8s_client.py

@@ -26,9 +26,15 @@ from kuryr_kubernetes.tests import base as test_base
 
 
 class TestK8sClient(test_base.TestCase):
-    def setUp(self):
+    @mock.patch('kuryr_kubernetes.config.CONF')
+    def setUp(self, m_cfg):
         super(TestK8sClient, self).setUp()
         self.base_url = 'http://127.0.0.1:12345'
+        m_cfg.kubernetes.ssl_client_crt_file = None
+        m_cfg.kubernetes.ssl_client_key_file = None
+        m_cfg.kubernetes.ssl_ca_crt_file = None
+        m_cfg.kubernetes.token_file = None
+        m_cfg.kubernetes.ssl_verify_server_crt = False
         self.client = k8s_client.K8sClient(self.base_url)
         default_cert = (None, None)
         default_token = None

releasenotes/notes/k8s-client-token-default-882ec49d1faffc29.yaml

@@ -0,0 +1,11 @@
+---
+upgrade:
+  - |
+    In order to prioritize running kuryr-kubernetes services as pods on the
+    Kubernetes cluster they are supposed to serve, default values of
+    ``[kubernetes]ssl_ca_crt_file`` and ``[kubernetes]token_file`` are now
+    set to where Kubernetes pods are having those files mounted
+    (``/var/run/secrets/kubernetes.io/serviceaccount/ca.crt`` and
+    ``/var/run/secrets/kubernetes.io/serviceaccount/token``). This means that
+    if you want to run Kuryr services standalone through unauthenticated
+    K8s endpoint you need to set both of them to ``""`` in ``kuryr.conf``.