
Stop using insecure serving.
dlorenc committed Jul 24, 2017
1 parent 29a7d71 commit a1650b2
Showing 14 changed files with 168 additions and 71 deletions.
9 changes: 9 additions & 0 deletions deploy/addons/addon-manager.yaml
Expand Up @@ -26,6 +26,9 @@ spec:
containers:
- name: kube-addon-manager
image: gcr.io/google-containers/kube-addon-manager:v6.4-beta.2
env:
- name: KUBECONFIG
value: /var/lib/localkube/kubeconfig
imagePullPolicy: IfNotPresent
resources:
requests:
Expand All @@ -35,7 +38,13 @@ spec:
- mountPath: /etc/kubernetes/
name: addons
readOnly: true
- mountPath: /var/lib/localkube
name: kubeconfig
readOnly: true
volumes:
- hostPath:
path: /etc/kubernetes/
name: addons
- hostPath:
path: /var/lib/localkube
name: kubeconfig
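Review bot: The new hostPath volume exposes the whole `/var/lib/localkube` directory to the addon-manager container when the only thing it needs is the kubeconfig at `/var/lib/localkube/kubeconfig`. That directory presumably also holds the cluster's key material (ready.go in this commit reads CA and private-key paths off the same LocalkubeServer), so the mount grants more than the container requires. Narrowing it to the single file, `path: /var/lib/localkube/kubeconfig` with a matching `mountPath: /var/lib/localkube/kubeconfig` and `readOnly: true` kept, limits what a compromised addon-manager can read. Whether the certificates actually live under /var/lib/localkube is not visible here.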
3 changes: 2 additions & 1 deletion hack/jenkins/linux_integration_tests_none.sh
Expand Up @@ -30,7 +30,8 @@ OS_ARCH="linux-amd64"
VM_DRIVER="none"
JOB_NAME="Linux-None"
EXTRA_BUILD_ARGS="$EXTRA_BUILD_ARGS --use-vendored-driver"
SUDO_PREFIX="sudo "
SUDO_PREFIX="sudo -E "
export KUBECONFIG="/root/.kube/config"

# Download files and set permissions
source common.sh
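Review bot: `sudo -E` on the SUDO_PREFIX line forwards the caller's entire environment into every privileged command, when the only variable that needs to cross is the KUBECONFIG exported on the next line. Passing just that variable, `SUDO_PREFIX="sudo KUBECONFIG=$KUBECONFIG "`, keeps the rest of the Jenkins environment out of root's context while still pointing the tools at /root/.kube/config. Whether the sudoers policy on the CI hosts permits per-command variable assignments is not visible here, so confirm before switching.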
10 changes: 5 additions & 5 deletions pkg/localkube/apiserver.go
Expand Up @@ -39,8 +39,8 @@ func StartAPIServer(lk LocalkubeServer) func() error {
config.SecureServing.BindAddress = lk.APIServerAddress
config.SecureServing.BindPort = lk.APIServerPort

config.InsecureServing.BindAddress = lk.APIServerInsecureAddress
config.InsecureServing.BindPort = lk.APIServerInsecurePort
// 0 turns off insecure serving.
config.InsecureServing.BindPort = 0

config.Authentication.ClientCert.ClientCA = lk.GetCAPublicKeyCertPath()

Expand Down Expand Up @@ -84,7 +84,7 @@ func StartAPIServer(lk LocalkubeServer) func() error {
}

func readyFunc(lk LocalkubeServer) HealthCheck {
hostport := net.JoinHostPort(lk.APIServerInsecureAddress.String(), strconv.Itoa(lk.APIServerInsecurePort))
addr := "http://" + path.Join(hostport, "healthz")
return healthCheck(addr)
hostport := net.JoinHostPort("localhost", strconv.Itoa(lk.APIServerPort))
addr := "https://" + path.Join(hostport, "healthz")
return healthCheck(addr, lk)
}
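Review bot: readyFunc now hard-codes `"localhost"` as the probe host while the first hunk binds the secure port to `lk.APIServerAddress`; if that address is not a loopback or wildcard address the probe never connects, and the hostname must also match a SAN on the serving certificate for the TLS verification introduced in ready.go to pass. Using the same address the server binds to, `hostport := net.JoinHostPort(lk.APIServerAddress.String(), strconv.Itoa(lk.APIServerPort))`, keeps the probe and the listener in agreement. Whether the generated serving certificate includes localhost is not visible in this commit. StartAPIServer's body continues outside the first hunk.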
3 changes: 2 additions & 1 deletion pkg/localkube/controller-manager.go
Expand Up @@ -19,6 +19,7 @@ package localkube
import (
controllerManager "k8s.io/kubernetes/cmd/kube-controller-manager/app"
"k8s.io/kubernetes/cmd/kube-controller-manager/app/options"
"k8s.io/minikube/pkg/util"
)

func (lk LocalkubeServer) NewControllerManagerServer() Server {
Expand All @@ -28,7 +29,7 @@ func (lk LocalkubeServer) NewControllerManagerServer() Server {
func StartControllerManagerServer(lk LocalkubeServer) func() error {
config := options.NewCMServer()

config.Master = lk.GetAPIServerInsecureURL()
config.Kubeconfig = util.DefaultKubeConfigPath

// defaults from command
config.DeletingPodsQps = 0.1
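Review bot: `config.Kubeconfig = util.DefaultKubeConfigPath` hard-wires a package constant while every other on-disk path these servers need comes from the `lk` receiver (the certificate paths via `lk.GetCAPublicKeyCertPath()` and friends in apiserver.go and ready.go); the same constant is repeated in scheduler.go, kubelet.go, proxy.go and storage_provisioner.go in this commit. A `lk.GetKubeConfigPath()` accessor returning that default would keep the location in one place alongside the cert paths and let tests or alternate layouts override it without touching five files. StartControllerManagerServer continues past the hunk.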
5 changes: 4 additions & 1 deletion pkg/localkube/kubelet.go
Expand Up @@ -17,8 +17,10 @@ limitations under the License.
package localkube

import (
"k8s.io/apiserver/pkg/util/flag"
kubelet "k8s.io/kubernetes/cmd/kubelet/app"
"k8s.io/kubernetes/cmd/kubelet/app/options"
"k8s.io/minikube/pkg/util"
)

func (lk LocalkubeServer) NewKubeletServer() Server {
Expand All @@ -29,7 +31,8 @@ func StartKubeletServer(lk LocalkubeServer) func() error {
config := options.NewKubeletServer()

// Master details
config.APIServerList = []string{lk.GetAPIServerInsecureURL()}
config.KubeConfig = flag.NewStringFlag(util.DefaultKubeConfigPath)
config.RequireKubeConfig = true

// Set containerized based on the flag
config.Containerized = lk.Containerized
10 changes: 6 additions & 4 deletions pkg/localkube/proxy.go
Expand Up @@ -18,6 +18,7 @@ package localkube

import (
kubeproxy "k8s.io/kubernetes/cmd/kube-proxy/app"
"k8s.io/minikube/pkg/util"

"time"

Expand All @@ -40,16 +41,17 @@ func StartProxyServer(lk LocalkubeServer) func() error {
config := &componentconfig.KubeProxyConfiguration{
OOMScoreAdj: &OOMScoreAdj,
ClientConnection: componentconfig.ClientConnectionConfiguration{
Burst: 10,
QPS: 5,
Burst: 10,
QPS: 5,
KubeConfigFile: util.DefaultKubeConfigPath,
},
ConfigSyncPeriod: v1.Duration{Duration: 15 * time.Minute},
IPTables: componentconfig.KubeProxyIPTablesConfiguration{
MasqueradeBit: &MasqueradeBit,
SyncPeriod: v1.Duration{Duration: 30 * time.Second},
MinSyncPeriod: v1.Duration{Duration: 5 * time.Second},
},
BindAddress: lk.APIServerInsecureAddress.String(),
BindAddress: lk.APIServerAddress.String(),
Mode: componentconfig.ProxyModeIPTables,
FeatureGates: lk.FeatureGates,
// Disable the healthz check
Expand All @@ -60,7 +62,7 @@ func StartProxyServer(lk LocalkubeServer) func() error {

return func() error {
// Creating this config requires the API Server to be up, so do it in the start function itself.
server, err := kubeproxy.NewProxyServer(config, false, runtime.NewScheme(), lk.GetAPIServerInsecureURL())
server, err := kubeproxy.NewProxyServer(config, false, runtime.NewScheme(), "")
if err != nil {
panic(err)
}
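Review bot: `BindAddress: lk.APIServerAddress.String()` ties the address kube-proxy listens on to the API server's serving address, two settings that are not obviously related now that the insecure address it replaced is gone. If the intent is that kube-proxy bind to the same host interface the API server serves on, a comment on that line would stop a later reader from "fixing" it, e.g. `// kube-proxy binds to the same interface the API server serves on.`; if not, a dedicated field on LocalkubeServer would be clearer. StartProxyServer continues past the hunk.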
29 changes: 27 additions & 2 deletions pkg/localkube/ready.go
Expand Up @@ -17,6 +17,8 @@ limitations under the License.
package localkube

import (
"crypto/tls"
"crypto/x509"
"io/ioutil"
"net/http"

Expand All @@ -25,10 +27,33 @@ import (

type HealthCheck func() bool

func healthCheck(addr string) HealthCheck {
func healthCheck(addr string, lk LocalkubeServer) HealthCheck {
return func() bool {
glog.Infof("Performing healthcheck on %s\n", addr)
resp, err := http.Get(addr)

cert, err := tls.LoadX509KeyPair(lk.GetPublicKeyCertPath(), lk.GetPrivateKeyCertPath())
if err != nil {
glog.Error(err)
return false
}

// Load CA cert
caCert, err := ioutil.ReadFile(lk.GetCAPublicKeyCertPath())
if err != nil {
glog.Warning(err)
return false
}
caCertPool := x509.NewCertPool()
caCertPool.AppendCertsFromPEM(caCert)
tlsConfig := &tls.Config{
Certificates: []tls.Certificate{cert},
RootCAs: caCertPool,
}
tlsConfig.BuildNameToCertificate()
transport := &http.Transport{TLSClientConfig: tlsConfig}
client := &http.Client{Transport: transport}

resp, err := client.Get(addr)
if err != nil {
glog.Errorf("Error performing healthcheck: %s", err)
return false
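Review bot: The client certificate, CA bundle and `http.Transport` are all built inside the returned closure, so every invocation of the health check re-reads the key pair from disk and allocates a fresh Transport whose idle connections are never released. Building the client once and reusing it across probes avoids that, and while doing so the return value of `caCertPool.AppendCertsFromPEM` should be checked, since an empty pool turns a malformed CA file into a confusing verification error on `client.Get`; `tlsConfig.BuildNameToCertificate()` can be dropped because it only matters for a server selecting among its own certificates. The helper sketched below needs `fmt` imported, which the first hunk's import list does not show. healthCheck's body continues past the hunk, so the response handling is left as is.
```go
func healthCheck(addr string, lk LocalkubeServer) HealthCheck {
	// The TLS client is built on the first probe that finds the certificates
	// on disk and reused afterwards; the probes are expected to run
	// sequentially, so no locking is done here.
	var client *http.Client
	return func() bool {
		glog.Infof("Performing healthcheck on %s\n", addr)
		if client == nil {
			c, err := newHealthCheckClient(lk)
			if err != nil {
				glog.Error(err)
				return false
			}
			client = c
		}

		resp, err := client.Get(addr)
		// … unchanged: response handling …
	}
}

// newHealthCheckClient returns an HTTP client that presents the localkube
// client certificate and trusts only the localkube CA.
func newHealthCheckClient(lk LocalkubeServer) (*http.Client, error) {
	cert, err := tls.LoadX509KeyPair(lk.GetPublicKeyCertPath(), lk.GetPrivateKeyCertPath())
	if err != nil {
		return nil, err
	}
	caCert, err := ioutil.ReadFile(lk.GetCAPublicKeyCertPath())
	if err != nil {
		return nil, err
	}
	caCertPool := x509.NewCertPool()
	if !caCertPool.AppendCertsFromPEM(caCert) {
		return nil, fmt.Errorf("no CA certificates found in %s", lk.GetCAPublicKeyCertPath())
	}
	tlsConfig := &tls.Config{
		Certificates: []tls.Certificate{cert},
		RootCAs:      caCertPool,
	}
	return &http.Client{Transport: &http.Transport{TLSClientConfig: tlsConfig}}, nil
}
```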
3 changes: 2 additions & 1 deletion pkg/localkube/scheduler.go
Expand Up @@ -19,6 +19,7 @@ package localkube
import (
scheduler "k8s.io/kubernetes/plugin/cmd/kube-scheduler/app"
"k8s.io/kubernetes/plugin/cmd/kube-scheduler/app/options"
"k8s.io/minikube/pkg/util"
)

func (lk LocalkubeServer) NewSchedulerServer() Server {
Expand All @@ -29,7 +30,7 @@ func StartSchedulerServer(lk LocalkubeServer) func() error {
config := options.NewSchedulerServer()

// master details
config.Master = lk.GetAPIServerInsecureURL()
config.Kubeconfig = util.DefaultKubeConfigPath

// defaults from command
config.EnableProfiling = true
13 changes: 7 additions & 6 deletions pkg/localkube/storage_provisioner.go
Expand Up @@ -32,7 +32,8 @@ import (
"k8s.io/apimachinery/pkg/util/wait"
"k8s.io/client-go/kubernetes"
"k8s.io/client-go/pkg/api/v1"
"k8s.io/client-go/rest"
"k8s.io/client-go/tools/clientcmd"
"k8s.io/minikube/pkg/util"
)

const (
Expand Down Expand Up @@ -121,12 +122,12 @@ func (lk LocalkubeServer) NewStorageProvisionerServer() Server {

func StartStorageProvisioner(lk LocalkubeServer) func() error {

// Create an InClusterConfig and use it to create a client for the controller
// to use to communicate with Kubernetes
config := rest.Config{Host: "http://localhost:8080"}
return func() error {

clientset, err := kubernetes.NewForConfig(&config)
config, err := clientcmd.BuildConfigFromFlags("", util.DefaultKubeConfigPath)
if err != nil {
return err
}
clientset, err := kubernetes.NewForConfig(config)
if err != nil {
glog.Fatalf("Failed to create client: %v", err)
}
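Review bot: The new `clientcmd.BuildConfigFromFlags` failure is returned as an error, but the `kubernetes.NewForConfig` failure two lines below still aborts the whole process with `glog.Fatalf`; now that the start function has an error path, the two adjacent failures should be handled the same way, e.g. `return fmt.Errorf("creating client: %v", err)`, leaving the caller to decide whether a missing API server is fatal. The import list in the first hunk does not show fmt, so it would need adding. StartStorageProvisioner continues past the hunk.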
56 changes: 28 additions & 28 deletions pkg/minikube/assets/addons.go
Expand Up @@ -28,12 +28,12 @@ import (
)

type Addon struct {
Assets []*MemoryAsset
Assets []*BinDataAsset
enabled bool
addonName string
}

func NewAddon(assets []*MemoryAsset, enabled bool, addonName string) *Addon {
func NewAddon(assets []*BinDataAsset, enabled bool, addonName string) *Addon {
a := &Addon{
Assets: assets,
enabled: enabled,
Expand All @@ -55,107 +55,107 @@ func (a *Addon) IsEnabled() (bool, error) {
}

var Addons = map[string]*Addon{
"addon-manager": NewAddon([]*MemoryAsset{
NewMemoryAsset(
"addon-manager": NewAddon([]*BinDataAsset{
NewBinDataAsset(
"deploy/addons/addon-manager.yaml",
"/etc/kubernetes/manifests/",
"addon-manager.yaml",
"0640"),
}, true, "addon-manager"),
"dashboard": NewAddon([]*MemoryAsset{
NewMemoryAsset(
"dashboard": NewAddon([]*BinDataAsset{
NewBinDataAsset(
"deploy/addons/dashboard/dashboard-rc.yaml",
constants.AddonsPath,
"dashboard-rc.yaml",
"0640"),
NewMemoryAsset(
NewBinDataAsset(
"deploy/addons/dashboard/dashboard-svc.yaml",
constants.AddonsPath,
"dashboard-svc.yaml",
"0640"),
}, true, "dashboard"),
"default-storageclass": NewAddon([]*MemoryAsset{
NewMemoryAsset(
"default-storageclass": NewAddon([]*BinDataAsset{
NewBinDataAsset(
"deploy/addons/storageclass/storageclass.yaml",
constants.AddonsPath,
"storageclass.yaml",
"0640"),
}, true, "default-storageclass"),
"kube-dns": NewAddon([]*MemoryAsset{
NewMemoryAsset(
"kube-dns": NewAddon([]*BinDataAsset{
NewBinDataAsset(
"deploy/addons/kube-dns/kube-dns-controller.yaml",
constants.AddonsPath,
"kube-dns-controller.yaml",
"0640"),
NewMemoryAsset(
NewBinDataAsset(
"deploy/addons/kube-dns/kube-dns-cm.yaml",
constants.AddonsPath,
"kube-dns-cm.yaml",
"0640"),
NewMemoryAsset(
NewBinDataAsset(
"deploy/addons/kube-dns/kube-dns-svc.yaml",
constants.AddonsPath,
"kube-dns-svc.yaml",
"0640"),
}, true, "kube-dns"),
"heapster": NewAddon([]*MemoryAsset{
NewMemoryAsset(
"heapster": NewAddon([]*BinDataAsset{
NewBinDataAsset(
"deploy/addons/heapster/influxGrafana-rc.yaml",
constants.AddonsPath,
"influxGrafana-rc.yaml",
"0640"),
NewMemoryAsset(
NewBinDataAsset(
"deploy/addons/heapster/grafana-svc.yaml",
constants.AddonsPath,
"grafana-svc.yaml",
"0640"),
NewMemoryAsset(
NewBinDataAsset(
"deploy/addons/heapster/influxdb-svc.yaml",
constants.AddonsPath,
"influxdb-svc.yaml",
"0640"),
NewMemoryAsset(
NewBinDataAsset(
"deploy/addons/heapster/heapster-rc.yaml",
constants.AddonsPath,
"heapster-rc.yaml",
"0640"),
NewMemoryAsset(
NewBinDataAsset(
"deploy/addons/heapster/heapster-svc.yaml",
constants.AddonsPath,
"heapster-svc.yaml",
"0640"),
}, false, "heapster"),
"ingress": NewAddon([]*MemoryAsset{
NewMemoryAsset(
"ingress": NewAddon([]*BinDataAsset{
NewBinDataAsset(
"deploy/addons/ingress/ingress-configmap.yaml",
constants.AddonsPath,
"ingress-configmap.yaml",
"0640"),
NewMemoryAsset(
NewBinDataAsset(
"deploy/addons/ingress/ingress-rc.yaml",
constants.AddonsPath,
"ingress-rc.yaml",
"0640"),
NewMemoryAsset(
NewBinDataAsset(
"deploy/addons/ingress/ingress-svc.yaml",
constants.AddonsPath,
"ingress-svc.yaml",
"0640"),
}, false, "ingress"),
"registry": NewAddon([]*MemoryAsset{
NewMemoryAsset(
"registry": NewAddon([]*BinDataAsset{
NewBinDataAsset(
"deploy/addons/registry/registry-rc.yaml",
constants.AddonsPath,
"registry-rc.yaml",
"0640"),
NewMemoryAsset(
NewBinDataAsset(
"deploy/addons/registry/registry-svc.yaml",
constants.AddonsPath,
"registry-svc.yaml",
"0640"),
}, false, "registry"),
"registry-creds": NewAddon([]*MemoryAsset{
NewMemoryAsset(
"registry-creds": NewAddon([]*BinDataAsset{
NewBinDataAsset(
"deploy/addons/registry-creds/registry-creds-rc.yaml",
constants.AddonsPath,
"registry-creds-rc.yaml",