Logga in
golang
/
flannel
1
0
Fork 0
Filer Ärenden 0 Pull-förfrågningar 0 Wiki
Träd: 7de2388dc0
Grenar Taggar
flannel
/
vendor
/
k8s.io
/
kubernetes
/
cluster
/
photon-controller
/
templates
/
create-dynamic-salt-files.sh

create-dynamic-salt-files.sh 4.6 KB
Historik

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128 
  1. #!/bin/bash
    2. 

  2. 

  3. # Copyright 2014 The Kubernetes Authors.
    4. 

  4. #
    5. 

  5. # Licensed under the Apache License, Version 2.0 (the "License");
    6. 

  6. # you may not use this file except in compliance with the License.
    7. 

  7. # You may obtain a copy of the License at
    8. 

  8. #
    9. 

  9. #     http://www.apache.org/licenses/LICENSE-2.0
    10. 

  10. #
    11. 

  11. # Unless required by applicable law or agreed to in writing, software
    12. 

  12. # distributed under the License is distributed on an "AS IS" BASIS,
    13. 

  13. # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
    14. 

  14. # See the License for the specific language governing permissions and
    15. 

  15. # limitations under the License.
    16. 

  16. 

  17. #generate token files
    18. 

  18. 

  19. KUBELET_TOKEN=$(dd if=/dev/urandom bs=128 count=1 2>/dev/null | base64 | tr -d "=+/" | dd bs=32 count=1 2>/dev/null)
    20. 

  20. KUBE_PROXY_TOKEN=$(dd if=/dev/urandom bs=128 count=1 2>/dev/null | base64 | tr -d "=+/" | dd bs=32 count=1 2>/dev/null)
    21. 

  21. known_tokens_file="/srv/salt-overlay/salt/kube-apiserver/known_tokens.csv"
    22. 

  22. if [[ ! -f "${known_tokens_file}" ]]; then
    23. 

  23. 

  24.   mkdir -p /srv/salt-overlay/salt/kube-apiserver
    25. 

  25.   known_tokens_file="/srv/salt-overlay/salt/kube-apiserver/known_tokens.csv"
    26. 

  26.   (umask u=rw,go= ;
    27. 

  27.    echo "$KUBELET_TOKEN,kubelet,kubelet" > $known_tokens_file;
    28. 

  28.    echo "$KUBE_PROXY_TOKEN,kube_proxy,kube_proxy" >> $known_tokens_file)
    29. 

  29. 

  30.   mkdir -p /srv/salt-overlay/salt/kubelet
    31. 

  31.   kubelet_auth_file="/srv/salt-overlay/salt/kubelet/kubernetes_auth"
    32. 

  32.   (umask u=rw,go= ; echo "{\"BearerToken\": \"$KUBELET_TOKEN\", \"Insecure\": true }" > $kubelet_auth_file)
    33. 

  33.   kubelet_kubeconfig_file="/srv/salt-overlay/salt/kubelet/kubeconfig"
    34. 

  34. 

  35.   mkdir -p /srv/salt-overlay/salt/kubelet
    36. 

  36.   (umask 077;
    37. 

  37.   cat > "${kubelet_kubeconfig_file}" << EOF
    38. 

  38. apiVersion: v1
    39. 

  39. kind: Config
    40. 

  40. clusters:
    41. 

  41. - cluster:
    42. 

  42.     insecure-skip-tls-verify: true
    43. 

  43.   name: local
    44. 

  44. contexts:
    45. 

  45. - context:
    46. 

  46.     cluster: local
    47. 

  47.     user: kubelet
    48. 

  48.   name: service-account-context
    49. 

  49. current-context: service-account-context
    50. 

  50. users:
    51. 

  51. - name: kubelet
    52. 

  52.   user:
    53. 

  53.     token: ${KUBELET_TOKEN}
    54. 

  54. EOF
    55. 

  55. )
    56. 

  56. 

  57. 

  58.   mkdir -p /srv/salt-overlay/salt/kube-proxy
    59. 

  59.   kube_proxy_kubeconfig_file="/srv/salt-overlay/salt/kube-proxy/kubeconfig"
    60. 

  60.   # Make a kubeconfig file with the token.
    61. 

  61.   # TODO(etune): put apiserver certs into secret too, and reference from authfile,
    62. 

  62.   # so that "Insecure" is not needed.
    63. 

  63.   (umask 077;
    64. 

  64.   cat > "${kube_proxy_kubeconfig_file}" << EOF
    65. 

  65. apiVersion: v1
    66. 

  66. kind: Config
    67. 

  67. clusters:
    68. 

  68. - cluster:
    69. 

  69.     insecure-skip-tls-verify: true
    70. 

  70.   name: local
    71. 

  71. contexts:
    72. 

  72. - context:
    73. 

  73.     cluster: local
    74. 

  74.     user: kube-proxy
    75. 

  75.   name: service-account-context
    76. 

  76. current-context: service-account-context
    77. 

  77. users:
    78. 

  78. - name: kube-proxy
    79. 

  79.   user:
    80. 

  80.     token: ${KUBE_PROXY_TOKEN}
    81. 

  81. EOF
    82. 

  82. )
    83. 

  83. 

  84.   # Generate tokens for other "service accounts".  Append to known_tokens.
    85. 

  85.   #
    86. 

  86.   # NB: If this list ever changes, this script actually has to
    87. 

  87.   # change to detect the existence of this file, kill any deleted
    88. 

  88.   # old tokens and add any new tokens (to handle the upgrade case).
    89. 

  89.   service_accounts=("system:scheduler" "system:controller_manager" "system:logging" "system:monitoring" "system:dns")
    90. 

  90.   for account in "${service_accounts[@]}"; do
    91. 

  91.     token=$(dd if=/dev/urandom bs=128 count=1 2>/dev/null | base64 | tr -d "=+/" | dd bs=32 count=1 2>/dev/null)
    92. 

  92.     echo "${token},${account},${account}" >> "${known_tokens_file}"
    93. 

  93.   done
    94. 

  94. fi
    95. 

  95. 

  96. readonly BASIC_AUTH_FILE="/srv/salt-overlay/salt/kube-apiserver/basic_auth.csv"
    97. 

  97. if [[ ! -e "${BASIC_AUTH_FILE}" ]]; then
    98. 

  98.   mkdir -p /srv/salt-overlay/salt/kube-apiserver
    99. 

  99.   (umask 077;
    100. 

  100.     echo "${KUBE_PASSWORD},${KUBE_USER},admin" > "${BASIC_AUTH_FILE}")
    101. 

  101. fi
    102. 

  102. 

  103. 

  104. # Create the overlay files for the salt tree.  We create these in a separate
    105. 

  105. # place so that we can blow away the rest of the salt configs on a kube-push and
    106. 

  106. # re-apply these.
    107. 

  107. 

  108. mkdir -p /srv/salt-overlay/pillar
    109. 

  109. cat <<EOF >/srv/salt-overlay/pillar/cluster-params.sls
    110. 

  110. instance_prefix: '$(echo "$INSTANCE_PREFIX" | sed -e "s/'/''/g")'
    111. 

  111. node_instance_prefix: $NODE_INSTANCE_PREFIX
    112. 

  112. service_cluster_ip_range: $SERVICE_CLUSTER_IP_RANGE
    113. 

  113. enable_cluster_monitoring: "${ENABLE_CLUSTER_MONITORING:-none}"
    114. 

  114. enable_cluster_logging: "${ENABLE_CLUSTER_LOGGING:false}"
    115. 

  115. enable_cluster_ui: "${ENABLE_CLUSTER_UI:true}"
    116. 

  116. enable_node_logging: "${ENABLE_NODE_LOGGING:false}"
    117. 

  117. logging_destination: $LOGGING_DESTINATION
    118. 

  118. elasticsearch_replicas: $ELASTICSEARCH_LOGGING_REPLICAS
    119. 

  119. enable_cluster_dns: "${ENABLE_CLUSTER_DNS:-false}"
    120. 

  120. dns_replicas: ${DNS_REPLICAS:-1}
    121. 

  121. dns_server: $DNS_SERVER_IP
    122. 

  122. dns_domain: $DNS_DOMAIN
    123. 

  123. federations_domain_map: ''
    124. 

  124. e2e_storage_test_environment: "${E2E_STORAGE_TEST_ENVIRONMENT:-false}"
    125. 

  125. cluster_cidr: "$NODE_IP_RANGES"
    126. 

  126. allocate_node_cidrs: "${ALLOCATE_NODE_CIDRS:-true}"
    127. 

  127. admission_control: NamespaceLifecycle,LimitRanger,SecurityContextDeny,ServiceAccount,DefaultStorageClass,ResourceQuota
    128. 

  128. EOF
    129.