Ensure charm only accesses local API server (#176)

* Ensure charm only accesses local API server The new LB support in #153 unintentionally changed the endpoint that the charm client uses to talk to the API server making it use the internal LB address instead of always talking to the API server locally. This introduced an issue during bootstrap where the initial local-only token would try to be used on other API servers and fail. Fixes [lp:1941763](https://bugs.launchpad.net/charm-kubernetes-master/+bug/1941763) * Ensure all local charm kubectl usage uses the local url
charmed-kubernetes · Aug 26, 2021 · 82f8683 · 82f8683
1 parent 6e8890a
commit 82f8683
Show file tree

Hide file tree

Showing 3 changed files with 22 additions and 6 deletions.
diff --git a/lib/charms/layer/kubernetes_master.py b/lib/charms/layer/kubernetes_master.py
@@ -52,6 +52,15 @@ def get_endpoints_from_config():
         return []
 
 
+def get_local_api_endpoint():
+    """
+    Return the local address & port for self-access.
+
+    Returns a list with a single tuple to match the other functions below.
+    """
+    return [("127.0.0.1", STANDARD_API_PORT)]
+
+
 def get_internal_api_endpoints(relation=None):
     """
     Determine the best API endpoints for an internal client to connect to.

diff --git a/reactive/kubernetes_master.py b/reactive/kubernetes_master.py
@@ -1439,13 +1439,16 @@ def send_data():
     old_ingress_ip = get_ingress_address("kube-api-endpoint")
     new_ingress_ip = get_ingress_address("kube-control")
 
+    local_endpoint = kubernetes_master.get_local_api_endpoint()[0][0]
+
     domain = hookenv.config("dns_domain")
     # Create SANs that the tls layer will add to the server cert.
     sans = (
         [
             # The CN field is checked as a hostname, so if it's an IP, it
             # won't match unless also included in the SANs as an IP field.
             common_name,
+            local_endpoint,
             old_ingress_ip,
             new_ingress_ip,
             socket.gethostname(),
@@ -2043,11 +2046,13 @@ def shutdown():
 def build_kubeconfig():
     """Gather the relevant data for Kubernetes configuration objects and create
     a config object with that information."""
+    local_endpoint = kubernetes_master.get_local_api_endpoint()
     internal_endpoints = kubernetes_master.get_internal_api_endpoints()
     external_endpoints = kubernetes_master.get_external_api_endpoints()
 
     # Do we have everything we need?
     if ca_crt_path.exists() and internal_endpoints and external_endpoints:
+        local_url = kubernetes_master.get_api_url(local_endpoint)
         internal_url = kubernetes_master.get_api_url(internal_endpoints)
         external_url = kubernetes_master.get_api_url(external_endpoints)
         client_pass = get_token("admin")
@@ -2114,10 +2119,10 @@ def build_kubeconfig():
         cmd = ["chown", "ubuntu:ubuntu", kubeconfig_path]
         check_call(cmd)
 
-        # make a kubeconfig for root (same location on k8s-masters and workers)
+        # make a kubeconfig for root / the charm
         create_kubeconfig(
             kubeclientconfig_path,
-            internal_url,
+            local_url,
             ca_crt_path,
             user="admin",
             token=client_pass,
@@ -2137,7 +2142,7 @@ def build_kubeconfig():
         # make a kubeconfig for cdk-addons
         create_kubeconfig(
             cdk_addons_kubectl_config_path,
-            internal_url,
+            local_url,
             ca_crt_path,
             user="admin",
             token=client_pass,
@@ -2148,7 +2153,7 @@ def build_kubeconfig():
         if proxy_token:
             create_kubeconfig(
                 kubeproxyconfig_path,
-                internal_url,
+                local_url,
                 ca_crt_path,
                 token=proxy_token,
                 user="kube-proxy",
@@ -2157,7 +2162,7 @@ def build_kubeconfig():
         if controller_manager_token:
             create_kubeconfig(
                 kubecontrollermanagerconfig_path,
-                internal_url,
+                local_url,
                 ca_crt_path,
                 token=controller_manager_token,
                 user="kube-controller-manager",
@@ -2166,7 +2171,7 @@ def build_kubeconfig():
         if scheduler_token:
             create_kubeconfig(
                 kubeschedulerconfig_path,
-                internal_url,
+                local_url,
                 ca_crt_path,
                 token=scheduler_token,
                 user="kube-scheduler",

diff --git a/tox.ini b/tox.ini
@@ -1,5 +1,7 @@
 [flake8]
 max-line-length = 88
+ignore =
+    W503 # line break before binary operator
 
 [tox]
 skipsdist = True