🔧 eliminate plain text creds from additional template files & fix e2e…

… regression
kubernetes-sigs · Jul 1, 2020 · e6d1a76 · e6d1a76
1 parent 435f4fa
commit e6d1a76
Show file tree

Hide file tree

Showing 12 changed files with 104 additions and 258 deletions.
diff --git a/hack/create-dev-cluster.sh b/hack/create-dev-cluster.sh
@@ -56,7 +56,7 @@ if ! [ -n "$SSH_KEY_FILE" ]; then
 fi
 export AZURE_SSH_PUBLIC_KEY=$(cat "${SSH_KEY_FILE}.pub" | base64 | tr -d '\n')
 
-export AZURE_STANDARD_JSON_B64=$(echo '{
+export AZURE_STANDARD_JSON_B64=${AZURE_STANDARD_JSON_B64:-$(echo '{
       "cloud": "${AZURE_ENVIRONMENT}",
       "tenantId": "${AZURE_TENANT_ID}",
       "subscriptionId": "${AZURE_SUBSCRIPTION_ID}",
@@ -74,9 +74,9 @@ export AZURE_STANDARD_JSON_B64=$(echo '{
       "maximumLoadBalancerRuleCount": 250,
       "useManagedIdentityExtension": false,
       "useInstanceMetadata": true
-}' | envsubst |  base64 | tr -d '\n')
+}' | envsubst |  base64 | tr -d '\n')}
 
-export AZURE_VMSS_JSON_B64=$(echo "$AZURE_STANDARD_JSON_B64" | base64 -d | jq '.vmType = "vmss"' | base64 | tr -d '\n')
+export AZURE_VMSS_JSON_B64=${AZURE_VMSS_JSON_B64:-$(echo "$AZURE_STANDARD_JSON_B64" | base64 -d | jq '.vmType = "vmss"' | base64 | tr -d '\n')}
 
 echo "================ DOCKER BUILD ==============="
 PULL_POLICY=IfNotPresent make modules docker-build

diff --git a/hack/log/redact.sh b/hack/log/redact.sh
@@ -28,11 +28,7 @@ echo "================ REDACTING LOGS ================"
 
 log_files=( $(find "${ARTIFACTS:-${PWD}/_artifacts}" -type f) )
 redact_vars=(
-    "${AZURE_CLIENT_ID}"
-    "${AZURE_CLIENT_SECRET}"
-    "${AZURE_SUBSCRIPTION_ID}"
-    "${AZURE_TENANT_ID}"
-    "${AZURE_STANDARD_JSON_B64:-}"
+        "${AZURE_STANDARD_JSON_B64:-}"
     "${AZURE_VMSS_JSON_B64:-}"
     "$(echo -n "$AZURE_SUBSCRIPTION_ID" | base64 | tr -d '\n')"
     "$(echo -n "$AZURE_TENANT_ID" | base64 | tr -d '\n')"

diff --git a/hack/parse-prow-creds.sh b/hack/parse-prow-creds.sh
@@ -28,4 +28,25 @@ if [[ -n "${AZURE_CREDENTIALS:-}" ]]; then
     export AZURE_TENANT_ID="$(cat ${AZURE_CREDENTIALS} | parse_cred TenantID)"
     export AZURE_CLIENT_ID="$(cat ${AZURE_CREDENTIALS} | parse_cred ClientID)"
     export AZURE_CLIENT_SECRET="$(cat ${AZURE_CREDENTIALS} | parse_cred ClientSecret)"
+    export AZURE_STANDARD_JSON_B64=$(echo '{
+    "cloud": "${AZURE_ENVIRONMENT}",
+    "tenantId": "${AZURE_TENANT_ID}",
+    "subscriptionId": "${AZURE_SUBSCRIPTION_ID}",
+    "aadClientId": "${AZURE_CLIENT_ID}",
+    "aadClientSecret": "${AZURE_CLIENT_SECRET}",
+    "resourceGroup": "${CLUSTER_NAME}",
+    "securityGroupName": "${CLUSTER_NAME}-node-nsg",
+    "location": "${AZURE_LOCATION}",
+    "vmType": "standard",
+    "vnetName": "${CLUSTER_NAME}-vnet",
+    "vnetResourceGroup": "${CLUSTER_NAME}",
+    "subnetName": "${CLUSTER_NAME}-node-subnet",
+    "routeTableName": "${CLUSTER_NAME}-node-routetable",
+    "loadBalancerSku": "standard",
+    "maximumLoadBalancerRuleCount": 250,
+    "useManagedIdentityExtension": false,
+    "useInstanceMetadata": true
+}' | envsubst |  base64 | tr -d '\n')
+
+    export AZURE_VMSS_JSON_B64=$(echo "$AZURE_STANDARD_JSON_B64" | base64 -d | jq '.vmType = "vmss"' | base64 | tr -d '\n')
 fi
diff --git a/templates/cluster-template-external-cloud-provider.yaml b/templates/cluster-template-external-cloud-provider.yaml
@@ -64,27 +64,10 @@ spec:
           name: cloud-config
           readOnly: true
     files:
-    - content: |
-        {
-          "cloud": "${AZURE_ENVIRONMENT}",
-          "tenantId": "${AZURE_TENANT_ID}",
-          "subscriptionId": "${AZURE_SUBSCRIPTION_ID}",
-          "aadClientId": "${AZURE_CLIENT_ID}",
-          "aadClientSecret": "${AZURE_CLIENT_SECRET}",
-          "resourceGroup": "${AZURE_RESOURCE_GROUP}",
-          "securityGroupName": "${CLUSTER_NAME}-node-nsg",
-          "location": "${AZURE_LOCATION}",
-          "vmType": "vmss",
-          "vnetName": "${CLUSTER_NAME}-vnet",
-          "vnetResourceGroup": "${AZURE_RESOURCE_GROUP}",
-          "subnetName": "${CLUSTER_NAME}-node-subnet",
-          "routeTableName": "${CLUSTER_NAME}-node-routetable",
-          "userAssignedID": "${CLUSTER_NAME}",
-          "loadBalancerSku": "standard",
-          "maximumLoadBalancerRuleCount": 250,
-          "useManagedIdentityExtension": false,
-          "useInstanceMetadata": true
-        }
+    - contentFrom:
+        secret:
+          key: vmss
+          name: azure-secret
       owner: root:root
       path: /etc/kubernetes/azure.json
       permissions: "0644"
@@ -180,26 +163,10 @@ spec:
   template:
     spec:
       files:
-      - content: |
-          {
-            "cloud": "${AZURE_ENVIRONMENT}",
-            "tenantId": "${AZURE_TENANT_ID}",
-            "subscriptionId": "${AZURE_SUBSCRIPTION_ID}",
-            "aadClientId": "${AZURE_CLIENT_ID}",
-            "aadClientSecret": "${AZURE_CLIENT_SECRET}",
-            "resourceGroup": "${AZURE_RESOURCE_GROUP}",
-            "securityGroupName": "${CLUSTER_NAME}-node-nsg",
-            "location": "${AZURE_LOCATION}",
-            "vmType": "vmss",
-            "vnetName": "${CLUSTER_NAME}-vnet",
-            "vnetResourceGroup": "${AZURE_RESOURCE_GROUP}",
-            "subnetName": "${CLUSTER_NAME}-node-subnet",
-            "routeTableName": "${CLUSTER_NAME}-node-routetable",
-            "loadBalancerSku": "standard",
-            "maximumLoadBalancerRuleCount": 250,
-            "useManagedIdentityExtension": false,
-            "useInstanceMetadata": true
-          }
+      - contentFrom:
+          secret:
+            key: vmss
+            name: azure-secret
         owner: root:root
         path: /etc/kubernetes/azure.json
         permissions: "0644"

diff --git a/templates/flavors/external-cloud-provider/patches/external-cloud-provider.yaml b/templates/flavors/external-cloud-provider/patches/external-cloud-provider.yaml
@@ -29,27 +29,10 @@ spec:
       - path: /etc/kubernetes/azure.json
         owner: "root:root"
         permissions: "0644"
-        content: |
-          {
-            "cloud": "${AZURE_ENVIRONMENT}",
-            "tenantId": "${AZURE_TENANT_ID}",
-            "subscriptionId": "${AZURE_SUBSCRIPTION_ID}",
-            "aadClientId": "${AZURE_CLIENT_ID}",
-            "aadClientSecret": "${AZURE_CLIENT_SECRET}",
-            "resourceGroup": "${AZURE_RESOURCE_GROUP}",
-            "securityGroupName": "${CLUSTER_NAME}-node-nsg",
-            "location": "${AZURE_LOCATION}",
-            "vmType": "vmss",
-            "vnetName": "${CLUSTER_NAME}-vnet",
-            "vnetResourceGroup": "${AZURE_RESOURCE_GROUP}",
-            "subnetName": "${CLUSTER_NAME}-node-subnet",
-            "routeTableName": "${CLUSTER_NAME}-node-routetable",
-            "userAssignedID": "${CLUSTER_NAME}",
-            "loadBalancerSku": "standard",
-            "maximumLoadBalancerRuleCount": 250,
-            "useManagedIdentityExtension": false,
-            "useInstanceMetadata": true
-          }
+        contentFrom:
+          secret:
+            name: azure-secret
+            key: vmss
   version: "${KUBERNETES_VERSION}"
 ---
 apiVersion: bootstrap.cluster.x-k8s.io/v1alpha3
@@ -67,23 +50,7 @@ spec:
         - path: /etc/kubernetes/azure.json
           owner: "root:root"
           permissions: "0644"
-          content: |
-            {
-              "cloud": "${AZURE_ENVIRONMENT}",
-              "tenantId": "${AZURE_TENANT_ID}",
-              "subscriptionId": "${AZURE_SUBSCRIPTION_ID}",
-              "aadClientId": "${AZURE_CLIENT_ID}",
-              "aadClientSecret": "${AZURE_CLIENT_SECRET}",
-              "resourceGroup": "${AZURE_RESOURCE_GROUP}",
-              "securityGroupName": "${CLUSTER_NAME}-node-nsg",
-              "location": "${AZURE_LOCATION}",
-              "vmType": "vmss",
-              "vnetName": "${CLUSTER_NAME}-vnet",
-              "vnetResourceGroup": "${AZURE_RESOURCE_GROUP}",
-              "subnetName": "${CLUSTER_NAME}-node-subnet",
-              "routeTableName": "${CLUSTER_NAME}-node-routetable",
-              "loadBalancerSku": "standard",
-              "maximumLoadBalancerRuleCount": 250,
-              "useManagedIdentityExtension": false,
-              "useInstanceMetadata": true
-            }
+          contentFrom:
+            secret:
+              name: azure-secret
+              key: vmss
diff --git a/templates/test/cluster-template-prow-ci-version.yaml b/templates/test/cluster-template-prow-ci-version.yaml
@@ -142,27 +142,10 @@ spec:
       owner: root:root
       path: /tmp/kubeadm-bootstrap.sh
       permissions: "0744"
-    - content: |
-        {
-          "cloud": "AzurePublicCloud",
-          "tenantId": "${AZURE_TENANT_ID}",
-          "subscriptionId": "${AZURE_SUBSCRIPTION_ID}",
-          "aadClientId": "${AZURE_CLIENT_ID}",
-          "aadClientSecret": "${AZURE_CLIENT_SECRET}",
-          "resourceGroup": "${AZURE_RESOURCE_GROUP}",
-          "securityGroupName": "${CLUSTER_NAME}-node-nsg",
-          "location": "${AZURE_LOCATION}",
-          "vmType": "vmss",
-          "vnetName": "${CLUSTER_NAME}-vnet",
-          "vnetResourceGroup": "${CLUSTER_NAME}",
-          "subnetName": "${CLUSTER_NAME}-node-subnet",
-          "routeTableName": "${CLUSTER_NAME}-node-routetable",
-          "userAssignedID": "${CLUSTER_NAME}",
-          "loadBalancerSku": "standard",
-          "maximumLoadBalancerRuleCount": 250,
-          "useManagedIdentityExtension": false,
-          "useInstanceMetadata": true
-        }
+    - contentFrom:
+        secret:
+          key: vmss
+          name: azure-secret
       owner: root:root
       path: /etc/kubernetes/azure.json
       permissions: "0644"
@@ -346,26 +329,10 @@ spec:
         owner: root:root
         path: /tmp/kubeadm-bootstrap.sh
         permissions: "0744"
-      - content: |
-          {
-            "cloud": "AzurePublicCloud",
-            "tenantId": "${AZURE_TENANT_ID}",
-            "subscriptionId": "${AZURE_SUBSCRIPTION_ID}",
-            "aadClientId": "${AZURE_CLIENT_ID}",
-            "aadClientSecret": "${AZURE_CLIENT_SECRET}",
-            "resourceGroup": "${CLUSTER_NAME}",
-            "securityGroupName": "${CLUSTER_NAME}-node-nsg",
-            "location": "${AZURE_LOCATION}",
-            "vmType": "vmss",
-            "vnetName": "${CLUSTER_NAME}-vnet",
-            "vnetResourceGroup": "${CLUSTER_NAME}",
-            "subnetName": "${CLUSTER_NAME}-node-subnet",
-            "routeTableName": "${CLUSTER_NAME}-node-routetable",
-            "loadBalancerSku": "standard",
-            "maximumLoadBalancerRuleCount": 250,
-            "useManagedIdentityExtension": false,
-            "useInstanceMetadata": true
-          }
+      - contentFrom:
+          secret:
+            key: vmss
+            name: azure-secret
         owner: root:root
         path: /etc/kubernetes/azure.json
         permissions: "0644"

diff --git a/templates/test/cluster-template-prow-machine-pool-ci-version.yaml b/templates/test/cluster-template-prow-machine-pool-ci-version.yaml
@@ -142,27 +142,10 @@ spec:
       owner: root:root
       path: /tmp/kubeadm-bootstrap.sh
       permissions: "0744"
-    - content: |
-        {
-          "cloud": "AzurePublicCloud",
-          "tenantId": "${AZURE_TENANT_ID}",
-          "subscriptionId": "${AZURE_SUBSCRIPTION_ID}",
-          "aadClientId": "${AZURE_CLIENT_ID}",
-          "aadClientSecret": "${AZURE_CLIENT_SECRET}",
-          "resourceGroup": "${AZURE_RESOURCE_GROUP}",
-          "securityGroupName": "${CLUSTER_NAME}-node-nsg",
-          "location": "${AZURE_LOCATION}",
-          "vmType": "vmss",
-          "vnetName": "${CLUSTER_NAME}-vnet",
-          "vnetResourceGroup": "${CLUSTER_NAME}",
-          "subnetName": "${CLUSTER_NAME}-node-subnet",
-          "routeTableName": "${CLUSTER_NAME}-node-routetable",
-          "userAssignedID": "${CLUSTER_NAME}",
-          "loadBalancerSku": "standard",
-          "maximumLoadBalancerRuleCount": 250,
-          "useManagedIdentityExtension": false,
-          "useInstanceMetadata": true
-        }
+    - contentFrom:
+        secret:
+          key: vmss
+          name: azure-secret
       owner: root:root
       path: /etc/kubernetes/azure.json
       permissions: "0644"
@@ -341,26 +324,10 @@ spec:
     owner: root:root
     path: /tmp/kubeadm-bootstrap.sh
     permissions: "0744"
-  - content: |
-      {
-        "cloud": "AzurePublicCloud",
-        "tenantId": "${AZURE_TENANT_ID}",
-        "subscriptionId": "${AZURE_SUBSCRIPTION_ID}",
-        "aadClientId": "${AZURE_CLIENT_ID}",
-        "aadClientSecret": "${AZURE_CLIENT_SECRET}",
-        "resourceGroup": "${CLUSTER_NAME}",
-        "securityGroupName": "${CLUSTER_NAME}-node-nsg",
-        "location": "${AZURE_LOCATION}",
-        "vmType": "vmss",
-        "vnetName": "${CLUSTER_NAME}-vnet",
-        "vnetResourceGroup": "${CLUSTER_NAME}",
-        "subnetName": "${CLUSTER_NAME}-node-subnet",
-        "routeTableName": "${CLUSTER_NAME}-node-routetable",
-        "loadBalancerSku": "standard",
-        "maximumLoadBalancerRuleCount": 250,
-        "useManagedIdentityExtension": false,
-        "useInstanceMetadata": true
-      }
+  - contentFrom:
+      secret:
+        key: vmss
+        name: azure-secret
     owner: root:root
     path: /etc/kubernetes/azure.json
     permissions: "0644"

diff --git a/templates/test/prow-ci-version/patches/machine-deployment-ci-version.yaml b/templates/test/prow-ci-version/patches/machine-deployment-ci-version.yaml
@@ -87,27 +87,10 @@ spec:
     - path: /etc/kubernetes/azure.json
       owner: "root:root"
       permissions: "0644"
-      content: |
-        {
-          "cloud": "AzurePublicCloud",
-          "tenantId": "${AZURE_TENANT_ID}",
-          "subscriptionId": "${AZURE_SUBSCRIPTION_ID}",
-          "aadClientId": "${AZURE_CLIENT_ID}",
-          "aadClientSecret": "${AZURE_CLIENT_SECRET}",
-          "resourceGroup": "${AZURE_RESOURCE_GROUP}",
-          "securityGroupName": "${CLUSTER_NAME}-node-nsg",
-          "location": "${AZURE_LOCATION}",
-          "vmType": "vmss",
-          "vnetName": "${CLUSTER_NAME}-vnet",
-          "vnetResourceGroup": "${CLUSTER_NAME}",
-          "subnetName": "${CLUSTER_NAME}-node-subnet",
-          "routeTableName": "${CLUSTER_NAME}-node-routetable",
-          "userAssignedID": "${CLUSTER_NAME}",
-          "loadBalancerSku": "standard",
-          "maximumLoadBalancerRuleCount": 250,
-          "useManagedIdentityExtension": false,
-          "useInstanceMetadata": true
-        }
+      contentFrom:
+        secret:
+          key: vmss
+          name: azure-secret
 ---
 apiVersion: bootstrap.cluster.x-k8s.io/v1alpha3
 kind: KubeadmConfigTemplate
@@ -196,26 +179,10 @@ spec:
         - path: /etc/kubernetes/azure.json
           owner: "root:root"
           permissions: "0644"
-          content: |
-            {
-              "cloud": "AzurePublicCloud",
-              "tenantId": "${AZURE_TENANT_ID}",
-              "subscriptionId": "${AZURE_SUBSCRIPTION_ID}",
-              "aadClientId": "${AZURE_CLIENT_ID}",
-              "aadClientSecret": "${AZURE_CLIENT_SECRET}",
-              "resourceGroup": "${CLUSTER_NAME}",
-              "securityGroupName": "${CLUSTER_NAME}-node-nsg",
-              "location": "${AZURE_LOCATION}",
-              "vmType": "vmss",
-              "vnetName": "${CLUSTER_NAME}-vnet",
-              "vnetResourceGroup": "${CLUSTER_NAME}",
-              "subnetName": "${CLUSTER_NAME}-node-subnet",
-              "routeTableName": "${CLUSTER_NAME}-node-routetable",
-              "loadBalancerSku": "standard",
-              "maximumLoadBalancerRuleCount": 250,
-              "useManagedIdentityExtension": false,
-              "useInstanceMetadata": true
-            }
+          contentFrom:
+            secret:
+              key: vmss
+              name: azure-secret
 ---
 apiVersion: infrastructure.cluster.x-k8s.io/v1alpha3
 kind: AzureMachineTemplate