/
create_kubecfg.go
206 lines (177 loc) · 5.93 KB
/
create_kubecfg.go
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
/*
Copyright 2019 The Kubernetes Authors.
Licensed under the Apache License, Version 2.0 (the "License");
you may not use this file except in compliance with the License.
You may obtain a copy of the License at
http://www.apache.org/licenses/LICENSE-2.0
Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License.
*/
package kubeconfig
import (
"crypto/x509/pkix"
"fmt"
"os/user"
"sort"
"time"
"k8s.io/klog/v2"
"k8s.io/kops/pkg/apis/kops"
"k8s.io/kops/pkg/apis/kops/util"
"k8s.io/kops/pkg/dns"
"k8s.io/kops/pkg/pki"
"k8s.io/kops/pkg/rbac"
"k8s.io/kops/upup/pkg/fi"
)
const DefaultKubecfgAdminLifetime = 18 * time.Hour
func BuildKubecfg(cluster *kops.Cluster, keyStore fi.Keystore, secretStore fi.SecretStore, status kops.StatusStore, admin time.Duration, configUser string, internal bool, kopsStateStore string, useKopsAuthenticationPlugin bool) (*KubeconfigBuilder, error) {
clusterName := cluster.ObjectMeta.Name
var master string
if internal {
master = cluster.Spec.MasterInternalName
if master == "" {
master = "api.internal." + clusterName
}
} else {
master = cluster.Spec.MasterPublicName
if master == "" {
master = "api." + clusterName
}
}
server := "https://" + master
// We use the LoadBalancer where we know the master DNS name is otherwise unreachable
useELBName := false
// If the master DNS is a gossip DNS name; there's no way that name can resolve outside the cluster
if dns.IsGossipHostname(master) {
useELBName = true
}
// If the DNS is set up as a private HostedZone, but here we have to be
// careful that we aren't accessing the API over DirectConnect (or a VPN).
// We differentiate using the heuristic that if we have an internal ELB
// we are likely connected directly to the VPC.
privateDNS := cluster.Spec.Topology != nil && cluster.Spec.Topology.DNS.Type == kops.DNSTypePrivate
internalELB := cluster.Spec.API != nil && cluster.Spec.API.LoadBalancer != nil && cluster.Spec.API.LoadBalancer.Type == kops.LoadBalancerTypeInternal
if privateDNS && !internalELB {
useELBName = true
}
if useELBName {
ingresses, err := status.GetApiIngressStatus(cluster)
if err != nil {
return nil, fmt.Errorf("error getting ingress status: %v", err)
}
var targets []string
for _, ingress := range ingresses {
if ingress.Hostname != "" {
targets = append(targets, ingress.Hostname)
}
if ingress.IP != "" {
targets = append(targets, ingress.IP)
}
}
sort.Strings(targets)
if len(targets) == 0 {
klog.Warningf("Did not find API endpoint for gossip hostname; may not be able to reach cluster")
} else {
if len(targets) != 1 {
klog.Warningf("Found multiple API endpoints (%v), choosing arbitrarily", targets)
}
server = "https://" + targets[0]
}
}
b := NewKubeconfigBuilder()
// Use the secondary load balancer port if a certificate is on the primary listener
if admin != 0 && cluster.Spec.API != nil && cluster.Spec.API.LoadBalancer != nil && cluster.Spec.API.LoadBalancer.SSLCertificate != "" && cluster.Spec.API.LoadBalancer.Class == kops.LoadBalancerClassNetwork {
server = server + ":8443"
}
b.Context = clusterName
b.Server = server
// add the CA Cert to the kubeconfig only if we didn't specify a certificate for the LB
// or if we're using admin credentials and the secondary port
if cluster.Spec.API == nil || cluster.Spec.API.LoadBalancer == nil || cluster.Spec.API.LoadBalancer.SSLCertificate == "" || cluster.Spec.API.LoadBalancer.Class == kops.LoadBalancerClassNetwork || internal {
cert, _, _, err := keyStore.FindKeypair(fi.CertificateIDCA)
if err != nil {
return nil, fmt.Errorf("error fetching CA keypair: %v", err)
}
if cert != nil {
b.CACert, err = cert.AsBytes()
if err != nil {
return nil, err
}
} else {
return nil, fmt.Errorf("cannot find CA certificate")
}
}
if admin != 0 {
cn := "kubecfg"
user, err := user.Current()
if err != nil || user == nil {
klog.Infof("unable to get user: %v", err)
} else {
cn += "-" + user.Name
}
req := pki.IssueCertRequest{
Signer: fi.CertificateIDCA,
Type: "client",
Subject: pkix.Name{
CommonName: cn,
Organization: []string{rbac.SystemPrivilegedGroup},
},
Validity: admin,
}
cert, privateKey, _, err := pki.IssueCert(&req, keyStore)
if err != nil {
return nil, err
}
b.ClientCert, err = cert.AsBytes()
if err != nil {
return nil, err
}
b.ClientKey, err = privateKey.AsBytes()
if err != nil {
return nil, err
}
}
if useKopsAuthenticationPlugin {
b.AuthenticationExec = []string{
"kops",
"helpers",
"kubectl-auth",
"--cluster=" + clusterName,
"--state=" + kopsStateStore,
}
}
b.Server = server
k8sVersion, err := util.ParseKubernetesVersion(cluster.Spec.KubernetesVersion)
if err != nil || k8sVersion == nil {
klog.Warningf("unable to parse KubernetesVersion %q", cluster.Spec.KubernetesVersion)
k8sVersion, _ = util.ParseKubernetesVersion("1.0.0")
}
basicAuthEnabled := false
if !util.IsKubernetesGTE("1.18", *k8sVersion) {
if cluster.Spec.KubeAPIServer == nil || cluster.Spec.KubeAPIServer.DisableBasicAuth == nil || !*cluster.Spec.KubeAPIServer.DisableBasicAuth {
basicAuthEnabled = true
}
} else if !util.IsKubernetesGTE("1.19", *k8sVersion) {
if cluster.Spec.KubeAPIServer != nil && cluster.Spec.KubeAPIServer.DisableBasicAuth != nil && !*cluster.Spec.KubeAPIServer.DisableBasicAuth {
basicAuthEnabled = true
}
}
if basicAuthEnabled && secretStore != nil {
secret, err := secretStore.FindSecret("kube")
if err != nil {
return nil, err
}
if secret != nil {
b.KubeUser = "admin"
b.KubePassword = string(secret.Data)
}
}
if configUser == "" {
b.User = cluster.ObjectMeta.Name
} else {
b.User = configUser
}
return b, nil
}