Add flag to disable Basic Auth.

kubernetes · Oct 17, 2018 · 4b27e6c · 4b27e6c
1 parent a95f3b9
commit 4b27e6c
Show file tree

Hide file tree

Showing 7 changed files with 24 additions and 1 deletion.
diff --git a/docs/cluster_spec.md b/docs/cluster_spec.md
@@ -264,6 +264,16 @@ spec:
     serviceNodePortRange: 30000-33000
 ```
 
+#### Disable Basic Auth
+
+This will disable the passing of the `--basic-auth-file` flag.
+
+```yaml
+spec:
+  kubeAPIServer:
+    disableBasicAuth: true
+```
+
 #### targetRamMb
 
 Memory limit for apiserver in MB (used to configure sizes of caches, etc.)

diff --git a/nodeup/pkg/model/kube_apiserver.go b/nodeup/pkg/model/kube_apiserver.go
@@ -283,9 +283,12 @@ func (b *KubeAPIServerBuilder) buildPod() (*v1.Pod, error) {
 	kubeAPIServer.ClientCAFile = filepath.Join(b.PathSrvKubernetes(), "ca.crt")
 	kubeAPIServer.TLSCertFile = filepath.Join(b.PathSrvKubernetes(), "server.cert")
 	kubeAPIServer.TLSPrivateKeyFile = filepath.Join(b.PathSrvKubernetes(), "server.key")
-	kubeAPIServer.BasicAuthFile = filepath.Join(b.PathSrvKubernetes(), "basic_auth.csv")
 	kubeAPIServer.TokenAuthFile = filepath.Join(b.PathSrvKubernetes(), "known_tokens.csv")
 
+	if !kubeAPIServer.DisableBasicAuth {
+		kubeAPIServer.BasicAuthFile = filepath.Join(b.PathSrvKubernetes(), "basic_auth.csv")
+	}
+
 	if b.UseEtcdTLS() {
 		kubeAPIServer.EtcdCAFile = filepath.Join(b.PathSrvKubernetes(), "ca.crt")
 		kubeAPIServer.EtcdCertFile = filepath.Join(b.PathSrvKubernetes(), "etcd-client.pem")

diff --git a/pkg/apis/kops/componentconfig.go b/pkg/apis/kops/componentconfig.go
@@ -224,6 +224,8 @@ type KubeProxyConfig struct {
 type KubeAPIServerConfig struct {
 	// Image is the docker container used
 	Image string `json:"image,omitempty"`
+	// DisableBasicAuth removes the --basic-auth-file flag
+	DisableBasicAuth bool `json:"disableBasicAuth,omitempty"`
 	// LogLevel is the logging level of the api
 	LogLevel int32 `json:"logLevel,omitempty" flag:"v" flag-empty:"0"`
 	// CloudProvider is the name of the cloudProvider we are using, aws, gce etcd

diff --git a/pkg/apis/kops/v1alpha1/componentconfig.go b/pkg/apis/kops/v1alpha1/componentconfig.go
@@ -224,6 +224,8 @@ type KubeProxyConfig struct {
 type KubeAPIServerConfig struct {
 	// Image is the docker container used
 	Image string `json:"image,omitempty"`
+	// DisableBasicAuth removes the --basic-auth-file flag
+	DisableBasicAuth bool `json:"disableBasicAuth,omitempty"`
 	// LogLevel is the logging level of the api
 	LogLevel int32 `json:"logLevel,omitempty" flag:"v" flag-empty:"0"`
 	// CloudProvider is the name of the cloudProvider we are using, aws, gce etcd

diff --git a/pkg/apis/kops/v1alpha1/zz_generated.conversion.go b/pkg/apis/kops/v1alpha1/zz_generated.conversion.go
diff --git a/pkg/apis/kops/v1alpha2/componentconfig.go b/pkg/apis/kops/v1alpha2/componentconfig.go
@@ -224,6 +224,8 @@ type KubeProxyConfig struct {
 type KubeAPIServerConfig struct {
 	// Image is the docker container used
 	Image string `json:"image,omitempty"`
+	// DisableBasicAuth removes the --basic-auth-file flag
+	DisableBasicAuth bool `json:"disableBasicAuth,omitempty"`
 	// LogLevel is the logging level of the api
 	LogLevel int32 `json:"logLevel,omitempty" flag:"v" flag-empty:"0"`
 	// CloudProvider is the name of the cloudProvider we are using, aws, gce etcd

diff --git a/pkg/apis/kops/v1alpha2/zz_generated.conversion.go b/pkg/apis/kops/v1alpha2/zz_generated.conversion.go