Automated cherry pick of #13068

cluster/aws/util.sh

@@ -540,24 +540,6 @@ function upload-server-tars() {
   SALT_TAR_URL="${s3_url_base}/${AWS_S3_BUCKET}/${salt_tar_path}"
 }
 
-
-# Ensure that we have a password created for validating to the master.  Will
-# read from kubeconfig for the current context if available.
-#
-# Assumed vars
-#   KUBE_ROOT
-#
-# Vars set:
-#   KUBE_USER
-#   KUBE_PASSWORD
-function get-password {
-  get-kubeconfig-basicauth
-  if [[ -z "${KUBE_USER}" || -z "${KUBE_PASSWORD}" ]]; then
-    KUBE_USER=admin
-    KUBE_PASSWORD=$(python -c 'import string,random; print "".join(random.SystemRandom().choice(string.ascii_letters + string.digits) for _ in range(16))')
-  fi
-}
-
 # Adds a tag to an AWS resource
 # usage: add-tag <resource-id> <tag-name> <tag-value>
 function add-tag {
@@ -677,7 +659,7 @@ function kube-up {
 
   ensure-iam-profiles
 
-  get-password
+  gen-kube-basicauth
 
   if [[ ! -f "$AWS_SSH_KEY" ]]; then
     ssh-keygen -f "$AWS_SSH_KEY" -N ''
@@ -1077,6 +1059,8 @@ function kube-up {
       done
   done
 
+  # ensures KUBECONFIG is set
+  get-kubeconfig-basicauth
   echo
   echo -e "${color_green}Kubernetes cluster is running.  The master is running at:"
   echo
@@ -1236,7 +1220,7 @@ function kube-push {
     echo "sudo salt --force-color '*' state.highstate"
   ) | ssh -oStrictHostKeyChecking=no -i "${AWS_SSH_KEY}" ${SSH_USER}@${KUBE_MASTER_IP} sudo bash
 
-  get-password
+  get-kubeconfig-basicauth
 
   echo
   echo "Kubernetes cluster is running.  The master is running at:"

cluster/azure/util.sh

@@ -242,20 +242,6 @@ function detect-master () {
     echo "Using master: $KUBE_MASTER (external IP: $KUBE_MASTER_IP)"
 }
 
-# Ensure that we have a password created for validating to the master.  Will
-# read from kubeconfig current-context if available.
-#
-# Vars set:
-#   KUBE_USER
-#   KUBE_PASSWORD
-function get-password {
-  get-kubeconfig-basicauth
-  if [[ -z "${KUBE_USER}" || -z "${KUBE_PASSWORD}" ]]; then
-    KUBE_USER=admin
-    KUBE_PASSWORD=$(python -c 'import string,random; print "".join(random.SystemRandom().choice(string.ascii_letters + string.digits) for _ in range(16))')
-  fi
-}
-
 # Instantiate a kubernetes cluster
 #
 # Assumed vars
@@ -268,7 +254,7 @@ function kube-up {
 
     ensure-temp-dir
 
-    get-password
+    gen-kube-basicauth
     python "${KUBE_ROOT}/third_party/htpasswd/htpasswd.py" \
         -b -c "${KUBE_TEMP}/htpasswd" "$KUBE_USER" "$KUBE_PASSWORD"
     local htpasswd
@@ -442,6 +428,8 @@ function kube-up {
         done
     done
 
+    # ensures KUBECONFIG is set
+    get-kubeconfig-basicauth
     echo
     echo "Kubernetes cluster is running.  The master is running at:"
     echo
@@ -486,7 +474,7 @@ function kube-down {
 #    echo "sudo salt --force-color '*' state.highstate"
 #   ) | gcutil ssh --project "$PROJECT" --zone "$ZONE" "$KUBE_MASTER" sudo bash
 
-#  get-password
+#  get-kubeconfig-basicauth
 
 #  echo
 #  echo "Kubernetes cluster is running.  The master is running at:"

cluster/common.sh

@@ -146,6 +146,16 @@ function get-kubeconfig-basicauth() {
   fi
 }
 
+# Generate basic auth user and password.
+
+# Vars set:
+#   KUBE_USER
+#   KUBE_PASSWORD
+function gen-kube-basicauth() {
+    KUBE_USER=admin
+    KUBE_PASSWORD=$(python -c 'import string,random; print "".join(random.SystemRandom().choice(string.ascii_letters + string.digits) for _ in range(16))')
+}
+
 # Get the bearer token for the current-context in kubeconfig if one exists.
 # Assumed vars:
 #   KUBECONFIG  # if unset, defaults to global
@@ -171,8 +181,42 @@ function get-kubeconfig-bearertoken() {
   fi
 }
 
+# Generate bearer token.
+#
+# Vars set:
+#   KUBE_BEARER_TOKEN
+function gen-kube-bearertoken() {
+    KUBE_BEARER_TOKEN=$(dd if=/dev/urandom bs=128 count=1 2>/dev/null | base64 | tr -d "=+/" | dd bs=32 count=1 2>/dev/null)
+}
+
+# Get the master IP for the current-context in kubeconfig if one exists.
+#
+# Assumed vars:
+#   KUBECONFIG  # if unset, defaults to global
+#
+# Vars set:
+#   KUBE_MASTER_URL
+#
+# KUBE_MASTER_URL will be empty if no current-context is set, or the
+# current-context user does not exist or contain a server entry.
+function detect-master-from-kubeconfig() {
+  export KUBECONFIG=${KUBECONFIG:-$DEFAULT_KUBECONFIG}
+  # Template to safely extract the server for the current-context cluster.
+  # The long chain of 'with' commands avoids indexing nil if any of the
+  # entries ("current-context", "contexts"."current-context", "users", etc)
+  # is missing.
+  # Note: we save dot ('.') to $root because the 'with' action overrides it.
+  # See http://golang.org/pkg/text/template/.
+  local server_tpl='{{$dot := .}}{{with $ctx := index $dot "current-context"}}{{range $element := (index $dot "contexts")}}{{ if eq .name $ctx }}{{ with $cluster := .context.cluster }}{{range $element := (index $dot "clusters")}}{{ if eq .name $cluster }}{{ index . "cluster" "server" }}{{end}}{{end}}{{end}}{{end}}{{end}}{{end}}'
+  KUBE_MASTER_URL=$("${KUBE_ROOT}/cluster/kubectl.sh" config view -o template --template="${server_tpl}")
+  # Handle empty/missing server
+  if [[ "${KUBE_MASTER_URL}" == '<no value>' ]]; then
+    KUBE_MASTER_URL=''
+  fi
+}
+
 # Sets KUBE_VERSION variable to the version passed in as an argument, or if argument is
-# latest_stable, latest_release, or latest_ci fetches and sets the correponding version number
+# latest_stable, latest_release, or latest_ci fetches and sets the corresponding version number
 #
 # Args:
 #   $1 version string from command line

cluster/gce/util.sh

@@ -304,38 +304,6 @@ function detect-master () {
   echo "Using master: $KUBE_MASTER (external IP: $KUBE_MASTER_IP)"
 }
 
-# Ensure that we have a password created for validating to the master.  Will
-# read from kubeconfig for the current context if available.
-#
-# Assumed vars
-#   KUBE_ROOT
-#
-# Vars set:
-#   KUBE_USER
-#   KUBE_PASSWORD
-function get-password {
-  get-kubeconfig-basicauth
-  if [[ -z "${KUBE_USER}" || -z "${KUBE_PASSWORD}" ]]; then
-    KUBE_USER=admin
-    KUBE_PASSWORD=$(python -c 'import string,random; print "".join(random.SystemRandom().choice(string.ascii_letters + string.digits) for _ in range(16))')
-  fi
-}
-
-# Ensure that we have a bearer token created for validating to the master.
-# Will read from kubeconfig for the current context if available.
-#
-# Assumed vars
-#   KUBE_ROOT
-#
-# Vars set:
-#   KUBE_BEARER_TOKEN
-function get-bearer-token() {
-  get-kubeconfig-bearertoken
-  if [[ -z "${KUBE_BEARER_TOKEN:-}" ]]; then
-    KUBE_BEARER_TOKEN=$(dd if=/dev/urandom bs=128 count=1 2>/dev/null | base64 | tr -d "=+/" | dd bs=32 count=1 2>/dev/null)
-  fi
-}
-
 # Wait for background jobs to finish. Exit with
 # an error status if any of the jobs failed.
 function wait-for-jobs {
@@ -572,8 +540,8 @@ function kube-up {
   ensure-temp-dir
   detect-project
 
-  get-password
-  get-bearer-token
+  gen-kube-basicauth
+  gen-kube-bearertoken
 
   # Make sure we have the tar files staged on Google Storage
   find-release-tars
@@ -732,6 +700,8 @@ function kube-up {
    create-kubeconfig
   )
 
+  # ensures KUBECONFIG is set
+  get-kubeconfig-basicauth
   echo
   echo -e "${color_green}Kubernetes cluster is running.  The master is running at:"
   echo
@@ -984,8 +954,8 @@ function prepare-push() {
   detect-project
   detect-master
   detect-minion-names
-  get-password
-  get-bearer-token
+  get-kubeconfig-basicauth
+  get-kubeconfig-bearertoken
 
   # Make sure we have the tar files staged on Google Storage
   tars_from_version

cluster/gke/util.sh

@@ -189,26 +189,8 @@ function test-setup() {
     --network="${NETWORK}"
 }
 
-# Ensure that we have a password created for validating to the master.
-#
-# Assumed vars:
-#  ZONE
-#  CLUSTER_NAME
-# Vars set:
-#   KUBE_USER
-#   KUBE_PASSWORD
-function get-password() {
-  echo "... in get-password()" >&2
-  detect-project >&2
-  KUBE_USER=$("${GCLOUD}" "${CMD_GROUP}" container clusters describe \
-    --project="${PROJECT}" --zone="${ZONE}" "${CLUSTER_NAME}" \
-    | grep user | cut -f 4 -d ' ')
-  KUBE_PASSWORD=$("${GCLOUD}" "${CMD_GROUP}" container clusters describe \
-    --project="${PROJECT}" --zone="${ZONE}" "${CLUSTER_NAME}" \
-    | grep password | cut -f 4 -d ' ')
-}
-
-# Detect the instance name and IP for the master
+# Detect the IP for the master. Note that on GKE, we don't know the name of the
+# master, so KUBE_MASTER is not set.
 #
 # Assumed vars:
 #   ZONE

cluster/juju/util.sh

@@ -41,10 +41,6 @@ function build-local() {
     cp -v $OUTPUT_DIR/* cluster/juju/charms/trusty/kubernetes-master/files/output
 }
 
-function get-password() {
-    echo "TODO: Assign username/password security"
-}
-
 function kube-up() {
     build-local
     if [[ -d "~/.juju/current-env" ]]; then

cluster/kube-util.sh

@@ -79,10 +79,13 @@ function test-setup {
 
 # Execute after running tests to perform any required clean-up
 function test-teardown {
-	echo "TODO"
+	echo "TODO: test-teardown" 1>&2
 }
 
-# Set the {KUBE_USER} and {KUBE_PASSWORD} environment values required to interact with provider
-function get-password {
-	echo "TODO"
-}
+# Providers util.sh scripts should define functions that override the above default functions impls
+if [ -n "${KUBERNETES_PROVIDER}" ]; then
+	PROVIDER_UTILS="${KUBE_ROOT}/cluster/${KUBERNETES_PROVIDER}/util.sh"
+	if [ -f ${PROVIDER_UTILS} ]; then
+		source "${PROVIDER_UTILS}"
+	fi
+fi

cluster/libvirt-coreos/util.sh

@@ -200,6 +200,7 @@ function wait-cluster-readiness {
 function kube-up {
   detect-master
   detect-minions
+  gen-kube-bearertoken
   initialize-pool keep_base_image
   initialize-network
 

cluster/rackspace/util.sh

@@ -51,20 +51,6 @@ verify-prereqs() {
   fi
 }
 
-# Ensure that we have a password created for validating to the master.  Will
-# read from kubeconfig current-context if available.
-#
-# Vars set:
-#   KUBE_USER
-#   KUBE_PASSWORD
-get-password() {
-  get-kubeconfig-basicauth
-  if [[ -z "${KUBE_USER}" || -z "${KUBE_PASSWORD}" ]]; then
-    KUBE_USER=admin
-    KUBE_PASSWORD=$(python2.7 -c 'import string,random; print "".join(random.SystemRandom().choice(string.ascii_letters + string.digits) for _ in range(16))')
-  fi
-}
-
 rax-ssh-key() {
   if [ ! -f $HOME/.ssh/${SSH_KEY_NAME} ]; then
     echo "cluster/rackspace/util.sh: Generating SSH KEY ${HOME}/.ssh/${SSH_KEY_NAME}"
@@ -301,7 +287,7 @@ kube-up() {
   KUBE_TEMP=$(mktemp -d -t kubernetes.XXXXXX)
   trap "rm -rf ${KUBE_TEMP}" EXIT
 
-  get-password
+  gen-kube-basicauth
   python2.7 $(dirname $0)/../third_party/htpasswd/htpasswd.py -b -c ${KUBE_TEMP}/htpasswd $KUBE_USER $KUBE_PASSWORD
   HTPASSWD=$(cat ${KUBE_TEMP}/htpasswd)
 
@@ -364,6 +350,8 @@ kube-up() {
 
   detect-minions
 
+  # ensures KUBECONFIG is set
+  get-kubeconfig-basicauth
   echo "All minions may not be online yet, this is okay."
   echo
   echo "Kubernetes cluster is running.  The master is running at:"

cluster/ubuntu/util.sh

@@ -261,20 +261,6 @@ FLANNEL_OPTS=""
 EOF
 }
 
-# Ensure that we have a password created for validating to the master. Will
-# read from $HOME/.kubernetes_auth if available.
-#
-# Vars set:
-#   KUBE_USER
-#   KUBE_PASSWORD
-function get-password {
-  get-kubeconfig-basicauth
-  if [[ -z "${KUBE_USER}" || -z "${KUBE_PASSWORD}" ]]; then
-    KUBE_USER=admin
-    KUBE_PASSWORD=$(python -c 'import string,random; print "".join(random.SystemRandom().choice(string.ascii_letters + string.digits) for _ in range(16))')
-  fi
-}
-
 # Detect the IP for the master
 #
 # Assumed vars:
@@ -361,7 +347,7 @@ function kube-up() {
   source "${KUBE_ROOT}/cluster/common.sh"
 
   # set kubernetes user and password
-  get-password
+  gen-kube-basicauth
 
   create-kubeconfig
 }