From a8409af5b5cd27fdd98eb12a01386579381bfc81 Mon Sep 17 00:00:00 2001
From: deads2k
Date: Wed, 15 Feb 2017 13:56:37 -0500
Subject: [PATCH 1/3] add script to register everything
---
 .../hack/apiservice-template.yaml | 12 +++
 .../hack/register-all-apis-from.sh | 81 +++++++++++++++++++
 2 files changed, 93 insertions(+)
 create mode 100644 staging/src/k8s.io/kube-aggregator/hack/apiservice-template.yaml
 create mode 100755 staging/src/k8s.io/kube-aggregator/hack/register-all-apis-from.sh
diff --git a/staging/src/k8s.io/kube-aggregator/hack/apiservice-template.yaml b/staging/src/k8s.io/kube-aggregator/hack/apiservice-template.yaml
new file mode 100644
index 000000000000..efb02e5ddabc
--- /dev/null
+++ b/staging/src/k8s.io/kube-aggregator/hack/apiservice-template.yaml
@@ -0,0 +1,12 @@
+apiVersion: apiregistration.k8s.io/v1alpha1
+kind: APIService
+metadata:
+ name: RESOURCE_NAME
+spec:
+ group: API_GROUP
+ version: API_VERSION
+ service:
+ namespace: SERVICE_NAMESPACE
+ name: SERVICE_NAME
+ insecureSkipTLSVerify: true
+ priority: 100
diff --git a/staging/src/k8s.io/kube-aggregator/hack/register-all-apis-from.sh b/staging/src/k8s.io/kube-aggregator/hack/register-all-apis-from.sh
new file mode 100755
index 000000000000..ca4635508040
--- /dev/null
+++ b/staging/src/k8s.io/kube-aggregator/hack/register-all-apis-from.sh
@@ -0,0 +1,81 @@
+#!/bin/bash
+
+# Copyright 2017 The Kubernetes Authors.
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+set -o errexit
+set -o nounset
+set -o pipefail
+
+
+if LANG=C sed --help 2>&1 | grep -q GNU; then
+ SED="sed"
+elif which gsed &>/dev/null; then
+ SED="gsed"
+else
+ echo "Failed to find GNU sed as sed or gsed. If you are on Mac: brew install gnu-sed." >&2
+ exit 1
+fi
+
+scriptDir=$(dirname "${BASH_SOURCE}")
+
+# this uses discovery from a kube-like API server to register ALL the API versions that server provides
+# first argument is reference to kube-config file that points the API server you're adding from
+# second argument is the service namespace
+# third argument is the service name
+# fourth argument is reference to kube-config file that points to the aggregator you're using
+
+FROM_KUBECONFIG=${1}
+SERVICE_NAMESPACE=${2}
+SERVICE_NAME=${3}
+AGG_KUBECONFIG=${4}
+
+
+dir=$(mktemp -d "${TMPDIR:-/tmp/}$(basename 0).XXXXXXXXXXXX")
+
+
+# if we have a /api endpoint, then we need to register that
+if kubectl --kubeconfig=${FROM_KUBECONFIG} get --raw / | grep -q /api/v1; then
+ group=""
+ version="v1"
+ resourceName=${version}.${group}
+ resourceFileName=${dir}/${resourceName}.yaml
+ cp ${scriptDir}/apiservice-template.yaml ${resourceFileName}
+ ${SED} -i "s/RESOURCE_NAME/${resourceName}/" ${resourceFileName}
+ ${SED} -i "s/API_GROUP/${group}/" ${resourceFileName}
+ ${SED} -i "s/API_VERSION/${version}/" ${resourceFileName}
+ ${SED} -i "s/SERVICE_NAMESPACE/${SERVICE_NAMESPACE}/" ${resourceFileName}
+ ${SED} -i "s/SERVICE_NAME/${SERVICE_NAME}/" ${resourceFileName}
+ echo "registering ${resourceName} using ${resourceFileName}"
+
+ kubectl --kubeconfig=${AGG_KUBECONFIG} create --v=8 -f ${resourceFileName}
+fi
+
+groupVersions=( $(kubectl --kubeconfig=${FROM_KUBECONFIG} get --raw / | grep /apis/ | sed 's/",.*//' | sed 's|.*"/apis/||' | grep '/') )
+
+for groupVersion in "${groupVersions[@]}"; do
+ group=$(echo $groupVersion | awk -F/ '{print $1}')
+ version=$(echo $groupVersion | awk -F/ '{print $2}')
+ resourceName=${version}.${group}
+ resourceFileName=${dir}/${resourceName}.yaml
+ cp ${scriptDir}/apiservice-template.yaml ${resourceFileName}
+ ${SED} -i "s/RESOURCE_NAME/${resourceName}/" ${resourceFileName}
+ ${SED} -i "s/API_GROUP/${group}/" ${resourceFileName}
+ ${SED} -i "s/API_VERSION/${version}/" ${resourceFileName}
+ ${SED} -i "s/SERVICE_NAMESPACE/${SERVICE_NAMESPACE}/" ${resourceFileName}
+ ${SED} -i "s/SERVICE_NAME/${SERVICE_NAME}/" ${resourceFileName}
+ echo "registering ${resourceName} using ${resourceFileName}"
+
+ kubectl --kubeconfig=${AGG_KUBECONFIG} create -f ${resourceFileName}
+done
From 23b22d645eabc276eeb48c02769f4de8112187c2 Mon Sep 17 00:00:00 2001
From: deads2k
Date: Wed, 15 Feb 2017 15:37:20 -0500
Subject: [PATCH 2/3] stop registering the same group multiple times
---
 .../k8s.io/kube-aggregator/pkg/apiserver/apiserver.go | 11 ++++++++++-
 vendor/BUILD | 1 +
 2 files changed, 11 insertions(+), 1 deletion(-)
diff --git a/staging/src/k8s.io/kube-aggregator/pkg/apiserver/apiserver.go b/staging/src/k8s.io/kube-aggregator/pkg/apiserver/apiserver.go
index 61cade274642..dc59e63997f5 100644
--- a/staging/src/k8s.io/kube-aggregator/pkg/apiserver/apiserver.go
+++ b/staging/src/k8s.io/kube-aggregator/pkg/apiserver/apiserver.go
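Review bot: `dir=$(mktemp -d "${TMPDIR:-/tmp/}$(basename 0).XXXXXXXXXXXX")` uses `$(basename 0)`, which expands to the literal `0` rather than the script name, so every run creates `/tmp/0.XXXXXXXXXXXX`; `$(basename "$0")` is presumably what was meant. The `${SED} -i "s/RESOURCE_NAME/${resourceName}/"` family interpolates `${SERVICE_NAMESPACE}`, `${SERVICE_NAME}` and `${group}` unescaped into `/`-delimited `s` commands, so a value containing `/`, `&` or `\` silently corrupts the manifest that is then created against the aggregator; switching to `|` as the delimiter and rejecting values that contain it is the cheap fix. The four positional arguments are described only in comments, so a guard such as `[[ $# -eq 4 ]] || { echo "usage: $0 FROM_KUBECONFIG SERVICE_NAMESPACE SERVICE_NAME AGG_KUBECONFIG" >&2; exit 1; }` would turn the bare `set -o nounset` failure on a missing `${4}` into a readable error. Quoting `${FROM_KUBECONFIG}`, `${AGG_KUBECONFIG}` and `${resourceFileName}` in the `kubectl` and `cp` calls would also keep paths with spaces working.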
@@ -21,6 +21,7 @@ import ( "os" "time" + "k8s.io/apimachinery/pkg/util/sets" "k8s.io/apimachinery/pkg/util/wait" genericapifilters "k8s.io/apiserver/pkg/endpoints/filters" genericapirequest "k8s.io/apiserver/pkg/endpoints/request" @@ -69,6 +70,8 @@ type APIAggregator struct { // proxyHandlers are the proxy handlers that are currently registered, keyed by apiservice.name proxyHandlers map[string]*proxyHandler + // handledGroups are the groups that already have routes + handledGroups sets.String // lister is used to add group handling for /apis/ aggregator lookups based on // controller state @@ -131,6 +134,7 @@ func (c completedConfig) New() (*APIAggregator, error) { proxyClientCert: c.ProxyClientCert, proxyClientKey: c.ProxyClientKey, proxyHandlers: map[string]*proxyHandler{}, + handledGroups: sets.String{}, lister: informerFactory.Apiregistration().InternalVersion().APIServices().Lister(), serviceLister: kubeInformers.Core().V1().Services().Lister(), endpointsLister: kubeInformers.Core().V1().Endpoints().Lister(), @@ -233,6 +237,11 @@ func (s *APIAggregator) AddAPIService(apiService *apiregistration.APIService) { return } + // if we've already registered the path with the handler, we don't want to do it again. + if s.handledGroups.Has(apiService.Spec.Group) { + return + } + // it's time to register the group aggregation endpoint groupPath := "/apis/" + apiService.Spec.Group groupDiscoveryHandler := &apiGroupHandler{ @@ -244,7 +253,7 @@ func (s *APIAggregator) AddAPIService(apiService *apiregistration.APIService) { // aggregation is protected s.GenericAPIServer.HandlerContainer.UnlistedRoutes.Handle(groupPath, groupDiscoveryHandler) s.GenericAPIServer.HandlerContainer.UnlistedRoutes.Handle(groupPath+"/", groupDiscoveryHandler) - + s.handledGroups.Insert(apiService.Spec.Group) } // RemoveAPIService removes the APIService from being handled. Later on it will disable the proxy endpoint. diff --git a/vendor/BUILD b/vendor/BUILD index d2b1e11c1b00..4b0835b02b7a 100644 
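Review bot: `handledGroups` is only ever grown (`s.handledGroups.Insert(apiService.Spec.Group)` at the end of AddAPIService) and nothing in these hunks removes a group, so once a group's discovery route is registered it stays registered for the life of the process even if every APIService for that group is later deleted; if that is intended because `UnlistedRoutes.Handle` cannot be undone, the field comment should say so, e.g. `// handledGroups are the groups whose discovery routes have already been registered; routes cannot be unregistered, so groups are never removed from this set`. `sets.String` is a plain map, so the new `Has`/`Insert` pair is only safe if AddAPIService is never invoked concurrently — the existing `proxyHandlers` map carries the same unstated constraint, so this is presumably guaranteed by the caller, but a one-line comment on the struct would make it explicit. RemoveAPIService is declared immediately after the last hunk and its body is not visible here, so whether it should also touch `handledGroups` cannot be judged from this diff.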
--- a/vendor/BUILD
+++ b/vendor/BUILD
@@ -16453,6 +16453,7 @@ go_library(
 "//vendor:k8s.io/apimachinery/pkg/runtime",
 "//vendor:k8s.io/apimachinery/pkg/util/httpstream/spdy",
 "//vendor:k8s.io/apimachinery/pkg/util/runtime",
+ "//vendor:k8s.io/apimachinery/pkg/util/sets",
 "//vendor:k8s.io/apimachinery/pkg/util/wait",
 "//vendor:k8s.io/apiserver/pkg/endpoints/filters",
 "//vendor:k8s.io/apiserver/pkg/endpoints/handlers/responsewriters",
From b53b7f20622f1a6fa4d9b47e51860473a8683100 Mon Sep 17 00:00:00 2001
From: deads2k
Date: Wed, 15 Feb 2017 13:01:13 -0500
Subject: [PATCH 3/3] make the on-infrastructure of kube-aggregator case easier
---
 hack/local-up-cluster.sh | 6 +-
 hack/local-up-kube-aggregator.sh | 105 ------------------
 .../artifacts/core-apiservices/legacy.yaml | 11 --
 .../v1.authorization.k8s.io.yaml | 12 --
 .../core-apiservices/v1.autoscaling.yaml | 12 --
 .../artifacts/core-apiservices/v1.batch.yaml | 12 --
 .../v1alpha1.certificates.k8s.io.yaml | 12 --
 .../v1alpha1.rbac.authorization.k8s.io.yaml | 12 --
 .../core-apiservices/v1beta1.apps.yaml | 12 --
 .../v1beta1.authentication.k8s.io.yaml | 12 --
 .../v1beta1.authorization.k8s.io.yaml | 12 --
 .../core-apiservices/v1beta1.extensions.yaml | 12 --
 .../core-apiservices/v1beta1.policy.yaml | 12 --
 .../v1beta1.storage.k8s.io.yaml | 12 --
 .../kubernetes-discover-pod.yaml | 6 +-
 .../hack/apiservice-template.yaml | 2 +-
 .../hack/local-up-kube-aggregator.sh | 91 +++++++++++++++
 .../hack/register-all-apis-from.sh | 15 ++-
 18 files changed, 110 insertions(+), 258 deletions(-)
 delete mode 100755 hack/local-up-kube-aggregator.sh
 delete mode 100644 staging/src/k8s.io/kube-aggregator/artifacts/core-apiservices/legacy.yaml
 delete mode 100644 staging/src/k8s.io/kube-aggregator/artifacts/core-apiservices/v1.authorization.k8s.io.yaml
 delete mode 100644 staging/src/k8s.io/kube-aggregator/artifacts/core-apiservices/v1.autoscaling.yaml
 delete mode 100644 staging/src/k8s.io/kube-aggregator/artifacts/core-apiservices/v1.batch.yaml
 delete mode 100644 staging/src/k8s.io/kube-aggregator/artifacts/core-apiservices/v1alpha1.certificates.k8s.io.yaml
 delete mode 100644 staging/src/k8s.io/kube-aggregator/artifacts/core-apiservices/v1alpha1.rbac.authorization.k8s.io.yaml
 delete mode 100644 staging/src/k8s.io/kube-aggregator/artifacts/core-apiservices/v1beta1.apps.yaml
 delete mode 100644 staging/src/k8s.io/kube-aggregator/artifacts/core-apiservices/v1beta1.authentication.k8s.io.yaml
 delete mode 100644 staging/src/k8s.io/kube-aggregator/artifacts/core-apiservices/v1beta1.authorization.k8s.io.yaml
 delete mode 100644 staging/src/k8s.io/kube-aggregator/artifacts/core-apiservices/v1beta1.extensions.yaml
 delete mode 100644 staging/src/k8s.io/kube-aggregator/artifacts/core-apiservices/v1beta1.policy.yaml
 delete mode 100644 staging/src/k8s.io/kube-aggregator/artifacts/core-apiservices/v1beta1.storage.k8s.io.yaml
 create mode 100755 staging/src/k8s.io/kube-aggregator/hack/local-up-kube-aggregator.sh
diff --git a/hack/local-up-cluster.sh b/hack/local-up-cluster.sh
index e86fbaa7c376..8e947cb5477d 100755
--- a/hack/local-up-cluster.sh
+++ b/hack/local-up-cluster.sh
@@ -34,6 +34,7 @@ NET_PLUGIN=${NET_PLUGIN:-""}
 # Place the binaries required by NET_PLUGIN in this directory, eg: "/home/kubernetes/bin".
 NET_PLUGIN_DIR=${NET_PLUGIN_DIR:-""}
 SERVICE_CLUSTER_IP_RANGE=${SERVICE_CLUSTER_IP_RANGE:-10.0.0.0/24}
+FIRST_SERVICE_CLUSTER_IP=${FIRST_SERVICE_CLUSTER_IP:-10.0.0.1}
 # if enabled, must set CGROUP_ROOT
 CGROUPS_PER_QOS=${CGROUPS_PER_QOS:-false}
 # this is not defaulted to preserve backward compatibility.
@@ -404,7 +405,7 @@ function start_apiserver {
 kube::util::create_signing_certkey "${CONTROLPLANE_SUDO}" "${CERT_DIR}" request-header '"client auth"'
 # serving cert for kube-apiserver
- kube::util::create_serving_certkey "${CONTROLPLANE_SUDO}" "${CERT_DIR}" "server-ca" kube-apiserver kubernetes.default.svc "localhost" ${API_HOST_IP} ${API_HOST}
+ kube::util::create_serving_certkey "${CONTROLPLANE_SUDO}" "${CERT_DIR}" "server-ca" kube-apiserver kubernetes.default kubernetes.default.svc "localhost" ${API_HOST_IP} ${API_HOST} ${FIRST_SERVICE_CLUSTER_IP}
 # Create client certs signed with client-ca, given id, given CN and a number of groups
 kube::util::create_client_certkey "${CONTROLPLANE_SUDO}" "${CERT_DIR}" 'client-ca' kubelet system:node:${HOSTNAME_OVERRIDE} system:nodes
@@ -484,7 +485,7 @@ function start_apiserver {
 ${KUBECTL} --kubeconfig="${CERT_DIR}/admin.kubeconfig" create namespace kube-public
 ${CONTROLPLANE_SUDO} cp "${CERT_DIR}/admin.kubeconfig" "${CERT_DIR}/admin-kube-aggregator.kubeconfig"
 ${CONTROLPLANE_SUDO} chown $(whoami) "${CERT_DIR}/admin-kube-aggregator.kubeconfig"
- ${KUBECTL} config set-cluster local-up-cluster --kubeconfig="${CERT_DIR}/admin-kube-aggregator.kubeconfig" --server="https://${API_HOST_IP}:9443"
+ ${KUBECTL} config set-cluster local-up-cluster --kubeconfig="${CERT_DIR}/admin-kube-aggregator.kubeconfig" --server="https://${API_HOST_IP}:31090"
 echo "use 'kubectl --kubeconfig=${CERT_DIR}/admin-kube-aggregator.kubeconfig' to use the aggregated API server"
 }
@@ -515,7 +516,6 @@ function start_controller_manager {
 function start_kubelet {
 KUBELET_LOG=/tmp/kubelet.log
 mkdir -p ${POD_MANIFEST_PATH} || true
- cp ${KUBE_ROOT}/vendor/k8s.io/kube-aggregator/artifacts/hostpath-pods/insecure-etcd-pod.yaml ${POD_MANIFEST_PATH}/kube-aggregator.yaml
 priv_arg=""
 if [[ -n "${ALLOW_PRIVILEGED}" ]]; then
diff --git a/hack/local-up-kube-aggregator.sh b/hack/local-up-kube-aggregator.sh
deleted file mode 100755
index 5440dc86941f..000000000000
--- a/hack/local-up-kube-aggregator.sh
+++ /dev/null
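Review bot: `FIRST_SERVICE_CLUSTER_IP=${FIRST_SERVICE_CLUSTER_IP:-10.0.0.1}` is defaulted independently of `SERVICE_CLUSTER_IP_RANGE`, so anyone who overrides the range (which this file already allows) gets a kube-apiserver serving cert whose new IP SAN does not match the real `kubernetes` service IP, and clients that reach the apiserver through the service IP fail TLS verification with no hint why; deriving the default from the range, or at least a comment `# must be the first IP of SERVICE_CLUSTER_IP_RANGE`, avoids the silent mismatch. The NodePort `31090` is now hard-coded in the `--server=` line here and separately defaulted as `AGGREGATOR_SECURE_PORT` in the new aggregator script, so changing one without the other leaves `admin-kube-aggregator.kubeconfig` pointing at a closed port; exporting a single variable and using it in both places keeps them in step. The copied `admin-kube-aggregator.kubeconfig` keeps admin.kubeconfig's certificate-authority and only rewrites the server address, so it can verify the aggregator only if the aggregator's serving cert chains to `server-ca` — that appears to be the intent given the new script's `SERVING_CERT` default, but a comment stating the dependency next to the `cp` would help the next person who changes either side.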
@@ -1,105 +0,0 @@
-#!/bin/bash
-
-# Copyright 2016 The Kubernetes Authors.
-#
-# Licensed under the Apache License, Version 2.0 (the "License");
-# you may not use this file except in compliance with the License.
-# You may obtain a copy of the License at
-#
-# http://www.apache.org/licenses/LICENSE-2.0
-#
-# Unless required by applicable law or agreed to in writing, software
-# distributed under the License is distributed on an "AS IS" BASIS,
-# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-# See the License for the specific language governing permissions and
-# limitations under the License.
-
-# starts kube-aggregator as a pod after you've run `local-up-cluster.sh`
-
-
-KUBE_ROOT=$(dirname "${BASH_SOURCE}")/..
-source "${KUBE_ROOT}/hack/lib/init.sh"
-
-DISCOVERY_SECURE_PORT=${DISCOVERY_SECURE_PORT:-31090}
-API_HOST=${API_HOST:-localhost}
-API_HOST_IP=${API_HOST_IP:-"127.0.0.1"}
-CERT_DIR=${CERT_DIR:-"/var/run/kubernetes"}
-ROOT_CA_FILE=$CERT_DIR/apiserver.crt
-
-# Ensure CERT_DIR is created for auto-generated crt/key and kubeconfig
-mkdir -p "${CERT_DIR}" &>/dev/null || sudo mkdir -p "${CERT_DIR}"
-sudo=$(test -w "${CERT_DIR}" || echo "sudo -E")
-
-
-kubectl=$(kube::util::find-binary kubectl)
-
-function kubectl_core {
- ${kubectl} --kubeconfig="${CERT_DIR}/admin.kubeconfig" $@
-}
-
-function sudo_kubectl_core {
- ${sudo} ${kubectl} --kubeconfig="${CERT_DIR}/admin.kubeconfig" $@
-}
-
-# start_kube-aggregator relies on certificates created by start_apiserver
-function start_kube-aggregator {
- kube::util::create_signing_certkey "${sudo}" "${CERT_DIR}" "kube-aggregator" '"server auth"'
- # sign the kube-aggregator cert to be good for the local node too, so that we can trust it
- kube::util::create_serving_certkey "${sudo}" "${CERT_DIR}" "kube-aggregator-ca" kube-aggregator api.kube-public.svc "localhost" ${API_HOST_IP}
-
- # Create serving and client CA. etcd only takes one arg
- kube::util::create_signing_certkey "${sudo}" "${CERT_DIR}" "etcd" '"client auth","server auth"'
- kube::util::create_serving_certkey "${sudo}" "${CERT_DIR}" "etcd-ca" etcd etcd.kube-public.svc
- # etcd doesn't seem to have separate signers for serving and client trust
- kube::util::create_client_certkey "${sudo}" "${CERT_DIR}" "etcd-ca" kube-aggregator-etcd kube-aggregator-etcd
-
- # don't fail if the namespace already exists or something
- # If this fails for some reason, the script will fail during creation of other resources
- kubectl_core create namespace kube-public || true
-
- # grant permission to run delegated authentication and authorization checks
- kubectl_core delete clusterrolebinding kube-aggregator:system:auth-delegator > /dev/null 2>&1 || true
- kubectl_core delete clusterrolebinding kube-aggregator:system:kube-aggregator > /dev/null 2>&1 || true
- kubectl_core create clusterrolebinding kube-aggregator:system:auth-delegator --clusterrole=system:auth-delegator --serviceaccount=kube-public:kube-aggregator
- kubectl_core create clusterrolebinding kube-aggregator:system:kube-aggregator --clusterrole=system:kube-aggregator --serviceaccount=kube-public:kube-aggregator
-
- # make sure the resources we're about to create don't exist
- kubectl_core -n kube-public delete secret auth-proxy-client serving-etcd serving-kube-aggregator kube-aggregator-etcd > /dev/null 2>&1 || true
- kubectl_core -n kube-public delete configmap etcd-ca kube-aggregator-ca client-ca request-header-ca > /dev/null 2>&1 || true
- kubectl_core -n kube-public delete -f "${KUBE_ROOT}/vendor/k8s.io/kube-aggregator/artifacts/local-cluster-up" > /dev/null 2>&1 || true
-
- sudo_kubectl_core -n kube-public create secret tls auth-proxy-client --cert="${CERT_DIR}/client-auth-proxy.crt" --key="${CERT_DIR}/client-auth-proxy.key"
- sudo_kubectl_core -n kube-public create secret tls serving-etcd --cert="${CERT_DIR}/serving-etcd.crt" --key="${CERT_DIR}/serving-etcd.key"
- sudo_kubectl_core -n kube-public create secret tls serving-kube-aggregator --cert="${CERT_DIR}/serving-kube-aggregator.crt" --key="${CERT_DIR}/serving-kube-aggregator.key"
- sudo_kubectl_core -n kube-public create secret tls kube-aggregator-etcd --cert="${CERT_DIR}/client-kube-aggregator-etcd.crt" --key="${CERT_DIR}/client-kube-aggregator-etcd.key"
- kubectl_core -n kube-public create configmap etcd-ca --from-file="ca.crt=${CERT_DIR}/etcd-ca.crt" || true
- kubectl_core -n kube-public create configmap kube-aggregator-ca --from-file="ca.crt=${CERT_DIR}/kube-aggregator-ca.crt" || true
- kubectl_core -n kube-public create configmap client-ca --from-file="ca.crt=${CERT_DIR}/client-ca.crt" || true
- kubectl_core -n kube-public create configmap request-header-ca --from-file="ca.crt=${CERT_DIR}/request-header-ca.crt" || true
-
- ${KUBE_ROOT}/vendor/k8s.io/kube-aggregator/hack/build-image.sh
-
- kubectl_core -n kube-public create -f "${KUBE_ROOT}/vendor/k8s.io/kube-aggregator/artifacts/local-cluster-up"
-
- ${sudo} cp "${CERT_DIR}/admin.kubeconfig" "${CERT_DIR}/admin-kube-aggregator.kubeconfig"
- ${sudo} chown ${USER} "${CERT_DIR}/admin-kube-aggregator.kubeconfig"
- ${kubectl} config set-cluster local-up-cluster --kubeconfig="${CERT_DIR}/admin-kube-aggregator.kubeconfig" --certificate-authority="${CERT_DIR}/kube-aggregator-ca.crt" --embed-certs --server="https://${API_HOST_IP}:${DISCOVERY_SECURE_PORT}"
-
- # Wait for kube-aggregator to come up before launching the rest of the components.
- # This should work since we're creating a node port service.
- echo "Waiting for kube-aggregator to come up: https://${API_HOST_IP}:${DISCOVERY_SECURE_PORT}/version"
- kube::util::wait_for_url "https://${API_HOST_IP}:${DISCOVERY_SECURE_PORT}/version" "kube-aggregator: " 1 60 || exit 1
-
- # something is weird with the proxy
- sleep 1
-
- # create the "normal" api services for the core API server
- ${kubectl} --kubeconfig="${CERT_DIR}/admin-kube-aggregator.kubeconfig" create -f "${KUBE_ROOT}/vendor/k8s.io/kube-aggregator/artifacts/core-apiservices"
-}
-
-kube::util::test_openssl_installed
-kube::util::test_cfssl_installed
-
-start_kube-aggregator
-
-echo "kuberentes-kube-aggregator available at https://${API_HOST_IP}:${DISCOVERY_SECURE_PORT} from 'api.kube-public.svc'"
diff --git a/staging/src/k8s.io/kube-aggregator/artifacts/core-apiservices/legacy.yaml b/staging/src/k8s.io/kube-aggregator/artifacts/core-apiservices/legacy.yaml
deleted file mode 100644
index a3d89f53f9b7..000000000000
--- a/staging/src/k8s.io/kube-aggregator/artifacts/core-apiservices/legacy.yaml
+++ /dev/null
@@ -1,11 +0,0 @@
-apiVersion: apiregistration.k8s.io/v1alpha1
-kind: APIService
-metadata:
- name: v1.
-spec:
- version: v1
- service:
- namespace: default
- name: kubernetes
- insecureSkipTLSVerify: true
- priority: 100
diff --git a/staging/src/k8s.io/kube-aggregator/artifacts/core-apiservices/v1.authorization.k8s.io.yaml b/staging/src/k8s.io/kube-aggregator/artifacts/core-apiservices/v1.authorization.k8s.io.yaml
deleted file mode 100644
index 6465e31f2467..000000000000
--- a/staging/src/k8s.io/kube-aggregator/artifacts/core-apiservices/v1.authorization.k8s.io.yaml
+++ /dev/null
@@ -1,12 +0,0 @@
-apiVersion: apiregistration.k8s.io/v1alpha1
-kind: APIService
-metadata:
- name: v1.authorization.k8s.io
-spec:
- group: authorization.k8s.io
- version: v1
- service:
- namespace: default
- name: kubernetes
- insecureSkipTLSVerify: true
- priority: 100
diff --git a/staging/src/k8s.io/kube-aggregator/artifacts/core-apiservices/v1.autoscaling.yaml b/staging/src/k8s.io/kube-aggregator/artifacts/core-apiservices/v1.autoscaling.yaml
deleted file mode 100644
index a604b8118c17..000000000000
--- a/staging/src/k8s.io/kube-aggregator/artifacts/core-apiservices/v1.autoscaling.yaml
+++ /dev/null
@@ -1,12 +0,0 @@
-apiVersion: apiregistration.k8s.io/v1alpha1
-kind: APIService
-metadata:
- name: v1.autoscaling
-spec:
- group: autoscaling
- version: v1
- service:
- namespace: default
- name: kubernetes
- insecureSkipTLSVerify: true
- priority: 100
diff --git a/staging/src/k8s.io/kube-aggregator/artifacts/core-apiservices/v1.batch.yaml b/staging/src/k8s.io/kube-aggregator/artifacts/core-apiservices/v1.batch.yaml
deleted file mode 100644
index 3605b263f676..000000000000
--- a/staging/src/k8s.io/kube-aggregator/artifacts/core-apiservices/v1.batch.yaml
+++ /dev/null
@@ -1,12 +0,0 @@
-apiVersion: apiregistration.k8s.io/v1alpha1
-kind: APIService
-metadata:
- name: v1.batch
-spec:
- group: batch
- version: v1
- service:
- namespace: default
- name: kubernetes
- insecureSkipTLSVerify: true
- priority: 100
diff --git a/staging/src/k8s.io/kube-aggregator/artifacts/core-apiservices/v1alpha1.certificates.k8s.io.yaml b/staging/src/k8s.io/kube-aggregator/artifacts/core-apiservices/v1alpha1.certificates.k8s.io.yaml
deleted file mode 100644
index ec7a01a44403..000000000000
--- a/staging/src/k8s.io/kube-aggregator/artifacts/core-apiservices/v1alpha1.certificates.k8s.io.yaml
+++ /dev/null
@@ -1,12 +0,0 @@
-apiVersion: apiregistration.k8s.io/v1alpha1
-kind: APIService
-metadata:
- name: v1alpha1.certificates.k8s.io
-spec:
- group: certificates.k8s.io
- version: v1alpha1
- service:
- namespace: default
- name: kubernetes
- insecureSkipTLSVerify: true
- priority: 100
diff --git a/staging/src/k8s.io/kube-aggregator/artifacts/core-apiservices/v1alpha1.rbac.authorization.k8s.io.yaml b/staging/src/k8s.io/kube-aggregator/artifacts/core-apiservices/v1alpha1.rbac.authorization.k8s.io.yaml
deleted file mode 100644
index cfcf643fec03..000000000000
--- a/staging/src/k8s.io/kube-aggregator/artifacts/core-apiservices/v1alpha1.rbac.authorization.k8s.io.yaml
+++ /dev/null
@@ -1,12 +0,0 @@
-apiVersion: apiregistration.k8s.io/v1alpha1
-kind: APIService
-metadata:
- name: v1alpha1.rbac.authorization.k8s.io
-spec:
- group: rbac.authorization.k8s.io
- version: v1alpha1
- service:
- namespace: default
- name: kubernetes
- insecureSkipTLSVerify: true
- priority: 100
diff --git a/staging/src/k8s.io/kube-aggregator/artifacts/core-apiservices/v1beta1.apps.yaml b/staging/src/k8s.io/kube-aggregator/artifacts/core-apiservices/v1beta1.apps.yaml
deleted file mode 100644
index 1620af3259da..000000000000
--- a/staging/src/k8s.io/kube-aggregator/artifacts/core-apiservices/v1beta1.apps.yaml
+++ /dev/null
@@ -1,12 +0,0 @@
-apiVersion: apiregistration.k8s.io/v1alpha1
-kind: APIService
-metadata:
- name: v1beta1.apps
-spec:
- group: apps
- version: v1beta1
- service:
- namespace: default
- name: kubernetes
- insecureSkipTLSVerify: true
- priority: 100
diff --git a/staging/src/k8s.io/kube-aggregator/artifacts/core-apiservices/v1beta1.authentication.k8s.io.yaml b/staging/src/k8s.io/kube-aggregator/artifacts/core-apiservices/v1beta1.authentication.k8s.io.yaml
deleted file mode 100644
index d80e49f612f0..000000000000
--- a/staging/src/k8s.io/kube-aggregator/artifacts/core-apiservices/v1beta1.authentication.k8s.io.yaml
+++ /dev/null
@@ -1,12 +0,0 @@
-apiVersion: apiregistration.k8s.io/v1alpha1
-kind: APIService
-metadata:
- name: v1beta1.authentication.k8s.io
-spec:
- group: authentication.k8s.io
- version: v1beta1
- service:
- namespace: default
- name: kubernetes
- insecureSkipTLSVerify: true
- priority: 100
diff --git a/staging/src/k8s.io/kube-aggregator/artifacts/core-apiservices/v1beta1.authorization.k8s.io.yaml b/staging/src/k8s.io/kube-aggregator/artifacts/core-apiservices/v1beta1.authorization.k8s.io.yaml
deleted file mode 100644
index 365f7904aa79..000000000000
--- a/staging/src/k8s.io/kube-aggregator/artifacts/core-apiservices/v1beta1.authorization.k8s.io.yaml
+++ /dev/null
@@ -1,12 +0,0 @@
-apiVersion: apiregistration.k8s.io/v1alpha1
-kind: APIService
-metadata:
- name: v1beta1.authorization.k8s.io
-spec:
- group: authorization.k8s.io
- version: v1beta1
- service:
- namespace: default
- name: kubernetes
- insecureSkipTLSVerify: true
- priority: 100
diff --git a/staging/src/k8s.io/kube-aggregator/artifacts/core-apiservices/v1beta1.extensions.yaml b/staging/src/k8s.io/kube-aggregator/artifacts/core-apiservices/v1beta1.extensions.yaml
deleted file mode 100644
index 1deed18f97e6..000000000000
--- a/staging/src/k8s.io/kube-aggregator/artifacts/core-apiservices/v1beta1.extensions.yaml
+++ /dev/null
@@ -1,12 +0,0 @@
-apiVersion: apiregistration.k8s.io/v1alpha1
-kind: APIService
-metadata:
- name: v1beta1.extensions
-spec:
- group: extensions
- version: v1beta1
- service:
- namespace: default
- name: kubernetes
- insecureSkipTLSVerify: true
- priority: 150
diff --git a/staging/src/k8s.io/kube-aggregator/artifacts/core-apiservices/v1beta1.policy.yaml b/staging/src/k8s.io/kube-aggregator/artifacts/core-apiservices/v1beta1.policy.yaml
deleted file mode 100644
index c451ce67255c..000000000000
--- a/staging/src/k8s.io/kube-aggregator/artifacts/core-apiservices/v1beta1.policy.yaml
+++ /dev/null
@@ -1,12 +0,0 @@
-apiVersion: apiregistration.k8s.io/v1alpha1
-kind: APIService
-metadata:
- name: v1beta1.policy
-spec:
- group: policy
- version: v1beta1
- service:
- namespace: default
- name: kubernetes
- insecureSkipTLSVerify: true
- priority: 100
diff --git a/staging/src/k8s.io/kube-aggregator/artifacts/core-apiservices/v1beta1.storage.k8s.io.yaml b/staging/src/k8s.io/kube-aggregator/artifacts/core-apiservices/v1beta1.storage.k8s.io.yaml deleted file mode 100644 index 9e72c87da094..000000000000 --- a/staging/src/k8s.io/kube-aggregator/artifacts/core-apiservices/v1beta1.storage.k8s.io.yaml +++ /dev/null @@ -1,12 +0,0 @@ -apiVersion: apiregistration.k8s.io/v1alpha1 -kind: APIService -metadata: - name: v1beta1.storage.k8s.io -spec: - group: storage.k8s.io - version: v1beta1 - service: - namespace: default - name: kubernetes - insecureSkipTLSVerify: true - priority: 100 diff --git a/staging/src/k8s.io/kube-aggregator/artifacts/self-contained/kubernetes-discover-pod.yaml b/staging/src/k8s.io/kube-aggregator/artifacts/self-contained/kubernetes-discover-pod.yaml index a67f06b89952..7b21ac210fdc 100644 --- a/staging/src/k8s.io/kube-aggregator/artifacts/self-contained/kubernetes-discover-pod.yaml +++ b/staging/src/k8s.io/kube-aggregator/artifacts/self-contained/kubernetes-discover-pod.yaml @@ -84,14 +84,14 @@ spec: - name: volume-etcd-client-cert secret: defaultMode: 420 - secretName: discovery-etcd + secretName: kube-aggregator-etcd - name: volume-serving-cert secret: defaultMode: 420 - secretName: serving-discovery + secretName: serving-kube-aggregator - configMap: defaultMode: 420 - name: discovery-ca + name: kube-aggregator-ca name: volume-serving-ca - configMap: defaultMode: 420 diff --git a/staging/src/k8s.io/kube-aggregator/hack/apiservice-template.yaml b/staging/src/k8s.io/kube-aggregator/hack/apiservice-template.yaml index efb02e5ddabc..17707866d7a5 100644 --- a/staging/src/k8s.io/kube-aggregator/hack/apiservice-template.yaml +++ b/staging/src/k8s.io/kube-aggregator/hack/apiservice-template.yaml @@ -8,5 +8,5 @@ spec: service: namespace: SERVICE_NAMESPACE name: SERVICE_NAME - insecureSkipTLSVerify: true + caBundle: CA_BUNDLE priority: 100 
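Review bot: `caBundle: CA_BUNDLE` is a placeholder the registration script must fill with the single-line base64 of the CA PEM, and the template itself no longer says so; if a caller copies the template without running the script, the literal string `CA_BUNDLE` is submitted as the bundle and the aggregator cannot verify the backend. A comment in the template such as `# caBundle: base64 (one line, no wrapping) of the PEM CA that signed SERVICE_NAME's serving cert; filled in by register-all-apis-from.sh` documents that contract. Replacing `insecureSkipTLSVerify: true` with a pinned CA is the right direction, since the previous form let the aggregator proxy requests to whatever answered at the Service without checking its identity.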
diff --git a/staging/src/k8s.io/kube-aggregator/hack/local-up-kube-aggregator.sh b/staging/src/k8s.io/kube-aggregator/hack/local-up-kube-aggregator.sh
new file mode 100755
index 000000000000..1c4b5e318a2a
--- /dev/null
+++ b/staging/src/k8s.io/kube-aggregator/hack/local-up-kube-aggregator.sh
@@ -0,0 +1,91 @@
+#!/bin/bash
+
+# Copyright 2016 The Kubernetes Authors.
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+# starts kube-aggregator as a pod after you've run `local-up-cluster.sh`
+
+set -o errexit
+set -o nounset
+set -o pipefail
+
+AGG_ROOT=$(dirname "${BASH_SOURCE}")/..
+KUBE_ROOT=${AGG_ROOT}/../../../..
+source "${KUBE_ROOT}/hack/lib/init.sh"
+
+AGGREGATOR_SECURE_PORT=${AGGREGATOR_SECURE_PORT:-31090}
+API_HOST=${API_HOST:-localhost}
+API_HOST_IP=${API_HOST_IP:-"127.0.0.1"}
+AGGREGATOR_CERT_DIR=${AGGREGATOR_CERT_DIR:-"/var/run/kubernetes/aggregator"}
+
+KUBE_CERT_DIR=${KUBE_CERT_DIR:-"/var/run/kubernetes"}
+SERVING_CERT_CA_CERT=${SERVING_CERT_CA_CERT:-"${KUBE_CERT_DIR}/server-ca.crt"}
+CLIENT_CERT_CA_CERT=${CLIENT_CERT_CA_CERT:-"${KUBE_CERT_DIR}/client-ca.crt"}
+FRONT_PROXY_CLIENT_CERT_CA_CERT=${FRONT_PROXY_CLIENT_CERT_CA_CERT:-"${KUBE_CERT_DIR}/request-header-ca.crt"}
+SERVING_CERT=${SERVING_CERT:-"${KUBE_CERT_DIR}/serving-kube-aggregator.crt"}
+SERVING_KEY=${SERVING_KEY:-"${KUBE_CERT_DIR}/serving-kube-aggregator.key"}
+FRONT_PROXY_CLIENT_CERT=${FRONT_PROXY_CLIENT_CERT:-"${KUBE_CERT_DIR}/client-auth-proxy.crt"}
+FRONT_PROXY_CLIENT_KEY=${FRONT_PROXY_CLIENT_KEY:-"${KUBE_CERT_DIR}/client-auth-proxy.key"}
+
+
+# Ensure AGGREGATOR_CERT_DIR is created for auto-generated crt/key and kubeconfig
+mkdir -p "${AGGREGATOR_CERT_DIR}" &>/dev/null || sudo mkdir -p "${AGGREGATOR_CERT_DIR}"
+sudo=$(test -w "${AGGREGATOR_CERT_DIR}" || echo "sudo -E")
+
+# start_kube-aggregator relies on certificates created by start_apiserver
+function start_kube-aggregator {
+ # Create serving and client CA. etcd only takes one arg
+ kube::util::create_signing_certkey "${sudo}" "${AGGREGATOR_CERT_DIR}" "etcd" '"client auth","server auth"'
+ kube::util::create_serving_certkey "${sudo}" "${AGGREGATOR_CERT_DIR}" "etcd-ca" etcd etcd.kube-public.svc
+ # etcd doesn't seem to have separate signers for serving and client trust
+ kube::util::create_client_certkey "${sudo}" "${AGGREGATOR_CERT_DIR}" "etcd-ca" kube-aggregator-etcd kube-aggregator-etcd
+
+ # don't fail if the namespace already exists or something
+ # If this fails for some reason, the script will fail during creation of other resources
+ kubectl create namespace kube-public || true
+
+ # grant permission to run delegated authentication and authorization checks
+ kubectl delete clusterrolebinding kube-aggregator:system:auth-delegator > /dev/null 2>&1 || true
+ kubectl delete clusterrolebinding kube-aggregator:system:kube-aggregator > /dev/null 2>&1 || true
+ kubectl create clusterrolebinding kube-aggregator:system:auth-delegator --clusterrole=system:auth-delegator --serviceaccount=kube-public:kube-aggregator
+ kubectl create clusterrolebinding kube-aggregator:system:kube-aggregator --clusterrole=system:kube-aggregator --serviceaccount=kube-public:kube-aggregator
+
+ # make sure the resources we're about to create don't exist
+ kubectl -n kube-public delete secret auth-proxy-client serving-etcd serving-kube-aggregator kube-aggregator-etcd > /dev/null 2>&1 || true
+ kubectl -n kube-public delete configmap etcd-ca kube-aggregator-ca client-ca request-header-ca > /dev/null 2>&1 || true
+ kubectl -n kube-public delete -f "${AGG_ROOT}/artifacts/self-contained" > /dev/null 2>&1 || true
+
+ kubectl -n kube-public create secret tls auth-proxy-client --cert="${FRONT_PROXY_CLIENT_CERT}" --key="${FRONT_PROXY_CLIENT_KEY}"
+ kubectl -n kube-public create secret tls serving-etcd --cert="${AGGREGATOR_CERT_DIR}/serving-etcd.crt" --key="${AGGREGATOR_CERT_DIR}/serving-etcd.key"
+ kubectl -n kube-public create secret tls serving-kube-aggregator --cert="${SERVING_CERT}" --key="${SERVING_KEY}"
+ kubectl -n kube-public create secret tls kube-aggregator-etcd --cert="${AGGREGATOR_CERT_DIR}/client-kube-aggregator-etcd.crt" --key="${AGGREGATOR_CERT_DIR}/client-kube-aggregator-etcd.key"
+ kubectl -n kube-public create configmap etcd-ca --from-file="ca.crt=${AGGREGATOR_CERT_DIR}/etcd-ca.crt" || true
+ kubectl -n kube-public create configmap kube-aggregator-ca --from-file="ca.crt=${SERVING_CERT_CA_CERT}" || true
+ kubectl -n kube-public create configmap client-ca --from-file="ca.crt=${CLIENT_CERT_CA_CERT}" || true
+ kubectl -n kube-public create configmap request-header-ca --from-file="ca.crt=${FRONT_PROXY_CLIENT_CERT_CA_CERT}" || true
+
+ kubectl -n kube-public create -f "${AGG_ROOT}/artifacts/self-contained"
+
+ # Wait for kube-aggregator to come up before launching the rest of the components.
+ # This should work since we're creating a node port service.
+ echo "Waiting for kube-aggregator to come up: https://${API_HOST_IP}:${AGGREGATOR_SECURE_PORT}/version"
+ kube::util::wait_for_url "https://${API_HOST_IP}:${AGGREGATOR_SECURE_PORT}/version" "kube-aggregator: " 1 60 || exit 1
+}
+
+kube::util::test_openssl_installed
+kube::util::test_cfssl_installed
+
+start_kube-aggregator
+
+echo "kube-aggregator available at https://${API_HOST_IP}:${AGGREGATOR_SECURE_PORT} from 'api.kube-public.svc'"
diff --git a/staging/src/k8s.io/kube-aggregator/hack/register-all-apis-from.sh b/staging/src/k8s.io/kube-aggregator/hack/register-all-apis-from.sh
index ca4635508040..34f6693d7c26 100755
--- a/staging/src/k8s.io/kube-aggregator/hack/register-all-apis-from.sh
+++ b/staging/src/k8s.io/kube-aggregator/hack/register-all-apis-from.sh
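Review bot: `sudo=$(test -w "${AGGREGATOR_CERT_DIR}" || echo "sudo -E")` is computed but only handed to the certkey helpers; the four `kubectl -n kube-public create secret tls ...` lines then read `${SERVING_KEY}`, `${FRONT_PROXY_CLIENT_KEY}` and the etcd keys as the invoking user, whereas the deleted hack/local-up-kube-aggregator.sh ran exactly these through `sudo_kubectl_core` because private keys under `/var/run/kubernetes` are normally not world-readable, so unless this script is always run as root the secret creation fails on an unreadable key. Either prefix those four lines with `${sudo}` (and compute it against `${KUBE_CERT_DIR}` too) or state the root requirement in the header comment. The script also calls bare `kubectl` without `--kubeconfig`, so it acts on whatever context the caller's environment points at rather than `${KUBE_CERT_DIR}/admin.kubeconfig` as before; a one-line `# assumes KUBECONFIG points at the local-up cluster's admin.kubeconfig` would make that dependency visible. Note that the `kube-aggregator-ca` configmap now carries `server-ca.crt`, so the aggregator's serving cert is trusted only through the kube-apiserver CA — consistent with the `SERVING_CERT` default, but the configmap name no longer says so.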
@@ -28,6 +28,14 @@ else exit 1 fi +dir=$(mktemp -d "${TMPDIR:-/tmp/}$(basename 0).XXXXXXXXXXXX") +# Register function to be called on EXIT to remove generated binary. +function cleanup { + rm -rf "${dir}" +} +trap cleanup EXIT + + scriptDir=$(dirname "${BASH_SOURCE}") # this uses discovery from a kube-like API server to register ALL the API versions that server provides @@ -42,8 +50,7 @@ SERVICE_NAME=${3} AGG_KUBECONFIG=${4} -dir=$(mktemp -d "${TMPDIR:-/tmp/}$(basename 0).XXXXXXXXXXXX") - +caBundle=$(base64 /var/run/kubernetes/server-ca.crt | awk 'BEGIN{ORS="";} {print}') # if we have a /api endpoint, then we need to register that if kubectl --kubeconfig=${FROM_KUBECONFIG} get --raw / | grep -q /api/v1; then @@ -57,9 +64,10 @@ if kubectl --kubeconfig=${FROM_KUBECONFIG} get --raw / | grep -q /api/v1; then ${SED} -i "s/API_VERSION/${version}/" ${resourceFileName} ${SED} -i "s/SERVICE_NAMESPACE/${SERVICE_NAMESPACE}/" ${resourceFileName} ${SED} -i "s/SERVICE_NAME/${SERVICE_NAME}/" ${resourceFileName} + ${SED} -i "s/CA_BUNDLE/${caBundle}/" ${resourceFileName} echo "registering ${resourceName} using ${resourceFileName}" - kubectl --kubeconfig=${AGG_KUBECONFIG} create --v=8 -f ${resourceFileName} + kubectl --kubeconfig=${AGG_KUBECONFIG} create -f ${resourceFileName} fi groupVersions=( $(kubectl --kubeconfig=${FROM_KUBECONFIG} get --raw / | grep /apis/ | sed 's/",.*//' | sed 's|.*"/apis/||' | grep '/') ) @@ -75,6 +83,7 @@ for groupVersion in "${groupVersions[@]}"; do ${SED} -i "s/API_VERSION/${version}/" ${resourceFileName} ${SED} -i "s/SERVICE_NAMESPACE/${SERVICE_NAMESPACE}/" ${resourceFileName} ${SED} -i "s/SERVICE_NAME/${SERVICE_NAME}/" ${resourceFileName} + ${SED} -i "s/CA_BUNDLE/${caBundle}/" ${resourceFileName} echo "registering ${resourceName} using ${resourceFileName}" kubectl --kubeconfig=${AGG_KUBECONFIG} create -f ${resourceFileName}
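Review bot: `caBundle=$(base64 /var/run/kubernetes/server-ca.crt | awk 'BEGIN{ORS="";} {print}')` is then spliced into `${SED} -i "s/CA_BUNDLE/${caBundle}/" ${resourceFileName}`; base64 output contains `/` (as well as `+` and `=`), and `/` is the delimiter of that `s` command, so GNU sed aborts with an "unknown option to `s'" error as soon as the encoded CA contains one — for a PEM certificate of normal size that is close to certain, and under `set -o errexit` the script dies before registering anything. Use a delimiter that cannot appear in base64, `${SED} -i "s|CA_BUNDLE|${caBundle}|" ${resourceFileName}`, in both the `/api` block and the loop. The CA path is also hard-coded to the local-up kube-apiserver's `server-ca.crt` even though the script takes `FROM_KUBECONFIG` as the server being registered, so for any other backend the APIService is pinned to the wrong CA and the aggregator's proxy will fail verification; taking the CA file as a fifth argument (or reading the `certificate-authority` out of `${FROM_KUBECONFIG}`) preserves the verification property this patch introduces instead of inviting a fallback to `insecureSkipTLSVerify`. `$(basename 0)` in the relocated mktemp template still expands to the literal `0`; `$(basename "$0")` was presumably intended.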