Support insecure mode, where authentication token is not required, impl…
…ying

init step not needed and config YAML doesn't have to be updated on minions.
Paul Michali committed Oct 22, 2018
1 parent 0ff39f6 commit efe9dce
Showing 9 changed files with 494 additions and 12 deletions.
15 changes: 11 additions & 4 deletions README.md
Expand Up @@ -112,6 +112,7 @@ general:
work-area: "/tmp/lazyjack"
mode: "ipv6"
kubernetes-version: "v1.12.0"
insecure: true
topology:
my-master:
interface: "enp10s0"
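Review bot: The sample `general:` block now ships with `insecure: true`, so anyone who copies the README example as a starting config gets insecure mode without having chosen it. The new README section describes the flag as optional and meant for a non-production environment, so show it as `insecure: false` in the sample, or leave it out here and mention it only in the "Insecure mode" section.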
Expand Down Expand Up @@ -174,6 +175,12 @@ If omitted, the version of KubeAdm will be used to specify the Kubernetes versio
NOTE: If you are using an un-released version, it may be beneficial to set this to
`latest`.

### Insecure mode (insecure)
This optional boolean flag can be set to allow KubeAdm to run without specifying
an auth token. This means that the `init` step is not needed, and the config YAML
file does not need to be copied over to the minions, after the `prepare` step, thus
simplifying startup for a non-production environment.

### Topology (topology)
This is where you specify each of the systems to be provisioned. Each entry is referred
to by the hostname, and contains three items.
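Review bot: The new "Insecure mode" text says KubeAdm runs "without specifying an auth token", but the prepare.go change in this commit sets `info.AuthToken = DefaultToken`, so a token is still used; it is the fixed value checked into config.go. The section should say that, and state that the token is therefore known to anyone who can read the repository, so readers can judge whether the network their master sits on is acceptable for this mode.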
Expand Down Expand Up @@ -328,7 +335,7 @@ as root:
```

The commands do the following:
* **init** - Sets up tokens and certificates needed by Kuberentes. Must be run on the master node, **before** copying the config file to minion nodes. Only needed once.
* **init** - Sets up tokens and certificates needed by Kuberentes. Must be run on the master node, **before** copying the config file to minion nodes. Only needed once. Not needed, if running in insecure mode.
* **prepare** - Prepares the node so that cluster can be brought up. Do on each node, before proceeded to next step.
* **up** - Brings up Kubernetes cluster on the node. Do master first, and then minions.
* **down** - Tears down the cluster on the node. Do minions first, and then master.
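Review bot: The `init` bullet now ends with "Not needed, if running in insecure mode" but does not say what happens when `init` is run anyway with `insecure: true`; state whether it is skipped, rejected, or still rewrites the config YAML. While this line is being edited, "Kuberentes" can be corrected to "Kubernetes".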
Expand Down Expand Up @@ -378,7 +385,7 @@ For each command, there are a series of actions performed...
### For the `init` command
* Creates CA certificate and key for KubeAdm.
* Creates token and CA certificate hash.
* Updates the configuration YAML file (needed for `up` command on minions).
* Updates the configuration YAML file (needed for `up` command on minions, unless running in insecure mode).

### For the `prepare` command
* (IPv6) Creates support network with IPv6 and IPv4.
Expand Down Expand Up @@ -461,8 +468,8 @@ I also installed `ipset` and `ipvsadm`.
* Some newer versions of docker break the enabling of IPv6 in the containers used for DNS64 and NAT64.
* CNI v0.7.1+ is needed for full IPv6 support by plugins.
* Relies on the tayga and bind6 containers (as provided by other developers), for IPv6 only mode.
* The `init` command modifies the specified configuration YAML file. As a result, `init` must be done before copying the config YAML to other nodes.
* Because the config YAML file is modified by the root user, permissions is set to 777, so that the non-root user can still modify the file.
* The `init` command modifies the specified configuration YAML file. As a result, `init` must be done before copying the config YAML to other nodes, unless you are running in insecure mode where the `init` step is not needed and the config YAML is not updated.
* In normal mode, because the config YAML file is modified by the root user, permissions is set to 777, so that the non-root user can still modify the file.


## Troubleshooting
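Review bot: The reworded limitation still documents the config YAML being set to 777 in normal mode, and per the `init` section of this README that is the file `init` updates after creating the token, so the file holding the token is readable and writable by every local user. If the goal is only that the non-root user can keep editing the file, giving ownership back to that user with mode 0600 would cover it. Also, "permissions is set" should read "permissions are set".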
2 changes: 1 addition & 1 deletion cmd/lazyjack.go
Expand Up @@ -13,7 +13,7 @@ import (
)

const (
Version = "1.3.1"
Version = "1.3.2"
)

func init() {
4 changes: 4 additions & 0 deletions config.go
Expand Up @@ -86,6 +86,7 @@ type GeneralSettings struct {
KubeAdmVersion string // Internal
FullKubeAdmVersion string // Internal
K8sVersion string `yaml:"kubernetes-version"`
Insecure bool `yaml:"insecure"`
}

// Config defines the top level configuration read from YAML file.
Expand Down Expand Up @@ -155,6 +156,9 @@ const (
// KubeAdmConfFile name of the configuration file used by KubeAdm
KubeAdmConfFile = "kubeadm.conf"

// DefaultToken used when in insecure mode
DefaultToken = "abcdef.abcdefghijklmnop"

// MinimumPodMTU is the smallest MTU for IPv6
MinimumPodMTU = 1280
// DefaultPodMTU is the default MTU to use, when not specified
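Review bot: `DefaultToken` is a fixed credential committed to the source, and neither its name nor its comment ("used when in insecure mode") makes that obvious where the constant is used. Rename it to something like `InsecureToken` and extend the comment to say the value is public and is only suitable for non-production clusters.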
6 changes: 5 additions & 1 deletion prepare.go
Expand Up @@ -48,7 +48,11 @@ func CollectKubeAdmConfigInfo(n *Node, c *Config) KubeAdmConfigInfo {

info.AdvertiseAddress = fmt.Sprintf("%s%d", c.Mgmt.Prefix, n.ID)

info.AuthToken = c.General.Token
if c.General.Insecure {
info.AuthToken = DefaultToken
} else {
info.AuthToken = c.General.Token
}

serviceNetMode := "::"
devicePart := "a"
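Review bot: In the new `if c.General.Insecure` branch, a token already present in `c.General.Token` is silently replaced by `DefaultToken`, and nothing tells the operator that the node is being prepared with the shared token. Log a warning when `Insecure` is true, and consider rejecting (or at least flagging) a config that sets both `insecure: true` and a token, so a flag left behind in a production YAML does not go unnoticed.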