Stop using insecure serving.
dlorenc committed Jul 25, 2017
1 parent 45b090c commit 5016ce2
Showing 18 changed files with 210 additions and 76 deletions.
9 changes: 9 additions & 0 deletions deploy/addons/addon-manager.yaml
Expand Up @@ -26,6 +26,9 @@ spec:
containers:
- name: kube-addon-manager
image: gcr.io/google-containers/kube-addon-manager:v6.4-beta.2
env:
- name: KUBECONFIG
value: /var/lib/localkube/kubeconfig
imagePullPolicy: IfNotPresent
resources:
requests:
Expand All @@ -35,7 +38,13 @@ spec:
- mountPath: /etc/kubernetes/
name: addons
readOnly: true
- mountPath: /var/lib/localkube
name: kubeconfig
readOnly: true
volumes:
- hostPath:
path: /etc/kubernetes/
name: addons
- hostPath:
path: /var/lib/localkube
name: kubeconfig
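Review bot: The new hostPath volume exposes the whole /var/lib/localkube directory to the addon manager rather than the one kubeconfig file it needs; the ready.go hunk in this commit loads the serving certificate and private key through LocalkubeServer paths, so if those live under the same directory they become readable from the pod as well (readOnly: true prevents writes, not reads). Pointing the hostPath at the file itself, /var/lib/localkube/kubeconfig (the value the KUBECONFIG env var already names), would narrow what the container can see. A comment on the volume would also help: `# kubeconfig for the addon manager; keep this scoped to the file, not the whole localkube directory`.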
3 changes: 3 additions & 0 deletions hack/jenkins/common.sh
Expand Up @@ -75,6 +75,9 @@ ${SUDO_PREFIX}out/e2e-${OS_ARCH} -minikube-args="--vm-driver=${VM_DRIVER} --v=10
result=$?
set -e

# See the KUBECONFIG file for debugging
sudo cat $KUBECONFIG

MINIKUBE_WANTREPORTERRORPROMPT=False sudo ./out/minikube-${OS_ARCH} delete \
|| MINIKUBE_WANTREPORTERRORPROMPT=False ./out/minikube-${OS_ARCH} delete \
|| true
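Review bot: `sudo cat $KUBECONFIG` writes the kubeconfig into the Jenkins console log; if the file embeds client-certificate-data/client-key-data, the cluster's admin credential ends up in build output that outlives the VM, and the same dump is added in print-debug-info.sh. Printing only the non-secret parts keeps the debugging value, e.g. `sudo grep -v -e client-key-data -e client-certificate-data "$KUBECONFIG"`, or just the path and permissions via `ls -l "$KUBECONFIG"`. `$KUBECONFIG` is also unquoted; `"$KUBECONFIG"` avoids word splitting if the path ever contains spaces.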
3 changes: 2 additions & 1 deletion hack/jenkins/linux_integration_tests_none.sh
Expand Up @@ -30,7 +30,8 @@ OS_ARCH="linux-amd64"
VM_DRIVER="none"
JOB_NAME="Linux-None"
EXTRA_BUILD_ARGS="$EXTRA_BUILD_ARGS --use-vendored-driver"
SUDO_PREFIX="sudo "
SUDO_PREFIX="sudo -E "
export KUBECONFIG="/root/.kube/config"

# Download files and set permissions
source common.sh
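Review bot: `sudo -E` preserves the caller's entire environment, not just KUBECONFIG, so whatever else Jenkins exports now crosses into the root-run binaries, and whether it is honoured at all depends on the host's sudoers setenv policy. Passing only the variable that is needed, `SUDO_PREFIX="sudo KUBECONFIG=$KUBECONFIG "`, keeps the root environment minimal. Either way a comment on the line would make the intent visible: `# pass KUBECONFIG through to the root-run minikube/e2e binaries`.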
3 changes: 3 additions & 0 deletions hack/jenkins/print-debug-info.sh
Expand Up @@ -20,6 +20,9 @@
# the cluster state.
set +e

env
${SUDO_PREFIX} cat $KUBECONFIG

kubectl get pods --all-namespaces
kubectl cluster-info dump

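Review bot: `env` prints every variable of the CI shell, so any credential Jenkins injects through the environment is written to the log next to the cluster state. Restricting the dump to what the debugging needs, e.g. `env | grep -E '^(KUBECONFIG|MINIKUBE_|VM_DRIVER|OS_ARCH)'`, gives the same value without the exposure. A one-line comment above it, `# only print the variables that affect the test run`, documents the choice.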
10 changes: 5 additions & 5 deletions pkg/localkube/apiserver.go
Expand Up @@ -39,8 +39,8 @@ func StartAPIServer(lk LocalkubeServer) func() error {
config.SecureServing.BindAddress = lk.APIServerAddress
config.SecureServing.BindPort = lk.APIServerPort

config.InsecureServing.BindAddress = lk.APIServerInsecureAddress
config.InsecureServing.BindPort = lk.APIServerInsecurePort
// 0 turns off insecure serving.
config.InsecureServing.BindPort = 0

config.Authentication.ClientCert.ClientCA = lk.GetCAPublicKeyCertPath()

Expand Down Expand Up @@ -84,7 +84,7 @@ func StartAPIServer(lk LocalkubeServer) func() error {
}

func readyFunc(lk LocalkubeServer) HealthCheck {
hostport := net.JoinHostPort(lk.APIServerInsecureAddress.String(), strconv.Itoa(lk.APIServerInsecurePort))
addr := "http://" + path.Join(hostport, "healthz")
return healthCheck(addr)
hostport := net.JoinHostPort("localhost", strconv.Itoa(lk.APIServerPort))
addr := "https://" + path.Join(hostport, "healthz")
return healthCheck(addr, lk)
}
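Review bot: readyFunc now verifies TLS against the cluster CA while dialing `localhost`, so the probe succeeds only if the generated API server certificate carries localhost (or 127.0.0.1, whichever the resolver returns) as a SAN, and only if lk.APIServerAddress actually covers the loopback interface; neither is stated in this diff. A comment above the JoinHostPort line would pin both assumptions: `// Probe the secure port over loopback: the serving cert must include localhost/127.0.0.1 and APIServerAddress must listen there.` The first hunk leaves config.InsecureServing.BindAddress unassigned and the APIServerInsecureAddress/APIServerInsecurePort fields on LocalkubeServer appear unused after this change; if nothing else reads them, removing them avoids suggesting an insecure listener still exists. StartAPIServer's body continues outside the hunk.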
3 changes: 2 additions & 1 deletion pkg/localkube/controller-manager.go
Expand Up @@ -19,6 +19,7 @@ package localkube
import (
controllerManager "k8s.io/kubernetes/cmd/kube-controller-manager/app"
"k8s.io/kubernetes/cmd/kube-controller-manager/app/options"
"k8s.io/minikube/pkg/util"
)

func (lk LocalkubeServer) NewControllerManagerServer() Server {
Expand All @@ -28,7 +29,7 @@ func (lk LocalkubeServer) NewControllerManagerServer() Server {
func StartControllerManagerServer(lk LocalkubeServer) func() error {
config := options.NewCMServer()

config.Master = lk.GetAPIServerInsecureURL()
config.Kubeconfig = util.DefaultKubeConfigPath

// defaults from command
config.DeletingPodsQps = 0.1
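Review bot: The controller manager, and likewise the kubelet, proxy, scheduler and storage provisioner hunks in this commit, all authenticate with the single kubeconfig at util.DefaultKubeConfigPath, so every control-plane component presents the same identity to the API server. That is an improvement over the unauthenticated port, but RBAC or the Node authorizer cannot then distinguish a kubelet from the controller manager, and the kubeconfig file on the host is effectively the cluster-admin credential. A comment on the assignment keeps that visible: `// All localkube components share this kubeconfig (one identity); per-component credentials would be needed for RBAC to separate them.` Whether RBAC is enabled in localkube is not visible here; StartControllerManagerServer continues past the hunk.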
5 changes: 4 additions & 1 deletion pkg/localkube/kubelet.go
Expand Up @@ -17,8 +17,10 @@ limitations under the License.
package localkube

import (
"k8s.io/apiserver/pkg/util/flag"
kubelet "k8s.io/kubernetes/cmd/kubelet/app"
"k8s.io/kubernetes/cmd/kubelet/app/options"
"k8s.io/minikube/pkg/util"
)

func (lk LocalkubeServer) NewKubeletServer() Server {
Expand All @@ -29,7 +31,8 @@ func StartKubeletServer(lk LocalkubeServer) func() error {
config := options.NewKubeletServer()

// Master details
config.APIServerList = []string{lk.GetAPIServerInsecureURL()}
config.KubeConfig = flag.NewStringFlag(util.DefaultKubeConfigPath)
config.RequireKubeConfig = true

// Set containerized based on the flag
config.Containerized = lk.Containerized
10 changes: 6 additions & 4 deletions pkg/localkube/proxy.go
Expand Up @@ -18,6 +18,7 @@ package localkube

import (
kubeproxy "k8s.io/kubernetes/cmd/kube-proxy/app"
"k8s.io/minikube/pkg/util"

"time"

Expand All @@ -40,16 +41,17 @@ func StartProxyServer(lk LocalkubeServer) func() error {
config := &componentconfig.KubeProxyConfiguration{
OOMScoreAdj: &OOMScoreAdj,
ClientConnection: componentconfig.ClientConnectionConfiguration{
Burst: 10,
QPS: 5,
Burst: 10,
QPS: 5,
KubeConfigFile: util.DefaultKubeConfigPath,
},
ConfigSyncPeriod: v1.Duration{Duration: 15 * time.Minute},
IPTables: componentconfig.KubeProxyIPTablesConfiguration{
MasqueradeBit: &MasqueradeBit,
SyncPeriod: v1.Duration{Duration: 30 * time.Second},
MinSyncPeriod: v1.Duration{Duration: 5 * time.Second},
},
BindAddress: lk.APIServerInsecureAddress.String(),
BindAddress: lk.APIServerAddress.String(),
Mode: componentconfig.ProxyModeIPTables,
FeatureGates: lk.FeatureGates,
// Disable the healthz check
Expand All @@ -60,7 +62,7 @@ func StartProxyServer(lk LocalkubeServer) func() error {

return func() error {
// Creating this config requires the API Server to be up, so do it in the start function itself.
server, err := kubeproxy.NewProxyServer(config, false, runtime.NewScheme(), lk.GetAPIServerInsecureURL())
server, err := kubeproxy.NewProxyServer(config, false, runtime.NewScheme(), "")
if err != nil {
panic(err)
}
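Review bot: BindAddress in KubeProxyConfiguration is the address the proxy itself listens on, not where it reaches the API server, so switching it to lk.APIServerAddress.String() ties the proxy's listen interface to the API server's secure bind address; if that is a specific host IP rather than 0.0.0.0 or loopback, the proxy now binds there too. If that coupling is intended, say so: `// Bind the proxy where the API server binds so both follow the same interface.`; otherwise a dedicated proxy bind address is cleaner. The empty master URL passed to NewProxyServer relies on KubeConfigFile being set in ClientConnection above, which the same hunk does. StartProxyServer continues outside the hunk.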
29 changes: 27 additions & 2 deletions pkg/localkube/ready.go
Expand Up @@ -17,6 +17,8 @@ limitations under the License.
package localkube

import (
"crypto/tls"
"crypto/x509"
"io/ioutil"
"net/http"

Expand All @@ -25,10 +27,33 @@ import (

type HealthCheck func() bool

func healthCheck(addr string) HealthCheck {
func healthCheck(addr string, lk LocalkubeServer) HealthCheck {
return func() bool {
glog.Infof("Performing healthcheck on %s\n", addr)
resp, err := http.Get(addr)

cert, err := tls.LoadX509KeyPair(lk.GetPublicKeyCertPath(), lk.GetPrivateKeyCertPath())
if err != nil {
glog.Error(err)
return false
}

// Load CA cert
caCert, err := ioutil.ReadFile(lk.GetCAPublicKeyCertPath())
if err != nil {
glog.Warning(err)
return false
}
caCertPool := x509.NewCertPool()
caCertPool.AppendCertsFromPEM(caCert)
tlsConfig := &tls.Config{
Certificates: []tls.Certificate{cert},
RootCAs: caCertPool,
}
tlsConfig.BuildNameToCertificate()
transport := &http.Transport{TLSClientConfig: tlsConfig}
client := &http.Client{Transport: transport}

resp, err := client.Get(addr)
if err != nil {
glog.Errorf("Error performing healthcheck: %s", err)
return false
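Review bot: The return value of caCertPool.AppendCertsFromPEM is dropped, so an empty or malformed CA file leaves the pool empty and the probe later fails with an opaque x509 verification error instead of naming the file; and the http.Client has no Timeout, so a wedged /healthz connection blocks the readiness loop indefinitely. The two load failures also log at different levels (glog.Error vs glog.Warning) for the same outcome. The key pair and CA are re-read from disk on every invocation of the returned closure; loading them once outside it would be cheaper, but that is only safe if the certs exist when healthCheck is called, and this diff does not show when GenerateCerts runs relative to readyFunc. The closure's tail lies outside the hunk.
```go
// … unchanged: client certificate load …
caCertPool := x509.NewCertPool()
if !caCertPool.AppendCertsFromPEM(caCert) {
	glog.Errorf("no CA certificates found in %s", lk.GetCAPublicKeyCertPath())
	return false
}
// … unchanged: tlsConfig / transport …
// Bound the probe so a hung apiserver cannot stall readiness; needs "time" in the import block.
client := &http.Client{Transport: transport, Timeout: 10 * time.Second}
```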
40 changes: 36 additions & 4 deletions pkg/localkube/ready_test.go
Expand Up @@ -17,15 +17,21 @@ limitations under the License.
package localkube

import (
"crypto/tls"
"crypto/x509"
"io"
"io/ioutil"
"net/http"
"net/http/httptest"
"os"
"testing"

"k8s.io/minikube/pkg/minikube/tests"
)

func TestBasicHealthCheck(t *testing.T) {

tests := []struct {
tcs := []struct {
body string
statusCode int
shouldSucceed bool
Expand All @@ -34,17 +40,43 @@ func TestBasicHealthCheck(t *testing.T) {
{"notok", 200, false},
}

for _, tc := range tests {
tempDir := tests.MakeTempDir()
defer os.RemoveAll(tempDir)
lk := LocalkubeServer{LocalkubeDirectory: tempDir}
lk.GenerateCerts()

cert, err := tls.LoadX509KeyPair(lk.GetPublicKeyCertPath(), lk.GetPrivateKeyCertPath())
if err != nil {
t.Fatalf("Unable to load server certs.")
}

caCert, err := ioutil.ReadFile(lk.GetCAPublicKeyCertPath())
if err != nil {
t.Fatalf("Unable to load CA certs.")
}
caCertPool := x509.NewCertPool()
caCertPool.AppendCertsFromPEM(caCert)

tls := tls.Config{
Certificates: []tls.Certificate{cert},
ClientCAs: caCertPool,
}

tls.BuildNameToCertificate()

for _, tc := range tcs {
// Do this in a func so we can use defer.
doTest := func() {
handler := func(w http.ResponseWriter, r *http.Request) {
w.WriteHeader(tc.statusCode)
io.WriteString(w, tc.body)
}
server := httptest.NewServer(http.HandlerFunc(handler))
server := httptest.NewUnstartedServer(http.HandlerFunc(handler))
defer server.Close()
server.TLS = &tls
server.StartTLS()

hcFunc := healthCheck(server.URL)
hcFunc := healthCheck(server.URL, lk)
result := hcFunc()
if result != tc.shouldSucceed {
t.Errorf("Expected healthcheck to return %v. Got %v", result, tc.shouldSucceed)
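Review bot: The httptest server's config sets ClientCAs but not ClientAuth, so it never demands a client certificate and the test cannot tell whether healthCheck actually presented one; adding `ClientAuth: tls.RequireAndVerifyClientCert,` to the server config makes the mTLS path load-bearing. The local `tls := tls.Config{...}` shadows the crypto/tls package from that statement on (the composite literal still resolves the package because the new name is not in scope until the declaration ends), which is easy to misread — `tlsCfg` avoids it. The result of lk.GenerateCerts() is ignored; if it returns an error, a t.Fatalf there would report a cert-generation failure directly rather than as the LoadX509KeyPair failure below. TestBasicHealthCheck continues past the hunk.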
3 changes: 2 additions & 1 deletion pkg/localkube/scheduler.go
Expand Up @@ -19,6 +19,7 @@ package localkube
import (
scheduler "k8s.io/kubernetes/plugin/cmd/kube-scheduler/app"
"k8s.io/kubernetes/plugin/cmd/kube-scheduler/app/options"
"k8s.io/minikube/pkg/util"
)

func (lk LocalkubeServer) NewSchedulerServer() Server {
Expand All @@ -29,7 +30,7 @@ func StartSchedulerServer(lk LocalkubeServer) func() error {
config := options.NewSchedulerServer()

// master details
config.Master = lk.GetAPIServerInsecureURL()
config.Kubeconfig = util.DefaultKubeConfigPath

// defaults from command
config.EnableProfiling = true
13 changes: 7 additions & 6 deletions pkg/localkube/storage_provisioner.go
Expand Up @@ -32,7 +32,8 @@ import (
"k8s.io/apimachinery/pkg/util/wait"
"k8s.io/client-go/kubernetes"
"k8s.io/client-go/pkg/api/v1"
"k8s.io/client-go/rest"
"k8s.io/client-go/tools/clientcmd"
"k8s.io/minikube/pkg/util"
)

const (
Expand Down Expand Up @@ -121,12 +122,12 @@ func (lk LocalkubeServer) NewStorageProvisionerServer() Server {

func StartStorageProvisioner(lk LocalkubeServer) func() error {

// Create an InClusterConfig and use it to create a client for the controller
// to use to communicate with Kubernetes
config := rest.Config{Host: "http://localhost:8080"}
return func() error {

clientset, err := kubernetes.NewForConfig(&config)
config, err := clientcmd.BuildConfigFromFlags("", util.DefaultKubeConfigPath)
if err != nil {
return err
}
clientset, err := kubernetes.NewForConfig(config)
if err != nil {
glog.Fatalf("Failed to create client: %v", err)
}
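Review bot: The new kubeconfig load returns its error to the caller while the clientset creation immediately below still calls glog.Fatalf, so the same kind of startup failure either propagates or kills the process depending on which step hits it; returning the error in both places, `return err`, keeps the start function's contract consistent. The removed "Create an InClusterConfig" comment was not replaced; a line such as `// Build the client from the shared localkube kubeconfig; done at start time so the file exists by then.` would record why the load moved inside the closure, assuming that ordering is the reason. StartStorageProvisioner continues outside the hunk.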