From 432f8e98417cc4bd2a87c5bc25b6d85865e38686 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Andreas=20Kr=C3=BCger?= Date: Mon, 3 Dec 2018 19:44:29 +0100 Subject: [PATCH] Fix basic auth tokens for kubeadm deployment. (#3801) * Fix basic auth tokens for kubeadm deployment. * Tokens should be a dependancy on master, not nodes --- roles/kubernetes/master/meta/main.yml | 6 ++++ roles/kubernetes/secrets/tasks/main.yml | 32 ++----------------- .../files/kube-gen-token.sh | 0 .../tasks/check-tokens.yml | 0 .../{secrets => tokens}/tasks/gen_tokens.yml | 2 -- roles/kubernetes/tokens/tasks/main.yml | 19 +++++++++++ tests/files/gce_centos7-flannel-addons.yml | 2 ++ 7 files changed, 29 insertions(+), 32 deletions(-) create mode 100644 roles/kubernetes/master/meta/main.yml rename roles/kubernetes/{secrets => tokens}/files/kube-gen-token.sh (100%) mode change 100755 => 100644 rename roles/kubernetes/{secrets => tokens}/tasks/check-tokens.yml (100%) rename roles/kubernetes/{secrets => tokens}/tasks/gen_tokens.yml (97%) create mode 100644 roles/kubernetes/tokens/tasks/main.yml diff --git a/roles/kubernetes/master/meta/main.yml b/roles/kubernetes/master/meta/main.yml new file mode 100644 index 000000000..f3cd01a64 --- /dev/null +++ b/roles/kubernetes/master/meta/main.yml @@ -0,0 +1,6 @@ +--- +dependencies: + - role: kubernetes/tokens + when: kube_token_auth + tags: + - k8s-secrets diff --git a/roles/kubernetes/secrets/tasks/main.yml b/roles/kubernetes/secrets/tasks/main.yml index abc850cbb..ea5f604c5 100644 --- a/roles/kubernetes/secrets/tasks/main.yml +++ b/roles/kubernetes/secrets/tasks/main.yml @@ -5,12 +5,6 @@ - k8s-gen-certs - facts -- import_tasks: check-tokens.yml - tags: - - k8s-secrets - - k8s-gen-tokens - - facts - - name: Make sure the certificate directory exits file: path: "{{ kube_cert_dir }}" 
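Review bot: `when: kube_token_auth` on the new dependency is a bare variable reference, and a meta `when:` is attached to every task of the dependent role, so an inventory that leaves `kube_token_auth` undefined aborts the play with an undefined-variable error rather than skipping the role; `when: kube_token_auth | default(false)` is the safer form and matches the `|default(false)` style used in gen_tokens.yml and secrets/tasks/main.yml. The commit title is about basic auth, yet only `kube_token_auth` pulls the tokens role in; if the basic-auth setup also consumes what gen_tokens.yml produces, the condition should cover `kube_basic_auth` as well — that cannot be confirmed from this diff. Because this is a meta dependency, the tokens role now runs on every host the master role runs on, and each of them creates `kube_token_dir` locally.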
@@ -18,13 +12,6 @@ mode: o-rwx group: "{{ kube_cert_group }}" -- name: Make sure the tokens directory exits - file: - path: "{{ kube_token_dir }}" - state: directory - mode: o-rwx - group: "{{ kube_cert_group }}" - # # The following directory creates make sure that the directories # exist on the first master for cases where the first master isn't @@ -37,7 +24,7 @@ owner: kube run_once: yes delegate_to: "{{groups['kube-master'][0]}}" - when: gen_certs|default(false) or gen_tokens|default(false) + when: gen_certs|default(false) tags: - kubelet - k8s-secrets @@ -55,20 +42,10 @@ owner: kube run_once: yes delegate_to: "{{groups['kube-master'][0]}}" - when: gen_certs|default(false) or gen_tokens|default(false) + when: gen_certs|default(false) tags: - k8s-secrets -- name: "Get_tokens | Make sure the tokens directory exits (on {{groups['kube-master'][0]}})" - file: - path: "{{ kube_token_dir }}" - state: directory - mode: o-rwx - group: "{{ kube_cert_group }}" - run_once: yes - delegate_to: "{{groups['kube-master'][0]}}" - when: gen_tokens|default(false) - - include_tasks: "gen_certs_script.yml" when: - cert_management |d('script') == 'script' @@ -130,8 +107,3 @@ - kubelet - node - kube-proxy - -- import_tasks: gen_tokens.yml - tags: - - k8s-secrets - - k8s-gen-tokens diff --git a/roles/kubernetes/secrets/files/kube-gen-token.sh b/roles/kubernetes/tokens/files/kube-gen-token.sh old mode 100755 new mode 100644 similarity index 100% rename from roles/kubernetes/secrets/files/kube-gen-token.sh rename to roles/kubernetes/tokens/files/kube-gen-token.sh diff --git a/roles/kubernetes/secrets/tasks/check-tokens.yml b/roles/kubernetes/tokens/tasks/check-tokens.yml similarity index 100% rename from roles/kubernetes/secrets/tasks/check-tokens.yml rename to roles/kubernetes/tokens/tasks/check-tokens.yml 
diff --git a/roles/kubernetes/secrets/tasks/gen_tokens.yml b/roles/kubernetes/tokens/tasks/gen_tokens.yml
similarity index 97%
rename from roles/kubernetes/secrets/tasks/gen_tokens.yml
rename to roles/kubernetes/tokens/tasks/gen_tokens.yml
index c24ba50fd..47370c205 100644
--- a/roles/kubernetes/secrets/tasks/gen_tokens.yml
+++ b/roles/kubernetes/tokens/tasks/gen_tokens.yml
@@ -17,7 +17,6 @@
 - "{{ groups['kube-master'] }}"
 register: gentoken_master
 changed_when: "'Added' in gentoken_master.stdout"
- notify: set secret_changed
 run_once: yes
 delegate_to: "{{groups['kube-master'][0]}}"
 when: gen_tokens|default(false)
@@ -31,7 +30,6 @@
 - "{{ groups['kube-node'] }}"
 register: gentoken_node
 changed_when: "'Added' in gentoken_node.stdout"
- notify: set secret_changed
 run_once: yes
 delegate_to: "{{groups['kube-master'][0]}}"
 when: gen_tokens|default(false)
diff --git a/roles/kubernetes/tokens/tasks/main.yml b/roles/kubernetes/tokens/tasks/main.yml
new file mode 100644
index 000000000..49b8c13fa
--- /dev/null
+++ b/roles/kubernetes/tokens/tasks/main.yml
@@ -0,0 +1,19 @@
+---
+
+- import_tasks: check-tokens.yml
+ tags:
+ - k8s-secrets
+ - k8s-gen-tokens
+ - facts
+
+- name: Make sure the tokens directory exits
+ file:
+ path: "{{ kube_token_dir }}"
+ state: directory
+ mode: o-rwx
+ group: "{{ kube_cert_group }}"
+
+- import_tasks: gen_tokens.yml
+ tags:
+ - k8s-secrets
+ - k8s-gen-tokens
diff --git a/tests/files/gce_centos7-flannel-addons.yml b/tests/files/gce_centos7-flannel-addons.yml
index 3847fbc91..05a9a837f 100644
--- a/tests/files/gce_centos7-flannel-addons.yml
+++ b/tests/files/gce_centos7-flannel-addons.yml
@@ -18,3 +18,5 @@ kube_encrypt_secret_data: true
 ingress_nginx_enabled: true
 cert_manager_enabled: true
 metrics_server_enabled: true
+kube_token_auth: true
+kube_basic_auth: true
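Review bot: Dropping `notify: set secret_changed` here, and again in the second hunk under `register: gentoken_node`, means a newly added token no longer reaches whatever handler `set secret_changed` drove in the secrets role, while `changed_when` still reports the change; the commit adds no handlers/main.yml to the new tokens role, so anything that was keyed on that fact (a restart or resync of the component reading the token file) is now silent. If the handler is still needed, keep the notify and give `roles/kubernetes/tokens` its own handler; if it is not needed on kubeadm deployments, a one-line comment saying so at the task would save the next reader the same question. Separately, the diffstat shows kube-gen-token.sh losing its executable bit in the rename (100755 → 100644): harmless if the task invokes it through the `script` module, which sets the mode on copy, but a direct `command:` invocation would fail — the invocation lines sit above this hunk. Both task headers start outside the hunk.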
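Review bot: The `Make sure the tokens directory exits` task in the new tokens/tasks/main.yml carries no tags, unlike the two imports around it, so a run limited with `--tags k8s-gen-tokens` executes gen_tokens.yml but skips creating `kube_token_dir` (the dependency in master/meta/main.yml only contributes `k8s-secrets`), and the generation script then writes into a directory that may not exist. Give that task the same tags as the imports: `tags:` / `- k8s-secrets` / `- k8s-gen-tokens`. The task sets `group` but no `owner`, so the directory ends up owned by whatever account Ansible connects as; the removed first-master task in secrets/tasks/main.yml had the same gap, but this is the moment to pin it if the reader of the token file runs as a dedicated user. The task name's typo (`exits`) is inherited from the old role and could be fixed to `exists` while here.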