Add support for 'admin' user bearer token that can also be used for authentication.

jlamillan · jlamillan · commit f152708dcc05 · 2017-09-27T16:55:48.000-07:00
diff --git a/README.md b/README.md
@@ -214,6 +214,7 @@ ca_cert                             | (generated)             | String value of
 ca_key                              | (generated)             | String value of PEM encoded CA private key
 api_server_private_key              | (generated)             | String value of PEM private key of API server
 api_server_cert                     | (generated)             | String value of PEM encoded certificate for API server
+api_server_admin_token              | (generated)             | String value of the admin user's bearer token for API server
 ssh_private_key                     | (generated)             | String value of PEM encoded SSH key pair for instances
 ssh_public_key_openssh              | (generated)             | String value of OpenSSH encoded SSH key pair key for instances
 
diff --git a/instances/k8smaster/cloud_init/bootstrap.template.yaml b/instances/k8smaster/cloud_init/bootstrap.template.yaml
@@ -75,7 +75,7 @@ write_files:
     content: |
       ${kubelet_service_content}
 
-# Kube certs
+# Kube certs, tokens
   - path: "/etc/kubernetes/ssl/ca.pem"
     permissions: "0600"
     encoding: b64
@@ -91,6 +91,11 @@ write_files:
     encoding: b64
     content: |
       ${api-server-key-content}
+  - path: "/etc/kubernetes/ssl/token_auth.csv"
+    permissions: "0600"
+    encoding: b64
+    content: |
+      ${api-token_auth_template_content}
 
 runcmd:
  - echo "Running k8s init..."
diff --git a/instances/k8smaster/datasources.tf b/instances/k8smaster/datasources.tf
@@ -112,6 +112,14 @@ data "template_file" "cnibridge-sh" {
   template = "${file("${path.module}/scripts/cni-bridge.sh")}"
 }
 
+data "template_file" "token_auth_file" {
+  template = "${file("${path.module}/scripts/token_auth.csv")}"
+
+  vars {
+    token_admin = "${var.k8s_apiserver_token_admin}"
+  }
+}
+
 data "template_file" "kube_master_cloud_init_file" {
   template = "${file("${path.module}/cloud_init/bootstrap.template.yaml")}"
 
@@ -130,6 +138,7 @@ data "template_file" "kube_master_cloud_init_file" {
     ca-pem-content                           = "${base64encode(var.root_ca_pem)}"
     api-server-key-content                   = "${base64encode(var.api_server_private_key_pem)}"
     api-server-cert-content                  = "${base64encode(var.api_server_cert_pem)}"
+    api-token_auth_template_content          = "${base64encode(data.template_file.token_auth_file.rendered)}"
     docker_service_content                   = "${base64encode(data.template_file.docker-service.rendered)}"
     flannel_service_content                  = "${base64encode(data.template_file.flannel-service.rendered)}"
     cnibridge_service_content                = "${base64encode(data.template_file.cnibridge-service.rendered)}"
diff --git a/instances/k8smaster/manifests/kube-apiserver.yaml b/instances/k8smaster/manifests/kube-apiserver.yaml
@@ -32,7 +32,7 @@ spec:
     - --etcd-quorum-read=true
     - --kubelet-client-certificate=/etc/kubernetes/ssl/apiserver.pem
     - --kubelet-client-key=/etc/kubernetes/ssl/apiserver-key.pem
-    #- --token-auth-file=/etc/kubernetes/tokens.csv
+    - --token-auth-file=/etc/kubernetes/ssl/token_auth.csv
     ports:
     - containerPort: 443
       hostPort: 443
diff --git a/instances/k8smaster/scripts/token_auth.csv b/instances/k8smaster/scripts/token_auth.csv
@@ -0,0 +1 @@
+${token_admin},admin,admin,"system:masters"
diff --git a/instances/k8smaster/variables.tf b/instances/k8smaster/variables.tf
@@ -55,6 +55,7 @@ variable "etcd_lb" {}
 variable "root_ca_pem" {}
 variable "api_server_private_key_pem" {}
 variable "api_server_cert_pem" {}
+variable "k8s_apiserver_token_admin" {}
 
 # etcd
 variable "etcd_discovery_url" {}
diff --git a/k8s-baremetal.tf b/k8s-baremetal.tf
@@ -6,6 +6,7 @@ module "k8s-tls" {
   api_server_cert        = "${var.api_server_cert}"
   ca_cert                = "${var.ca_cert}"
   ca_key                 = "${var.ca_key}"
+  api_server_admin_token = "${var.api_server_admin_token}"
   master_lb_public_ip    = "${module.k8smaster-public-lb.ip_addresses[0]}"
   ssh_private_key        = "${var.ssh_private_key}"
   ssh_public_key_openssh = "${var.ssh_public_key_openssh}"
@@ -254,6 +255,7 @@ module "instances-k8smaster-ad1" {
   api_server_cert_pem        = "${module.k8s-tls.api_server_cert_pem}"
   api_server_count           = "${var.k8sMasterAd1Count + var.k8sMasterAd2Count + var.k8sMasterAd3Count}"
   api_server_private_key_pem = "${module.k8s-tls.api_server_private_key_pem}"
+  k8s_apiserver_token_admin  = "${module.k8s-tls.api_server_admin_token}"
   availability_domain        = "${lookup(data.baremetal_identity_availability_domains.ADs.availability_domains[0],"name")}"
   compartment_ocid           = "${var.compartment_ocid}"
   display_name_prefix        = "k8s-master-ad1"
@@ -282,6 +284,7 @@ module "instances-k8smaster-ad2" {
   api_server_cert_pem        = "${module.k8s-tls.api_server_cert_pem}"
   api_server_count           = "${var.k8sMasterAd1Count + var.k8sMasterAd2Count + var.k8sMasterAd3Count}"
   api_server_private_key_pem = "${module.k8s-tls.api_server_private_key_pem}"
+  k8s_apiserver_token_admin  = "${module.k8s-tls.api_server_admin_token}"
   availability_domain        = "${lookup(data.baremetal_identity_availability_domains.ADs.availability_domains[1],"name")}"
   compartment_ocid           = "${var.compartment_ocid}"
   display_name_prefix        = "k8s-master-ad2"
@@ -310,6 +313,7 @@ module "instances-k8smaster-ad3" {
   api_server_cert_pem        = "${module.k8s-tls.api_server_cert_pem}"
   api_server_count           = "${var.k8sMasterAd1Count + var.k8sMasterAd2Count + var.k8sMasterAd3Count}"
   api_server_private_key_pem = "${module.k8s-tls.api_server_private_key_pem}"
+  k8s_apiserver_token_admin  = "${module.k8s-tls.api_server_admin_token}"
   availability_domain        = "${lookup(data.baremetal_identity_availability_domains.ADs.availability_domains[2],"name")}"
   compartment_ocid           = "${var.compartment_ocid}"
   display_name_prefix        = "k8s-master-ad3"
diff --git a/outputs.tf b/outputs.tf
@@ -102,6 +102,10 @@ output "api_server_cert_pem" {
   value = "${module.k8s-tls.api_server_cert_pem}"
 }
 
+output "api_server_admin_token" {
+  value = "${module.k8s-tls.api_server_admin_token}"
+}
+
 output "ssh_private_key" {
   value = "${module.k8s-tls.ssh_private_key}"
 }
diff --git a/tls/main.tf b/tls/main.tf
@@ -88,3 +88,9 @@ resource "tls_private_key" "ssh" {
   count     = "${var.ssh_private_key == "" ? 1 : 0}"
   rsa_bits  = 2048
 }
+
+
+resource "random_id" "token-auth" {
+  count       = "${var.api_server_admin_token == "" ? 1 : 0}"
+  byte_length = 16
+}
diff --git a/tls/outputs.tf b/tls/outputs.tf
@@ -14,6 +14,10 @@ output "api_server_cert_pem" {
   value = "${var.api_server_cert == "" ? join(" ", tls_locally_signed_cert.api-server.*.cert_pem) : var.api_server_cert}"
 }
 
+output "api_server_admin_token" {
+  value = "${var.api_server_admin_token == "" ? join(" ", random_id.token-auth.*.hex) : var.api_server_admin_token}"
+}
+
 output "ssh_private_key" {
   value = "${var.ssh_private_key == "" ? join(" ", tls_private_key.ssh.*.private_key_pem) : var.ssh_private_key}"
 }
diff --git a/tls/variables.tf b/tls/variables.tf
@@ -23,6 +23,12 @@ variable "api_server_cert" {
   default     = ""
 }
 
+variable "api_server_admin_token" {
+  description = "admin user's bearer token for API server (generated if left blank)"
+  type        = "string"
+  default     = ""
+}
+
 variable "common_name" {
   default = "kube-ca"
 }
diff --git a/variables.tf b/variables.tf
@@ -179,6 +179,12 @@ variable "api_server_cert" {
   default     = ""
 }
 
+variable "api_server_admin_token" {
+  description = "admin user's bearer token for API server (generated if left blank)"
+  type        = "string"
+  default     = ""
+}
+
 variable "docker_ver" {
   default = "docker-ce_17.03.0~ce-0~ubuntu-xenial_amd64"
 }

Original file line number	Diff line number	Diff line change
`@@ -0,0 +1 @@`
	`1`	`+${token_admin},admin,admin,"system:masters"`
Original file line number	Diff line number	Diff line change
`@@ -102,6 +102,10 @@ output "api_server_cert_pem" {`
`102`	`102`	`value = "${module.k8s-tls.api_server_cert_pem}"`
`103`	`103`	`}`
`104`	`104`
	`105`	`+output "api_server_admin_token" {`
	`106`	`+ value = "${module.k8s-tls.api_server_admin_token}"`
	`107`	`+}`
	`108`	`+`
`105`	`109`	`output "ssh_private_key" {`
`106`	`110`	`value = "${module.k8s-tls.ssh_private_key}"`
`107`	`111`	`}`
Original file line number	Diff line number	Diff line change
`@@ -14,6 +14,10 @@ output "api_server_cert_pem" {`
`14`	`14`	`value = "${var.api_server_cert == "" ? join(" ", tls_locally_signed_cert.api-server.*.cert_pem) : var.api_server_cert}"`
`15`	`15`	`}`
`16`	`16`
	`17`	`+output "api_server_admin_token" {`
	`18`	`+ value = "${var.api_server_admin_token == "" ? join(" ", random_id.token-auth.*.hex) : var.api_server_admin_token}"`
	`19`	`+}`
	`20`	`+`
`17`	`21`	`output "ssh_private_key" {`
`18`	`22`	`value = "${var.ssh_private_key == "" ? join(" ", tls_private_key.ssh.*.private_key_pem) : var.ssh_private_key}"`
`19`	`23`	`}`