Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Improve secret copy + kubeconfig permissions #481

Merged
merged 1 commit into from
Mar 5, 2018
Merged

Improve secret copy + kubeconfig permissions #481

merged 1 commit into from
Mar 5, 2018

Conversation

caseydavenport
Copy link
Member

@caseydavenport caseydavenport commented Mar 2, 2018
edited
Loading

Description

A few improvements to our install CNI script:

Todos

  • Tests
  • Documentation
  • Release note

Release Note

The install-cni container now maintains the original mode on certificates copied from Kubernetes secrets.

The install-cni container now writes the calico-kubeconfig file with mode 600 by default. It can be configured by setting the KUBECONFIG_MODE option.

The install-cni container now only writes the calico-kubeconfig file when running as a Kubernetes pod.

@caseydavenport caseydavenport changed the title Move more into kubeconfig file Improve secret copy + kubeconfig permissions Mar 2, 2018
@caseydavenport caseydavenport requested a review from tmjd March 2, 2018 23:38
@caseydavenport caseydavenport added this to the Calico v3.1.0 milestone Mar 3, 2018
tmjd
tmjd requested changes Mar 5, 2018
View reviewed changes
Copy link
Member

@tmjd tmjd left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

One necessary change I think is needed and a couple other considerations.

k8s-install/scripts/install-cni.sh
@@ -29,7 +29,7 @@ if [ "$(ls ${SECRETS_MOUNT_DIR} 3>/dev/null)" ];
then
echo "Installing any TLS assets from ${SECRETS_MOUNT_DIR}"
mkdir -p /host/etc/cni/net.d/calico-tls
cp ${SECRETS_MOUNT_DIR}/* /host/etc/cni/net.d/calico-tls/
cp -p ${SECRETS_MOUNT_DIR}/* /host/etc/cni/net.d/calico-tls/
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I think we should have this change done on line 180 also.

k8s-install/scripts/install-cni.sh Outdated
cat > /host/etc/cni/net.d/calico-kubeconfig <<EOF
# Kubeconfig file for Calico CNI plugin.
apiVersion: v1
kind: Config
clusters:
- name: local
cluster:
server: https://${KUBERNETES_SERVICE_HOST:-}:${KUBERNETES_SERVICE_PORT:-}
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

If those are not set I think this will result in server: https://:, should we have defaults for them?
Do we need to have https be configurable, would someone ever use http?

Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I don't know if we can put a reasonable default here. It's all a bit awkward, but those envs really should be set whenever we're running as a k8s pod (but not say, mesos).

+1 on adding http/https configuration.

k8s-install/scripts/install-cni.sh Outdated
@@ -119,7 +127,6 @@ current-context: calico-context
EOF

# Insert any of the supported "auto" parameters.
SERVICEACCOUNT_TOKEN=$(cat /var/run/secrets/kubernetes.io/serviceaccount/token)
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

The replacement below of SERVICEACCOUNT_TOKEN could be removed once it is removed from the CNI config, are we waiting until that is done to allow an easier transition. I think that makes sense, just making sure it has been considered.

Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Yeah, I think we should wait a while. We should probably leave it there for compat purposes indefinitely. We can document it as deprecated if we want though.

@caseydavenport
Copy link
Member Author

@tmjd thanks for the review, I've pushed some changes, LMK what you think.

@caseydavenport caseydavenport merged commit 66e9468 into projectcalico:master Mar 5, 2018
@caseydavenport caseydavenport deleted the more-in-kubeconfig branch March 5, 2018 21:16
@caseydavenport caseydavenport mentioned this pull request Mar 5, 2018
Merged
3 tasks
@tmjd tmjd mentioned this pull request Mar 7, 2018
Merged
This was referenced May 24, 2018
Merged
Merged
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@tmjd tmjd tmjd approved these changes

Assignees
No one assigned
Labels
cherry-pick-completed release-note-required
Projects
None yet
Milestone
Calico v3.1.0
Development

Successfully merging this pull request may close these issues.
2 participants
@caseydavenport @tmjd