Merge pull request #1704 from ibuildthecloud/x509-admin

No longer use basic auth for default admin account
2024-06-07 19:41:36 +00:00 · 2020-05-04 20:21:12 -07:00 · 2020-05-04 20:21:12 -07:00 · 2fb5bad3e8
commit 2fb5bad3e8
parent 21eabd902b 3c8e0b4157
4 changed files with 38 additions and 61 deletions
--- a/pkg/clientaccess/clientaccess.go
+++ b/pkg/clientaccess/clientaccess.go
@ -34,8 +34,42 @@ type clientToken struct {
 	password string
 }

-func AgentAccessInfoToKubeConfig(destFile, server, token string) error {
-	return accessInfoToKubeConfig(destFile, server, token)
+func WriteClientKubeConfig(destFile, url, serverCAFile, clientCertFile, clientKeyFile string) error {
+	serverCA, err := ioutil.ReadFile(serverCAFile)
+	if err != nil {
+		return errors.Wrapf(err, "failed to read %s", serverCAFile)
+	}
+
+	clientCert, err := ioutil.ReadFile(clientCertFile)
+	if err != nil {
+		return errors.Wrapf(err, "failed to read %s", clientCertFile)
+	}
+
+	clientKey, err := ioutil.ReadFile(clientKeyFile)
+	if err != nil {
+		return errors.Wrapf(err, "failed to read %s", clientKeyFile)
+	}
+
+	config := clientcmdapi.NewConfig()
+
+	cluster := clientcmdapi.NewCluster()
+	cluster.CertificateAuthorityData = serverCA
+	cluster.Server = url
+
+	authInfo := clientcmdapi.NewAuthInfo()
+	authInfo.ClientCertificateData = clientCert
+	authInfo.ClientKeyData = clientKey
+
+	context := clientcmdapi.NewContext()
+	context.AuthInfo = "default"
+	context.Cluster = "default"
+
+	config.Clusters["default"] = cluster
+	config.AuthInfos["default"] = authInfo
+	config.Contexts["default"] = context
+	config.CurrentContext = "default"
+
+	return clientcmd.WriteToFile(*config, destFile)
 }

 type Info struct {
@ -50,42 +84,6 @@ func (i *Info) ToToken() string {
 	return fmt.Sprintf("K10%s::%s:%s", hashCA(i.CACerts), i.username, i.password)
 }

-func (i *Info) WriteKubeConfig(destFile string) error {
-	return clientcmd.WriteToFile(*i.KubeConfig(), destFile)
-}
-
-func (i *Info) KubeConfig() *clientcmdapi.Config {
-	config := clientcmdapi.NewConfig()
-
-	cluster := clientcmdapi.NewCluster()
-	cluster.CertificateAuthorityData = i.CACerts
-	cluster.Server = i.URL
-
-	authInfo := clientcmdapi.NewAuthInfo()
-	if i.password != "" {
-		authInfo.Username = i.username
-		authInfo.Password = i.password
-	} else if i.Token != "" {
-		if username, pass, ok := ParseUsernamePassword(i.Token); ok {
-			authInfo.Username = username
-			authInfo.Password = pass
-		} else {
-			authInfo.Token = i.Token
-		}
-	}
-
-	context := clientcmdapi.NewContext()
-	context.AuthInfo = "default"
-	context.Cluster = "default"
-
-	config.Clusters["default"] = cluster
-	config.AuthInfos["default"] = authInfo
-	config.Contexts["default"] = context
-	config.CurrentContext = "default"
-
-	return config
-}
-
 func NormalizeAndValidateTokenForUser(server, token, user string) (string, error) {
 	if !strings.HasPrefix(token, "K10") {
 		token = "K10::" + user + ":" + token
@ -149,15 +147,6 @@ func ParseAndValidateToken(server, token string) (*Info, error) {
 	return i, nil
 }

-func accessInfoToKubeConfig(destFile, server, token string) error {
-	info, err := ParseAndValidateToken(server, token)
-	if err != nil {
-		return err
-	}
-
-	return info.WriteKubeConfig(destFile)
-}
-
 func validateToken(u url.URL, cacerts []byte, username, password string) error {
 	u.Path = "/apis"
 	_, err := get(u.String(), GetHTTPClient(cacerts), username, password)
--- a/pkg/daemons/config/types.go
+++ b/pkg/daemons/config/types.go
@ -153,7 +153,6 @@ type ControlRuntime struct {
 	ServingKubeAPICert string
 	ServingKubeAPIKey  string
 	ServingKubeletKey  string
-	ClientToken        string
 	ServerToken        string
 	AgentToken         string
 	Handler            http.Handler
--- a/pkg/daemons/control/server.go
+++ b/pkg/daemons/control/server.go
@ -365,9 +365,6 @@ func readTokens(runtime *config.ControlRuntime) error {
 	if serverToken, ok := tokens.Pass("server"); ok {
 		runtime.ServerToken = "server:" + serverToken
 	}
-	if clientToken, ok := tokens.Pass("admin"); ok {
-		runtime.ClientToken = "admin:" + clientToken
-	}

 	return nil
 }
@ -450,10 +447,6 @@ func genUsers(config *config.Control, runtime *config.ControlRuntime) error {

 	nodePass := getNodePass(config, serverPass)

-	if err := passwd.EnsureUser("admin", "system:masters", ""); err != nil {
-		return err
-	}
-
 	if err := passwd.EnsureUser("node", "k3s:agent", nodePass); err != nil {
 		return err
 	}
--- a/pkg/server/server.go
+++ b/pkg/server/server.go
@ -230,11 +230,6 @@ func printTokens(advertiseIP string, config *config.Control) error {
 }

 func writeKubeConfig(certs string, config *Config) error {
-	clientToken, err := FormatToken(config.ControlConfig.Runtime.ClientToken, certs)
-	if err != nil {
-		return err
-	}
-
 	ip := config.ControlConfig.BindAddress
 	if ip == "" {
 		ip = "127.0.0.1"
@ -257,7 +252,8 @@ func writeKubeConfig(certs string, config *Config) error {
 		}
 	}

-	if err = clientaccess.AgentAccessInfoToKubeConfig(kubeConfig, url, clientToken); err != nil {
+	if err = clientaccess.WriteClientKubeConfig(kubeConfig, url, config.ControlConfig.Runtime.ServerCA, config.ControlConfig.Runtime.ClientAdminCert,
+		config.ControlConfig.Runtime.ClientAdminKey); err != nil {
 		logrus.Errorf("Failed to generate kubeconfig: %v", err)
 	}