Merge pull request #1704 from ibuildthecloud/x509-admin

No longer use basic auth for default admin account
This commit is contained in:
Erik Wilson 2020-05-04 20:21:12 -07:00 committed by GitHub
commit 2fb5bad3e8
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
4 changed files with 38 additions and 61 deletions


@ -34,8 +34,42 @@ type clientToken struct {
password string password string
} }
func AgentAccessInfoToKubeConfig(destFile, server, token string) error { func WriteClientKubeConfig(destFile, url, serverCAFile, clientCertFile, clientKeyFile string) error {
return accessInfoToKubeConfig(destFile, server, token) serverCA, err := ioutil.ReadFile(serverCAFile)
if err != nil {
return errors.Wrapf(err, "failed to read %s", serverCAFile)
}
clientCert, err := ioutil.ReadFile(clientCertFile)
if err != nil {
return errors.Wrapf(err, "failed to read %s", clientCertFile)
}
clientKey, err := ioutil.ReadFile(clientKeyFile)
if err != nil {
return errors.Wrapf(err, "failed to read %s", clientKeyFile)
}
config := clientcmdapi.NewConfig()
cluster := clientcmdapi.NewCluster()
cluster.CertificateAuthorityData = serverCA
cluster.Server = url
authInfo := clientcmdapi.NewAuthInfo()
authInfo.ClientCertificateData = clientCert
authInfo.ClientKeyData = clientKey
context := clientcmdapi.NewContext()
context.AuthInfo = "default"
context.Cluster = "default"
config.Clusters["default"] = cluster
config.AuthInfos["default"] = authInfo
config.Contexts["default"] = context
config.CurrentContext = "default"
return clientcmd.WriteToFile(*config, destFile)
} }
type Info struct { type Info struct {
@ -50,42 +84,6 @@ func (i *Info) ToToken() string {
return fmt.Sprintf("K10%s::%s:%s", hashCA(i.CACerts), i.username, i.password) return fmt.Sprintf("K10%s::%s:%s", hashCA(i.CACerts), i.username, i.password)
} }
func (i *Info) WriteKubeConfig(destFile string) error {
return clientcmd.WriteToFile(*i.KubeConfig(), destFile)
}
func (i *Info) KubeConfig() *clientcmdapi.Config {
config := clientcmdapi.NewConfig()
cluster := clientcmdapi.NewCluster()
cluster.CertificateAuthorityData = i.CACerts
cluster.Server = i.URL
authInfo := clientcmdapi.NewAuthInfo()
if i.password != "" {
authInfo.Username = i.username
authInfo.Password = i.password
} else if i.Token != "" {
if username, pass, ok := ParseUsernamePassword(i.Token); ok {
authInfo.Username = username
authInfo.Password = pass
} else {
authInfo.Token = i.Token
}
}
context := clientcmdapi.NewContext()
context.AuthInfo = "default"
context.Cluster = "default"
config.Clusters["default"] = cluster
config.AuthInfos["default"] = authInfo
config.Contexts["default"] = context
config.CurrentContext = "default"
return config
}
func NormalizeAndValidateTokenForUser(server, token, user string) (string, error) { func NormalizeAndValidateTokenForUser(server, token, user string) (string, error) {
if !strings.HasPrefix(token, "K10") { if !strings.HasPrefix(token, "K10") {
token = "K10::" + user + ":" + token token = "K10::" + user + ":" + token
@ -149,15 +147,6 @@ func ParseAndValidateToken(server, token string) (*Info, error) {
return i, nil return i, nil
} }
func accessInfoToKubeConfig(destFile, server, token string) error {
info, err := ParseAndValidateToken(server, token)
if err != nil {
return err
}
return info.WriteKubeConfig(destFile)
}
func validateToken(u url.URL, cacerts []byte, username, password string) error { func validateToken(u url.URL, cacerts []byte, username, password string) error {
u.Path = "/apis" u.Path = "/apis"
_, err := get(u.String(), GetHTTPClient(cacerts), username, password) _, err := get(u.String(), GetHTTPClient(cacerts), username, password)
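Review bot: WriteClientKubeConfig is exported but carries no doc comment, and because it now embeds ClientKeyData (the admin private key) in the file it writes, the contract is worth stating: `// WriteClientKubeConfig writes a kubeconfig to destFile that points at url, trusts the CA in serverCAFile and authenticates with the client certificate and key read from clientCertFile and clientKeyFile; the key material is embedded, so destFile is as sensitive as clientKeyFile.` The three files are read but never checked to form a matching pair, so a mismatched cert/key is only discovered when the kubeconfig is first used; a `tls.X509KeyPair(clientCert, clientKey)` check after the reads would fail fast with a clear error (crypto/tls would need importing if the file does not already have it). The local named `context` shadows the context package inside the function; `kubeContext` avoids that, though the same name was carried over from the removed Info.KubeConfig so it is a style nit rather than a regression. This section has several hunks; the note covers the first, and the function is entirely within it.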


@ -153,7 +153,6 @@ type ControlRuntime struct {
ServingKubeAPICert string ServingKubeAPICert string
ServingKubeAPIKey string ServingKubeAPIKey string
ServingKubeletKey string ServingKubeletKey string
ClientToken string
ServerToken string ServerToken string
AgentToken string AgentToken string
Handler http.Handler Handler http.Handler


@ -365,9 +365,6 @@ func readTokens(runtime *config.ControlRuntime) error {
if serverToken, ok := tokens.Pass("server"); ok { if serverToken, ok := tokens.Pass("server"); ok {
runtime.ServerToken = "server:" + serverToken runtime.ServerToken = "server:" + serverToken
} }
if clientToken, ok := tokens.Pass("admin"); ok {
runtime.ClientToken = "admin:" + clientToken
}
return nil return nil
} }
@ -450,10 +447,6 @@ func genUsers(config *config.Control, runtime *config.ControlRuntime) error {
nodePass := getNodePass(config, serverPass) nodePass := getNodePass(config, serverPass)
if err := passwd.EnsureUser("admin", "system:masters", ""); err != nil {
return err
}
if err := passwd.EnsureUser("node", "k3s:agent", nodePass); err != nil { if err := passwd.EnsureUser("node", "k3s:agent", nodePass); err != nil {
return err return err
} }


@ -230,11 +230,6 @@ func printTokens(advertiseIP string, config *config.Control) error {
} }
func writeKubeConfig(certs string, config *Config) error { func writeKubeConfig(certs string, config *Config) error {
clientToken, err := FormatToken(config.ControlConfig.Runtime.ClientToken, certs)
if err != nil {
return err
}
ip := config.ControlConfig.BindAddress ip := config.ControlConfig.BindAddress
if ip == "" { if ip == "" {
ip = "127.0.0.1" ip = "127.0.0.1"
@ -257,7 +252,8 @@ func writeKubeConfig(certs string, config *Config) error {
} }
} }
if err = clientaccess.AgentAccessInfoToKubeConfig(kubeConfig, url, clientToken); err != nil { if err = clientaccess.WriteClientKubeConfig(kubeConfig, url, config.ControlConfig.Runtime.ServerCA, config.ControlConfig.Runtime.ClientAdminCert,
config.ControlConfig.Runtime.ClientAdminKey); err != nil {
logrus.Errorf("Failed to generate kubeconfig: %v", err) logrus.Errorf("Failed to generate kubeconfig: %v", err)
} }
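Review bot: The failure of clientaccess.WriteClientKubeConfig is only logged on the following line and the function carries on, yet with the basic-auth admin account gone this kubeconfig is the only admin credential the server produces, so a write failure should surface to the caller rather than be swallowed: `return fmt.Errorf("generating kubeconfig %s: %w", kubeConfig, err)` (writeKubeConfig already returns error; if the remaining body, which is outside the hunk, handles this differently, adjust accordingly). The call also repeats `config.ControlConfig.Runtime` three times across a mid-argument line break; hoisting `rt := config.ControlConfig.Runtime` and calling `clientaccess.WriteClientKubeConfig(kubeConfig, url, rt.ServerCA, rt.ClientAdminCert, rt.ClientAdminKey)` reads more easily. The `err =` here relies on an earlier declaration that is no longer the removed FormatToken line, so it presumably comes from code outside the hunk; worth confirming it still compiles as intended.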