From 3c8e0b4157cb81655a092c5497ef1130e9e954d6 Mon Sep 17 00:00:00 2001
From: Darren Shepherd
Date: Tue, 28 Apr 2020 16:01:33 -0700
Subject: [PATCH] No longer use basic auth for default admin account

---
 pkg/clientaccess/clientaccess.go | 83 ++++++++++++++------------------
 pkg/daemons/config/types.go | 1 -
 pkg/daemons/control/server.go | 7 ---
 pkg/server/server.go | 8 +--
 4 files changed, 38 insertions(+), 61 deletions(-)

diff --git a/pkg/clientaccess/clientaccess.go b/pkg/clientaccess/clientaccess.go
index 1d403c19f8..fc35c8ff55 100644
--- a/pkg/clientaccess/clientaccess.go
+++ b/pkg/clientaccess/clientaccess.go
@@ -34,8 +34,42 @@ type clientToken struct {
 	password string
 }
-func AgentAccessInfoToKubeConfig(destFile, server, token string) error {
-	return accessInfoToKubeConfig(destFile, server, token)
+func WriteClientKubeConfig(destFile, url, serverCAFile, clientCertFile, clientKeyFile string) error {
+	serverCA, err := ioutil.ReadFile(serverCAFile)
+	if err != nil {
+		return errors.Wrapf(err, "failed to read %s", serverCAFile)
+	}
+
+	clientCert, err := ioutil.ReadFile(clientCertFile)
+	if err != nil {
+		return errors.Wrapf(err, "failed to read %s", clientCertFile)
+	}
+
+	clientKey, err := ioutil.ReadFile(clientKeyFile)
+	if err != nil {
+		return errors.Wrapf(err, "failed to read %s", clientKeyFile)
+	}
+
+	config := clientcmdapi.NewConfig()
+
+	cluster := clientcmdapi.NewCluster()
+	cluster.CertificateAuthorityData = serverCA
+	cluster.Server = url
+
+	authInfo := clientcmdapi.NewAuthInfo()
+	authInfo.ClientCertificateData = clientCert
+	authInfo.ClientKeyData = clientKey
+
+	context := clientcmdapi.NewContext()
+	context.AuthInfo = "default"
+	context.Cluster = "default"
+
+	config.Clusters["default"] = cluster
+	config.AuthInfos["default"] = authInfo
+	config.Contexts["default"] = context
+	config.CurrentContext = "default"
+
+	return clientcmd.WriteToFile(*config, destFile)
 }
 type Info struct {
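Review bot: `WriteClientKubeConfig` is exported but has no doc comment, and the comment matters here because the function copies the bytes of `clientKeyFile` into the kubeconfig written at `destFile` as `ClientKeyData`, so the output file holds the admin private key and is exactly as sensitive as the key file itself. Suggested comment: `// WriteClientKubeConfig writes a kubeconfig for url to destFile that authenticates with the given client certificate and key; the key is embedded verbatim, so destFile must be protected like clientKeyFile.` The permission mode of the written file is decided inside clientcmd.WriteToFile, which is not visible in this hunk, and any later chmod by the caller should not widen it. Separately, the local `context` shadows the standard context package name; `kubeContext` would avoid confusion if that package is ever imported in this file.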
@@ -50,42 +84,6 @@ func (i *Info) ToToken() string {
 	return fmt.Sprintf("K10%s::%s:%s", hashCA(i.CACerts), i.username, i.password)
 }
-func (i *Info) WriteKubeConfig(destFile string) error {
-	return clientcmd.WriteToFile(*i.KubeConfig(), destFile)
-}
-
-func (i *Info) KubeConfig() *clientcmdapi.Config {
-	config := clientcmdapi.NewConfig()
-
-	cluster := clientcmdapi.NewCluster()
-	cluster.CertificateAuthorityData = i.CACerts
-	cluster.Server = i.URL
-
-	authInfo := clientcmdapi.NewAuthInfo()
-	if i.password != "" {
-		authInfo.Username = i.username
-		authInfo.Password = i.password
-	} else if i.Token != "" {
-		if username, pass, ok := ParseUsernamePassword(i.Token); ok {
-			authInfo.Username = username
-			authInfo.Password = pass
-		} else {
-			authInfo.Token = i.Token
-		}
-	}
-
-	context := clientcmdapi.NewContext()
-	context.AuthInfo = "default"
-	context.Cluster = "default"
-
-	config.Clusters["default"] = cluster
-	config.AuthInfos["default"] = authInfo
-	config.Contexts["default"] = context
-	config.CurrentContext = "default"
-
-	return config
-}
-
 func NormalizeAndValidateTokenForUser(server, token, user string) (string, error) {
 	if !strings.HasPrefix(token, "K10") {
 		token = "K10::" + user + ":" + token
@@ -149,15 +147,6 @@ func ParseAndValidateToken(server, token string) (*Info, error) {
 	return i, nil
 }
-func accessInfoToKubeConfig(destFile, server, token string) error {
-	info, err := ParseAndValidateToken(server, token)
-	if err != nil {
-		return err
-	}
-
-	return info.WriteKubeConfig(destFile)
-}
-
 func validateToken(u url.URL, cacerts []byte, username, password string) error {
 	u.Path = "/apis"
 	_, err := get(u.String(), GetHTTPClient(cacerts), username, password)
diff --git a/pkg/daemons/config/types.go b/pkg/daemons/config/types.go
index 696b5acc19..9dd87485cf 100644
--- a/pkg/daemons/config/types.go
+++ b/pkg/daemons/config/types.go
@@ -153,7 +153,6 @@ type ControlRuntime struct {
 	ServingKubeAPICert string
 	ServingKubeAPIKey string
 	ServingKubeletKey string
-	ClientToken string
 	ServerToken string
 	AgentToken string
 	Handler http.Handler
diff --git a/pkg/daemons/control/server.go b/pkg/daemons/control/server.go
index 54e989c1a1..acfb110497 100644
--- a/pkg/daemons/control/server.go
+++ b/pkg/daemons/control/server.go
@@ -365,9 +365,6 @@ func readTokens(runtime *config.ControlRuntime) error {
 	if serverToken, ok := tokens.Pass("server"); ok {
 		runtime.ServerToken = "server:" + serverToken
 	}
-	if clientToken, ok := tokens.Pass("admin"); ok {
-		runtime.ClientToken = "admin:" + clientToken
-	}
 	return nil
 }
@@ -450,10 +447,6 @@ func genUsers(config *config.Control, runtime *config.ControlRuntime) error {
 	nodePass := getNodePass(config, serverPass)
-	if err := passwd.EnsureUser("admin", "system:masters", ""); err != nil {
-		return err
-	}
-
 	if err := passwd.EnsureUser("node", "k3s:agent", nodePass); err != nil {
 		return err
 	}
diff --git a/pkg/server/server.go b/pkg/server/server.go
index 8071f89483..1e0f4f4104 100644
--- a/pkg/server/server.go
+++ b/pkg/server/server.go
@@ -230,11 +230,6 @@ func printTokens(advertiseIP string, config *config.Control) error {
 }
 func writeKubeConfig(certs string, config *Config) error {
-	clientToken, err := FormatToken(config.ControlConfig.Runtime.ClientToken, certs)
-	if err != nil {
-		return err
-	}
-
 	ip := config.ControlConfig.BindAddress
 	if ip == "" {
 		ip = "127.0.0.1"
@@ -257,7 +252,8 @@ func writeKubeConfig(certs string, config *Config) error {
 		}
 	}
-	if err = clientaccess.AgentAccessInfoToKubeConfig(kubeConfig, url, clientToken); err != nil {
+	if err = clientaccess.WriteClientKubeConfig(kubeConfig, url, config.ControlConfig.Runtime.ServerCA, config.ControlConfig.Runtime.ClientAdminCert,
+		config.ControlConfig.Runtime.ClientAdminKey); err != nil {
 		logrus.Errorf("Failed to generate kubeconfig: %v", err)
 	}