mirror of
https://github.com/k3s-io/k3s.git
synced 2024-06-07 19:41:36 +00:00
No longer use basic auth for default admin account
This commit is contained in:
parent
690a4ca7a4
commit
3c8e0b4157
@ -34,8 +34,42 @@ type clientToken struct {
|
|||||||
password string
|
password string
|
||||||
}
|
}
|
||||||
|
|
||||||
func AgentAccessInfoToKubeConfig(destFile, server, token string) error {
|
func WriteClientKubeConfig(destFile, url, serverCAFile, clientCertFile, clientKeyFile string) error {
|
||||||
return accessInfoToKubeConfig(destFile, server, token)
|
serverCA, err := ioutil.ReadFile(serverCAFile)
|
||||||
|
if err != nil {
|
||||||
|
return errors.Wrapf(err, "failed to read %s", serverCAFile)
|
||||||
|
}
|
||||||
|
|
||||||
|
clientCert, err := ioutil.ReadFile(clientCertFile)
|
||||||
|
if err != nil {
|
||||||
|
return errors.Wrapf(err, "failed to read %s", clientCertFile)
|
||||||
|
}
|
||||||
|
|
||||||
|
clientKey, err := ioutil.ReadFile(clientKeyFile)
|
||||||
|
if err != nil {
|
||||||
|
return errors.Wrapf(err, "failed to read %s", clientKeyFile)
|
||||||
|
}
|
||||||
|
|
||||||
|
config := clientcmdapi.NewConfig()
|
||||||
|
|
||||||
|
cluster := clientcmdapi.NewCluster()
|
||||||
|
cluster.CertificateAuthorityData = serverCA
|
||||||
|
cluster.Server = url
|
||||||
|
|
||||||
|
authInfo := clientcmdapi.NewAuthInfo()
|
||||||
|
authInfo.ClientCertificateData = clientCert
|
||||||
|
authInfo.ClientKeyData = clientKey
|
||||||
|
|
||||||
|
context := clientcmdapi.NewContext()
|
||||||
|
context.AuthInfo = "default"
|
||||||
|
context.Cluster = "default"
|
||||||
|
|
||||||
|
config.Clusters["default"] = cluster
|
||||||
|
config.AuthInfos["default"] = authInfo
|
||||||
|
config.Contexts["default"] = context
|
||||||
|
config.CurrentContext = "default"
|
||||||
|
|
||||||
|
return clientcmd.WriteToFile(*config, destFile)
|
||||||
}
|
}
|
||||||
|
|
||||||
type Info struct {
|
type Info struct {
|
||||||
@ -50,42 +84,6 @@ func (i *Info) ToToken() string {
|
|||||||
return fmt.Sprintf("K10%s::%s:%s", hashCA(i.CACerts), i.username, i.password)
|
return fmt.Sprintf("K10%s::%s:%s", hashCA(i.CACerts), i.username, i.password)
|
||||||
}
|
}
|
||||||
|
|
||||||
func (i *Info) WriteKubeConfig(destFile string) error {
|
|
||||||
return clientcmd.WriteToFile(*i.KubeConfig(), destFile)
|
|
||||||
}
|
|
||||||
|
|
||||||
func (i *Info) KubeConfig() *clientcmdapi.Config {
|
|
||||||
config := clientcmdapi.NewConfig()
|
|
||||||
|
|
||||||
cluster := clientcmdapi.NewCluster()
|
|
||||||
cluster.CertificateAuthorityData = i.CACerts
|
|
||||||
cluster.Server = i.URL
|
|
||||||
|
|
||||||
authInfo := clientcmdapi.NewAuthInfo()
|
|
||||||
if i.password != "" {
|
|
||||||
authInfo.Username = i.username
|
|
||||||
authInfo.Password = i.password
|
|
||||||
} else if i.Token != "" {
|
|
||||||
if username, pass, ok := ParseUsernamePassword(i.Token); ok {
|
|
||||||
authInfo.Username = username
|
|
||||||
authInfo.Password = pass
|
|
||||||
} else {
|
|
||||||
authInfo.Token = i.Token
|
|
||||||
}
|
|
||||||
}
|
|
||||||
|
|
||||||
context := clientcmdapi.NewContext()
|
|
||||||
context.AuthInfo = "default"
|
|
||||||
context.Cluster = "default"
|
|
||||||
|
|
||||||
config.Clusters["default"] = cluster
|
|
||||||
config.AuthInfos["default"] = authInfo
|
|
||||||
config.Contexts["default"] = context
|
|
||||||
config.CurrentContext = "default"
|
|
||||||
|
|
||||||
return config
|
|
||||||
}
|
|
||||||
|
|
||||||
func NormalizeAndValidateTokenForUser(server, token, user string) (string, error) {
|
func NormalizeAndValidateTokenForUser(server, token, user string) (string, error) {
|
||||||
if !strings.HasPrefix(token, "K10") {
|
if !strings.HasPrefix(token, "K10") {
|
||||||
token = "K10::" + user + ":" + token
|
token = "K10::" + user + ":" + token
|
||||||
@ -149,15 +147,6 @@ func ParseAndValidateToken(server, token string) (*Info, error) {
|
|||||||
return i, nil
|
return i, nil
|
||||||
}
|
}
|
||||||
|
|
||||||
func accessInfoToKubeConfig(destFile, server, token string) error {
|
|
||||||
info, err := ParseAndValidateToken(server, token)
|
|
||||||
if err != nil {
|
|
||||||
return err
|
|
||||||
}
|
|
||||||
|
|
||||||
return info.WriteKubeConfig(destFile)
|
|
||||||
}
|
|
||||||
|
|
||||||
func validateToken(u url.URL, cacerts []byte, username, password string) error {
|
func validateToken(u url.URL, cacerts []byte, username, password string) error {
|
||||||
u.Path = "/apis"
|
u.Path = "/apis"
|
||||||
_, err := get(u.String(), GetHTTPClient(cacerts), username, password)
|
_, err := get(u.String(), GetHTTPClient(cacerts), username, password)
|
||||||
|
@ -153,7 +153,6 @@ type ControlRuntime struct {
|
|||||||
ServingKubeAPICert string
|
ServingKubeAPICert string
|
||||||
ServingKubeAPIKey string
|
ServingKubeAPIKey string
|
||||||
ServingKubeletKey string
|
ServingKubeletKey string
|
||||||
ClientToken string
|
|
||||||
ServerToken string
|
ServerToken string
|
||||||
AgentToken string
|
AgentToken string
|
||||||
Handler http.Handler
|
Handler http.Handler
|
||||||
|
@ -365,9 +365,6 @@ func readTokens(runtime *config.ControlRuntime) error {
|
|||||||
if serverToken, ok := tokens.Pass("server"); ok {
|
if serverToken, ok := tokens.Pass("server"); ok {
|
||||||
runtime.ServerToken = "server:" + serverToken
|
runtime.ServerToken = "server:" + serverToken
|
||||||
}
|
}
|
||||||
if clientToken, ok := tokens.Pass("admin"); ok {
|
|
||||||
runtime.ClientToken = "admin:" + clientToken
|
|
||||||
}
|
|
||||||
|
|
||||||
return nil
|
return nil
|
||||||
}
|
}
|
||||||
@ -450,10 +447,6 @@ func genUsers(config *config.Control, runtime *config.ControlRuntime) error {
|
|||||||
|
|
||||||
nodePass := getNodePass(config, serverPass)
|
nodePass := getNodePass(config, serverPass)
|
||||||
|
|
||||||
if err := passwd.EnsureUser("admin", "system:masters", ""); err != nil {
|
|
||||||
return err
|
|
||||||
}
|
|
||||||
|
|
||||||
if err := passwd.EnsureUser("node", "k3s:agent", nodePass); err != nil {
|
if err := passwd.EnsureUser("node", "k3s:agent", nodePass); err != nil {
|
||||||
return err
|
return err
|
||||||
}
|
}
|
||||||
|
@ -230,11 +230,6 @@ func printTokens(advertiseIP string, config *config.Control) error {
|
|||||||
}
|
}
|
||||||
|
|
||||||
func writeKubeConfig(certs string, config *Config) error {
|
func writeKubeConfig(certs string, config *Config) error {
|
||||||
clientToken, err := FormatToken(config.ControlConfig.Runtime.ClientToken, certs)
|
|
||||||
if err != nil {
|
|
||||||
return err
|
|
||||||
}
|
|
||||||
|
|
||||||
ip := config.ControlConfig.BindAddress
|
ip := config.ControlConfig.BindAddress
|
||||||
if ip == "" {
|
if ip == "" {
|
||||||
ip = "127.0.0.1"
|
ip = "127.0.0.1"
|
||||||
@ -257,7 +252,8 @@ func writeKubeConfig(certs string, config *Config) error {
|
|||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
if err = clientaccess.AgentAccessInfoToKubeConfig(kubeConfig, url, clientToken); err != nil {
|
if err = clientaccess.WriteClientKubeConfig(kubeConfig, url, config.ControlConfig.Runtime.ServerCA, config.ControlConfig.Runtime.ClientAdminCert,
|
||||||
|
config.ControlConfig.Runtime.ClientAdminKey); err != nil {
|
||||||
logrus.Errorf("Failed to generate kubeconfig: %v", err)
|
logrus.Errorf("Failed to generate kubeconfig: %v", err)
|
||||||
}
|
}
|
||||||
|
|
||||||
|
Loading…
Reference in New Issue
Block a user