Create kubernetes join token on demand
Signed-off-by: Malte Poll <mp@edgeless.systems>
This commit is contained in:
parent
ddcb4dc95f
commit
c9226de9ab
7 changed files with 85 additions and 114 deletions
|
@ -3,17 +3,19 @@ package core
|
|||
import (
|
||||
"context"
|
||||
"strings"
|
||||
"time"
|
||||
|
||||
"github.com/edgelesssys/constellation/coordinator/kubernetes"
|
||||
"github.com/edgelesssys/constellation/coordinator/kubernetes/k8sapi/resources"
|
||||
"github.com/edgelesssys/constellation/coordinator/role"
|
||||
"github.com/edgelesssys/constellation/internal/constants"
|
||||
"go.uber.org/zap"
|
||||
kubeadm "k8s.io/kubernetes/cmd/kubeadm/app/apis/kubeadm/v1beta3"
|
||||
)
|
||||
|
||||
// GetK8sJoinArgs returns the args needed by a Node to join the cluster.
|
||||
func (c *Core) GetK8sJoinArgs() (*kubeadm.BootstrapTokenDiscovery, error) {
|
||||
return c.data().GetKubernetesJoinArgs()
|
||||
return c.kube.GetJoinToken(constants.KubernetesJoinTokenTTL)
|
||||
}
|
||||
|
||||
// GetK8SCertificateKey returns the key needed by a Coordinator to join the cluster.
|
||||
|
@ -71,7 +73,7 @@ func (c *Core) InitCluster(autoscalingNodeGroups []string, cloudServiceAccountUR
|
|||
}
|
||||
|
||||
c.zaplogger.Info("Initializing cluster")
|
||||
joinCommand, err := c.kube.InitCluster(kubernetes.InitClusterInput{
|
||||
if err := c.kube.InitCluster(kubernetes.InitClusterInput{
|
||||
APIServerAdvertiseIP: coordinatorVPNIP.String(),
|
||||
NodeIP: nodeIP,
|
||||
NodeName: k8sCompliantHostname(nodeName),
|
||||
|
@ -97,17 +99,11 @@ func (c *Core) InitCluster(autoscalingNodeGroups []string, cloudServiceAccountUR
|
|||
CloudNodeManagerImage: c.cloudNodeManager.Image(),
|
||||
CloudNodeManagerPath: c.cloudNodeManager.Path(),
|
||||
CloudNodeManagerExtraArgs: c.cloudNodeManager.ExtraArgs(),
|
||||
})
|
||||
if err != nil {
|
||||
}); err != nil {
|
||||
c.zaplogger.Error("Initializing cluster failed", zap.Error(err))
|
||||
return nil, err
|
||||
}
|
||||
|
||||
if err := c.data().PutKubernetesJoinArgs(joinCommand); err != nil {
|
||||
c.zaplogger.Error("Storing Kubernetes join command failed", zap.Error(err))
|
||||
return nil, err
|
||||
}
|
||||
|
||||
kubeconfig, err := c.kube.GetKubeconfig()
|
||||
if err != nil {
|
||||
return nil, err
|
||||
|
@ -180,25 +176,23 @@ func (c *Core) JoinCluster(args *kubeadm.BootstrapTokenDiscovery, certKey string
|
|||
// Cluster manages the overall cluster lifecycle (init, join).
|
||||
type Cluster interface {
|
||||
// InitCluster bootstraps a new cluster with the current node being the master, returning the arguments required to join the cluster.
|
||||
InitCluster(kubernetes.InitClusterInput) (*kubeadm.BootstrapTokenDiscovery, error)
|
||||
InitCluster(kubernetes.InitClusterInput) error
|
||||
// JoinCluster will join the current node to an existing cluster.
|
||||
JoinCluster(args *kubeadm.BootstrapTokenDiscovery, nodeName, nodeIP, nodeVPNIP, providerID, certKey string, ccmSupported bool, peerRole role.Role) error
|
||||
// GetKubeconfig reads the kubeconfig from the filesystem. Only succeeds after cluster is initialized.
|
||||
GetKubeconfig() ([]byte, error)
|
||||
// GetKubeadmCertificateKey returns the 64-byte hex string key needed to join the cluster as control-plane. This function must be executed on a control-plane.
|
||||
GetKubeadmCertificateKey() (string, error)
|
||||
// GetJoinToken returns a bootstrap (join) token.
|
||||
GetJoinToken(ttl time.Duration) (*kubeadm.BootstrapTokenDiscovery, error)
|
||||
}
|
||||
|
||||
// ClusterFake behaves like a real cluster, but does not actually initialize or join Kubernetes.
|
||||
type ClusterFake struct{}
|
||||
|
||||
// InitCluster fakes bootstrapping a new cluster with the current node being the master, returning the arguments required to join the cluster.
|
||||
func (c *ClusterFake) InitCluster(kubernetes.InitClusterInput) (*kubeadm.BootstrapTokenDiscovery, error) {
|
||||
return &kubeadm.BootstrapTokenDiscovery{
|
||||
APIServerEndpoint: "0.0.0.0",
|
||||
Token: "kube-fake-token",
|
||||
CACertHashes: []string{"sha256:a60ebe9b0879090edd83b40a4df4bebb20506bac1e51d518ff8f4505a721930f"},
|
||||
}, nil
|
||||
func (c *ClusterFake) InitCluster(kubernetes.InitClusterInput) error {
|
||||
return nil
|
||||
}
|
||||
|
||||
// JoinCluster will fake joining the current node to an existing cluster.
|
||||
|
@ -216,6 +210,15 @@ func (c *ClusterFake) GetKubeadmCertificateKey() (string, error) {
|
|||
return "controlPlaneCertficateKey", nil
|
||||
}
|
||||
|
||||
// GetJoinToken returns a bootstrap (join) token.
|
||||
func (c *ClusterFake) GetJoinToken(_ time.Duration) (*kubeadm.BootstrapTokenDiscovery, error) {
|
||||
return &kubeadm.BootstrapTokenDiscovery{
|
||||
APIServerEndpoint: "0.0.0.0",
|
||||
Token: "kube-fake-token",
|
||||
CACertHashes: []string{"sha256:a60ebe9b0879090edd83b40a4df4bebb20506bac1e51d518ff8f4505a721930f"},
|
||||
}, nil
|
||||
}
|
||||
|
||||
// k8sCompliantHostname transforms a hostname to an RFC 1123 compliant, lowercase subdomain as required by Kubernetes node names.
|
||||
// The following regex is used by k8s for validation: /^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$/ .
|
||||
// Only a simple heuristic is used for now (to lowercase, replace underscores).
|
||||
|
|
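Review bot: The doc comment on GetK8sJoinArgs in the first hunk (`// GetK8sJoinArgs returns the args needed by a Node to join the cluster.`) no longer describes what the function does: the new body calls `c.kube.GetJoinToken(constants.KubernetesJoinTokenTTL)`, so every call appears to mint a fresh bootstrap token instead of returning the one stored at init. Because each such token is a cluster join credential that stays valid until its TTL expires, callers should know that repeated calls accumulate live tokens; I would change the comment to `// GetK8sJoinArgs creates a new bootstrap token (valid for constants.KubernetesJoinTokenTTL) and returns the args needed by a Node to join the cluster. Each call creates a token, so call it only when a node is actually joining.` The Cluster interface's `// GetJoinToken returns a bootstrap (join) token.` later in the section would benefit from the same precision, stating that a token with the given ttl is created rather than looked up. Whether the real kubernetes implementation creates or reuses a token is not visible in this section and should be confirmed before the wording is finalized.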