Fixing Azure#3747 by setting --client-ca-file

PatrickLang · Aug 30, 2018 · 33ddbd7 · 33ddbd7
1 parent ce48c14
commit 33ddbd7
Show file tree

Hide file tree

Showing 2 changed files with 21 additions and 11 deletions.
diff --git a/parts/k8s/kuberneteswindowssetup.ps1 b/parts/k8s/kuberneteswindowssetup.ps1
@@ -51,8 +51,8 @@ $global:WindowsPackageSASURLBase = "{{WrapAsParameter "windowsPackageSASURLBase"
 $global:KubeBinariesVersion = "{{WrapAsParameter "kubeBinariesVersion"}}"
 $global:WindowsTelemetryGUID = "{{WrapAsParameter "windowsTelemetryGUID"}}"
 $global:KubeletNodeLabels = "{{GetAgentKubernetesLabels . "',variables('labelResourceGroup'),'"}}"
-$global:KubeletStartFile = $global:KubeDir + "\kubeletstart.ps1"
-$global:KubeProxyStartFile = $global:KubeDir + "\kubeproxystart.ps1"
+$global:KubeletStartFile = [io.path]::Combine($global:KubeDir, "kubeletstart.ps1")
+$global:KubeProxyStartFile = [io.path]::Combine($global:KubeDir, "kubeproxystart.ps1")
 $global:TenantId = "{{WrapAsVariable "tenantID"}}"
 $global:SubscriptionId = "{{WrapAsVariable "subscriptionId"}}"
 $global:ResourceGroup = "{{WrapAsVariable "resourceGroup"}}"
@@ -175,7 +175,7 @@ Update-WindowsPackages()
 function
 Write-AzureConfig()
 {
-    $azureConfigFile = $global:KubeDir + "\azure.json"
+    $azureConfigFile = [io.path]::Combine($global:KubeDir, "azure.json")
 
     $azureConfig = @"
 {
@@ -202,10 +202,18 @@ Write-AzureConfig()
     $azureConfig | Out-File -encoding ASCII -filepath "$azureConfigFile"
 }
 
+
+function
+Write-CACert()
+{
+    $caFile = [io.path]::Combine($global:KubeDir, "ca.crt")
+    [System.Text.Encoding]::ASCII.GetString([System.Convert]::FromBase64String($global:CACertificate)) | Out-File -Encoding ascii $caFile
+}
+
 function
 Write-KubeConfig()
 {
-    $kubeConfigFile = $global:KubeDir + "\config"
+    $kubeConfigFile = [io.path]::Combine($global:KubeDir, "config")
 
     $kubeConfig = @"
 ---
@@ -401,24 +409,24 @@ if (`$hnsNetwork)
     Remove-HnsNetwork `$hnsNetwork
     # Kill all cni instances & stale data left by cni
     # Cleanup all files related to cni
-    `$cnijson = "$global:KubeDir" + "\azure-vnet-ipam.json"
+    `$cnijson = [io.path]::Combine("$global:KubeDir", "azure-vnet-ipam.json")
     if ((Test-Path `$cnijson))
     {
         Remove-Item `$cnijson
     }
-    `$cnilock = "$global:KubeDir" + "\azure-vnet-ipam.lock"
+    `$cnilock = [io.path]::Combine("$global:KubeDir", "azure-vnet-ipam.lock")
     if ((Test-Path `$cnilock))
     {
         Remove-Item `$cnilock
     }
     taskkill /IM azure-vnet-ipam.exe /f
 
-    `$cnijson = "$global:KubeDir" + "\azure-vnet.json"
+    `$cnijson = [io.path]::Combine("$global:KubeDir", "azure-vnet.json")
     if ((Test-Path `$cnijson))
     {
         Remove-Item `$cnijson
     }
-    `$cnilock = "$global:KubeDir" + "\azure-vnet.lock"
+    `$cnilock = [io.path]::Combine("$global:KubeDir", "azure-vnet.lock")
     if ((Test-Path `$cnilock))
     {
         Remove-Item `$cnilock
@@ -677,6 +685,9 @@ try
         Write-Log "Write azure config"
         Write-AzureConfig
 
+        Write-Log "Write ca root"
+        Write-CACert
+
         Write-Log "Write kube config"
         Write-KubeConfig
 

diff --git a/pkg/acsengine/defaults-kubelet.go b/pkg/acsengine/defaults-kubelet.go
@@ -33,13 +33,14 @@ func setKubeletConfig(cs *api.ContainerService) {
 	}
 
 	// Add Windows-specific overrides
+	// Eventually paths should not be hardcoded here. They should be relative to $global:KubeDir in the PowerShell script
 	staticWindowsKubeletConfig["--azure-container-registry-config"] = "c:\\k\\azure.json"
 	staticWindowsKubeletConfig["--pod-infra-container-image"] = "kubletwin/pause"
 	staticWindowsKubeletConfig["--kubeconfig"] = "c:\\k\\config"
 	staticWindowsKubeletConfig["--cloud-config"] = "c:\\k\\azure.json"
 	staticWindowsKubeletConfig["--cgroups-per-qos"] = "false"
 	staticWindowsKubeletConfig["--enforce-node-allocatable"] = "\"\"\"\""
-	staticWindowsKubeletConfig["--client-ca-file"] = "" // BUG - #3747 implement this on Windows
+	staticWindowsKubeletConfig["--client-ca-file"] = "c:\\k\\ca.crt"
 	staticWindowsKubeletConfig["--hairpin-mode"] = "promiscuous-bridge"
 	staticWindowsKubeletConfig["--image-pull-progress-deadline"] = "20m"
 	staticWindowsKubeletConfig["--resolv-conf"] = "\"\"\"\""
@@ -145,9 +146,7 @@ func setKubeletConfig(cs *api.ContainerService) {
 
 		if profile.OSType == "Windows" {
 			// Remove Linux-specific values
-			delete(profile.KubernetesConfig.KubeletConfig, "--client-ca-file")
 			delete(profile.KubernetesConfig.KubeletConfig, "--pod-manifest-path")
-			delete(profile.KubernetesConfig.KubeletConfig, "--anonymous-auth") // BUG: enable secure kubelet on Windows #3747
 		}
 
 		// For N Series (GPU) VMs