From 33ddbd7d7e108bc0dd187cfdad57a049f9ba70d2 Mon Sep 17 00:00:00 2001
From: Patrick Lang
Date: Wed, 29 Aug 2018 17:44:05 -0700
Subject: [PATCH] Fixing #3747 by setting --client-ca-file
---
 parts/k8s/kuberneteswindowssetup.ps1 | 27 +++++++++++++++++++--------
 pkg/acsengine/defaults-kubelet.go | 5 ++---
 2 files changed, 21 insertions(+), 11 deletions(-)
diff --git a/parts/k8s/kuberneteswindowssetup.ps1 b/parts/k8s/kuberneteswindowssetup.ps1
index 801e6a1db5..191b2d5524 100644
--- a/parts/k8s/kuberneteswindowssetup.ps1
+++ b/parts/k8s/kuberneteswindowssetup.ps1
@@ -51,8 +51,8 @@ $global:WindowsPackageSASURLBase = "{{WrapAsParameter "windowsPackageSASURLBase"
 $global:KubeBinariesVersion = "{{WrapAsParameter "kubeBinariesVersion"}}"
 $global:WindowsTelemetryGUID = "{{WrapAsParameter "windowsTelemetryGUID"}}"
 $global:KubeletNodeLabels = "{{GetAgentKubernetesLabels . "',variables('labelResourceGroup'),'"}}"
-$global:KubeletStartFile = $global:KubeDir + "\kubeletstart.ps1"
-$global:KubeProxyStartFile = $global:KubeDir + "\kubeproxystart.ps1"
+$global:KubeletStartFile = [io.path]::Combine($global:KubeDir, "kubeletstart.ps1")
+$global:KubeProxyStartFile = [io.path]::Combine($global:KubeDir, "kubeproxystart.ps1")
 $global:TenantId = "{{WrapAsVariable "tenantID"}}"
 $global:SubscriptionId = "{{WrapAsVariable "subscriptionId"}}"
 $global:ResourceGroup = "{{WrapAsVariable "resourceGroup"}}"
@@ -175,7 +175,7 @@ Update-WindowsPackages()
 function
 Write-AzureConfig()
 {
- $azureConfigFile = $global:KubeDir + "\azure.json"
+ $azureConfigFile = [io.path]::Combine($global:KubeDir, "azure.json")
 $azureConfig = @"
 {
@@ -202,10 +202,18 @@ Write-AzureConfig()
 $azureConfig | Out-File -encoding ASCII -filepath "$azureConfigFile"
 }
+
+function
+Write-CACert()
+{
+ $caFile = [io.path]::Combine($global:KubeDir, "ca.crt")
+ [System.Text.Encoding]::ASCII.GetString([System.Convert]::FromBase64String($global:CACertificate)) | Out-File -Encoding ascii $caFile
+}
+
 function
 Write-KubeConfig()
 {
- $kubeConfigFile = $global:KubeDir + "\config"
+ $kubeConfigFile = [io.path]::Combine($global:KubeDir, "config")
 $kubeConfig = @"
 ---
@@ -401,24 +409,24 @@ if (`$hnsNetwork)
 Remove-HnsNetwork `$hnsNetwork
 # Kill all cni instances & stale data left by cni
 # Cleanup all files related to cni
- `$cnijson = "$global:KubeDir" + "\azure-vnet-ipam.json"
+ `$cnijson = [io.path]::Combine("$global:KubeDir", "azure-vnet-ipam.json")
 if ((Test-Path `$cnijson))
 {
 Remove-Item `$cnijson
 }
- `$cnilock = "$global:KubeDir" + "\azure-vnet-ipam.lock"
+ `$cnilock = [io.path]::Combine("$global:KubeDir", "azure-vnet-ipam.lock")
 if ((Test-Path `$cnilock))
 {
 Remove-Item `$cnilock
 }
 taskkill /IM azure-vnet-ipam.exe /f
- `$cnijson = "$global:KubeDir" + "\azure-vnet.json"
+ `$cnijson = [io.path]::Combine("$global:KubeDir", "azure-vnet.json")
 if ((Test-Path `$cnijson))
 {
 Remove-Item `$cnijson
 }
- `$cnilock = "$global:KubeDir" + "\azure-vnet.lock"
+ `$cnilock = [io.path]::Combine("$global:KubeDir", "azure-vnet.lock")
 if ((Test-Path `$cnilock))
 {
 Remove-Item `$cnilock
@@ -677,6 +685,9 @@ try
 Write-Log "Write azure config"
 Write-AzureConfig
+ Write-Log "Write ca root"
+ Write-CACert
+
 Write-Log "Write kube config"
 Write-KubeConfig
diff --git a/pkg/acsengine/defaults-kubelet.go b/pkg/acsengine/defaults-kubelet.go
index c7cd07ca5e..dcf73b1cbc 100644
--- a/pkg/acsengine/defaults-kubelet.go
+++ b/pkg/acsengine/defaults-kubelet.go
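Review bot: In the added Write-CACert (hunk at -202,10), `$global:CACertificate` is decoded and written to `ca.crt` without any check, so an empty value would leave a file with no certificate in it and a malformed one throws from `FromBase64String` in the middle of setup. Because the commit makes this file the kubelet's `--client-ca-file`, I would reject bad input before the decode, e.g. `if ([string]::IsNullOrEmpty($global:CACertificate)) { throw "CA certificate parameter is empty" }`, and add a one-line comment above the function saying the parameter is presumably base64-encoded PEM text. `$global:CACertificate` is assigned outside the visible hunks, so whether it can actually be empty is not something this patch shows.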
@@ -33,13 +33,14 @@ func setKubeletConfig(cs *api.ContainerService) {
 }
 // Add Windows-specific overrides
+ // Eventually paths should not be hardcoded here. They should be relative to $global:KubeDir in the PowerShell script
 staticWindowsKubeletConfig["--azure-container-registry-config"] = "c:\\k\\azure.json"
 staticWindowsKubeletConfig["--pod-infra-container-image"] = "kubletwin/pause"
 staticWindowsKubeletConfig["--kubeconfig"] = "c:\\k\\config"
 staticWindowsKubeletConfig["--cloud-config"] = "c:\\k\\azure.json"
 staticWindowsKubeletConfig["--cgroups-per-qos"] = "false"
 staticWindowsKubeletConfig["--enforce-node-allocatable"] = "\"\"\"\""
- staticWindowsKubeletConfig["--client-ca-file"] = "" // BUG - #3747 implement this on Windows
+ staticWindowsKubeletConfig["--client-ca-file"] = "c:\\k\\ca.crt"
 staticWindowsKubeletConfig["--hairpin-mode"] = "promiscuous-bridge"
 staticWindowsKubeletConfig["--image-pull-progress-deadline"] = "20m"
 staticWindowsKubeletConfig["--resolv-conf"] = "\"\"\"\""
@@ -145,9 +146,7 @@ func setKubeletConfig(cs *api.ContainerService) {
 if profile.OSType == "Windows" {
 // Remove Linux-specific values
- delete(profile.KubernetesConfig.KubeletConfig, "--client-ca-file")
 delete(profile.KubernetesConfig.KubeletConfig, "--pod-manifest-path")
- delete(profile.KubernetesConfig.KubeletConfig, "--anonymous-auth") // BUG: enable secure kubelet on Windows #3747
 }
 // For N Series (GPU) VMs
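Review bot: In the `profile.OSType == "Windows"` branch (hunk at -145,9), removing the `delete` calls for `--client-ca-file` and `--anonymous-auth` changes the authentication flags every Windows kubelet receives, and the diffstat lists only the setup script and this file, so no test pins the result. I would add a unit test that runs `setKubeletConfig` on a cluster with a Windows agent pool and asserts `profile.KubernetesConfig.KubeletConfig["--client-ca-file"] == "c:\\k\\ca.crt"` and that `--anonymous-auth` is still present. It is also worth confirming that a profile-level override of `--client-ca-file` carrying a Linux path cannot reach a Windows node now that the key is no longer stripped; the merge logic sits outside this hunk, so that cannot be judged from here. `setKubeletConfig` starts and ends outside the hunk.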