Conversation
Since we'll be encrypting things that are not TLS certificates, it's time to rename the function in order to avoid any confusion.
The decryption of the token file should also happen provided it is put at the correct location. There are a couple of FIXME annotations that will be addressed in future commits.
Codecov Report
@@ Coverage Diff @@
## master #418 +/- ##
=========================================
+ Coverage 38.53% 40.2% +1.66%
=========================================
Files 30 31 +1
Lines 2351 2480 +129
=========================================
+ Hits 906 997 +91
- Misses 1324 1347 +23
- Partials 121 136 +15
The function name suffix implied it created a file, which was not the case.
@mumoshu et al: I still want to add extra validation to ensure operators can only create clusters if the provided auth tokens file is valid according to the specs, but overall I think this PR is ready for review. Please let me know if there's anything I missed.
All done! Waiting for reviews.
The tests are kinda flaky right now; this is the error I've been seeing:
I'll try again soon.
Before generating the encrypted version of the auth token file, parse it as a CSV and look for problems, such as comments and unmatching number of columns. If any problem is found, an error is raised, causing the cluster not to be created.
@@ -1178,7 +1203,7 @@ func (c ControllerSettings) Valid() error { | |||
func (c Experimental) Valid() error { | |||
for _, taint := range c.Taints { | |||
if taint.Effect != "NoSchedule" && taint.Effect != "PreferNoSchedule" { | |||
return fmt.Errorf("Effect must be NoSchdule or PreferNoSchedule, but was %s", taint.Effect) | |||
return fmt.Errorf("Effect must be NoSchedule or PreferNoSchedule, but was %s", taint.Effect) | |||
} |
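Review bot: the corrected message still starts with a capital letter, `"Effect must be NoSchedule or PreferNoSchedule, but was %s"`; Go convention (golint) is that error strings begin lower-case and have no trailing punctuation because they get wrapped into longer messages. Suggest `"effect must be NoSchedule or PreferNoSchedule, but was %q"`, where `%q` also makes an empty or whitespace-only effect visible in the error instead of printing nothing. The typo fix itself is correct.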
Good catch 👍
@@ -1045,7 +1070,7 @@ func (c DeploymentSettings) Valid() (*DeploymentValidationResult, error) { | |||
return &DeploymentValidationResult{vpcNet: vpcNet}, nil | |||
} | |||
|
|||
func (c DeploymentSettings) TLSAssetsEncryptionEnabled() bool { | |||
func (c DeploymentSettings) AssetsEncryptionEnabled() bool { |
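Review bot: renaming the exported method `TLSAssetsEncryptionEnabled` to `AssetsEncryptionEnabled` breaks every existing caller, and this hunk shows no accompanying call-site changes. Compiled Go callers will be caught by the build, but any Go template or generated file that references the method by name only fails at render time, so please grep for the old name outside `.go` files as well, and note the rename in the commit message for anyone importing the package.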
Thanks for paying attention to the naming 👍
* kubernetes-incubator/master: (29 commits) Emit errors when kube-aws sees unexpected keys in cluster.yaml Resolves kubernetes-retired#404 Tag controller nodes appropriately with `kubernetes.io/role`. Resolves kubernetes-retired#370 Make Container Linux AMI fetching a bit more reliable Stop locksmithd errors on etcd nodes Upgrade heapster to version 1.3.0 (kubernetes-retired#420) Auth token file support (kubernetes-retired#418) Update README.md Update README accordingly to the new git repo AWS China region support (kubernetes-retired#390) Conform as a Kubernetes Incubator Project Fixed typo in template upgrade aws-sdk to latest version Fix kubernetes-retired#388 Upgrade Kubernetes version to v1.5.4 Fix assumed public hostnames for EC2 instances in us-east-1 Fix assumed public hostnames for EC2 instances in us-east-1 typo fix: etcdDataVolumeEncrypted not creating encrypted volumes fixes kubernetes-retired#383 Allow disabling wait signals fixes kubernetes-retired#371 Update file paths in readme Fix an issue with glue security group documentation ...
Adds support for authentication via static token files, as documented [here](https://kubernetes.io/docs/admin/authentication/#static-token-file). The token file is a csv file with a minimum of 3 columns: token, user name, user uid, followed by optional group names. Note, if you have more than one group the column must be double quoted.

Authentication via static token files, although not very flexible, is a pretty simple solution for users getting started with Kubernetes and/or who want to have some mechanism to give access to different users, but do not want the complexity overhead of a more flexible solution, such as [dex](https://github.com/coreos/dex).

This change will also be the foundation which kubernetes-retired#414 will be laid on.

A more detailed change list follows:

* Renamed function

  Since we'll be encrypting things that are not TLS certificates, it's time to rename the function in order to avoid any confusion. The function name suffix implied it created a file, which was not the case.
* Updated test error message
* Renamed systemd unit to match name changes
* Defined a location in which to put the token auth file

  The decryption of the token file should also happen provided it is put at the correct location.
* Should only attempt to decrypt tokens if the auth token file exists
* Fixed typo
* Added tests
* Updated docs
* Fixed script
* Validate auth token file

  Before generating the encrypted version of the auth token file, parse it as a CSV and look for problems, such as comments and unmatching number of columns. If any problem is found, an error is raised, causing the cluster not to be created.
This PR adds support for authentication via static token files, as documented here.
Authentication via static token files, although not very flexible, is a pretty simple solution for users getting started with Kubernetes and/or who want to have some mechanism to give access to different users, but do not want the complexity overhead of a more flexible solution, such as dex.
This PR will also be the foundation which #414 will be laid on.
Remaining TODOs:
[1] The token file is a csv file with a minimum of 3 columns: token, user name, user uid, followed by optional group names. Note, if you have more than one group the column must be double quoted.
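The token-file format described in the note above, together with the validation the "Validate auth token file" commit describes (reject comment lines, rows with fewer than three columns, and rows whose column count differs), as an added example in Go. This is not kube-aws's own code: the function and type names are assumptions made here, the extra checks (non-empty token/user/uid, duplicate tokens, at most four columns because several groups belong in one double-quoted column) go beyond what the PR states, and the sample file contents are constructed.

```go
package main

import (
	"encoding/csv"
	"fmt"
	"strings"
)

// TokenEntry is one row of a static token file:
// token,user name,user uid[,"group1,group2,..."]
type TokenEntry struct {
	Token  string
	User   string
	UID    string
	Groups []string
}

// ValidateTokenFile parses the contents of a static token file and returns its
// entries, or an error describing the first problem found so the caller can
// refuse to proceed (kube-aws refuses to create the cluster).
// Checks taken from the PR: no comment lines, at least 3 columns, and the same
// column count on every row. Checks assumed here on top of that: no empty
// token/user/uid, no duplicate tokens, and at most 4 columns.
func ValidateTokenFile(contents string) ([]TokenEntry, error) {
	r := csv.NewReader(strings.NewReader(contents))
	r.FieldsPerRecord = -1 // compare column counts ourselves for a clearer error
	r.TrimLeadingSpace = true
	records, err := r.ReadAll() // blank lines are skipped by encoding/csv
	if err != nil {
		return nil, fmt.Errorf("auth token file is not valid CSV: %v", err)
	}
	if len(records) == 0 {
		return nil, fmt.Errorf("auth token file contains no entries")
	}

	want := len(records[0])
	seen := make(map[string]int) // token -> record number of first use
	entries := make([]TokenEntry, 0, len(records))
	for i, rec := range records {
		row := i + 1
		if strings.HasPrefix(rec[0], "#") {
			return nil, fmt.Errorf("record %d: comment lines are not supported in token files", row)
		}
		if len(rec) < 3 {
			return nil, fmt.Errorf("record %d: has %d columns, need at least 3 (token, user name, user uid)", row, len(rec))
		}
		if len(rec) > 4 {
			return nil, fmt.Errorf("record %d: has %d columns; multiple groups must be one double-quoted column", row, len(rec))
		}
		if len(rec) != want {
			return nil, fmt.Errorf("record %d: has %d columns but record 1 has %d", row, len(rec), want)
		}
		e := TokenEntry{Token: rec[0], User: rec[1], UID: rec[2]}
		if e.Token == "" || e.User == "" || e.UID == "" {
			return nil, fmt.Errorf("record %d: token, user name and user uid must all be non-empty", row)
		}
		if prev, dup := seen[e.Token]; dup {
			return nil, fmt.Errorf("record %d: token already used in record %d", row, prev)
		}
		seen[e.Token] = row
		if len(rec) == 4 {
			// The quoted fourth column is unquoted by encoding/csv into "dev,ops".
			for _, g := range strings.Split(rec[3], ",") {
				if g = strings.TrimSpace(g); g != "" {
					e.Groups = append(e.Groups, g)
				}
			}
		}
		entries = append(entries, e)
	}
	return entries, nil
}

func main() {
	// Constructed sample: two users, the second in two groups (double-quoted).
	good := "tok-alice-1,alice,u-1001,dev\n" +
		"tok-bob-2,bob,u-1002,\"dev,ops\"\n"
	entries, err := ValidateTokenFile(good)
	fmt.Println(len(entries), err) // 2 <nil>

	// Constructed sample that is rejected: the two groups are not double-quoted,
	// so the row has five columns instead of four.
	bad := "tok-carol-3,carol,u-1003,dev,ops\n"
	_, err = ValidateTokenFile(bad)
	fmt.Println(err)
}
```

Running the validator before encrypting and shipping the file means a malformed row is reported at cluster-creation time with its record number, rather than surfacing later as a user who silently cannot authenticate.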