diff --git a/docs/cluster_spec.md b/docs/cluster_spec.md
index 3ed5c14bb9d53..858af0eefb5ff 100644
--- a/docs/cluster_spec.md
+++ b/docs/cluster_spec.md
@@ -231,6 +231,16 @@ spec:
 serviceNodePortRange: 30000-33000
 ```
+#### Disable Basic Auth
+
+This will disable the passing of the `--basic-auth-file` flag.
+
+```yaml
+spec:
+ kubeAPIServer:
+ disableBasicAuth: true
+```
+
 ### externalDns
 This block contains configuration options for your `external-DNS` provider.
diff --git a/nodeup/pkg/model/kube_apiserver.go b/nodeup/pkg/model/kube_apiserver.go
index 42806ca438d29..422cb8c891c46 100644
--- a/nodeup/pkg/model/kube_apiserver.go
+++ b/nodeup/pkg/model/kube_apiserver.go
@@ -283,9 +283,12 @@ func (b *KubeAPIServerBuilder) buildPod() (*v1.Pod, error) {
 kubeAPIServer.ClientCAFile = filepath.Join(b.PathSrvKubernetes(), "ca.crt")
 kubeAPIServer.TLSCertFile = filepath.Join(b.PathSrvKubernetes(), "server.cert")
 kubeAPIServer.TLSPrivateKeyFile = filepath.Join(b.PathSrvKubernetes(), "server.key")
- kubeAPIServer.BasicAuthFile = filepath.Join(b.PathSrvKubernetes(), "basic_auth.csv")
 kubeAPIServer.TokenAuthFile = filepath.Join(b.PathSrvKubernetes(), "known_tokens.csv")
+ if !kubeAPIServer.DisableBasicAuth {
+ kubeAPIServer.BasicAuthFile = filepath.Join(b.PathSrvKubernetes(), "basic_auth.csv")
+ }
+
 if b.UseEtcdTLS() {
 kubeAPIServer.EtcdCAFile = filepath.Join(b.PathSrvKubernetes(), "ca.crt")
 kubeAPIServer.EtcdCertFile = filepath.Join(b.PathSrvKubernetes(), "etcd-client.pem")
diff --git a/pkg/apis/kops/componentconfig.go b/pkg/apis/kops/componentconfig.go
index 309ad824aa16e..8d89b3c617502 100644
--- a/pkg/apis/kops/componentconfig.go
+++ b/pkg/apis/kops/componentconfig.go
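Review bot: The new guard in buildPod only skips the assignment of `BasicAuthFile`; it never clears a value already present on `kubeAPIServer`, so if that field can be populated from the cluster spec (not visible in this hunk), `disableBasicAuth: true` would not keep `--basic-auth-file` off the command line. Making the switch authoritative is a small addition: `if kubeAPIServer.DisableBasicAuth { kubeAPIServer.BasicAuthFile = "" }`. The hunk also leaves `TokenAuthFile` set unconditionally, so static-token authentication stays on, and whether `basic_auth.csv` is still written under `PathSrvKubernetes()` is decided outside this hunk; a short comment above the `if` stating that only the flag is dropped would keep operators from assuming the credential file is gone. buildPod's body starts and ends outside the hunk.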
@@ -216,6 +216,8 @@ type KubeProxyConfig struct {
 type KubeAPIServerConfig struct {
 // Image is the docker container used
 Image string `json:"image,omitempty"`
+ // DisableBasicAuth removes the --basic-auth-file flag
+ DisableBasicAuth bool `json:"disableBasicAuth,omitempty"`
 // LogLevel is the logging level of the api
 LogLevel int32 `json:"logLevel,omitempty" flag:"v" flag-empty:"0"`
 // CloudProvider is the name of the cloudProvider we are using, aws, gce etcd
diff --git a/pkg/apis/kops/v1alpha1/componentconfig.go b/pkg/apis/kops/v1alpha1/componentconfig.go
index 7a3848f90348c..7f7c6049d426c 100644
--- a/pkg/apis/kops/v1alpha1/componentconfig.go
+++ b/pkg/apis/kops/v1alpha1/componentconfig.go
@@ -216,6 +216,8 @@ type KubeProxyConfig struct {
 type KubeAPIServerConfig struct {
 // Image is the docker container used
 Image string `json:"image,omitempty"`
+ // DisableBasicAuth removes the --basic-auth-file flag
+ DisableBasicAuth bool `json:"disableBasicAuth,omitempty"`
 // LogLevel is the logging level of the api
 LogLevel int32 `json:"logLevel,omitempty" flag:"v" flag-empty:"0"`
 // CloudProvider is the name of the cloudProvider we are using, aws, gce etcd
diff --git a/pkg/apis/kops/v1alpha1/zz_generated.conversion.go b/pkg/apis/kops/v1alpha1/zz_generated.conversion.go
index 99690ff71914e..9d1ae15aafcd9 100644
--- a/pkg/apis/kops/v1alpha1/zz_generated.conversion.go
+++ b/pkg/apis/kops/v1alpha1/zz_generated.conversion.go
@@ -2153,6 +2153,7 @@ func Convert_kops_KopeioNetworkingSpec_To_v1alpha1_KopeioNetworkingSpec(in *kops func autoConvert_v1alpha1_KubeAPIServerConfig_To_kops_KubeAPIServerConfig(in *KubeAPIServerConfig, out *kops.KubeAPIServerConfig, s conversion.Scope) error { out.Image = in.Image + out.DisableBasicAuth = in.DisableBasicAuth out.LogLevel = in.LogLevel out.CloudProvider = in.CloudProvider out.SecurePort = in.SecurePort
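Review bot: The field comment on `DisableBasicAuth` says what is removed but not the default or the scope, and the same two lines are repeated in the v1alpha1 and v1alpha2 `componentconfig.go` hunks. Because the zero value is false, clusters keep static-password authentication unless they opt out, and the nodeup hunk in this commit shows the token file is still configured either way; the comment should say so, e.g. `// DisableBasicAuth, when true, stops nodeup from passing --basic-auth-file to kube-apiserver; the default (false) leaves static-password authentication enabled and token auth is unchanged`. Unlike its neighbour `LogLevel`, the field carries no `flag:` tag, which looks intentional since it is not itself an apiserver flag, but a word in the comment would make that explicit. The struct body continues outside the hunk.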
@@ -2224,6 +2225,7 @@ func Convert_v1alpha1_KubeAPIServerConfig_To_kops_KubeAPIServerConfig(in *KubeAP func autoConvert_kops_KubeAPIServerConfig_To_v1alpha1_KubeAPIServerConfig(in *kops.KubeAPIServerConfig, out *KubeAPIServerConfig, s conversion.Scope) error { out.Image = in.Image + out.DisableBasicAuth = in.DisableBasicAuth out.LogLevel = in.LogLevel out.CloudProvider = in.CloudProvider out.SecurePort = in.SecurePort
diff --git a/pkg/apis/kops/v1alpha2/componentconfig.go b/pkg/apis/kops/v1alpha2/componentconfig.go
index b963658007432..7cad0637063ba 100644
--- a/pkg/apis/kops/v1alpha2/componentconfig.go
+++ b/pkg/apis/kops/v1alpha2/componentconfig.go
@@ -216,6 +216,8 @@ type KubeProxyConfig struct {
 type KubeAPIServerConfig struct {
 // Image is the docker container used
 Image string `json:"image,omitempty"`
+ // DisableBasicAuth removes the --basic-auth-file flag
+ DisableBasicAuth bool `json:"disableBasicAuth,omitempty"`
 // LogLevel is the logging level of the api
 LogLevel int32 `json:"logLevel,omitempty" flag:"v" flag-empty:"0"`
 // CloudProvider is the name of the cloudProvider we are using, aws, gce etcd
diff --git a/pkg/apis/kops/v1alpha2/zz_generated.conversion.go b/pkg/apis/kops/v1alpha2/zz_generated.conversion.go
index 7390fcb373143..e491d68c10dec 100644
--- a/pkg/apis/kops/v1alpha2/zz_generated.conversion.go
+++ b/pkg/apis/kops/v1alpha2/zz_generated.conversion.go
@@ -2417,6 +2417,7 @@ func Convert_kops_KopeioNetworkingSpec_To_v1alpha2_KopeioNetworkingSpec(in *kops func autoConvert_v1alpha2_KubeAPIServerConfig_To_kops_KubeAPIServerConfig(in *KubeAPIServerConfig, out *kops.KubeAPIServerConfig, s conversion.Scope) error { out.Image = in.Image + out.DisableBasicAuth = in.DisableBasicAuth out.LogLevel = in.LogLevel out.CloudProvider = in.CloudProvider out.SecurePort = in.SecurePort
@@ -2488,6 +2489,7 @@ func Convert_v1alpha2_KubeAPIServerConfig_To_kops_KubeAPIServerConfig(in *KubeAP func autoConvert_kops_KubeAPIServerConfig_To_v1alpha2_KubeAPIServerConfig(in *kops.KubeAPIServerConfig, out *KubeAPIServerConfig, s conversion.Scope) error { out.Image = in.Image + out.DisableBasicAuth = in.DisableBasicAuth out.LogLevel = in.LogLevel out.CloudProvider = in.CloudProvider out.SecurePort = in.SecurePort