From 4c285f55e4e403f9387b0dae579de883dc7e7e51 Mon Sep 17 00:00:00 2001
From: tstromberg
Date: Fri, 7 Feb 2020 09:35:36 -0800
Subject: [PATCH 1/2] Add ca-certificates directory for distros that do not include it
---
 pkg/minikube/cluster/start.go | 1 +
 1 file changed, 1 insertion(+)
diff --git a/pkg/minikube/cluster/start.go b/pkg/minikube/cluster/start.go
index d89ec2d757a3..8e0d3631b72d 100644
--- a/pkg/minikube/cluster/start.go
+++ b/pkg/minikube/cluster/start.go
@@ -55,6 +55,7 @@ var (
 path.Join(vmpath.GuestPersistentDir, "images"),
 path.Join(vmpath.GuestPersistentDir, "binaries"),
 "/tmp/gvisor",
+ "/usr/share/ca-certificates",
 }
 )
From 97f926eeb1a5c252202b0c7f85448da81b9db20e Mon Sep 17 00:00:00 2001
From: tstromberg
Date: Fri, 7 Feb 2020 13:06:00 -0800
Subject: [PATCH 2/2] Use vmpath constants where possible
---
 pkg/drivers/none/none.go | 2 +-
 pkg/gvisor/enable.go | 3 ++-
 pkg/minikube/assets/addons.go | 2 +-
 pkg/minikube/bootstrapper/bsutil/kubeadm.go | 2 +-
 pkg/minikube/bootstrapper/bsutil/versions.go | 2 +-
 pkg/minikube/bootstrapper/certs.go | 23 +++++++-------------
 pkg/minikube/cluster/start.go | 7 +++---
 pkg/minikube/constants/constants.go | 3 ---
 pkg/minikube/vmpath/constants.go | 10 +++++++--
 9 files changed, 26 insertions(+), 28 deletions(-)
diff --git a/pkg/drivers/none/none.go b/pkg/drivers/none/none.go
index a2a43e8855f9..aa9a79bcf4de 100644
--- a/pkg/drivers/none/none.go
+++ b/pkg/drivers/none/none.go
@@ -42,7 +42,7 @@ import (
 var cleanupPaths = []string{
 vmpath.GuestEphemeralDir,
 vmpath.GuestManifestsDir,
- "/var/lib/minikube",
+ vmpath.GuestPersistentDir,
 }
 // Driver is a driver designed to run kubeadm w/o VM management, and assumes systemctl.
diff --git a/pkg/gvisor/enable.go b/pkg/gvisor/enable.go
index 83b391156bb2..ab40bf55396a 100644
--- a/pkg/gvisor/enable.go
+++ b/pkg/gvisor/enable.go
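Review bot: In the none.go hunk, cleanupPaths still lists only the three minikube-owned directories, so the CA material that configureCACerts installs into the system trust store (the .pem files placed under vmpath.GuestCertAuthDir and the links it creates in vmpath.GuestCertStoreDir, per the certs.go hunks later in this series) survives a none-driver cleanup — and since the Driver comment says it runs kubeadm without VM management, that is the user's host trust store. The fix is not to add GuestCertAuthDir or GuestCertStoreDir to cleanupPaths, since those are system directories; instead record the individual files minikube placed there (minikubeCA.pem and its subject-hash link) and remove only those on cleanup. How cleanupPaths is consumed is outside this hunk, so whether it deletes recursively is inferred.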
@@ -32,6 +32,7 @@ import (
 "github.com/pkg/errors"
 "k8s.io/minikube/pkg/minikube/assets"
 "k8s.io/minikube/pkg/minikube/constants"
+ "k8s.io/minikube/pkg/minikube/vmpath"
 )
 const (
@@ -176,7 +177,7 @@ func copyAssetToDest(targetName, dest string) error {
 }
 // Now, copy the data from this asset to dest
- src := filepath.Join(constants.GvisorFilesPath, asset.GetTargetName())
+ src := filepath.Join(vmpath.GuestGvisorDir, asset.GetTargetName())
 log.Printf("%s asset path: %s", targetName, src)
 contents, err := ioutil.ReadFile(src)
 if err != nil {
diff --git a/pkg/minikube/assets/addons.go b/pkg/minikube/assets/addons.go
index d2a50ed24c29..b25446e8f668 100644
--- a/pkg/minikube/assets/addons.go
+++ b/pkg/minikube/assets/addons.go
@@ -299,7 +299,7 @@ var Addons = map[string]*Addon{
 false),
 MustBinAsset(
 "deploy/addons/gvisor/gvisor-config.toml",
- constants.GvisorFilesPath,
+ vmpath.GuestGvisorDir,
 constants.GvisorConfigTomlTargetName,
 "0640",
 true),
diff --git a/pkg/minikube/bootstrapper/bsutil/kubeadm.go b/pkg/minikube/bootstrapper/bsutil/kubeadm.go
index 357c4e579d83..9f1ee3b65687 100644
--- a/pkg/minikube/bootstrapper/bsutil/kubeadm.go
+++ b/pkg/minikube/bootstrapper/bsutil/kubeadm.go
@@ -80,7 +80,7 @@ func GenerateKubeadmYAML(mc config.MachineConfig, r cruntime.Manager) ([]byte, e
 FeatureArgs map[string]bool
 NoTaintMaster bool
 }{
- CertDir: vmpath.GuestCertsDir,
+ CertDir: vmpath.GuestKubernetesCertsDir,
 ServiceCIDR: constants.DefaultServiceCIDR,
 PodSubnet: k8s.ExtraOptions.Get("pod-network-cidr", Kubeadm),
 AdvertiseAddress: cp.IP,
diff --git a/pkg/minikube/bootstrapper/bsutil/versions.go b/pkg/minikube/bootstrapper/bsutil/versions.go
index fdbbfa5add87..0d11ccf2e74a 100644
--- a/pkg/minikube/bootstrapper/bsutil/versions.go
+++ b/pkg/minikube/bootstrapper/bsutil/versions.go
@@ -90,7 +90,7 @@ var versionSpecificOpts = []config.VersionedExtraOption{
 // Auth args
 config.NewUnversionedOption(Kubelet, "authorization-mode", "Webhook"),
- config.NewUnversionedOption(Kubelet, "client-ca-file", path.Join(vmpath.GuestCertsDir, "ca.crt")),
+ config.NewUnversionedOption(Kubelet, "client-ca-file", path.Join(vmpath.GuestKubernetesCertsDir, "ca.crt")),
 // Cgroup args
 config.NewUnversionedOption(Kubelet, "cgroup-driver", "cgroupfs"),
diff --git a/pkg/minikube/bootstrapper/certs.go b/pkg/minikube/bootstrapper/certs.go
index b8bfb60f6a5f..ed5738a03e1a 100644
--- a/pkg/minikube/bootstrapper/certs.go
+++ b/pkg/minikube/bootstrapper/certs.go
@@ -45,13 +45,6 @@ import (
 "github.com/juju/mutex"
 )
-const (
- // CACertificatesDir contains CA certificates
- CACertificatesDir = "/usr/share/ca-certificates"
- // SSLCertStoreDir contains SSL certificates
- SSLCertStoreDir = "/etc/ssl/certs"
-)
 var (
 certs = []string{
 "ca.crt", "ca.key", "apiserver.crt", "apiserver.key", "proxy-client-ca.crt",
@@ -89,7 +82,7 @@ func SetupCerts(cmd command.Runner, k8s config.KubernetesConfig, n config.Node)
 if strings.HasSuffix(cert, ".key") {
 perms = "0600"
 }
- certFile, err := assets.NewFileAsset(p, vmpath.GuestCertsDir, cert, perms)
+ certFile, err := assets.NewFileAsset(p, vmpath.GuestKubernetesCertsDir, cert, perms)
 if err != nil {
 return err
 }
@@ -112,9 +105,9 @@ func SetupCerts(cmd command.Runner, k8s config.KubernetesConfig, n config.Node)
 kcs := &kubeconfig.Settings{
 ClusterName: n.Name,
 ClusterServerAddress: fmt.Sprintf("https://%s", net.JoinHostPort("localhost", fmt.Sprint(n.Port))),
- ClientCertificate: path.Join(vmpath.GuestCertsDir, "apiserver.crt"),
- ClientKey: path.Join(vmpath.GuestCertsDir, "apiserver.key"),
- CertificateAuthority: path.Join(vmpath.GuestCertsDir, "ca.crt"),
+ ClientCertificate: path.Join(vmpath.GuestKubernetesCertsDir, "apiserver.crt"),
+ ClientKey: path.Join(vmpath.GuestKubernetesCertsDir, "apiserver.key"),
+ CertificateAuthority: path.Join(vmpath.GuestKubernetesCertsDir, "ca.crt"),
 KeepContext: false,
 }
@@ -289,7 +282,7 @@ func collectCACerts() (map[string]string, error) {
 if validPem {
 filename := filepath.Base(hostpath)
 dst := fmt.Sprintf("%s.%s", strings.TrimSuffix(filename, ext), "pem")
- certFiles[hostpath] = path.Join(CACertificatesDir, dst)
+ certFiles[hostpath] = path.Join(vmpath.GuestCertAuthDir, dst)
 }
 }
 }
@@ -304,7 +297,7 @@ func collectCACerts() (map[string]string, error) {
 }
 // populates minikube CA
- certFiles[filepath.Join(localPath, "ca.crt")] = path.Join(CACertificatesDir, "minikubeCA.pem")
+ certFiles[filepath.Join(localPath, "ca.crt")] = path.Join(vmpath.GuestCertAuthDir, "minikubeCA.pem")
 filtered := map[string]string{}
 for k, v := range certFiles {
@@ -340,7 +333,7 @@ func configureCACerts(cr command.Runner, caCerts map[string]string) error {
 for _, caCertFile := range caCerts {
 dstFilename := path.Base(caCertFile)
- certStorePath := path.Join(SSLCertStoreDir, dstFilename)
+ certStorePath := path.Join(vmpath.GuestCertStoreDir, dstFilename)
 cmd := fmt.Sprintf("test -f %s || ln -fs %s %s", caCertFile, certStorePath, caCertFile)
 if _, err := cr.RunCmd(exec.Command("sudo", "/bin/bash", "-c", cmd)); err != nil {
 return errors.Wrapf(err, "create symlink for %s", caCertFile)
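Review bot: In the configureCACerts hunk (@@ -340) the renamed certStorePath, together with caCertFile, is still formatted unquoted into a `bash -c` string (`test -f %s || ln -fs %s %s`), and the @@ -350 hunk does the same with subjectHashLink; caCertFile comes from collectCACerts, which derives it from filepath.Base of a user-supplied host path, so a file name containing whitespace or shell metacharacters produces a different command than the one intended. Because the command only tests for a path and creates a link, the paths can be passed as separate argv entries instead of shell text — for the link step `exec.Command("sudo", "ln", "-fs", certStorePath, caCertFile)`, with the existence check done as its own RunCmd call — which removes the need for any quoting. The enclosing function starts before and ends after this hunk.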
@@ -350,7 +343,7 @@ func configureCACerts(cr command.Runner, caCerts map[string]string) error {
 if err != nil {
 return errors.Wrapf(err, "calculate hash for cacert %s", caCertFile)
 }
- subjectHashLink := path.Join(SSLCertStoreDir, fmt.Sprintf("%s.0", subjectHash))
+ subjectHashLink := path.Join(vmpath.GuestCertStoreDir, fmt.Sprintf("%s.0", subjectHash))
 // NOTE: This symlink may exist, but point to a missing file
 cmd := fmt.Sprintf("test -L %s || ln -fs %s %s", subjectHashLink, certStorePath, subjectHashLink)
diff --git a/pkg/minikube/cluster/start.go b/pkg/minikube/cluster/start.go
index 8e0d3631b72d..7f30942238df 100644
--- a/pkg/minikube/cluster/start.go
+++ b/pkg/minikube/cluster/start.go
@@ -51,11 +51,12 @@ var (
 vmpath.GuestManifestsDir,
 vmpath.GuestEphemeralDir,
 vmpath.GuestPersistentDir,
- vmpath.GuestCertsDir,
+ vmpath.GuestKubernetesCertsDir,
 path.Join(vmpath.GuestPersistentDir, "images"),
 path.Join(vmpath.GuestPersistentDir, "binaries"),
- "/tmp/gvisor",
- "/usr/share/ca-certificates",
+ vmpath.GuestGvisorDir,
+ vmpath.GuestCertAuthDir,
+ vmpath.GuestCertStoreDir,
 }
 )
diff --git a/pkg/minikube/constants/constants.go b/pkg/minikube/constants/constants.go
index edf14a90e464..72349d31c9f7 100644
--- a/pkg/minikube/constants/constants.go
+++ b/pkg/minikube/constants/constants.go
@@ -111,9 +111,6 @@ var KubernetesReleaseBinaries = []string{"kubelet", "kubeadm", "kubectl"}
 var ImageCacheDir = localpath.MakeMiniPath("cache", "images")
 const (
- // GvisorFilesPath is the path to the gvisor files saved by go-bindata
- GvisorFilesPath = "/tmp/gvisor"
- // GvisorConfigTomlTargetName is the go-bindata target name for the gvisor config.toml GvisorConfigTomlTargetName = "gvisor-config.toml"
 )
diff --git a/pkg/minikube/vmpath/constants.go b/pkg/minikube/vmpath/constants.go
index 7a6cf84f4fef..aa0d66e2eae2 100644
--- a/pkg/minikube/vmpath/constants.go
+++ b/pkg/minikube/vmpath/constants.go
@@ -25,6 +25,12 @@ const (
 GuestEphemeralDir = "/var/tmp/minikube"
 // GuestPersistentDir is the path where persistent data should be stored within the VM (not tmpfs)
 GuestPersistentDir = "/var/lib/minikube"
- // GuestCertsDir are where Kubernetes certificates are kept on the guest
- GuestCertsDir = GuestPersistentDir + "/certs"
+ // GuestKubernetesCertsDir are where Kubernetes certificates are stored
+ GuestKubernetesCertsDir = GuestPersistentDir + "/certs"
+ // GuestCertAuthDir is where system CA certificates are installed to
+ GuestCertAuthDir = "/usr/share/ca-certificates"
+ // GuestCertStoreDir is where system SSL certificates are installed
+ GuestCertStoreDir = "/etc/ssl/certs"
+ // Where gvisor bootstraps from
+ GuestGvisorDir = "/tmp/gvisor"
 )
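Review bot: The doc comment on the new GuestGvisorDir constant in the @@ -25 hunk does not start with the identifier as the other constants in this block do, and the new GuestKubernetesCertsDir comment keeps the "are where" wording for a single path; suggested lines are `// GuestKubernetesCertsDir is where Kubernetes certificates are stored` and `// GuestGvisorDir is where gvisor bootstraps from`. Separately, the constant now fixes the gvisor staging path at "/tmp/gvisor", and copyAssetToDest in enable.go reads assets back from that location; /tmp is presumably shared and world-writable in the guest, so the comment should record that assumption and what guarantees the directory's ownership and mode, which the directory list in start.go does not show from this hunk. Both comment changes are one line each and need no code change.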