Make service-account secrets in kubectl form. #7011
Changes approach taken in kubernetes#5470

Instead of creating a kubernetes_auth file, which we are trying to get away from, creates a kubeconfig file, which is the new hotness.

Instead of creating the kubeconfig file in the kube-addon script on the master, it creates it at the time of salt-overlay generation. More information is available at this time. In particular, the master certs and master address are handy at this point, so those are included in the kubeconfig file.

The kube-addons script is simplified because the secret objects are now just plain old yaml files, which it knows how to create, just like it creates pods and services.

Kubectl is used to generate the kubeconfig file. This ensures correct format and is more self-documenting, and matches how the admin credentials are done.

TODO(erictune): do this for kubelet.
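An added example, not code from this PR: one way to build a token-based kubeconfig with `kubectl config`, creating the file owner-only before the token is written into it. The function name, the argument order and the cluster name `local` are assumptions; the context name follows the suggestion made in review.

```bash
# Added example (not the PR's code). Function name, argument order and the
# cluster name "local" are assumptions made for illustration.
#
# Usage: create_service_account_kubeconfig FILE USER TOKEN SERVER CA_CERT
create_service_account_kubeconfig() {
  # Fail early on a missing or empty argument instead of writing a
  # kubeconfig with an empty token or server.
  local kubeconfig="${1:?kubeconfig path required}"
  local kube_user="${2:?user name required}"
  local token="${3:?bearer token required}"
  local server="${4:?master address required}"
  local ca_cert="${5:?CA certificate path required}"
  local context="service-account-context"

  # The file will hold a bearer token: create it (and any new parent
  # directories) owner-only before kubectl writes the secret.
  (
    umask 077
    mkdir -p "$(dirname "${kubeconfig}")"
    : > "${kubeconfig}"
  )
  chmod 600 "${kubeconfig}"  # also tightens a file that already existed

  # Embed the CA certificate so the file is usable on its own.
  kubectl config set-cluster local --kubeconfig="${kubeconfig}" \
    --server="${server}" --certificate-authority="${ca_cert}" \
    --embed-certs=true

  # Caveat: --token places the secret on kubectl's command line, where other
  # local users can read it from the process table while the command runs.
  kubectl config set-credentials "${kube_user}" \
    --kubeconfig="${kubeconfig}" --token="${token}"

  kubectl config set-context "${context}" --kubeconfig="${kubeconfig}" \
    --cluster=local --user="${kube_user}"
  kubectl config use-context "${context}" --kubeconfig="${kubeconfig}"
}
```

As the thread notes, this can only run once `kubectl` and the master certs are available on the machine.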
@zmerlynn reviewed the last PR like this. If he is available, he is a good reviewer for this.
Sure. I need to grab a beer anyways.
mkdir -p $(dirname "${kubeconfig}") | ||
touch "${kubeconfig}" | ||
fi | ||
local context="local" |
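Review bot: the `touch "${kubeconfig}"` line creates the file with whatever permissions the current umask allows, and this file is meant to carry service-account credentials; set `umask 077` around the `mkdir`/`touch` pair or `chmod 600` the file right after creating it. The `$(dirname "${kubeconfig}")` substitution on the `mkdir -p` line is also unquoted, so a path containing spaces would be split; wrap it in double quotes.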
Huh? What's going on here between this and line 79?
LGTM except some nits.
local kubeconfig=$1 | ||
local kube_user=$2 | ||
local token=$3 | ||
local context="pod" # Any string would do here because a service account kubeconfig |
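Review bot: the three positional parameters at the top of this function are assigned with no check, so nothing in these lines stops a call with a missing or empty `$3` from proceeding with an empty token; use `${3:?token required}` (and the same form for `$1` and `$2`) so the function fails before any file is written.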
Even if any string will do, I'd recommend something like `service-account-context`.
This doesn't work at all. So, configure-vm is the wrong place to be setting this stuff up. I am going to have to go back to the kube-addons approach.
@erictune: Sorry for not noticing. I blame Friday afternoon. I have a silly proposal before you go the other route. I feel like the
(In fact, I suspect the logical thing is to move
Doing it before run-salt is still too early to use kubectl and too early to read the certs.