Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Add an ssh tunnel option to the /proxy endpoint #9292

Merged
merged 10 commits into from
Jun 8, 2015
Merged

Add an ssh tunnel option to the /proxy endpoint #9292

merged 10 commits into from
Jun 8, 2015

Conversation

cjcullen
Copy link
Member

@cjcullen cjcullen commented Jun 5, 2015

Key generation and propagation is handled on gce.
Tunnels are recycled after 5 minutes.
The ssh-proxy functionality is not enabled by default for the gce provider.

I can squash commits when this gets ready to merge.

@brendandburns

@cjcullen cjcullen force-pushed the test_pull_8946 branch 3 times, most recently from 58e01a8 to 0a20dbe Compare June 5, 2015 06:56
@k8s-bot
Copy link

k8s-bot commented Jun 5, 2015

EXPERIMENTAL JENKINS PR BUILDER: e2e build succeeded.

@ghost
Copy link

ghost commented Jun 5, 2015

This is a lot of new code. What issue does it address? Is it v1.0?

@ghost ghost self-assigned this Jun 5, 2015
@alex-mohr
Copy link
Contributor

I think part of #3168 ?

@cjcullen
Copy link
Member Author

cjcullen commented Jun 5, 2015

This addresses #3168 for the /proxy case (we won't need kubelet listening on the public internet for proxy).

@cjcullen cjcullen mentioned this pull request Jun 5, 2015
Closed
brendandburns
brendandburns reviewed Jun 5, 2015
View reviewed changes
pkg/util/ssh.go
return nil
}

func (l SSHTunnelList) Close() {
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Document that this is async, and tunnels won't be closed when the method returns.

@brendandburns
Copy link
Contributor

Generally LGTM, needs a rebase (and tests, if you felt like writing them...)

cjcullen and others added 8 commits June 5, 2015 14:54
@cjcullen
Mount cloud-config files for cloudproviders in kube-apiserver & kube-…
82afaaf 
…controllermanager.
@brendandburns @cjcullen
Add tunnelling to the proxy API handler.
631cf34
@brendandburns @cjcullen
Initial proxy tunnelling.
30a8996
@brendandburns @cjcullen
Add key generation.
5115fd5
@cjcullen
Specify sshUser, sshKeyfile in kube-apiserver manifest.
de9a5f4 
Trim space on ssh key so GCE doesn't treat it as 2 lines.
A couple other minor fixes.
@brendandburns @cjcullen
Add the SSHTunnel transport to the kubelet client.
7ea533d
@cjcullen
Fix transport creation logic.
1ae8801 
Refactor loadTunnels to allow one path for load, another for refresh.
Make SSHTunnelList.Close sleep for a minute before actually closing each tunnel.
@cjcullen
Some refactoring. Only selectively use ssh proxy.
cb31760 
Add NetworkName to gce.Config.
Add locking to uses of master.tunnels.
@k8s-bot
Copy link

k8s-bot commented Jun 5, 2015

EXPERIMENTAL JENKINS PR BUILDER: e2e build succeeded.

@cjcullen
Make sshproxy use a hostmount on master PD (don't spam sshKeys on upg…
04cd9b3 
…rade/reboot).

Add comment describing what SSHTunnelList.Close() does.
Simplify util.FileExists.
@k8s-bot
Copy link

k8s-bot commented Jun 5, 2015

EXPERIMENTAL JENKINS PR BUILDER: e2e build succeeded.

1 similar comment
@k8s-bot
Copy link

k8s-bot commented Jun 5, 2015

EXPERIMENTAL JENKINS PR BUILDER: e2e build succeeded.

@cjcullen
Change sshproxy to poll registry for nodes every 10 seconds (reduces …
9ab3298 
…window where closed tunnels from scaling down may exist).
@k8s-bot
Copy link

k8s-bot commented Jun 5, 2015

EXPERIMENTAL JENKINS PR BUILDER: e2e build succeeded.

@kprobst
Copy link

kprobst commented Jun 5, 2015

Mostly LGTM, a couple of nits.

@cjcullen
Copy link
Member Author

cjcullen commented Jun 5, 2015

Note: this is not enabled by default. On GCE, it will only be enabled if grains.proxy_ssh_user is set.

@brendandburns brendandburns added the lgtm "Looks good to me", indicates that a PR is ready to be merged. label Jun 8, 2015
@ghost
Copy link

ghost commented Jun 8, 2015

@cjcullen and @brendanburns are working on the missing tests, which can come in a separate PR. This PR LGTM.

krousey added a commit that referenced this pull request Jun 8, 2015
@krousey
Merge pull request #9292 from cjcullen/test_pull_8946
5aa0219 
Add an ssh tunnel option to the /proxy endpoint
@krousey krousey merged commit 5aa0219 into kubernetes:master Jun 8, 2015
@j3ffml j3ffml mentioned this pull request Jun 30, 2015
Merged
j3ffml added a commit to j3ffml/kubernetes that referenced this pull request Jul 1, 2015
@j3ffml
Make UpgradeAwareProxyHandler use transport.Dial if provided
f0a36b0 
This change is required for the handler to work with sshtunnels.
Without it, `kubectl exec` and `kubectl port-forward` are broken
when an ssh proxy is used (see kubernetes#9292). I manually verified this
fixes that issue, e2e test coming shortly.
@cjcullen cjcullen unassigned ghost Aug 12, 2015
@liggitt liggitt mentioned this pull request Oct 8, 2015
Merged
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers
No reviews
Assignees
No one assigned
Labels
lgtm "Looks good to me", indicates that a PR is ready to be merged.
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
7 participants
@cjcullen @k8s-bot @alex-mohr @brendandburns @kprobst @krousey @googlebot