// BuildSerializeableNodeConfig takes the NodeArgs (partially complete config) and uses them along with defaulting behavior to create the fully specified // config object for starting the node // TODO: reconcile that this is not used by CreateNodeConfig in all-in-one start. func (args NodeArgs) BuildSerializeableNodeConfig() (*configapi.NodeConfig, error) { var dnsIP string if len(args.ClusterDNS) > 0 { dnsIP = args.ClusterDNS.String() } config := &configapi.NodeConfig{ NodeName: args.NodeName, ServingInfo: configapi.ServingInfo{ BindAddress: net.JoinHostPort(args.ListenArg.ListenAddr.Host, strconv.Itoa(ports.KubeletPort)), }, ImageConfig: configapi.ImageConfig{ Format: args.ImageFormatArgs.ImageTemplate.Format, Latest: args.ImageFormatArgs.ImageTemplate.Latest, }, NetworkConfig: configapi.NodeNetworkConfig{ NetworkPluginName: args.NetworkPluginName, }, VolumeDirectory: args.VolumeDir, AllowDisabledDocker: args.AllowDisabledDocker, DNSDomain: args.ClusterDomain, DNSIP: dnsIP, MasterKubeConfig: admin.DefaultNodeKubeConfigFile(args.ConfigDir.Value()), PodManifestConfig: nil, EnableUnidling: true, } if args.ListenArg.UseTLS() { config.ServingInfo.ServerCert = admin.DefaultNodeServingCertInfo(args.ConfigDir.Value()) config.ServingInfo.ClientCA = admin.DefaultKubeletClientCAFile(args.MasterCertDir) } internal, err := applyDefaults(config, configapiv1.SchemeGroupVersion) if err != nil { return nil, err } config = internal.(*configapi.NodeConfig) // When creating a new config, use Protobuf configapi.SetProtobufClientDefaults(config.MasterClientConnectionOverrides) return config, nil }
// BuildSerializeableMasterConfig takes the MasterArgs (partially complete config) and uses them along with defaulting behavior to create the fully specified // config object for starting the master func (args MasterArgs) BuildSerializeableMasterConfig() (*configapi.MasterConfig, error) { masterPublicAddr, err := args.GetMasterPublicAddress() if err != nil { return nil, err } assetPublicAddr, err := args.GetAssetPublicAddress() if err != nil { return nil, err } dnsBindAddr, err := args.GetDNSBindAddress() if err != nil { return nil, err } listenServingInfo := servingInfoForAddr(&args.ListenArg.ListenAddr) // always include the all-in-one server's web console as an allowed CORS origin // always include localhost as an allowed CORS origin // always include master public address as an allowed CORS origin corsAllowedOrigins := sets.NewString(args.CORSAllowedOrigins...) corsAllowedOrigins.Insert(assetPublicAddr.Host, masterPublicAddr.Host, "localhost", "127.0.0.1") etcdAddress, err := args.GetEtcdAddress() if err != nil { return nil, err } builtInEtcd := !args.EtcdAddr.Provided var etcdConfig *configapi.EtcdConfig if builtInEtcd { etcdConfig, err = args.BuildSerializeableEtcdConfig() if err != nil { return nil, err } } builtInKubernetes := len(args.KubeConnectionArgs.ClientConfigLoadingRules.ExplicitPath) == 0 var kubernetesMasterConfig *configapi.KubernetesMasterConfig if builtInKubernetes { kubernetesMasterConfig, err = args.BuildSerializeableKubeMasterConfig() if err != nil { return nil, err } } oauthConfig, err := args.BuildSerializeableOAuthConfig() if err != nil { return nil, err } kubeletClientInfo := admin.DefaultMasterKubeletClientCertInfo(args.ConfigDir.Value()) etcdClientInfo := admin.DefaultMasterEtcdClientCertInfo(args.ConfigDir.Value()) serviceServingCertSigner := admin.DefaultServiceSignerCAInfo(args.ConfigDir.Value()) dnsServingInfo := servingInfoForAddr(&dnsBindAddr) config := &configapi.MasterConfig{ ServingInfo: configapi.HTTPServingInfo{ ServingInfo: listenServingInfo, }, CORSAllowedOrigins: corsAllowedOrigins.List(), MasterPublicURL: masterPublicAddr.String(), KubernetesMasterConfig: kubernetesMasterConfig, EtcdConfig: etcdConfig, OAuthConfig: oauthConfig, PauseControllers: args.PauseControllers, AssetConfig: &configapi.AssetConfig{ ServingInfo: configapi.HTTPServingInfo{ ServingInfo: listenServingInfo, }, LogoutURL: "", MasterPublicURL: masterPublicAddr.String(), PublicURL: assetPublicAddr.String(), }, DNSConfig: &configapi.DNSConfig{ BindAddress: dnsServingInfo.BindAddress, BindNetwork: dnsServingInfo.BindNetwork, AllowRecursiveQueries: true, }, MasterClients: configapi.MasterClients{ OpenShiftLoopbackKubeConfig: admin.DefaultKubeConfigFilename(args.ConfigDir.Value(), bootstrappolicy.MasterUnqualifiedUsername), ExternalKubernetesKubeConfig: args.KubeConnectionArgs.ClientConfigLoadingRules.ExplicitPath, }, EtcdClientInfo: configapi.EtcdConnectionInfo{ URLs: []string{etcdAddress.String()}, }, KubeletClientInfo: configapi.KubeletConnectionInfo{ Port: ports.KubeletPort, }, PolicyConfig: configapi.PolicyConfig{ BootstrapPolicyFile: args.GetPolicyFile(), OpenShiftSharedResourcesNamespace: bootstrappolicy.DefaultOpenShiftSharedResourcesNamespace, }, ImageConfig: configapi.ImageConfig{ Format: args.ImageFormatArgs.ImageTemplate.Format, Latest: args.ImageFormatArgs.ImageTemplate.Latest, }, ProjectConfig: configapi.ProjectConfig{ DefaultNodeSelector: "", ProjectRequestMessage: "", ProjectRequestTemplate: "", // Allocator defaults on SecurityAllocator: &configapi.SecurityAllocator{}, }, NetworkConfig: configapi.MasterNetworkConfig{ NetworkPluginName: args.NetworkArgs.NetworkPluginName, ClusterNetworkCIDR: args.NetworkArgs.ClusterNetworkCIDR, HostSubnetLength: args.NetworkArgs.HostSubnetLength, ServiceNetworkCIDR: args.NetworkArgs.ServiceNetworkCIDR, }, VolumeConfig: configapi.MasterVolumeConfig{ DynamicProvisioningEnabled: true, }, ControllerConfig: configapi.ControllerConfig{ ServiceServingCert: configapi.ServiceServingCert{ Signer: &serviceServingCertSigner, }, }, } if args.ListenArg.UseTLS() { config.ServingInfo.ServerCert = admin.DefaultMasterServingCertInfo(args.ConfigDir.Value()) config.ServingInfo.ClientCA = admin.DefaultAPIClientCAFile(args.ConfigDir.Value()) config.AssetConfig.ServingInfo.ServerCert = admin.DefaultAssetServingCertInfo(args.ConfigDir.Value()) if oauthConfig != nil { s := admin.DefaultCABundleFile(args.ConfigDir.Value()) oauthConfig.MasterCA = &s } // Only set up ca/cert info for kubelet connections if we're self-hosting Kubernetes if builtInKubernetes { config.KubeletClientInfo.CA = admin.DefaultRootCAFile(args.ConfigDir.Value()) config.KubeletClientInfo.ClientCert = kubeletClientInfo.CertLocation config.ServiceAccountConfig.MasterCA = admin.DefaultCABundleFile(args.ConfigDir.Value()) } // Only set up ca/cert info for etcd connections if we're self-hosting etcd if builtInEtcd { config.EtcdClientInfo.CA = admin.DefaultRootCAFile(args.ConfigDir.Value()) config.EtcdClientInfo.ClientCert = etcdClientInfo.CertLocation } } if builtInKubernetes { // When we start Kubernetes, we're responsible for generating all the managed service accounts config.ServiceAccountConfig.ManagedNames = []string{ bootstrappolicy.DefaultServiceAccountName, bootstrappolicy.BuilderServiceAccountName, bootstrappolicy.DeployerServiceAccountName, } // We also need the private key file to give to the token generator config.ServiceAccountConfig.PrivateKeyFile = admin.DefaultServiceAccountPrivateKeyFile(args.ConfigDir.Value()) // We also need the public key file to give to the authenticator config.ServiceAccountConfig.PublicKeyFiles = []string{ admin.DefaultServiceAccountPublicKeyFile(args.ConfigDir.Value()), } } else { // When running against an external Kubernetes, we're only responsible for the builder and deployer accounts. // We don't have the private key, but we need to get the public key to authenticate signed tokens. // TODO: JTL: take arg for public key(s)? config.ServiceAccountConfig.ManagedNames = []string{ bootstrappolicy.BuilderServiceAccountName, bootstrappolicy.DeployerServiceAccountName, } config.ServiceAccountConfig.PublicKeyFiles = []string{} } // embed a default policy for generated config defaultImagePolicy, err := bootstrap.Asset("pkg/image/admission/imagepolicy/api/v1/default-policy.yaml") if err != nil { return nil, fmt.Errorf("unable to find default image admission policy: %v", err) } // TODO: this should not be necessary, runtime.Unknown#MarshalJSON should handle YAML content type correctly defaultImagePolicy, err = yaml.ToJSON(defaultImagePolicy) if err != nil { return nil, err } if config.AdmissionConfig.PluginConfig == nil { config.AdmissionConfig.PluginConfig = make(map[string]configapi.AdmissionPluginConfig) } config.AdmissionConfig.PluginConfig[imagepolicyapi.PluginName] = configapi.AdmissionPluginConfig{ Configuration: &runtime.Unknown{Raw: defaultImagePolicy}, } internal, err := applyDefaults(config, configapiv1.SchemeGroupVersion) if err != nil { return nil, err } config = internal.(*configapi.MasterConfig) // When creating a new config, use Protobuf configapi.SetProtobufClientDefaults(config.MasterClients.OpenShiftLoopbackClientConnectionOverrides) configapi.SetProtobufClientDefaults(config.MasterClients.ExternalKubernetesClientConnectionOverrides) return config, nil }
func (o CreateNodeConfigOptions) MakeNodeConfig(serverCertFile, serverKeyFile, nodeClientCAFile, kubeConfigFile, nodeConfigFile string) error { config := &configapi.NodeConfig{ NodeName: o.NodeName, ServingInfo: configapi.ServingInfo{ BindAddress: net.JoinHostPort(o.ListenAddr.Host, strconv.Itoa(ports.KubeletPort)), }, VolumeDirectory: o.VolumeDir, AllowDisabledDocker: o.AllowDisabledDocker, ImageConfig: configapi.ImageConfig{ Format: o.ImageTemplate.Format, Latest: o.ImageTemplate.Latest, }, DNSDomain: o.DNSDomain, DNSIP: o.DNSIP, MasterKubeConfig: kubeConfigFile, NetworkConfig: configapi.NodeNetworkConfig{ NetworkPluginName: o.NetworkPluginName, }, EnableUnidling: true, } if o.UseTLS() { config.ServingInfo.ServerCert = configapi.CertInfo{ CertFile: serverCertFile, KeyFile: serverKeyFile, } config.ServingInfo.ClientCA = nodeClientCAFile } // Resolve relative to CWD cwd, err := os.Getwd() if err != nil { return err } if err := configapi.ResolveNodeConfigPaths(config, cwd); err != nil { return err } // Relativize to config file dir base, err := cmdutil.MakeAbs(o.NodeConfigDir, cwd) if err != nil { return err } if err := configapi.RelativizeNodeConfigPaths(config, base); err != nil { return err } // Roundtrip the config to v1 and back to ensure proper defaults are set. ext, err := configapi.Scheme.ConvertToVersion(config, latestconfigapi.Version) if err != nil { return err } internal, err := configapi.Scheme.ConvertToVersion(ext, configapi.SchemeGroupVersion) if err != nil { return err } config = internal.(*configapi.NodeConfig) // For new configurations, use protobuf. configapi.SetProtobufClientDefaults(config.MasterClientConnectionOverrides) content, err := latestconfigapi.WriteYAML(internal) if err != nil { return err } if err := ioutil.WriteFile(nodeConfigFile, content, 0644); err != nil { return err } return nil }