From 6fa106fe2a4e85ccedf8a51d5cd4e7716f0b22e7 Mon Sep 17 00:00:00 2001
From: Aaron Sheffield
Date: Tue, 8 May 2018 13:47:25 -0500
Subject: [PATCH] Disable anonymous-auth

- Turn off anonymous-auth.
- Reworked haproxy helm test and updated test images.
- Reworked kubernetes-apiserver readiness and liveness tests.

Change-Id: Ifb39ebed0f9f6e430e97247fceebbd7816f092c7
---
 charts/apiserver/templates/daemonset.yaml | 15 ++++++---
 .../etc/_kubernetes-apiserver.yaml.tpl | 32 ++++++++++++-------
 .../templates/tests/test-haproxy-health.yaml | 2 +-
 charts/haproxy/values.yaml | 1 -
 examples/basic/armada-resources.yaml | 2 +-
 examples/complete/armada-resources.yaml | 2 +-
 .../manifests/bootstrap-armada.yaml | 2 +-
 .../manifests/kubernetes-apiserver.yaml | 2 +-
 8 files changed, 36 insertions(+), 22 deletions(-)

diff --git a/charts/apiserver/templates/daemonset.yaml b/charts/apiserver/templates/daemonset.yaml
index 01d0d40e..4c990668 100644
--- a/charts/apiserver/templates/daemonset.yaml
+++ b/charts/apiserver/templates/daemonset.yaml
@@ -64,11 +64,16 @@ spec:
 - /tmp/bin/pre_stop
 readinessProbe:
- httpGet:
- host: 127.0.0.1
- path: /healthz
- port: {{ .Values.network.kubernetes_apiserver.port }}
- scheme: HTTPS
+ exec:
+ command:
+ - /bin/bash
+ - -c
+ - |-
+ if [ ! -f /host{{ .Values.apiserver.host_etc_path }}/pki/apiserver-both.pem ]; then
+ cat /host{{ .Values.apiserver.host_etc_path }}/pki/apiserver-key.pem /host{{ .Values.apiserver.host_etc_path }}/pki/apiserver.pem > /etc/kubernetes/apiserver/pki/apiserver-both.pem
+ fi
+ echo -e 'GET /healthz HTTP/1.0\r\n' | socat - openssl:localhost:{{ .Values.network.kubernetes_apiserver.port }},cert=/host{{ .Values.apiserver.host_etc_path }}/pki/apiserver-both.pem,cafile=/host{{ .Values.apiserver.host_etc_path }}/pki/cluster-ca.pem | grep '200 OK'
+ exit $?
 initialDelaySeconds: 10
 periodSeconds: 5
 timeoutSeconds: 5
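Review bot: The new readiness script tests for and later reads the combined PEM at `/host{{ .Values.apiserver.host_etc_path }}/pki/apiserver-both.pem`, but the `cat` that is supposed to create it redirects to `/etc/kubernetes/apiserver/pki/apiserver-both.pem` with no `/host` prefix; unless those two paths happen to be the same mount, socat never finds its client certificate, the probe fails on every period, and the key is re-copied each run. The redirect should target the same path the probe reads, and because the file holds the private key it should not inherit the default umask: add `umask 077` on the line before the `cat` and change the redirect to `> /host{{ .Values.apiserver.host_etc_path }}/pki/apiserver-both.pem`. The liveness probe for this container is not in the hunk, so whether it was switched from `httpGet` too (which would also start returning 401 with anonymous auth off) cannot be confirmed here. The container spec begins and ends outside this hunk.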
diff --git a/charts/apiserver/templates/etc/_kubernetes-apiserver.yaml.tpl b/charts/apiserver/templates/etc/_kubernetes-apiserver.yaml.tpl
index 5da319b6..9d296ad2 100644
--- a/charts/apiserver/templates/etc/_kubernetes-apiserver.yaml.tpl
+++ b/charts/apiserver/templates/etc/_kubernetes-apiserver.yaml.tpl
@@ -39,7 +39,7 @@ spec:
 - {{ . }}
 {{- end }}
 - --advertise-address=$(POD_IP)
- --anonymous-auth=true
+ --anonymous-auth=false
 - --bind-address=0.0.0.0
 - --secure-port={{ .Values.network.kubernetes_apiserver.port }}
 - --insecure-port=0
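Review bot: With `--anonymous-auth=false` every unauthenticated request to this apiserver, `/healthz` included, is rejected instead of being mapped to `system:anonymous`, so any checker that previously relied on that (an haproxy `httpchk`, an external load-balancer probe, a monitoring scrape against `/healthz`) will start seeing 401 and needs to be verified alongside the kubelet probes this commit rewrites. The flag is only meaningful because the visible context keeps `--insecure-port=0`; the insecure listener would otherwise still answer without authentication. A short comment above the flag would spare the next reader from re-deriving why the probes below carry a client certificate, e.g. `# Anonymous requests are rejected; /healthz and /version now require a client cert or token.` The flag list continues outside this hunk.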
@@ -61,22 +61,32 @@ spec:
 - containerPort: {{ .Values.network.kubernetes_apiserver.port }}
 readinessProbe:
- httpGet:
- host: 127.0.0.1
- path: /healthz
- port: {{ .Values.network.kubernetes_apiserver.port }}
- scheme: HTTPS
+ exec:
+ command:
+ - /bin/bash
+ - -c
+ - |-
+ if [ ! -f /etc/kubernetes/apiserver/pki/apiserver-both.pem ]; then
+ cat /etc/kubernetes/apiserver/pki/apiserver-key.pem /etc/kubernetes/apiserver/pki/apiserver.pem > /etc/kubernetes/apiserver/pki/apiserver-both.pem
+ fi
+ echo -e 'GET /healthz HTTP/1.0\r\n' | socat - openssl:localhost:{{ .Values.network.kubernetes_apiserver.port }},cert=/etc/kubernetes/apiserver/pki/apiserver-both.pem,cafile=/etc/kubernetes/apiserver/pki/cluster-ca.pem | grep '200 OK'
+ exit $?
 initialDelaySeconds: 10
 periodSeconds: 5
 timeoutSeconds: 5
 livenessProbe:
+ exec:
+ command:
+ - /bin/bash
+ - -c
+ - |-
+ if [ ! -f /etc/kubernetes/apiserver/pki/apiserver-both.pem ]; then
+ cat /etc/kubernetes/apiserver/pki/apiserver-key.pem /etc/kubernetes/apiserver/pki/apiserver.pem > /etc/kubernetes/apiserver/pki/apiserver-both.pem
+ fi
+ echo -e 'GET /healthz HTTP/1.0\r\n' | socat - openssl:localhost:{{ .Values.network.kubernetes_apiserver.port }},cert=/etc/kubernetes/apiserver/pki/apiserver-both.pem,cafile=/etc/kubernetes/apiserver/pki/cluster-ca.pem | grep '200 OK'
+ exit $?
 failureThreshold: 2
- httpGet:
- host: 127.0.0.1
- path: /healthz
- port: {{ .Values.network.kubernetes_apiserver.port }}
- scheme: HTTPS
 initialDelaySeconds: 15
 periodSeconds: 10
 successThreshold: 1
diff --git a/charts/haproxy/templates/tests/test-haproxy-health.yaml b/charts/haproxy/templates/tests/test-haproxy-health.yaml
index dd3782c7..7891b10b 100644
--- a/charts/haproxy/templates/tests/test-haproxy-health.yaml
+++ b/charts/haproxy/templates/tests/test-haproxy-health.yaml
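Review bot: Both new probe scripts copy the apiserver private key into a fresh file, `/etc/kubernetes/apiserver/pki/apiserver-both.pem`, through a bare redirect, so its mode is whatever the process umask yields (commonly 0644) rather than whatever protects the source `apiserver-key.pem`; prefixing the `cat` with `umask 077` keeps the copy as restrictive as the original. The identical ten-line script now appears three times in this commit (readiness and liveness here, readiness in daemonset.yaml), which is hard to audit and easy to let drift; a single helper script invoked by each probe would carry the fix once. Because liveness now requires a successful client-certificate TLS handshake, an expired `apiserver.pem` or a rotated `cluster-ca.pem` would restart the apiserver in a loop instead of surfacing as a readiness failure, which is worth a comment on the `livenessProbe:` line. The trailing `exit $?` is redundant, since `bash -c` already returns the status of the final pipeline. The liveness probe's remaining fields continue past this hunk.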
@@ -33,7 +33,7 @@ spec:
 fieldRef:
 fieldPath: status.hostIP
 - name: 'HAPROXY_URL'
- value: https://$(HOST_IP):{{ .Values.endpoints.health.port }}/{{ .Values.endpoints.health.path }}
+ value: https://$(HOST_IP):{{ .Values.endpoints.health.port }}
 image: {{ .Values.images.tags.test }}
 imagePullPolicy: {{ .Values.images.pull_policy }}
 {{ tuple . .Values.pod.resources.test | include "helm-toolkit.snippets.kubernetes_resources" | indent 6 }}
diff --git a/charts/haproxy/values.yaml b/charts/haproxy/values.yaml
index 2c772ccb..3f8e32aa 100644
--- a/charts/haproxy/values.yaml
+++ b/charts/haproxy/values.yaml
@@ -70,7 +70,6 @@ manifests:
 endpoints:
 health:
 port: 6553
- path: "healthz"
 pod:
 lifecycle:
diff --git a/examples/basic/armada-resources.yaml b/examples/basic/armada-resources.yaml
index 77589a54..7a61236b 100644
--- a/examples/basic/armada-resources.yaml
+++ b/examples/basic/armada-resources.yaml
@@ -613,7 +613,7 @@ data:
 tags:
 anchor: gcr.io/google_containers/hyperkube-amd64:v1.10.2
 haproxy: haproxy:1.8.3
- test: busybox:1.28.3
+ test: python:3.6
 source:
 type: local
diff --git a/examples/complete/armada-resources.yaml b/examples/complete/armada-resources.yaml
index b872a3a7..0c34a979 100644
--- a/examples/complete/armada-resources.yaml
+++ b/examples/complete/armada-resources.yaml
@@ -647,7 +647,7 @@ data:
 tags:
 anchor: gcr.io/google_containers/hyperkube-amd64:v1.10.2
 haproxy: haproxy:1.8.3
- test: busybox:1.28.3
+ test: python:3.6
 source:
 type: local
diff --git a/promenade/templates/roles/genesis/etc/kubernetes/manifests/bootstrap-armada.yaml b/promenade/templates/roles/genesis/etc/kubernetes/manifests/bootstrap-armada.yaml
index 4abe43d8..f50d3eaa 100644
--- a/promenade/templates/roles/genesis/etc/kubernetes/manifests/bootstrap-armada.yaml
+++ b/promenade/templates/roles/genesis/etc/kubernetes/manifests/bootstrap-armada.yaml
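Review bot: `test: python:3.6` swaps the pinned `busybox:1.28.3` for a floating minor tag (the same edit is made in examples/complete/armada-resources.yaml), so the helm test pod pulls whatever the current `python:3.6` build is at run time and the test image stops being a reproducible, reviewable supply-chain input. Pin it to a specific patch tag or, better, an `@sha256:` digest, in line with the neighbouring `hyperkube-amd64:v1.10.2` and `haproxy:1.8.3` entries that at least fix a patch version. The test pod's command is not in this diff, so whether busybox genuinely no longer suffices (for instance because a client certificate is now needed against the apiserver) cannot be confirmed from here.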
@@ -124,7 +124,7 @@ spec:
 - --advertise-address={{ config['Genesis:ip'] }}
 - --authorization-mode=Node,RBAC
 - --admission-control=NamespaceLifecycle,LimitRanger,ServiceAccount,PersistentVolumeLabel,DefaultStorageClass,ResourceQuota,DefaultTolerationSeconds
- --anonymous-auth=true
+ --anonymous-auth=false
 - --client-ca-file=/etc/kubernetes/apiserver/pki/cluster-ca.pem
 - --kubelet-certificate-authority=/etc/kubernetes/apiserver/pki/cluster-ca.pem
 - --kubelet-client-certificate=/etc/kubernetes/apiserver/pki/apiserver.pem
diff --git a/promenade/templates/roles/genesis/etc/kubernetes/manifests/kubernetes-apiserver.yaml b/promenade/templates/roles/genesis/etc/kubernetes/manifests/kubernetes-apiserver.yaml
index b0c43eeb..80ab27ad 100644
--- a/promenade/templates/roles/genesis/etc/kubernetes/manifests/kubernetes-apiserver.yaml
+++ b/promenade/templates/roles/genesis/etc/kubernetes/manifests/kubernetes-apiserver.yaml
@@ -20,7 +20,7 @@ spec:
 - --advertise-address={{ config['Genesis:ip'] }}
 - --authorization-mode=Node,RBAC
 - --admission-control=NamespaceLifecycle,LimitRanger,ServiceAccount,PersistentVolumeLabel,DefaultStorageClass,ResourceQuota,DefaultTolerationSeconds
- --anonymous-auth=true
+ --anonymous-auth=false
 - --client-ca-file=/etc/kubernetes/apiserver/pki/cluster-ca.pem
 - --kubelet-certificate-authority=/etc/kubernetes/apiserver/pki/cluster-ca.pem
 - --kubelet-client-certificate=/etc/kubernetes/apiserver/pki/apiserver.pem
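Review bot: `--anonymous-auth=false` is set in both genesis static-pod manifests, but neither hunk shows an `--insecure-port` flag; if these manifests still leave the insecure listener at its default, unauthenticated access remains available there regardless of this change, so confirm each carries `--insecure-port=0` as the chart template in this commit does. The visible `--client-ca-file=/etc/kubernetes/apiserver/pki/cluster-ca.pem` line is what now gates every caller, so anything that reached these apiservers anonymously during genesis (bootstrap scripts, health checks) must present a certificate signed by that CA or a token. Both flag lists continue outside their hunks.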