Commit 7090a7d5 authored by Erik Wilson's avatar Erik Wilson

Move node password to separate file

parent 29865fd9
...@@ -104,6 +104,7 @@ type ControlRuntime struct { ...@@ -104,6 +104,7 @@ type ControlRuntime struct {
ServerCAKey string ServerCAKey string
ServiceKey string ServiceKey string
PasswdFile string PasswdFile string
NodePasswdFile string
KubeConfigAdmin string KubeConfigAdmin string
KubeConfigController string KubeConfigController string
......
...@@ -263,6 +263,7 @@ func prepare(config *config.Control, runtime *config.ControlRuntime) error { ...@@ -263,6 +263,7 @@ func prepare(config *config.Control, runtime *config.ControlRuntime) error {
runtime.ServiceKey = path.Join(config.DataDir, "tls", "service.key") runtime.ServiceKey = path.Join(config.DataDir, "tls", "service.key")
runtime.PasswdFile = path.Join(config.DataDir, "cred", "passwd") runtime.PasswdFile = path.Join(config.DataDir, "cred", "passwd")
runtime.NodePasswdFile = path.Join(config.DataDir, "cred", "node-passwd")
runtime.KubeConfigAdmin = path.Join(config.DataDir, "cred", "admin.kubeconfig") runtime.KubeConfigAdmin = path.Join(config.DataDir, "cred", "admin.kubeconfig")
runtime.KubeConfigController = path.Join(config.DataDir, "cred", "controller.kubeconfig") runtime.KubeConfigController = path.Join(config.DataDir, "cred", "controller.kubeconfig")
......
...@@ -83,7 +83,7 @@ func getNodeInfo(req *http.Request) (string, string, error) { ...@@ -83,7 +83,7 @@ func getNodeInfo(req *http.Request) (string, string, error) {
return "", "", errors.New("node password not set") return "", "", errors.New("node password not set")
} }
return nodeNames[0], nodePasswords[0], nil return strings.ToLower(nodeNames[0]), nodePasswords[0], nil
} }
func getCACertAndKeys(caCertFile, caKeyFile, signingKeyFile string) ([]*x509.Certificate, crypto.Signer, crypto.Signer, error) { func getCACertAndKeys(caCertFile, caKeyFile, signingKeyFile string) ([]*x509.Certificate, crypto.Signer, crypto.Signer, error) {
...@@ -132,7 +132,7 @@ func servingKubeletCert(server *config.Control) http.Handler { ...@@ -132,7 +132,7 @@ func servingKubeletCert(server *config.Control) http.Handler {
sendError(err, resp) sendError(err, resp)
} }
if err := ensureNodePassword(server.Runtime.PasswdFile, nodeName, nodePassword); err != nil { if err := ensureNodePassword(server.Runtime.NodePasswdFile, nodeName, nodePassword); err != nil {
sendError(err, resp, http.StatusForbidden) sendError(err, resp, http.StatusForbidden)
return return
} }
...@@ -172,7 +172,7 @@ func clientKubeletCert(server *config.Control) http.Handler { ...@@ -172,7 +172,7 @@ func clientKubeletCert(server *config.Control) http.Handler {
sendError(err, resp) sendError(err, resp)
} }
if err := ensureNodePassword(server.Runtime.PasswdFile, nodeName, nodePassword); err != nil { if err := ensureNodePassword(server.Runtime.NodePasswdFile, nodeName, nodePassword); err != nil {
sendError(err, resp, http.StatusForbidden) sendError(err, resp, http.StatusForbidden)
return return
} }
...@@ -265,36 +265,37 @@ func sendError(err error, resp http.ResponseWriter, status ...int) { ...@@ -265,36 +265,37 @@ func sendError(err error, resp http.ResponseWriter, status ...int) {
} }
func ensureNodePassword(passwdFile, nodeName, passwd string) error { func ensureNodePassword(passwdFile, nodeName, passwd string) error {
f, err := os.Open(passwdFile)
if err != nil {
return err
}
defer f.Close()
user := strings.ToLower("node:" + nodeName)
records := [][]string{} records := [][]string{}
reader := csv.NewReader(f)
for { if _, err := os.Stat(passwdFile); !os.IsNotExist(err) {
record, err := reader.Read() f, err := os.Open(passwdFile)
if err == io.EOF {
break
}
if err != nil { if err != nil {
return err return err
} }
if len(record) < 3 { defer f.Close()
return fmt.Errorf("password file '%s' must have at least 3 columns (password, user name, user uid), found %d", passwdFile, len(record)) reader := csv.NewReader(f)
} for {
if record[1] == user { record, err := reader.Read()
if record[0] == passwd { if err == io.EOF {
return nil break
}
if err != nil {
return err
}
if len(record) < 2 {
return fmt.Errorf("password file '%s' must have at least 2 columns (password, nodeName), found %d", passwdFile, len(record))
}
if record[1] == nodeName {
if record[0] == passwd {
return nil
}
return fmt.Errorf("Node password validation failed for '%s', using passwd file '%s'", nodeName, passwdFile)
} }
return fmt.Errorf("Node password validation failed for '%s', using passwd file '%s'", nodeName, passwdFile) records = append(records, record)
} }
records = append(records, record) f.Close()
} }
records = append(records, []string{passwd, user, user, "system:node:" + nodeName})
f.Close() records = append(records, []string{passwd, nodeName})
return control.WritePasswords(passwdFile, records) return control.WritePasswords(passwdFile, records)
} }
Markdown is supported
0% or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment