Added sshd, kubeconfig and insecure-serving flags to localkube for di… #1975
Conversation
k8s-ci-robot
added
cncf-cla: yes
aaron-prindle
force-pushed
the
sshd-dind
branch
2 times, most recently
from
21eefe8
to
2dbf0a0
Compare
cmd/localkube/cmd/options.go
Outdated
| APIServerName: constants.APIServerName, | ||
| ShouldGenerateKubeconfig: true, |
There was a problem hiding this comment.
Should this default to false?
aaron-prindle
force-pushed
the
sshd-dind
branch
3 times, most recently
from
8abbf57
to
75ddc1e
Compare
| RUN sed -i 's|authorized_keys|authorized_keys /etc/localkube-ssh/localkube_rsa.pub|g' /etc/ssh/sshd_config | ||
|
|
||
| ENV NOTVISIBLE "in users profile" | ||
| RUN echo "export VISIBLE=now" >> /etc/profile |
| --extra-config=kubelet.AllowPrivileged="true" | ||
| --extra-config=kubelet.AllowPrivileged="true" \ | ||
| --v=100 \ | ||
| --logtostderr &> /var/log/localkube/logs.txt |
There was a problem hiding this comment.
done. Also added auto-newline setting to editor, hopefully this will be the last newline comment
There was a problem hiding this comment.
theres a vs-code addon if you haven't gotten it 😂
pkg/localkube/proxy.go
Outdated
| @@ -62,7 +69,11 @@ func StartProxyServer(lk LocalkubeServer) func() error { | |||
|
|
|||
| return func() error { | |||
| // Creating this config requires the API Server to be up, so do it in the start function itself. | |||
| server, err := kubeproxy.NewProxyServer(config, false, runtime.NewScheme(), "") | |||
| url := "" | |||
pkg/localkube/proxy.go
Outdated
| server, err := kubeproxy.NewProxyServer(config, false, runtime.NewScheme(), "") | ||
| url := "" | ||
| if lk.APIServerInsecurePort != 0 { | ||
| url = lk.GetAPIServerInsecureURL() |
There was a problem hiding this comment.
Can this function just return "" if lk.APIServerInsecurePort == 0?
There was a problem hiding this comment.
Not sure what you mean. If insecureport is enabled, use that url as the parameter as was done previously. If not, do what is done currently and use "".
https://github.com/kubernetes/minikube/blob/master/pkg/localkube/proxy.go#L65
Are you suggesting to flip the case so that the url defaults to the insecureURL and then reverse the if statement so that it would set it oppositely? I don't understand what is gained.
There was a problem hiding this comment.
I meant
func (lk LocalkubeServer) GetAPIServerInsecureURL() {
if lk.APIServerInsecurePort != 0 {
return fmt.Sprintf("http://%s:%d", lk.APIServerInsecureAddress.String(), lk.APIServerInsecurePort)
}
return ""
}There was a problem hiding this comment.
Otherwise, you might end up calling GetAPIServerInsecureURL() with lk.APIServerInsecurePort == 0 and get
http://:0
It might as well give the default value of the return type instead of garbage, that way you can use it how you want to here.
pkg/localkube/ready.go
Outdated
| @@ -27,7 +27,26 @@ import ( | |||
|
|
|||
| type HealthCheck func() bool | |||
|
|
|||
| func healthCheck(addr string, lk LocalkubeServer) HealthCheck { | |||
| func healthCheckInsecure(addr string, lk LocalkubeServer) HealthCheck { | |||
There was a problem hiding this comment.
Can you refactor this to be more like
func healthCheck(addr, lk LocalkubeServer) {
transport := lk.GetTransport()
client := http.Client{Transport: transport}
...
}lk.GetTransport() will return a new http.Transport with the TLSconfig set if it is secure serving, otherwise just a http.Transport{} if not.
pkg/localkube/proxy.go
Outdated
| @@ -38,6 +40,11 @@ func (lk LocalkubeServer) NewProxyServer() Server { | |||
| } | |||
|
|
|||
| func StartProxyServer(lk LocalkubeServer) func() error { | |||
| fmt.Println(lk.APIServerAddress) | |||
pkg/localkube/apiserver.go
Outdated
| hostport := net.JoinHostPort("localhost", strconv.Itoa(lk.APIServerPort)) | ||
| addr := "https://" + path.Join(hostport, "healthz") | ||
| return healthCheck(addr, lk) | ||
| if lk.APIServerInsecurePort != 0 { |
There was a problem hiding this comment.
changed to only have one invocation of healtCheck
pkg/localkube/proxy.go
Outdated
| fmt.Println(lk.APIServerAddress) | ||
| bindaddress := lk.APIServerAddress.String() | ||
| if lk.APIServerInsecurePort != 0 { | ||
| bindaddress = lk.APIServerInsecureAddress.String() |
There was a problem hiding this comment.
Might be worth it to split this out into another helper function where the logic is clearer:
If insecure serving and and secure serving are both enabled, the insecure serving address will be used as the bind address.
like
func (LocalkubeServer) GetAPIServerAddress() net.IP {
...
}which you could use here, anywhere else that needs to know how to talk to the API server, and for the healthchecks
aaron-prindle
force-pushed
the
sshd-dind
branch
4 times, most recently
from
b12827d
to
8043dbf
Compare
pkg/localkube/apiserver.go
Outdated
| return healthCheck(addr, lk) | ||
| protocol := "https://" | ||
| if lk.APIServerInsecurePort != 0 { | ||
| protocol = "http://" |
There was a problem hiding this comment.
I think you generally want to stay away from constructions like
default value
if condition {
overwrite default value
}
Here is another place where you're implicitly hiding the behavior of
"if both secure and insecure serving are enabled, use the insecure serving port"
which is a bit arbitrary and I'd like to minimize the amount of places that logic has to live, so its easy to change/maintain/notice
There was a problem hiding this comment.
This could live in the GetTransport function - since if you're adding a TLSConfig, you know that you'll be using https
pkg/localkube/ready.go
Outdated
| @@ -50,8 +50,8 @@ func healthCheck(addr string, lk LocalkubeServer) HealthCheck { | |||
| RootCAs: caCertPool, | |||
| } | |||
| tlsConfig.BuildNameToCertificate() | |||
| transport := &http.Transport{TLSClientConfig: tlsConfig} | |||
| client := &http.Client{Transport: transport} | |||
| transport := lk.GetTransport() | |||
There was a problem hiding this comment.
This function doesn't exist yet - you'll have to rip out the relevant parts from the existing healthCheck function
aaron-prindle
force-pushed
the
sshd-dind
branch
5 times, most recently
from
58e367d
to
085edef
Compare
aaron-prindle
force-pushed
the
sshd-dind
branch
from
085edef
to
ec17df3
Compare
Codecov Report
@@ Coverage Diff @@
## master #1975 +/- ##
=========================================
- Coverage 29.81% 29.6% -0.22%
=========================================
Files 77 77
Lines 4769 4810 +41
=========================================
+ Hits 1422 1424 +2
- Misses 3167 3204 +37
- Partials 180 182 +2
Continue to review full report at Codecov.
|
| if s.ShouldGenerateKubeconfig { | ||
| if err := s.GenerateKubeconfig(); err != nil { | ||
| fmt.Println("Failed to create kubeconfig!") | ||
| panic(err) |
There was a problem hiding this comment.
handle this error by logging it to glog and exiting
There was a problem hiding this comment.
sorry I didn't see this, merged the PR. ShouldGenerateCerts panics also. We should add a PR to change both of them.
|
PTAL |
…nd image