def test_get_ingress_address(self, network_get):
network_get.return_value = {
"ingress-addresses": ["1.2.3.4", "5.6.7.8"]
}
ingress = kubernetes_common.get_ingress_address("endpoint-name")
assert ingress == "1.2.3.4"
ingress = kubernetes_common.get_ingress_address(
"endpoint-name", ["1.2.3.4"])
assert ingress == "5.6.7.8"
def request_server_certificates():
'''Send the data that is required to create a server certificate for
this server.'''
website = endpoint_from_flag('website.available')
# Use the public ip of this unit as the Common Name for the certificate.
common_name = hookenv.unit_public_ip()
# Create SANs that the tls layer will add to the server cert.
sans = [
hookenv.unit_public_ip(),
get_ingress_address(website.endpoint_name),
socket.gethostname(),
]
hacluster = endpoint_from_flag('ha.connected')
if hacluster:
vips = hookenv.config('ha-cluster-vip').split()
dns_record = hookenv.config('ha-cluster-dns')
if vips:
sans.extend(vips)
else:
sans.append(dns_record)
# maybe they have extra names they want as SANs
extra_sans = hookenv.config('extra_sans')
if extra_sans and not extra_sans == "":
sans.extend(extra_sans.split())
# Request a server cert with this information.
tls_client.request_server_cert(common_name,
sans,
crt_path=server_crt_path,
key_path=server_key_path)
def start_worker():
''' Start kubelet using the provided API and DNS info.'''
# Note that the DNS server doesn't necessarily exist at this point. We know
# what its IP will eventually be, though, so we can go ahead and configure
# kubelet with that info. This ensures that early pods are configured with
# the correct DNS even though the server isn't ready yet.
kube_api = endpoint_from_flag('kube-api-endpoint.available')
kube_control = endpoint_from_flag('kube-control.dns.available')
cni = endpoint_from_flag('cni.available')
servers = get_kube_api_servers(kube_api)
dns = kube_control.get_dns()
ingress_ip = get_ingress_address(kube_control.relation_name)
cluster_cidr = cni.get_config()['cidr']
if cluster_cidr is None:
hookenv.log('Waiting for cluster cidr.')
return
creds = db.get('credentials')
data_changed('kube-control.creds', creds)
create_config(servers[get_unit_number() % len(servers)], creds)
configure_kubelet(dns, ingress_ip)
configure_kube_proxy(configure_prefix, servers, cluster_cidr)
set_state('kubernetes-worker.config.created')
restart_unit_services()
update_kubelet_status()
set_state('kubernetes-worker.label-config-required')
remove_state('kubernetes-worker.restart-needed')
def send_data():
'''Send the data that is required to create a server certificate for
this server.'''
kube_control = endpoint_from_flag('kube-control.connected')
# Use the public ip of this unit as the Common Name for the certificate.
common_name = hookenv.unit_public_ip()
ingress_ip = get_ingress_address(kube_control.endpoint_name)
# Create SANs that the tls layer will add to the server cert.
sans = [
hookenv.unit_public_ip(),
ingress_ip,
gethostname()
]
# Request a server cert with this information.
layer.tls_client.request_server_cert(common_name, sorted(set(sans)),
crt_path=server_crt_path,
key_path=server_key_path)
# Request a client cert for kubelet.
layer.tls_client.request_client_cert('system:kubelet',
crt_path=client_crt_path,
key_path=client_key_path)
def send_data(tls, kube_control):
'''Send the data that is required to create a server certificate for
this server.'''
# Use the public ip of this unit as the Common Name for the certificate.
common_name = hookenv.unit_public_ip()
ingress_ip = get_ingress_address(kube_control.relation_name)
# Create SANs that the tls layer will add to the server cert.
sans = [hookenv.unit_public_ip(), ingress_ip, gethostname()]
# Create a path safe name by removing path characters from the unit name.
certificate_name = hookenv.local_unit().replace('/', '_')
# Request a server cert with this information.
tls.request_server_cert(common_name, sans, certificate_name)
def request_server_certificates(tls, website):
'''Send the data that is required to create a server certificate for
this server.'''
# Use the public ip of this unit as the Common Name for the certificate.
common_name = hookenv.unit_public_ip()
# Create SANs that the tls layer will add to the server cert.
sans = [
hookenv.unit_public_ip(),
get_ingress_address(website.endpoint_name),
socket.gethostname(),
]
# maybe they have extra names they want as SANs
extra_sans = hookenv.config('extra_sans')
if extra_sans and not extra_sans == "":
sans.extend(extra_sans.split())
# Create a path safe name by removing path characters from the unit name.
certificate_name = hookenv.local_unit().replace('/', '_')
# Request a server cert with this information.
tls.request_server_cert(common_name, sans, certificate_name)
def request_server_certificates():
'''Send the data that is required to create a server certificate for
this server.'''
website = endpoint_from_flag('website.available')
# Use the public ip of this unit as the Common Name for the certificate.
common_name = hookenv.unit_public_ip()
bind_ips = kubernetes_common.get_bind_addrs(ipv4=True, ipv6=True)
# Create SANs that the tls layer will add to the server cert.
sans = [
# The CN field is checked as a hostname, so if it's an IP, it
# won't match unless also included in the SANs as an IP field.
common_name,
kubernetes_common.get_ingress_address(website.endpoint_name),
socket.gethostname(),
socket.getfqdn(),
] + bind_ips
forced_lb_ips = hookenv.config('loadbalancer-ips').split()
if forced_lb_ips:
sans.extend(forced_lb_ips)
else:
hacluster = endpoint_from_flag('ha.connected')
if hacluster:
vips = hookenv.config('ha-cluster-vip').split()
dns_record = hookenv.config('ha-cluster-dns')
if vips:
sans.extend(vips)
elif dns_record:
sans.append(dns_record)
# maybe they have extra names they want as SANs
extra_sans = hookenv.config('extra_sans')
if extra_sans and not extra_sans == "":
sans.extend(extra_sans.split())
# Request a server cert with this information.
tls_client.request_server_cert(common_name,
sorted(set(sans)),
crt_path=server_crt_path,
key_path=server_key_path)
def configure_hacluster():
"""Configure HA resources in corosync"""
hacluster = endpoint_from_flag('ha.connected')
vips = hookenv.config('ha-cluster-vip').split()
dns_record = hookenv.config('ha-cluster-dns')
if vips and dns_record:
set_flag('layer-hacluster.dns_vip.invalid')
msg = "Unsupported configuration. " \
"ha-cluster-vip and ha-cluster-dns cannot both be set",
hookenv.log(msg)
return
else:
clear_flag('layer-hacluster.dns_vip.invalid')
if vips:
for vip in vips:
hacluster.add_vip(hookenv.application_name(), vip)
elif dns_record:
layer_options = layer.options('hacluster')
binding_address = layer_options.get('binding_address')
ip = get_ingress_address(binding_address)
hacluster.add_dnsha(hookenv.application_name(), ip, dns_record,
'public')
services = db.get('layer-hacluster.services', {
'current_services': {},
'desired_services': {},
'deleted_services': {}
})
for name, service in services['deleted_services'].items():
hacluster.remove_systemd_service(name, service)
for name, service in services['desired_services'].items():
hacluster.add_systemd_service(name, service)
services['current_services'][name] = service
services['deleted_services'] = {}
services['desired_services'] = {}
hacluster.bind_resources()
set_flag('layer-hacluster.configured')
