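def remove_callback_token(node):
    """
    Remove a callback token

    Rewrites ``callback_tokens_file`` without the lines whose first
    whitespace-separated field equals ``node``. The filtered content is
    written to a 0o600 temporary file next to the token file and then
    moved over it, so the token file is never left half-written.

    :param node: the node
    """
    tmp_file = "{}.tmp".format(callback_tokens_file)
    if not os.path.isfile(callback_tokens_file):
        # Create the (empty) token file owner-only from the start and close
        # the descriptor right away instead of leaking an open file object.
        os.close(os.open(callback_tokens_file, os.O_WRONLY | os.O_CREAT, 0o600))
        os.chmod(callback_tokens_file, 0o600)

    # Create the temporary file with mode 0o600 at creation time rather than
    # chmod'ing after a default-umask create, so the copied tokens are never
    # briefly readable by other local users.
    fd = os.open(tmp_file, os.O_WRONLY | os.O_CREAT | os.O_TRUNC, 0o600)
    with os.fdopen(fd, "w") as backup_fp:
        # The creation mode is narrowed by the umask; enforce exactly 0o600.
        os.chmod(tmp_file, 0o600)
        with open(callback_tokens_file, "r") as callback_fp:
            for line in callback_fp:
                parts = line.split()
                # A blank line has no fields; pass it through instead of
                # raising IndexError on parts[0].
                if parts and parts[0] == node:
                    continue
                backup_fp.write(line)
    try_set_file_permissions(tmp_file)
    shutil.move(tmp_file, callback_tokens_file)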
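def remove_callback_token(node):
    """
    Remove a callback token

    Rewrites ``callback_tokens_file`` without the entries whose
    ``node_hostname`` part equals ``node``. The filtered content is written
    to a 0o600 temporary file next to the token file and then moved over it,
    so the token file is never left half-written.

    :param node: the node
    """
    tmp_file = "{}.tmp".format(callback_tokens_file)
    if not os.path.isfile(callback_tokens_file):
        # Create the (empty) token file owner-only from the start and close
        # the descriptor right away instead of leaking an open file object.
        os.close(os.open(callback_tokens_file, os.O_WRONLY | os.O_CREAT, 0o600))
        os.chmod(callback_tokens_file, 0o600)

    # Create the temporary file with mode 0o600 at creation time rather than
    # chmod'ing after a default-umask create, so the copied tokens are never
    # briefly readable by other local users.
    fd = os.open(tmp_file, os.O_WRONLY | os.O_CREAT | os.O_TRUNC, 0o600)
    with os.fdopen(fd, "w") as backup_fp:
        # The creation mode is narrowed by the umask; enforce exactly 0o600.
        os.chmod(tmp_file, 0o600)
        with open(callback_tokens_file, "r") as callback_fp:
            # Entries are of the format: 'node_hostname:agent_port token'
            # We need to get the node_hostname part
            for line in callback_fp:
                hostname, _, _ = line.partition(":")
                if hostname == node:
                    continue
                backup_fp.write(line)
    try_set_file_permissions(tmp_file)
    shutil.move(tmp_file, callback_tokens_file)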
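def get_client_cert(master_ip, master_port, fname, token, username, group=None):
    """
    Get a signed cert.
    See https://kubernetes.io/docs/reference/access-authn-authz/authentication/#x509-client-certs

    Generates a 2048-bit RSA key ``<fname>.key`` under
    ``/var/snap/microk8s/current/certs`` (only if it does not exist yet),
    builds a CSR with subject ``/CN=<username>[/O=<group>]`` and asks the
    master's ``sign-cert`` endpoint to sign it, writing ``<fname>.crt``.

    :param master_ip: master ip
    :param master_port: master port
    :param fname: file name prefix for the certificate
    :param token: token to contact the master with
    :param username: the username of the cert's owner
    :param group: the group the owner belongs to
    :return: dict with ``certificate_location`` and
        ``certificate_key_location``
    :raises SystemExit: (status 1) when the master refuses to sign the CSR
        or returns a response without a ``certificate`` field
    :raises subprocess.CalledProcessError: when an openssl invocation fails
    """
    info = "/CN={}".format(username)
    if group:
        info = "{}/O={}".format(info, group)

    certs_dir = "/var/snap/microk8s/current/certs"
    cer_req_file = "{}/{}.csr".format(certs_dir, fname)
    cer_key_file = "{}/{}.key".format(certs_dir, fname)
    cer_file = "{}/{}.crt".format(certs_dir, fname)
    openssl = "{}/usr/bin/openssl".format(snap_path)

    if not os.path.exists(cer_key_file):
        # Keep an existing key so re-running does not invalidate certificates
        # already issued for it. openssl creates the key with the process
        # umask; permissions are tightened immediately afterwards.
        subprocess.check_call(
            [openssl, "genrsa", "-out", cer_key_file, "2048"],
            stdout=subprocess.DEVNULL,
            stderr=subprocess.DEVNULL,
        )
        try_set_file_permissions(cer_key_file)

    # argv is built as a list: the subject comes from the caller, and a
    # str.split() on the command line would break on a username or group
    # containing whitespace.
    subprocess.check_call(
        [
            openssl, "req", "-new", "-sha256",
            "-key", cer_key_file,
            "-out", cer_req_file,
            "-subj", info,
        ],
        stdout=subprocess.DEVNULL,
        stderr=subprocess.DEVNULL,
    )

    with open(cer_req_file) as fp:
        csr = fp.read()

    req_data = {"token": token, "request": csr}
    # TODO: enable ssl verification. With verify=False the join token is sent
    # to, and the signed certificate accepted from, a peer whose identity is
    # not checked: anyone able to interpose between this node and master_ip
    # can read the token or return a certificate of their choosing.
    signed = requests.post(
        "https://{}:{}/{}/sign-cert".format(master_ip, master_port, CLUSTER_API),
        json=req_data,
        verify=False,
    )
    if signed.status_code != 200:
        error = "Failed to sign {} certificate ({}).".format(fname, signed.status_code)
        try:
            body = signed.json()
        except ValueError:
            # Non-JSON error body: the endpoint is not a sign-cert API.
            print("Make sure the cluster you connect to supports joining worker nodes.")
        else:
            if "error" in body:
                error = "{} {}".format(error, body["error"])
        print(error)
        # SystemExit directly rather than the site-provided exit() builtin,
        # which is absent under `python -S`.
        raise SystemExit(1)

    try:
        certificate = signed.json()["certificate"]
    except (ValueError, KeyError):
        # A 200 without a JSON 'certificate' field used to surface as an
        # unrelated traceback; report it like a refused signing instead.
        print("Failed to sign {} certificate (unexpected response body).".format(fname))
        raise SystemExit(1)

    with open(cer_file, "w") as cert_fp:
        cert_fp.write(certificate)
    try_set_file_permissions(cer_file)
    return {
        "certificate_location": cer_file,
        "certificate_key_location": cer_key_file,
    }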