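def remove_callback_token(node):
    """
    Remove a callback token

    Rewrites the callback tokens file without the line whose first
    whitespace-separated field equals ``node``. The new content is written to
    a ``.tmp`` sibling (created with mode 0600) and then moved over the
    original, so a reader never sees a half-written tokens file.

    :param node: the node
    """
    tmp_file = "{}.tmp".format(callback_tokens_file)
    if not os.path.isfile(callback_tokens_file):
        # Create the empty tokens file already restricted to 0600 instead of
        # creating it world-readable and chmod-ing afterwards; the descriptor
        # is closed right away rather than leaked.
        os.close(os.open(callback_tokens_file, os.O_WRONLY | os.O_CREAT, 0o600))
        os.chmod(callback_tokens_file, 0o600)
    # Same idea for the temporary copy: it holds the tokens, so it must never
    # exist with a permissive mode, not even briefly.
    tmp_fd = os.open(tmp_file, os.O_WRONLY | os.O_CREAT | os.O_TRUNC, 0o600)
    with os.fdopen(tmp_fd, "w") as backup_fp:
        os.chmod(tmp_file, 0o600)
        with open(callback_tokens_file) as callback_fp:
            for line in callback_fp:
                parts = line.split()
                # A blank line has no fields; keep it instead of failing on parts[0].
                if parts and parts[0] == node:
                    continue
                backup_fp.write(line)

    try_set_file_permissions(tmp_file)
    shutil.move(tmp_file, callback_tokens_file)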
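def remove_callback_token(node):
    """
    Remove a callback token

    Rewrites the callback tokens file without the entry for ``node``. Entries
    are of the format ``node_hostname:agent_port token``; a line is dropped
    when its ``node_hostname`` part equals ``node``. The new content is
    written to a ``.tmp`` sibling (created with mode 0600) and then moved
    over the original, so a reader never sees a half-written tokens file.

    :param node: the node hostname
    """
    tmp_file = "{}.tmp".format(callback_tokens_file)
    if not os.path.isfile(callback_tokens_file):
        # Create the empty tokens file already restricted to 0600 instead of
        # creating it world-readable and chmod-ing afterwards; the descriptor
        # is closed right away rather than leaked.
        os.close(os.open(callback_tokens_file, os.O_WRONLY | os.O_CREAT, 0o600))
        os.chmod(callback_tokens_file, 0o600)
    # Same idea for the temporary copy: it holds the tokens, so it must never
    # exist with a permissive mode, not even briefly.
    tmp_fd = os.open(tmp_file, os.O_WRONLY | os.O_CREAT | os.O_TRUNC, 0o600)
    with os.fdopen(tmp_fd, "w") as backup_fp:
        os.chmod(tmp_file, 0o600)
        with open(callback_tokens_file) as callback_fp:
            for line in callback_fp:
                # Entries are of the format: 'node_hostname:agent_port token'
                # We need to get the node_hostname part
                hostname = line.split(":", 1)[0]
                if hostname == node:
                    continue
                backup_fp.write(line)

    try_set_file_permissions(tmp_file)
    shutil.move(tmp_file, callback_tokens_file)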
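def _escape_subject_value(value):
    """
    Escape a value so it is safe inside an openssl ``-subj`` string.

    In ``-subj`` a forward slash separates DN components and a backslash
    escapes the next character. An unescaped slash inside a username or group
    would let the caller append extra components (for example an ``O=`` entry,
    which Kubernetes maps to group membership), so both characters are
    backslash-escaped.

    :param value: raw username or group name
    :return: the value with backslashes and slashes escaped
    """
    return str(value).replace("\\", "\\\\").replace("/", "\\/")


def get_client_cert(master_ip, master_port, fname, token, username, group=None):
    """
    Get a signed cert.
    See https://kubernetes.io/docs/reference/access-authn-authz/authentication/#x509-client-certs

    Generates a private key under the snap certs directory if none exists,
    builds a CSR for ``username`` (CN) and ``group`` (O), posts it together
    with ``token`` to the master's cluster API and writes the returned
    certificate next to the key.

    :param master_ip: master ip
    :param master_port: master port
    :param fname: file name prefix for the certificate
    :param token: token to contact the master with
    :param username: the username of the cert's owner
    :param group: the group the owner belongs to
    :return: dict with ``certificate_location`` and ``certificate_key_location``
    :raises subprocess.CalledProcessError: if openssl fails
    :raises SystemExit: if the master does not return a signed certificate
    """
    import sys

    subject = "/CN={}".format(_escape_subject_value(username))
    if group:
        subject = "{}/O={}".format(subject, _escape_subject_value(group))

    certs_dir = "/var/snap/microk8s/current/certs"
    cer_req_file = "{}/{}.csr".format(certs_dir, fname)
    cer_key_file = "{}/{}.key".format(certs_dir, fname)
    cer_file = "{}/{}.crt".format(certs_dir, fname)
    openssl = "{}/usr/bin/openssl".format(snap_path)

    if not os.path.exists(cer_key_file):
        # argv is passed as a list (no shell), so arguments are never re-split
        # on whitespace the way a str.split() command line would be.
        subprocess.check_call(
            [openssl, "genrsa", "-out", cer_key_file, "2048"],
            stdout=subprocess.DEVNULL,
            stderr=subprocess.DEVNULL,
        )
        try_set_file_permissions(cer_key_file)

    # A username or group containing whitespace would have broken the old
    # "-subj {info}".split() command; as a list element it is passed intact.
    subprocess.check_call(
        [
            openssl,
            "req",
            "-new",
            "-sha256",
            "-key",
            cer_key_file,
            "-out",
            cer_req_file,
            "-subj",
            subject,
        ],
        stdout=subprocess.DEVNULL,
        stderr=subprocess.DEVNULL,
    )
    with open(cer_req_file) as fp:
        csr = fp.read()

    # TODO: enable ssl verification. With verify=False the master's identity
    # is not checked: the token and the CSR are sent to whatever answers at
    # master_ip:master_port, and the certificate it returns is trusted as-is.
    signed = requests.post(
        "https://{}:{}/{}/sign-cert".format(master_ip, master_port, CLUSTER_API),
        json={"token": token, "request": csr},
        verify=False,
    )
    if signed.status_code != 200:
        error = "Failed to sign {} certificate ({}).".format(fname, signed.status_code)
        try:
            body = signed.json()
        except ValueError:
            print("Make sure the cluster you connect to supports joining worker nodes.")
        else:
            # Only a JSON object can carry an "error" key; indexing any other
            # JSON type (e.g. a string) would raise instead of reporting.
            if isinstance(body, dict) and "error" in body:
                error = "{} {}".format(error, body["error"])
        print(error)
        sys.exit(1)

    certificate = signed.json()["certificate"]
    with open(cer_file, "w") as cert_fp:
        cert_fp.write(certificate)
    try_set_file_permissions(cer_file)

    return {
        "certificate_location": cer_file,
        "certificate_key_location": cer_key_file,
    }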