def test_get_ingress_address(self, network_get): network_get.return_value = { "ingress-addresses": ["1.2.3.4", "5.6.7.8"] } ingress = kubernetes_common.get_ingress_address("endpoint-name") assert ingress == "1.2.3.4" ingress = kubernetes_common.get_ingress_address( "endpoint-name", ["1.2.3.4"]) assert ingress == "5.6.7.8"
def request_server_certificates(): '''Send the data that is required to create a server certificate for this server.''' website = endpoint_from_flag('website.available') # Use the public ip of this unit as the Common Name for the certificate. common_name = hookenv.unit_public_ip() # Create SANs that the tls layer will add to the server cert. sans = [ hookenv.unit_public_ip(), get_ingress_address(website.endpoint_name), socket.gethostname(), ] hacluster = endpoint_from_flag('ha.connected') if hacluster: vips = hookenv.config('ha-cluster-vip').split() dns_record = hookenv.config('ha-cluster-dns') if vips: sans.extend(vips) else: sans.append(dns_record) # maybe they have extra names they want as SANs extra_sans = hookenv.config('extra_sans') if extra_sans and not extra_sans == "": sans.extend(extra_sans.split()) # Request a server cert with this information. tls_client.request_server_cert(common_name, sans, crt_path=server_crt_path, key_path=server_key_path)
def start_worker(): ''' Start kubelet using the provided API and DNS info.''' # Note that the DNS server doesn't necessarily exist at this point. We know # what its IP will eventually be, though, so we can go ahead and configure # kubelet with that info. This ensures that early pods are configured with # the correct DNS even though the server isn't ready yet. kube_api = endpoint_from_flag('kube-api-endpoint.available') kube_control = endpoint_from_flag('kube-control.dns.available') cni = endpoint_from_flag('cni.available') servers = get_kube_api_servers(kube_api) dns = kube_control.get_dns() ingress_ip = get_ingress_address(kube_control.relation_name) cluster_cidr = cni.get_config()['cidr'] if cluster_cidr is None: hookenv.log('Waiting for cluster cidr.') return creds = db.get('credentials') data_changed('kube-control.creds', creds) create_config(servers[get_unit_number() % len(servers)], creds) configure_kubelet(dns, ingress_ip) configure_kube_proxy(configure_prefix, servers, cluster_cidr) set_state('kubernetes-worker.config.created') restart_unit_services() update_kubelet_status() set_state('kubernetes-worker.label-config-required') remove_state('kubernetes-worker.restart-needed')
def send_data(): '''Send the data that is required to create a server certificate for this server.''' kube_control = endpoint_from_flag('kube-control.connected') # Use the public ip of this unit as the Common Name for the certificate. common_name = hookenv.unit_public_ip() ingress_ip = get_ingress_address(kube_control.endpoint_name) # Create SANs that the tls layer will add to the server cert. sans = [ hookenv.unit_public_ip(), ingress_ip, gethostname() ] # Request a server cert with this information. layer.tls_client.request_server_cert(common_name, sorted(set(sans)), crt_path=server_crt_path, key_path=server_key_path) # Request a client cert for kubelet. layer.tls_client.request_client_cert('system:kubelet', crt_path=client_crt_path, key_path=client_key_path)
def send_data(tls, kube_control): '''Send the data that is required to create a server certificate for this server.''' # Use the public ip of this unit as the Common Name for the certificate. common_name = hookenv.unit_public_ip() ingress_ip = get_ingress_address(kube_control.relation_name) # Create SANs that the tls layer will add to the server cert. sans = [hookenv.unit_public_ip(), ingress_ip, gethostname()] # Create a path safe name by removing path characters from the unit name. certificate_name = hookenv.local_unit().replace('/', '_') # Request a server cert with this information. tls.request_server_cert(common_name, sans, certificate_name)
def request_server_certificates(tls, website): '''Send the data that is required to create a server certificate for this server.''' # Use the public ip of this unit as the Common Name for the certificate. common_name = hookenv.unit_public_ip() # Create SANs that the tls layer will add to the server cert. sans = [ hookenv.unit_public_ip(), get_ingress_address(website.endpoint_name), socket.gethostname(), ] # maybe they have extra names they want as SANs extra_sans = hookenv.config('extra_sans') if extra_sans and not extra_sans == "": sans.extend(extra_sans.split()) # Create a path safe name by removing path characters from the unit name. certificate_name = hookenv.local_unit().replace('/', '_') # Request a server cert with this information. tls.request_server_cert(common_name, sans, certificate_name)
def request_server_certificates(): '''Send the data that is required to create a server certificate for this server.''' website = endpoint_from_flag('website.available') # Use the public ip of this unit as the Common Name for the certificate. common_name = hookenv.unit_public_ip() bind_ips = kubernetes_common.get_bind_addrs(ipv4=True, ipv6=True) # Create SANs that the tls layer will add to the server cert. sans = [ # The CN field is checked as a hostname, so if it's an IP, it # won't match unless also included in the SANs as an IP field. common_name, kubernetes_common.get_ingress_address(website.endpoint_name), socket.gethostname(), socket.getfqdn(), ] + bind_ips forced_lb_ips = hookenv.config('loadbalancer-ips').split() if forced_lb_ips: sans.extend(forced_lb_ips) else: hacluster = endpoint_from_flag('ha.connected') if hacluster: vips = hookenv.config('ha-cluster-vip').split() dns_record = hookenv.config('ha-cluster-dns') if vips: sans.extend(vips) elif dns_record: sans.append(dns_record) # maybe they have extra names they want as SANs extra_sans = hookenv.config('extra_sans') if extra_sans and not extra_sans == "": sans.extend(extra_sans.split()) # Request a server cert with this information. tls_client.request_server_cert(common_name, sorted(set(sans)), crt_path=server_crt_path, key_path=server_key_path)
def configure_hacluster(): """Configure HA resources in corosync""" hacluster = endpoint_from_flag('ha.connected') vips = hookenv.config('ha-cluster-vip').split() dns_record = hookenv.config('ha-cluster-dns') if vips and dns_record: set_flag('layer-hacluster.dns_vip.invalid') msg = "Unsupported configuration. " \ "ha-cluster-vip and ha-cluster-dns cannot both be set", hookenv.log(msg) return else: clear_flag('layer-hacluster.dns_vip.invalid') if vips: for vip in vips: hacluster.add_vip(hookenv.application_name(), vip) elif dns_record: layer_options = layer.options('hacluster') binding_address = layer_options.get('binding_address') ip = get_ingress_address(binding_address) hacluster.add_dnsha(hookenv.application_name(), ip, dns_record, 'public') services = db.get('layer-hacluster.services', { 'current_services': {}, 'desired_services': {}, 'deleted_services': {} }) for name, service in services['deleted_services'].items(): hacluster.remove_systemd_service(name, service) for name, service in services['desired_services'].items(): hacluster.add_systemd_service(name, service) services['current_services'][name] = service services['deleted_services'] = {} services['desired_services'] = {} hacluster.bind_resources() set_flag('layer-hacluster.configured')