kubernetes
/
minikube
mirror of https://github.com/kubernetes/minikube.git
1
0
Fork 0
Code Issues Projects Releases Wiki Activity

allow pods to be refreshed

pull/11486/head
Sharif Elgamal 2021-05-25 13:43:25 -07:00
parent 86f9feb535
commit a823439257
2 changed files with 100 additions and 25 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

2
deploy/addons/gcp-auth/gcp-auth-webhook.yaml.tmpl.tmpl
View File

@ -164,7 +164,7 @@ webhooks:
namespace: gcp-auth namespace: gcp-auth
path: "/mutate" path: "/mutate"
rules: rules:
- operations: ["CREATE", "UPDATE"] - operations: ["CREATE"]
apiGroups: ["*"] apiGroups: ["*"]
apiVersions: ["*"] apiVersions: ["*"]
resources: ["pods"] resources: ["pods"]

123
pkg/addons/addons_gcpauth.go
View File

@ -45,6 +45,7 @@ const (
credentialsPath = "/var/lib/minikube/google_application_credentials.json" credentialsPath = "/var/lib/minikube/google_application_credentials.json"
projectPath = "/var/lib/minikube/google_cloud_project" projectPath = "/var/lib/minikube/google_cloud_project"
secretName = "gcp-auth" secretName = "gcp-auth"
namespaceName = "gcp-auth"
) )
// enableOrDisableGCPAuth enables or disables the gcp-auth addon depending on the val parameter // enableOrDisableGCPAuth enables or disables the gcp-auth addon depending on the val parameter
@ -84,7 +85,45 @@ func enableAddonGCPAuth(cfg *config.ClusterConfig) error {
} }
// Create a registry secret in every namespace we can find // Create a registry secret in every namespace we can find
client, err := service.K8s.GetCoreClient(cfg.Name) err = createPullSecret(cfg, creds)
if err != nil {
return err
}
// First check if the project env var is explicitly set
projectEnv := os.Getenv("GOOGLE_CLOUD_PROJECT")
if projectEnv != "" {
f := assets.NewMemoryAssetTarget([]byte(projectEnv), projectPath, "0444")
return r.Copy(f)
}
// We're currently assuming gcloud is installed and in the user's path
proj, err := exec.Command("gcloud", "config", "get-value", "project").Output()
if err == nil && len(proj) > 0 {
f := assets.NewMemoryAssetTarget(bytes.TrimSpace(proj), projectPath, "0444")
return r.Copy(f)
}
out.WarningT("Could not determine a Google Cloud project, which might be ok.")
out.Styled(style.Tip, `To set your Google Cloud project, run:
gcloud config set project <project name>
or set the GOOGLE_CLOUD_PROJECT environment variable.`)
// Copy an empty file in to avoid errors about missing files
emptyFile := assets.NewMemoryAssetTarget([]byte{}, projectPath, "0444")
return r.Copy(emptyFile)
}
func createPullSecret(cc *config.ClusterConfig, creds *google.Credentials) error {
client, err := service.K8s.GetCoreClient(cc.Name)
if err != nil {
return err
}
namespaces, err := client.Namespaces().List(context.TODO(), metav1.ListOptions{})
if err != nil { if err != nil {
return err return err
} }
@ -96,11 +135,6 @@ func enableAddonGCPAuth(cfg *config.ClusterConfig) error {
".dockercfg": []byte(fmt.Sprintf(`{"https://gcr.io":{"username":"oauth2accesstoken","password":"%s","email":"none"}, "https://us-docker.pkg.dev":{"username":"oauth2accesstoken","password":"%s","email":"none"}}`, token.AccessToken, token.AccessToken)), ".dockercfg": []byte(fmt.Sprintf(`{"https://gcr.io":{"username":"oauth2accesstoken","password":"%s","email":"none"}, "https://us-docker.pkg.dev":{"username":"oauth2accesstoken","password":"%s","email":"none"}}`, token.AccessToken, token.AccessToken)),
} }
namespaces, err := client.Namespaces().List(context.TODO(), metav1.ListOptions{})
if err != nil {
return err
}
for _, n := range namespaces.Items { for _, n := range namespaces.Items {
secrets := client.Secrets(n.Name) secrets := client.Secrets(n.Name)
@ -147,7 +181,7 @@ func enableAddonGCPAuth(cfg *config.ClusterConfig) error {
time.Sleep(1 * time.Second) time.Sleep(1 * time.Second)
} }
ips := corev1.LocalObjectReference{Name: "gcp-auth"} ips := corev1.LocalObjectReference{Name: secretName}
for _, sa := range salist.Items { for _, sa := range salist.Items {
sa.ImagePullSecrets = append(sa.ImagePullSecrets, ips) sa.ImagePullSecrets = append(sa.ImagePullSecrets, ips)
_, err := serviceaccounts.Update(context.TODO(), &sa, metav1.UpdateOptions{}) _, err := serviceaccounts.Update(context.TODO(), &sa, metav1.UpdateOptions{})
@ -158,31 +192,59 @@ func enableAddonGCPAuth(cfg *config.ClusterConfig) error {
} }
} }
return nil
}
// First check if the project env var is explicitly set func refreshExistingPods(cc *config.ClusterConfig) error {
projectEnv := os.Getenv("GOOGLE_CLOUD_PROJECT") client, err := service.K8s.GetCoreClient(cc.Name)
if projectEnv != "" { if err != nil {
f := assets.NewMemoryAssetTarget([]byte(projectEnv), projectPath, "0444") return err
return r.Copy(f)
} }
// We're currently assuming gcloud is installed and in the user's path namespaces, err := client.Namespaces().List(context.TODO(), metav1.ListOptions{})
project, err := exec.Command("gcloud", "config", "get-value", "project").Output() if err != nil {
if err == nil && len(project) > 0 { return err
f := assets.NewMemoryAssetTarget(bytes.TrimSpace(project), projectPath, "0444")
return r.Copy(f)
} }
for _, n := range namespaces.Items {
// Ignore kube-system and gcp-auth namespaces
if n.Name == metav1.NamespaceSystem || n.Name == namespaceName {
continue
}
out.WarningT("Could not determine a Google Cloud project, which might be ok.") pods := client.Pods(n.Name)
out.Styled(style.Tip, `To set your Google Cloud project, run: podList, err := pods.List(context.TODO(), metav1.ListOptions{})
if err != nil {
return err
}
gcloud config set project <project name> for _, p := range podList.Items {
// Skip pods we're explicitly told to skip
if _, ok := p.Labels["gcp-auth-skip-secret"]; ok {
continue
}
or set the GOOGLE_CLOUD_PROJECT environment variable.`) // Recreating the pod should pickup the necessary changes
err := pods.Delete(context.TODO(), p.Name, metav1.DeleteOptions{})
if err != nil {
return err
}
// Copy an empty file in to avoid errors about missing files p.ResourceVersion = ""
emptyFile := assets.NewMemoryAssetTarget([]byte{}, projectPath, "0444")
return r.Copy(emptyFile) _, err = pods.Get(context.TODO(), p.Name, metav1.GetOptions{})
for err == nil {
time.Sleep(time.Second)
_, err = pods.Get(context.TODO(), p.Name, metav1.GetOptions{})
}
_, err = pods.Create(context.TODO(), &p, metav1.CreateOptions{})
if err != nil {
return err
}
}
}
return nil
} }
func disableAddonGCPAuth(cfg *config.ClusterConfig) error { func disableAddonGCPAuth(cfg *config.ClusterConfig) error {
@ -231,10 +293,23 @@ func verifyGCPAuthAddon(cc *config.ClusterConfig, name string, val string) error
return errors.Wrapf(err, "parsing bool: %s", name) return errors.Wrapf(err, "parsing bool: %s", name)
} }
err = verifyAddonStatusInternal(cc, name, val, "gcp-auth") err = verifyAddonStatusInternal(cc, name, val, "gcp-auth")
if err != nil {
return err
}
if Force {
err = refreshExistingPods(cc)
if err != nil {
return err
}
}
if enable && err == nil { if enable && err == nil {
out.Styled(style.Notice, "Your GCP credentials will now be mounted into every pod created in the {{.name}} cluster.", out.V{"name": cc.Name}) out.Styled(style.Notice, "Your GCP credentials will now be mounted into every pod created in the {{.name}} cluster.", out.V{"name": cc.Name})
out.Styled(style.Notice, "If you don't want your credentials mounted into a specific pod, add a label with the `gcp-auth-skip-secret` key to your pod configuration.") out.Styled(style.Notice, "If you don't want your credentials mounted into a specific pod, add a label with the `gcp-auth-skip-secret` key to your pod configuration.")
if !Force {
out.Styled(style.Notice, "If you want existing pods to be mounted with credentials, either recreate them or rerun addons enable with --force.")
}
} }
return err return err