mirror of
https://github.com/siderolabs/talos.git
synced 2025-09-14 10:21:11 +02:00
a941eb7da0
Fixes #3765 See #3581 There are several changes: * `kube-controller-manager` insecure port is disabled * `kube-controller-manager` and `kube-scheduler` now listen securely only on localhost by default, this can be overridden with `--bind-addr` in extra args * `kube-controller-manager` and `kube-scheduler` now use kubeconfig with limited access role instead of admin one Signed-off-by: Andrey Smirnov <smirnov.andrey@gmail.com>
100 lines
2.5 KiB
Go
100 lines
2.5 KiB
Go
// This Source Code Form is subject to the terms of the Mozilla Public
|
|
// License, v. 2.0. If a copy of the MPL was not distributed with this
|
|
// file, You can obtain one at http://mozilla.org/MPL/2.0/.
|
|
|
|
package kubeconfig_test
|
|
|
|
import (
|
|
"bytes"
|
|
"fmt"
|
|
"net/url"
|
|
"testing"
|
|
"time"
|
|
|
|
"github.com/stretchr/testify/suite"
|
|
"github.com/talos-systems/crypto/x509"
|
|
"k8s.io/client-go/tools/clientcmd"
|
|
|
|
"github.com/talos-systems/talos/internal/pkg/kubeconfig"
|
|
"github.com/talos-systems/talos/pkg/machinery/config/types/v1alpha1"
|
|
)
|
|
|
|
type GenerateSuite struct {
|
|
suite.Suite
|
|
}
|
|
|
|
func (suite *GenerateSuite) TestGenerateAdmin() {
|
|
for _, rsa := range []bool{true, false} {
|
|
rsa := rsa
|
|
|
|
suite.Run(fmt.Sprintf("RSA=%v", rsa), func() {
|
|
ca, err := x509.NewSelfSignedCertificateAuthority(x509.RSA(rsa))
|
|
suite.Require().NoError(err)
|
|
|
|
u, err := url.Parse("http://localhost:3333/api")
|
|
suite.Require().NoError(err)
|
|
|
|
cfg := &v1alpha1.ClusterConfig{
|
|
ClusterName: "talos1",
|
|
ClusterCA: &x509.PEMEncodedCertificateAndKey{
|
|
Crt: ca.CrtPEM,
|
|
Key: ca.KeyPEM,
|
|
},
|
|
ControlPlane: &v1alpha1.ControlPlaneConfig{
|
|
Endpoint: &v1alpha1.Endpoint{
|
|
URL: u,
|
|
},
|
|
},
|
|
AdminKubeconfigConfig: &v1alpha1.AdminKubeconfigConfig{
|
|
AdminKubeconfigCertLifetime: time.Hour,
|
|
},
|
|
}
|
|
|
|
var buf bytes.Buffer
|
|
|
|
suite.Require().NoError(kubeconfig.GenerateAdmin(cfg, &buf))
|
|
|
|
// verify config via k8s client
|
|
config, err := clientcmd.Load(buf.Bytes())
|
|
suite.Require().NoError(err)
|
|
|
|
suite.Assert().NoError(clientcmd.ConfirmUsable(*config, fmt.Sprintf("admin@%s", cfg.ClusterName)))
|
|
})
|
|
}
|
|
}
|
|
|
|
func (suite *GenerateSuite) TestGenerate() {
|
|
ca, err := x509.NewSelfSignedCertificateAuthority(x509.RSA(false))
|
|
suite.Require().NoError(err)
|
|
|
|
k8sCA := x509.NewCertificateAndKeyFromCertificateAuthority(ca)
|
|
|
|
input := kubeconfig.GenerateInput{
|
|
ClusterName: "foo",
|
|
|
|
CA: k8sCA,
|
|
CertificateLifetime: time.Hour,
|
|
|
|
CommonName: "system:kube-controller-manager",
|
|
Organization: "system:kube-controller-manager",
|
|
|
|
Endpoint: "https://localhost:6443/",
|
|
Username: "kube-controller-manager",
|
|
ContextName: "kube-controller-manager",
|
|
}
|
|
|
|
var buf bytes.Buffer
|
|
|
|
suite.Require().NoError(kubeconfig.Generate(&input, &buf))
|
|
|
|
// verify config via k8s client
|
|
config, err := clientcmd.Load(buf.Bytes())
|
|
suite.Require().NoError(err)
|
|
|
|
suite.Assert().NoError(clientcmd.ConfirmUsable(*config, "kube-controller-manager@foo"))
|
|
}
|
|
|
|
func TestGenerateSuite(t *testing.T) {
|
|
suite.Run(t, new(GenerateSuite))
|
|
}
|