On 16 November 2017 at 09:26, Sébastien Bernard <[email protected]> wrote:

> On 16/11/2017 13:08, Guru Shetty wrote:
>
>
>
> On 16 November 2017 at 01:56, Sébastien Bernard <[email protected]>
> wrote:
>
>> Ok,
>>
>> I got to reproduce the error I had yesterday.
>>
>> Here's the path:
>>
>>   1- one vm with centos 7
>>
>>   2- install kubeadm v1.8.3
>>
>>   3- kubeadm init
>>
>>   4- install openvswitch (v2.8.1)
>>
>>   5- follow the instruction of set-master.sh
>>
>>   6- ln -s /etc/kubernetes/pki/ca.crt /etc/openvswitch/k8s-ca.crt
>>
>>   7- cp etc/ovn-k8s.conf /etc/openvswitch/
>>
>>   8- try to start ovn-k8s-watcher and watch it fails. See the log below.
>> Seems the watcher really needs a kubeconfig file to use.
>>
>>     cmdline:
>>
>>     ovn-k8s-watcher --overlay --pidfile --log-file -vfile:info
>> -vconsole:emer
>>
>> kubeadm init sets RBAC by default. It seems the watcher is not able to
>> provide authentication.
>>
>
> You are right. I will work on a fix.
>
> ovn-k8s-watcher is able to look for a token in the external_ids.
>
> In get_api_params:
>
>     k8s_api_token = ovs_vsctl("--if-exists", "get", "Open_vSwitch", ".",
>                               "external_ids:k8s-api-token").strip('"')
> And then in the stream_api function:
>
>     if api_token:
>         headers['Authorization'] = 'Bearer %s' % api_token
>
> So, it should be missing a few configuration parameters (a Role, a
> ServiceAccount, and a RoleBinding).
>
> I'll figure out something from flannel-rbac.yaml. It shouldn't be too
> different.
>

I got a bit of time to try kubeadm. One thing was that the port the API server
was listening on was 6443. Since it was not using an API token, I had to get
certificates from the kubeconfig. A patch like this would work (after a 'pip
install kubernetes'). But the same change is needed at multiple places.

diff --git a/ovn_k8s/common/kubernetes.py b/ovn_k8s/common/kubernetes.py
index a837111..26f7bdd 100644
--- a/ovn_k8s/common/kubernetes.py
+++ b/ovn_k8s/common/kubernetes.py
@@ -12,6 +12,7 @@
 # See the License for the specific language governing permissions and
 # limitations under the License.

+from __future__ import absolute_import
 import json
 import requests

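Review bot: the `from __future__ import absolute_import` line deserves a one-line comment saying why it is there: this file is itself `ovn_k8s/common/kubernetes.py`, so under Python 2's implicit relative imports a bare `import kubernetes` further down would import this very module instead of the pip package. Without the comment the next person to touch the file is likely to remove an import that looks unused.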
@@ -23,6 +24,9 @@ from ovn_k8s.common import exceptions
 from ovn_k8s.common.util import ovs_vsctl
 from ovn_k8s.common import variables

+import kubernetes
+import kubernetes.config
+
 CA_CERTIFICATE = config.get_option('k8s_ca_certificate')
 vlog = ovs.vlog.Vlog("kubernetes")

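Review bot: `import kubernetes` is redundant once `import kubernetes.config` is there (the second binds the `kubernetes` name as well), and both make the python `kubernetes` client a hard dependency of the watcher without it being declared in the project's dependency list. Either declare it, or wrap the import in a `try/except ImportError` so existing installs that only use the `external_ids:k8s-api-token` path keep working.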
@@ -161,12 +165,19 @@ def set_pod_annotation(server, namespace, pod, key,
value):


 def _get_objects(url, namespace, resource_type, resource_id):
+    kubernetes.config.load_kube_config()
+    apiclient = kubernetes.config.new_client_from_config()
+
     ca_certificate, api_token = _get_api_params()

     headers = {}
     if api_token:
         headers['Authorization'] = 'Bearer %s' % api_token
-    if ca_certificate:
+
+    if apiclient.configuration.cert_file:
+       response = requests.get(url, headers=headers,
verify=apiclient.configuration.ssl_ca_cert,
+                               cert=(apiclient.configuration.cert_file,
apiclient.configuration.key_file))
+    elif ca_certificate:
         response = requests.get(url, headers=headers,
verify=ca_certificate)
     else:
         response = requests.get(url, headers=headers)



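Review bot: `kubernetes.config.load_kube_config()` at the top of `_get_objects` is both redundant and a regression: `new_client_from_config()` loads the kubeconfig itself, and both calls raise when there is no kubeconfig (no `~/.kube/config`, no `KUBECONFIG`), so a deployment that authenticates with the token and CA from `_get_api_params()` would now fail before reaching the `elif ca_certificate:` branch. Guard the kubeconfig lookup (check for the file, or catch the loader's exception and fall through to the token path) and do it once, for example in `_get_api_params`, rather than re-reading the file on every request. Also the new `response = requests.get(url, headers=headers,` under `if apiclient.configuration.cert_file:` is indented seven spaces while the surrounding branches use eight; it parses, but it should match.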
The client that I used to test was:

import ovn_k8s.common.kubernetes


pods = ovn_k8s.common.kubernetes.get_all_pods("https://10.33.75.67:6443")

print pods


I need to think about what is a nice way to do this though...


>
> Seb
>
> _______________________________________________
> discuss mailing list
> [email protected]
> https://mail.openvswitch.org/mailman/listinfo/ovs-discuss
>
>
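Both halves of the thread describe the same credential lookup: the watcher already attaches `Authorization: Bearer` from `external_ids:k8s-api-token` and verifies the server with the CA file, and Guru's patch adds the client certificate from a kubeconfig for kubeadm clusters where no token is configured. The following is an added example written for this thread, not code from ovn-kubernetes or from the python `kubernetes` client, that shows one way to combine the two without breaking either: prefer the kubeconfig's client cert/key, fall back to the token in `external_ids`, and fail closed rather than sending an unauthenticated request. The function and type names (`select_auth`, `RequestAuth`, `make_kubeconfig`), the `k8s-api-server` and `k8s-ca-certificate` external_ids keys, the preference order, and the sample kubeconfig with placeholder PEM text are all this example's own assumptions.

```python
"""Credential selection for a Kubernetes API client in the style of
ovn-k8s-watcher (example code, not ovn-kubernetes' own).  Order:
  1. client certificate + key from a kubeconfig (what kubeadm writes);
  2. bearer token from OVS external_ids (k8s-api-token) plus the CA file
     (k8s-ca-certificate) for server verification;
  3. otherwise fail closed instead of sending an unauthenticated request.
"""
import base64
import os
import tempfile
from collections import namedtuple

# What requests.get() needs: base URL, extra headers, verify= (CA path or
# True for the system trust store) and cert= ((cert, key) or None).
RequestAuth = namedtuple("RequestAuth", "server headers verify cert")


def _materialize(entry, path_key, data_key):
    """A kubeconfig field is either a path ('client-certificate') or inline
    base64 ('client-certificate-data').  Inline material is written to a
    temp file (mkstemp creates it mode 0600) so requests can read it."""
    if entry.get(path_key):
        return entry[path_key]
    if entry.get(data_key):
        fd, path = tempfile.mkstemp(prefix="k8s-")
        with os.fdopen(fd, "wb") as fh:
            fh.write(base64.b64decode(entry[data_key]))
        return path
    return None


def kubeconfig_credentials(cfg):
    """Resolve the current-context of an already-parsed kubeconfig (real
    files are YAML; parse them with PyYAML first) into server, CA, client
    cert/key and token."""
    ctx_name = cfg.get("current-context")
    ctx = next((c["context"] for c in cfg.get("contexts", [])
                if c["name"] == ctx_name), None)
    if ctx is None:
        raise ValueError("kubeconfig has no usable current-context")
    cluster = next(c["cluster"] for c in cfg["clusters"]
                   if c["name"] == ctx["cluster"])
    user = next(u["user"] for u in cfg["users"] if u["name"] == ctx["user"])
    if cluster.get("insecure-skip-tls-verify"):
        # A client that hands out a bearer token or client cert must know
        # who it is talking to; refuse rather than silently skip verification.
        raise ValueError("refusing kubeconfig with insecure-skip-tls-verify")
    return {
        "server": cluster["server"],
        "ca": _materialize(cluster, "certificate-authority",
                           "certificate-authority-data"),
        "cert": _materialize(user, "client-certificate",
                             "client-certificate-data"),
        "key": _materialize(user, "client-key", "client-key-data"),
        "token": user.get("token"),
    }


def select_auth(kubeconfig=None, external_ids=None):
    """'external_ids' stands in for what the watcher reads with
    'ovs-vsctl get Open_vSwitch . external_ids:<key>' (assumed keys)."""
    external_ids = external_ids or {}
    if kubeconfig is not None:
        creds = kubeconfig_credentials(kubeconfig)
        verify = creds["ca"] or True
        if creds["cert"] and creds["key"]:
            return RequestAuth(creds["server"], {}, verify,
                               (creds["cert"], creds["key"]))
        if creds["token"]:
            return RequestAuth(creds["server"],
                               {"Authorization": "Bearer " + creds["token"]},
                               verify, None)
    token = external_ids.get("k8s-api-token")
    server = external_ids.get("k8s-api-server")
    if token and server:
        return RequestAuth(server, {"Authorization": "Bearer " + token},
                           external_ids.get("k8s-ca-certificate") or True, None)
    raise RuntimeError("no Kubernetes credentials found; "
                       "refusing to send an unauthenticated request")


# Constructed sample data: placeholder PEM text, not real key material.
FAKE_CA = b"-----BEGIN CERTIFICATE-----\nFAKE-CA\n-----END CERTIFICATE-----\n"
FAKE_CERT = b"-----BEGIN CERTIFICATE-----\nFAKE-CLIENT\n-----END CERTIFICATE-----\n"
FAKE_KEY = b"-----BEGIN RSA PRIVATE KEY-----\nFAKE-KEY\n-----END RSA PRIVATE KEY-----\n"


def make_kubeconfig(insecure=False):
    """Kubeconfig shaped like kubeadm's admin.conf: inline base64, port 6443."""
    def b64(raw):
        return base64.b64encode(raw).decode("ascii")
    cluster = {"server": "https://192.0.2.10:6443",
               "certificate-authority-data": b64(FAKE_CA)}
    if insecure:
        cluster["insecure-skip-tls-verify"] = True
    return {
        "current-context": "kubernetes-admin@kubernetes",
        "clusters": [{"name": "kubernetes", "cluster": cluster}],
        "contexts": [{"name": "kubernetes-admin@kubernetes",
                      "context": {"cluster": "kubernetes",
                                  "user": "kubernetes-admin"}}],
        "users": [{"name": "kubernetes-admin",
                   "user": {"client-certificate-data": b64(FAKE_CERT),
                            "client-key-data": b64(FAKE_KEY)}}],
    }


if __name__ == "__main__":
    print(select_auth(make_kubeconfig()))
    print(select_auth(None, {"k8s-api-server": "https://192.0.2.10:6443",
                             "k8s-api-token": "example-token",
                             "k8s-ca-certificate": "/etc/openvswitch/k8s-ca.crt"}))
```

The returned tuple maps directly onto `requests.get(url, headers=auth.headers, verify=auth.verify, cert=auth.cert)`, so a single resolution at startup can feed every call site instead of repeating the kubeconfig logic in each one. The token path still needs the ServiceAccount, Role and RoleBinding Seb mentions for the API server to accept it; this example only decides which credential to present.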