Kubebuilder认证配置文件的加载

本文主要是介绍Kubebuilder认证配置文件的加载，对大家解决编程问题具有一定的参考价值，需要的程序猿们随着小编来一起学习吧！

在kubernetes二次开发-Kubebuilder最佳实践中，我们简单使用了Kubebuilder来资源创建、验证等操作，那么你一定很好奇，程序是如何连接到Kubernetes的，下面我们来简单看下。

来到main.go

	mgr, err := ctrl.NewManager(ctrl.GetConfigOrDie(), ctrl.Options{
		Scheme:                 scheme,
		MetricsBindAddress:     metricsAddr,
		Port:                   9443,
		HealthProbeBindAddress: probeAddr,
		LeaderElection:         enableLeaderElection,
		LeaderElectionID:       "1de8eaa9.demo.kubebuilder.io",
	})

重点就在“ctrl.GetConfigOrDie()”中，追踪后，最终会来到这个地方：

sigs.k8s.io/controller-runtime/pkg/client/config/config.go

// loadConfig loads a REST Config as per the rules specified in GetConfig.
func loadConfig(context string) (*rest.Config, error) {
	// If a flag is specified with the config location, use that
	if len(kubeconfig) > 0 {
		return loadConfigWithContext("", &clientcmd.ClientConfigLoadingRules{ExplicitPath: kubeconfig}, context)
	}

	// If the recommended kubeconfig env variable is not specified,
	// try the in-cluster config.
	kubeconfigPath := os.Getenv(clientcmd.RecommendedConfigPathEnvVar)
	if len(kubeconfigPath) == 0 {
		if c, err := loadInClusterConfig(); err == nil {
			return c, nil
		}
	}

	// If the recommended kubeconfig env variable is set, or there
	// is no in-cluster config, try the default recommended locations.
	//
	// NOTE: For default config file locations, upstream only checks
	// $HOME for the user's home directory, but we can also try
	// os/user.HomeDir when $HOME is unset.
	//
	// TODO(jlanford): could this be done upstream?
	loadingRules := clientcmd.NewDefaultClientConfigLoadingRules()
	if _, ok := os.LookupEnv("HOME"); !ok {
		u, err := user.Current()
		if err != nil {
			return nil, fmt.Errorf("could not get current user: %v", err)
		}
		loadingRules.Precedence = append(loadingRules.Precedence, filepath.Join(u.HomeDir, clientcmd.RecommendedHomeDir, clientcmd.RecommendedFileName))
	}

	return loadConfigWithContext("", loadingRules, context)
}

该方法完成的功能如下：

• （1）如果初始化了kubeconfig，则从kubeconfig中读取集群配置

• （2）否则从环境变量KUBECONFIG读取，若没有则从集群内部读取，这种场景适用于将kubebuilder部署到了kubernetes中的场景，它是这样读取的：

  // InClusterConfig returns a config object which uses the service account
  // kubernetes gives to pods. It's intended for clients that expect to be
  // running inside a pod running on kubernetes. It will return ErrNotInCluster
  // if called from a process not running in a kubernetes environment.
  func InClusterConfig() (*Config, error) {
      const (
          tokenFile  = "/var/run/secrets/kubernetes.io/serviceaccount/token"
          rootCAFile = "/var/run/secrets/kubernetes.io/serviceaccount/ca.crt"
      )
      host, port := os.Getenv("KUBERNETES_SERVICE_HOST"), os.Getenv("KUBERNETES_SERVICE_PORT")
      if len(host) == 0 || len(port) == 0 {
          return nil, ErrNotInCluster
      }
  
      token, err := ioutil.ReadFile(tokenFile)
      if err != nil {
          return nil, err
      }
  
      tlsClientConfig := TLSClientConfig{}
  
      if _, err := certutil.NewPool(rootCAFile); err != nil {
          klog.Errorf("Expected to load root CA config from %s, but got err: %v", rootCAFile, err)
      } else {
          tlsClientConfig.CAFile = rootCAFile
      }
  
      return &Config{
          // TODO: switch to using cluster DNS.
          Host:            "https://" + net.JoinHostPort(host, port),
          TLSClientConfig: tlsClientConfig,
          BearerToken:     string(token),
          BearerTokenFile: tokenFile,
      }, nil
  }
  

  读取POD上内“/var/run/secrets/kubernetes.io/serviceaccount/”下的“token”和“ca.crt”文件，如：

  [root@master kubebuilder-demo]# kubectl get pods
  NAME             READY   STATUS    RESTARTS   AGE
  redis-sample-0   1/1     Running   0          25m
  redis-sample-1   1/1     Running   0          25m
  #
  [root@master kubebuilder-demo]# kubectl exec -it redis-sample-0 -- sh
  /data # ls -l /var/run/secrets/kubernetes.io/serviceaccount
  total 0
  lrwxrwxrwx    1 root     root            13 Feb 17 10:16 ca.crt -> ..data/ca.crt
  lrwxrwxrwx    1 root     root            16 Feb 17 10:16 namespace -> ..data/namespace
  lrwxrwxrwx    1 root     root            12 Feb 17 10:16 token -> ..data/token
  /data # 
  /data # cat /var/run/secrets/kubernetes.io/serviceaccount/token
  eyJhbGciOiJSUzI1NiIsImtpZCI6IkxONVBTQm90R3JaT21ET3pkdmZhaWN1ak9lcGZ0WjRNemRudUhndjNmRGcifQ.eyJhdWQiOlsiaHR0cHM6Ly9rdWJlcm5ldGVzLmRlZmF1bHQuc3ZjLmNsdXN0ZXIubG9jYWwiXSwiZXhwIjoxNjc2NjI4OTc0LCJpYXQiOjE2NDUwOTI5NzQsImlzcyI6Imh0dHBzOi8va3ViZXJuZXRlcy5kZWZhdWx0LnN2Yy5jbHVzdGVyLmxvY2FsIiwia3ViZXJuZXRlcy5pbyI6eyJuYW1lc3BhY2UiOiJkZWZhdWx0IiwicG9kIjp7Im5hbWUiOiJyZWRpcy1zYW1wbGUtMCIsInVpZCI6ImZmMTA3YWNhLTU1NzYtNDc4NS04Y2YwLWE4YWE4ZTE2NmU4ZCJ9LCJzZXJ2aWNlYWNjb3VudCI6eyJuYW1lIjoiZGVmYXVsdCIsInVpZCI6ImZkNWMzNTQ3LWY5ZjctNDZlOC1iNjFhLTdjNWVmMjczMWU4ZSJ9LCJ3YXJuYWZ0ZXIiOjE2NDUwOTY1ODF9LCJuYmYiOjE2NDUwOTI5NzQsInN1YiI6InN5c3RlbTpzZXJ2aWNlYWNjb3VudDpkZWZhdWx0OmRlZmF1bHQifQ.xUf0OZxfTPitPgFF9AUKX439G_BJv5MDY25uTvpa8zj5QkZzaaV-238cZEpMU_cG3i2gtA_xfsw2nXKvfedmv1ZPbtcnovEVP-rCunO5DD8tSm478lsx0RxgzhJpvaVLxwyxwPeQyM8wcVPsXUvYt1ZvlemWWYqX739bRApHFsXIKtUhMAcvhz7byCfATBYLO0TFbrEUWNkT8y8ZDgqoogzRYs6cKi1thGuEaqF406Kt0GYUl06KjEAOdbzHyVpu-bsTz_OOZXWQVxSCquMrTZdffOK11DJrtADORPdavEQOde1Kf-LXaRdxh_-NbUVo9alFyfwiv9gegcUjXNHc6w/data # 
  /data # cat /var/run/secrets/kubernetes.io/serviceaccount/ca.crt
  -----BEGIN CERTIFICATE-----
  MIIC5zCCAc+gAwIBAgIBADANBgkqhkiG9w0BAQsFADAVMRMwEQYDVQQDEwprdWJl
  cm5ldGVzMB4XDTIyMDIwOTA1MzIyOVoXDTMyMDIwNzA1MzIyOVowFTETMBEGA1UE
  AxMKa3ViZXJuZXRlczCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAMuF
  j6sLBDFDukzsS6WmwyhqHqkFpz2IZpVT8SaPdxtuKJcLRQGZWs5slWIlJY2tYhb0
  BUO1YUP4b83lT61ZlBASZJYfKQ3UUyMiCkAUqy/Bxih8ItibYBJxXcK8nVMqgZVF
  aFSKF0psfm3MZsNWuStYn2qLrdLAE1P4JeDkd+E+iX0t+DfEQdjvgfuJwzfUC7Ip
  bN3XvXCBkV3oTo+61Ijv0aygUhQ3nD5H9Q+Fyh8pWwFBQUVec++2t/MVRtriSXoS
  510YbtsYr08RXzjv7w0kUV7TFnYaDdSbiIYgYGwbRwhNsQua8AH4jtbYGbzvFx0u
  vmV+kx3mtZ71NiwpNK0CAwEAAaNCMEAwDgYDVR0PAQH/BAQDAgKkMA8GA1UdEwEB
  /wQFMAMBAf8wHQYDVR0OBBYEFMC5ezheys2mejyq1qMrijX6jgCrMA0GCSqGSIb3
  DQEBCwUAA4IBAQAUgRrfXor/MegRzLtUZITVZTM7nXM13BYVeqjxMIdT16A5pwZM
  N44SG9Q2xezC3WhPoT69qg8tR+EoqJBY+o/00mH4uMOkED+Dbu4J6QCwBg0g/v2T
  4sifXh4tmYybCxCvdh/ZS7lmROFXYJXpoPbIQ/n1cIABpwbGPLaQKk+apIlmE61Q
  5iLSeT7RAKULm2gpJc122wVDHvk1vzhn0u+6SDGHKmjQIYFceGWLecfzNAjTqOx8
  13MMYR2rck90ATArxyXKm6gtCbCs74jspU5dvUnJQxHIcrcVL4RWlo/tmU3+wci6
  S17d5NVpPFOnmjYeg2Cq0VsTDXjUHF/dNOuF
  -----END CERTIFICATE-----
  /data #
  

• （3）如果上面两个地方都没有找到，则会读取默认配置。即：$HOME下

  //拼凑路径：
  filepath.Join(u.HomeDir, clientcmd.RecommendedHomeDir, clientcmd.RecommendedFileName)//
  

  const (
  	RecommendedConfigPathFlag   = "kubeconfig"
  	RecommendedConfigPathEnvVar = "KUBECONFIG"
  	RecommendedHomeDir          = ".kube"
  	RecommendedFileName         = "config"
  	RecommendedSchemaName       = "schema"
  )
  

这篇关于Kubebuilder认证配置文件的加载的文章就介绍到这儿，希望我们推荐的文章对大家有所帮助，也希望大家多多支持为之网！