Commit 1be39437 authored by HQ's avatar HQ

Bug fixes and performance improvements

parent 45a4c4a7
......@@ -13,13 +13,14 @@ my $mserver = show_management_server();
if ($mserver) {
$mip = $mserver->{internalip};
}
my $extip = get_externalip();
if ($intip && $mip) {
if ($intip eq $mip) {
if (-e "/usr/share/webmin/stabile/tabs/kubernetes/joincmd.sh") {
;
} else {
my $kinit = `kubeadm init --pod-network-cidr=10.244.0.0/16 | tee /root/initout.log 2>\&1`;
my $kinit = `kubeadm init --pod-network-cidr=10.244.0.0/16 --apiserver-cert-extra-sans=$extip | tee /root/initout.log 2>\&1`;
if ($kinit =~ /(kubeadm join .+--discovery-token-ca-cert-hash sha256:.+)/s) {
my $joincmd = $1;
$joincmd =~ s/\n//;
......@@ -134,11 +135,31 @@ if ($intip && $mip) {
`cp -i /etc/kubernetes/admin.conf /home/stabile/.kube/config`;
`chown -R stabile:stabile /home/stabile/.kube`;
# Make kubeconfig available for download
`cp -i /etc/kubernetes/admin.conf /usr/share/webmin/stabile/kubeconfig`;
`perl -pi -e 's/server: https.*/server: https:\\\/\\\/$extip:6443/' /usr/share/webmin/stabile/kubeconfig`;
`echo "Done..." >> /root/initout.log`;
} else {
`echo "$kinit" > /root/initerr`
}
}
# Limit access to apiserver (port 6443) and bird (port 179)
my $localnet = "$ipstart.0/24";
print `iptables -D INPUT -p tcp --dport 6443 -s 127.0.0.1 -j ACCEPT 2>/dev/null`;
print `iptables -D INPUT -p tcp --dport 6443 -s $localnet -j ACCEPT 2>/dev/null`;
print `iptables -D INPUT -p tcp --dport 6443 -j DROP 2>/dev/null`;
print `iptables -A INPUT -p tcp --dport 6443 -s 127.0.0.1 -j ACCEPT 2>/dev/null`;
print `iptables -A INPUT -p tcp --dport 6443 -s $localnet -j ACCEPT 2>/dev/null`;
print `iptables -A INPUT -p tcp --dport 6443 -j DROP 2>/dev/null`;
print `iptables -D INPUT -p tcp --dport 179 -s 127.0.0.1 -j ACCEPT 2>/dev/null`;
print `iptables -D INPUT -p tcp --dport 179 -s $localnet -j ACCEPT 2>/dev/null`;
print `iptables -D INPUT -p tcp --dport 179 -j DROP 2>/dev/null`;
print `iptables -A INPUT -p tcp --dport 179 -s 127.0.0.1 -j ACCEPT 2>/dev/null`;
print `iptables -A INPUT -p tcp --dport 179 -s $localnet -j ACCEPT 2>/dev/null`;
print `iptables -A INPUT -p tcp --dport 179 -j DROP 2>/dev/null`;
} else {
if (-e "/root/joincmd.sh") {
;
......@@ -194,3 +215,22 @@ sub get_internalip {
}
return $internalip;
}
sub get_externalip {
my $externalip;
if (!(-e "/tmp/externalip")) {
$externalip = $1 if (`curl -sk https://$gw/stabile/networks/this` =~ /"externalip" : "(.+)",/);
chomp $externalip;
if ($externalip eq '--') {
# Assume we have ens4 up with an external IP address
$externalip = `ifconfig ens4 | grep -o 'inet addr:\\\S*' | sed -n -e 's/^inet addr://p'`;
chomp $externalip;
}
`echo "$externalip" > /tmp/externalip` if ($externalip);
} else {
$externalip = `cat /tmp/externalip` if (-e "/tmp/externalip");
chomp $externalip;
}
return $externalip;
}
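Review bot: `get_externalip` hands back an unvalidated string — whatever the greedy `"externalip" : "(.+)",` capture or `cat /tmp/externalip` produced — and the new code interpolates it straight into shell commands (`kubeadm init --apiserver-cert-extra-sans=$extip`, the `perl -pi -e` rewrite of the downloadable kubeconfig) that appear to run as root given the kubeadm/iptables calls around them. Since `/tmp` is world-writable, any local user can pre-create `/tmp/externalip` with a crafted value, which turns a wrong SAN into command injection; the cache belongs somewhere root-owned such as `/root/` or `/var/lib/`, and the `-k` on the curl call means an on-path party could feed the value as well. Check the value before it is cached or returned, e.g. `return '' unless $externalip =~ /^\d{1,3}(?:\.\d{1,3}){3}$/;` placed ahead of the `echo ... > /tmp/externalip` line, so callers fall into their existing empty-value branches instead of running the command with attacker-chosen text.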
......@@ -18,7 +18,7 @@ sub kubernetes {
my $kubepwform = <<END
<form class="passwordform" id="kubepassword_form" action="index.cgi?action=kubepassword&tab=kubernetes" method="post" onsubmit="limitKubeSpinner('kubepassword'); \$('#kubepassword').val(''); return false;" accept-charset="utf-8" id="linform" autocomplete="off">
<div class="small">Set password for dashboard user "admin" user:</div>
<div class="small">Set password for dashboard user "admin":</div>
<div class="row">
<div class="col-sm-10">
<input id="kubepassword" type="password" name="kubepassword" autocomplete="off" value="" class="password">
......@@ -29,16 +29,17 @@ sub kubernetes {
</div>
</form>
<div class="small">
After allowing access from your IP address, you can access the <a target="_blank" href="https://$externalip:10002/">dashboard</a> with username 'admin'.
After allowing access from your IP address, you can access the <a target="_blank" href="https://$externalip:10002/">dashboard</a> with username 'admin'.<br>
You can also download a <a href="kubeconfig" download="kubeconfig">kubeconfig file</a> to access your cluster with kubectl.
</div>
END
;
my $kubelimitform = <<END
<h6>Dashboard</h6>
<h6>Dashboard and kubeconfig</h6>
<div>
<form class="passwordform" id="limitkube_form" action="index.cgi?action=limitkube&tab=kubernetes" method="post" onsubmit="limitKubeSpinner(); return false;" accept-charset="utf-8">
<div class="small">Allow Kubernetes dashboard login from:</div>
<div class="small">Allow Kubernetes kubectl and dashboard login from:</div>
<div class="row">
<div class="col-sm-10">
<input id="limitkube" type="text" name="limitkube" value="$kubelimit" placeholder="IP address or network, e.g. '192.168.0.0/24 127.0.0.1'">
......@@ -406,12 +407,19 @@ END
my $message = "Please supply a limit!";
if (defined $in{limitkube}) {
my $limit = $in{limitkube};
my ($validlimit, $mess) = validate_limit($limit);
my ($validlimit, $sshlimit, $mess) = validate_limit($limit);
my $conf = "/etc/apache2/sites-available/kubernetes-ssl.conf";
if ($validlimit) {
if (`grep 'allow from' /etc/apache2/sites-available/kubernetes-ssl.conf`)
{
$message = "Kubernetes dashboard access was changed!";
$message = "Kubernetes apiserver and dashboard access was changed!";
my @limits = split(" ", $validlimit);
$message .= `iptables -D INPUT -p tcp --dport 6443 -j DROP 2>/dev/null`;
foreach my $lim (@limits) {
$message .= `iptables -D INPUT -p tcp --dport 6443 -s $lim -j ACCEPT 2>/dev/null`;
$message .= `iptables -A INPUT -p tcp --dport 6443 -s $lim -j ACCEPT 2>/dev/null`;
}
$message .= `iptables -A INPUT -p tcp --dport 6443 -j DROP 2>/dev/null`;
$message .= `perl -pi -e 's/allow from (.*)/allow from $validlimit/;' $conf`;
} else {
$message = "Unable to process kubernetes-ssl.conf!";
......
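Review bot: Changing the limit never revokes the previous one at the packet filter: the `iptables -D ... -s $lim -j ACCEPT` line only removes rules for addresses in the new `$validlimit`, so every source ever allowed keeps its ACCEPT on port 6443 after the apache `allow from` line is rewritten. Deleting the DROP rule first and re-appending it last also leaves 6443 open to everyone for the window between those two commands. Parse the old list out of the `grep 'allow from'` result before `$conf` is rewritten, delete its ACCEPT rules, and insert the new ones with `-I` so the DROP rule never has to move; note each `$lim` is still shell-interpolated, which is only safe if `validate_limit` (not visible here) returns nothing but IP/CIDR tokens. The enclosing action handler starts and ends outside the hunk.
```perl
my @limits = split(" ", $validlimit);
# Revoke ACCEPT rules for the sources allowed until now; the old list is
# whatever the apache conf currently says (tokens that match no rule are a no-op).
my ($oldlimit) = (`grep 'allow from' $conf` =~ /allow from (.*)/);
foreach my $lim (split(" ", ($oldlimit || ''))) {
    $message .= `iptables -D INPUT -p tcp --dport 6443 -s $lim -j ACCEPT 2>/dev/null`;
}
# Insert rather than append so the new ACCEPTs sit above the existing DROP
# and the DROP itself is never removed.
foreach my $lim (@limits) {
    $message .= `iptables -I INPUT -p tcp --dport 6443 -s $lim -j ACCEPT 2>/dev/null`;
}
# … unchanged: rewrite of 'allow from' in $conf …
```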