add secret for kubeadmin pre-idp user

cmd/openshift-install/create.go

@@ -249,7 +249,8 @@ func logComplete(directory string) error {
 		return err
 	}
 	kubeconfig := filepath.Join(absDir, "auth", "kubeconfig")
-	logrus.Infof("Install complete! Run 'export KUBECONFIG=%s' to manage your cluster.", kubeconfig)
-	logrus.Info("After exporting your kubeconfig, run 'oc -h' for a list of OpenShift client commands.")
+	// TODO: Direct users to web-console
+	// TODO: Get kubeadmin password, log here
+	logrus.Infof("Install complete! The kubeconfig is located here: %s.", kubeconfig)
 	return nil
 }

data/data/manifests/tectonic/kubeadmin-password-secret.yaml.template

@@ -0,0 +1,7 @@
+kind: Secret
+apiVersion: v1
+metadata:
+  namespace: kube-system
+  name: kubeadmin
+data:
+  kubeadmin: {{.Base64encodeKubeadminPwHash}}

pkg/asset/manifests/tectonic.go

@@ -2,16 +2,23 @@ package manifests
 
 import (
 	"encoding/base64"
+	"math/rand"
 	"path/filepath"
+	"time"
 
 	"github.com/aws/aws-sdk-go/aws/session"
 	"github.com/ghodss/yaml"
+	"github.com/pkg/errors"
 
 	"github.com/gophercloud/utils/openstack/clientconfig"
 	"github.com/openshift/installer/pkg/asset"
 	"github.com/openshift/installer/pkg/asset/installconfig"
 	"github.com/openshift/installer/pkg/asset/machines"
 	"github.com/openshift/installer/pkg/asset/templates/content/tectonic"
+
+	"golang.org/x/crypto/bcrypt"
+	// TODO: remove this,temporary debugging
+	"github.com/sirupsen/logrus"
 )
 
 const (
@@ -43,6 +50,7 @@ func (t *Tectonic) Dependencies() []asset.Asset {
 
 		&tectonic.BindingDiscovery{},
 		&tectonic.CloudCredsSecret{},
+		&tectonic.KubeadminPasswordSecret{},
 		&tectonic.RoleCloudCredsSecretReader{},
 	}
 }
@@ -54,6 +62,13 @@ func (t *Tectonic) Generate(dependencies asset.Parents) error {
 	worker := &machines.Worker{}
 	master := &machines.Master{}
 	dependencies.Get(installConfig, clusterk8sio, worker, master)
+	kubeadminPassword, kubeadminPasswordHash, err := generateRandomPasswordHash()
+	if err != nil {
+		return errors.Wrap(err, "failed to create kubeadmin password")
+	}
+	// TODO: remove this, save and log at install completion
+	logrus.Infof("kubeadmin password: %s", kubeadminPassword)
+
 	var cloudCreds cloudCredsSecretData
 	platform := installConfig.Config.Platform.Name()
 	switch platform {
@@ -91,18 +106,22 @@ func (t *Tectonic) Generate(dependencies asset.Parents) error {
 	}
 
 	templateData := &tectonicTemplateData{
-		CloudCreds: cloudCreds,
+		CloudCreds:                  cloudCreds,
+		Base64encodeKubeadminPwHash: base64.StdEncoding.EncodeToString(kubeadminPasswordHash),
 	}
 
 	bindingDiscovery := &tectonic.BindingDiscovery{}
 	cloudCredsSecret := &tectonic.CloudCredsSecret{}
+	kubeadminPasswordSecret := &tectonic.KubeadminPasswordSecret{}
 	roleCloudCredsSecretReader := &tectonic.RoleCloudCredsSecretReader{}
 	dependencies.Get(
 		bindingDiscovery,
 		cloudCredsSecret,
+		kubeadminPasswordSecret,
 		roleCloudCredsSecretReader)
 	assetData := map[string][]byte{
 		"99_binding-discovery.yaml":                             []byte(bindingDiscovery.Files()[0].Data),
+		"99_kubeadmin-password-secret.yaml":                     applyTemplateData(kubeadminPasswordSecret.Files()[0].Data, templateData),
 		"99_openshift-cluster-api_cluster.yaml":                 clusterk8sio.Raw,
 		"99_openshift-cluster-api_master-machines.yaml":         master.MachinesRaw,
 		"99_openshift-cluster-api_master-user-data-secret.yaml": master.UserDataSecretRaw,
@@ -127,6 +146,39 @@ func (t *Tectonic) Generate(dependencies asset.Parents) error {
 	return nil
 }
 
+// generateRandomPasswordHash generates a hash of a random ASCII 14 char string with at least
+// one digit and one special character.
+func generateRandomPasswordHash() (string, []byte, error) {
+	rand.New(rand.NewSource(time.Now().UnixNano()))
+	const (
+		lowercase = "ABCDEFGHIJKLMNOPQRSTUVWXYZ"
+		uppercase = "abcdefghijklmnopqrstuvwxyz"
+		digits = "0123456789"
+	)
+	length := 23
+	all := uppercase + lowercase + digits
+	buf := make([]byte, length)
+	buf[0] = digits[rand.Intn(len(digits))]
+	buf[1] = lowercase[rand.Intn(len(lowercase))]
+	buf[2] = uppercase[rand.Intn(len(uppercase))]
+	for i := 3; i < length; i++ {
+		buf[i] = all[rand.Intn(len(all))]
+	}
+	rand.Shuffle(len(buf), func(i, j int) {
+		buf[i], buf[j] = buf[j], buf[i]
+	})
+	for _, replace := range []int{5, 11, 17} {
+        buf[replace] = '-'
+	}
+
+	password := string(buf)
+	bytes, err := bcrypt.GenerateFromPassword(buf, bcrypt.DefaultCost)
+	if err != nil {
+		return "", nil, err
+	}
+	return password, bytes, nil
+}
+
 // Files returns the files generated by the asset.
 func (t *Tectonic) Files() []*asset.File {
 	return t.FileList

pkg/asset/manifests/template.go

@@ -36,5 +36,6 @@ type bootkubeTemplateData struct {
 }
 
 type tectonicTemplateData struct {
-	CloudCreds cloudCredsSecretData
+	CloudCreds                  cloudCredsSecretData
+	Base64encodeKubeadminPwHash string
 }

pkg/asset/templates/content/tectonic/kubeadmin-password-secret.go

@@ -0,0 +1,65 @@
+package tectonic
+
+import (
+	"os"
+	"path/filepath"
+
+	"github.com/openshift/installer/pkg/asset"
+	"github.com/openshift/installer/pkg/asset/templates/content"
+)
+
+const (
+	kubeadminPasswordSecretFileName = "kubeadmin-password-secret.yaml.template"
+)
+
+var _ asset.WritableAsset = (*KubeadminPasswordSecret)(nil)
+
+// KubeadminPasswordSecret is the constant to represent contents of kubeadmin-password-secret.yaml.template file
+type KubeadminPasswordSecret struct {
+	fileName string
+	FileList []*asset.File
+}
+
+// Dependencies returns all of the dependencies directly needed by the asset
+func (t *KubeadminPasswordSecret) Dependencies() []asset.Asset {
+	return []asset.Asset{}
+}
+
+// Name returns the human-friendly name of the asset.
+func (t *KubeadminPasswordSecret) Name() string {
+	return "KubeadminPasswordSecret"
+}
+
+// Generate generates the actual files by this asset
+func (t *KubeadminPasswordSecret) Generate(parents asset.Parents) error {
+	t.fileName = kubeadminPasswordSecretFileName
+	data, err := content.GetTectonicTemplate(t.fileName)
+	if err != nil {
+		return err
+	}
+	t.FileList = []*asset.File{
+		{
+			Filename: filepath.Join(content.TemplateDir, t.fileName),
+			Data:     []byte(data),
+		},
+	}
+	return nil
+}
+
+// Files returns the files generated by the asset.
+func (t *KubeadminPasswordSecret) Files() []*asset.File {
+	return t.FileList
+}
+
+// Load returns the asset from disk.
+func (t *KubeadminPasswordSecret) Load(f asset.FileFetcher) (bool, error) {
+	file, err := f.FetchByName(filepath.Join(content.TemplateDir, kubeadminPasswordSecretFileName))
+	if err != nil {
+		if os.IsNotExist(err) {
+			return false, nil
+		}
+		return false, err
+	}
+	t.FileList = []*asset.File{file}
+	return true, nil
+}

pkg/asset/templates/templates.go

@@ -41,6 +41,7 @@ func (m *Templates) Dependencies() []asset.Asset {
 		&bootkube.HostEtcdServiceKubeSystem{},
 		&tectonic.BindingDiscovery{},
 		&tectonic.CloudCredsSecret{},
+		&tectonic.KubeadminPasswordSecret{},
 		&tectonic.RoleCloudCredsSecretReader{},
 	}
 }
@@ -66,6 +67,7 @@ func (m *Templates) Generate(dependencies asset.Parents) error {
 
 	bindingDiscovery := &tectonic.BindingDiscovery{}
 	cloudCredsSecret := &tectonic.CloudCredsSecret{}
+	kubeadminPasswordSecret := &tectonic.KubeadminPasswordSecret{}
 	roleCloudCredsSecretReader := &tectonic.RoleCloudCredsSecretReader{}
 
 	dependencies.Get(
@@ -87,6 +89,7 @@ func (m *Templates) Generate(dependencies asset.Parents) error {
 		hostEtcdServiceKubeSystem,
 		bindingDiscovery,
 		cloudCredsSecret,
+		kubeadminPasswordSecret,
 		roleCloudCredsSecretReader)
 
 	m.FileList = []*asset.File{}
@@ -109,6 +112,7 @@ func (m *Templates) Generate(dependencies asset.Parents) error {
 
 	m.FileList = append(m.FileList, bindingDiscovery.Files()...)
 	m.FileList = append(m.FileList, cloudCredsSecret.Files()...)
+	m.FileList = append(m.FileList, kubeadminPasswordSecret.Files()...)
 	m.FileList = append(m.FileList, roleCloudCredsSecretReader.Files()...)
 
 	return nil