From 33a81a7882d71e5d8f4a3850947c1d87677bf783 Mon Sep 17 00:00:00 2001
From: Moshe Levi
Date: Tue, 19 Feb 2019 22:56:55 +0200
Subject: [PATCH] Move kubelet cert generation when starting kubelet

Running local-up-cluster with START_MODE='kubeletonly' requires cert and kubeconfig. Currently, all the certs and the kubeconfig are created in the start_apiserver so it won't be created when only kubelet is started. This change moves the creation of the kubelet cert and kubeconfig to start_kubelet. This is helpful if you want to run kubelet with local-up-cluster and to connect to an existing master node.

Change-Id: Iaba0bf975297346fbede44342f163024caa256cf
Signed-off-by: Moshe Levi
---
 hack/local-up-cluster.sh | 11 +++++++++--
 1 file changed, 9 insertions(+), 2 deletions(-)

diff --git a/hack/local-up-cluster.sh b/hack/local-up-cluster.sh
index 0ba8ef2100..1c097ffdf7 100755
--- a/hack/local-up-cluster.sh
+++ b/hack/local-up-cluster.sh
@@ -477,7 +477,6 @@ function generate_certs {
 kube::util::create_serving_certkey "${CONTROLPLANE_SUDO}" "${CERT_DIR}" "server-ca" kube-apiserver kubernetes.default kubernetes.default.svc "localhost" ${API_HOST_IP} ${API_HOST} ${FIRST_SERVICE_CLUSTER_IP}
 # Create client certs signed with client-ca, given id, given CN and a number of groups
- kube::util::create_client_certkey "${CONTROLPLANE_SUDO}" "${CERT_DIR}" 'client-ca' kubelet system:node:${HOSTNAME_OVERRIDE} system:nodes
 kube::util::create_client_certkey "${CONTROLPLANE_SUDO}" "${CERT_DIR}" 'client-ca' kube-proxy system:kube-proxy system:nodes
 kube::util::create_client_certkey "${CONTROLPLANE_SUDO}" "${CERT_DIR}" 'client-ca' controller system:kube-controller-manager
 kube::util::create_client_certkey "${CONTROLPLANE_SUDO}" "${CERT_DIR}" 'client-ca' scheduler system:kube-scheduler
@@ -492,6 +491,11 @@ function generate_certs {
 kube::util::write_client_kubeconfig "${CONTROLPLANE_SUDO}" "${CERT_DIR}" "${ROOT_CA_FILE}" "${API_HOST}" "${API_SECURE_PORT}" kube-aggregator
 }
+function generate_kubelet_certs {
+ kube::util::create_client_certkey "${CONTROLPLANE_SUDO}" "${CERT_DIR}" 'client-ca' kubelet system:node:${HOSTNAME_OVERRIDE} system:nodes
+ kube::util::write_client_kubeconfig "${CONTROLPLANE_SUDO}" "${CERT_DIR}" "${ROOT_CA_FILE}" "${API_HOST}" "${API_SECURE_PORT}" kubelet
+}
+
 function start_apiserver {
 security_admission=""
 if [[ -n "${DENY_SECURITY_CONTEXT_ADMISSION}" ]]; then
@@ -598,7 +602,6 @@ function start_apiserver {
 # Create kubeconfigs for all components, using client certs
 kube::util::write_client_kubeconfig "${CONTROLPLANE_SUDO}" "${CERT_DIR}" "${ROOT_CA_FILE}" "${API_HOST}" "${API_SECURE_PORT}" admin
 ${CONTROLPLANE_SUDO} chown "${USER}" "${CERT_DIR}/client-admin.key" # make readable for kubectl
- kube::util::write_client_kubeconfig "${CONTROLPLANE_SUDO}" "${CERT_DIR}" "${ROOT_CA_FILE}" "${API_HOST}" "${API_SECURE_PORT}" kubelet
 kube::util::write_client_kubeconfig "${CONTROLPLANE_SUDO}" "${CERT_DIR}" "${ROOT_CA_FILE}" "${API_HOST}" "${API_SECURE_PORT}" kube-proxy
 kube::util::write_client_kubeconfig "${CONTROLPLANE_SUDO}" "${CERT_DIR}" "${ROOT_CA_FILE}" "${API_HOST}" "${API_SECURE_PORT}" controller
 kube::util::write_client_kubeconfig "${CONTROLPLANE_SUDO}" "${CERT_DIR}" "${ROOT_CA_FILE}" "${API_HOST}" "${API_SECURE_PORT}" scheduler
@@ -781,6 +784,10 @@ function start_kubelet {
 ${KUBELET_FLAGS}
 )
+ if [[ "${REUSE_CERTS}" != true ]]; then
+ generate_kubelet_certs
+ fi
+
 if [[ -z "${DOCKERIZE_KUBELET}" ]]; then
 sudo -E "${GO_OUT}/hyperkube" kubelet "${all_kubelet_flags[@]}" >"${KUBELET_LOG}" 2>&1 &
 KUBELET_PID=$!
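Review bot: The new generate_kubelet_certs signs the node cert with the 'client-ca' in CERT_DIR and embeds ROOT_CA_FILE in the kubeconfig, but both come from generate_certs, which in the kubeletonly flow the commit message targets may never have run on this host, and an empty HOSTNAME_OVERRIDE would mint the malformed identity `system:node:`. A guard at the top of the function, `[[ -n "${HOSTNAME_OVERRIDE}" ]] || { echo "HOSTNAME_OVERRIDE must be set" >&2; return 1; }`, together with an existence check on the client-ca material (file names per kube::util::create_client_certkey, not visible here), would fail fast instead of launching a kubelet with no usable credentials. Note also that a cert minted from a locally generated CA is only trusted by an existing master that shares that client CA; if making that work means copying the CA signing key onto kubelet hosts, the key is exposed on every node, so the remote-master case is better served by TLS bootstrapping against the master's own CA. A header comment such as `# Creates the kubelet client cert (CN system:node:${HOSTNAME_OVERRIDE}, group system:nodes) and its kubeconfig; requires client-ca and ROOT_CA_FILE from generate_certs.` would document these preconditions.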
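Review bot: The added `if [[ "${REUSE_CERTS}" != true ]]` block in start_kubelet skips generation when certs are reused but never verifies that a kubelet cert and kubeconfig actually exist, so REUSE_CERTS=true on a fresh kubeletonly host starts the kubelet with all_kubelet_flags pointing at missing credentials. A check before the sudo line, e.g. `[[ -f "<kubelet kubeconfig path written by write_client_kubeconfig>" ]] || { echo "kubelet kubeconfig missing; unset REUSE_CERTS" >&2; exit 1; }` with the placeholder replaced by the name write_client_kubeconfig uses, would surface the misconfiguration instead of a kubelet that silently fails to authenticate. Also, `!= true` is a plain string comparison, so values such as `True` or `1` silently regenerate (and overwrite) certs; if the script normalizes that flag elsewhere, apply the same normalization here. The body of start_kubelet begins before the hunk.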