Add REUSE_CERT to skip creaing new ca/cert files
It may be useful together with PRESERVE_ETCD to run the apiserver with the existing certs, so that service account secrets stay valid.
pull/58/head
parent
e763a3c56d
commit
385d18d05e
@ -231,6 +231,9 @@ ROOT_CA_FILE=${CERT_DIR}/server-ca.crt
|
||||||
ROOT_CA_KEY=${CERT_DIR}/server-ca.key
|
ROOT_CA_KEY=${CERT_DIR}/server-ca.key
|
||||||
CLUSTER_SIGNING_CERT_FILE=${CLUSTER_SIGNING_CERT_FILE:-"${ROOT_CA_FILE}"}
|
CLUSTER_SIGNING_CERT_FILE=${CLUSTER_SIGNING_CERT_FILE:-"${ROOT_CA_FILE}"}
|
||||||
CLUSTER_SIGNING_KEY_FILE=${CLUSTER_SIGNING_KEY_FILE:-"${ROOT_CA_KEY}"}
|
CLUSTER_SIGNING_KEY_FILE=${CLUSTER_SIGNING_KEY_FILE:-"${ROOT_CA_KEY}"}
|
||||||
|
# Reuse certs will skip generate new ca/cert files under CERT_DIR
|
||||||
|
# it's useful with PRESERVE_ETCD=true because new ca will make existed service account secrets invalided
|
||||||
|
REUSE_CERTS=${REUSE_CERTS:-"false"}
|
||||||
|
|
||||||
# name of the cgroup driver, i.e. cgroupfs or systemd
|
# name of the cgroup driver, i.e. cgroupfs or systemd
|
||||||
if [[ ${CONTAINER_RUNTIME} == "docker" ]]; then
|
if [[ ${CONTAINER_RUNTIME} == "docker" ]]; then
|
||||||
|
@ -449,6 +452,39 @@ function set_service_accounts {
|
||||||
fi
|
fi
|
||||||
}
|
}
|
||||||
|
|
||||||
|
function generate_certs {
|
||||||
|
# Create CA signers
|
||||||
|
if [[ "${ENABLE_SINGLE_CA_SIGNER:-}" = true ]]; then
|
||||||
|
kube::util::create_signing_certkey "${CONTROLPLANE_SUDO}" "${CERT_DIR}" server '"client auth","server auth"'
|
||||||
|
sudo cp "${CERT_DIR}/server-ca.key" "${CERT_DIR}/client-ca.key"
|
||||||
|
sudo cp "${CERT_DIR}/server-ca.crt" "${CERT_DIR}/client-ca.crt"
|
||||||
|
sudo cp "${CERT_DIR}/server-ca-config.json" "${CERT_DIR}/client-ca-config.json"
|
||||||
|
else
|
||||||
|
kube::util::create_signing_certkey "${CONTROLPLANE_SUDO}" "${CERT_DIR}" server '"server auth"'
|
||||||
|
kube::util::create_signing_certkey "${CONTROLPLANE_SUDO}" "${CERT_DIR}" client '"client auth"'
|
||||||
|
fi
|
||||||
|
|
||||||
|
# Create auth proxy client ca
|
||||||
|
kube::util::create_signing_certkey "${CONTROLPLANE_SUDO}" "${CERT_DIR}" request-header '"client auth"'
|
||||||
|
|
||||||
|
# serving cert for kube-apiserver
|
||||||
|
kube::util::create_serving_certkey "${CONTROLPLANE_SUDO}" "${CERT_DIR}" "server-ca" kube-apiserver kubernetes.default kubernetes.default.svc "localhost" ${API_HOST_IP} ${API_HOST} ${FIRST_SERVICE_CLUSTER_IP}
|
||||||
|
|
||||||
|
# Create client certs signed with client-ca, given id, given CN and a number of groups
|
||||||
|
kube::util::create_client_certkey "${CONTROLPLANE_SUDO}" "${CERT_DIR}" 'client-ca' kubelet system:node:${HOSTNAME_OVERRIDE} system:nodes
|
||||||
|
kube::util::create_client_certkey "${CONTROLPLANE_SUDO}" "${CERT_DIR}" 'client-ca' kube-proxy system:kube-proxy system:nodes
|
||||||
|
kube::util::create_client_certkey "${CONTROLPLANE_SUDO}" "${CERT_DIR}" 'client-ca' controller system:kube-controller-manager
|
||||||
|
kube::util::create_client_certkey "${CONTROLPLANE_SUDO}" "${CERT_DIR}" 'client-ca' scheduler system:kube-scheduler
|
||||||
|
kube::util::create_client_certkey "${CONTROLPLANE_SUDO}" "${CERT_DIR}" 'client-ca' admin system:admin system:masters
|
||||||
|
|
||||||
|
# Create matching certificates for kube-aggregator
|
||||||
|
kube::util::create_serving_certkey "${CONTROLPLANE_SUDO}" "${CERT_DIR}" "server-ca" kube-aggregator api.kube-public.svc "localhost" ${API_HOST_IP}
|
||||||
|
kube::util::create_client_certkey "${CONTROLPLANE_SUDO}" "${CERT_DIR}" request-header-ca auth-proxy system:auth-proxy
|
||||||
|
# TODO remove masters and add rolebinding
|
||||||
|
kube::util::create_client_certkey "${CONTROLPLANE_SUDO}" "${CERT_DIR}" 'client-ca' kube-aggregator system:kube-aggregator system:masters
|
||||||
|
kube::util::write_client_kubeconfig "${CONTROLPLANE_SUDO}" "${CERT_DIR}" "${ROOT_CA_FILE}" "${API_HOST}" "${API_SECURE_PORT}" kube-aggregator
|
||||||
|
}
|
||||||
|
|
||||||
function start_apiserver {
|
function start_apiserver {
|
||||||
security_admission=""
|
security_admission=""
|
||||||
if [[ -n "${DENY_SECURITY_CONTEXT_ADMISSION}" ]]; then
|
if [[ -n "${DENY_SECURITY_CONTEXT_ADMISSION}" ]]; then
|
||||||
|
@ -514,37 +550,11 @@ function start_apiserver {
|
||||||
node_port_range="--service-node-port-range=${NODE_PORT_RANGE}"
|
node_port_range="--service-node-port-range=${NODE_PORT_RANGE}"
|
||||||
fi
|
fi
|
||||||
|
|
||||||
# Create CA signers
|
if [[ "${REUSE_CERTS}" == "false" ]]; then
|
||||||
if [[ "${ENABLE_SINGLE_CA_SIGNER:-}" = true ]]; then
|
# Create Certs
|
||||||
kube::util::create_signing_certkey "${CONTROLPLANE_SUDO}" "${CERT_DIR}" server '"client auth","server auth"'
|
generate_certs
|
||||||
sudo cp "${CERT_DIR}/server-ca.key" "${CERT_DIR}/client-ca.key"
|
|
||||||
sudo cp "${CERT_DIR}/server-ca.crt" "${CERT_DIR}/client-ca.crt"
|
|
||||||
sudo cp "${CERT_DIR}/server-ca-config.json" "${CERT_DIR}/client-ca-config.json"
|
|
||||||
else
|
|
||||||
kube::util::create_signing_certkey "${CONTROLPLANE_SUDO}" "${CERT_DIR}" server '"server auth"'
|
|
||||||
kube::util::create_signing_certkey "${CONTROLPLANE_SUDO}" "${CERT_DIR}" client '"client auth"'
|
|
||||||
fi
|
fi
|
||||||
|
|
||||||
# Create auth proxy client ca
|
|
||||||
kube::util::create_signing_certkey "${CONTROLPLANE_SUDO}" "${CERT_DIR}" request-header '"client auth"'
|
|
||||||
|
|
||||||
# serving cert for kube-apiserver
|
|
||||||
kube::util::create_serving_certkey "${CONTROLPLANE_SUDO}" "${CERT_DIR}" "server-ca" kube-apiserver kubernetes.default kubernetes.default.svc "localhost" ${API_HOST_IP} ${API_HOST} ${FIRST_SERVICE_CLUSTER_IP}
|
|
||||||
|
|
||||||
# Create client certs signed with client-ca, given id, given CN and a number of groups
|
|
||||||
kube::util::create_client_certkey "${CONTROLPLANE_SUDO}" "${CERT_DIR}" 'client-ca' kubelet system:node:${HOSTNAME_OVERRIDE} system:nodes
|
|
||||||
kube::util::create_client_certkey "${CONTROLPLANE_SUDO}" "${CERT_DIR}" 'client-ca' kube-proxy system:kube-proxy system:nodes
|
|
||||||
kube::util::create_client_certkey "${CONTROLPLANE_SUDO}" "${CERT_DIR}" 'client-ca' controller system:kube-controller-manager
|
|
||||||
kube::util::create_client_certkey "${CONTROLPLANE_SUDO}" "${CERT_DIR}" 'client-ca' scheduler system:kube-scheduler
|
|
||||||
kube::util::create_client_certkey "${CONTROLPLANE_SUDO}" "${CERT_DIR}" 'client-ca' admin system:admin system:masters
|
|
||||||
|
|
||||||
# Create matching certificates for kube-aggregator
|
|
||||||
kube::util::create_serving_certkey "${CONTROLPLANE_SUDO}" "${CERT_DIR}" "server-ca" kube-aggregator api.kube-public.svc "localhost" ${API_HOST_IP}
|
|
||||||
kube::util::create_client_certkey "${CONTROLPLANE_SUDO}" "${CERT_DIR}" request-header-ca auth-proxy system:auth-proxy
|
|
||||||
# TODO remove masters and add rolebinding
|
|
||||||
kube::util::create_client_certkey "${CONTROLPLANE_SUDO}" "${CERT_DIR}" 'client-ca' kube-aggregator system:kube-aggregator system:masters
|
|
||||||
kube::util::write_client_kubeconfig "${CONTROLPLANE_SUDO}" "${CERT_DIR}" "${ROOT_CA_FILE}" "${API_HOST}" "${API_SECURE_PORT}" kube-aggregator
|
|
||||||
|
|
||||||
cloud_config_arg="--cloud-provider=${CLOUD_PROVIDER} --cloud-config=${CLOUD_CONFIG}"
|
cloud_config_arg="--cloud-provider=${CLOUD_PROVIDER} --cloud-config=${CLOUD_CONFIG}"
|
||||||
if [[ "${EXTERNAL_CLOUD_PROVIDER:-}" == "true" ]]; then
|
if [[ "${EXTERNAL_CLOUD_PROVIDER:-}" == "true" ]]; then
|
||||||
cloud_config_arg="--cloud-provider=external"
|
cloud_config_arg="--cloud-provider=external"
|
||||||
|
|
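Review bot: The new guard `if [[ "${REUSE_CERTS}" == "false" ]]; then` in the third hunk fails open: any value other than the exact string `false` (`False`, `no`, `0`, or an empty string from `REUSE_CERTS=`) skips generate_certs, and nothing on the reuse path checks that the CA and cert files under CERT_DIR actually exist before start_apiserver goes on to launch the apiserver with them. Testing for the opt-in value is safer, `if [[ "${REUSE_CERTS}" != "true" ]]; then`, and the skip branch should verify the material it relies on, e.g. `else [[ -f "${ROOT_CA_FILE}" && -f "${ROOT_CA_KEY}" ]] || { echo "REUSE_CERTS=true but no CA found in ${CERT_DIR}"; exit 1; }` before the closing `fi`. A one-line comment on the `if`, `# REUSE_CERTS=true keeps the existing CA/certs so service account tokens signed earlier stay valid`, would tie the branch to the rationale given next to the REUSE_CERTS default in the first hunk. start_apiserver continues outside the hunk on both sides.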