mirror of https://github.com/k3s-io/k3s
Merge pull request #68778 from xychu/add-reuse-certs
Add REUSE_CERT to skip creating new ca/cert files
commit
9f681f0f6e
|
@ -233,6 +233,9 @@ ROOT_CA_FILE=${CERT_DIR}/server-ca.crt
|
|||
ROOT_CA_KEY=${CERT_DIR}/server-ca.key
|
||||
CLUSTER_SIGNING_CERT_FILE=${CLUSTER_SIGNING_CERT_FILE:-"${ROOT_CA_FILE}"}
|
||||
CLUSTER_SIGNING_KEY_FILE=${CLUSTER_SIGNING_KEY_FILE:-"${ROOT_CA_KEY}"}
|
||||
# Reuse certs will skip generate new ca/cert files under CERT_DIR
|
||||
# it's useful with PRESERVE_ETCD=true because new ca will make existed service account secrets invalided
|
||||
REUSE_CERTS=${REUSE_CERTS:-false}
|
||||
|
||||
# name of the cgroup driver, i.e. cgroupfs or systemd
|
||||
if [[ ${CONTAINER_RUNTIME} == "docker" ]]; then
|
||||
|
@ -451,6 +454,39 @@ function set_service_accounts {
|
|||
fi
|
||||
}
|
||||
|
||||
function generate_certs {
|
||||
# Create CA signers
|
||||
if [[ "${ENABLE_SINGLE_CA_SIGNER:-}" = true ]]; then
|
||||
kube::util::create_signing_certkey "${CONTROLPLANE_SUDO}" "${CERT_DIR}" server '"client auth","server auth"'
|
||||
sudo cp "${CERT_DIR}/server-ca.key" "${CERT_DIR}/client-ca.key"
|
||||
sudo cp "${CERT_DIR}/server-ca.crt" "${CERT_DIR}/client-ca.crt"
|
||||
sudo cp "${CERT_DIR}/server-ca-config.json" "${CERT_DIR}/client-ca-config.json"
|
||||
else
|
||||
kube::util::create_signing_certkey "${CONTROLPLANE_SUDO}" "${CERT_DIR}" server '"server auth"'
|
||||
kube::util::create_signing_certkey "${CONTROLPLANE_SUDO}" "${CERT_DIR}" client '"client auth"'
|
||||
fi
|
||||
|
||||
# Create auth proxy client ca
|
||||
kube::util::create_signing_certkey "${CONTROLPLANE_SUDO}" "${CERT_DIR}" request-header '"client auth"'
|
||||
|
||||
# serving cert for kube-apiserver
|
||||
kube::util::create_serving_certkey "${CONTROLPLANE_SUDO}" "${CERT_DIR}" "server-ca" kube-apiserver kubernetes.default kubernetes.default.svc "localhost" ${API_HOST_IP} ${API_HOST} ${FIRST_SERVICE_CLUSTER_IP}
|
||||
|
||||
# Create client certs signed with client-ca, given id, given CN and a number of groups
|
||||
kube::util::create_client_certkey "${CONTROLPLANE_SUDO}" "${CERT_DIR}" 'client-ca' kubelet system:node:${HOSTNAME_OVERRIDE} system:nodes
|
||||
kube::util::create_client_certkey "${CONTROLPLANE_SUDO}" "${CERT_DIR}" 'client-ca' kube-proxy system:kube-proxy system:nodes
|
||||
kube::util::create_client_certkey "${CONTROLPLANE_SUDO}" "${CERT_DIR}" 'client-ca' controller system:kube-controller-manager
|
||||
kube::util::create_client_certkey "${CONTROLPLANE_SUDO}" "${CERT_DIR}" 'client-ca' scheduler system:kube-scheduler
|
||||
kube::util::create_client_certkey "${CONTROLPLANE_SUDO}" "${CERT_DIR}" 'client-ca' admin system:admin system:masters
|
||||
|
||||
# Create matching certificates for kube-aggregator
|
||||
kube::util::create_serving_certkey "${CONTROLPLANE_SUDO}" "${CERT_DIR}" "server-ca" kube-aggregator api.kube-public.svc "localhost" ${API_HOST_IP}
|
||||
kube::util::create_client_certkey "${CONTROLPLANE_SUDO}" "${CERT_DIR}" request-header-ca auth-proxy system:auth-proxy
|
||||
# TODO remove masters and add rolebinding
|
||||
kube::util::create_client_certkey "${CONTROLPLANE_SUDO}" "${CERT_DIR}" 'client-ca' kube-aggregator system:kube-aggregator system:masters
|
||||
kube::util::write_client_kubeconfig "${CONTROLPLANE_SUDO}" "${CERT_DIR}" "${ROOT_CA_FILE}" "${API_HOST}" "${API_SECURE_PORT}" kube-aggregator
|
||||
}
|
||||
|
||||
function start_apiserver {
|
||||
security_admission=""
|
||||
if [[ -n "${DENY_SECURITY_CONTEXT_ADMISSION}" ]]; then
|
||||
|
@ -516,37 +552,11 @@ function start_apiserver {
|
|||
node_port_range="--service-node-port-range=${NODE_PORT_RANGE}"
|
||||
fi
|
||||
|
||||
# Create CA signers
|
||||
if [[ "${ENABLE_SINGLE_CA_SIGNER:-}" = true ]]; then
|
||||
kube::util::create_signing_certkey "${CONTROLPLANE_SUDO}" "${CERT_DIR}" server '"client auth","server auth"'
|
||||
sudo cp "${CERT_DIR}/server-ca.key" "${CERT_DIR}/client-ca.key"
|
||||
sudo cp "${CERT_DIR}/server-ca.crt" "${CERT_DIR}/client-ca.crt"
|
||||
sudo cp "${CERT_DIR}/server-ca-config.json" "${CERT_DIR}/client-ca-config.json"
|
||||
else
|
||||
kube::util::create_signing_certkey "${CONTROLPLANE_SUDO}" "${CERT_DIR}" server '"server auth"'
|
||||
kube::util::create_signing_certkey "${CONTROLPLANE_SUDO}" "${CERT_DIR}" client '"client auth"'
|
||||
if [[ "${REUSE_CERTS}" != true ]]; then
|
||||
# Create Certs
|
||||
generate_certs
|
||||
fi
|
||||
|
||||
# Create auth proxy client ca
|
||||
kube::util::create_signing_certkey "${CONTROLPLANE_SUDO}" "${CERT_DIR}" request-header '"client auth"'
|
||||
|
||||
# serving cert for kube-apiserver
|
||||
kube::util::create_serving_certkey "${CONTROLPLANE_SUDO}" "${CERT_DIR}" "server-ca" kube-apiserver kubernetes.default kubernetes.default.svc "localhost" ${API_HOST_IP} ${API_HOST} ${FIRST_SERVICE_CLUSTER_IP}
|
||||
|
||||
# Create client certs signed with client-ca, given id, given CN and a number of groups
|
||||
kube::util::create_client_certkey "${CONTROLPLANE_SUDO}" "${CERT_DIR}" 'client-ca' kubelet system:node:${HOSTNAME_OVERRIDE} system:nodes
|
||||
kube::util::create_client_certkey "${CONTROLPLANE_SUDO}" "${CERT_DIR}" 'client-ca' kube-proxy system:kube-proxy system:nodes
|
||||
kube::util::create_client_certkey "${CONTROLPLANE_SUDO}" "${CERT_DIR}" 'client-ca' controller system:kube-controller-manager
|
||||
kube::util::create_client_certkey "${CONTROLPLANE_SUDO}" "${CERT_DIR}" 'client-ca' scheduler system:kube-scheduler
|
||||
kube::util::create_client_certkey "${CONTROLPLANE_SUDO}" "${CERT_DIR}" 'client-ca' admin system:admin system:masters
|
||||
|
||||
# Create matching certificates for kube-aggregator
|
||||
kube::util::create_serving_certkey "${CONTROLPLANE_SUDO}" "${CERT_DIR}" "server-ca" kube-aggregator api.kube-public.svc "localhost" ${API_HOST_IP}
|
||||
kube::util::create_client_certkey "${CONTROLPLANE_SUDO}" "${CERT_DIR}" request-header-ca auth-proxy system:auth-proxy
|
||||
# TODO remove masters and add rolebinding
|
||||
kube::util::create_client_certkey "${CONTROLPLANE_SUDO}" "${CERT_DIR}" 'client-ca' kube-aggregator system:kube-aggregator system:masters
|
||||
kube::util::write_client_kubeconfig "${CONTROLPLANE_SUDO}" "${CERT_DIR}" "${ROOT_CA_FILE}" "${API_HOST}" "${API_SECURE_PORT}" kube-aggregator
|
||||
|
||||
cloud_config_arg="--cloud-provider=${CLOUD_PROVIDER} --cloud-config=${CLOUD_CONFIG}"
|
||||
if [[ "${EXTERNAL_CLOUD_PROVIDER:-}" == "true" ]]; then
|
||||
cloud_config_arg="--cloud-provider=external"
|
||||
|
|
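Review bot: The `if [[ "${REUSE_CERTS}" != true ]]; then` guard in start_apiserver skips generate_certs without checking that an earlier run left a CA and certs in CERT_DIR, so `REUSE_CERTS=true` against an empty or partial directory will presumably fail only later, when the components try to load the missing files. Consider falling back to generation when the root CA is absent, e.g. `if [[ "${REUSE_CERTS}" != true || ! -f "${ROOT_CA_FILE}" ]]; then` (if CERT_DIR is readable only through CONTROLPLANE_SUDO, the test needs the same prefix), or exiting with a clear error instead. The comment above `REUSE_CERTS=${REUSE_CERTS:-false}` should also state that reused certs were issued for the API_HOST_IP, API_HOST, FIRST_SERVICE_CLUSTER_IP and HOSTNAME_OVERRIDE values of the run that created them, and that the CA private keys then persist in CERT_DIR across runs, so that directory's permissions matter. start_apiserver begins and ends outside the hunk.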