make the on-infrastructure of kube-aggregator case easier

2017-02-15 13:01:13 -05:00 · 2017-02-15 13:01:13 -05:00 · b53b7f2062
parent 23b22d645e
commit b53b7f2062
18 changed files with 110 additions and 258 deletions
--- a/hack/local-up-cluster.sh
+++ b/hack/local-up-cluster.sh
@ -34,6 +34,7 @@ NET_PLUGIN=${NET_PLUGIN:-""}
 # Place the binaries required by NET_PLUGIN in this directory, eg: "/home/kubernetes/bin".
 NET_PLUGIN_DIR=${NET_PLUGIN_DIR:-""}
 SERVICE_CLUSTER_IP_RANGE=${SERVICE_CLUSTER_IP_RANGE:-10.0.0.0/24}
+FIRST_SERVICE_CLUSTER_IP=${FIRST_SERVICE_CLUSTER_IP:-10.0.0.1}
 # if enabled, must set CGROUP_ROOT
 CGROUPS_PER_QOS=${CGROUPS_PER_QOS:-false}
 # this is not defaulted to preserve backward compatibility.
@ -404,7 +405,7 @@ function start_apiserver {
    kube::util::create_signing_certkey "${CONTROLPLANE_SUDO}" "${CERT_DIR}" request-header '"client auth"'

    # serving cert for kube-apiserver
-    kube::util::create_serving_certkey "${CONTROLPLANE_SUDO}" "${CERT_DIR}" "server-ca" kube-apiserver kubernetes.default.svc "localhost" ${API_HOST_IP} ${API_HOST}
+    kube::util::create_serving_certkey "${CONTROLPLANE_SUDO}" "${CERT_DIR}" "server-ca" kube-apiserver kubernetes.default kubernetes.default.svc "localhost" ${API_HOST_IP} ${API_HOST} ${FIRST_SERVICE_CLUSTER_IP}

    # Create client certs signed with client-ca, given id, given CN and a number of groups
    kube::util::create_client_certkey "${CONTROLPLANE_SUDO}" "${CERT_DIR}" 'client-ca' kubelet system:node:${HOSTNAME_OVERRIDE} system:nodes
@ -484,7 +485,7 @@ function start_apiserver {
    ${KUBECTL} --kubeconfig="${CERT_DIR}/admin.kubeconfig" create namespace kube-public
    ${CONTROLPLANE_SUDO} cp "${CERT_DIR}/admin.kubeconfig" "${CERT_DIR}/admin-kube-aggregator.kubeconfig"
    ${CONTROLPLANE_SUDO} chown $(whoami) "${CERT_DIR}/admin-kube-aggregator.kubeconfig"
-    ${KUBECTL} config set-cluster local-up-cluster --kubeconfig="${CERT_DIR}/admin-kube-aggregator.kubeconfig" --server="https://${API_HOST_IP}:9443"
+    ${KUBECTL} config set-cluster local-up-cluster --kubeconfig="${CERT_DIR}/admin-kube-aggregator.kubeconfig" --server="https://${API_HOST_IP}:31090"
    echo "use 'kubectl --kubeconfig=${CERT_DIR}/admin-kube-aggregator.kubeconfig' to use the aggregated API server"

 }
@ -515,7 +516,6 @@ function start_controller_manager {
 function start_kubelet {
    KUBELET_LOG=/tmp/kubelet.log
    mkdir -p ${POD_MANIFEST_PATH} || true
-    cp ${KUBE_ROOT}/vendor/k8s.io/kube-aggregator/artifacts/hostpath-pods/insecure-etcd-pod.yaml ${POD_MANIFEST_PATH}/kube-aggregator.yaml

    priv_arg=""
    if [[ -n "${ALLOW_PRIVILEGED}" ]]; then
--- a/hack/local-up-kube-aggregator.sh
+++ b/hack/local-up-kube-aggregator.sh
@ -1,105 +0,0 @@
-#!/bin/bash
-
-# Copyright 2016 The Kubernetes Authors.
-#
-# Licensed under the Apache License, Version 2.0 (the "License");
-# you may not use this file except in compliance with the License.
-# You may obtain a copy of the License at
-#
-#     http://www.apache.org/licenses/LICENSE-2.0
-#
-# Unless required by applicable law or agreed to in writing, software
-# distributed under the License is distributed on an "AS IS" BASIS,
-# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-# See the License for the specific language governing permissions and
-# limitations under the License.
-
-# starts kube-aggregator as a pod after you've run `local-up-cluster.sh`
-
-
-KUBE_ROOT=$(dirname "${BASH_SOURCE}")/..
-source "${KUBE_ROOT}/hack/lib/init.sh"
-
-DISCOVERY_SECURE_PORT=${DISCOVERY_SECURE_PORT:-31090}
-API_HOST=${API_HOST:-localhost}
-API_HOST_IP=${API_HOST_IP:-"127.0.0.1"}
-CERT_DIR=${CERT_DIR:-"/var/run/kubernetes"}
-ROOT_CA_FILE=$CERT_DIR/apiserver.crt
-
-# Ensure CERT_DIR is created for auto-generated crt/key and kubeconfig
-mkdir -p "${CERT_DIR}" &>/dev/null || sudo mkdir -p "${CERT_DIR}"
-sudo=$(test -w "${CERT_DIR}" || echo "sudo -E")
-
-
-kubectl=$(kube::util::find-binary kubectl)
-
-function kubectl_core {
-	${kubectl} --kubeconfig="${CERT_DIR}/admin.kubeconfig" $@
-}
-
-function sudo_kubectl_core {
-	${sudo} ${kubectl} --kubeconfig="${CERT_DIR}/admin.kubeconfig" $@
-}
-
-# start_kube-aggregator relies on certificates created by start_apiserver
-function start_kube-aggregator {
-	kube::util::create_signing_certkey "${sudo}" "${CERT_DIR}" "kube-aggregator" '"server auth"'
-	# sign the kube-aggregator cert to be good for the local node too, so that we can trust it
-	kube::util::create_serving_certkey "${sudo}" "${CERT_DIR}" "kube-aggregator-ca" kube-aggregator api.kube-public.svc "localhost" ${API_HOST_IP}
-
-	 # Create serving and client CA.  etcd only takes one arg
-	kube::util::create_signing_certkey "${sudo}" "${CERT_DIR}" "etcd" '"client auth","server auth"'
-	kube::util::create_serving_certkey "${sudo}" "${CERT_DIR}" "etcd-ca" etcd etcd.kube-public.svc
-	# etcd doesn't seem to have separate signers for serving and client trust
-	kube::util::create_client_certkey "${sudo}" "${CERT_DIR}" "etcd-ca" kube-aggregator-etcd kube-aggregator-etcd
-
-	# don't fail if the namespace already exists or something
-	# If this fails for some reason, the script will fail during creation of other resources
-	kubectl_core create namespace kube-public || true
-
-	# grant permission to run delegated authentication and authorization checks
-	kubectl_core delete clusterrolebinding kube-aggregator:system:auth-delegator > /dev/null 2>&1 || true
-	kubectl_core delete clusterrolebinding kube-aggregator:system:kube-aggregator > /dev/null 2>&1 || true
-	kubectl_core create clusterrolebinding kube-aggregator:system:auth-delegator --clusterrole=system:auth-delegator --serviceaccount=kube-public:kube-aggregator
-	kubectl_core create clusterrolebinding kube-aggregator:system:kube-aggregator --clusterrole=system:kube-aggregator --serviceaccount=kube-public:kube-aggregator
-
-	# make sure the resources we're about to create don't exist
-	kubectl_core -n kube-public delete secret auth-proxy-client serving-etcd serving-kube-aggregator kube-aggregator-etcd > /dev/null 2>&1 || true
-	kubectl_core -n kube-public delete configmap etcd-ca kube-aggregator-ca client-ca request-header-ca > /dev/null 2>&1 || true
-	kubectl_core -n kube-public delete -f "${KUBE_ROOT}/vendor/k8s.io/kube-aggregator/artifacts/local-cluster-up" > /dev/null 2>&1 || true
-
-	sudo_kubectl_core -n kube-public create secret tls auth-proxy-client --cert="${CERT_DIR}/client-auth-proxy.crt" --key="${CERT_DIR}/client-auth-proxy.key"
-	sudo_kubectl_core -n kube-public create secret tls serving-etcd --cert="${CERT_DIR}/serving-etcd.crt" --key="${CERT_DIR}/serving-etcd.key"
-	sudo_kubectl_core -n kube-public create secret tls serving-kube-aggregator --cert="${CERT_DIR}/serving-kube-aggregator.crt" --key="${CERT_DIR}/serving-kube-aggregator.key"
-	sudo_kubectl_core -n kube-public create secret tls kube-aggregator-etcd --cert="${CERT_DIR}/client-kube-aggregator-etcd.crt" --key="${CERT_DIR}/client-kube-aggregator-etcd.key"
-	kubectl_core -n kube-public create configmap etcd-ca --from-file="ca.crt=${CERT_DIR}/etcd-ca.crt" || true
-	kubectl_core -n kube-public create configmap kube-aggregator-ca --from-file="ca.crt=${CERT_DIR}/kube-aggregator-ca.crt" || true
-	kubectl_core -n kube-public create configmap client-ca --from-file="ca.crt=${CERT_DIR}/client-ca.crt" || true
-	kubectl_core -n kube-public create configmap request-header-ca --from-file="ca.crt=${CERT_DIR}/request-header-ca.crt" || true
-
-	${KUBE_ROOT}/vendor/k8s.io/kube-aggregator/hack/build-image.sh
-
-	kubectl_core -n kube-public create -f "${KUBE_ROOT}/vendor/k8s.io/kube-aggregator/artifacts/local-cluster-up"
-
-	${sudo} cp "${CERT_DIR}/admin.kubeconfig" "${CERT_DIR}/admin-kube-aggregator.kubeconfig"
-	${sudo} chown ${USER} "${CERT_DIR}/admin-kube-aggregator.kubeconfig"
-	${kubectl} config set-cluster local-up-cluster --kubeconfig="${CERT_DIR}/admin-kube-aggregator.kubeconfig" --certificate-authority="${CERT_DIR}/kube-aggregator-ca.crt" --embed-certs --server="https://${API_HOST_IP}:${DISCOVERY_SECURE_PORT}"
-
-	# Wait for kube-aggregator to come up before launching the rest of the components.
-	# This should work since we're creating a node port service.
-	echo "Waiting for kube-aggregator to come up: https://${API_HOST_IP}:${DISCOVERY_SECURE_PORT}/version"
-	kube::util::wait_for_url "https://${API_HOST_IP}:${DISCOVERY_SECURE_PORT}/version" "kube-aggregator: " 1 60 || exit 1
-
-	# something is weird with the proxy
-	sleep 1
-
-	# create the "normal" api services for the core API server
-	${kubectl} --kubeconfig="${CERT_DIR}/admin-kube-aggregator.kubeconfig" create -f "${KUBE_ROOT}/vendor/k8s.io/kube-aggregator/artifacts/core-apiservices"
-}
-
-kube::util::test_openssl_installed
-kube::util::test_cfssl_installed
-
-start_kube-aggregator
-
-echo "kuberentes-kube-aggregator available at https://${API_HOST_IP}:${DISCOVERY_SECURE_PORT} from 'api.kube-public.svc'"
--- a/staging/src/k8s.io/kube-aggregator/artifacts/core-apiservices/legacy.yaml
+++ b/staging/src/k8s.io/kube-aggregator/artifacts/core-apiservices/legacy.yaml
@ -1,11 +0,0 @@
-apiVersion: apiregistration.k8s.io/v1alpha1
-kind: APIService
-metadata:
-  name: v1.
-spec:
-  version: v1
-  service:
-    namespace: default
-    name: kubernetes
-  insecureSkipTLSVerify: true
-  priority: 100
--- a/staging/src/k8s.io/kube-aggregator/artifacts/core-apiservices/v1.authorization.k8s.io.yaml
+++ b/staging/src/k8s.io/kube-aggregator/artifacts/core-apiservices/v1.authorization.k8s.io.yaml
@ -1,12 +0,0 @@
-apiVersion: apiregistration.k8s.io/v1alpha1
-kind: APIService
-metadata:
-  name: v1.authorization.k8s.io
-spec:
-  group: authorization.k8s.io
-  version: v1
-  service:
-    namespace: default
-    name: kubernetes
-  insecureSkipTLSVerify: true
-  priority: 100
--- a/staging/src/k8s.io/kube-aggregator/artifacts/core-apiservices/v1.autoscaling.yaml
+++ b/staging/src/k8s.io/kube-aggregator/artifacts/core-apiservices/v1.autoscaling.yaml
@ -1,12 +0,0 @@
-apiVersion: apiregistration.k8s.io/v1alpha1
-kind: APIService
-metadata:
-  name: v1.autoscaling
-spec:
-  group: autoscaling
-  version: v1
-  service:
-    namespace: default
-    name: kubernetes
-  insecureSkipTLSVerify: true
-  priority: 100
--- a/staging/src/k8s.io/kube-aggregator/artifacts/core-apiservices/v1.batch.yaml
+++ b/staging/src/k8s.io/kube-aggregator/artifacts/core-apiservices/v1.batch.yaml
@ -1,12 +0,0 @@
-apiVersion: apiregistration.k8s.io/v1alpha1
-kind: APIService
-metadata:
-  name: v1.batch
-spec:
-  group: batch
-  version: v1
-  service:
-    namespace: default
-    name: kubernetes
-  insecureSkipTLSVerify: true
-  priority: 100
--- a/staging/src/k8s.io/kube-aggregator/artifacts/core-apiservices/v1alpha1.certificates.k8s.io.yaml
+++ b/staging/src/k8s.io/kube-aggregator/artifacts/core-apiservices/v1alpha1.certificates.k8s.io.yaml
@ -1,12 +0,0 @@
-apiVersion: apiregistration.k8s.io/v1alpha1
-kind: APIService
-metadata:
-  name: v1alpha1.certificates.k8s.io
-spec:
-  group: certificates.k8s.io
-  version: v1alpha1
-  service:
-    namespace: default
-    name: kubernetes
-  insecureSkipTLSVerify: true
-  priority: 100
--- a/staging/src/k8s.io/kube-aggregator/artifacts/core-apiservices/v1alpha1.rbac.authorization.k8s.io.yaml
+++ b/staging/src/k8s.io/kube-aggregator/artifacts/core-apiservices/v1alpha1.rbac.authorization.k8s.io.yaml
@ -1,12 +0,0 @@
-apiVersion: apiregistration.k8s.io/v1alpha1
-kind: APIService
-metadata:
-  name: v1alpha1.rbac.authorization.k8s.io
-spec:
-  group: rbac.authorization.k8s.io
-  version: v1alpha1
-  service:
-    namespace: default
-    name: kubernetes
-  insecureSkipTLSVerify: true
-  priority: 100
--- a/staging/src/k8s.io/kube-aggregator/artifacts/core-apiservices/v1beta1.apps.yaml
+++ b/staging/src/k8s.io/kube-aggregator/artifacts/core-apiservices/v1beta1.apps.yaml
@ -1,12 +0,0 @@
-apiVersion: apiregistration.k8s.io/v1alpha1
-kind: APIService
-metadata:
-  name: v1beta1.apps
-spec:
-  group: apps
-  version: v1beta1
-  service:
-    namespace: default
-    name: kubernetes
-  insecureSkipTLSVerify: true
-  priority: 100
--- a/staging/src/k8s.io/kube-aggregator/artifacts/core-apiservices/v1beta1.authentication.k8s.io.yaml
+++ b/staging/src/k8s.io/kube-aggregator/artifacts/core-apiservices/v1beta1.authentication.k8s.io.yaml
@ -1,12 +0,0 @@
-apiVersion: apiregistration.k8s.io/v1alpha1
-kind: APIService
-metadata:
-  name: v1beta1.authentication.k8s.io
-spec:
-  group: authentication.k8s.io
-  version: v1beta1
-  service:
-    namespace: default
-    name: kubernetes
-  insecureSkipTLSVerify: true
-  priority: 100
--- a/staging/src/k8s.io/kube-aggregator/artifacts/core-apiservices/v1beta1.authorization.k8s.io.yaml
+++ b/staging/src/k8s.io/kube-aggregator/artifacts/core-apiservices/v1beta1.authorization.k8s.io.yaml
@ -1,12 +0,0 @@
-apiVersion: apiregistration.k8s.io/v1alpha1
-kind: APIService
-metadata:
-  name: v1beta1.authorization.k8s.io
-spec:
-  group: authorization.k8s.io
-  version: v1beta1
-  service:
-    namespace: default
-    name: kubernetes
-  insecureSkipTLSVerify: true
-  priority: 100
--- a/staging/src/k8s.io/kube-aggregator/artifacts/core-apiservices/v1beta1.extensions.yaml
+++ b/staging/src/k8s.io/kube-aggregator/artifacts/core-apiservices/v1beta1.extensions.yaml
@ -1,12 +0,0 @@
-apiVersion: apiregistration.k8s.io/v1alpha1
-kind: APIService
-metadata:
-  name: v1beta1.extensions
-spec:
-  group: extensions
-  version: v1beta1
-  service:
-    namespace: default
-    name: kubernetes
-  insecureSkipTLSVerify: true
-  priority: 150
--- a/staging/src/k8s.io/kube-aggregator/artifacts/core-apiservices/v1beta1.policy.yaml
+++ b/staging/src/k8s.io/kube-aggregator/artifacts/core-apiservices/v1beta1.policy.yaml
@ -1,12 +0,0 @@
-apiVersion: apiregistration.k8s.io/v1alpha1
-kind: APIService
-metadata:
-  name: v1beta1.policy
-spec:
-  group: policy
-  version: v1beta1
-  service:
-    namespace: default
-    name: kubernetes
-  insecureSkipTLSVerify: true
-  priority: 100
--- a/staging/src/k8s.io/kube-aggregator/artifacts/core-apiservices/v1beta1.storage.k8s.io.yaml
+++ b/staging/src/k8s.io/kube-aggregator/artifacts/core-apiservices/v1beta1.storage.k8s.io.yaml
@ -1,12 +0,0 @@
-apiVersion: apiregistration.k8s.io/v1alpha1
-kind: APIService
-metadata:
-  name: v1beta1.storage.k8s.io
-spec:
-  group: storage.k8s.io
-  version: v1beta1
-  service:
-    namespace: default
-    name: kubernetes
-  insecureSkipTLSVerify: true
-  priority: 100
--- a/staging/src/k8s.io/kube-aggregator/artifacts/self-contained/kubernetes-discover-pod.yaml
+++ b/staging/src/k8s.io/kube-aggregator/artifacts/self-contained/kubernetes-discover-pod.yaml
@ -84,14 +84,14 @@ spec:
      - name: volume-etcd-client-cert
        secret:
          defaultMode: 420
-          secretName: discovery-etcd
+          secretName: kube-aggregator-etcd
      - name: volume-serving-cert
        secret:
          defaultMode: 420
-          secretName: serving-discovery
+          secretName: serving-kube-aggregator
      - configMap:
          defaultMode: 420
-          name: discovery-ca
+          name: kube-aggregator-ca
        name: volume-serving-ca
      - configMap:
          defaultMode: 420
--- a/staging/src/k8s.io/kube-aggregator/hack/apiservice-template.yaml
+++ b/staging/src/k8s.io/kube-aggregator/hack/apiservice-template.yaml
@ -8,5 +8,5 @@ spec:
  service:
    namespace: SERVICE_NAMESPACE
    name: SERVICE_NAME
-  insecureSkipTLSVerify: true
+  caBundle: CA_BUNDLE
  priority: 100
--- a/staging/src/k8s.io/kube-aggregator/hack/local-up-kube-aggregator.sh
+++ b/staging/src/k8s.io/kube-aggregator/hack/local-up-kube-aggregator.sh
@ -0,0 +1,91 @@
+#!/bin/bash
+
+# Copyright 2016 The Kubernetes Authors.
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+# starts kube-aggregator as a pod after you've run `local-up-cluster.sh`
+
+set -o errexit
+set -o nounset
+set -o pipefail
+
+AGG_ROOT=$(dirname "${BASH_SOURCE}")/..
+KUBE_ROOT=${AGG_ROOT}/../../../..
+source "${KUBE_ROOT}/hack/lib/init.sh"
+
+AGGREGATOR_SECURE_PORT=${AGGREGATOR_SECURE_PORT:-31090}
+API_HOST=${API_HOST:-localhost}
+API_HOST_IP=${API_HOST_IP:-"127.0.0.1"}
+AGGREGATOR_CERT_DIR=${AGGREGATOR_CERT_DIR:-"/var/run/kubernetes/aggregator"}
+
+KUBE_CERT_DIR=${KUBE_CERT_DIR:-"/var/run/kubernetes"}
+SERVING_CERT_CA_CERT=${SERVING_CERT_CA_CERT:-"${KUBE_CERT_DIR}/server-ca.crt"}
+CLIENT_CERT_CA_CERT=${CLIENT_CERT_CA_CERT:-"${KUBE_CERT_DIR}/client-ca.crt"}
+FRONT_PROXY_CLIENT_CERT_CA_CERT=${FRONT_PROXY_CLIENT_CERT_CA_CERT:-"${KUBE_CERT_DIR}/request-header-ca.crt"}
+SERVING_CERT=${SERVING_CERT:-"${KUBE_CERT_DIR}/serving-kube-aggregator.crt"}
+SERVING_KEY=${SERVING_KEY:-"${KUBE_CERT_DIR}/serving-kube-aggregator.key"}
+FRONT_PROXY_CLIENT_CERT=${FRONT_PROXY_CLIENT_CERT:-"${KUBE_CERT_DIR}/client-auth-proxy.crt"}
+FRONT_PROXY_CLIENT_KEY=${FRONT_PROXY_CLIENT_KEY:-"${KUBE_CERT_DIR}/client-auth-proxy.key"}
+
+
+# Ensure AGGREGATOR_CERT_DIR is created for auto-generated crt/key and kubeconfig
+mkdir -p "${AGGREGATOR_CERT_DIR}" &>/dev/null || sudo mkdir -p "${AGGREGATOR_CERT_DIR}"
+sudo=$(test -w "${AGGREGATOR_CERT_DIR}" || echo "sudo -E")
+
+# start_kube-aggregator relies on certificates created by start_apiserver
+function start_kube-aggregator {
+	 # Create serving and client CA.  etcd only takes one arg
+	kube::util::create_signing_certkey "${sudo}" "${AGGREGATOR_CERT_DIR}" "etcd" '"client auth","server auth"'
+	kube::util::create_serving_certkey "${sudo}" "${AGGREGATOR_CERT_DIR}" "etcd-ca" etcd etcd.kube-public.svc
+	# etcd doesn't seem to have separate signers for serving and client trust
+	kube::util::create_client_certkey "${sudo}" "${AGGREGATOR_CERT_DIR}" "etcd-ca" kube-aggregator-etcd kube-aggregator-etcd
+
+	# don't fail if the namespace already exists or something
+	# If this fails for some reason, the script will fail during creation of other resources
+	kubectl create namespace kube-public || true
+
+	# grant permission to run delegated authentication and authorization checks
+	kubectl delete clusterrolebinding kube-aggregator:system:auth-delegator > /dev/null 2>&1 || true
+	kubectl delete clusterrolebinding kube-aggregator:system:kube-aggregator > /dev/null 2>&1 || true
+	kubectl create clusterrolebinding kube-aggregator:system:auth-delegator --clusterrole=system:auth-delegator --serviceaccount=kube-public:kube-aggregator
+	kubectl create clusterrolebinding kube-aggregator:system:kube-aggregator --clusterrole=system:kube-aggregator --serviceaccount=kube-public:kube-aggregator
+
+	# make sure the resources we're about to create don't exist
+	kubectl -n kube-public delete secret auth-proxy-client serving-etcd serving-kube-aggregator kube-aggregator-etcd > /dev/null 2>&1 || true
+	kubectl -n kube-public delete configmap etcd-ca kube-aggregator-ca client-ca request-header-ca > /dev/null 2>&1 || true
+	kubectl -n kube-public delete -f "${AGG_ROOT}/artifacts/self-contained" > /dev/null 2>&1 || true
+
+	kubectl -n kube-public create secret tls auth-proxy-client --cert="${FRONT_PROXY_CLIENT_CERT}" --key="${FRONT_PROXY_CLIENT_KEY}"
+	kubectl -n kube-public create secret tls serving-etcd --cert="${AGGREGATOR_CERT_DIR}/serving-etcd.crt" --key="${AGGREGATOR_CERT_DIR}/serving-etcd.key"
+	kubectl -n kube-public create secret tls serving-kube-aggregator --cert="${SERVING_CERT}" --key="${SERVING_KEY}"
+	kubectl -n kube-public create secret tls kube-aggregator-etcd --cert="${AGGREGATOR_CERT_DIR}/client-kube-aggregator-etcd.crt" --key="${AGGREGATOR_CERT_DIR}/client-kube-aggregator-etcd.key"
+	kubectl -n kube-public create configmap etcd-ca --from-file="ca.crt=${AGGREGATOR_CERT_DIR}/etcd-ca.crt" || true
+	kubectl -n kube-public create configmap kube-aggregator-ca --from-file="ca.crt=${SERVING_CERT_CA_CERT}" || true
+	kubectl -n kube-public create configmap client-ca --from-file="ca.crt=${CLIENT_CERT_CA_CERT}" || true
+	kubectl -n kube-public create configmap request-header-ca --from-file="ca.crt=${FRONT_PROXY_CLIENT_CERT_CA_CERT}" || true
+
+	kubectl -n kube-public create -f "${AGG_ROOT}/artifacts/self-contained"
+
+	# Wait for kube-aggregator to come up before launching the rest of the components.
+	# This should work since we're creating a node port service.
+	echo "Waiting for kube-aggregator to come up: https://${API_HOST_IP}:${AGGREGATOR_SECURE_PORT}/version"
+	kube::util::wait_for_url "https://${API_HOST_IP}:${AGGREGATOR_SECURE_PORT}/version" "kube-aggregator: " 1 60 || exit 1
+}
+
+kube::util::test_openssl_installed
+kube::util::test_cfssl_installed
+
+start_kube-aggregator
+
+echo "kube-aggregator available at https://${API_HOST_IP}:${AGGREGATOR_SECURE_PORT} from 'api.kube-public.svc'"
--- a/staging/src/k8s.io/kube-aggregator/hack/register-all-apis-from.sh
+++ b/staging/src/k8s.io/kube-aggregator/hack/register-all-apis-from.sh
@ -28,6 +28,14 @@ else
  exit 1
 fi

+dir=$(mktemp -d "${TMPDIR:-/tmp/}$(basename 0).XXXXXXXXXXXX")
+# Register function to be called on EXIT to remove generated binary.
+function cleanup {
+  rm -rf "${dir}"
+}
+trap cleanup EXIT
+
+
 scriptDir=$(dirname "${BASH_SOURCE}")

 # this uses discovery from a kube-like API server to register ALL the API versions that server provides
@ -42,8 +50,7 @@ SERVICE_NAME=${3}
 AGG_KUBECONFIG=${4}


-dir=$(mktemp -d "${TMPDIR:-/tmp/}$(basename 0).XXXXXXXXXXXX")
-
+caBundle=$(base64 /var/run/kubernetes/server-ca.crt | awk 'BEGIN{ORS="";} {print}')

 # if we have a /api endpoint, then we need to register that
 if kubectl --kubeconfig=${FROM_KUBECONFIG} get --raw / | grep -q /api/v1; then
@ -57,9 +64,10 @@ if kubectl --kubeconfig=${FROM_KUBECONFIG} get --raw / | grep -q /api/v1; then
 	${SED} -i "s/API_VERSION/${version}/" ${resourceFileName}
 	${SED} -i "s/SERVICE_NAMESPACE/${SERVICE_NAMESPACE}/" ${resourceFileName}
 	${SED} -i "s/SERVICE_NAME/${SERVICE_NAME}/" ${resourceFileName}
+	${SED} -i "s/CA_BUNDLE/${caBundle}/" ${resourceFileName}
 	echo "registering ${resourceName} using ${resourceFileName}"

-	kubectl --kubeconfig=${AGG_KUBECONFIG} create --v=8 -f ${resourceFileName}
+	kubectl --kubeconfig=${AGG_KUBECONFIG} create -f ${resourceFileName}
 fi

 groupVersions=( $(kubectl --kubeconfig=${FROM_KUBECONFIG} get --raw / | grep /apis/ | sed 's/",.*//' | sed 's|.*"/apis/||' | grep '/') )
@ -75,6 +83,7 @@ for groupVersion in "${groupVersions[@]}"; do
 	${SED} -i "s/API_VERSION/${version}/" ${resourceFileName}
 	${SED} -i "s/SERVICE_NAMESPACE/${SERVICE_NAMESPACE}/" ${resourceFileName}
 	${SED} -i "s/SERVICE_NAME/${SERVICE_NAME}/" ${resourceFileName}
+	${SED} -i "s/CA_BUNDLE/${caBundle}/" ${resourceFileName}
 	echo "registering ${resourceName} using ${resourceFileName}"

 	kubectl --kubeconfig=${AGG_KUBECONFIG} create -f ${resourceFileName}