github
/
k3s
mirror of https://github.com/k3s-io/k3s
1
0
Fork 0
Code Issues Projects Releases Wiki Activity

extra discovery start and cert generation

pull/6/head
deads2k 2016-12-09 10:56:50 -05:00
parent 59c313730c
commit bcb8d8b8bb
2 changed files with 153 additions and 165 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

135
hack/lib/util.sh
View File

@ -32,7 +32,7 @@ kube::util::wait_for_url() {
local i local i
for i in $(seq 1 $times); do for i in $(seq 1 $times); do
local out local out
if out=$(curl -gkfs $url 2>/dev/null); then if out=$(curl --max-time 1 -gkfs $url 2>/dev/null); then
kube::log::status "On try ${i}, ${prefix}: ${out}" kube::log::status "On try ${i}, ${prefix}: ${out}"
return 0 return 0
fi fi
@ -443,4 +443,137 @@ kube::util::download_file() {
return 1 return 1
} }
# Test whether cfssl and cfssljson are installed.
# Sets:
# CFSSL_BIN: The path of the installed cfssl binary
# CFSSLJSON_BIN: The path of the installed cfssljson binary
function kube::util::test_cfssl_installed {
if ! command -v cfssl &>/dev/null || ! command -v cfssljson &>/dev/null; then
echo "Failed to successfully run 'cfssl', please verify that cfssl and cfssljson are in \$PATH."
echo "Hint: export PATH=\$PATH:\$GOPATH/bin; go get -u github.com/cloudflare/cfssl/cmd/..."
exit 1
fi
CFSSL_BIN=$(command -v cfssl)
CFSSLJSON_BIN=$(command -v cfssljson)
}
# Test whether openssl is installed.
# Sets:
# OPENSSL_BIN: The path to the openssl binary to use
function test_openssl_installed {
openssl version >& /dev/null
if [ "$?" != "0" ]; then
echo "Failed to run openssl. Please ensure openssl is installed"
exit 1
fi
OPENSSL_BIN=$(command -v openssl)
}
# creates a client CA, args are sudo, dest-dir, ca-id, purpose
# purpose is dropped in after "key encipherment", you usually want
# '"client auth"'
# '"server auth"'
# '"client auth","server auth"'
function kube::util::create_signing_certkey {
local sudo=$1
local dest_dir=$2
local id=$3
local purpose=$4
# Create client ca
${sudo} /bin/bash -e <<EOF
rm -f "${dest_dir}/${id}-ca.crt" "${dest_dir}/${id}-ca.key"
${OPENSSL_BIN} req -x509 -sha256 -new -nodes -days 365 -newkey rsa:2048 -keyout "${dest_dir}/${id}-ca.key" -out "${dest_dir}/${id}-ca.crt" -subj "/C=xx/ST=x/L=x/O=x/OU=x/CN=ca/emailAddress=x/"
echo '{"signing":{"default":{"expiry":"43800h","usages":["signing","key encipherment",${purpose}]}}}' > "${dest_dir}/${id}-ca-config.json"
EOF
}
# signs a client certificate: args are sudo, dest-dir, CA, filename (roughly), username, groups...
function kube::util::create_client_certkey {
local sudo=$1
local dest_dir=$2
local ca=$3
local id=$4
local cn=${5:-$4}
local groups=""
local SEP=""
shift 5
while [ -n "${1:-}" ]; do
groups+="${SEP}{\"O\":\"$1\"}"
SEP=","
shift 1
done
${sudo} /bin/bash -e <<EOF
cd ${dest_dir}
echo '{"CN":"${cn}","names":[${groups}],"hosts":[""],"key":{"algo":"rsa","size":2048}}' | ${CFSSL_BIN} gencert -ca=${ca}.crt -ca-key=${ca}.key -config=${ca}-config.json - | ${CFSSLJSON_BIN} -bare client-${id}
mv "client-${id}-key.pem" "client-${id}.key"
mv "client-${id}.pem" "client-${id}.crt"
rm -f "client-${id}.csr"
EOF
}
# signs a serving certificate: args are sudo, dest-dir, ca, filename (roughly), subject, hosts...
function kube::util::create_serving_certkey {
local sudo=$1
local dest_dir=$2
local ca=$3
local id=$4
local cn=${5:-$4}
local hosts=""
local SEP=""
shift 5
while [ -n "${1:-}" ]; do
hosts+="${SEP}\"$1\""
SEP=","
shift 1
done
${sudo} /bin/bash -e <<EOF
cd ${dest_dir}
echo '{"CN":"${cn}","hosts":[${hosts}],"key":{"algo":"rsa","size":2048}}' | ${CFSSL_BIN} gencert -ca=${ca}.crt -ca-key=${ca}.key -config=${ca}-config.json - | ${CFSSLJSON_BIN} -bare serving-${id}
mv "serving-${id}-key.pem" "serving-${id}.key"
mv "serving-${id}.pem" "serving-${id}.crt"
rm -f "serving-${id}.csr"
EOF
}
# creates a self-contained kubeconfig: args are sudo, dest-dir, ca file, host, port, client id, token(optional)
function kube::util::write_client_kubeconfig {
local sudo=$1
local dest_dir=$2
local ca_file=$3
local api_host=$4
local api_port=$5
local client_id=$6
local token=${7:-}
cat <<EOF | ${sudo} tee "${dest_dir}"/${client_id}.kubeconfig > /dev/null
apiVersion: v1
kind: Config
clusters:
- cluster:
certificate-authority: ${ca_file}
server: https://${api_host}:${api_port}/
name: local-up-cluster
users:
- user:
token: ${token}
client-certificate: ${dest_dir}/client-${client_id}.crt
client-key: ${dest_dir}/client-${client_id}.key
name: local-up-cluster
contexts:
- context:
cluster: local-up-cluster
user: local-up-cluster
name: local-up-cluster
current-context: local-up-cluster
EOF
# flatten the kubeconfig files to make them self contained
username=$(whoami)
${sudo} /bin/bash -e <<EOF
${GO_OUT}/kubectl --kubeconfig="${dest_dir}/${client_id}.kubeconfig" config view --minify --flatten > "/tmp/${client_id}.kubeconfig"
mv -f "/tmp/${client_id}.kubeconfig" "${dest_dir}/${client_id}.kubeconfig"
chown ${username} "${dest_dir}/${client_id}.kubeconfig"
EOF
}
# ex: ts=2 sw=2 et filetype=sh # ex: ts=2 sw=2 et filetype=sh

183
hack/local-up-cluster.sh
View File

@ -14,6 +14,8 @@
# See the License for the specific language governing permissions and # See the License for the specific language governing permissions and
# limitations under the License. # limitations under the License.
KUBE_ROOT=$(dirname "${BASH_SOURCE}")/..
# This command builds and runs a local kubernetes cluster. It's just like # This command builds and runs a local kubernetes cluster. It's just like
# local-up.sh, but this one launches the three separate binaries. # local-up.sh, but this one launches the three separate binaries.
# You may need to run this as root to allow kubelet to open docker's socket, # You may need to run this as root to allow kubelet to open docker's socket,
@ -31,7 +33,6 @@ KUBELET_AUTHENTICATION_WEBHOOK=${KUBELET_AUTHENTICATION_WEBHOOK:-""}
NET_PLUGIN=${NET_PLUGIN:-""} NET_PLUGIN=${NET_PLUGIN:-""}
# Place the binaries required by NET_PLUGIN in this directory, eg: "/home/kubernetes/bin". # Place the binaries required by NET_PLUGIN in this directory, eg: "/home/kubernetes/bin".
NET_PLUGIN_DIR=${NET_PLUGIN_DIR:-""} NET_PLUGIN_DIR=${NET_PLUGIN_DIR:-""}
KUBE_ROOT=$(dirname "${BASH_SOURCE}")/..
SERVICE_CLUSTER_IP_RANGE=${SERVICE_CLUSTER_IP_RANGE:-10.0.0.0/24} SERVICE_CLUSTER_IP_RANGE=${SERVICE_CLUSTER_IP_RANGE:-10.0.0.0/24}
# if enabled, must set CGROUP_ROOT # if enabled, must set CGROUP_ROOT
EXPERIMENTAL_CGROUPS_PER_QOS=${EXPERIMENTAL_CGROUPS_PER_QOS:-false} EXPERIMENTAL_CGROUPS_PER_QOS=${EXPERIMENTAL_CGROUPS_PER_QOS:-false}
@ -68,7 +69,6 @@ KUBE_CACHE_MUTATION_DETECTOR="${KUBE_CACHE_MUTATION_DETECTOR:-true}"
export KUBE_CACHE_MUTATION_DETECTOR export KUBE_CACHE_MUTATION_DETECTOR
# START_MODE can be 'all', 'kubeletonly', or 'nokubelet' # START_MODE can be 'all', 'kubeletonly', or 'nokubelet'
START_MODE=${START_MODE:-"all"} START_MODE=${START_MODE:-"all"}
@ -111,7 +111,7 @@ function guess_built_binary_path {
} }
### Allow user to supply the source directory. ### Allow user to supply the source directory.
GO_OUT="" GO_OUT=${GO_OUT:-}
while getopts "o:O" OPTION while getopts "o:O" OPTION
do do
case $OPTION in case $OPTION in
@ -148,20 +148,6 @@ function test_docker {
fi fi
} }
# Test whether cfssl and cfssljson are installed.
# Sets:
# CFSSL_BIN: The path of the installed cfssl binary
# CFSSLJSON_BIN: The path of the installed cfssljson binary
function test_cfssl_installed {
if ! command -v cfssl &>/dev/null || ! command -v cfssljson &>/dev/null; then
echo "Failed to successfully run 'cfssl', please verify that cfssl and cfssljson are in \$PATH."
echo "Hint: export PATH=\$PATH:\$GOPATH/bin; go get -u github.com/cloudflare/cfssl/cmd/..."
exit 1
fi
CFSSL_BIN=$(command -v cfssl)
CFSSLJSON_BIN=$(command -v cfssljson)
}
function test_rkt { function test_rkt {
if [[ -n "${RKT_PATH}" ]]; then if [[ -n "${RKT_PATH}" ]]; then
${RKT_PATH} list 2> /dev/null 1> /dev/null ${RKT_PATH} list 2> /dev/null 1> /dev/null
@ -178,17 +164,6 @@ function test_rkt {
fi fi
} }
# Test whether openssl is installed.
# Sets:
# OPENSSL_BIN: The path to the openssl binary to use
function test_openssl_installed {
openssl version >& /dev/null
if [ "$?" != "0" ]; then
echo "Failed to run openssl. Please ensure openssl is installed"
exit 1
fi
OPENSSL_BIN=$(command -v openssl)
}
# Shut down anyway if there's an error. # Shut down anyway if there's an error.
set +e set +e
@ -218,7 +193,6 @@ ENABLE_CONTROLLER_ATTACH_DETACH=${ENABLE_CONTROLLER_ATTACH_DETACH:-"true"} # cur
CERT_DIR=${CERT_DIR:-"/var/run/kubernetes"} CERT_DIR=${CERT_DIR:-"/var/run/kubernetes"}
ROOT_CA_FILE=$CERT_DIR/apiserver.crt ROOT_CA_FILE=$CERT_DIR/apiserver.crt
EXPERIMENTAL_CRI=${EXPERIMENTAL_CRI:-"false"} EXPERIMENTAL_CRI=${EXPERIMENTAL_CRI:-"false"}
DISCOVERY_SECURE_PORT=${DISCOVERY_SECURE_PORT:-9090}
# Ensure CERT_DIR is created for auto-generated crt/key and kubeconfig # Ensure CERT_DIR is created for auto-generated crt/key and kubeconfig
@ -322,10 +296,6 @@ cleanup()
[[ -n "${APISERVER_PID-}" ]] && APISERVER_PIDS=$(pgrep -P ${APISERVER_PID} ; ps -o pid= -p ${APISERVER_PID}) [[ -n "${APISERVER_PID-}" ]] && APISERVER_PIDS=$(pgrep -P ${APISERVER_PID} ; ps -o pid= -p ${APISERVER_PID})
[[ -n "${APISERVER_PIDS-}" ]] && sudo kill ${APISERVER_PIDS} [[ -n "${APISERVER_PIDS-}" ]] && sudo kill ${APISERVER_PIDS}
# Check if the discovery server is still running
[[ -n "${DISCOVERY_PID-}" ]] && DISCOVERY_PIDS=$(pgrep -P ${DISCOVERY_PID} ; ps -o pid= -p ${DISCOVERY_PID})
[[ -n "${DISCOVERY_PIDS-}" ]] && sudo kill ${DISCOVERY_PIDS}
# Check if the controller-manager is still running # Check if the controller-manager is still running
[[ -n "${CTLRMGR_PID-}" ]] && CTLRMGR_PIDS=$(pgrep -P ${CTLRMGR_PID} ; ps -o pid= -p ${CTLRMGR_PID}) [[ -n "${CTLRMGR_PID-}" ]] && CTLRMGR_PIDS=$(pgrep -P ${CTLRMGR_PID} ; ps -o pid= -p ${CTLRMGR_PID})
[[ -n "${CTLRMGR_PIDS-}" ]] && sudo kill ${CTLRMGR_PIDS} [[ -n "${CTLRMGR_PIDS-}" ]] && sudo kill ${CTLRMGR_PIDS}
@ -368,59 +338,6 @@ function set_service_accounts {
fi fi
} }
function create_client_certkey {
local CA=$1
local ID=$2
local CN=${3:-$2}
local NAMES=""
local SEP=""
shift 3
while [ -n "${1:-}" ]; do
NAMES+="${SEP}{\"O\":\"$1\"}"
SEP=","
shift 1
done
${CONTROLPLANE_SUDO} /bin/bash -e <<EOF
cd ${CERT_DIR}
echo '{"CN":"${CN}","names":[${NAMES}],"hosts":[""],"key":{"algo":"rsa","size":2048}}' | "${CFSSL_BIN}" gencert -ca=${CA}.crt -ca-key=${CA}.key -config=client-ca-config.json - | "${CFSSLJSON_BIN}" -bare client-${ID}
mv "client-${ID}-key.pem" "client-${ID}.key"
mv "client-${ID}.pem" "client-${ID}.crt"
rm -f "client-${ID}.csr"
EOF
}
function write_client_kubeconfig {
cat <<EOF | ${CONTROLPLANE_SUDO} tee "${CERT_DIR}"/$1.kubeconfig > /dev/null
apiVersion: v1
kind: Config
clusters:
- cluster:
certificate-authority: ${ROOT_CA_FILE}
server: https://${API_HOST}:${API_SECURE_PORT}/
name: local-up-cluster
users:
- user:
token: ${KUBECONFIG_TOKEN:-}
client-certificate: ${CERT_DIR}/client-$1.crt
client-key: ${CERT_DIR}/client-$1.key
name: local-up-cluster
contexts:
- context:
cluster: local-up-cluster
user: local-up-cluster
name: local-up-cluster
current-context: local-up-cluster
EOF
# flatten the kubeconfig files to make them self contained
username=$(whoami)
${CONTROLPLANE_SUDO} /bin/bash -e <<EOF
${GO_OUT}/kubectl --kubeconfig="${CERT_DIR}/$1.kubeconfig" config view --minify --flatten > "/tmp/$1.kubeconfig"
mv -f "/tmp/$1.kubeconfig" "${CERT_DIR}/$1.kubeconfig"
chown ${username} "${CERT_DIR}/$1.kubeconfig"
EOF
}
function start_apiserver { function start_apiserver {
security_admission="" security_admission=""
if [[ -z "${ALLOW_SECURITY_CONTEXT}" ]]; then if [[ -z "${ALLOW_SECURITY_CONTEXT}" ]]; then
@ -462,27 +379,19 @@ function start_apiserver {
fi fi
# Create client ca # Create client ca
${CONTROLPLANE_SUDO} /bin/bash -e <<EOF kube::util::create_signing_certkey "${CONTROLPLANE_SUDO}" "${CERT_DIR}" client '"client auth"'
rm -f "${CERT_DIR}/client-ca.crt" "${CERT_DIR}/client-ca.key"
"${OPENSSL_BIN}" req -x509 -sha256 -new -nodes -days 365 -newkey rsa:2048 -keyout "${CERT_DIR}/client-ca.key" -out "${CERT_DIR}/client-ca.crt" -subj "/C=xx/ST=x/L=x/O=x/OU=x/CN=ca/emailAddress=x/"
echo '{"signing":{"default":{"expiry":"43800h","usages":["signing","key encipherment","client auth"]}}}' > "${CERT_DIR}/client-ca-config.json"
EOF
# Create client certs signed with client-ca, given id, given CN and a number of groups # Create client certs signed with client-ca, given id, given CN and a number of groups
# NOTE: system:masters will be removed in the future # NOTE: system:masters will be removed in the future
create_client_certkey client-ca kubelet system:node:${HOSTNAME_OVERRIDE} system:nodes kube::util::create_client_certkey "${CONTROLPLANE_SUDO}" "${CERT_DIR}" 'client-ca' kubelet system:node:${HOSTNAME_OVERRIDE} system:nodes
create_client_certkey client-ca kube-proxy system:kube-proxy system:nodes kube::util::create_client_certkey "${CONTROLPLANE_SUDO}" "${CERT_DIR}" 'client-ca' kube-proxy system:kube-proxy system:nodes
create_client_certkey client-ca controller system:controller system:masters kube::util::create_client_certkey "${CONTROLPLANE_SUDO}" "${CERT_DIR}" 'client-ca' controller system:controller system:masters
create_client_certkey client-ca scheduler system:scheduler system:masters kube::util::create_client_certkey "${CONTROLPLANE_SUDO}" "${CERT_DIR}" 'client-ca' scheduler system:scheduler system:masters
create_client_certkey client-ca admin system:admin system:masters kube::util::create_client_certkey "${CONTROLPLANE_SUDO}" "${CERT_DIR}" 'client-ca' admin system:admin system:masters
# Create auth proxy client ca # Create auth proxy client ca
sudo /bin/bash -e <<EOF kube::util::create_signing_certkey "${CONTROLPLANE_SUDO}" "${CERT_DIR}" request-header '"client auth"'
rm -f "${CERT_DIR}/auth-proxy-client-ca.crt" "${CERT_DIR}/auth-proxy-client-ca.key" kube::util::create_client_certkey "${CONTROLPLANE_SUDO}" "${CERT_DIR}" request-header-ca auth-proxy system:auth-proxy
"${OPENSSL_BIN}" req -x509 -sha256 -new -nodes -days 365 -newkey rsa:2048 -keyout "${CERT_DIR}/auth-proxy-client-ca.key" -out "${CERT_DIR}/auth-proxy-client-ca.crt" -subj "/C=xx/ST=x/L=x/O=x/OU=x/CN=ca/emailAddress=x/"
echo '{"signing":{"default":{"expiry":"43800h","usages":["signing","key encipherment","client auth"]}}}' > "${CERT_DIR}/auth-proxy-client-ca-config.json"
EOF
create_client_certkey auth-proxy-client-ca auth-proxy system:auth-proxy
APISERVER_LOG=/tmp/kube-apiserver.log APISERVER_LOG=/tmp/kube-apiserver.log
${CONTROLPLANE_SUDO} "${GO_OUT}/hyperkube" apiserver ${anytoken_arg} ${authorizer_arg} ${priv_arg} ${runtime_config}\ ${CONTROLPLANE_SUDO} "${GO_OUT}/hyperkube" apiserver ${anytoken_arg} ${authorizer_arg} ${priv_arg} ${runtime_config}\
@ -506,7 +415,7 @@ EOF
--requestheader-username-headers=X-Remote-User \ --requestheader-username-headers=X-Remote-User \
--requestheader-group-headers=X-Remote-Group \ --requestheader-group-headers=X-Remote-Group \
--requestheader-extra-headers-prefix=X-Remote-Extra- \ --requestheader-extra-headers-prefix=X-Remote-Extra- \
--requestheader-client-ca-file="${CERT_DIR}/auth-proxy-client-ca.crt" \ --requestheader-client-ca-file="${CERT_DIR}/request-header-ca.crt" \
--requestheader-allowed-names=system:auth-proxy \ --requestheader-allowed-names=system:auth-proxy \
--cors-allowed-origins="${API_CORS_ALLOWED_ORIGINS}" >"${APISERVER_LOG}" 2>&1 & --cors-allowed-origins="${API_CORS_ALLOWED_ORIGINS}" >"${APISERVER_LOG}" 2>&1 &
APISERVER_PID=$! APISERVER_PID=$!
@ -516,11 +425,11 @@ EOF
kube::util::wait_for_url "https://${API_HOST}:${API_SECURE_PORT}/version" "apiserver: " 1 ${WAIT_FOR_URL_API_SERVER} || exit 1 kube::util::wait_for_url "https://${API_HOST}:${API_SECURE_PORT}/version" "apiserver: " 1 ${WAIT_FOR_URL_API_SERVER} || exit 1
# Create kubeconfigs for all components, using client certs # Create kubeconfigs for all components, using client certs
write_client_kubeconfig admin kube::util::write_client_kubeconfig "${CONTROLPLANE_SUDO}" "${CERT_DIR}" "${ROOT_CA_FILE}" "${API_HOST}" "${API_SECURE_PORT}" admin
write_client_kubeconfig kubelet kube::util::write_client_kubeconfig "${CONTROLPLANE_SUDO}" "${CERT_DIR}" "${ROOT_CA_FILE}" "${API_HOST}" "${API_SECURE_PORT}" kubelet
write_client_kubeconfig kube-proxy kube::util::write_client_kubeconfig "${CONTROLPLANE_SUDO}" "${CERT_DIR}" "${ROOT_CA_FILE}" "${API_HOST}" "${API_SECURE_PORT}" kube-proxy
write_client_kubeconfig controller kube::util::write_client_kubeconfig "${CONTROLPLANE_SUDO}" "${CERT_DIR}" "${ROOT_CA_FILE}" "${API_HOST}" "${API_SECURE_PORT}" controller
write_client_kubeconfig scheduler kube::util::write_client_kubeconfig "${CONTROLPLANE_SUDO}" "${CERT_DIR}" "${ROOT_CA_FILE}" "${API_HOST}" "${API_SECURE_PORT}" scheduler
if [[ -z "${AUTH_ARGS}" ]]; then if [[ -z "${AUTH_ARGS}" ]]; then
if [[ "${ALLOW_ANY_TOKEN}" = true ]]; then if [[ "${ALLOW_ANY_TOKEN}" = true ]]; then
@ -537,54 +446,6 @@ EOF
fi fi
} }
# start_discovery relies on certificates created by start_apiserver
function start_discovery {
# TODO generate serving certificates
create_client_certkey client-ca discovery-auth system:discovery-auth
write_client_kubeconfig discovery-auth
# grant permission to run delegated authentication and authorization checks
if [[ "${ENABLE_RBAC}" = true ]]; then
${KUBECTL} ${AUTH_ARGS} create clusterrolebinding discovery:system:auth-delegator --clusterrole=system:auth-delegator --user=system:discovery-auth
fi
curl --silent -k -g $API_HOST:$DISCOVERY_SECURE_PORT
if [ ! $? -eq 0 ]; then
echo "Kubernetes Discovery secure port is free, proceeding..."
else
echo "ERROR starting Kubernetes Discovery, exiting. Some process on $API_HOST is serving already on $DISCOVERY_SECURE_PORT"
return
fi
${CONTROLPLANE_SUDO} cp "${CERT_DIR}/admin.kubeconfig" "${CERT_DIR}/admin-discovery.kubeconfig"
${CONTROLPLANE_SUDO} ${GO_OUT}/kubectl config set-cluster local-up-cluster --kubeconfig="${CERT_DIR}/admin-discovery.kubeconfig" --insecure-skip-tls-verify --server="https://${API_HOST}:${DISCOVERY_SECURE_PORT}"
DISCOVERY_SERVER_LOG=/tmp/kubernetes-discovery.log
${CONTROLPLANE_SUDO} "${GO_OUT}/kubernetes-discovery" \
--cert-dir="${CERT_DIR}" \
--client-ca-file="${CERT_DIR}/client-ca.crt" \
--authentication-kubeconfig="${CERT_DIR}/discovery-auth.kubeconfig" \
--authorization-kubeconfig="${CERT_DIR}/discovery-auth.kubeconfig" \
--requestheader-username-headers=X-Remote-User \
--requestheader-group-headers=X-Remote-Group \
--requestheader-extra-headers-prefix=X-Remote-Extra- \
--requestheader-client-ca-file="${CERT_DIR}/auth-proxy-client-ca.crt" \
--requestheader-allowed-names=system:auth-proxy \
--bind-address="${API_BIND_ADDR}" \
--secure-port="${DISCOVERY_SECURE_PORT}" \
--tls-ca-file="${ROOT_CA_FILE}" \
--etcd-servers="http://${ETCD_HOST}:${ETCD_PORT}" >"${DISCOVERY_SERVER_LOG}" 2>&1 &
DISCOVERY_PID=$!
# Wait for kubernetes-discovery to come up before launching the rest of the components.
echo "Waiting for kubernetes-discovery to come up"
kube::util::wait_for_url "https://${API_HOST}:${DISCOVERY_SECURE_PORT}/version" "kubernetes-discovery: " 1 ${WAIT_FOR_URL_API_SERVER} || exit 1
# create the "normal" api services for the core API server
${CONTROLPLANE_SUDO} ${GO_OUT}/kubectl create -f "${KUBE_ROOT}/cmd/kubernetes-discovery/artifacts/core-apiservices" --kubeconfig="${CERT_DIR}/admin-discovery.kubeconfig"
}
function start_controller_manager { function start_controller_manager {
node_cidr_args="" node_cidr_args=""
if [[ "${NET_PLUGIN}" == "kubenet" ]]; then if [[ "${NET_PLUGIN}" == "kubenet" ]]; then
@ -786,7 +647,6 @@ Logs:
${CTLRMGR_LOG:-} ${CTLRMGR_LOG:-}
${PROXY_LOG:-} ${PROXY_LOG:-}
${SCHEDULER_LOG:-} ${SCHEDULER_LOG:-}
${DISCOVERY_SERVER_LOG:-}
EOF EOF
fi fi
@ -833,8 +693,8 @@ if [[ "${START_MODE}" != "kubeletonly" ]]; then
test_apiserver_off test_apiserver_off
fi fi
test_openssl_installed kube::util::test_openssl_installed
test_cfssl_installed kube::util::test_cfssl_installed
### IF the user didn't supply an output/ for the build... Then we detect. ### IF the user didn't supply an output/ for the build... Then we detect.
if [ "$GO_OUT" == "" ]; then if [ "$GO_OUT" == "" ]; then
@ -861,11 +721,6 @@ if [[ "${START_MODE}" != "nokubelet" ]]; then
start_kubelet start_kubelet
fi fi
START_DISCOVERY=${START_DISCOVERY:-false}
if [[ "${START_DISCOVERY}" = true ]]; then
start_discovery
fi
print_success print_success
if [[ "${ENABLE_DAEMON}" = false ]]; then if [[ "${ENABLE_DAEMON}" = false ]]; then