Skip to content
Projects
Groups
Snippets
Help
This project
Loading...
Sign in / Register
Toggle navigation
K
k3s
Project
Project
Details
Activity
Cycle Analytics
Repository
Repository
Files
Commits
Branches
Tags
Contributors
Graph
Compare
Charts
Issues
0
Issues
0
List
Board
Labels
Milestones
Merge Requests
0
Merge Requests
0
CI / CD
CI / CD
Pipelines
Jobs
Schedules
Charts
Registry
Registry
Wiki
Wiki
Snippets
Snippets
Members
Members
Collapse sidebar
Close sidebar
Activity
Graph
Charts
Create a new issue
Jobs
Commits
Issue Boards
Open sidebar
Jacklull
k3s
Commits
385d18d0
Commit
385d18d0
authored
Sep 18, 2018
by
Xiangyang Chu
Browse files
Options
Browse Files
Download
Email Patches
Plain Diff
Add REUSE_CERT to skip creaing new ca/cert files
It's maybe useful with PERSERVE_ETCD to run apiserver using existed certs, so that service account secrets will keep valid.
parent
e763a3c5
Hide whitespace changes
Inline
Side-by-side
Showing
1 changed file
with
39 additions
and
29 deletions
+39
-29
local-up-cluster.sh
hack/local-up-cluster.sh
+39
-29
No files found.
hack/local-up-cluster.sh
View file @
385d18d0
...
...
@@ -231,6 +231,9 @@ ROOT_CA_FILE=${CERT_DIR}/server-ca.crt
ROOT_CA_KEY=
${
CERT_DIR
}
/server-ca.key
CLUSTER_SIGNING_CERT_FILE=
${
CLUSTER_SIGNING_CERT_FILE
:-
"
${
ROOT_CA_FILE
}
"
}
CLUSTER_SIGNING_KEY_FILE=
${
CLUSTER_SIGNING_KEY_FILE
:-
"
${
ROOT_CA_KEY
}
"
}
# Reuse certs will skip generate new ca/cert files under CERT_DIR
# it
's useful with PRESERVE_ETCD=true because new ca will make existed service account secrets invalided
REUSE_CERTS=${REUSE_CERTS:-"false"}
# name of the cgroup driver, i.e. cgroupfs or systemd
if [[ ${CONTAINER_RUNTIME} == "docker" ]]; then
...
...
@@ -449,6 +452,39 @@ function set_service_accounts {
fi
}
function generate_certs {
# Create CA signers
if [[ "${ENABLE_SINGLE_CA_SIGNER:-}" = true ]]; then
kube::util::create_signing_certkey "${CONTROLPLANE_SUDO}" "${CERT_DIR}" server '
"client auth"
,
"server auth"
'
sudo cp "${CERT_DIR}/server-ca.key" "${CERT_DIR}/client-ca.key"
sudo cp "${CERT_DIR}/server-ca.crt" "${CERT_DIR}/client-ca.crt"
sudo cp "${CERT_DIR}/server-ca-config.json" "${CERT_DIR}/client-ca-config.json"
else
kube::util::create_signing_certkey "${CONTROLPLANE_SUDO}" "${CERT_DIR}" server '
"server auth"
'
kube::util::create_signing_certkey "${CONTROLPLANE_SUDO}" "${CERT_DIR}" client '
"client auth"
'
fi
# Create auth proxy client ca
kube::util::create_signing_certkey "${CONTROLPLANE_SUDO}" "${CERT_DIR}" request-header '
"client auth"
'
# serving cert for kube-apiserver
kube::util::create_serving_certkey "${CONTROLPLANE_SUDO}" "${CERT_DIR}" "server-ca" kube-apiserver kubernetes.default kubernetes.default.svc "localhost" ${API_HOST_IP} ${API_HOST} ${FIRST_SERVICE_CLUSTER_IP}
# Create client certs signed with client-ca, given id, given CN and a number of groups
kube::util::create_client_certkey "${CONTROLPLANE_SUDO}" "${CERT_DIR}" '
client
-ca
' kubelet system:node:${HOSTNAME_OVERRIDE} system:nodes
kube::util::create_client_certkey "${CONTROLPLANE_SUDO}" "${CERT_DIR}" '
client
-ca
' kube-proxy system:kube-proxy system:nodes
kube::util::create_client_certkey "${CONTROLPLANE_SUDO}" "${CERT_DIR}" '
client
-ca
' controller system:kube-controller-manager
kube::util::create_client_certkey "${CONTROLPLANE_SUDO}" "${CERT_DIR}" '
client
-ca
' scheduler system:kube-scheduler
kube::util::create_client_certkey "${CONTROLPLANE_SUDO}" "${CERT_DIR}" '
client
-ca
' admin system:admin system:masters
# Create matching certificates for kube-aggregator
kube::util::create_serving_certkey "${CONTROLPLANE_SUDO}" "${CERT_DIR}" "server-ca" kube-aggregator api.kube-public.svc "localhost" ${API_HOST_IP}
kube::util::create_client_certkey "${CONTROLPLANE_SUDO}" "${CERT_DIR}" request-header-ca auth-proxy system:auth-proxy
# TODO remove masters and add rolebinding
kube::util::create_client_certkey "${CONTROLPLANE_SUDO}" "${CERT_DIR}" '
client
-ca
' kube-aggregator system:kube-aggregator system:masters
kube::util::write_client_kubeconfig "${CONTROLPLANE_SUDO}" "${CERT_DIR}" "${ROOT_CA_FILE}" "${API_HOST}" "${API_SECURE_PORT}" kube-aggregator
}
function start_apiserver {
security_admission=""
if [[ -n "${DENY_SECURITY_CONTEXT_ADMISSION}" ]]; then
...
...
@@ -514,37 +550,11 @@ function start_apiserver {
node_port_range="--service-node-port-range=${NODE_PORT_RANGE}"
fi
# Create CA signers
if
[[
"
${
ENABLE_SINGLE_CA_SIGNER
:-}
"
=
true
]]
;
then
kube::util::create_signing_certkey
"
${
CONTROLPLANE_SUDO
}
"
"
${
CERT_DIR
}
"
server
'"client auth","server auth"'
sudo cp
"
${
CERT_DIR
}
/server-ca.key"
"
${
CERT_DIR
}
/client-ca.key"
sudo cp
"
${
CERT_DIR
}
/server-ca.crt"
"
${
CERT_DIR
}
/client-ca.crt"
sudo cp
"
${
CERT_DIR
}
/server-ca-config.json"
"
${
CERT_DIR
}
/client-ca-config.json"
else
kube::util::create_signing_certkey
"
${
CONTROLPLANE_SUDO
}
"
"
${
CERT_DIR
}
"
server
'"server auth"'
kube::util::create_signing_certkey
"
${
CONTROLPLANE_SUDO
}
"
"
${
CERT_DIR
}
"
client
'"client auth"'
if [[ "${REUSE_CERTS}" == "false" ]]; then
# Create Certs
generate_certs
fi
# Create auth proxy client ca
kube::util::create_signing_certkey
"
${
CONTROLPLANE_SUDO
}
"
"
${
CERT_DIR
}
"
request-header
'"client auth"'
# serving cert for kube-apiserver
kube::util::create_serving_certkey
"
${
CONTROLPLANE_SUDO
}
"
"
${
CERT_DIR
}
"
"server-ca"
kube-apiserver kubernetes.default kubernetes.default.svc
"localhost"
${
API_HOST_IP
}
${
API_HOST
}
${
FIRST_SERVICE_CLUSTER_IP
}
# Create client certs signed with client-ca, given id, given CN and a number of groups
kube::util::create_client_certkey
"
${
CONTROLPLANE_SUDO
}
"
"
${
CERT_DIR
}
"
'client-ca'
kubelet system:node:
${
HOSTNAME_OVERRIDE
}
system:nodes
kube::util::create_client_certkey
"
${
CONTROLPLANE_SUDO
}
"
"
${
CERT_DIR
}
"
'client-ca'
kube-proxy system:kube-proxy system:nodes
kube::util::create_client_certkey
"
${
CONTROLPLANE_SUDO
}
"
"
${
CERT_DIR
}
"
'client-ca'
controller system:kube-controller-manager
kube::util::create_client_certkey
"
${
CONTROLPLANE_SUDO
}
"
"
${
CERT_DIR
}
"
'client-ca'
scheduler system:kube-scheduler
kube::util::create_client_certkey
"
${
CONTROLPLANE_SUDO
}
"
"
${
CERT_DIR
}
"
'client-ca'
admin system:admin system:masters
# Create matching certificates for kube-aggregator
kube::util::create_serving_certkey
"
${
CONTROLPLANE_SUDO
}
"
"
${
CERT_DIR
}
"
"server-ca"
kube-aggregator api.kube-public.svc
"localhost"
${
API_HOST_IP
}
kube::util::create_client_certkey
"
${
CONTROLPLANE_SUDO
}
"
"
${
CERT_DIR
}
"
request-header-ca auth-proxy system:auth-proxy
# TODO remove masters and add rolebinding
kube::util::create_client_certkey
"
${
CONTROLPLANE_SUDO
}
"
"
${
CERT_DIR
}
"
'client-ca'
kube-aggregator system:kube-aggregator system:masters
kube::util::write_client_kubeconfig
"
${
CONTROLPLANE_SUDO
}
"
"
${
CERT_DIR
}
"
"
${
ROOT_CA_FILE
}
"
"
${
API_HOST
}
"
"
${
API_SECURE_PORT
}
"
kube-aggregator
cloud_config_arg="--cloud-provider=${CLOUD_PROVIDER} --cloud-config=${CLOUD_CONFIG}"
if [[ "${EXTERNAL_CLOUD_PROVIDER:-}" == "true" ]]; then
cloud_config_arg="--cloud-provider=external"
...
...
Write
Preview
Markdown
is supported
0%
Try again
or
attach a new file
Attach a file
Cancel
You are about to add
0
people
to the discussion. Proceed with caution.
Finish editing this message first!
Cancel
Please
register
or
sign in
to comment