Skip to content
Projects
Groups
Snippets
Help
This project
Loading...
Sign in / Register
Toggle navigation
K
k3s
Project
Project
Details
Activity
Cycle Analytics
Repository
Repository
Files
Commits
Branches
Tags
Contributors
Graph
Compare
Charts
Issues
0
Issues
0
List
Board
Labels
Milestones
Merge Requests
0
Merge Requests
0
CI / CD
CI / CD
Pipelines
Jobs
Schedules
Charts
Registry
Registry
Wiki
Wiki
Snippets
Snippets
Members
Members
Collapse sidebar
Close sidebar
Activity
Graph
Charts
Create a new issue
Jobs
Commits
Issue Boards
Open sidebar
Jacklull
k3s
Commits
9f681f0f
Unverified
Commit
9f681f0f
authored
Sep 26, 2018
by
k8s-ci-robot
Committed by
GitHub
Sep 26, 2018
Browse files
Options
Browse Files
Download
Plain Diff
Merge pull request #68778 from xychu/add-reuse-certs
Add REUSE_CERT to skip creaing new ca/cert files
parents
4ca9fa73
f4d8aa1c
Hide whitespace changes
Inline
Side-by-side
Showing
1 changed file
with
39 additions
and
29 deletions
+39
-29
local-up-cluster.sh
hack/local-up-cluster.sh
+39
-29
No files found.
hack/local-up-cluster.sh
View file @
9f681f0f
...
@@ -233,6 +233,9 @@ ROOT_CA_FILE=${CERT_DIR}/server-ca.crt
...
@@ -233,6 +233,9 @@ ROOT_CA_FILE=${CERT_DIR}/server-ca.crt
ROOT_CA_KEY=
${
CERT_DIR
}
/server-ca.key
ROOT_CA_KEY=
${
CERT_DIR
}
/server-ca.key
CLUSTER_SIGNING_CERT_FILE=
${
CLUSTER_SIGNING_CERT_FILE
:-
"
${
ROOT_CA_FILE
}
"
}
CLUSTER_SIGNING_CERT_FILE=
${
CLUSTER_SIGNING_CERT_FILE
:-
"
${
ROOT_CA_FILE
}
"
}
CLUSTER_SIGNING_KEY_FILE=
${
CLUSTER_SIGNING_KEY_FILE
:-
"
${
ROOT_CA_KEY
}
"
}
CLUSTER_SIGNING_KEY_FILE=
${
CLUSTER_SIGNING_KEY_FILE
:-
"
${
ROOT_CA_KEY
}
"
}
# Reuse certs will skip generate new ca/cert files under CERT_DIR
# it
's useful with PRESERVE_ETCD=true because new ca will make existed service account secrets invalided
REUSE_CERTS=${REUSE_CERTS:-false}
# name of the cgroup driver, i.e. cgroupfs or systemd
# name of the cgroup driver, i.e. cgroupfs or systemd
if [[ ${CONTAINER_RUNTIME} == "docker" ]]; then
if [[ ${CONTAINER_RUNTIME} == "docker" ]]; then
...
@@ -451,6 +454,39 @@ function set_service_accounts {
...
@@ -451,6 +454,39 @@ function set_service_accounts {
fi
fi
}
}
function generate_certs {
# Create CA signers
if [[ "${ENABLE_SINGLE_CA_SIGNER:-}" = true ]]; then
kube::util::create_signing_certkey "${CONTROLPLANE_SUDO}" "${CERT_DIR}" server '
"client auth"
,
"server auth"
'
sudo cp "${CERT_DIR}/server-ca.key" "${CERT_DIR}/client-ca.key"
sudo cp "${CERT_DIR}/server-ca.crt" "${CERT_DIR}/client-ca.crt"
sudo cp "${CERT_DIR}/server-ca-config.json" "${CERT_DIR}/client-ca-config.json"
else
kube::util::create_signing_certkey "${CONTROLPLANE_SUDO}" "${CERT_DIR}" server '
"server auth"
'
kube::util::create_signing_certkey "${CONTROLPLANE_SUDO}" "${CERT_DIR}" client '
"client auth"
'
fi
# Create auth proxy client ca
kube::util::create_signing_certkey "${CONTROLPLANE_SUDO}" "${CERT_DIR}" request-header '
"client auth"
'
# serving cert for kube-apiserver
kube::util::create_serving_certkey "${CONTROLPLANE_SUDO}" "${CERT_DIR}" "server-ca" kube-apiserver kubernetes.default kubernetes.default.svc "localhost" ${API_HOST_IP} ${API_HOST} ${FIRST_SERVICE_CLUSTER_IP}
# Create client certs signed with client-ca, given id, given CN and a number of groups
kube::util::create_client_certkey "${CONTROLPLANE_SUDO}" "${CERT_DIR}" '
client
-ca
' kubelet system:node:${HOSTNAME_OVERRIDE} system:nodes
kube::util::create_client_certkey "${CONTROLPLANE_SUDO}" "${CERT_DIR}" '
client
-ca
' kube-proxy system:kube-proxy system:nodes
kube::util::create_client_certkey "${CONTROLPLANE_SUDO}" "${CERT_DIR}" '
client
-ca
' controller system:kube-controller-manager
kube::util::create_client_certkey "${CONTROLPLANE_SUDO}" "${CERT_DIR}" '
client
-ca
' scheduler system:kube-scheduler
kube::util::create_client_certkey "${CONTROLPLANE_SUDO}" "${CERT_DIR}" '
client
-ca
' admin system:admin system:masters
# Create matching certificates for kube-aggregator
kube::util::create_serving_certkey "${CONTROLPLANE_SUDO}" "${CERT_DIR}" "server-ca" kube-aggregator api.kube-public.svc "localhost" ${API_HOST_IP}
kube::util::create_client_certkey "${CONTROLPLANE_SUDO}" "${CERT_DIR}" request-header-ca auth-proxy system:auth-proxy
# TODO remove masters and add rolebinding
kube::util::create_client_certkey "${CONTROLPLANE_SUDO}" "${CERT_DIR}" '
client
-ca
' kube-aggregator system:kube-aggregator system:masters
kube::util::write_client_kubeconfig "${CONTROLPLANE_SUDO}" "${CERT_DIR}" "${ROOT_CA_FILE}" "${API_HOST}" "${API_SECURE_PORT}" kube-aggregator
}
function start_apiserver {
function start_apiserver {
security_admission=""
security_admission=""
if [[ -n "${DENY_SECURITY_CONTEXT_ADMISSION}" ]]; then
if [[ -n "${DENY_SECURITY_CONTEXT_ADMISSION}" ]]; then
...
@@ -516,37 +552,11 @@ function start_apiserver {
...
@@ -516,37 +552,11 @@ function start_apiserver {
node_port_range="--service-node-port-range=${NODE_PORT_RANGE}"
node_port_range="--service-node-port-range=${NODE_PORT_RANGE}"
fi
fi
# Create CA signers
if [[ "${REUSE_CERTS}" != true ]]; then
if
[[
"
${
ENABLE_SINGLE_CA_SIGNER
:-}
"
=
true
]]
;
then
# Create Certs
kube::util::create_signing_certkey
"
${
CONTROLPLANE_SUDO
}
"
"
${
CERT_DIR
}
"
server
'"client auth","server auth"'
generate_certs
sudo cp
"
${
CERT_DIR
}
/server-ca.key"
"
${
CERT_DIR
}
/client-ca.key"
sudo cp
"
${
CERT_DIR
}
/server-ca.crt"
"
${
CERT_DIR
}
/client-ca.crt"
sudo cp
"
${
CERT_DIR
}
/server-ca-config.json"
"
${
CERT_DIR
}
/client-ca-config.json"
else
kube::util::create_signing_certkey
"
${
CONTROLPLANE_SUDO
}
"
"
${
CERT_DIR
}
"
server
'"server auth"'
kube::util::create_signing_certkey
"
${
CONTROLPLANE_SUDO
}
"
"
${
CERT_DIR
}
"
client
'"client auth"'
fi
fi
# Create auth proxy client ca
kube::util::create_signing_certkey
"
${
CONTROLPLANE_SUDO
}
"
"
${
CERT_DIR
}
"
request-header
'"client auth"'
# serving cert for kube-apiserver
kube::util::create_serving_certkey
"
${
CONTROLPLANE_SUDO
}
"
"
${
CERT_DIR
}
"
"server-ca"
kube-apiserver kubernetes.default kubernetes.default.svc
"localhost"
${
API_HOST_IP
}
${
API_HOST
}
${
FIRST_SERVICE_CLUSTER_IP
}
# Create client certs signed with client-ca, given id, given CN and a number of groups
kube::util::create_client_certkey
"
${
CONTROLPLANE_SUDO
}
"
"
${
CERT_DIR
}
"
'client-ca'
kubelet system:node:
${
HOSTNAME_OVERRIDE
}
system:nodes
kube::util::create_client_certkey
"
${
CONTROLPLANE_SUDO
}
"
"
${
CERT_DIR
}
"
'client-ca'
kube-proxy system:kube-proxy system:nodes
kube::util::create_client_certkey
"
${
CONTROLPLANE_SUDO
}
"
"
${
CERT_DIR
}
"
'client-ca'
controller system:kube-controller-manager
kube::util::create_client_certkey
"
${
CONTROLPLANE_SUDO
}
"
"
${
CERT_DIR
}
"
'client-ca'
scheduler system:kube-scheduler
kube::util::create_client_certkey
"
${
CONTROLPLANE_SUDO
}
"
"
${
CERT_DIR
}
"
'client-ca'
admin system:admin system:masters
# Create matching certificates for kube-aggregator
kube::util::create_serving_certkey
"
${
CONTROLPLANE_SUDO
}
"
"
${
CERT_DIR
}
"
"server-ca"
kube-aggregator api.kube-public.svc
"localhost"
${
API_HOST_IP
}
kube::util::create_client_certkey
"
${
CONTROLPLANE_SUDO
}
"
"
${
CERT_DIR
}
"
request-header-ca auth-proxy system:auth-proxy
# TODO remove masters and add rolebinding
kube::util::create_client_certkey
"
${
CONTROLPLANE_SUDO
}
"
"
${
CERT_DIR
}
"
'client-ca'
kube-aggregator system:kube-aggregator system:masters
kube::util::write_client_kubeconfig
"
${
CONTROLPLANE_SUDO
}
"
"
${
CERT_DIR
}
"
"
${
ROOT_CA_FILE
}
"
"
${
API_HOST
}
"
"
${
API_SECURE_PORT
}
"
kube-aggregator
cloud_config_arg="--cloud-provider=${CLOUD_PROVIDER} --cloud-config=${CLOUD_CONFIG}"
cloud_config_arg="--cloud-provider=${CLOUD_PROVIDER} --cloud-config=${CLOUD_CONFIG}"
if [[ "${EXTERNAL_CLOUD_PROVIDER:-}" == "true" ]]; then
if [[ "${EXTERNAL_CLOUD_PROVIDER:-}" == "true" ]]; then
cloud_config_arg="--cloud-provider=external"
cloud_config_arg="--cloud-provider=external"
...
...
Write
Preview
Markdown
is supported
0%
Try again
or
attach a new file
Attach a file
Cancel
You are about to add
0
people
to the discussion. Proceed with caution.
Finish editing this message first!
Cancel
Please
register
or
sign in
to comment