add templates for certs and keys
This commit is contained in:
parent
0faaddbaa4
commit
dee398d5e9
@ -41,6 +41,7 @@ class Document:
|
||||
raise AssertionError('Did not get expected keys')
|
||||
assert data['apiVersion'] == 'promenade/v1'
|
||||
assert data['kind'] in self.SUPPORTED_KINDS
|
||||
assert data['metadata']['name']
|
||||
|
||||
self.data = data
|
||||
|
||||
@ -48,6 +49,10 @@ class Document:
|
||||
def kind(self):
|
||||
return self.data['kind']
|
||||
|
||||
@property
|
||||
def name(self):
|
||||
return self.metadata['name']
|
||||
|
||||
@property
|
||||
def target(self):
|
||||
return self.metadata.get('target')
|
||||
@ -64,6 +69,19 @@ class Configuration:
|
||||
def __init__(self, documents):
|
||||
self.documents = sorted(documents, key=attrgetter('kind', 'target'))
|
||||
|
||||
self.validate()
|
||||
|
||||
def validate(self):
|
||||
identifiers = set()
|
||||
for document in self.documents:
|
||||
identifier = (document.kind, document.name)
|
||||
if identifier in identifiers:
|
||||
LOG.error('Found duplicate document in config: kind=%s name=%s',
|
||||
document.kind, document.name)
|
||||
raise RuntimeError('Duplicate document')
|
||||
else:
|
||||
identifiers.add(identifier)
|
||||
|
||||
def __getitem__(self, key):
|
||||
results = [d for d in self.documents if d.kind == key]
|
||||
if len(results) < 1:
|
||||
@ -73,6 +91,11 @@ class Configuration:
|
||||
else:
|
||||
return results[0]
|
||||
|
||||
def get(self, *, kind, name):
|
||||
for document in self.documents:
|
||||
if document.kind == kind and document.name == name:
|
||||
return document
|
||||
|
||||
def iterate(self, *, kind=None, target=None):
|
||||
if target:
|
||||
docs = self._iterate_with_target(target)
|
||||
|
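Review bot: `Configuration.get` (the `def get(self, *, kind, name)` in the fourth hunk) falls off the end of its loop and returns None when no document matches, and the one-line templates added by this commit dereference that result directly as `config.get(kind=..., name=...)['data']`, so a missing certificate or key surfaces during rendering as a `TypeError` that names neither the kind nor the name. Raising at the source, `raise KeyError('No document with kind=%s name=%s' % (kind, name))` on the line after the loop, tells the operator which document is absent and stops the render before a partial pki directory is written; if some caller depends on the None, a keyword-only `default` parameter can preserve that path. In the first hunk, `assert data['metadata']['name']` is stripped under `python -O`, so an unnamed document would pass validation and only collide later in `Configuration.validate`; the neighbouring `raise AssertionError('Did not get expected keys')` shows the explicit form the file already uses, e.g. `if not data['metadata'].get('name'): raise AssertionError('Document missing metadata.name')`. Which of the first hunk's lines is the addition is not recoverable from the rendered view, and the `Document.__init__` body enclosing it starts outside the hunk.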
@ -123,6 +123,7 @@ class Generator:
|
||||
role_specific_documents.extend([
|
||||
admin_cert,
|
||||
admin_cert_key,
|
||||
cluster_ca_key,
|
||||
etcd_client_ca,
|
||||
etcd_peer_ca,
|
||||
sa_priv,
|
||||
@ -140,7 +141,7 @@ class Generator:
|
||||
role_specific_documents.extend(_genesis_config(hostname, data,
|
||||
masters, network, keys))
|
||||
role_specific_documents.append(_genesis_etcd_config(cluster_name, hostname))
|
||||
node.data['is_genesis'] = True
|
||||
node.data['spec']['is_genesis'] = True
|
||||
|
||||
c = config.Configuration(common_documents + role_specific_documents)
|
||||
c.write(os.path.join(output_dir, hostname + '.yaml'))
|
||||
@ -156,6 +157,7 @@ class Generator:
|
||||
'kind': 'Masters',
|
||||
'metadata': {
|
||||
'cluster': cluster_name,
|
||||
'name': cluster_name,
|
||||
'target': 'all',
|
||||
},
|
||||
'spec': {
|
||||
@ -172,7 +174,8 @@ def _master_etcd_config(cluster_name, genesis_hostname, hostname, masters):
|
||||
'auxiliary-etcd-0=https://%s:12380' % genesis_hostname,
|
||||
'auxiliary-etcd-1=https://%s:22380' % genesis_hostname,
|
||||
])
|
||||
return _etcd_config(cluster_name, target=hostname,
|
||||
return _etcd_config(cluster_name, name='master-etcd',
|
||||
target=hostname,
|
||||
initial_cluster=initial_cluster,
|
||||
initial_cluster_state='existing')
|
||||
|
||||
@ -183,18 +186,20 @@ def _genesis_etcd_config(cluster_name, hostname):
|
||||
'auxiliary-etcd-0=https://%s:12380' % hostname,
|
||||
'auxiliary-etcd-1=https://%s:22380' % hostname,
|
||||
]
|
||||
return _etcd_config(cluster_name, target=hostname,
|
||||
return _etcd_config(cluster_name, name='genesis-etcd',
|
||||
target=hostname,
|
||||
initial_cluster=initial_cluster,
|
||||
initial_cluster_state='new')
|
||||
|
||||
|
||||
def _etcd_config(cluster_name, *, target,
|
||||
def _etcd_config(cluster_name, *, name, target,
|
||||
initial_cluster, initial_cluster_state):
|
||||
return config.Document({
|
||||
'apiVersion': 'promenade/v1',
|
||||
'kind': 'Etcd',
|
||||
'metadata': {
|
||||
'cluster': cluster_name,
|
||||
'name': name,
|
||||
'target': target,
|
||||
},
|
||||
'spec': {
|
||||
@ -221,6 +226,13 @@ def _master_config(hostname, host_data, masters, network, keys):
|
||||
hosts=kube_domains + [hostname, host_data['ip']],
|
||||
target=hostname,
|
||||
))
|
||||
docs.extend(keys.generate_certificate(
|
||||
alias='etcd-apiserver-client',
|
||||
name='etcd:client:apiserver:%s' % hostname,
|
||||
ca_name='etcd-client',
|
||||
hosts=[hostname, host_data['ip']],
|
||||
target=hostname,
|
||||
))
|
||||
docs.extend(keys.generate_certificate(
|
||||
alias='etcd-peer',
|
||||
name='etcd:peer:%s' % hostname,
|
||||
@ -271,13 +283,14 @@ def _genesis_config(hostname, host_data, masters, network, keys):
|
||||
|
||||
for i in range(2):
|
||||
docs.extend(keys.generate_certificate(
|
||||
name='auxiliary-etcd-client-%d' % i,
|
||||
name='auxiliary-etcd-%d-client' % i,
|
||||
ca_name='etcd-client',
|
||||
hosts=[hostname, host_data['ip']],
|
||||
target=hostname,
|
||||
))
|
||||
|
||||
docs.extend(keys.generate_certificate(
|
||||
name='auxiliary-etcd-client-%d' % i,
|
||||
name='auxiliary-etcd-%d-peer' % i,
|
||||
ca_name='etcd-peer',
|
||||
hosts=[hostname, host_data['ip']],
|
||||
target=hostname,
|
||||
@ -299,6 +312,7 @@ def _construct_node_config(cluster_name, hostname, data):
|
||||
'kind': 'Node',
|
||||
'metadata': {
|
||||
'cluster': cluster_name,
|
||||
'name': hostname,
|
||||
'target': hostname,
|
||||
},
|
||||
'spec': spec,
|
||||
|
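Review bot: The file written by `c.write(os.path.join(output_dir, hostname + '.yaml'))` in the second hunk carries the genesis role's private key material — the first hunk lists `cluster_ca_key` and `sa_priv` among the role-specific documents, and the new templates consume `CertificateKey`, `CertificateAuthorityKey` and `PrivateKey` documents from the same configuration — yet nothing in the hunk constrains the output file's permissions. `Configuration.write` is outside the view; if it uses a plain `open(path, 'w')`, the file is created under the process umask (commonly 0644) and any local user on the build host can read the cluster CA key. Opening the output with `os.fdopen(os.open(path, os.O_WRONLY | os.O_CREAT | os.O_TRUNC, 0o600), 'w')`, or an `os.chmod(path, 0o600)` immediately after the write, keeps it owner-only; the same applies to any other place the generator writes these documents. `hostname` also forms the file name unsanitised; it comes from the operator's own input, but passing it through `os.path.basename` or an allow-list check guarantees the write stays inside `output_dir`. The `Generator` method enclosing both hunks starts outside the view.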
@ -18,7 +18,7 @@ spec:
|
||||
- proxy
|
||||
- --cluster-cidr={{ config['Network']['pod_ip_cidr'] }}
|
||||
- --hostname-override=$(NODE_NAME)
|
||||
- --kubeconfig=/etc/kubernetes/config/kubeconfig.yaml
|
||||
- --kubeconfig=/etc/kubernetes/proxy/kubeconfig.yaml
|
||||
- --proxy-mode=iptables
|
||||
- --v=5
|
||||
env:
|
||||
@ -30,7 +30,7 @@ spec:
|
||||
privileged: true
|
||||
volumeMounts:
|
||||
- name: config
|
||||
mountPath: /etc/kubernetes
|
||||
mountPath: /etc/kubernetes/proxy
|
||||
readOnly: true
|
||||
hostNetwork: true
|
||||
volumes:
|
||||
|
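Review bot: The `config` volume's container path moves to `/etc/kubernetes/proxy` in the second hunk, but the volume's `hostPath` `path:` sits just past the hunk's closing `volumes:` line and is not changed by this commit. The kubeconfig this commit rewrites for the proxy resolves `/etc/kubernetes/proxy/pki/cluster-ca.pem` inside the container, so the host side must map exactly the proxy's own tree; if the hostPath still names `/etc/kubernetes`, the container receives every component's directory — including the cluster CA key that the controller-manager manifest's `--cluster-signing-key-file` now places under `/etc/kubernetes/controller-manager/pki` — and the in-container paths no longer line up. Please confirm the volume reads `path: /etc/kubernetes/proxy`; the asset-loader, controller-manager and scheduler manifests in this commit have the same shape (new per-component `mountPath`, `hostPath` cut off by the hunk) and need the same check, so that each pod sees only its own kubeconfig and keys.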
@ -0,0 +1 @@
|
||||
{{ config.get(kind='CertificateAuthority', name='cluster')['data'] }}
|
@ -0,0 +1 @@
|
||||
{{ config.get(kind='CertificateKey', name='kubelet')['data'] }}
|
@ -0,0 +1 @@
|
||||
{{ config.get(kind='Certificate', name='kubelet')['data'] }}
|
@ -3,7 +3,7 @@ apiVersion: v1
|
||||
clusters:
|
||||
- cluster:
|
||||
server: https://kubernetes
|
||||
certificate-authority: /etc/kubernetes/pki/cluster-ca.pem
|
||||
certificate-authority: /etc/kubernetes/proxy/pki/cluster-ca.pem
|
||||
name: kubernetes
|
||||
contexts:
|
||||
- context:
|
||||
@ -16,5 +16,5 @@ preferences: {}
|
||||
users:
|
||||
- name: proxy
|
||||
user:
|
||||
client-certificate: /etc/kubernetes/pki/proxy.pem
|
||||
client-key: /etc/kubernetes/pki/proxy-key.pem
|
||||
client-certificate: /etc/kubernetes/proxy/pki/proxy.pem
|
||||
client-key: /etc/kubernetes/proxy/pki/proxy-key.pem
|
@ -0,0 +1 @@
|
||||
{{ config.get(kind='CertificateAuthority', name='cluster')['data'] }}
|
@ -0,0 +1 @@
|
||||
{{ config.get(kind='CertificateKey', name='proxy')['data'] }}
|
@ -0,0 +1 @@
|
||||
{{ config.get(kind='Certificate', name='proxy')['data'] }}
|
@ -3,7 +3,7 @@ apiVersion: v1
|
||||
clusters:
|
||||
- cluster:
|
||||
server: https://kubernetes
|
||||
certificate-authority: /etc/kubernetes/pki/cluster-ca.pem
|
||||
certificate-authority: /etc/kubernetes/asset-loader/pki/cluster-ca.pem
|
||||
name: kubernetes
|
||||
contexts:
|
||||
- context:
|
||||
@ -16,5 +16,5 @@ preferences: {}
|
||||
users:
|
||||
- name: asset-loader
|
||||
user:
|
||||
client-certificate: /etc/kubernetes/pki/asset-loader.pem
|
||||
client-key: /etc/kubernetes/pki/asset-loader-key.pem
|
||||
client-certificate: /etc/kubernetes/asset-loader/pki/asset-loader.pem
|
||||
client-key: /etc/kubernetes/asset-loader/pki/asset-loader-key.pem
|
||||
|
@ -0,0 +1 @@
|
||||
{{ config.get(kind='CertificateKey', name='admin')['data'] }}
|
@ -0,0 +1 @@
|
||||
{{ config.get(kind='Certificate', name='admin')['data'] }}
|
@ -0,0 +1 @@
|
||||
{{ config.get(kind='CertificateAuthority', name='cluster')['data'] }}
|
@ -0,0 +1 @@
|
||||
{{ config.get(kind='CertificateAuthority', name='etcd-client')['data'] }}
|
@ -0,0 +1 @@
|
||||
{{ config.get(kind='CertificateKey', name='auxiliary-etcd-0-client')['data'] }}
|
@ -0,0 +1 @@
|
||||
{{ config.get(kind='Certificate', name='auxiliary-etcd-0-client')['data'] }}
|
@ -0,0 +1 @@
|
||||
{{ config.get(kind='CertificateKey', name='auxiliary-etcd-0-peer')['data'] }}
|
@ -0,0 +1 @@
|
||||
{{ config.get(kind='Certificate', name='auxiliary-etcd-0-peer')['data'] }}
|
@ -0,0 +1 @@
|
||||
{{ config.get(kind='CertificateAuthority', name='etcd-peer')['data'] }}
|
@ -0,0 +1 @@
|
||||
{{ config.get(kind='CertificateAuthority', name='etcd-client')['data'] }}
|
@ -0,0 +1 @@
|
||||
{{ config.get(kind='CertificateKey', name='auxiliary-etcd-1-client')['data'] }}
|
@ -0,0 +1 @@
|
||||
{{ config.get(kind='Certificate', name='auxiliary-etcd-1-client')['data'] }}
|
@ -0,0 +1 @@
|
||||
{{ config.get(kind='CertificateKey', name='auxiliary-etcd-1-peer')['data'] }}
|
@ -0,0 +1 @@
|
||||
{{ config.get(kind='Certificate', name='auxiliary-etcd-1-peer')['data'] }}
|
@ -0,0 +1 @@
|
||||
{{ config.get(kind='CertificateAuthority', name='etcd-peer')['data'] }}
|
@ -3,7 +3,7 @@ apiVersion: v1
|
||||
clusters:
|
||||
- cluster:
|
||||
server: https://127.0.0.1
|
||||
certificate-authority: /target/etc/kubernetes/genesis/pki/cluster-ca.pem
|
||||
certificate-authority: /target/etc/kubernetes/admin/pki/cluster-ca.pem
|
||||
name: kubernetes
|
||||
contexts:
|
||||
- context:
|
||||
@ -16,5 +16,5 @@ preferences: {}
|
||||
users:
|
||||
- name: genesis
|
||||
user:
|
||||
client-certificate: /target/etc/kubernetes/genesis/pki/genesis.pem
|
||||
client-key: /target/etc/kubernetes/genesis/pki/genesis-key.pem
|
||||
client-certificate: /target/etc/kubernetes/admin/pki/admin.pem
|
||||
client-key: /target/etc/kubernetes/admin/pki/admin-key.pem
|
||||
|
@ -21,12 +21,12 @@ spec:
|
||||
while true; do
|
||||
sleep 60
|
||||
/kubectl \
|
||||
--kubeconfig /etc/kubernetes/kubeconfig.yaml \
|
||||
apply -f /etc/kubernetes/assets
|
||||
--kubeconfig /etc/kubernetes/asset-loader/kubeconfig.yaml \
|
||||
apply -f /etc/kubernetes/asset-loader/assets
|
||||
done
|
||||
volumeMounts:
|
||||
- name: config
|
||||
mountPath: /etc/kubernetes
|
||||
mountPath: /etc/kubernetes/asset-loader
|
||||
readOnly: true
|
||||
volumes:
|
||||
- name: config
|
||||
|
@ -22,21 +22,21 @@ spec:
|
||||
- name: ETCD_DATA_DIR
|
||||
value: /var/lib/auxiliary-etcd-0
|
||||
- name: ETCD_TRUSTED_CA_FILE
|
||||
value: /etc/etcd-pki/cluster-ca.pem
|
||||
value: /etc/kubernetes/auxiliary-etcd-0/pki/client-ca.pem
|
||||
- name: ETCD_CERT_FILE
|
||||
value: /etc/etcd-pki/etcd.pem
|
||||
value: /etc/kubernetes/auxiliary-etcd-0/pki/etcd-client.pem
|
||||
- name: ETCD_KEY_FILE
|
||||
value: /etc/etcd-pki/etcd-key.pem
|
||||
value: /etc/kubernetes/auxiliary-etcd-0/pki/etcd-client-key.pem
|
||||
- name: ETCD_PEER_TRUSTED_CA_FILE
|
||||
value: /etc/etcd-pki/cluster-ca.pem
|
||||
value: /etc/kubernetes/auxiliary-etcd-0/pki/peer-ca.pem
|
||||
- name: ETCD_PEER_CERT_FILE
|
||||
value: /etc/etcd-pki/etcd.pem
|
||||
value: /etc/kubernetes/auxiliary-etcd-0/pki/etcd-peer.pem
|
||||
- name: ETCD_PEER_KEY_FILE
|
||||
value: /etc/etcd-pki/etcd-key.pem
|
||||
value: /etc/kubernetes/auxiliary-etcd-0/pki/etcd-peer-key.pem
|
||||
- name: ETCD_ADVERTISE_CLIENT_URLS
|
||||
value: https://$(ETCD_NAME):12379
|
||||
value: https://{{ config['Node']['hostname'] }}:12379
|
||||
- name: ETCD_INITIAL_ADVERTISE_PEER_URLS
|
||||
value: https://$(ETCD_NAME):12380
|
||||
value: https://{{ config['Node']['hostname'] }}:12380
|
||||
- name: ETCD_INITIAL_CLUSTER_TOKEN
|
||||
value: promenade-kube-etcd-token
|
||||
- name: ETCD_LISTEN_CLIENT_URLS
|
||||
@ -60,8 +60,8 @@ spec:
|
||||
volumeMounts:
|
||||
- name: data-0
|
||||
mountPath: /var/lib/auxiliary-etcd-0
|
||||
- name: pki
|
||||
mountPath: /etc/etcd-pki
|
||||
- name: pki-0
|
||||
mountPath: /etc/kubernetes/auxiliary-etcd-0/pki
|
||||
readOnly: true
|
||||
- name: auxiliary-etcd-1
|
||||
image: quay.io/coreos/etcd:v3.0.17
|
||||
@ -75,21 +75,21 @@ spec:
|
||||
- name: ETCD_DATA_DIR
|
||||
value: /var/lib/auxiliary-etcd-1
|
||||
- name: ETCD_TRUSTED_CA_FILE
|
||||
value: /etc/etcd-pki/cluster-ca.pem
|
||||
value: /etc/kubernetes/auxiliary-etcd-1/pki/client-ca.pem
|
||||
- name: ETCD_CERT_FILE
|
||||
value: /etc/etcd-pki/etcd.pem
|
||||
value: /etc/kubernetes/auxiliary-etcd-1/pki/etcd-client.pem
|
||||
- name: ETCD_KEY_FILE
|
||||
value: /etc/etcd-pki/etcd-key.pem
|
||||
value: /etc/kubernetes/auxiliary-etcd-1/pki/etcd-client-key.pem
|
||||
- name: ETCD_PEER_TRUSTED_CA_FILE
|
||||
value: /etc/etcd-pki/cluster-ca.pem
|
||||
value: /etc/kubernetes/auxiliary-etcd-1/pki/peer-ca.pem
|
||||
- name: ETCD_PEER_CERT_FILE
|
||||
value: /etc/etcd-pki/etcd.pem
|
||||
value: /etc/kubernetes/auxiliary-etcd-1/pki/etcd-peer.pem
|
||||
- name: ETCD_PEER_KEY_FILE
|
||||
value: /etc/etcd-pki/etcd-key.pem
|
||||
value: /etc/kubernetes/auxiliary-etcd-1/pki/etcd-peer-key.pem
|
||||
- name: ETCD_ADVERTISE_CLIENT_URLS
|
||||
value: https://$(ETCD_NAME):22379
|
||||
value: https://{{ config['Node']['hostname'] }}:22379
|
||||
- name: ETCD_INITIAL_ADVERTISE_PEER_URLS
|
||||
value: https://$(ETCD_NAME):22380
|
||||
value: https://{{ config['Node']['hostname'] }}:22380
|
||||
- name: ETCD_INITIAL_CLUSTER_TOKEN
|
||||
value: promenade-kube-etcd-token
|
||||
- name: ETCD_LISTEN_CLIENT_URLS
|
||||
@ -113,8 +113,8 @@ spec:
|
||||
volumeMounts:
|
||||
- name: data-1
|
||||
mountPath: /var/lib/auxiliary-etcd-1
|
||||
- name: pki
|
||||
mountPath: /etc/etcd-pki
|
||||
- name: pki-1
|
||||
mountPath: /etc/kubernetes/auxiliary-etcd-1/pki
|
||||
readOnly: true
|
||||
- name: cluster-monitor
|
||||
image: quay.io/coreos/etcd:v3.0.17
|
||||
@ -137,7 +137,12 @@ spec:
|
||||
etcdctl member remove $(etcdctl member list | grep auxiliary-etcd-1 | cut -d , -f 1)
|
||||
etcdctl member remove $(etcdctl member list | grep auxiliary-etcd-0 | cut -d , -f 1)
|
||||
sleep 60
|
||||
rm -rf /var/lib/auxiliary-etcd-0 /var/lib/auxiliary-etcd-1 /etc/kubernetes/kubelet/manifests/auxiliary-etcd.yaml
|
||||
rm -rf \
|
||||
/var/lib/auxiliary-etcd-0 \
|
||||
/var/lib/auxiliary-etcd-1 \
|
||||
/etc/kubernetes/auxiliary-etcd-0 \
|
||||
/etc/kubernetes/auxiliary-etcd-1 \
|
||||
/etc/kubernetes/kubelet/manifests/auxiliary-etcd.yaml
|
||||
sleep 10000
|
||||
fi
|
||||
done
|
||||
@ -150,16 +155,16 @@ spec:
|
||||
- name: ETCDCTL_API
|
||||
value: "3"
|
||||
- name: ETCDCTL_CACERT
|
||||
value: /etc/etcd-pki/cluster-ca.pem
|
||||
value: /etc/kubernetes/etcd/pki/client-ca.pem
|
||||
- name: ETCDCTL_CERT
|
||||
value: /etc/etcd-pki/etcd.pem
|
||||
value: /etc/kubernetes/etcd/pki/etcd-client.pem
|
||||
- name: ETCDCTL_ENDPOINTS
|
||||
value: https://127.0.0.1:12379
|
||||
value: https://{{ config['Node']['ip'] }}:2379
|
||||
- name: ETCDCTL_KEY
|
||||
value: /etc/etcd-pki/etcd-key.pem
|
||||
value: /etc/kubernetes/etcd/pki/etcd-client-key.pem
|
||||
volumeMounts:
|
||||
- name: pki
|
||||
mountPath: /etc/etcd-pki
|
||||
mountPath: /etc/kubernetes/etcd/pki
|
||||
readOnly: true
|
||||
- name: manifests
|
||||
mountPath: /etc/kubernetes/kubelet/manifests
|
||||
@ -175,6 +180,12 @@ spec:
|
||||
- name: pki
|
||||
hostPath:
|
||||
path: /etc/kubernetes/etcd/pki
|
||||
- name: pki-0
|
||||
hostPath:
|
||||
path: /etc/kubernetes/auxiliary-etcd-0/pki
|
||||
- name: pki-1
|
||||
hostPath:
|
||||
path: /etc/kubernetes/auxiliary-etcd-1/pki
|
||||
- name: manifests
|
||||
hostPath:
|
||||
path: /etc/kubernetes/kubelet/manifests
|
||||
|
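Review bot: The `rm -rf` expanded in the `@ -137,7 +137,12` hunk now lists `/etc/kubernetes/auxiliary-etcd-0` and `/etc/kubernetes/auxiliary-etcd-1`, but the `cluster-monitor` container's visible `volumeMounts` are only `pki` at `/etc/kubernetes/etcd/pki` (read-only) and `manifests`; the `pki-0`/`pki-1` volumes that hold the auxiliary members' client and peer keys are mounted, read-only, into the `auxiliary-etcd-*` containers. Unless further mounts follow past the hunk, those two paths (and likewise `/var/lib/auxiliary-etcd-*`) are deleted from the monitor container's own filesystem only, so the auxiliary members' private keys remain on the host after their etcd membership has been revoked, and `rm -rf` will not signal the shortfall. Either mount the host directories into the monitor container writable for this one purpose, or move the deletion to whatever host-side step removes the manifest, and confirm which of the two happens here. The `command:` script enclosing the hunk starts outside the view.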
@ -0,0 +1 @@
|
||||
{{ config.get(kind='CertificateKey', name='admin')['data'] }}
|
@ -0,0 +1 @@
|
||||
{{ config.get(kind='Certificate', name='admin')['data'] }}
|
@ -0,0 +1 @@
|
||||
{{ config.get(kind='CertificateAuthority', name='cluster')['data'] }}
|
@ -0,0 +1 @@
|
||||
{{ config.get(kind='CertificateKey', name='apiserver')['data'] }}
|
@ -0,0 +1 @@
|
||||
{{ config.get(kind='Certificate', name='apiserver')['data'] }}
|
@ -0,0 +1 @@
|
||||
{{ config.get(kind='CertificateAuthority', name='cluster')['data'] }}
|
@ -0,0 +1 @@
|
||||
{{ config.get(kind='CertificateAuthority', name='etcd-client')['data'] }}
|
@ -0,0 +1 @@
|
||||
{{ config.get(kind='CertificateKey', name='etcd-apiserver-client')['data'] }}
|
@ -0,0 +1 @@
|
||||
{{ config.get(kind='Certificate', name='etcd-apiserver-client')['data'] }}
|
@ -0,0 +1 @@
|
||||
{{ config.get(kind='PublicKey', name='service-account')['data'] }}
|
@ -3,7 +3,7 @@ apiVersion: v1
|
||||
clusters:
|
||||
- cluster:
|
||||
server: https://kubernetes
|
||||
certificate-authority: /etc/kubernetes/pki/cluster-ca.pem
|
||||
certificate-authority: /etc/kubernetes/controller-manager/pki/cluster-ca.pem
|
||||
name: kubernetes
|
||||
contexts:
|
||||
- context:
|
||||
@ -16,5 +16,5 @@ preferences: {}
|
||||
users:
|
||||
- name: controller-manager
|
||||
user:
|
||||
client-certificate: /etc/kubernetes/pki/controller-manager.pem
|
||||
client-key: /etc/kubernetes/pki/controller-manager-key.pem
|
||||
client-certificate: /etc/kubernetes/controller-manager/pki/controller-manager.pem
|
||||
client-key: /etc/kubernetes/controller-manager/pki/controller-manager-key.pem
|
||||
|
@ -0,0 +1 @@
|
||||
{{ config.get(kind='CertificateAuthorityKey', name='cluster')['data'] }}
|
@ -0,0 +1 @@
|
||||
{{ config.get(kind='CertificateAuthority', name='cluster')['data'] }}
|
@ -0,0 +1 @@
|
||||
{{ config.get(kind='CertificateKey', name='controller-manager')['data'] }}
|
@ -0,0 +1 @@
|
||||
{{ config.get(kind='Certificate', name='controller-manager')['data'] }}
|
@ -0,0 +1 @@
|
||||
{{ config.get(kind='PrivateKey', name='service-account')['data'] }}
|
@ -0,0 +1 @@
|
||||
{{ config.get(kind='CertificateAuthority', name='etcd-client')['data'] }}
|
@ -0,0 +1 @@
|
||||
{{ config.get(kind='CertificateKey', name='etcd-client')['data'] }}
|
@ -0,0 +1 @@
|
||||
{{ config.get(kind='Certificate', name='etcd-client')['data'] }}
|
@ -0,0 +1 @@
|
||||
{{ config.get(kind='CertificateKey', name='etcd-peer')['data'] }}
|
@ -0,0 +1 @@
|
||||
{{ config.get(kind='Certificate', name='etcd-peer')['data'] }}
|
@ -0,0 +1 @@
|
||||
{{ config.get(kind='CertificateAuthority', name='etcd-peer')['data'] }}
|
@ -27,12 +27,12 @@ spec:
|
||||
- --secure-port=443
|
||||
- --allow-privileged=true
|
||||
- --etcd-servers=https://kubernetes:2379
|
||||
- --etcd-cafile=/etc/kubernetes/pki/cluster-ca.pem
|
||||
- --etcd-certfile=/etc/kubernetes/pki/apiserver.pem
|
||||
- --etcd-keyfile=/etc/kubernetes/pki/apiserver-key.pem
|
||||
- --etcd-cafile=/etc/kubernetes/pki/etcd-client-ca.pem
|
||||
- --etcd-certfile=/etc/kubernetes/pki/etcd-client.pem
|
||||
- --etcd-keyfile=/etc/kubernetes/pki/etcd-client-key.pem
|
||||
- --service-cluster-ip-range={{ config['Network']['service_ip_cidr'] }}
|
||||
- --kubelet-preferred-address-types=InternalIP,ExternalIP,Hostname
|
||||
- --service-account-key-file=/etc/kubernetes/pki/sa.pem
|
||||
- --service-account-key-file=/etc/kubernetes/pki/service-account.pub
|
||||
- --tls-cert-file=/etc/kubernetes/pki/apiserver.pem
|
||||
- --tls-private-key-file=/etc/kubernetes/pki/apiserver-key.pem
|
||||
- --v=5
|
||||
|
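Review bot: The apiserver flags keep every file under `/etc/kubernetes/pki/` while the rest of this commit moves each component to its own `/etc/kubernetes/<component>/pki` directory; the apiserver's `volumeMounts` and `volumes` are outside the hunk, so if its `config` volume still maps the host's whole `/etc/kubernetes`, the apiserver pod also holds the controller-manager's cluster CA key and the other components' client keys. Aligning on `/etc/kubernetes/apiserver/pki/...` with a hostPath scoped to that directory confines what an apiserver container compromise exposes to the keys it needs, and keeps the layout consistent with the other manifests. Separately, the certificate generated in `_master_config` under alias `etcd-apiserver-client` is referenced here as `etcd-client.pem` / `etcd-client-key.pem`; the template file names are not visible in the rendered view, so confirm they render to those paths.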
@ -20,19 +20,19 @@ spec:
|
||||
- controller-manager
|
||||
- --allocate-node-cidrs=true
|
||||
- --cluster-cidr={{ config['Network']['pod_ip_cidr'] }}
|
||||
- --cluster-signing-cert-file=/etc/kubernetes/pki/cluster-ca.pem
|
||||
- --cluster-signing-key-file=/etc/kubernetes/pki/cluster-ca-key.pem
|
||||
- --cluster-signing-cert-file=/etc/kubernetes/controller-manager/pki/cluster-ca.pem
|
||||
- --cluster-signing-key-file=/etc/kubernetes/controller-manager/pki/cluster-ca-key.pem
|
||||
- --configure-cloud-routes=false
|
||||
- --leader-elect=true
|
||||
- --kubeconfig=/etc/kubernetes/kubeconfig.yaml
|
||||
- --root-ca-file=/etc/kubernetes/pki/cluster-ca.pem
|
||||
- --service-account-private-key-file=/etc/kubernetes/pki/sa-key.pem
|
||||
- --kubeconfig=/etc/kubernetes/controller-manager/kubeconfig.yaml
|
||||
- --root-ca-file=/etc/kubernetes/controller-manager/pki/cluster-ca.pem
|
||||
- --service-account-private-key-file=/etc/kubernetes/controller-manager/pki/service-account.key
|
||||
- --service-cluster-ip-range={{ config['Network']['service_ip_cidr'] }}
|
||||
- --use-service-account-credentials=true
|
||||
- --v=5
|
||||
volumeMounts:
|
||||
- name: config
|
||||
mountPath: /etc/kubernetes
|
||||
mountPath: /etc/kubernetes/controller-manager
|
||||
readOnly: true
|
||||
volumes:
|
||||
- name: config
|
||||
|
@ -24,17 +24,17 @@ spec:
|
||||
- name: ETCD_DATA_DIR
|
||||
value: /var/lib/kube-etcd
|
||||
- name: ETCD_TRUSTED_CA_FILE
|
||||
value: /etc/etcd-pki/cluster-ca.pem
|
||||
value: /etc/kubernetes/etcd/pki/client-ca.pem
|
||||
- name: ETCD_CERT_FILE
|
||||
value: /etc/etcd-pki/etcd.pem
|
||||
value: /etc/kubernetes/etcd/pki/etcd-client.pem
|
||||
- name: ETCD_KEY_FILE
|
||||
value: /etc/etcd-pki/etcd-key.pem
|
||||
value: /etc/kubernetes/etcd/pki/etcd-client-key.pem
|
||||
- name: ETCD_PEER_TRUSTED_CA_FILE
|
||||
value: /etc/etcd-pki/cluster-ca.pem
|
||||
value: /etc/kubernetes/etcd/pki/peer-ca.pem
|
||||
- name: ETCD_PEER_CERT_FILE
|
||||
value: /etc/etcd-pki/etcd.pem
|
||||
value: /etc/kubernetes/etcd/pki/etcd-peer.pem
|
||||
- name: ETCD_PEER_KEY_FILE
|
||||
value: /etc/etcd-pki/etcd-key.pem
|
||||
value: /etc/kubernetes/etcd/pki/etcd-peer-key.pem
|
||||
- name: ETCD_ADVERTISE_CLIENT_URLS
|
||||
value: https://$(ETCD_NAME):2379
|
||||
- name: ETCD_INITIAL_ADVERTISE_PEER_URLS
|
||||
@ -58,7 +58,7 @@ spec:
|
||||
- name: data
|
||||
mountPath: /var/lib/kube-etcd
|
||||
- name: pki
|
||||
mountPath: /etc/etcd-pki
|
||||
mountPath: /etc/kubernetes/etcd/pki
|
||||
volumes:
|
||||
- name: data
|
||||
hostPath:
|
||||
|
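Review bot: The `pki` mount at `mountPath: /etc/kubernetes/etcd/pki` in the second hunk is followed directly by `volumes:` — no `readOnly: true` — while the matching `pki-0`/`pki-1` mounts in the auxiliary-etcd manifest and the `config` mounts in the proxy and controller-manager manifests are read-only, so the etcd process here can overwrite its own trust bundles and private keys. Add `readOnly: true` on the line after the mountPath; the scheduler manifest's `config` mount at `/etc/kubernetes/scheduler` has the same gap. The first hunk only swaps the CA and certificate file variables; whether client certificate verification is enforced (`ETCD_CLIENT_CERT_AUTH` and `ETCD_PEER_CLIENT_CERT_AUTH`) lives in the unchanged part of the `env:` list, and with the etcd line shown in the auxiliary manifest (v3.0.17) I would not assume that `ETCD_TRUSTED_CA_FILE` on its own requires client certificates, so it is worth confirming those two are set now that the client and peer CAs are split.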
@ -18,11 +18,11 @@ spec:
|
||||
- ./hyperkube
|
||||
- scheduler
|
||||
- --leader-elect=true
|
||||
- --kubeconfig=/etc/kubernetes/kubeconfig.yaml
|
||||
- --kubeconfig=/etc/kubernetes/scheduler/kubeconfig.yaml
|
||||
- --v=5
|
||||
volumeMounts:
|
||||
- name: config
|
||||
mountPath: /etc/kubernetes
|
||||
mountPath: /etc/kubernetes/scheduler
|
||||
volumes:
|
||||
- name: config
|
||||
hostPath:
|
||||
|
@ -3,7 +3,7 @@ apiVersion: v1
|
||||
clusters:
|
||||
- cluster:
|
||||
server: https://kubernetes
|
||||
certificate-authority: /etc/kubernetes/pki/cluster-ca.pem
|
||||
certificate-authority: /etc/kubernetes/scheduler/pki/cluster-ca.pem
|
||||
name: kubernetes
|
||||
contexts:
|
||||
- context:
|
||||
@ -16,5 +16,5 @@ preferences: {}
|
||||
users:
|
||||
- name: scheduler
|
||||
user:
|
||||
client-certificate: /etc/kubernetes/pki/scheduler.pem
|
||||
client-key: /etc/kubernetes/pki/scheduler-key.pem
|
||||
client-certificate: /etc/kubernetes/scheduler/pki/scheduler.pem
|
||||
client-key: /etc/kubernetes/scheduler/pki/scheduler-key.pem
|
||||
|
@ -0,0 +1 @@
|
||||
{{ config.get(kind='CertificateAuthority', name='cluster')['data'] }}
|
@ -0,0 +1 @@
|
||||
{{ config.get(kind='CertificateKey', name='scheduler')['data'] }}
|
@ -0,0 +1 @@
|
||||
{{ config.get(kind='Certificate', name='scheduler')['data'] }}
|