Merge "Move all kubernetes files in /etc/kubernetes"
commit
1964ef0f34
@ -40,7 +40,7 @@ if [ -z "$KUBE_NODE_IP" ]; then
|
||||
fi
|
||||
|
||||
myip="${KUBE_NODE_IP}"
|
||||
cert_dir="/srv/kubernetes"
|
||||
cert_dir="/etc/kubernetes/certs"
|
||||
protocol="https"
|
||||
|
||||
if [ "$TLS_DISABLED" = "True" ]; then
|
||||
|
@ -8,6 +8,8 @@ sed -i '
|
||||
/^KUBE_ALLOW_PRIV=/ s/=.*/="--allow-privileged='"$KUBE_ALLOW_PRIV"'"/
|
||||
' /etc/kubernetes/config
|
||||
|
||||
CERT_DIR=/etc/kubernetes/certs
|
||||
|
||||
KUBE_API_ARGS="--runtime-config=api/all=true"
|
||||
if [ "$TLS_DISABLED" == "True" ]; then
|
||||
KUBE_API_ADDRESS="--insecure-bind-address=0.0.0.0 --insecure-port=$KUBE_API_PORT"
|
||||
@ -15,9 +17,9 @@ else
|
||||
KUBE_API_ADDRESS="--bind-address=0.0.0.0 --secure-port=$KUBE_API_PORT"
|
||||
# insecure port is used internaly
|
||||
KUBE_API_ADDRESS="$KUBE_API_ADDRESS --insecure-port=8080"
|
||||
KUBE_API_ARGS="$KUBE_API_ARGS --tls-cert-file=/srv/kubernetes/server.crt"
|
||||
KUBE_API_ARGS="$KUBE_API_ARGS --tls-private-key-file=/srv/kubernetes/server.key"
|
||||
KUBE_API_ARGS="$KUBE_API_ARGS --client-ca-file=/srv/kubernetes/ca.crt"
|
||||
KUBE_API_ARGS="$KUBE_API_ARGS --tls-cert-file=$CERT_DIR/server.crt"
|
||||
KUBE_API_ARGS="$KUBE_API_ARGS --tls-private-key-file=$CERT_DIR/server.key"
|
||||
KUBE_API_ARGS="$KUBE_API_ARGS --client-ca-file=$CERT_DIR/ca.crt"
|
||||
KUBE_API_ARGS="$KUBE_API_ARGS --kubelet-preferred-address-types=InternalIP,Hostname,ExternalIP"
|
||||
fi
|
||||
|
||||
@ -27,7 +29,7 @@ if [ -n "${ADMISSION_CONTROL_LIST}" ] && [ "${TLS_DISABLED}" == "False" ]; then
|
||||
fi
|
||||
|
||||
if [ -n "$TRUST_ID" ]; then
|
||||
KUBE_API_ARGS="$KUBE_API_ARGS --cloud-config=/etc/sysconfig/kube_openstack_config --cloud-provider=openstack"
|
||||
KUBE_API_ARGS="$KUBE_API_ARGS --cloud-config=/etc/kubernetes/kube_openstack_config --cloud-provider=openstack"
|
||||
fi
|
||||
|
||||
sed -i '
|
||||
@ -42,11 +44,11 @@ sed -i '
|
||||
# Add controller manager args
|
||||
KUBE_CONTROLLER_MANAGER_ARGS=""
|
||||
if [ -n "${ADMISSION_CONTROL_LIST}" ] && [ "${TLS_DISABLED}" == "False" ]; then
|
||||
KUBE_CONTROLLER_MANAGER_ARGS="--service-account-private-key-file=/srv/kubernetes/server.key --root-ca-file=/srv/kubernetes/ca.crt"
|
||||
KUBE_CONTROLLER_MANAGER_ARGS="--service-account-private-key-file=$CERT_DIR/server.key --root-ca-file=$CERT_DIR/ca.crt"
|
||||
fi
|
||||
|
||||
if [ -n "$TRUST_ID" ]; then
|
||||
KUBE_CONTROLLER_MANAGER_ARGS="$KUBE_CONTROLLER_MANAGER_ARGS --cloud-config=/etc/sysconfig/kube_openstack_config --cloud-provider=openstack"
|
||||
KUBE_CONTROLLER_MANAGER_ARGS="$KUBE_CONTROLLER_MANAGER_ARGS --cloud-config=/etc/kubernetes/kube_openstack_config --cloud-provider=openstack"
|
||||
fi
|
||||
|
||||
sed -i '
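Review bot: `CERT_DIR=/etc/kubernetes/certs` is a new hard-coded copy of a path that the other scripts on this page also spell out on their own (`cert_dir` in the certificate-generation scripts, `CERT_DIR` in the minion and flannel ones). If one copy drifts, kube-apiserver is handed a `--tls-private-key-file` that does not exist, or keeps reading stale keys left in the old location. A short comment above the assignment, such as `# must match cert_dir used when the certificates are generated`, would make the coupling explicit. Sourcing the value from one shared place would be better still, if the fragments allow it.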
|
||||
|
@ -4,7 +4,7 @@
|
||||
|
||||
echo "configuring kubernetes (minion)"
|
||||
|
||||
CERT_DIR=/srv/kubernetes
|
||||
CERT_DIR=/etc/kubernetes/certs
|
||||
PROTOCOL=https
|
||||
FLANNEL_OPTIONS="-etcd-cafile $CERT_DIR/ca.crt \
|
||||
-etcd-certfile $CERT_DIR/client.crt \
|
||||
@ -31,7 +31,7 @@ EOF
|
||||
if [ "$TLS_DISABLED" = "True" ]; then
|
||||
KUBE_PROTOCOL="http"
|
||||
else
|
||||
KUBE_CONFIG="--kubeconfig=/srv/kubernetes/kubeconfig.yaml"
|
||||
KUBE_CONFIG="--kubeconfig=/etc/kubernetes/kubeconfig.yaml"
|
||||
fi
|
||||
KUBE_MASTER_URI="$KUBE_PROTOCOL://$KUBE_MASTER_IP:$KUBE_API_PORT"
|
||||
|
||||
@ -52,7 +52,7 @@ KUBELET_ARGS="--pod-manifest-path=/etc/kubernetes/manifests --cadvisor-port=4194
|
||||
KUBELET_ARGS="${KUBELET_ARGS} --cluster_dns=${DNS_SERVICE_IP} --cluster_domain=${DNS_CLUSTER_DOMAIN}"
|
||||
|
||||
if [ -n "$TRUST_ID" ]; then
|
||||
KUBELET_ARGS="$KUBELET_ARGS --cloud-provider=openstack --cloud-config=/etc/sysconfig/kube_openstack_config"
|
||||
KUBELET_ARGS="$KUBELET_ARGS --cloud-provider=openstack --cloud-config=/etc/kubernetes/kube_openstack_config"
|
||||
fi
|
||||
|
||||
# Workaround for Cinder support (fixed in k8s >= 1.6)
|
||||
|
@ -62,22 +62,16 @@ $(generate_pod_args " - " $KUBE_LOGTOSTDERR $KUBE_LOG_LEVEL $KUBE_MASTER $KUB
|
||||
- mountPath: /etc/ssl/certs
|
||||
name: ssl-certs-host
|
||||
readOnly: true
|
||||
- mountPath: /srv/kubernetes
|
||||
- mountPath: /etc/kubernetes
|
||||
name: kubernetes-config
|
||||
readOnly: true
|
||||
- mountPath: /etc/sysconfig
|
||||
name: sysconfig
|
||||
readOnly: true
|
||||
volumes:
|
||||
- hostPath:
|
||||
path: /etc/ssl/certs
|
||||
name: ssl-certs-host
|
||||
- hostPath:
|
||||
path: /srv/kubernetes
|
||||
path: /etc/kubernetes
|
||||
name: kubernetes-config
|
||||
- hostPath:
|
||||
path: /etc/sysconfig
|
||||
name: sysconfig
|
||||
EOF
|
||||
}
|
||||
|
||||
@ -114,22 +108,16 @@ $(generate_pod_args " - " $KUBE_LOGTOSTDERR $KUBE_LOG_LEVEL $KUBE_MASTER $KUB
|
||||
- mountPath: /etc/ssl/certs
|
||||
name: ssl-certs-host
|
||||
readOnly: true
|
||||
- mountPath: /srv/kubernetes
|
||||
- mountPath: /etc/kubernetes
|
||||
name: kubernetes-config
|
||||
readOnly: true
|
||||
- mountPath: /etc/sysconfig
|
||||
name: sysconfig
|
||||
readOnly: true
|
||||
volumes:
|
||||
- hostPath:
|
||||
path: /etc/ssl/certs
|
||||
name: ssl-certs-host
|
||||
- hostPath:
|
||||
path: /srv/kubernetes
|
||||
path: /etc/kubernetes
|
||||
name: kubernetes-config
|
||||
- hostPath:
|
||||
path: /etc/sysconfig
|
||||
name: sysconfig
|
||||
EOF
|
||||
}
|
||||
}
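Review bot: Both manifest templates here now mount the whole of `/etc/kubernetes` from the host, which after this commit also holds `certs/` (the `server.key` and client key paths used elsewhere on this page) and `kube_openstack_config`. The mount is read-only, but every container given the `kubernetes-config` volume can read all of that material. If a component needs only its kubeconfig and certificate pair, a narrower mount such as `- mountPath: /etc/kubernetes/certs` plus the single kubeconfig file would keep the cloud config out of reach. The same applies to the `privileged: true` pod template in the `init_templates` hunk further down, which previously saw only `/srv/kubernetes`. Which files each pod actually reads is not visible in these hunks, and the heredocs start outside them, so the narrower mount needs confirming against the full templates.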
|
||||
|
@ -10,7 +10,7 @@ fi
|
||||
|
||||
init_templates () {
|
||||
local KUBE_PROTOCOL="https"
|
||||
local KUBE_CONFIG="/srv/kubernetes/kubeconfig.yaml"
|
||||
local KUBE_CONFIG="/etc/kubernetes/kubeconfig.yaml"
|
||||
if [ "${TLS_DISABLED}" = "True" ]; then
|
||||
KUBE_PROTOCOL="http"
|
||||
KUBE_CONFIG=
|
||||
@ -42,13 +42,13 @@ spec:
|
||||
securityContext:
|
||||
privileged: true
|
||||
volumeMounts:
|
||||
- mountPath: /srv/kubernetes
|
||||
name: "srv-kube"
|
||||
- mountPath: /etc/kubernetes
|
||||
name: kubernetes-config
|
||||
readOnly: true
|
||||
volumes:
|
||||
- hostPath:
|
||||
path: "/srv/kubernetes"
|
||||
name: "srv-kube"
|
||||
path: /etc/kubernetes
|
||||
name: kubernetes-config
|
||||
EOF
|
||||
}
|
||||
}
|
||||
|
@ -24,11 +24,9 @@ if [ "$TLS_DISABLED" == "True" ]; then
|
||||
exit 0
|
||||
fi
|
||||
|
||||
cert_dir=/srv/kubernetes
|
||||
cert_conf_dir=${cert_dir}/conf
|
||||
cert_dir=/etc/kubernetes/certs
|
||||
|
||||
mkdir -p "$cert_dir"
|
||||
mkdir -p "$cert_conf_dir"
|
||||
|
||||
CA_CERT=$cert_dir/ca.crt
|
||||
CLIENT_CERT=$cert_dir/client.crt
|
||||
@ -67,7 +65,7 @@ curl -k -X GET \
|
||||
$MAGNUM_URL/certificates/$CLUSTER_UUID | python -c 'import sys, json; print json.load(sys.stdin)["pem"]' > $CA_CERT
|
||||
|
||||
# Create config for client's csr
|
||||
cat > ${cert_conf_dir}/client.conf <<EOF
|
||||
cat > ${cert_dir}/client.conf <<EOF
|
||||
[req]
|
||||
distinguished_name = req_distinguished_name
|
||||
req_extensions = req_ext
|
||||
@ -91,7 +89,7 @@ openssl req -new -days 1000 \
|
||||
-key "${CLIENT_KEY}" \
|
||||
-out "${CLIENT_CSR}" \
|
||||
-reqexts req_ext \
|
||||
-config "${cert_conf_dir}/client.conf"
|
||||
-config "${cert_dir}/client.conf"
|
||||
|
||||
# Send csr to Magnum to have it signed
|
||||
csr_req=$(python -c "import json; fp = open('${CLIENT_CSR}'); print json.dumps({'cluster_uuid': '$CLUSTER_UUID', 'csr': fp.read()}); fp.close()")
|
||||
@ -115,4 +113,4 @@ sed -i '
|
||||
s|CA_CERT|'"$CA_CERT"'|
|
||||
s|CLIENT_CERT|'"$CLIENT_CERT"'|
|
||||
s|CLIENT_KEY|'"$CLIENT_KEY"'|
|
||||
' /srv/kubernetes/kubeconfig.yaml
|
||||
' /etc/kubernetes/kubeconfig.yaml
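Review bot: `mkdir -p "$cert_dir"` now creates `/etc/kubernetes/certs` with whatever umask the script inherits, and nothing in these hunks sets a mode or owner on the directory that will hold `$CLIENT_KEY`. Because `/etc/kubernetes` is also host-mounted into pods elsewhere in this commit, an explicit mode is worth adding right after the mkdir, for example `chmod 0750 "$cert_dir"`, with the group matching the account the kube services run as (not visible here). With `cert_conf_dir` gone, `client.conf` now sits beside the key material, and quoting the redirect target as `cat > "${cert_dir}/client.conf" <<EOF` would match the already quoted `-config` argument. The server-certificate script's hunks that follow (`cert_dir=/etc/kubernetes/certs`, `server.conf`) have the same shape.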
|
||||
|
@ -57,11 +57,8 @@ sans="${sans},IP:${KUBE_SERVICE_IP}"
|
||||
|
||||
sans="${sans},DNS:kubernetes,DNS:kubernetes.default,DNS:kubernetes.default.svc,DNS:kubernetes.default.svc.cluster.local"
|
||||
|
||||
cert_dir=/srv/kubernetes
|
||||
cert_conf_dir=${cert_dir}/conf
|
||||
|
||||
cert_dir=/etc/kubernetes/certs
|
||||
mkdir -p "$cert_dir"
|
||||
mkdir -p "$cert_conf_dir"
|
||||
|
||||
CA_CERT=$cert_dir/ca.crt
|
||||
SERVER_CERT=$cert_dir/server.crt
|
||||
@ -100,7 +97,7 @@ curl -k -X GET \
|
||||
$MAGNUM_URL/certificates/$CLUSTER_UUID | python -c 'import sys, json; print json.load(sys.stdin)["pem"]' > ${CA_CERT}
|
||||
|
||||
# Create config for server's csr
|
||||
cat > ${cert_conf_dir}/server.conf <<EOF
|
||||
cat > ${cert_dir}/server.conf <<EOF
|
||||
[req]
|
||||
distinguished_name = req_distinguished_name
|
||||
req_extensions = req_ext
|
||||
@ -119,7 +116,7 @@ openssl req -new -days 1000 \
|
||||
-key "${SERVER_KEY}" \
|
||||
-out "${SERVER_CSR}" \
|
||||
-reqexts req_ext \
|
||||
-config "${cert_conf_dir}/server.conf"
|
||||
-config "${cert_dir}/server.conf"
|
||||
|
||||
# Send csr to Magnum to have it signed
|
||||
csr_req=$(python -c "import json; fp = open('${SERVER_CSR}'); print json.dumps({'cluster_uuid': '$CLUSTER_UUID', 'csr': fp.read()}); fp.close()")
|
||||
|
@ -5,7 +5,7 @@
|
||||
if [ "$NETWORK_DRIVER" != "flannel" ]; then
|
||||
exit 0
|
||||
fi
|
||||
CERT_DIR=/srv/kubernetes
|
||||
CERT_DIR=/etc/kubernetes/certs
|
||||
PROTOCOL=https
|
||||
FLANNEL_OPTIONS="-etcd-cafile $CERT_DIR/ca.crt \
|
||||
-etcd-certfile $CERT_DIR/server.crt \
|
||||
|
@ -2,7 +2,7 @@
|
||||
|
||||
. /etc/sysconfig/heat-params
|
||||
|
||||
KUBE_OS_CLOUD_CONFIG=/etc/sysconfig/kube_openstack_config
|
||||
KUBE_OS_CLOUD_CONFIG=/etc/kubernetes/kube_openstack_config
|
||||
|
||||
# Generate a the configuration for Kubernetes services
|
||||
# to talk to OpenStack Neutron
|
||||
|
@ -1,7 +1,7 @@
|
||||
#cloud-config
|
||||
merge_how: dict(recurse_array)+list(append)
|
||||
write_files:
|
||||
- path: /srv/kubernetes/kubeconfig.yaml
|
||||
- path: /etc/kubernetes/kubeconfig.yaml
|
||||
owner: "root:root"
|
||||
permissions: "0644"
|
||||
content: |
|
||||
|