Merge "Improve consistency for SSL PATH accross template"

Jenkins 2017-02-10 00:20:33 +00:00 committed by Gerrit Code Review
commit 1c5569f735
14 changed files with 45 additions and 53 deletions


@ -25,7 +25,6 @@ write_files:
DROP_IN_FILE=/etc/systemd/system/etcd2.service.d/20-configure-etcd.conf DROP_IN_FILE=/etc/systemd/system/etcd2.service.d/20-configure-etcd.conf
mkdir -p $(dirname $DROP_IN_FILE) mkdir -p $(dirname $DROP_IN_FILE)
cert_dir="/etc/kubernetes/ssl"
protocol="https" protocol="https"
if [ "$TLS_DISABLED" = "True" ]; then if [ "$TLS_DISABLED" = "True" ]; then
@ -46,12 +45,12 @@ write_files:
if [ "$TLS_DISABLED" = "False" ]; then if [ "$TLS_DISABLED" = "False" ]; then
cat >> $DROP_IN_FILE <<EOF cat >> $DROP_IN_FILE <<EOF
Environment=ETCD_CA_FILE=$cert_dir/ca.pem Environment=ETCD_CA_FILE=${KUBE_CERTS_PATH}/ca.pem
Environment=ETCD_CERT_FILE=$cert_dir/apiserver.pem Environment=ETCD_CERT_FILE=${KUBE_CERTS_PATH}/apiserver.pem
Environment=ETCD_KEY_FILE=$cert_dir/apiserver-key.pem Environment=ETCD_KEY_FILE=${KUBE_CERTS_PATH}/apiserver-key.pem
Environment=ETCD_PEER_CA_FILE=$cert_dir/ca.pem Environment=ETCD_PEER_CA_FILE=${KUBE_CERTS_PATH}/ca.pem
Environment=ETCD_PEER_CERT_FILE=$cert_dir/apiserver.pem Environment=ETCD_PEER_CERT_FILE=${KUBE_CERTS_PATH}/apiserver.pem
Environment=ETCD_PEER_KEY_FILE=$cert_dir/apiserver-key.pem Environment=ETCD_PEER_KEY_FILE=${KUBE_CERTS_PATH}/apiserver-key.pem
EOF EOF
fi fi
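Review bot: The TLS file paths in the drop-in heredoc are now built from `${KUBE_CERTS_PATH}` with the local `cert_dir` default gone, yet nothing in the hunk checks that the variable is set, so an empty value silently writes `Environment=ETCD_CA_FILE=/ca.pem` and the other paths rooted at `/`. Adding a POSIX guard before the heredoc, `: "${KUBE_CERTS_PATH:?KUBE_CERTS_PATH is not set}"`, turns that into an immediate failure with a clear message. The same dependency is introduced in every other fragment of this commit that consumes `${KUBE_CERTS_PATH}` or `${HOST_CERTS_PATH}` without defining it, and it matters most in the two make-cert fragments, where an empty value would place the generated private keys and CSRs directly under `/`. Presumably the value arrives through the written heat-params file, but that sourcing is outside the hunk, as is the rest of the script.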


@ -23,9 +23,6 @@ write_files:
myip=$(curl -s http://169.254.169.254/latest/meta-data/local-ipv4) myip=$(curl -s http://169.254.169.254/latest/meta-data/local-ipv4)
KUBE_CERTS_PATH=/etc/kubernetes/ssl
HOST_CERTS_PATH=/usr/share/ca-certificates
TLS_CERT_FILE=${KUBE_CERTS_PATH}/apiserver.pem TLS_CERT_FILE=${KUBE_CERTS_PATH}/apiserver.pem
TLS_PRIVATE_KEY_FILE=${KUBE_CERTS_PATH}/apiserver-key.pem TLS_PRIVATE_KEY_FILE=${KUBE_CERTS_PATH}/apiserver-key.pem
CLIENT_CA_FILE=${KUBE_CERTS_PATH}/ca.pem CLIENT_CA_FILE=${KUBE_CERTS_PATH}/ca.pem
@ -75,7 +72,7 @@ write_files:
hostPort: 8080 hostPort: 8080
name: local name: local
volumeMounts: volumeMounts:
- mountPath: /etc/kubernetes/ssl - mountPath: ${KUBE_CERTS_PATH}
name: ssl-certs-kubernetes name: ssl-certs-kubernetes
readOnly: true readOnly: true
- mountPath: /etc/ssl/certs - mountPath: /etc/ssl/certs


@ -21,8 +21,6 @@ write_files:
content: | content: |
#!/bin/sh #!/bin/sh
KUBE_CERTS_PATH=/etc/kubernetes/ssl
HOST_CERTS_PATH=/usr/share/ca-certificates
SYSCONFIG_PATH=/etc/sysconfig SYSCONFIG_PATH=/etc/sysconfig
SERVICE_ACCOUNT_PRIVATE_KEY_FILE=${KUBE_CERTS_PATH}/apiserver-key.pem SERVICE_ACCOUNT_PRIVATE_KEY_FILE=${KUBE_CERTS_PATH}/apiserver-key.pem


@ -23,8 +23,6 @@ write_files:
myip=$(curl -s http://169.254.169.254/latest/meta-data/local-ipv4) myip=$(curl -s http://169.254.169.254/latest/meta-data/local-ipv4)
HOST_CERTS_PATH=/usr/share/ca-certificates
TEMPLATE=/etc/kubernetes/manifests/kube-proxy.yaml TEMPLATE=/etc/kubernetes/manifests/kube-proxy.yaml
mkdir -p $(dirname ${TEMPLATE}) mkdir -p $(dirname ${TEMPLATE})
cat > ${TEMPLATE} <<EOF cat > ${TEMPLATE} <<EOF


@ -23,7 +23,6 @@ write_files:
myip=$(curl -s http://169.254.169.254/latest/meta-data/local-ipv4) myip=$(curl -s http://169.254.169.254/latest/meta-data/local-ipv4)
KUBE_CERTS_PATH=/etc/kubernetes/ssl
KUBE_CONFIG_PATH=/etc/kubernetes/config KUBE_CONFIG_PATH=/etc/kubernetes/config
KUBE_PROTOCOL="https" KUBE_PROTOCOL="https"
KUBE_CONFIG="${KUBE_CONFIG_PATH}/worker-kubeconfig.yaml" KUBE_CONFIG="${KUBE_CONFIG_PATH}/worker-kubeconfig.yaml"
@ -56,17 +55,17 @@ write_files:
securityContext: securityContext:
privileged: true privileged: true
volumeMounts: volumeMounts:
- mountPath: /etc/kubernetes/config - mountPath: ${KUBE_CONFIG_PATH}
name: "kubeconfig" name: kubeconfig
readOnly: true readOnly: true
- mountPath: /etc/kubernetes/ssl - mountPath: ${KUBE_CERTS_PATH}
name: "etc-kube-ssl" name: ssl-certs-kubernetes
readOnly: true readOnly: true
volumes: volumes:
- name: "kubeconfig" - name: kubeconfig
hostPath: hostPath:
path: ${KUBE_CONFIG_PATH} path: ${KUBE_CONFIG_PATH}
- name: "etc-kube-ssl" - name: ssl-certs-kubernetes
hostPath: hostPath:
path: ${KUBE_CERTS_PATH} path: ${KUBE_CERTS_PATH}
EOF EOF


@ -23,7 +23,6 @@ write_files:
myip=$(curl -s http://169.254.169.254/latest/meta-data/local-ipv4) myip=$(curl -s http://169.254.169.254/latest/meta-data/local-ipv4)
KUBE_CERTS_PATH=/etc/kubernetes/ssl
TLS_CERT_FILE=${KUBE_CERTS_PATH}/worker.pem TLS_CERT_FILE=${KUBE_CERTS_PATH}/worker.pem
TLS_PRIVATE_KEY_FILE=${KUBE_CERTS_PATH}/worker-key.pem TLS_PRIVATE_KEY_FILE=${KUBE_CERTS_PATH}/worker-key.pem
KUBE_PROTOCOL="https" KUBE_PROTOCOL="https"


@ -28,7 +28,6 @@ write_files:
myip=$(curl -s http://169.254.169.254/latest/meta-data/local-ipv4) myip=$(curl -s http://169.254.169.254/latest/meta-data/local-ipv4)
ETCD_SERVER_IP=${ETCD_SERVER_IP:-127.0.0.1} ETCD_SERVER_IP=${ETCD_SERVER_IP:-127.0.0.1}
CERT_DIR=/etc/kubernetes/ssl
PROTOCOL=https PROTOCOL=https
if [ "$TLS_DISABLED" = "True" ]; then if [ "$TLS_DISABLED" = "True" ]; then
@ -44,9 +43,9 @@ write_files:
if [ "$TLS_DISABLED" = "False" ]; then if [ "$TLS_DISABLED" = "False" ]; then
cat >> $ENV_FILE <<EOF cat >> $ENV_FILE <<EOF
FLANNELD_ETCD_CAFILE=$CERT_DIR/ca.pem FLANNELD_ETCD_CAFILE=${KUBE_CERTS_PATH}/ca.pem
FLANNELD_ETCD_CERTFILE=$CERT_DIR/worker.pem FLANNELD_ETCD_CERTFILE=${KUBE_CERTS_PATH}/worker.pem
FLANNELD_ETCD_KEYFILE=$CERT_DIR/worker-key.pem FLANNELD_ETCD_KEYFILE=${KUBE_CERTS_PATH}/worker-key.pem
EOF EOF
fi fi
@ -54,7 +53,7 @@ write_files:
mkdir -p $(dirname $DROP_IN_FILE) mkdir -p $(dirname $DROP_IN_FILE)
cat > $DROP_IN_FILE <<EOF cat > $DROP_IN_FILE <<EOF
[Service] [Service]
Environment="ETCD_SSL_DIR=$CERT_DIR" Environment=ETCD_SSL_DIR=${KUBE_CERTS_PATH}
ExecStartPre=/usr/bin/ln -sf /etc/flannel/options.env /run/flannel/options.env ExecStartPre=/usr/bin/ln -sf /etc/flannel/options.env /run/flannel/options.env
EOF EOF
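Review bot: The rewritten `Environment=ETCD_SSL_DIR=${KUBE_CERTS_PATH}` drops the double quotes the old line carried; systemd splits `Environment=` values on whitespace, so the line is only safe while the injected path contains no spaces, which is no longer a literal guarantee now that the path is a template value. Keeping the quoting costs nothing: `Environment="ETCD_SSL_DIR=${KUBE_CERTS_PATH}"`. The identical line is rewritten in the next file section's last hunk. The enclosing script starts outside the hunk.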


@ -28,7 +28,6 @@ write_files:
myip=$(curl -s http://169.254.169.254/latest/meta-data/local-ipv4) myip=$(curl -s http://169.254.169.254/latest/meta-data/local-ipv4)
ETCD_SERVER_IP=${ETCD_SERVER_IP:-127.0.0.1} ETCD_SERVER_IP=${ETCD_SERVER_IP:-127.0.0.1}
CERT_DIR=/etc/kubernetes/ssl
PROTOCOL=https PROTOCOL=https
if [ "$TLS_DISABLED" = "True" ]; then if [ "$TLS_DISABLED" = "True" ]; then
@ -44,9 +43,9 @@ write_files:
if [ "$TLS_DISABLED" = "False" ]; then if [ "$TLS_DISABLED" = "False" ]; then
cat >> $ENV_FILE <<EOF cat >> $ENV_FILE <<EOF
FLANNELD_ETCD_CAFILE=$CERT_DIR/ca.pem FLANNELD_ETCD_CAFILE=${KUBE_CERTS_PATH}/ca.pem
FLANNELD_ETCD_CERTFILE=$CERT_DIR/apiserver.pem FLANNELD_ETCD_CERTFILE=${KUBE_CERTS_PATH}/apiserver.pem
FLANNELD_ETCD_KEYFILE=$CERT_DIR/apiserver-key.pem FLANNELD_ETCD_KEYFILE=${KUBE_CERTS_PATH}/apiserver-key.pem
EOF EOF
fi fi
@ -54,7 +53,7 @@ write_files:
mkdir -p $(dirname $DROP_IN_FILE) mkdir -p $(dirname $DROP_IN_FILE)
cat > $DROP_IN_FILE <<EOF cat > $DROP_IN_FILE <<EOF
[Service] [Service]
Environment="ETCD_SSL_DIR=$CERT_DIR" Environment=ETCD_SSL_DIR=${KUBE_CERTS_PATH}
ExecStartPre=/usr/bin/ln -sf /etc/flannel/options.env /run/flannel/options.env ExecStartPre=/usr/bin/ln -sf /etc/flannel/options.env /run/flannel/options.env
EOF EOF


@ -42,16 +42,14 @@ write_files:
exit 0 exit 0
fi fi
cert_dir=/etc/kubernetes/ssl cert_conf_dir=${KUBE_CERTS_PATH}/conf
cert_conf_dir=${cert_dir}/conf
mkdir -p "$cert_dir" mkdir -p ${cert_conf_dir}
mkdir -p "$cert_conf_dir"
CA_CERT=$cert_dir/ca.pem CA_CERT=${KUBE_CERTS_PATH}/ca.pem
CLIENT_CERT=$cert_dir/worker.pem CLIENT_CERT=${KUBE_CERTS_PATH}/worker.pem
CLIENT_CSR=$cert_dir/worker.csr CLIENT_CSR=${KUBE_CERTS_PATH}/worker.csr
CLIENT_KEY=$cert_dir/worker-key.pem CLIENT_KEY=${KUBE_CERTS_PATH}/worker-key.pem
#Get a token by user credentials and trust #Get a token by user credentials and trust
cat > auth.json << EOF cat > auth.json << EOF
@ -129,5 +127,5 @@ write_files:
$MAGNUM_URL/certificates) $MAGNUM_URL/certificates)
parse_json_response "${client_cert_json}" > ${CLIENT_CERT} parse_json_response "${client_cert_json}" > ${CLIENT_CERT}
chmod 600 ${cert_dir}/*-key.pem chmod 600 ${KUBE_CERTS_PATH}/*-key.pem
chown root:root ${cert_dir}/*-key.pem chown root:root ${KUBE_CERTS_PATH}/*-key.pem
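Review bot: `mkdir -p ${cert_conf_dir}` loses the double quotes that both replaced lines had around their arguments; collapsing the two mkdirs into one is fine because `-p` creates the parent, but the expansion should stay quoted like the old code, `mkdir -p "${cert_conf_dir}"`. The same rewritten line appears in the next file section (the server-side make-cert fragment). Both scripts continue outside the shown hunks.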


@ -65,16 +65,14 @@ write_files:
fi fi
sans="${sans},IP:127.0.0.1" sans="${sans},IP:127.0.0.1"
cert_dir=/etc/kubernetes/ssl cert_conf_dir=${KUBE_CERTS_PATH}/conf
cert_conf_dir=${cert_dir}/conf
mkdir -p "$cert_dir" mkdir -p ${cert_conf_dir}
mkdir -p "$cert_conf_dir"
CA_CERT=$cert_dir/ca.pem CA_CERT=${KUBE_CERTS_PATH}/ca.pem
SERVER_CERT=$cert_dir/apiserver.pem SERVER_CERT=${KUBE_CERTS_PATH}/apiserver.pem
SERVER_CSR=$cert_dir/apiserver.pem SERVER_CSR=${KUBE_CERTS_PATH}/apiserver.pem
SERVER_KEY=$cert_dir/apiserver-key.pem SERVER_KEY=${KUBE_CERTS_PATH}/apiserver-key.pem
#Get a token by user credentials and trust #Get a token by user credentials and trust
cat > auth.json << EOF cat > auth.json << EOF
@ -148,6 +146,6 @@ write_files:
$MAGNUM_URL/certificates) $MAGNUM_URL/certificates)
parse_json_response "${server_cert_json}" > ${SERVER_CERT} parse_json_response "${server_cert_json}" > ${SERVER_CERT}
chmod 600 ${cert_dir}/*-key.pem chmod 600 ${KUBE_CERTS_PATH}/*-key.pem
# Certs will also be used by etcd service # Certs will also be used by etcd service
chown -R etcd:etcd ${cert_dir} chown -R etcd:etcd ${KUBE_CERTS_PATH}
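Review bot: The rewritten `SERVER_CSR=${KUBE_CERTS_PATH}/apiserver.pem` leaves the CSR at the same path as `SERVER_CERT` on the line above, while the client fragment in this commit uses a distinct `worker.csr`; whatever is written to the CSR path is later overwritten by `parse_json_response "${server_cert_json}" > ${SERVER_CERT}`. This predates the commit, but since the line is being touched, `SERVER_CSR=${KUBE_CERTS_PATH}/apiserver.csr` would make it consistent with the client side. Where SERVER_CSR is used lies outside the hunk, so whether the collision is currently observable cannot be confirmed from here.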


@ -39,3 +39,5 @@ write_files:
INSECURE_REGISTRY_URL="$INSECURE_REGISTRY_URL" INSECURE_REGISTRY_URL="$INSECURE_REGISTRY_URL"
SYSTEM_PODS_INITIAL_DELAY="$SYSTEM_PODS_INITIAL_DELAY" SYSTEM_PODS_INITIAL_DELAY="$SYSTEM_PODS_INITIAL_DELAY"
SYSTEM_PODS_TIMEOUT="$SYSTEM_PODS_TIMEOUT" SYSTEM_PODS_TIMEOUT="$SYSTEM_PODS_TIMEOUT"
KUBE_CERTS_PATH="$KUBE_CERTS_PATH"
HOST_CERTS_PATH="$HOST_CERTS_PATH"


@ -40,3 +40,5 @@ write_files:
TRUSTEE_DOMAIN_ID="$TRUSTEE_DOMAIN_ID" TRUSTEE_DOMAIN_ID="$TRUSTEE_DOMAIN_ID"
TRUST_ID="$TRUST_ID" TRUST_ID="$TRUST_ID"
INSECURE_REGISTRY_URL="$INSECURE_REGISTRY_URL" INSECURE_REGISTRY_URL="$INSECURE_REGISTRY_URL"
KUBE_CERTS_PATH="$KUBE_CERTS_PATH"
HOST_CERTS_PATH="$HOST_CERTS_PATH"


@ -232,6 +232,8 @@ resources:
"$TRUSTEE_PASSWORD": {get_param: trustee_password} "$TRUSTEE_PASSWORD": {get_param: trustee_password}
"$TRUST_ID": {get_param: trust_id} "$TRUST_ID": {get_param: trust_id}
"$AUTH_URL": {get_param: auth_url} "$AUTH_URL": {get_param: auth_url}
"$KUBE_CERTS_PATH": "/etc/kubernetes/ssl"
"$HOST_CERTS_PATH": "/usr/share/ca-certificates"
configure_etcd: configure_etcd:
type: OS::Heat::SoftwareConfig type: OS::Heat::SoftwareConfig


@ -164,6 +164,8 @@ resources:
"$TRUSTEE_PASSWORD": {get_param: trustee_password} "$TRUSTEE_PASSWORD": {get_param: trustee_password}
"$TRUST_ID": {get_param: trust_id} "$TRUST_ID": {get_param: trust_id}
"$AUTH_URL": {get_param: auth_url} "$AUTH_URL": {get_param: auth_url}
"$KUBE_CERTS_PATH": "/etc/kubernetes/ssl"
"$HOST_CERTS_PATH": "/usr/share/ca-certificates"
write_kubeconfig: write_kubeconfig:
type: OS::Heat::SoftwareConfig type: OS::Heat::SoftwareConfig