Move all kubernetes files in /etc/kubernetes

Kubernetes uses certificates, kubeconfig and the kubernetes openstack
cloud provider configuration from /srv/kubernetes and /etc/sysconfig.

The upstream kubernetes system containers used with atomic hosts
mounts /etc/kubernetes, we can unify the location of all kubernetes
configuration and also be able to use the upstream containers
unmodified.

Implements: blueprint run-kube-as-container

Change-Id: I9b2da390745836d9a66b7c8fc995a35cb74993e9
changes/08/484308/8
Mathieu Velten 5 years ago
parent d1a41f74f3
commit 4a39ad699b
  1. 2
      magnum/drivers/common/templates/kubernetes/fragments/configure-etcd.sh
  2. 14
      magnum/drivers/common/templates/kubernetes/fragments/configure-kubernetes-master.sh
  3. 6
      magnum/drivers/common/templates/kubernetes/fragments/configure-kubernetes-minion.sh
  4. 20
      magnum/drivers/common/templates/kubernetes/fragments/enable-kube-controller-manager-scheduler.sh
  5. 10
      magnum/drivers/common/templates/kubernetes/fragments/enable-kube-proxy-minion.sh
  6. 10
      magnum/drivers/common/templates/kubernetes/fragments/make-cert-client.sh
  7. 9
      magnum/drivers/common/templates/kubernetes/fragments/make-cert.sh
  8. 2
      magnum/drivers/common/templates/kubernetes/fragments/network-config-service.sh
  9. 2
      magnum/drivers/common/templates/kubernetes/fragments/write-kube-os-config.sh
  10. 2
      magnum/drivers/common/templates/kubernetes/fragments/write-kubeconfig.yaml

@ -40,7 +40,7 @@ if [ -z "$KUBE_NODE_IP" ]; then
fi
myip="${KUBE_NODE_IP}"
cert_dir="/srv/kubernetes"
cert_dir="/etc/kubernetes/certs"
protocol="https"
if [ "$TLS_DISABLED" = "True" ]; then

@ -8,6 +8,8 @@ sed -i '
/^KUBE_ALLOW_PRIV=/ s/=.*/="--allow-privileged='"$KUBE_ALLOW_PRIV"'"/
' /etc/kubernetes/config
CERT_DIR=/etc/kubernetes/certs
KUBE_API_ARGS="--runtime-config=api/all=true"
if [ "$TLS_DISABLED" == "True" ]; then
KUBE_API_ADDRESS="--insecure-bind-address=0.0.0.0 --insecure-port=$KUBE_API_PORT"
@ -15,9 +17,9 @@ else
KUBE_API_ADDRESS="--bind-address=0.0.0.0 --secure-port=$KUBE_API_PORT"
# insecure port is used internaly
KUBE_API_ADDRESS="$KUBE_API_ADDRESS --insecure-port=8080"
KUBE_API_ARGS="$KUBE_API_ARGS --tls-cert-file=/srv/kubernetes/server.crt"
KUBE_API_ARGS="$KUBE_API_ARGS --tls-private-key-file=/srv/kubernetes/server.key"
KUBE_API_ARGS="$KUBE_API_ARGS --client-ca-file=/srv/kubernetes/ca.crt"
KUBE_API_ARGS="$KUBE_API_ARGS --tls-cert-file=$CERT_DIR/server.crt"
KUBE_API_ARGS="$KUBE_API_ARGS --tls-private-key-file=$CERT_DIR/server.key"
KUBE_API_ARGS="$KUBE_API_ARGS --client-ca-file=$CERT_DIR/ca.crt"
KUBE_API_ARGS="$KUBE_API_ARGS --kubelet-preferred-address-types=InternalIP,Hostname,ExternalIP"
fi
@ -27,7 +29,7 @@ if [ -n "${ADMISSION_CONTROL_LIST}" ] && [ "${TLS_DISABLED}" == "False" ]; then
fi
if [ -n "$TRUST_ID" ]; then
KUBE_API_ARGS="$KUBE_API_ARGS --cloud-config=/etc/sysconfig/kube_openstack_config --cloud-provider=openstack"
KUBE_API_ARGS="$KUBE_API_ARGS --cloud-config=/etc/kubernetes/kube_openstack_config --cloud-provider=openstack"
fi
sed -i '
@ -42,11 +44,11 @@ sed -i '
# Add controller manager args
KUBE_CONTROLLER_MANAGER_ARGS=""
if [ -n "${ADMISSION_CONTROL_LIST}" ] && [ "${TLS_DISABLED}" == "False" ]; then
KUBE_CONTROLLER_MANAGER_ARGS="--service-account-private-key-file=/srv/kubernetes/server.key --root-ca-file=/srv/kubernetes/ca.crt"
KUBE_CONTROLLER_MANAGER_ARGS="--service-account-private-key-file=$CERT_DIR/server.key --root-ca-file=$CERT_DIR/ca.crt"
fi
if [ -n "$TRUST_ID" ]; then
KUBE_CONTROLLER_MANAGER_ARGS="$KUBE_CONTROLLER_MANAGER_ARGS --cloud-config=/etc/sysconfig/kube_openstack_config --cloud-provider=openstack"
KUBE_CONTROLLER_MANAGER_ARGS="$KUBE_CONTROLLER_MANAGER_ARGS --cloud-config=/etc/kubernetes/kube_openstack_config --cloud-provider=openstack"
fi
sed -i '
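Review bot: The relocated cloud-config path `/etc/kubernetes/kube_openstack_config` is written as a bare literal in both `--cloud-config=` arguments of this file (the TRUST_ID branches for the apiserver and the controller manager) and once more in configure-kubernetes-minion.sh's KUBELET_ARGS, while the same commit gives the certificate paths a `CERT_DIR` variable and write-kube-os-config.sh already names the file through `KUBE_OS_CLOUD_CONFIG`. Define `KUBE_OS_CLOUD_CONFIG=/etc/kubernetes/kube_openstack_config` next to `CERT_DIR` and use `--cloud-config=$KUBE_OS_CLOUD_CONFIG` in both branches, so the next relocation is a single edit per script. These hunks sit in a flat script between `sed -i` blocks whose bodies continue outside the hunks.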

@ -4,7 +4,7 @@
echo "configuring kubernetes (minion)"
CERT_DIR=/srv/kubernetes
CERT_DIR=/etc/kubernetes/certs
PROTOCOL=https
FLANNEL_OPTIONS="-etcd-cafile $CERT_DIR/ca.crt \
-etcd-certfile $CERT_DIR/client.crt \
@ -31,7 +31,7 @@ EOF
if [ "$TLS_DISABLED" = "True" ]; then
KUBE_PROTOCOL="http"
else
KUBE_CONFIG="--kubeconfig=/srv/kubernetes/kubeconfig.yaml"
KUBE_CONFIG="--kubeconfig=/etc/kubernetes/kubeconfig.yaml"
fi
KUBE_MASTER_URI="$KUBE_PROTOCOL://$KUBE_MASTER_IP:$KUBE_API_PORT"
@ -52,7 +52,7 @@ KUBELET_ARGS="--pod-manifest-path=/etc/kubernetes/manifests --cadvisor-port=4194
KUBELET_ARGS="${KUBELET_ARGS} --cluster_dns=${DNS_SERVICE_IP} --cluster_domain=${DNS_CLUSTER_DOMAIN}"
if [ -n "$TRUST_ID" ]; then
KUBELET_ARGS="$KUBELET_ARGS --cloud-provider=openstack --cloud-config=/etc/sysconfig/kube_openstack_config"
KUBELET_ARGS="$KUBELET_ARGS --cloud-provider=openstack --cloud-config=/etc/kubernetes/kube_openstack_config"
fi
# Workaround for Cinder support (fixed in k8s >= 1.6)

@ -62,22 +62,16 @@ $(generate_pod_args " - " $KUBE_LOGTOSTDERR $KUBE_LOG_LEVEL $KUBE_MASTER $KUB
- mountPath: /etc/ssl/certs
name: ssl-certs-host
readOnly: true
- mountPath: /srv/kubernetes
- mountPath: /etc/kubernetes
name: kubernetes-config
readOnly: true
- mountPath: /etc/sysconfig
name: sysconfig
readOnly: true
volumes:
- hostPath:
path: /etc/ssl/certs
name: ssl-certs-host
- hostPath:
path: /srv/kubernetes
path: /etc/kubernetes
name: kubernetes-config
- hostPath:
path: /etc/sysconfig
name: sysconfig
EOF
}
@ -114,22 +108,16 @@ $(generate_pod_args " - " $KUBE_LOGTOSTDERR $KUBE_LOG_LEVEL $KUBE_MASTER $KUB
- mountPath: /etc/ssl/certs
name: ssl-certs-host
readOnly: true
- mountPath: /srv/kubernetes
- mountPath: /etc/kubernetes
name: kubernetes-config
readOnly: true
- mountPath: /etc/sysconfig
name: sysconfig
readOnly: true
volumes:
- hostPath:
path: /etc/ssl/certs
name: ssl-certs-host
- hostPath:
path: /srv/kubernetes
path: /etc/kubernetes
name: kubernetes-config
- hostPath:
path: /etc/sysconfig
name: sysconfig
EOF
}
}
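Review bot: Both static-pod manifests now hand the whole of `/etc/kubernetes` to the controller-manager and scheduler containers through `hostPath`, where before they saw `/srv/kubernetes` (certificates and kubeconfig) plus `/etc/sysconfig`; after this commit that directory also carries the kubelet `config` file edited by configure-kubernetes-master.sh and, judging by the minion script's `--pod-manifest-path=/etc/kubernetes/manifests`, presumably the static-pod manifests themselves. The retained `readOnly: true` on each mount is what keeps that acceptable, so it deserves a comment inside the heredoc, e.g. `# whole /etc/kubernetes (certs, kubeconfig, cloud config, manifests) - must stay readOnly`. Only the controller manager receives key material in this commit (`--service-account-private-key-file=$CERT_DIR/server.key`); if the scheduler's argument list built by generate_pod_args, which is cut off at the hunk header, needs nothing beyond the kubeconfig, its mount could be narrowed to `/etc/kubernetes/kubeconfig.yaml` and `/etc/kubernetes/certs`. The two heredoc-emitting functions begin outside these hunks.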

@ -10,7 +10,7 @@ fi
init_templates () {
local KUBE_PROTOCOL="https"
local KUBE_CONFIG="/srv/kubernetes/kubeconfig.yaml"
local KUBE_CONFIG="/etc/kubernetes/kubeconfig.yaml"
if [ "${TLS_DISABLED}" = "True" ]; then
KUBE_PROTOCOL="http"
KUBE_CONFIG=
@ -42,13 +42,13 @@ spec:
securityContext:
privileged: true
volumeMounts:
- mountPath: /srv/kubernetes
name: "srv-kube"
- mountPath: /etc/kubernetes
name: kubernetes-config
readOnly: true
volumes:
- hostPath:
path: "/srv/kubernetes"
name: "srv-kube"
path: /etc/kubernetes
name: kubernetes-config
EOF
}
}
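Review bot: The kube-proxy pod, which runs with `privileged: true`, moves from a mount of `/srv/kubernetes` to all of `/etc/kubernetes`, and the same commit relocates `kube_openstack_config` from `/etc/sysconfig` into that directory (write-kube-os-config.sh), so a file this pod never saw before becomes readable inside it; if that file carries OpenStack credentials (its contents are outside the visible hunks) this is new exposure that the added `readOnly: true` does not address, since a root container can still read a read-only mount. The kubeconfig refers to the certificates only by absolute path under `/etc/kubernetes/certs` (the sed substitutions in make-cert-client.sh), so two narrower mounts should suffice, as sketched below; this needs checking for the `TLS_DISABLED` case, where `KUBE_CONFIG` is emptied and make-cert-client.sh exits before creating the certs directory. init_templates and its heredoc begin before the second hunk.
```yaml
    volumeMounts:
    - mountPath: /etc/kubernetes/kubeconfig.yaml
      name: kubeconfig
      readOnly: true
    - mountPath: /etc/kubernetes/certs
      name: kubernetes-certs
      readOnly: true
  volumes:
  - hostPath:
      path: /etc/kubernetes/kubeconfig.yaml
    name: kubeconfig
  - hostPath:
      path: /etc/kubernetes/certs
    name: kubernetes-certs
```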

@ -24,11 +24,9 @@ if [ "$TLS_DISABLED" == "True" ]; then
exit 0
fi
cert_dir=/srv/kubernetes
cert_conf_dir=${cert_dir}/conf
cert_dir=/etc/kubernetes/certs
mkdir -p "$cert_dir"
mkdir -p "$cert_conf_dir"
CA_CERT=$cert_dir/ca.crt
CLIENT_CERT=$cert_dir/client.crt
@ -67,7 +65,7 @@ curl -k -X GET \
$MAGNUM_URL/certificates/$CLUSTER_UUID | python -c 'import sys, json; print json.load(sys.stdin)["pem"]' > $CA_CERT
# Create config for client's csr
cat > ${cert_conf_dir}/client.conf <<EOF
cat > ${cert_dir}/client.conf <<EOF
[req]
distinguished_name = req_distinguished_name
req_extensions = req_ext
@ -91,7 +89,7 @@ openssl req -new -days 1000 \
-key "${CLIENT_KEY}" \
-out "${CLIENT_CSR}" \
-reqexts req_ext \
-config "${cert_conf_dir}/client.conf"
-config "${cert_dir}/client.conf"
# Send csr to Magnum to have it signed
csr_req=$(python -c "import json; fp = open('${CLIENT_CSR}'); print json.dumps({'cluster_uuid': '$CLUSTER_UUID', 'csr': fp.read()}); fp.close()")
@ -115,4 +113,4 @@ sed -i '
s|CA_CERT|'"$CA_CERT"'|
s|CLIENT_CERT|'"$CLIENT_CERT"'|
s|CLIENT_KEY|'"$CLIENT_KEY"'|
' /srv/kubernetes/kubeconfig.yaml
' /etc/kubernetes/kubeconfig.yaml
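Review bot: `mkdir -p "$cert_dir"` now creates `/etc/kubernetes/certs` with whatever the process umask yields, and that directory holds the client private key (`CLIENT_KEY`, passed to `openssl req` and substituted into the kubeconfig); dropping the `conf` subdirectory also puts `client.conf` beside the key, which looks harmless since it is only the request config. Unless the key-generation step (outside these hunks) already restricts the file mode, add `chmod 0600 "${CLIENT_KEY}"` right after it, or create the directory with `mkdir -p -m 0700 "$cert_dir"` if every host-side reader (flannel's `-etcd-certfile $CERT_DIR/client.crt` in configure-kubernetes-minion.sh) runs as root. make-cert.sh has the same shape for `SERVER_KEY` and its own `mkdir -p "$cert_dir"`.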

@ -57,11 +57,8 @@ sans="${sans},IP:${KUBE_SERVICE_IP}"
sans="${sans},DNS:kubernetes,DNS:kubernetes.default,DNS:kubernetes.default.svc,DNS:kubernetes.default.svc.cluster.local"
cert_dir=/srv/kubernetes
cert_conf_dir=${cert_dir}/conf
cert_dir=/etc/kubernetes/certs
mkdir -p "$cert_dir"
mkdir -p "$cert_conf_dir"
CA_CERT=$cert_dir/ca.crt
SERVER_CERT=$cert_dir/server.crt
@ -100,7 +97,7 @@ curl -k -X GET \
$MAGNUM_URL/certificates/$CLUSTER_UUID | python -c 'import sys, json; print json.load(sys.stdin)["pem"]' > ${CA_CERT}
# Create config for server's csr
cat > ${cert_conf_dir}/server.conf <<EOF
cat > ${cert_dir}/server.conf <<EOF
[req]
distinguished_name = req_distinguished_name
req_extensions = req_ext
@ -119,7 +116,7 @@ openssl req -new -days 1000 \
-key "${SERVER_KEY}" \
-out "${SERVER_CSR}" \
-reqexts req_ext \
-config "${cert_conf_dir}/server.conf"
-config "${cert_dir}/server.conf"
# Send csr to Magnum to have it signed
csr_req=$(python -c "import json; fp = open('${SERVER_CSR}'); print json.dumps({'cluster_uuid': '$CLUSTER_UUID', 'csr': fp.read()}); fp.close()")

@ -5,7 +5,7 @@
if [ "$NETWORK_DRIVER" != "flannel" ]; then
exit 0
fi
CERT_DIR=/srv/kubernetes
CERT_DIR=/etc/kubernetes/certs
PROTOCOL=https
FLANNEL_OPTIONS="-etcd-cafile $CERT_DIR/ca.crt \
-etcd-certfile $CERT_DIR/server.crt \

@ -2,7 +2,7 @@
. /etc/sysconfig/heat-params
KUBE_OS_CLOUD_CONFIG=/etc/sysconfig/kube_openstack_config
KUBE_OS_CLOUD_CONFIG=/etc/kubernetes/kube_openstack_config
# Generate a the configuration for Kubernetes services
# to talk to OpenStack Neutron

@ -1,7 +1,7 @@
#cloud-config
merge_how: dict(recurse_array)+list(append)
write_files:
- path: /srv/kubernetes/kubeconfig.yaml
- path: /etc/kubernetes/kubeconfig.yaml
owner: "root:root"
permissions: "0644"
content: |
