Make kubelet and kube-proxy use the secure port
Create certificates for kubelet and kube-proxy on control-plane
nodes similar to worker nodes. Use the secure kube-apiserver
port on control-plane nodes.
story: 2008524
task: 41602
Change-Id: Ibeb32a24ca25914cab32c63a9ccafaf711148a84
Signed-off-by: Spyros Trigazis <spyridon.trigazis@cern.ch>
(cherry picked from commit d11f4e8393
)
parent
210984fa26
commit
7f5c6354a5
|
@ -46,6 +46,7 @@ elif [ "$NETWORK_DRIVER" = "flannel" ]; then
|
||||||
fi
|
fi
|
||||||
|
|
||||||
|
|
||||||
|
KUBE_MASTER_URI="https://127.0.0.1:$KUBE_API_PORT"
|
||||||
mkdir -p /srv/magnum/kubernetes/
|
mkdir -p /srv/magnum/kubernetes/
|
||||||
cat > /etc/kubernetes/config <<EOF
|
cat > /etc/kubernetes/config <<EOF
|
||||||
KUBE_LOGTOSTDERR="--logtostderr=true"
|
KUBE_LOGTOSTDERR="--logtostderr=true"
|
||||||
|
@ -277,16 +278,16 @@ cat > /etc/kubernetes/proxy << EOF
|
||||||
KUBE_PROXY_ARGS="${KUBE_PROXY_ARGS} ${KUBEPROXY_OPTIONS}"
|
KUBE_PROXY_ARGS="${KUBE_PROXY_ARGS} ${KUBEPROXY_OPTIONS}"
|
||||||
EOF
|
EOF
|
||||||
|
|
||||||
cat > ${PROXY_KUBECONFIG} << EOF
|
cat << EOF >> ${PROXY_KUBECONFIG}
|
||||||
apiVersion: v1
|
apiVersion: v1
|
||||||
clusters:
|
clusters:
|
||||||
- cluster:
|
- cluster:
|
||||||
certificate-authority: ${CERT_DIR}/ca.crt
|
certificate-authority: ${CERT_DIR}/ca.crt
|
||||||
server: http://127.0.0.1:8080
|
server: ${KUBE_MASTER_URI}
|
||||||
name: kubernetes
|
name: ${CLUSTER_UUID}
|
||||||
contexts:
|
contexts:
|
||||||
- context:
|
- context:
|
||||||
cluster: kubernetes
|
cluster: ${CLUSTER_UUID}
|
||||||
user: kube-proxy
|
user: kube-proxy
|
||||||
name: default
|
name: default
|
||||||
current-context: default
|
current-context: default
|
||||||
|
@ -296,6 +297,8 @@ users:
|
||||||
- name: kube-proxy
|
- name: kube-proxy
|
||||||
user:
|
user:
|
||||||
as-user-extra: {}
|
as-user-extra: {}
|
||||||
|
client-certificate: ${CERT_DIR}/proxy.crt
|
||||||
|
client-key: ${CERT_DIR}/proxy.key
|
||||||
EOF
|
EOF
|
||||||
|
|
||||||
sed -i '
|
sed -i '
|
||||||
|
@ -383,7 +386,7 @@ apiVersion: v1
|
||||||
clusters:
|
clusters:
|
||||||
- cluster:
|
- cluster:
|
||||||
certificate-authority: ${CERT_DIR}/ca.crt
|
certificate-authority: ${CERT_DIR}/ca.crt
|
||||||
server: https://127.0.0.1:$KUBE_API_PORT
|
server: ${KUBE_MASTER_URI}
|
||||||
name: ${CLUSTER_UUID}
|
name: ${CLUSTER_UUID}
|
||||||
contexts:
|
contexts:
|
||||||
- context:
|
- context:
|
||||||
|
@ -468,11 +471,11 @@ apiVersion: v1
|
||||||
clusters:
|
clusters:
|
||||||
- cluster:
|
- cluster:
|
||||||
certificate-authority: ${CERT_DIR}/ca.crt
|
certificate-authority: ${CERT_DIR}/ca.crt
|
||||||
server: http://127.0.0.1:8080
|
server: ${KUBE_MASTER_URI}
|
||||||
name: kubernetes
|
name: ${CLUSTER_UUID}
|
||||||
contexts:
|
contexts:
|
||||||
- context:
|
- context:
|
||||||
cluster: kubernetes
|
cluster: ${CLUSTER_UUID}
|
||||||
user: system:node:${INSTANCE_NAME}
|
user: system:node:${INSTANCE_NAME}
|
||||||
name: default
|
name: default
|
||||||
current-context: default
|
current-context: default
|
||||||
|
@ -482,8 +485,8 @@ users:
|
||||||
- name: system:node:${INSTANCE_NAME}
|
- name: system:node:${INSTANCE_NAME}
|
||||||
user:
|
user:
|
||||||
as-user-extra: {}
|
as-user-extra: {}
|
||||||
client-certificate: ${CERT_DIR}/server.crt
|
client-certificate: ${CERT_DIR}/kubelet.crt
|
||||||
client-key: ${CERT_DIR}/server.key
|
client-key: ${CERT_DIR}/kubelet.key
|
||||||
EOF
|
EOF
|
||||||
|
|
||||||
cat > /etc/kubernetes/get_require_kubeconfig.sh << EOF
|
cat > /etc/kubernetes/get_require_kubeconfig.sh << EOF
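Review bot: The kube-proxy kubeconfig in the `@ -277,16 +278,16 @@` hunk now appears to be written with `cat << EOF >> ${PROXY_KUBECONFIG}`, which appends instead of truncating; the page prints each changed line twice without markers, so the new side is inferred from the print order and the commit message. If the file already exists when this fragment runs (a re-run, or an image that ships one), the result is two concatenated kubeconfig documents, and an old `server: http://127.0.0.1:8080` entry may stay in the file next to the new one. Unless something outside the visible hunks creates the file on purpose beforehand, keep the truncating form, `cat > ${PROXY_KUBECONFIG} << EOF`. It is also worth confirming, outside this diff, that the kube-apiserver insecure port is disabled once no local client uses it, since otherwise the unauthenticated listener on 8080 stays reachable on the node.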
|
||||||
|
|
|
@ -838,6 +838,7 @@ resources:
|
||||||
- get_file: ../../common/templates/kubernetes/fragments/install-cri.sh
|
- get_file: ../../common/templates/kubernetes/fragments/install-cri.sh
|
||||||
- get_file: ../../common/templates/kubernetes/fragments/install-clients.sh
|
- get_file: ../../common/templates/kubernetes/fragments/install-clients.sh
|
||||||
- get_file: ../../common/templates/kubernetes/fragments/make-cert.sh
|
- get_file: ../../common/templates/kubernetes/fragments/make-cert.sh
|
||||||
|
- get_file: ../../common/templates/kubernetes/fragments/make-cert-client.sh
|
||||||
- str_replace:
|
- str_replace:
|
||||||
template: {get_file: ../../common/templates/kubernetes/fragments/enable-cert-api-manager.sh}
|
template: {get_file: ../../common/templates/kubernetes/fragments/enable-cert-api-manager.sh}
|
||||||
params:
|
params:
|
||||||
|
|
|
@ -858,6 +858,7 @@ resources:
|
||||||
- get_file: ../../common/templates/kubernetes/fragments/install-cri.sh
|
- get_file: ../../common/templates/kubernetes/fragments/install-cri.sh
|
||||||
- get_file: ../../common/templates/kubernetes/fragments/install-clients.sh
|
- get_file: ../../common/templates/kubernetes/fragments/install-clients.sh
|
||||||
- get_file: ../../common/templates/kubernetes/fragments/make-cert.sh
|
- get_file: ../../common/templates/kubernetes/fragments/make-cert.sh
|
||||||
|
- get_file: ../../common/templates/kubernetes/fragments/make-cert-client.sh
|
||||||
- str_replace:
|
- str_replace:
|
||||||
template: {get_file: ../../common/templates/kubernetes/fragments/enable-cert-api-manager.sh}
|
template: {get_file: ../../common/templates/kubernetes/fragments/enable-cert-api-manager.sh}
|
||||||
params:
|
params:
|
||||||
|
|