Improve consistency for SSL PATH accross template

Multiple variable names were used in different fragments. This commit
makes KUBE_CERTS_PATH and HOST_CERTS_PATH hardcoded values in the heat-params
fragment and uses them inside the fragments instead of hardcoded values and
differing variable names.

Implements: blueprint coreos-best-pratice
Change-Id: I8c7856601096672890ab5a1318db0177d582e53d
This commit is contained in:
Kevin Lefevre 2017-02-01 10:39:30 +01:00 committed by ArchiFleKs
parent 220675d42a
commit fb0aa7d3e1
14 changed files with 45 additions and 53 deletions


@ -25,7 +25,6 @@ write_files:
DROP_IN_FILE=/etc/systemd/system/etcd2.service.d/20-configure-etcd.conf
mkdir -p $(dirname $DROP_IN_FILE)
cert_dir="/etc/kubernetes/ssl"
protocol="https"
if [ "$TLS_DISABLED" = "True" ]; then
@ -46,12 +45,12 @@ write_files:
if [ "$TLS_DISABLED" = "False" ]; then
cat >> $DROP_IN_FILE <<EOF
Environment=ETCD_CA_FILE=$cert_dir/ca.pem
Environment=ETCD_CERT_FILE=$cert_dir/apiserver.pem
Environment=ETCD_KEY_FILE=$cert_dir/apiserver-key.pem
Environment=ETCD_PEER_CA_FILE=$cert_dir/ca.pem
Environment=ETCD_PEER_CERT_FILE=$cert_dir/apiserver.pem
Environment=ETCD_PEER_KEY_FILE=$cert_dir/apiserver-key.pem
Environment=ETCD_CA_FILE=${KUBE_CERTS_PATH}/ca.pem
Environment=ETCD_CERT_FILE=${KUBE_CERTS_PATH}/apiserver.pem
Environment=ETCD_KEY_FILE=${KUBE_CERTS_PATH}/apiserver-key.pem
Environment=ETCD_PEER_CA_FILE=${KUBE_CERTS_PATH}/ca.pem
Environment=ETCD_PEER_CERT_FILE=${KUBE_CERTS_PATH}/apiserver.pem
Environment=ETCD_PEER_KEY_FILE=${KUBE_CERTS_PATH}/apiserver-key.pem
EOF
fi
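Review bot: `${KUBE_CERTS_PATH}` replaces the local `cert_dir` this hunk removes, but nothing in the fragment checks that it is actually set before the heredoc is appended to `$DROP_IN_FILE`; if the heat-params file is not sourced earlier in the script (that part is outside the hunk) the drop-in ends up with `ETCD_CA_FILE=/ca.pem` and sibling entries pointing at the filesystem root, and etcd fails at start with a confusing TLS error rather than a clear configuration error. Add a guard ahead of the `if [ "$TLS_DISABLED" = "False" ]` block: `: "${KUBE_CERTS_PATH:?KUBE_CERTS_PATH must be set (sourced from heat-params)}"`. The enclosing script begins before this hunk.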


@ -23,9 +23,6 @@ write_files:
myip=$(curl -s http://169.254.169.254/latest/meta-data/local-ipv4)
KUBE_CERTS_PATH=/etc/kubernetes/ssl
HOST_CERTS_PATH=/usr/share/ca-certificates
TLS_CERT_FILE=${KUBE_CERTS_PATH}/apiserver.pem
TLS_PRIVATE_KEY_FILE=${KUBE_CERTS_PATH}/apiserver-key.pem
CLIENT_CA_FILE=${KUBE_CERTS_PATH}/ca.pem
@ -75,7 +72,7 @@ write_files:
hostPort: 8080
name: local
volumeMounts:
- mountPath: /etc/kubernetes/ssl
- mountPath: ${KUBE_CERTS_PATH}
name: ssl-certs-kubernetes
readOnly: true
- mountPath: /etc/ssl/certs
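Review bot: `mountPath: ${KUBE_CERTS_PATH}` in the generated apiserver manifest has no fallback now that the local `KUBE_CERTS_PATH=/etc/kubernetes/ssl` assignment is gone; an unset variable renders as an empty `mountPath:`, which the kubelet rejects, so the static pod never starts and the only symptom is a missing apiserver. Presumably the value is meant to arrive via the heat-params file sourced earlier (not visible in this hunk); make the dependency explicit near the top of the script with `: "${KUBE_CERTS_PATH:?set by heat-params}"` or `set -u` so the failure is loud. Keeping `readOnly: true` on the cert mount is the right call. The script and the manifest heredoc both extend past the edges of this hunk.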


@ -21,8 +21,6 @@ write_files:
content: |
#!/bin/sh
KUBE_CERTS_PATH=/etc/kubernetes/ssl
HOST_CERTS_PATH=/usr/share/ca-certificates
SYSCONFIG_PATH=/etc/sysconfig
SERVICE_ACCOUNT_PRIVATE_KEY_FILE=${KUBE_CERTS_PATH}/apiserver-key.pem


@ -23,8 +23,6 @@ write_files:
myip=$(curl -s http://169.254.169.254/latest/meta-data/local-ipv4)
HOST_CERTS_PATH=/usr/share/ca-certificates
TEMPLATE=/etc/kubernetes/manifests/kube-proxy.yaml
mkdir -p $(dirname ${TEMPLATE})
cat > ${TEMPLATE} <<EOF


@ -23,7 +23,6 @@ write_files:
myip=$(curl -s http://169.254.169.254/latest/meta-data/local-ipv4)
KUBE_CERTS_PATH=/etc/kubernetes/ssl
KUBE_CONFIG_PATH=/etc/kubernetes/config
KUBE_PROTOCOL="https"
KUBE_CONFIG="${KUBE_CONFIG_PATH}/worker-kubeconfig.yaml"
@ -56,17 +55,17 @@ write_files:
securityContext:
privileged: true
volumeMounts:
- mountPath: /etc/kubernetes/config
name: "kubeconfig"
- mountPath: ${KUBE_CONFIG_PATH}
name: kubeconfig
readOnly: true
- mountPath: /etc/kubernetes/ssl
name: "etc-kube-ssl"
- mountPath: ${KUBE_CERTS_PATH}
name: ssl-certs-kubernetes
readOnly: true
volumes:
- name: "kubeconfig"
- name: kubeconfig
hostPath:
path: ${KUBE_CONFIG_PATH}
- name: "etc-kube-ssl"
- name: ssl-certs-kubernetes
hostPath:
path: ${KUBE_CERTS_PATH}
EOF
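Review bot: `KUBE_CONFIG_PATH=/etc/kubernetes/config` is left as a local literal in the same script while `KUBE_CERTS_PATH` now comes from the environment, so this fragment still mixes the two conventions the commit sets out to remove and a reader has to know which variable is local and which is provided. Either move `KUBE_CONFIG_PATH` to heat-params alongside the cert path, or add a guard so an empty `${KUBE_CERTS_PATH}` cannot render an empty `mountPath:`/`path:` in the manifest: `: "${KUBE_CERTS_PATH:?set by heat-params}"`. The volume rename to `ssl-certs-kubernetes` does line up with the apiserver manifest, which is good. The script starts before this hunk.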


@ -23,7 +23,6 @@ write_files:
myip=$(curl -s http://169.254.169.254/latest/meta-data/local-ipv4)
KUBE_CERTS_PATH=/etc/kubernetes/ssl
TLS_CERT_FILE=${KUBE_CERTS_PATH}/worker.pem
TLS_PRIVATE_KEY_FILE=${KUBE_CERTS_PATH}/worker-key.pem
KUBE_PROTOCOL="https"


@ -28,7 +28,6 @@ write_files:
myip=$(curl -s http://169.254.169.254/latest/meta-data/local-ipv4)
ETCD_SERVER_IP=${ETCD_SERVER_IP:-127.0.0.1}
CERT_DIR=/etc/kubernetes/ssl
PROTOCOL=https
if [ "$TLS_DISABLED" = "True" ]; then
@ -44,9 +43,9 @@ write_files:
if [ "$TLS_DISABLED" = "False" ]; then
cat >> $ENV_FILE <<EOF
FLANNELD_ETCD_CAFILE=$CERT_DIR/ca.pem
FLANNELD_ETCD_CERTFILE=$CERT_DIR/worker.pem
FLANNELD_ETCD_KEYFILE=$CERT_DIR/worker-key.pem
FLANNELD_ETCD_CAFILE=${KUBE_CERTS_PATH}/ca.pem
FLANNELD_ETCD_CERTFILE=${KUBE_CERTS_PATH}/worker.pem
FLANNELD_ETCD_KEYFILE=${KUBE_CERTS_PATH}/worker-key.pem
EOF
fi
@ -54,7 +53,7 @@ write_files:
mkdir -p $(dirname $DROP_IN_FILE)
cat > $DROP_IN_FILE <<EOF
[Service]
Environment="ETCD_SSL_DIR=$CERT_DIR"
Environment=ETCD_SSL_DIR=${KUBE_CERTS_PATH}
ExecStartPre=/usr/bin/ln -sf /etc/flannel/options.env /run/flannel/options.env
EOF
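Review bot: The rewrite of the drop-in line drops the quoting the old `Environment="ETCD_SSL_DIR=$CERT_DIR"` had; systemd splits an unquoted `Environment=` value on whitespace, so the new `Environment=ETCD_SSL_DIR=${KUBE_CERTS_PATH}` only works while the path contains no spaces. Keep the quotes to stay robust to whatever value heat-params provides: `Environment="ETCD_SSL_DIR=${KUBE_CERTS_PATH}"`. An unset `KUBE_CERTS_PATH` would also produce `ETCD_SSL_DIR=` here and root-relative `FLANNELD_ETCD_*FILE` paths in `$ENV_FILE`; a `: "${KUBE_CERTS_PATH:?}"` guard at the top of the script (outside this hunk) would catch that.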


@ -28,7 +28,6 @@ write_files:
myip=$(curl -s http://169.254.169.254/latest/meta-data/local-ipv4)
ETCD_SERVER_IP=${ETCD_SERVER_IP:-127.0.0.1}
CERT_DIR=/etc/kubernetes/ssl
PROTOCOL=https
if [ "$TLS_DISABLED" = "True" ]; then
@ -44,9 +43,9 @@ write_files:
if [ "$TLS_DISABLED" = "False" ]; then
cat >> $ENV_FILE <<EOF
FLANNELD_ETCD_CAFILE=$CERT_DIR/ca.pem
FLANNELD_ETCD_CERTFILE=$CERT_DIR/apiserver.pem
FLANNELD_ETCD_KEYFILE=$CERT_DIR/apiserver-key.pem
FLANNELD_ETCD_CAFILE=${KUBE_CERTS_PATH}/ca.pem
FLANNELD_ETCD_CERTFILE=${KUBE_CERTS_PATH}/apiserver.pem
FLANNELD_ETCD_KEYFILE=${KUBE_CERTS_PATH}/apiserver-key.pem
EOF
fi
@ -54,7 +53,7 @@ write_files:
mkdir -p $(dirname $DROP_IN_FILE)
cat > $DROP_IN_FILE <<EOF
[Service]
Environment="ETCD_SSL_DIR=$CERT_DIR"
Environment=ETCD_SSL_DIR=${KUBE_CERTS_PATH}
ExecStartPre=/usr/bin/ln -sf /etc/flannel/options.env /run/flannel/options.env
EOF
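Review bot: This master-side flannel fragment now hands the apiserver client key to flanneld via `FLANNELD_ETCD_KEYFILE=${KUBE_CERTS_PATH}/apiserver-key.pem` with no check that `KUBE_CERTS_PATH` is set after the local `CERT_DIR` was removed; an empty expansion yields `/apiserver-key.pem`, which either fails later with an opaque TLS error or, if a stray file exists there, silently uses the wrong key. Add `: "${KUBE_CERTS_PATH:?KUBE_CERTS_PATH must be set (sourced from heat-params)}"` before the `if [ "$TLS_DISABLED" = "False" ]` block. As in the worker fragment, `Environment="ETCD_SSL_DIR=${KUBE_CERTS_PATH}"` should keep its quotes. The enclosing script begins before this hunk.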


@ -42,16 +42,14 @@ write_files:
exit 0
fi
cert_dir=/etc/kubernetes/ssl
cert_conf_dir=${cert_dir}/conf
cert_conf_dir=${KUBE_CERTS_PATH}/conf
mkdir -p "$cert_dir"
mkdir -p "$cert_conf_dir"
mkdir -p ${cert_conf_dir}
CA_CERT=$cert_dir/ca.pem
CLIENT_CERT=$cert_dir/worker.pem
CLIENT_CSR=$cert_dir/worker.csr
CLIENT_KEY=$cert_dir/worker-key.pem
CA_CERT=${KUBE_CERTS_PATH}/ca.pem
CLIENT_CERT=${KUBE_CERTS_PATH}/worker.pem
CLIENT_CSR=${KUBE_CERTS_PATH}/worker.csr
CLIENT_KEY=${KUBE_CERTS_PATH}/worker-key.pem
#Get a token by user credentials and trust
cat > auth.json << EOF
@ -129,5 +127,5 @@ write_files:
$MAGNUM_URL/certificates)
parse_json_response "${client_cert_json}" > ${CLIENT_CERT}
chmod 600 ${cert_dir}/*-key.pem
chown root:root ${cert_dir}/*-key.pem
chmod 600 ${KUBE_CERTS_PATH}/*-key.pem
chown root:root ${KUBE_CERTS_PATH}/*-key.pem
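Review bot: The hunk removes `mkdir -p "$cert_dir"` and drops the quotes on the remaining `mkdir -p ${cert_conf_dir}`, and since `KUBE_CERTS_PATH` is no longer assigned locally, an unset variable makes `cert_conf_dir=/conf`, `CLIENT_KEY=/worker-key.pem` and `chmod 600 /*-key.pem` — the worker's private key lands in `/` instead of a dedicated directory. Guard it explicitly: `: "${KUBE_CERTS_PATH:?KUBE_CERTS_PATH must be set (sourced from heat-params)}"` before `cert_conf_dir=`, and restore `mkdir -p "${cert_conf_dir}"`. Since the `chmod 600` line is rewritten here anyway, a `umask 077` ahead of the key generation would close the window in which `worker-key.pem` is world-readable before chmod runs. The script starts before the hunk.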


@ -65,16 +65,14 @@ write_files:
fi
sans="${sans},IP:127.0.0.1"
cert_dir=/etc/kubernetes/ssl
cert_conf_dir=${cert_dir}/conf
cert_conf_dir=${KUBE_CERTS_PATH}/conf
mkdir -p "$cert_dir"
mkdir -p "$cert_conf_dir"
mkdir -p ${cert_conf_dir}
CA_CERT=$cert_dir/ca.pem
SERVER_CERT=$cert_dir/apiserver.pem
SERVER_CSR=$cert_dir/apiserver.pem
SERVER_KEY=$cert_dir/apiserver-key.pem
CA_CERT=${KUBE_CERTS_PATH}/ca.pem
SERVER_CERT=${KUBE_CERTS_PATH}/apiserver.pem
SERVER_CSR=${KUBE_CERTS_PATH}/apiserver.pem
SERVER_KEY=${KUBE_CERTS_PATH}/apiserver-key.pem
#Get a token by user credentials and trust
cat > auth.json << EOF
@ -148,6 +146,6 @@ write_files:
$MAGNUM_URL/certificates)
parse_json_response "${server_cert_json}" > ${SERVER_CERT}
chmod 600 ${cert_dir}/*-key.pem
chmod 600 ${KUBE_CERTS_PATH}/*-key.pem
# Certs will also be used by etcd service
chown -R etcd:etcd ${cert_dir}
chown -R etcd:etcd ${KUBE_CERTS_PATH}
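Review bot: The rewritten `SERVER_CSR=${KUBE_CERTS_PATH}/apiserver.pem` points at the same file as `SERVER_CERT`, so the CSR is written to the certificate path and then overwritten by the signed cert; the worker fragment uses a separate `worker.csr`, and the master should mirror it with `SERVER_CSR=${KUBE_CERTS_PATH}/apiserver.csr`. The commit carried this line over from the old `$cert_dir` form without fixing it. As on the worker side, a `: "${KUBE_CERTS_PATH:?}"` guard before `cert_conf_dir=` would stop an unset variable from placing `apiserver-key.pem` in `/` and then `chown -R etcd:etcd`-ing whatever the empty path expands to. The script starts before this hunk.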


@ -39,3 +39,5 @@ write_files:
INSECURE_REGISTRY_URL="$INSECURE_REGISTRY_URL"
SYSTEM_PODS_INITIAL_DELAY="$SYSTEM_PODS_INITIAL_DELAY"
SYSTEM_PODS_TIMEOUT="$SYSTEM_PODS_TIMEOUT"
KUBE_CERTS_PATH="$KUBE_CERTS_PATH"
HOST_CERTS_PATH="$HOST_CERTS_PATH"


@ -40,3 +40,5 @@ write_files:
TRUSTEE_DOMAIN_ID="$TRUSTEE_DOMAIN_ID"
TRUST_ID="$TRUST_ID"
INSECURE_REGISTRY_URL="$INSECURE_REGISTRY_URL"
KUBE_CERTS_PATH="$KUBE_CERTS_PATH"
HOST_CERTS_PATH="$HOST_CERTS_PATH"


@ -232,6 +232,8 @@ resources:
"$TRUSTEE_PASSWORD": {get_param: trustee_password}
"$TRUST_ID": {get_param: trust_id}
"$AUTH_URL": {get_param: auth_url}
"$KUBE_CERTS_PATH": "/etc/kubernetes/ssl"
"$HOST_CERTS_PATH": "/usr/share/ca-certificates"
configure_etcd:
type: OS::Heat::SoftwareConfig
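Review bot: `"$KUBE_CERTS_PATH": "/etc/kubernetes/ssl"` and `"$HOST_CERTS_PATH": "/usr/share/ca-certificates"` are literals in the str_replace params, and the minion template carries the same two literals, so the two copies can drift and every fragment downstream will assume the value the other template wrote. If the paths are meant to stay fixed, a one-line comment above them saying so (and that the minion template must match) would help; otherwise declare them once as heat `parameters` with these defaults and use `{get_param: kube_certs_path}` here, which keeps a single source of truth without changing the deployed values. The surrounding `str_replace` block starts before this hunk.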


@ -164,6 +164,8 @@ resources:
"$TRUSTEE_PASSWORD": {get_param: trustee_password}
"$TRUST_ID": {get_param: trust_id}
"$AUTH_URL": {get_param: auth_url}
"$KUBE_CERTS_PATH": "/etc/kubernetes/ssl"
"$HOST_CERTS_PATH": "/usr/share/ca-certificates"
write_kubeconfig:
type: OS::Heat::SoftwareConfig
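Review bot: The minion template duplicates the literal `"$KUBE_CERTS_PATH": "/etc/kubernetes/ssl"` and `"$HOST_CERTS_PATH": "/usr/share/ca-certificates"` from the cluster template rather than sharing a definition, so a future change to one side silently desynchronises worker fragments from master fragments that expect certs in the same place. Consider a heat parameter with these as defaults and `{get_param: …}` in both templates, or at minimum a comment noting the value must match the cluster template. The enclosing `str_replace` block starts before this hunk.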