Improve consistency for SSL PATH accross template
Multiple variable names were used in different fragments. This commit makes KUBE_CERTS_PATH and HOST_CERTS_PATH hardcoded values in the heat-params fragment and uses them inside the fragments instead of hardcoded values and differing variable names Implements: blueprint coreos-best-pratice Change-Id: I8c7856601096672890ab5a1318db0177d582e53d
This commit is contained in:
parent
220675d42a
commit
fb0aa7d3e1
@ -25,7 +25,6 @@ write_files:
DROP_IN_FILE=/etc/systemd/system/etcd2.service.d/20-configure-etcd.conf
mkdir -p $(dirname $DROP_IN_FILE)
cert_dir="/etc/kubernetes/ssl"
protocol="https"
if [ "$TLS_DISABLED" = "True" ]; then
@ -46,12 +45,12 @@ write_files:
if [ "$TLS_DISABLED" = "False" ]; then
cat >> $DROP_IN_FILE <<EOF
Environment=ETCD_CA_FILE=$cert_dir/ca.pem
Environment=ETCD_CERT_FILE=$cert_dir/apiserver.pem
Environment=ETCD_KEY_FILE=$cert_dir/apiserver-key.pem
Environment=ETCD_PEER_CA_FILE=$cert_dir/ca.pem
Environment=ETCD_PEER_CERT_FILE=$cert_dir/apiserver.pem
Environment=ETCD_PEER_KEY_FILE=$cert_dir/apiserver-key.pem
Environment=ETCD_CA_FILE=${KUBE_CERTS_PATH}/ca.pem
Environment=ETCD_CERT_FILE=${KUBE_CERTS_PATH}/apiserver.pem
Environment=ETCD_KEY_FILE=${KUBE_CERTS_PATH}/apiserver-key.pem
Environment=ETCD_PEER_CA_FILE=${KUBE_CERTS_PATH}/ca.pem
Environment=ETCD_PEER_CERT_FILE=${KUBE_CERTS_PATH}/apiserver.pem
Environment=ETCD_PEER_KEY_FILE=${KUBE_CERTS_PATH}/apiserver-key.pem
EOF
fi
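Review bot: The rewritten etcd drop-in lines, `Environment=ETCD_CA_FILE=${KUBE_CERTS_PATH}/ca.pem` through `Environment=ETCD_PEER_KEY_FILE=${KUBE_CERTS_PATH}/apiserver-key.pem`, now depend on KUBE_CERTS_PATH being set by whatever sources the heat-params file, and the fragment has no check that it is; with the variable empty the heredoc silently emits `/ca.pem` and etcd fails to start with an unrelated-looking error. A one-line guard before the heredoc, `: "${KUBE_CERTS_PATH:?KUBE_CERTS_PATH is not set}"`, turns that into an explicit failure. The same applies to every other fragment in this commit that now reads the variable, most importantly the two make-cert fragments, where an empty value would place the generated private keys and their chmod/chown under `/`, and the manifest heredocs, which would produce an empty `mountPath:`. Where the heat-params file is sourced is outside these hunks, so I could not confirm the ordering.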
@ -23,9 +23,6 @@ write_files:
myip=$(curl -s http://169.254.169.254/latest/meta-data/local-ipv4)
KUBE_CERTS_PATH=/etc/kubernetes/ssl
HOST_CERTS_PATH=/usr/share/ca-certificates
TLS_CERT_FILE=${KUBE_CERTS_PATH}/apiserver.pem
TLS_PRIVATE_KEY_FILE=${KUBE_CERTS_PATH}/apiserver-key.pem
CLIENT_CA_FILE=${KUBE_CERTS_PATH}/ca.pem
@ -75,7 +72,7 @@ write_files:
hostPort: 8080
name: local
volumeMounts:
- mountPath: /etc/kubernetes/ssl
- mountPath: ${KUBE_CERTS_PATH}
name: ssl-certs-kubernetes
readOnly: true
- mountPath: /etc/ssl/certs
@ -21,8 +21,6 @@ write_files:
content: |
#!/bin/sh
KUBE_CERTS_PATH=/etc/kubernetes/ssl
HOST_CERTS_PATH=/usr/share/ca-certificates
SYSCONFIG_PATH=/etc/sysconfig
SERVICE_ACCOUNT_PRIVATE_KEY_FILE=${KUBE_CERTS_PATH}/apiserver-key.pem
@ -23,8 +23,6 @@ write_files:
myip=$(curl -s http://169.254.169.254/latest/meta-data/local-ipv4)
HOST_CERTS_PATH=/usr/share/ca-certificates
TEMPLATE=/etc/kubernetes/manifests/kube-proxy.yaml
mkdir -p $(dirname ${TEMPLATE})
cat > ${TEMPLATE} <<EOF
@ -23,7 +23,6 @@ write_files:
myip=$(curl -s http://169.254.169.254/latest/meta-data/local-ipv4)
KUBE_CERTS_PATH=/etc/kubernetes/ssl
KUBE_CONFIG_PATH=/etc/kubernetes/config
KUBE_PROTOCOL="https"
KUBE_CONFIG="${KUBE_CONFIG_PATH}/worker-kubeconfig.yaml"
@ -56,17 +55,17 @@ write_files:
securityContext:
privileged: true
volumeMounts:
- mountPath: /etc/kubernetes/config
name: "kubeconfig"
- mountPath: ${KUBE_CONFIG_PATH}
name: kubeconfig
readOnly: true
- mountPath: /etc/kubernetes/ssl
name: "etc-kube-ssl"
- mountPath: ${KUBE_CERTS_PATH}
name: ssl-certs-kubernetes
readOnly: true
volumes:
- name: "kubeconfig"
- name: kubeconfig
hostPath:
path: ${KUBE_CONFIG_PATH}
- name: "etc-kube-ssl"
- name: ssl-certs-kubernetes
hostPath:
path: ${KUBE_CERTS_PATH}
EOF
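Review bot: Besides substituting `${KUBE_CERTS_PATH}` and `${KUBE_CONFIG_PATH}`, this hunk renames the two volumes (`"kubeconfig"` to `kubeconfig`, `"etc-kube-ssl"` to `ssl-certs-kubernetes`) and drops the quotes around the names, which the commit message does not mention. Both the volumeMounts and volumes sides are edited together, so the manifest stays consistent, but a sentence in the commit message would save the next reader the comparison. The heredoc that generates this manifest starts before the hunk.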
@ -23,7 +23,6 @@ write_files:
myip=$(curl -s http://169.254.169.254/latest/meta-data/local-ipv4)
KUBE_CERTS_PATH=/etc/kubernetes/ssl
TLS_CERT_FILE=${KUBE_CERTS_PATH}/worker.pem
TLS_PRIVATE_KEY_FILE=${KUBE_CERTS_PATH}/worker-key.pem
KUBE_PROTOCOL="https"
@ -28,7 +28,6 @@ write_files:
myip=$(curl -s http://169.254.169.254/latest/meta-data/local-ipv4)
ETCD_SERVER_IP=${ETCD_SERVER_IP:-127.0.0.1}
CERT_DIR=/etc/kubernetes/ssl
PROTOCOL=https
if [ "$TLS_DISABLED" = "True" ]; then
@ -44,9 +43,9 @@ write_files:
if [ "$TLS_DISABLED" = "False" ]; then
cat >> $ENV_FILE <<EOF
FLANNELD_ETCD_CAFILE=$CERT_DIR/ca.pem
FLANNELD_ETCD_CERTFILE=$CERT_DIR/worker.pem
FLANNELD_ETCD_KEYFILE=$CERT_DIR/worker-key.pem
FLANNELD_ETCD_CAFILE=${KUBE_CERTS_PATH}/ca.pem
FLANNELD_ETCD_CERTFILE=${KUBE_CERTS_PATH}/worker.pem
FLANNELD_ETCD_KEYFILE=${KUBE_CERTS_PATH}/worker-key.pem
EOF
fi
@ -54,7 +53,7 @@ write_files:
mkdir -p $(dirname $DROP_IN_FILE)
cat > $DROP_IN_FILE <<EOF
[Service]
Environment="ETCD_SSL_DIR=$CERT_DIR"
Environment=ETCD_SSL_DIR=${KUBE_CERTS_PATH}
ExecStartPre=/usr/bin/ln -sf /etc/flannel/options.env /run/flannel/options.env
EOF
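Review bot: The `CERT_DIR=/etc/kubernetes/ssl` assignment is removed in the first hunk, but only the lines inside these three hunks were switched to `${KUBE_CERTS_PATH}`; if the `TLS_DISABLED` branch that begins at the end of the first hunk, or anything else in this fragment outside the hunks, still references `$CERT_DIR`, it now expands to empty. A grep for `CERT_DIR` across the fragment before merging would settle that. The master flannel fragment below has the identical structure and removes the same assignment, so the same check applies there. Minor: the systemd line went from `Environment="ETCD_SSL_DIR=$CERT_DIR"` to the unquoted `Environment=ETCD_SSL_DIR=${KUBE_CERTS_PATH}`; fine for a path without spaces, but keeping the quotes costs nothing.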
@ -28,7 +28,6 @@ write_files:
myip=$(curl -s http://169.254.169.254/latest/meta-data/local-ipv4)
ETCD_SERVER_IP=${ETCD_SERVER_IP:-127.0.0.1}
CERT_DIR=/etc/kubernetes/ssl
PROTOCOL=https
if [ "$TLS_DISABLED" = "True" ]; then
@ -44,9 +43,9 @@ write_files:
if [ "$TLS_DISABLED" = "False" ]; then
cat >> $ENV_FILE <<EOF
FLANNELD_ETCD_CAFILE=$CERT_DIR/ca.pem
FLANNELD_ETCD_CERTFILE=$CERT_DIR/apiserver.pem
FLANNELD_ETCD_KEYFILE=$CERT_DIR/apiserver-key.pem
FLANNELD_ETCD_CAFILE=${KUBE_CERTS_PATH}/ca.pem
FLANNELD_ETCD_CERTFILE=${KUBE_CERTS_PATH}/apiserver.pem
FLANNELD_ETCD_KEYFILE=${KUBE_CERTS_PATH}/apiserver-key.pem
EOF
fi
@ -54,7 +53,7 @@ write_files:
mkdir -p $(dirname $DROP_IN_FILE)
cat > $DROP_IN_FILE <<EOF
[Service]
Environment="ETCD_SSL_DIR=$CERT_DIR"
Environment=ETCD_SSL_DIR=${KUBE_CERTS_PATH}
ExecStartPre=/usr/bin/ln -sf /etc/flannel/options.env /run/flannel/options.env
EOF
@ -42,16 +42,14 @@ write_files:
exit 0
fi
cert_dir=/etc/kubernetes/ssl
cert_conf_dir=${cert_dir}/conf
cert_conf_dir=${KUBE_CERTS_PATH}/conf
mkdir -p "$cert_dir"
mkdir -p "$cert_conf_dir"
mkdir -p ${cert_conf_dir}
CA_CERT=$cert_dir/ca.pem
CLIENT_CERT=$cert_dir/worker.pem
CLIENT_CSR=$cert_dir/worker.csr
CLIENT_KEY=$cert_dir/worker-key.pem
CA_CERT=${KUBE_CERTS_PATH}/ca.pem
CLIENT_CERT=${KUBE_CERTS_PATH}/worker.pem
CLIENT_CSR=${KUBE_CERTS_PATH}/worker.csr
CLIENT_KEY=${KUBE_CERTS_PATH}/worker-key.pem
#Get a token by user credentials and trust
cat > auth.json << EOF
@ -129,5 +127,5 @@ write_files:
$MAGNUM_URL/certificates)
parse_json_response "${client_cert_json}" > ${CLIENT_CERT}
chmod 600 ${cert_dir}/*-key.pem
chown root:root ${cert_dir}/*-key.pem
chmod 600 ${KUBE_CERTS_PATH}/*-key.pem
chown root:root ${KUBE_CERTS_PATH}/*-key.pem
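Review bot: `mkdir -p ${cert_conf_dir}` drops the quoting that the replaced line `mkdir -p "$cert_conf_dir"` had; keep it as `mkdir -p "${cert_conf_dir}"` so the fragment's quoting stays uniform (the new `chmod 600 ${KUBE_CERTS_PATH}/*-key.pem` and `chown root:root ${KUBE_CERTS_PATH}/*-key.pem` lines legitimately leave the glob unquoted). Removing `mkdir -p "$cert_dir"` is fine, since `mkdir -p` of the conf subdirectory creates its parent. The master make-cert fragment below makes the same unquoted change. The enclosing script continues outside these hunks.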
@ -65,16 +65,14 @@ write_files:
fi
sans="${sans},IP:127.0.0.1"
cert_dir=/etc/kubernetes/ssl
cert_conf_dir=${cert_dir}/conf
cert_conf_dir=${KUBE_CERTS_PATH}/conf
mkdir -p "$cert_dir"
mkdir -p "$cert_conf_dir"
mkdir -p ${cert_conf_dir}
CA_CERT=$cert_dir/ca.pem
SERVER_CERT=$cert_dir/apiserver.pem
SERVER_CSR=$cert_dir/apiserver.pem
SERVER_KEY=$cert_dir/apiserver-key.pem
CA_CERT=${KUBE_CERTS_PATH}/ca.pem
SERVER_CERT=${KUBE_CERTS_PATH}/apiserver.pem
SERVER_CSR=${KUBE_CERTS_PATH}/apiserver.pem
SERVER_KEY=${KUBE_CERTS_PATH}/apiserver-key.pem
#Get a token by user credentials and trust
cat > auth.json << EOF
@ -148,6 +146,6 @@ write_files:
$MAGNUM_URL/certificates)
parse_json_response "${server_cert_json}" > ${SERVER_CERT}
chmod 600 ${cert_dir}/*-key.pem
chmod 600 ${KUBE_CERTS_PATH}/*-key.pem
# Certs will also be used by etcd service
chown -R etcd:etcd ${cert_dir}
chown -R etcd:etcd ${KUBE_CERTS_PATH}
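Review bot: `SERVER_CSR=${KUBE_CERTS_PATH}/apiserver.pem` gives the CSR the same path as `SERVER_CERT`, so whatever is written to the CSR path is overwritten once `parse_json_response "${server_cert_json}" > ${SERVER_CERT}` runs; the worker fragment above uses a distinct `worker.csr`. The replaced line carried the same value, so this is pre-existing, but the commit rewrites the line and `SERVER_CSR=${KUBE_CERTS_PATH}/apiserver.csr` would match the worker fragment, unless the CSR is deliberately discarded after submission, which the hunks do not show. The `chown -R etcd:etcd ${KUBE_CERTS_PATH}` line also hands the whole directory, including the conf subdirectory created earlier, to etcd; that was already the case with `${cert_dir}`, just noting it is unchanged in scope. How SERVER_CSR is consumed lies outside these hunks.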
@ -39,3 +39,5 @@ write_files:
INSECURE_REGISTRY_URL="$INSECURE_REGISTRY_URL"
SYSTEM_PODS_INITIAL_DELAY="$SYSTEM_PODS_INITIAL_DELAY"
SYSTEM_PODS_TIMEOUT="$SYSTEM_PODS_TIMEOUT"
KUBE_CERTS_PATH="$KUBE_CERTS_PATH"
HOST_CERTS_PATH="$HOST_CERTS_PATH"
@ -40,3 +40,5 @@ write_files:
TRUSTEE_DOMAIN_ID="$TRUSTEE_DOMAIN_ID"
TRUST_ID="$TRUST_ID"
INSECURE_REGISTRY_URL="$INSECURE_REGISTRY_URL"
KUBE_CERTS_PATH="$KUBE_CERTS_PATH"
HOST_CERTS_PATH="$HOST_CERTS_PATH"
@ -232,6 +232,8 @@ resources:
"$TRUSTEE_PASSWORD": {get_param: trustee_password}
"$TRUST_ID": {get_param: trust_id}
"$AUTH_URL": {get_param: auth_url}
"$KUBE_CERTS_PATH": "/etc/kubernetes/ssl"
"$HOST_CERTS_PATH": "/usr/share/ca-certificates"
configure_etcd:
type: OS::Heat::SoftwareConfig
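Review bot: `"$KUBE_CERTS_PATH": "/etc/kubernetes/ssl"` and `"$HOST_CERTS_PATH": "/usr/share/ca-certificates"` are literal strings in the str_replace params while every neighbouring entry uses `get_param`, and the same two literals are repeated in the second template below. Declaring them as template `parameters` with these defaults and referencing them as, for example, `get_param: kube_certs_path` / `get_param: host_certs_path` keeps each path defined once per template and lets an operator override the location without editing the template. This is a style point; the literals do what the commit message says.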
@ -164,6 +164,8 @@ resources:
"$TRUSTEE_PASSWORD": {get_param: trustee_password}
"$TRUST_ID": {get_param: trust_id}
"$AUTH_URL": {get_param: auth_url}
"$KUBE_CERTS_PATH": "/etc/kubernetes/ssl"
"$HOST_CERTS_PATH": "/usr/share/ca-certificates"
write_kubeconfig:
type: OS::Heat::SoftwareConfig