generate kubelet auth cert on upgrades
This commit is contained in:
parent
d64434c056
commit
19a68ef51c
@ -88,6 +88,7 @@ function upgrade-master() {
|
|||||||
|
|
||||||
detect-master
|
detect-master
|
||||||
parse-master-env
|
parse-master-env
|
||||||
|
backfile-kubeletauth-certs
|
||||||
|
|
||||||
# Delete the master instance. Note that the master-pd is created
|
# Delete the master instance. Note that the master-pd is created
|
||||||
# with auto-delete=no, so it should not be deleted.
|
# with auto-delete=no, so it should not be deleted.
|
||||||
@ -101,6 +102,51 @@ function upgrade-master() {
|
|||||||
wait-for-master
|
wait-for-master
|
||||||
}
|
}
|
||||||
|
|
||||||
|
# TODO(mikedanese): delete when we don't support < 1.6
|
||||||
|
function backfile-kubeletauth-certs() {
|
||||||
|
if [[ ! -z "${KUBEAPISERVER_CERT_BASE64:-}" && ! -z "${KUBEAPISERVER_CERT_BASE64:-}" ]]; then
|
||||||
|
return 0
|
||||||
|
fi
|
||||||
|
|
||||||
|
mkdir -p "${KUBE_TEMP}/pki"
|
||||||
|
echo "${CA_KEY_BASE64}" | base64 -d > "${KUBE_TEMP}/pki/ca.key"
|
||||||
|
echo "${CA_CERT_BASE64}" | base64 -d > "${KUBE_TEMP}/pki/ca.crt"
|
||||||
|
(cd "${KUBE_TEMP}/pki"
|
||||||
|
download-cfssl
|
||||||
|
cat <<EOF > ca-config.json
|
||||||
|
{
|
||||||
|
"signing": {
|
||||||
|
"client": {
|
||||||
|
"expiry": "43800h",
|
||||||
|
"usages": [
|
||||||
|
"signing",
|
||||||
|
"key encipherment",
|
||||||
|
"client auth"
|
||||||
|
]
|
||||||
|
}
|
||||||
|
}
|
||||||
|
}
|
||||||
|
EOF
|
||||||
|
# the name kube-apiserver is bound to the node proxy
|
||||||
|
# subpaths required for the apiserver to hit proxy
|
||||||
|
# endpoints on the kubelet's handler.
|
||||||
|
cat <<EOF \
|
||||||
|
| "${KUBE_TEMP}/cfssl/cfssl" gencert \
|
||||||
|
-ca=ca.crt \
|
||||||
|
-ca-key=ca.key \
|
||||||
|
-config=ca-config.json \
|
||||||
|
-profile=client \
|
||||||
|
- \
|
||||||
|
| "${KUBE_TEMP}/cfssl/cfssljson" -bare kube-apiserver
|
||||||
|
{
|
||||||
|
"CN": "kube-apiserver"
|
||||||
|
}
|
||||||
|
EOF
|
||||||
|
)
|
||||||
|
KUBEAPISERVER_CERT_BASE64=$(cat "${KUBE_TEMP}/pki/kube-apiserver.pem" | base64 | tr -d '\r\n')
|
||||||
|
KUBEAPISERVER_KEY_BASE64=$(cat "${KUBE_TEMP}/pki/kube-apiserver-key.pem" | base64 | tr -d '\r\n')
|
||||||
|
}
|
||||||
|
|
||||||
function wait-for-master() {
|
function wait-for-master() {
|
||||||
echo "== Waiting for new master to respond to API requests =="
|
echo "== Waiting for new master to respond to API requests =="
|
||||||
|
|
||||||
|
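Review bot: The early-return guard at the top of backfile-kubeletauth-certs tests KUBEAPISERVER_CERT_BASE64 twice and never looks at KUBEAPISERVER_KEY_BASE64, so an environment that already carries the cert but not the key skips regeneration and leaves the key variable empty; the condition should read `if [[ -n "${KUBEAPISERVER_CERT_BASE64:-}" && -n "${KUBEAPISERVER_KEY_BASE64:-}" ]]; then`. The CA private key is decoded into "${KUBE_TEMP}/pki/ca.key" under whatever umask the caller happens to have, and the generated kube-apiserver-key.pem remains on disk after the two base64 variables are filled; opening the subshell with `(umask 077; cd "${KUBE_TEMP}/pki"` and removing the pki directory once the variables are set would keep the key material confined. Whether a failure inside the cfssl pipeline aborts the upgrade depends on a set -e elsewhere in the file, which is not visible in this hunk; without it the following cat of kube-apiserver.pem silently produces empty variables that the guard on re-entry would then treat as missing. The function name also reads like a typo for backfill-kubeletauth-certs, which affects the call site in the first hunk as well.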