github/kubernetes
1
0
Fork 0
mirror of https://github.com/k3s-io/kubernetes.git synced 2025-07-23 19:56:01 +00:00
Code Issues Projects Releases Wiki Activity

Distribute the cluster CA cert to cluster addon pods through

Browse Source 
the kubeconfig file. Use the $KUBERNETES_MASTER_NAME from the
kube-env for skydns, because it can't use the service name.
This commit is contained in:
Robert Bailey 2015-05-22 14:31:30 -07:00
parent b68e08f55f
commit 2feb658ed7
4 changed files with 50 additions and 9 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

1
cluster/addons/dns/skydns-rc.yaml.in
View File

@ -35,7 +35,6 @@ spec:
# command = "/kube2sky" # command = "/kube2sky"
- -domain={{ pillar['dns_domain'] }} - -domain={{ pillar['dns_domain'] }}
- -kubecfg_file=/etc/dns_token/kubeconfig - -kubecfg_file=/etc/dns_token/kubeconfig
- -kube_master_url=https://${KUBERNETES_SERVICE_HOST}:${KUBERNETES_SERVICE_PORT}
volumeMounts: volumeMounts:
- mountPath: /etc/dns_token - mountPath: /etc/dns_token
name: dns-token name: dns-token

1
cluster/gce/coreos/helper.sh
View File

@ -51,6 +51,7 @@ KUBELET_TOKEN: $(yaml-quote ${KUBELET_TOKEN:-})
KUBE_PROXY_TOKEN: $(yaml-quote ${KUBE_PROXY_TOKEN:-}) KUBE_PROXY_TOKEN: $(yaml-quote ${KUBE_PROXY_TOKEN:-})
ADMISSION_CONTROL: $(yaml-quote ${ADMISSION_CONTROL:-}) ADMISSION_CONTROL: $(yaml-quote ${ADMISSION_CONTROL:-})
MASTER_IP_RANGE: $(yaml-quote ${MASTER_IP_RANGE}) MASTER_IP_RANGE: $(yaml-quote ${MASTER_IP_RANGE})
KUBERNETES_MASTER_NAME=$(yaml-quote ${MASTER_NAME})
KUBERNETES_CONTAINER_RUNTIME: $(yaml-quote ${CONTAINER_RUNTIME}) KUBERNETES_CONTAINER_RUNTIME: $(yaml-quote ${CONTAINER_RUNTIME})
RKT_VERSION: $(yaml-quote ${RKT_VERSION}) RKT_VERSION: $(yaml-quote ${RKT_VERSION})
CA_CERT: $(yaml-quote ${CA_CERT_BASE64}) CA_CERT: $(yaml-quote ${CA_CERT_BASE64})

2
cluster/gce/debian/helper.sh
View File

@ -30,6 +30,7 @@ CLUSTER_IP_RANGE: $(yaml-quote ${CLUSTER_IP_RANGE:-10.244.0.0/16})
SERVER_BINARY_TAR_URL: $(yaml-quote ${SERVER_BINARY_TAR_URL}) SERVER_BINARY_TAR_URL: $(yaml-quote ${SERVER_BINARY_TAR_URL})
SALT_TAR_URL: $(yaml-quote ${SALT_TAR_URL}) SALT_TAR_URL: $(yaml-quote ${SALT_TAR_URL})
SERVICE_CLUSTER_IP_RANGE: $(yaml-quote ${SERVICE_CLUSTER_IP_RANGE}) SERVICE_CLUSTER_IP_RANGE: $(yaml-quote ${SERVICE_CLUSTER_IP_RANGE})
KUBERNETES_MASTER_NAME: $(yaml-quote ${MASTER_NAME})
ALLOCATE_NODE_CIDRS: $(yaml-quote ${ALLOCATE_NODE_CIDRS:-false}) ALLOCATE_NODE_CIDRS: $(yaml-quote ${ALLOCATE_NODE_CIDRS:-false})
ENABLE_CLUSTER_MONITORING: $(yaml-quote ${ENABLE_CLUSTER_MONITORING:-none}) ENABLE_CLUSTER_MONITORING: $(yaml-quote ${ENABLE_CLUSTER_MONITORING:-none})
ENABLE_NODE_MONITORING: $(yaml-quote ${ENABLE_NODE_MONITORING:-false}) ENABLE_NODE_MONITORING: $(yaml-quote ${ENABLE_NODE_MONITORING:-false})
@ -68,7 +69,6 @@ EOF
# Node-only env vars. # Node-only env vars.
cat >>$file <<EOF cat >>$file <<EOF
KUBERNETES_MASTER: "false" KUBERNETES_MASTER: "false"
KUBERNETES_MASTER_NAME: $(yaml-quote ${MASTER_NAME})
ZONE: $(yaml-quote ${ZONE}) ZONE: $(yaml-quote ${ZONE})
EXTRA_DOCKER_OPTS: $(yaml-quote ${EXTRA_DOCKER_OPTS}) EXTRA_DOCKER_OPTS: $(yaml-quote ${EXTRA_DOCKER_OPTS})
ENABLE_DOCKER_REGISTRY_CACHE: $(yaml-quote ${ENABLE_DOCKER_REGISTRY_CACHE:-false}) ENABLE_DOCKER_REGISTRY_CACHE: $(yaml-quote ${ENABLE_DOCKER_REGISTRY_CACHE:-false})

55
cluster/saltbase/salt/kube-addons/kube-addons.sh
View File

@ -22,14 +22,14 @@ KUBECTL=/usr/local/bin/kubectl
function create-kubeconfig-secret() { function create-kubeconfig-secret() {
local -r token=$1 local -r token=$1
local -r username=$2 local -r username=$2
local -r server=$3
local -r safe_username=$(tr -s ':_' '--' <<< "${username}") local -r safe_username=$(tr -s ':_' '--' <<< "${username}")
# Make a kubeconfig file with the token. # Make a kubeconfig file with the token.
# TODO(etune): put apiserver certs into secret too, and reference from authfile, if [[ ! -z "${CA_CERT:-}" ]]; then
# so that "Insecure" is not needed. # If the CA cert is available, put it into the secret rather than using
# Point the kubeconfig file at https://kubernetes:443. Pods/components that # insecure-skip-tls-verify.
# do not have DNS available will have to override the server. read -r -d '' kubeconfig <<EOF
read -r -d '' kubeconfig <<EOF
apiVersion: v1 apiVersion: v1
kind: Config kind: Config
users: users:
@ -39,7 +39,27 @@ users:
clusters: clusters:
- name: local - name: local
cluster: cluster:
server: "https://kubernetes:443" server: ${server}
certificate-authority-data: ${CA_CERT}
contexts:
- context:
cluster: local
user: ${username}
name: service-account-context
current-context: service-account-context
EOF
else
read -r -d '' kubeconfig <<EOF
apiVersion: v1
kind: Config
users:
- name: ${username}
user:
token: ${token}
clusters:
- name: local
cluster:
server: ${server}
insecure-skip-tls-verify: true insecure-skip-tls-verify: true
contexts: contexts:
- context: - context:
@ -48,6 +68,8 @@ contexts:
name: service-account-context name: service-account-context
current-context: service-account-context current-context: service-account-context
EOF EOF
fi
local -r kubeconfig_base64=$(echo "${kubeconfig}" | base64 -w0) local -r kubeconfig_base64=$(echo "${kubeconfig}" | base64 -w0)
read -r -d '' secretyaml <<EOF read -r -d '' secretyaml <<EOF
apiVersion: v1beta3 apiVersion: v1beta3
@ -98,6 +120,18 @@ function create-resource-from-string() {
# managed result is of that. Start everything below that directory. # managed result is of that. Start everything below that directory.
echo "== Kubernetes addon manager started at $(date -Is) ==" echo "== Kubernetes addon manager started at $(date -Is) =="
# Load the kube-env, which has all the environment variables we care
# about, in a flat yaml format.
kube_env_yaml="/var/cache/kubernetes-install/kube_env.yaml"
if [ ! -e "${kubelet_kubeconfig_file}" ]; then
eval $(python -c '''
import pipes,sys,yaml
for k,v in yaml.load(sys.stdin).iteritems():
print "readonly {var}={value}".format(var = k, value = pipes.quote(str(v)))
''' < "${kube_env_yaml}")
fi
# Generate secrets for "internal service accounts". # Generate secrets for "internal service accounts".
# TODO(etune): move to a completely yaml/object based # TODO(etune): move to a completely yaml/object based
# workflow so that service accounts can be created # workflow so that service accounts can be created
@ -110,7 +144,14 @@ while read line; do
IFS=',' read -a parts <<< "${line}" IFS=',' read -a parts <<< "${line}"
token=${parts[0]} token=${parts[0]}
username=${parts[1]} username=${parts[1]}
create-kubeconfig-secret "${token}" "${username}" # DNS is special, since it's necessary for cluster bootstrapping.
if [[ "${username}" == "system:dns" ]] && [[ ! -z "${KUBERNETES_MASTER_NAME:-}" ]]; then
create-kubeconfig-secret "${token}" "${username}" "https://${KUBERNETES_MASTER_NAME}"
else
# Set the server to https://kubernetes. Pods/components that
# do not have DNS available will have to override the server.
create-kubeconfig-secret "${token}" "${username}" "https://kubernetes"
fi
done < /srv/kubernetes/known_tokens.csv done < /srv/kubernetes/known_tokens.csv
# Create admission_control objects if defined before any other addon services. If the limits # Create admission_control objects if defined before any other addon services. If the limits