update centos deployment scripts call make-ca-cert.sh to generate certs

cluster/centos/config-default.sh

@@ -41,6 +41,9 @@ export SERVICE_CLUSTER_IP_RANGE=${SERVICE_CLUSTER_IP_RANGE:-"192.168.3.0/24"}
 # define the IP range used for flannel overlay network, should not conflict with above SERVICE_CLUSTER_IP_RANGE
 export FLANNEL_NET=${FLANNEL_NET:-"172.16.0.0/16"}
 
+# Admission Controllers to invoke prior to persisting objects in cluster
+export ADMISSION_CONTROL=NamespaceLifecycle,NamespaceExists,LimitRanger,ServiceAccount,ResourceQuota,SecurityContextDeny
+
 # Extra options to set on the Docker command line.
 # This is useful for setting --insecure-registry for local registries.
 export DOCKER_OPTS=${DOCKER_OPTS:-""} 

cluster/centos/master/scripts/apiserver.sh

@@ -18,6 +18,7 @@
 MASTER_ADDRESS=${1:-"8.8.8.18"}
 ETCD_SERVERS=${2:-"http://8.8.8.18:4001"}
 SERVICE_CLUSTER_IP_RANGE=${3:-"10.10.10.0/24"}
+ADMISSION_CONTROL=${4:-""}
 
 cat <<EOF >/opt/kubernetes/cfg/kube-apiserver
 # --logtostderr=true: log to standard error instead of files
@@ -52,8 +53,21 @@ KUBE_SERVICE_ADDRESSES="--service-cluster-ip-range=${SERVICE_CLUSTER_IP_RANGE}"
 #   LimitRanger, AlwaysDeny, SecurityContextDeny, NamespaceExists, 
 #   NamespaceLifecycle, NamespaceAutoProvision, DenyExecOnPrivileged, 
 #   AlwaysAdmit, ServiceAccount, ResourceQuota
-#KUBE_ADMISSION_CONTROL=""
+#KUBE_ADMISSION_CONTROL="--admission-control=\"${ADMISSION_CONTROL}\""
 
+# --client-ca-file="": If set, any request presenting a client certificate signed
+# by one of the authorities in the client-ca-file is authenticated with an identity
+# corresponding to the CommonName of the client certificate.
+KUBE_API_CLIENT_CA_FILE="--client-ca-file=/srv/kubernetes/ca.crt"
+
+# --tls-cert-file="": File containing x509 Certificate for HTTPS.  (CA cert, if any,
+# concatenated after server cert). If HTTPS serving is enabled, and --tls-cert-file
+# and --tls-private-key-file are not provided, a self-signed certificate and key are
+# generated for the public address and saved to /var/run/kubernetes.
+KUBE_API_TLS_CERT_FILE="--tls-cert-file=/srv/kubernetes/server.cert"
+
+# --tls-private-key-file="": File containing x509 private key matching --tls-cert-file.
+KUBE_API_TLS_PRIVATE_KEY_FILE="--tls-private-key-file=/srv/kubernetes/server.key"
 EOF
 
 KUBE_APISERVER_OPTS="   \${KUBE_LOGTOSTDERR}         \\
@@ -63,7 +77,10 @@ KUBE_APISERVER_OPTS="   \${KUBE_LOGTOSTDERR}         \\
                         \${KUBE_API_PORT}            \\
                         \${MINION_PORT}              \\
                         \${KUBE_ALLOW_PRIV}          \\
-                        \${KUBE_SERVICE_ADDRESSES}"
+                        \${KUBE_SERVICE_ADDRESSES}   \\
+                        \${KUBE_API_CLIENT_CA_FILE}  \\
+                        \${KUBE_API_TLS_CERT_FILE}   \\
+                        \${KUBE_API_TLS_PRIVATE_KEY_FILE}"
 
 
 cat <<EOF >/usr/lib/systemd/system/kube-apiserver.service

cluster/centos/master/scripts/controller-manager.sh

@@ -22,11 +22,20 @@ KUBE_LOGTOSTDERR="--logtostderr=true"
 KUBE_LOG_LEVEL="--v=4"
 KUBE_MASTER="--master=${MASTER_ADDRESS}:8080"
 
+# --root-ca-file="": If set, this root certificate authority will be included in
+# service account's token secret. This must be a valid PEM-encoded CA bundle.
+KUBE_CONTROLLER_MANAGER_ROOT_CA_FILE="--root-ca-file=/srv/kubernetes/ca.crt"
+
+# --service-account-private-key-file="": Filename containing a PEM-encoded private
+# RSA key used to sign service account tokens.
+KUBE_CONTROLLER_MANAGER_SERVICE_ACCOUNT_PRIVATE_KEY_FILE="--service-account-private-key-file=/srv/kubernetes/server.key"
 EOF
 
 KUBE_CONTROLLER_MANAGER_OPTS="  \${KUBE_LOGTOSTDERR} \\
                                 \${KUBE_LOG_LEVEL}   \\
-                                \${KUBE_MASTER}"
+                                \${KUBE_MASTER}      \\
+                                \${KUBE_CONTROLLER_MANAGER_ROOT_CA_FILE} \\
+                                \${KUBE_CONTROLLER_MANAGER_SERVICE_ACCOUNT_PRIVATE_KEY_FILE}"
 
 cat <<EOF >/usr/lib/systemd/system/kube-controller-manager.service
 [Unit]

cluster/centos/util.sh

@@ -150,7 +150,7 @@ function verify-master() {
         validated="1"
         ((try_count=try_count+2))
         if [[ ${try_count} -gt ${PROCESS_CHECK_TIMEOUT} ]]; then
-          printf "\nWarning: Process \"${daemon}\" status check timeout, please check manually.\n"
+          printf "\nWarning: Process \"${daemon}\" failed to run on ${MASTER}, please check.\n"
           exit 1
         fi
         sleep 2
@@ -178,7 +178,7 @@ function verify-minion() {
         validated="1"
         ((try_count=try_count+2))
         if [[ ${try_count} -gt ${PROCESS_CHECK_TIMEOUT} ]] ; then
-          printf "\nWarning: Process \"${daemon}\" status check timeout, please check manually.\n"
+          printf "\nWarning: Process \"${daemon}\" failed to run on ${1}, please check.\n"
           exit 1
         fi
         sleep 2
@@ -237,13 +237,14 @@ function provision-master() {
   ensure-setup-dir ${MASTER}
 
   # scp -r ${SSH_OPTS} master config-default.sh copy-files.sh util.sh "${MASTER}:${KUBE_TEMP}" 
-  kube-scp ${MASTER} "${ROOT}/binaries/master ${ROOT}/master ${ROOT}/config-default.sh ${ROOT}/util.sh" "${KUBE_TEMP}" 
+  kube-scp ${MASTER} "${ROOT}/../saltbase/salt/generate-cert/make-ca-cert.sh ${ROOT}/binaries/master ${ROOT}/master ${ROOT}/config-default.sh ${ROOT}/util.sh" "${KUBE_TEMP}" 
   (
     echo "cp -r ${KUBE_TEMP}/master/bin /opt/kubernetes"
     echo "chmod -R +x /opt/kubernetes/bin"
 
+    echo "bash ${KUBE_TEMP}/make-ca-cert.sh ${master_ip} IP:${master_ip},IP:${SERVICE_CLUSTER_IP_RANGE%.*}.1,DNS:kubernetes,DNS:kubernetes.default,DNS:kubernetes.default.svc,DNS:kubernetes.default.svc.cluster.local"
     echo "bash ${KUBE_TEMP}/master/scripts/etcd.sh"
-    echo "bash ${KUBE_TEMP}/master/scripts/apiserver.sh ${master_ip} ${ETCD_SERVERS} ${SERVICE_CLUSTER_IP_RANGE}"
+    echo "bash ${KUBE_TEMP}/master/scripts/apiserver.sh ${master_ip} ${ETCD_SERVERS} ${SERVICE_CLUSTER_IP_RANGE} ${ADMISSION_CONTROL}"
     echo "bash ${KUBE_TEMP}/master/scripts/controller-manager.sh ${master_ip}"
     echo "bash ${KUBE_TEMP}/master/scripts/scheduler.sh ${master_ip}"
 
@@ -265,10 +266,10 @@ function provision-minion() {
   local master_ip=${MASTER#*@}
   local minion=$1
   local minion_ip=${minion#*@}
-  ensure-setup-dir ${minion_ip}
+  ensure-setup-dir ${minion}
 
   # scp -r ${SSH_OPTS} minion config-default.sh copy-files.sh util.sh "${minion_ip}:${KUBE_TEMP}" 
-  kube-scp ${minion_ip} "${ROOT}/binaries/minion ${ROOT}/minion ${ROOT}/config-default.sh ${ROOT}/util.sh" ${KUBE_TEMP}
+  kube-scp ${minion} "${ROOT}/binaries/minion ${ROOT}/minion ${ROOT}/config-default.sh ${ROOT}/util.sh" ${KUBE_TEMP}
   (
     echo "cp -r ${KUBE_TEMP}/minion/bin /opt/kubernetes"
     echo "chmod -R +x /opt/kubernetes/bin"
@@ -278,7 +279,7 @@ function provision-minion() {
     echo "bash ${KUBE_TEMP}/minion/scripts/kubelet.sh ${master_ip} ${minion_ip}"
     echo "bash ${KUBE_TEMP}/minion/scripts/proxy.sh ${master_ip}"
 
-  ) | kube-ssh "${minion_ip}"
+  ) | kube-ssh "${minion}"
 }
 
 # Create dirs that'll be used during setup on target machine.
@@ -297,7 +298,7 @@ function ensure-setup-dir() {
 function kube-ssh() {
   local host="$1"
   shift
-  ssh ${SSH_OPTS-} "${host}" "$@" >/dev/null 2>&1
+  ssh ${SSH_OPTS-} "${host}" "$@" # >/dev/null 2>&1
 }
 
 # Copy file recursively over ssh