update centos deployment scripts call make-ca-cert.sh to generate certs

2026-01-04 23:17:50 +00:00 · 2015-09-02 15:35:48 +00:00
parent 5f985045f4
commit 4e2613575d
4 changed files with 41 additions and 11 deletions
--- a/cluster/centos/master/scripts/apiserver.sh
+++ b/cluster/centos/master/scripts/apiserver.sh
@@ -18,6 +18,7 @@
 MASTER_ADDRESS=${1:-"8.8.8.18"}
 ETCD_SERVERS=${2:-"http://8.8.8.18:4001"}
 SERVICE_CLUSTER_IP_RANGE=${3:-"10.10.10.0/24"}
+ADMISSION_CONTROL=${4:-""}

 cat <<EOF >/opt/kubernetes/cfg/kube-apiserver
 # --logtostderr=true: log to standard error instead of files
@@ -52,8 +53,21 @@ KUBE_SERVICE_ADDRESSES="--service-cluster-ip-range=${SERVICE_CLUSTER_IP_RANGE}"
 #   LimitRanger, AlwaysDeny, SecurityContextDeny, NamespaceExists, 
 #   NamespaceLifecycle, NamespaceAutoProvision, DenyExecOnPrivileged, 
 #   AlwaysAdmit, ServiceAccount, ResourceQuota
-#KUBE_ADMISSION_CONTROL=""
+#KUBE_ADMISSION_CONTROL="--admission-control=\"${ADMISSION_CONTROL}\""

+# --client-ca-file="": If set, any request presenting a client certificate signed
+# by one of the authorities in the client-ca-file is authenticated with an identity
+# corresponding to the CommonName of the client certificate.
+KUBE_API_CLIENT_CA_FILE="--client-ca-file=/srv/kubernetes/ca.crt"
+
+# --tls-cert-file="": File containing x509 Certificate for HTTPS.  (CA cert, if any,
+# concatenated after server cert). If HTTPS serving is enabled, and --tls-cert-file
+# and --tls-private-key-file are not provided, a self-signed certificate and key are
+# generated for the public address and saved to /var/run/kubernetes.
+KUBE_API_TLS_CERT_FILE="--tls-cert-file=/srv/kubernetes/server.cert"
+
+# --tls-private-key-file="": File containing x509 private key matching --tls-cert-file.
+KUBE_API_TLS_PRIVATE_KEY_FILE="--tls-private-key-file=/srv/kubernetes/server.key"
 EOF

 KUBE_APISERVER_OPTS="   \${KUBE_LOGTOSTDERR}         \\
@@ -63,7 +77,10 @@ KUBE_APISERVER_OPTS="   \${KUBE_LOGTOSTDERR}         \\
                        \${KUBE_API_PORT}            \\
                        \${MINION_PORT}              \\
                        \${KUBE_ALLOW_PRIV}          \\
-                        \${KUBE_SERVICE_ADDRESSES}"
+                        \${KUBE_SERVICE_ADDRESSES}   \\
+                        \${KUBE_API_CLIENT_CA_FILE}  \\
+                        \${KUBE_API_TLS_CERT_FILE}   \\
+                        \${KUBE_API_TLS_PRIVATE_KEY_FILE}"


 cat <<EOF >/usr/lib/systemd/system/kube-apiserver.service
--- a/cluster/centos/master/scripts/controller-manager.sh
+++ b/cluster/centos/master/scripts/controller-manager.sh
@@ -22,11 +22,20 @@ KUBE_LOGTOSTDERR="--logtostderr=true"
 KUBE_LOG_LEVEL="--v=4"
 KUBE_MASTER="--master=${MASTER_ADDRESS}:8080"

+# --root-ca-file="": If set, this root certificate authority will be included in
+# service account's token secret. This must be a valid PEM-encoded CA bundle.
+KUBE_CONTROLLER_MANAGER_ROOT_CA_FILE="--root-ca-file=/srv/kubernetes/ca.crt"
+
+# --service-account-private-key-file="": Filename containing a PEM-encoded private
+# RSA key used to sign service account tokens.
+KUBE_CONTROLLER_MANAGER_SERVICE_ACCOUNT_PRIVATE_KEY_FILE="--service-account-private-key-file=/srv/kubernetes/server.key"
 EOF

 KUBE_CONTROLLER_MANAGER_OPTS="  \${KUBE_LOGTOSTDERR} \\
                                \${KUBE_LOG_LEVEL}   \\
-                                \${KUBE_MASTER}"
+                                \${KUBE_MASTER}      \\
+                                \${KUBE_CONTROLLER_MANAGER_ROOT_CA_FILE} \\
+                                \${KUBE_CONTROLLER_MANAGER_SERVICE_ACCOUNT_PRIVATE_KEY_FILE}"

 cat <<EOF >/usr/lib/systemd/system/kube-controller-manager.service
 [Unit]