From 2feb658ed7a6a9f9726b04ac4c890b5dee14c0a8 Mon Sep 17 00:00:00 2001
From: Robert Bailey
Date: Fri, 22 May 2015 14:31:30 -0700
Subject: [PATCH 1/2] Distribute the cluster CA cert to cluster addon pods through the kubeconfig file.
Use the $KUBERNETES_MASTER_NAME from the kube-env for skydns, because it can't use the service name.
---
 cluster/addons/dns/skydns-rc.yaml.in | 1 -
 cluster/gce/coreos/helper.sh | 1 +
 cluster/gce/debian/helper.sh | 2 +-
 .../saltbase/salt/kube-addons/kube-addons.sh | 55 ++++++++++++++++---
 4 files changed, 50 insertions(+), 9 deletions(-)
diff --git a/cluster/addons/dns/skydns-rc.yaml.in b/cluster/addons/dns/skydns-rc.yaml.in
index 17f792d06b9..69dd8423093 100644
--- a/cluster/addons/dns/skydns-rc.yaml.in
+++ b/cluster/addons/dns/skydns-rc.yaml.in
@@ -35,7 +35,6 @@ spec:
 # command = "/kube2sky"
 - -domain={{ pillar['dns_domain'] }}
 - -kubecfg_file=/etc/dns_token/kubeconfig
- - -kube_master_url=https://${KUBERNETES_SERVICE_HOST}:${KUBERNETES_SERVICE_PORT}
 volumeMounts:
 - mountPath: /etc/dns_token
 name: dns-token
diff --git a/cluster/gce/coreos/helper.sh b/cluster/gce/coreos/helper.sh
index 654329ca5db..3901666ca5b 100644
--- a/cluster/gce/coreos/helper.sh
+++ b/cluster/gce/coreos/helper.sh
@@ -51,6 +51,7 @@ KUBELET_TOKEN: $(yaml-quote ${KUBELET_TOKEN:-})
 KUBE_PROXY_TOKEN: $(yaml-quote ${KUBE_PROXY_TOKEN:-})
 ADMISSION_CONTROL: $(yaml-quote ${ADMISSION_CONTROL:-})
 MASTER_IP_RANGE: $(yaml-quote ${MASTER_IP_RANGE})
+KUBERNETES_MASTER_NAME=$(yaml-quote ${MASTER_NAME})
 KUBERNETES_CONTAINER_RUNTIME: $(yaml-quote ${CONTAINER_RUNTIME})
 RKT_VERSION: $(yaml-quote ${RKT_VERSION})
 CA_CERT: $(yaml-quote ${CA_CERT_BASE64})
diff --git a/cluster/gce/debian/helper.sh b/cluster/gce/debian/helper.sh
index ed6b73e152d..264c4259eea 100644
--- a/cluster/gce/debian/helper.sh
+++ b/cluster/gce/debian/helper.sh 
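Review bot: The new kube-env line in cluster/gce/coreos/helper.sh uses `=` where every neighbouring entry (and the debian helper's copy of the same line in this patch) uses the `: ` YAML separator, so the generated file will carry `KUBERNETES_MASTER_NAME="<name>"` as a bare scalar inside a mapping instead of a key/value pair and the key is never exposed — or the whole kube-env fails to parse. Change it to `KUBERNETES_MASTER_NAME: $(yaml-quote ${MASTER_NAME})`. Since kube2sky now depends on a master URL that is presumably derived from this key by the kube-addons.sh change (not in view here), a CoreOS cluster would otherwise lose cluster DNS silently. Unlike `KUBELET_TOKEN`, `${MASTER_NAME}` has no `:-` default; if that is meant as a hard requirement, a one-line comment saying so would help whoever next copies this block.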
@@ -30,6 +30,7 @@ CLUSTER_IP_RANGE: $(yaml-quote ${CLUSTER_IP_RANGE:-10.244.0.0/16})
 SERVER_BINARY_TAR_URL: $(yaml-quote ${SERVER_BINARY_TAR_URL})
 SALT_TAR_URL: $(yaml-quote ${SALT_TAR_URL})
 SERVICE_CLUSTER_IP_RANGE: $(yaml-quote ${SERVICE_CLUSTER_IP_RANGE})
+KUBERNETES_MASTER_NAME: $(yaml-quote ${MASTER_NAME})
 ALLOCATE_NODE_CIDRS: $(yaml-quote ${ALLOCATE_NODE_CIDRS:-false})
 ENABLE_CLUSTER_MONITORING: $(yaml-quote ${ENABLE_CLUSTER_MONITORING:-none})
 ENABLE_NODE_MONITORING: $(yaml-quote ${ENABLE_NODE_MONITORING:-false})
@@ -68,7 +69,6 @@ EOF
 # Node-only env vars.
 cat >>$file <
Date: Mon, 8 Jun 2015 14:00:01 -0700
Subject: [PATCH 2/2] Add 'kubernetes' (the service name) and the master name as SANs on the master's certificate.
---
 cluster/gce/util.sh | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/cluster/gce/util.sh b/cluster/gce/util.sh
index 5ebe3546151..54de81ee9bb 100755
--- a/cluster/gce/util.sh
+++ b/cluster/gce/util.sh
@@ -541,7 +541,7 @@ function create-certs {
 cd easy-rsa-master/easyrsa3
 ./easyrsa init-pki > /dev/null 2>&1
 ./easyrsa --batch "--req-cn=${cert_ip}@$(date +%s)" build-ca nopass > /dev/null 2>&1
- ./easyrsa --subject-alt-name=IP:"${cert_ip}" build-server-full "${MASTER_NAME}" nopass > /dev/null 2>&1
+ ./easyrsa --subject-alt-name=IP:"${cert_ip}",DNS:kubernetes,DNS:"${MASTER_NAME}" build-server-full "${MASTER_NAME}" nopass > /dev/null 2>&1
 ./easyrsa build-client-full kubelet nopass > /dev/null 2>&1
 ./easyrsa build-client-full kubecfg nopass > /dev/null 2>&1) || {
 # If there was an error in the subshell, just die.
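Review bot: The extended SAN list on the `build-server-full` line still omits the names and address in-cluster clients typically present: a pod outside the `default` namespace reaches the API as `kubernetes.default` or `kubernetes.default.svc.<dns_domain>`, and anything that uses `KUBERNETES_SERVICE_HOST` connects by the service ClusterIP, none of which match `kubernetes`, `${MASTER_NAME}` or the external `${cert_ip}`, so those clients fail hostname verification — presumably why PATCH 1/2 drops kube2sky's `-kube_master_url=https://${KUBERNETES_SERVICE_HOST}:...` flag rather than keeping it. If the DNS domain and the first address of `SERVICE_CLUSTER_IP_RANGE` are available inside create-certs (not visible in this hunk), extend the option to `--subject-alt-name=IP:"${cert_ip}",IP:"<service cluster ip>",DNS:kubernetes,DNS:kubernetes.default,DNS:kubernetes.default.svc,DNS:kubernetes.default.svc."<dns_domain>",DNS:"${MASTER_NAME}"`. A comment above the line, `# Every name or IP a client may use to reach the apiserver must be a SAN here; a missing one pushes callers toward disabling TLS verification.`, would record why the list exists. The subshell and its `|| {` error handler start and end outside the hunk.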