mirror of
https://github.com/k3s-io/kubernetes.git
synced 2025-07-25 04:33:26 +00:00
Merge pull request #38389 from sttts/sttts-local-cluster-up-on-mac
Automatic merge from submit-queue Fix local-cluster-up on Mac and discovery on all systems - use cfssl on the host, not from Docker. Solves a number of permission problem with selinux and Mac - fix discovery startup
This commit is contained in:
commit
79f497bca7
@ -148,6 +148,14 @@ function test_docker {
|
||||
fi
|
||||
}
|
||||
|
||||
function test_cfssl_installed {
|
||||
if ! command -v cfssl &>/dev/null || ! command -v cfssljson &>/dev/null; then
|
||||
echo "Failed to successfully run 'cfssl', please verify that cfssl and cfssljson are in \$PATH."
|
||||
echo "Hint: export PATH=\$PATH:\$GOPATH/bin; go get -u github.com/cloudflare/cfssl/cmd/..."
|
||||
exit 1
|
||||
fi
|
||||
}
|
||||
|
||||
function test_rkt {
|
||||
if [[ -n "${RKT_PATH}" ]]; then
|
||||
${RKT_PATH} list 2> /dev/null 1> /dev/null
|
||||
@ -362,11 +370,12 @@ function create_client_certkey {
|
||||
SEP=","
|
||||
shift 1
|
||||
done
|
||||
echo "{\"CN\":\"${CN}\",\"names\":[${NAMES}],\"hosts\":[\"\"],\"key\":{\"algo\":\"rsa\",\"size\":2048}}" | docker run -i --entrypoint /bin/bash -v "${CERT_DIR}:/certs" -w /certs cfssl/cfssl:latest -ec "cfssl gencert -ca=${CA}.crt -ca-key=${CA}.key -config=client-ca-config.json - | cfssljson -bare client-${ID}"
|
||||
${CONTROLPLANE_SUDO} /bin/bash -e <<EOF
|
||||
mv "${CERT_DIR}/client-${ID}-key.pem" "${CERT_DIR}/client-${ID}.key"
|
||||
mv "${CERT_DIR}/client-${ID}.pem" "${CERT_DIR}/client-${ID}.crt"
|
||||
rm -f "${CERT_DIR}/client-${ID}.csr"
|
||||
cd ${CERT_DIR}
|
||||
echo '{"CN":"${CN}","names":[${NAMES}],"hosts":[""],"key":{"algo":"rsa","size":2048}}' | cfssl gencert -ca=${CA}.crt -ca-key=${CA}.key -config=client-ca-config.json - | cfssljson -bare client-${ID}
|
||||
mv "client-${ID}-key.pem" "client-${ID}.key"
|
||||
mv "client-${ID}.pem" "client-${ID}.crt"
|
||||
rm -f "client-${ID}.csr"
|
||||
EOF
|
||||
}
|
||||
|
||||
@ -517,12 +526,22 @@ function start_discovery {
|
||||
write_client_kubeconfig discovery-auth
|
||||
|
||||
# grant permission to run delegated authentication and authorization checks
|
||||
kubectl create clusterrolebinding discovery:system:auth-delegator --clusterrole=system:auth-delegator --user=system:discovery-auth
|
||||
if [[ "${ENABLE_RBAC}" = true ]]; then
|
||||
${KUBECTL} ${AUTH_ARGS} create clusterrolebinding discovery:system:auth-delegator --clusterrole=system:auth-delegator --user=system:discovery-auth
|
||||
fi
|
||||
|
||||
curl --silent -k -g $API_HOST:$DISCOVERY_SECURE_PORT
|
||||
if [ ! $? -eq 0 ]; then
|
||||
echo "Kubernetes Discovery secure port is free, proceeding..."
|
||||
else
|
||||
echo "ERROR starting Kubernetes Discovery, exiting. Some process on $API_HOST is serving already on $DISCOVERY_SECURE_PORT"
|
||||
return
|
||||
fi
|
||||
|
||||
DISCOVERY_SERVER_LOG=/tmp/kubernetes-discovery.log
|
||||
${CONTROLPLANE_SUDO} "${GO_OUT}/kubernetes-discovery" \
|
||||
--cert-dir="${CERT_DIR}" \
|
||||
--client-ca-file="${CERT_DIR}/client-ca-bundle.crt" \
|
||||
--client-ca-file="${CERT_DIR}/client-ca.crt" \
|
||||
--authentication-kubeconfig="${CERT_DIR}/discovery-auth.kubeconfig" \
|
||||
--authorization-kubeconfig="${CERT_DIR}/discovery-auth.kubeconfig" \
|
||||
--requestheader-username-headers=X-Remote-User \
|
||||
@ -747,6 +766,7 @@ Logs:
|
||||
${CTLRMGR_LOG:-}
|
||||
${PROXY_LOG:-}
|
||||
${SCHEDULER_LOG:-}
|
||||
${DISCOVERY_SERVER_LOG:-}
|
||||
EOF
|
||||
fi
|
||||
|
||||
@ -794,6 +814,7 @@ if [[ "${START_MODE}" != "kubeletonly" ]]; then
|
||||
fi
|
||||
|
||||
test_openssl_installed
|
||||
test_cfssl_installed
|
||||
|
||||
### IF the user didn't supply an output/ for the build... Then we detect.
|
||||
if [ "$GO_OUT" == "" ]; then
|
||||
|
Loading…
Reference in New Issue
Block a user