aggr: don't write empty CA files
Right now, if the metadata is not supplied, we write an empty file for these certs. We should just fail.
This commit is contained in:
parent
ebf24c14a9
commit
9ee240dfcf
@ -324,17 +324,20 @@ function create-master-pki {
|
|||||||
ln -sf "${APISERVER_SERVER_KEY_PATH}" /etc/srv/kubernetes/server.key
|
ln -sf "${APISERVER_SERVER_KEY_PATH}" /etc/srv/kubernetes/server.key
|
||||||
ln -sf "${APISERVER_SERVER_CERT_PATH}" /etc/srv/kubernetes/server.cert
|
ln -sf "${APISERVER_SERVER_CERT_PATH}" /etc/srv/kubernetes/server.cert
|
||||||
|
|
||||||
AGGREGATOR_CA_KEY_PATH="${pki_dir}/aggr_ca.key"
|
|
||||||
echo "${AGGREGATOR_CA_KEY:-}" | base64 --decode > "${AGGREGATOR_CA_KEY_PATH}"
|
|
||||||
|
|
||||||
REQUESTHEADER_CA_CERT_PATH="${pki_dir}/aggr_ca.crt"
|
if [[ ! -z "${REQUESTHEADER_CA_CERT:-}" ]]; then
|
||||||
echo "${REQUESTHEADER_CA_CERT:-}" | base64 --decode > "${REQUESTHEADER_CA_CERT_PATH}"
|
AGGREGATOR_CA_KEY_PATH="${pki_dir}/aggr_ca.key"
|
||||||
|
echo "${AGGREGATOR_CA_KEY}" | base64 --decode > "${AGGREGATOR_CA_KEY_PATH}"
|
||||||
|
|
||||||
PROXY_CLIENT_KEY_PATH="${pki_dir}/proxy_client.key"
|
REQUESTHEADER_CA_CERT_PATH="${pki_dir}/aggr_ca.crt"
|
||||||
echo "${PROXY_CLIENT_KEY:-}" | base64 --decode > "${PROXY_CLIENT_KEY_PATH}"
|
echo "${REQUESTHEADER_CA_CERT}" | base64 --decode > "${REQUESTHEADER_CA_CERT_PATH}"
|
||||||
|
|
||||||
PROXY_CLIENT_CERT_PATH="${pki_dir}/proxy_client.crt"
|
PROXY_CLIENT_KEY_PATH="${pki_dir}/proxy_client.key"
|
||||||
echo "${PROXY_CLIENT_CERT:-}" | base64 --decode > "${PROXY_CLIENT_CERT_PATH}"
|
echo "${PROXY_CLIENT_KEY}" | base64 --decode > "${PROXY_CLIENT_KEY_PATH}"
|
||||||
|
|
||||||
|
PROXY_CLIENT_CERT_PATH="${pki_dir}/proxy_client.crt"
|
||||||
|
echo "${PROXY_CLIENT_CERT}" | base64 --decode > "${PROXY_CLIENT_CERT_PATH}"
|
||||||
|
fi
|
||||||
}
|
}
|
||||||
|
|
||||||
# After the first boot and on upgrade, these files exist on the master-pd
|
# After the first boot and on upgrade, these files exist on the master-pd
|
||||||
@ -1235,7 +1238,7 @@ function start-kube-apiserver {
|
|||||||
params+=" --secure-port=443"
|
params+=" --secure-port=443"
|
||||||
params+=" --tls-cert-file=${APISERVER_SERVER_CERT_PATH}"
|
params+=" --tls-cert-file=${APISERVER_SERVER_CERT_PATH}"
|
||||||
params+=" --tls-private-key-file=${APISERVER_SERVER_KEY_PATH}"
|
params+=" --tls-private-key-file=${APISERVER_SERVER_KEY_PATH}"
|
||||||
if [[ ! -z "${REQUESTHEADER_CA_CERT:-}" ]]; then
|
if [[ -s "${REQUESTHEADER_CA_CERT_PATH:-}" ]]; then
|
||||||
params+=" --requestheader-client-ca-file=${REQUESTHEADER_CA_CERT_PATH}"
|
params+=" --requestheader-client-ca-file=${REQUESTHEADER_CA_CERT_PATH}"
|
||||||
params+=" --requestheader-allowed-names=aggregator"
|
params+=" --requestheader-allowed-names=aggregator"
|
||||||
params+=" --requestheader-extra-headers-prefix=X-Remote-Extra-"
|
params+=" --requestheader-extra-headers-prefix=X-Remote-Extra-"
|
||||||
|
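Review bot: Inside the new `if` block in create-master-pki, dropping the `:-` defaults only turns an *unset* variable into a hard failure (and only if the script runs under `set -u`, which this page does not show); a variable that is set to the empty string still reaches `base64 --decode`, which exits 0 on empty input and leaves an empty `aggr_ca.key`, `proxy_client.key` or `proxy_client.crt` behind — the case the commit message says should fail. Gating on REQUESTHEADER_CA_CERT alone does not cover that, so each decode should assert its own input, e.g. `: "${AGGREGATOR_CA_KEY:?AGGREGATOR_CA_KEY is required when REQUESTHEADER_CA_CERT is set}"` before the first `echo`, and likewise for the other three variables. The `-s` test added in start-kube-apiserver then sees a non-empty file, but a partially written file from a decode that fails midway would also pass it unless `pipefail`/`errexit` abort the script first, which is not visible here. The two private-key files are created by plain `>` redirection and so inherit the process umask; worth confirming it is restrictive at this point in the script. create-master-pki begins outside the first hunk, which ends at its closing `}`.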