mirror of
https://github.com/k3s-io/kubernetes.git
synced 2025-07-26 05:03:09 +00:00
Merge pull request #68778 from xychu/add-reuse-certs
Add REUSE_CERT to skip creaing new ca/cert files
This commit is contained in:
k8s-ci-robot
GitHub
commit
9f681f0f6e
@ -233,6 +233,9 @@ ROOT_CA_FILE=${CERT_DIR}/server-ca.crt
|
|||||||
ROOT_CA_KEY=${CERT_DIR}/server-ca.key
|
ROOT_CA_KEY=${CERT_DIR}/server-ca.key
|
||||||
CLUSTER_SIGNING_CERT_FILE=${CLUSTER_SIGNING_CERT_FILE:-"${ROOT_CA_FILE}"}
|
CLUSTER_SIGNING_CERT_FILE=${CLUSTER_SIGNING_CERT_FILE:-"${ROOT_CA_FILE}"}
|
||||||
CLUSTER_SIGNING_KEY_FILE=${CLUSTER_SIGNING_KEY_FILE:-"${ROOT_CA_KEY}"}
|
CLUSTER_SIGNING_KEY_FILE=${CLUSTER_SIGNING_KEY_FILE:-"${ROOT_CA_KEY}"}
|
||||||
|
# Reuse certs will skip generate new ca/cert files under CERT_DIR
|
||||||
|
# it's useful with PRESERVE_ETCD=true because new ca will make existed service account secrets invalided
|
||||||
|
REUSE_CERTS=${REUSE_CERTS:-false}
|
||||||
|
|
||||||
# name of the cgroup driver, i.e. cgroupfs or systemd
|
# name of the cgroup driver, i.e. cgroupfs or systemd
|
||||||
if [[ ${CONTAINER_RUNTIME} == "docker" ]]; then
|
if [[ ${CONTAINER_RUNTIME} == "docker" ]]; then
|
||||||
@ -451,6 +454,39 @@ function set_service_accounts {
|
|||||||
fi
|
fi
|
||||||
}
|
}
|
||||||
|
|
||||||
|
function generate_certs {
|
||||||
|
# Create CA signers
|
||||||
|
if [[ "${ENABLE_SINGLE_CA_SIGNER:-}" = true ]]; then
|
||||||
|
kube::util::create_signing_certkey "${CONTROLPLANE_SUDO}" "${CERT_DIR}" server '"client auth","server auth"'
|
||||||
|
sudo cp "${CERT_DIR}/server-ca.key" "${CERT_DIR}/client-ca.key"
|
||||||
|
sudo cp "${CERT_DIR}/server-ca.crt" "${CERT_DIR}/client-ca.crt"
|
||||||
|
sudo cp "${CERT_DIR}/server-ca-config.json" "${CERT_DIR}/client-ca-config.json"
|
||||||
|
else
|
||||||
|
kube::util::create_signing_certkey "${CONTROLPLANE_SUDO}" "${CERT_DIR}" server '"server auth"'
|
||||||
|
kube::util::create_signing_certkey "${CONTROLPLANE_SUDO}" "${CERT_DIR}" client '"client auth"'
|
||||||
|
fi
|
||||||
|
|
||||||
|
# Create auth proxy client ca
|
||||||
|
kube::util::create_signing_certkey "${CONTROLPLANE_SUDO}" "${CERT_DIR}" request-header '"client auth"'
|
||||||
|
|
||||||
|
# serving cert for kube-apiserver
|
||||||
|
kube::util::create_serving_certkey "${CONTROLPLANE_SUDO}" "${CERT_DIR}" "server-ca" kube-apiserver kubernetes.default kubernetes.default.svc "localhost" ${API_HOST_IP} ${API_HOST} ${FIRST_SERVICE_CLUSTER_IP}
|
||||||
|
|
||||||
|
# Create client certs signed with client-ca, given id, given CN and a number of groups
|
||||||
|
kube::util::create_client_certkey "${CONTROLPLANE_SUDO}" "${CERT_DIR}" 'client-ca' kubelet system:node:${HOSTNAME_OVERRIDE} system:nodes
|
||||||
|
kube::util::create_client_certkey "${CONTROLPLANE_SUDO}" "${CERT_DIR}" 'client-ca' kube-proxy system:kube-proxy system:nodes
|
||||||
|
kube::util::create_client_certkey "${CONTROLPLANE_SUDO}" "${CERT_DIR}" 'client-ca' controller system:kube-controller-manager
|
||||||
|
kube::util::create_client_certkey "${CONTROLPLANE_SUDO}" "${CERT_DIR}" 'client-ca' scheduler system:kube-scheduler
|
||||||
|
kube::util::create_client_certkey "${CONTROLPLANE_SUDO}" "${CERT_DIR}" 'client-ca' admin system:admin system:masters
|
||||||
|
|
||||||
|
# Create matching certificates for kube-aggregator
|
||||||
|
kube::util::create_serving_certkey "${CONTROLPLANE_SUDO}" "${CERT_DIR}" "server-ca" kube-aggregator api.kube-public.svc "localhost" ${API_HOST_IP}
|
||||||
|
kube::util::create_client_certkey "${CONTROLPLANE_SUDO}" "${CERT_DIR}" request-header-ca auth-proxy system:auth-proxy
|
||||||
|
# TODO remove masters and add rolebinding
|
||||||
|
kube::util::create_client_certkey "${CONTROLPLANE_SUDO}" "${CERT_DIR}" 'client-ca' kube-aggregator system:kube-aggregator system:masters
|
||||||
|
kube::util::write_client_kubeconfig "${CONTROLPLANE_SUDO}" "${CERT_DIR}" "${ROOT_CA_FILE}" "${API_HOST}" "${API_SECURE_PORT}" kube-aggregator
|
||||||
|
}
|
||||||
|
|
||||||
function start_apiserver {
|
function start_apiserver {
|
||||||
security_admission=""
|
security_admission=""
|
||||||
if [[ -n "${DENY_SECURITY_CONTEXT_ADMISSION}" ]]; then
|
if [[ -n "${DENY_SECURITY_CONTEXT_ADMISSION}" ]]; then
|
||||||
@ -516,37 +552,11 @@ function start_apiserver {
|
|||||||
node_port_range="--service-node-port-range=${NODE_PORT_RANGE}"
|
node_port_range="--service-node-port-range=${NODE_PORT_RANGE}"
|
||||||
fi
|
fi
|
||||||
|
|
||||||
# Create CA signers
|
if [[ "${REUSE_CERTS}" != true ]]; then
|
||||||
if [[ "${ENABLE_SINGLE_CA_SIGNER:-}" = true ]]; then
|
# Create Certs
|
||||||
kube::util::create_signing_certkey "${CONTROLPLANE_SUDO}" "${CERT_DIR}" server '"client auth","server auth"'
|
generate_certs
|
||||||
sudo cp "${CERT_DIR}/server-ca.key" "${CERT_DIR}/client-ca.key"
|
|
||||||
sudo cp "${CERT_DIR}/server-ca.crt" "${CERT_DIR}/client-ca.crt"
|
|
||||||
sudo cp "${CERT_DIR}/server-ca-config.json" "${CERT_DIR}/client-ca-config.json"
|
|
||||||
else
|
|
||||||
kube::util::create_signing_certkey "${CONTROLPLANE_SUDO}" "${CERT_DIR}" server '"server auth"'
|
|
||||||
kube::util::create_signing_certkey "${CONTROLPLANE_SUDO}" "${CERT_DIR}" client '"client auth"'
|
|
||||||
fi
|
fi
|
||||||
|
|
||||||
# Create auth proxy client ca
|
|
||||||
kube::util::create_signing_certkey "${CONTROLPLANE_SUDO}" "${CERT_DIR}" request-header '"client auth"'
|
|
||||||
|
|
||||||
# serving cert for kube-apiserver
|
|
||||||
kube::util::create_serving_certkey "${CONTROLPLANE_SUDO}" "${CERT_DIR}" "server-ca" kube-apiserver kubernetes.default kubernetes.default.svc "localhost" ${API_HOST_IP} ${API_HOST} ${FIRST_SERVICE_CLUSTER_IP}
|
|
||||||
|
|
||||||
# Create client certs signed with client-ca, given id, given CN and a number of groups
|
|
||||||
kube::util::create_client_certkey "${CONTROLPLANE_SUDO}" "${CERT_DIR}" 'client-ca' kubelet system:node:${HOSTNAME_OVERRIDE} system:nodes
|
|
||||||
kube::util::create_client_certkey "${CONTROLPLANE_SUDO}" "${CERT_DIR}" 'client-ca' kube-proxy system:kube-proxy system:nodes
|
|
||||||
kube::util::create_client_certkey "${CONTROLPLANE_SUDO}" "${CERT_DIR}" 'client-ca' controller system:kube-controller-manager
|
|
||||||
kube::util::create_client_certkey "${CONTROLPLANE_SUDO}" "${CERT_DIR}" 'client-ca' scheduler system:kube-scheduler
|
|
||||||
kube::util::create_client_certkey "${CONTROLPLANE_SUDO}" "${CERT_DIR}" 'client-ca' admin system:admin system:masters
|
|
||||||
|
|
||||||
# Create matching certificates for kube-aggregator
|
|
||||||
kube::util::create_serving_certkey "${CONTROLPLANE_SUDO}" "${CERT_DIR}" "server-ca" kube-aggregator api.kube-public.svc "localhost" ${API_HOST_IP}
|
|
||||||
kube::util::create_client_certkey "${CONTROLPLANE_SUDO}" "${CERT_DIR}" request-header-ca auth-proxy system:auth-proxy
|
|
||||||
# TODO remove masters and add rolebinding
|
|
||||||
kube::util::create_client_certkey "${CONTROLPLANE_SUDO}" "${CERT_DIR}" 'client-ca' kube-aggregator system:kube-aggregator system:masters
|
|
||||||
kube::util::write_client_kubeconfig "${CONTROLPLANE_SUDO}" "${CERT_DIR}" "${ROOT_CA_FILE}" "${API_HOST}" "${API_SECURE_PORT}" kube-aggregator
|
|
||||||
|
|
||||||
cloud_config_arg="--cloud-provider=${CLOUD_PROVIDER} --cloud-config=${CLOUD_CONFIG}"
|
cloud_config_arg="--cloud-provider=${CLOUD_PROVIDER} --cloud-config=${CLOUD_CONFIG}"
|
||||||
if [[ "${EXTERNAL_CLOUD_PROVIDER:-}" == "true" ]]; then
|
if [[ "${EXTERNAL_CLOUD_PROVIDER:-}" == "true" ]]; then
|
||||||
cloud_config_arg="--cloud-provider=external"
|
cloud_config_arg="--cloud-provider=external"
|
||||||
|
|||||||
Loading…
Reference in New Issue
Block a user