mirror of
https://github.com/k3s-io/kubernetes.git
synced 2025-07-31 15:25:57 +00:00
Merge pull request #2341 from jbeda/cert-gen
Give the API server access to TLS certs.
This commit is contained in:
commit
d4108ec47e
@ -400,9 +400,9 @@ function kube-up {
|
||||
# config file. Distribute the same way the htpasswd is done.
|
||||
(
|
||||
umask 077
|
||||
ssh -oStrictHostKeyChecking=no -i ~/.ssh/kube_aws_rsa ubuntu@${KUBE_MASTER_IP} sudo cat /usr/share/nginx/kubecfg.crt >"${HOME}/${kube_cert}" 2>/dev/null
|
||||
ssh -oStrictHostKeyChecking=no -i ~/.ssh/kube_aws_rsa ubuntu@${KUBE_MASTER_IP} sudo cat /usr/share/nginx/kubecfg.key >"${HOME}/${kube_key}" 2>/dev/null
|
||||
ssh -oStrictHostKeyChecking=no -i ~/.ssh/kube_aws_rsa ubuntu@${KUBE_MASTER_IP} sudo cat /usr/share/nginx/ca.crt >"${HOME}/${ca_cert}" 2>/dev/null
|
||||
ssh -oStrictHostKeyChecking=no -i ~/.ssh/kube_aws_rsa ubuntu@${KUBE_MASTER_IP} sudo cat /srv/kubernetes/kubecfg.crt >"${HOME}/${kube_cert}" 2>/dev/null
|
||||
ssh -oStrictHostKeyChecking=no -i ~/.ssh/kube_aws_rsa ubuntu@${KUBE_MASTER_IP} sudo cat /srv/kubernetes/kubecfg.key >"${HOME}/${kube_key}" 2>/dev/null
|
||||
ssh -oStrictHostKeyChecking=no -i ~/.ssh/kube_aws_rsa ubuntu@${KUBE_MASTER_IP} sudo cat /srv/kubernetes/ca.crt >"${HOME}/${ca_cert}" 2>/dev/null
|
||||
|
||||
cat << EOF > ~/.kubernetes_auth
|
||||
{
|
||||
|
@ -422,9 +422,9 @@ function kube-up {
|
||||
# TODO: generate ADMIN (and KUBELET) tokens and put those in the master's
|
||||
# config file. Distribute the same way the htpasswd is done.
|
||||
(umask 077
|
||||
gcutil ssh "${MASTER_NAME}" sudo cat /usr/share/nginx/kubecfg.crt >"${HOME}/${kube_cert}" 2>/dev/null
|
||||
gcutil ssh "${MASTER_NAME}" sudo cat /usr/share/nginx/kubecfg.key >"${HOME}/${kube_key}" 2>/dev/null
|
||||
gcutil ssh "${MASTER_NAME}" sudo cat /usr/share/nginx/ca.crt >"${HOME}/${ca_cert}" 2>/dev/null
|
||||
gcutil ssh "${MASTER_NAME}" sudo cat /srv/kubernetes/kubecfg.crt >"${HOME}/${kube_cert}" 2>/dev/null
|
||||
gcutil ssh "${MASTER_NAME}" sudo cat /srv/kubernetes/kubecfg.key >"${HOME}/${kube_key}" 2>/dev/null
|
||||
gcutil ssh "${MASTER_NAME}" sudo cat /srv/kubernetes/ca.crt >"${HOME}/${ca_cert}" 2>/dev/null
|
||||
|
||||
cat << EOF > ~/.kubernetes_auth
|
||||
{
|
||||
|
@ -27,4 +27,7 @@
|
||||
{% set portal_net = "-portal_net=" + pillar['portal_net'] %}
|
||||
{% endif %}
|
||||
|
||||
DAEMON_ARGS="{{daemon_args}} {{address}} {{etcd_servers}} {{ cloud_provider }} --allow_privileged={{pillar['allow_privileged']}} {{portal_net}}"
|
||||
{% set cert_file = "-tls_cert_file=/srv/kubernetes/server.cert" %}
|
||||
{% set key_file = "-tls_private_key_file=/srv/kubernetes/server.key" %}
|
||||
|
||||
DAEMON_ARGS="{{daemon_args}} {{address}} {{etcd_servers}} {{ cloud_provider }} --allow_privileged={{pillar['allow_privileged']}} {{portal_net}} {{cert_file}} {{key_file}}"
|
||||
|
38
cluster/saltbase/salt/generate-cert/init.sls
Normal file
38
cluster/saltbase/salt/generate-cert/init.sls
Normal file
@ -0,0 +1,38 @@
|
||||
{% if grains.cloud is defined %}
|
||||
{% if grains.cloud == 'gce' %}
|
||||
{% set cert_ip='_use_gce_external_ip_' %}
|
||||
{% endif %}
|
||||
{% if grains.cloud == 'aws' %}
|
||||
{% set cert_ip='_use_aws_external_ip_' %}
|
||||
{% endif %}
|
||||
{% if grains.cloud == 'vagrant' %}
|
||||
{% set cert_ip=grains.fqdn_ip4 %}
|
||||
{% endif %}
|
||||
{% if grains.cloud == 'vsphere' %}
|
||||
{% set cert_ip=grains.ip_interfaces.eth0[0] %}
|
||||
{% endif %}
|
||||
{% endif %}
|
||||
|
||||
# If there is a pillar defined, override any defaults.
|
||||
{% if pillar['cert_ip'] is defined %}
|
||||
{% set cert_ip=pillar['cert_ip'] %}
|
||||
{% endif %}
|
||||
|
||||
{% set certgen="make-cert.sh" %}
|
||||
{% if cert_ip is defined %}
|
||||
{% set certgen="make-ca-cert.sh" %}
|
||||
{% endif %}
|
||||
|
||||
kubernetes-cert:
|
||||
cmd.script:
|
||||
- unless: test -f /srv/kubernetes/server.cert
|
||||
- source: salt://generate-cert/{{certgen}}
|
||||
{% if cert_ip is defined %}
|
||||
- args: {{cert_ip}}
|
||||
- require:
|
||||
- pkg: curl
|
||||
{% endif %}
|
||||
- cwd: /
|
||||
- user: root
|
||||
- group: root
|
||||
- shell: /bin/bash
|
@ -19,6 +19,9 @@ set -o nounset
|
||||
set -o pipefail
|
||||
|
||||
cert_ip=$1
|
||||
cert_dir=/srv/kubernetes
|
||||
|
||||
mkdir -p "$cert_dir"
|
||||
|
||||
# TODO: Add support for discovery on other providers?
|
||||
if [ "$cert_ip" == "_use_gce_external_ip_" ]; then
|
||||
@ -33,19 +36,28 @@ tmpdir=$(mktemp -d --tmpdir kubernetes_cacert.XXXXXX)
|
||||
trap 'rm -rf "${tmpdir}"' EXIT
|
||||
cd "${tmpdir}"
|
||||
|
||||
# TODO: For now, this is a patched repo that makes subject-alt-name work, when the fix is upstream
|
||||
# move back to the upstream easyrsa
|
||||
curl -L -J -O https://github.com/brendandburns/easy-rsa/archive/master.tar.gz > /dev/null 2>&1
|
||||
tar xzf easy-rsa-master.tar.gz > /dev/null 2>&1
|
||||
# TODO: For now, this is a patched tool that makes subject-alt-name work, when
|
||||
# the fix is upstream move back to the upstream easyrsa. This is cached in GCS
|
||||
# but is originally taken from:
|
||||
# https://github.com/brendandburns/easy-rsa/archive/master.tar.gz
|
||||
#
|
||||
# To update, do the following:
|
||||
# curl -o easy-rsa.tar.gz https://github.com/brendandburns/easy-rsa/archive/master.tar.gz
|
||||
# gsutil cp easy-rsa.tar.gz gs://kubernetes-release/easy-rsa/easy-rsa.tar.gz
|
||||
# gsutil acl ch -R -g all:R gs://kubernetes-release/easy-rsa/easy-rsa.tar.gz
|
||||
#
|
||||
# Due to GCS caching of public objects, it may take time for this to be widely
|
||||
# distributed.
|
||||
curl -L -O https://storage.googleapis.com/kubernetes-release/easy-rsa/easy-rsa.tar.gz > /dev/null 2>&1
|
||||
tar xzf easy-rsa.tar.gz > /dev/null 2>&1
|
||||
|
||||
cd easy-rsa-master/easyrsa3
|
||||
./easyrsa init-pki > /dev/null 2>&1
|
||||
./easyrsa --batch build-ca nopass > /dev/null 2>&1
|
||||
./easyrsa --subject-alt-name=IP:$cert_ip build-server-full kubernetes-master nopass > /dev/null 2>&1
|
||||
./easyrsa build-client-full kubecfg nopass > /dev/null 2>&1
|
||||
cp -p pki/issued/kubernetes-master.crt /usr/share/nginx/server.cert > /dev/null 2>&1
|
||||
cp -p pki/private/kubernetes-master.key /usr/share/nginx/server.key > /dev/null 2>&1
|
||||
cp -p pki/ca.crt /usr/share/nginx/ca.crt
|
||||
cp -p pki/issued/kubecfg.crt /usr/share/nginx/kubecfg.crt
|
||||
cp -p pki/private/kubecfg.key /usr/share/nginx/kubecfg.key
|
||||
|
||||
cp -p pki/issued/kubernetes-master.crt "${cert_dir}/server.cert" > /dev/null 2>&1
|
||||
cp -p pki/private/kubernetes-master.key "${cert_dir}/server.key" > /dev/null 2>&1
|
||||
cp -p pki/ca.crt "${cert_dir}/ca.crt"
|
||||
cp -p pki/issued/kubecfg.crt "${cert_dir}/kubecfg.crt"
|
||||
cp -p pki/private/kubecfg.key "${cert_dir}/kubecfg.key"
|
@ -14,6 +14,8 @@
|
||||
# See the License for the specific language governing permissions and
|
||||
# limitations under the License.
|
||||
|
||||
cert_dir=/srv/kubernetes
|
||||
|
||||
openssl req -new -newkey rsa:4096 -days 365 -nodes -x509 \
|
||||
-subj "/CN=kubernetes.invalid/O=Kubernetes" \
|
||||
-keyout /usr/share/nginx/server.key -out /usr/share/nginx/server.cert
|
||||
-keyout "${cert_dir}/server.key" -out "${cert_dir}/server.cert"
|
@ -8,45 +8,7 @@ nginx:
|
||||
- file: /etc/nginx/nginx.conf
|
||||
- file: /etc/nginx/sites-enabled/default
|
||||
- file: /usr/share/nginx/htpasswd
|
||||
- cmd: /usr/share/nginx/server.cert
|
||||
|
||||
{% if grains.cloud is defined %}
|
||||
{% if grains.cloud == 'gce' %}
|
||||
{% set cert_ip='_use_gce_external_ip_' %}
|
||||
{% endif %}
|
||||
{% if grains.cloud == 'aws' %}
|
||||
{% set cert_ip='_use_aws_external_ip_' %}
|
||||
{% endif %}
|
||||
{% if grains.cloud == 'vagrant' %}
|
||||
{% set cert_ip=grains.fqdn_ip4 %}
|
||||
{% endif %}
|
||||
{% if grains.cloud == 'vsphere' %}
|
||||
{% set cert_ip=grains.ip_interfaces.eth0[0] %}
|
||||
{% endif %}
|
||||
{% endif %}
|
||||
# If there is a pillar defined, override any defaults.
|
||||
{% if pillar['cert_ip'] is defined %}
|
||||
{% set cert_ip=pillar['cert_ip'] %}
|
||||
{% endif %}
|
||||
|
||||
{% set certgen="make-cert.sh" %}
|
||||
{% if cert_ip is defined %}
|
||||
{% set certgen="make-ca-cert.sh" %}
|
||||
{% endif %}
|
||||
|
||||
/usr/share/nginx/server.cert:
|
||||
cmd.script:
|
||||
- unless: test -f /usr/share/nginx/server.cert
|
||||
- source: salt://nginx/{{certgen}}
|
||||
{% if cert_ip is defined %}
|
||||
- args: {{cert_ip}}
|
||||
- require:
|
||||
- pkg: curl
|
||||
{% endif %}
|
||||
- cwd: /
|
||||
- user: root
|
||||
- group: root
|
||||
- shell: /bin/bash
|
||||
- cmd: kubernetes-cert
|
||||
|
||||
/etc/nginx/nginx.conf:
|
||||
file:
|
||||
|
@ -33,8 +33,8 @@ server {
|
||||
index index.html index.htm;
|
||||
|
||||
ssl on;
|
||||
ssl_certificate /usr/share/nginx/server.cert;
|
||||
ssl_certificate_key /usr/share/nginx/server.key;
|
||||
ssl_certificate /srv/kubernetes/server.cert;
|
||||
ssl_certificate_key /srv/kubernetes/server.key;
|
||||
|
||||
ssl_session_timeout 5m;
|
||||
|
||||
|
@ -26,6 +26,7 @@ base:
|
||||
|
||||
'roles:kubernetes-master':
|
||||
- match: grain
|
||||
- generate-cert
|
||||
- etcd
|
||||
- apiserver
|
||||
- controller-manager
|
||||
|
@ -397,9 +397,9 @@ function kube-up {
|
||||
(
|
||||
umask 077
|
||||
|
||||
kube-ssh "${KUBE_MASTER_IP}" sudo cat /usr/share/nginx/kubecfg.crt >"${HOME}/${kube_cert}" 2>/dev/null
|
||||
kube-ssh "${KUBE_MASTER_IP}" sudo cat /usr/share/nginx/kubecfg.key >"${HOME}/${kube_key}" 2>/dev/null
|
||||
kube-ssh "${KUBE_MASTER_IP}" sudo cat /usr/share/nginx/ca.crt >"${HOME}/${ca_cert}" 2>/dev/null
|
||||
kube-ssh "${KUBE_MASTER_IP}" sudo cat /srv/kubernetes/kubecfg.crt >"${HOME}/${kube_cert}" 2>/dev/null
|
||||
kube-ssh "${KUBE_MASTER_IP}" sudo cat /srv/kubernetes/kubecfg.key >"${HOME}/${kube_key}" 2>/dev/null
|
||||
kube-ssh "${KUBE_MASTER_IP}" sudo cat /srv/kubernetes/ca.crt >"${HOME}/${ca_cert}" 2>/dev/null
|
||||
|
||||
cat << EOF > ~/.kubernetes_auth
|
||||
{
|
||||
|
Loading…
Reference in New Issue
Block a user