Revert "Add per node kubelet server certificate"

This reverts commit b860e634db.
2025-09-25 06:33:56 +00:00 · 2019-08-07 17:35:19 +02:00
parent b860e634db
commit 3f94e86706
12 changed files with 113 additions and 210 deletions
--- a/cluster/certificates.go
+++ b/cluster/certificates.go
@@ -59,7 +59,7 @@ func GetClusterCertsFromKubernetes(ctx context.Context, kubeCluster *Cluster) (m
 	}

 	for _, etcdHost := range kubeCluster.EtcdHosts {
-		etcdName := pki.GetCrtNameForAddress(etcdHost.InternalAddress, pki.EtcdCertName)
+		etcdName := pki.GetEtcdCrtName(etcdHost.InternalAddress)
 		certificatesNames = append(certificatesNames, etcdName)
 	}

@@ -154,13 +154,13 @@ func RotateRKECertificates(ctx context.Context, c *Cluster, flags ExternalFlags,
 	var (
 		serviceAccountTokenKey string
 	)
-	componentsCertsFuncMap := map[string][]pki.GenFunc{
-		services.KubeAPIContainerName:        []pki.GenFunc{pki.GenerateKubeAPICertificate},
-		services.KubeControllerContainerName: []pki.GenFunc{pki.GenerateKubeControllerCertificate},
-		services.SchedulerContainerName:      []pki.GenFunc{pki.GenerateKubeSchedulerCertificate},
-		services.KubeproxyContainerName:      []pki.GenFunc{pki.GenerateKubeProxyCertificate},
-		services.KubeletContainerName:        []pki.GenFunc{pki.GenerateKubeNodeCertificate, pki.GenerateKubeletCertificate},
-		services.EtcdContainerName:           []pki.GenFunc{pki.GenerateEtcdCertificates},
+	componentsCertsFuncMap := map[string]pki.GenFunc{
+		services.KubeAPIContainerName:        pki.GenerateKubeAPICertificate,
+		services.KubeControllerContainerName: pki.GenerateKubeControllerCertificate,
+		services.SchedulerContainerName:      pki.GenerateKubeSchedulerCertificate,
+		services.KubeproxyContainerName:      pki.GenerateKubeProxyCertificate,
+		services.KubeletContainerName:        pki.GenerateKubeNodeCertificate,
+		services.EtcdContainerName:           pki.GenerateEtcdCertificates,
 	}
 	rotateFlags := c.RancherKubernetesEngineConfig.RotateCertificates
 	if rotateFlags.CACertificates {
@@ -171,12 +171,10 @@ func RotateRKECertificates(ctx context.Context, c *Cluster, flags ExternalFlags,
 		rotateFlags.Services = nil
 	}
 	for _, k8sComponent := range rotateFlags.Services {
-		genFunctions := componentsCertsFuncMap[k8sComponent]
-		if genFunctions != nil {
-			for _, genFunc := range genFunctions {
-				if err := genFunc(ctx, c.Certificates, c.RancherKubernetesEngineConfig, flags.ClusterFilePath, flags.ConfigDir, true); err != nil {
-					return err
-				}
+		genFunc := componentsCertsFuncMap[k8sComponent]
+		if genFunc != nil {
+			if err := genFunc(ctx, c.Certificates, c.RancherKubernetesEngineConfig, flags.ClusterFilePath, flags.ConfigDir, true); err != nil {
+				return err
 			}
 		}
 	}
--- a/cluster/plan.go
+++ b/cluster/plan.go
@@ -123,25 +123,24 @@ func (c *Cluster) BuildKubeAPIProcess(host *hosts.Host, prefixPath string, svcOp
 	}

 	CommandArgs := map[string]string{
-		"client-ca-file":                pki.GetCertPath(pki.CACertName),
-		"cloud-provider":                c.CloudProvider.Name,
-		"etcd-cafile":                   etcdCAClientCert,
-		"etcd-certfile":                 etcdClientCert,
-		"etcd-keyfile":                  etcdClientKey,
-		"etcd-prefix":                   etcdPathPrefix,
-		"etcd-servers":                  etcdConnectionString,
-		"kubelet-client-certificate":    pki.GetCertPath(pki.KubeAPICertName),
-		"kubelet-client-key":            pki.GetKeyPath(pki.KubeAPICertName),
-		"kubelet-certificate-authority": pki.GetCertPath(pki.CACertName),
-		"proxy-client-cert-file":        pki.GetCertPath(pki.APIProxyClientCertName),
-		"proxy-client-key-file":         pki.GetKeyPath(pki.APIProxyClientCertName),
-		"requestheader-allowed-names":   pki.APIProxyClientCertName,
-		"requestheader-client-ca-file":  pki.GetCertPath(pki.RequestHeaderCACertName),
-		"service-account-key-file":      pki.GetKeyPath(pki.ServiceAccountTokenKeyName),
-		"service-cluster-ip-range":      c.Services.KubeAPI.ServiceClusterIPRange,
-		"service-node-port-range":       c.Services.KubeAPI.ServiceNodePortRange,
-		"tls-cert-file":                 pki.GetCertPath(pki.KubeAPICertName),
-		"tls-private-key-file":          pki.GetKeyPath(pki.KubeAPICertName),
+		"client-ca-file":               pki.GetCertPath(pki.CACertName),
+		"cloud-provider":               c.CloudProvider.Name,
+		"etcd-cafile":                  etcdCAClientCert,
+		"etcd-certfile":                etcdClientCert,
+		"etcd-keyfile":                 etcdClientKey,
+		"etcd-prefix":                  etcdPathPrefix,
+		"etcd-servers":                 etcdConnectionString,
+		"kubelet-client-certificate":   pki.GetCertPath(pki.KubeAPICertName),
+		"kubelet-client-key":           pki.GetKeyPath(pki.KubeAPICertName),
+		"proxy-client-cert-file":       pki.GetCertPath(pki.APIProxyClientCertName),
+		"proxy-client-key-file":        pki.GetKeyPath(pki.APIProxyClientCertName),
+		"requestheader-allowed-names":  pki.APIProxyClientCertName,
+		"requestheader-client-ca-file": pki.GetCertPath(pki.RequestHeaderCACertName),
+		"service-account-key-file":     pki.GetKeyPath(pki.ServiceAccountTokenKeyName),
+		"service-cluster-ip-range":     c.Services.KubeAPI.ServiceClusterIPRange,
+		"service-node-port-range":      c.Services.KubeAPI.ServiceNodePortRange,
+		"tls-cert-file":                pki.GetCertPath(pki.KubeAPICertName),
+		"tls-private-key-file":         pki.GetKeyPath(pki.KubeAPICertName),
 	}
 	if len(c.CloudProvider.Name) > 0 {
 		CommandArgs["cloud-config"] = cloudConfigFileName
@@ -348,8 +347,6 @@ func (c *Cluster) BuildKubeletProcess(host *hosts.Host, prefixPath string, svcOp
 		"fail-swap-on":              strconv.FormatBool(c.Services.Kubelet.FailSwapOn),
 		"hostname-override":         host.HostnameOverride,
 		"kubeconfig":                pki.GetConfigPath(pki.KubeNodeCertName),
-		"tls-cert-file":             pki.GetCertPath(pki.GetCrtNameForAddress(host.InternalAddress, pki.KubeletCertName)),
-		"tls-private-key-file":      pki.GetCertPath(fmt.Sprintf("%s-key", pki.GetCrtNameForAddress(host.InternalAddress, pki.KubeletCertName))),
 		"pod-infra-container-image": c.Services.Kubelet.InfraContainerImage,
 		"root-dir":                  path.Join(prefixPath, "/var/lib/kubelet"),
 	}
@@ -662,7 +659,7 @@ func (c *Cluster) BuildSidecarProcess() v3.Process {
 }

 func (c *Cluster) BuildEtcdProcess(host *hosts.Host, etcdHosts []*hosts.Host, prefixPath string) v3.Process {
-	nodeName := pki.GetCrtNameForAddress(host.InternalAddress, pki.EtcdCertName)
+	nodeName := pki.GetEtcdCrtName(host.InternalAddress)
 	initCluster := ""
 	architecture := "amd64"
 	if len(etcdHosts) == 0 {
--- a/cluster/reconcile.go
+++ b/cluster/reconcile.go
@@ -328,7 +328,7 @@ func restartComponentsWhenCertChanges(ctx context.Context, currentCluster, kubeC
 	}

 	for _, host := range kubeCluster.EtcdHosts {
-		etcdCertName := pki.GetCrtNameForAddress(host.Address, pki.EtcdCertName)
+		etcdCertName := pki.GetEtcdCrtName(host.Address)
 		certMap := map[string]bool{
 			etcdCertName: false,
 		}
--- a/cluster/validation.go
+++ b/cluster/validation.go
@@ -168,12 +168,10 @@ func validateIngressOptions(c *Cluster) error {

 func ValidateHostCount(c *Cluster) error {
 	if len(c.EtcdHosts) == 0 && len(c.Services.Etcd.ExternalURLs) == 0 {
-		if len(c.InactiveHosts) > 0 {
-			failedEtcdHosts := []string{}
-			for _, host := range c.InactiveHosts {
-				if host.IsEtcd {
-					failedEtcdHosts = append(failedEtcdHosts, host.Address)
-				}
+		failedEtcdHosts := []string{}
+		for _, host := range c.InactiveHosts {
+			if host.IsEtcd {
+				failedEtcdHosts = append(failedEtcdHosts, host.Address)
 			}
 			return fmt.Errorf("Cluster must have at least one etcd plane host: failed to connect to the following etcd host(s) %v", failedEtcdHosts)
 		}