Add support for API aggregation layer

Add API server parameters `requestheader-client-ca-file`, `requestheader-allowed-names`, `proxy-client-key-file` and `proxy-client-cert-file`. After we added this parameters into API server, the API aggregation server will be supported when it is deployed in rke cluster.
2025-09-18 08:06:20 +00:00 · 2018-06-22 11:00:12 +08:00
parent 241f7857d6
commit 9f7a37845e
5 changed files with 45 additions and 20 deletions
--- a/cluster/plan.go
+++ b/cluster/plan.go
@@ -129,6 +129,10 @@ func (c *Cluster) BuildKubeAPIProcess(prefixPath string) v3.Process {
 		"etcd-keyfile":                    etcdClientKey,
 		"etcd-servers":                    etcdConnectionString,
 		"etcd-prefix":                     etcdPathPrefix,
+		"requestheader-client-ca-file":    pki.GetCertPath(pki.RequestHeaderCACertName),
+		"requestheader-allowed-names":     pki.APIProxyClientCertName,
+		"proxy-client-key-file":           pki.GetKeyPath(pki.APIProxyClientCertName),
+		"proxy-client-cert-file":          pki.GetCertPath(pki.APIProxyClientCertName),
 	}
 	if len(c.CloudProvider.Name) > 0 && c.CloudProvider.Name != aws.AWSCloudProviderName {
 		CommandArgs["cloud-config"] = CloudConfigPath
--- a/pki/constants.go
+++ b/pki/constants.go
@@ -11,6 +11,7 @@ const (
 	BundleCertPath          = "/backup/pki.bundle.tar.gz"

 	CACertName              = "kube-ca"
+	RequestHeaderCACertName = "kube-apiserver-requestheader-ca"
 	KubeAPICertName         = "kube-apiserver"
 	KubeControllerCertName  = "kube-controller-manager"
 	KubeSchedulerCertName   = "kube-scheduler"
@@ -19,6 +20,7 @@ const (
 	EtcdCertName            = "kube-etcd"
 	EtcdClientCACertName    = "kube-etcd-client-ca"
 	EtcdClientCertName      = "kube-etcd-client"
+	APIProxyClientCertName  = "kube-apiserver-proxy-client"

 	KubeNodeCommonName       = "system:node"
 	KubeNodeOrganizationName = "system:nodes"
--- a/pki/deploy.go
+++ b/pki/deploy.go
@@ -107,7 +107,6 @@ func DeployCertificatesOnHost(ctx context.Context, host *hosts.Host, crtMap map[
 		"CRTS_DEPLOY_PATH=" + certPath,
 	}
 	for _, crt := range crtMap {
-
 		env = append(env, crt.ToEnv()...)
 	}
 	return doRunDeployer(ctx, host, env, certDownloaderImage, prsMap)
@@ -125,6 +124,8 @@ func FetchCertificatesFromHost(ctx context.Context, extraHosts []*hosts.Host, ho
 		KubeProxyCertName:       true,
 		KubeNodeCertName:        true,
 		KubeAdminCertName:       false,
+		RequestHeaderCACertName: false,
+		APIProxyClientCertName:  false,
 	}

 	for _, etcdHost := range extraHosts {
--- a/pki/pki.go
+++ b/pki/pki.go
@@ -43,7 +43,7 @@ func GenerateRKECerts(ctx context.Context, rkeConfig v3.RancherKubernetesEngineC
 	certs := make(map[string]CertificatePKI)
 	// generate CA certificate and key
 	log.Infof(ctx, "[certificates] Generating CA kubernetes certificates")
-	caCrt, caKey, err := generateCACertAndKey()
+	caCrt, caKey, err := generateCACertAndKey(CACertName)
 	if err != nil {
 		return nil, err
 	}
@@ -151,6 +151,22 @@ func GenerateRKECerts(ctx context.Context, rkeConfig v3.RancherKubernetesEngineC
 		certs[etcdName] = ToCertObject(etcdName, "", "", etcdCrt, etcdKey)
 	}

+	// generate request header client CA certificate and key
+	log.Infof(ctx, "[certificates] Generating Kubernetes API server aggregation layer requestheader client CA certificates")
+	requestHeaderCACrt, requestHeaderCAKey, err := generateCACertAndKey(RequestHeaderCACertName)
+	if err != nil {
+		return nil, err
+	}
+	certs[RequestHeaderCACertName] = ToCertObject(RequestHeaderCACertName, "", "", requestHeaderCACrt, requestHeaderCAKey)
+
+	//generate API server proxy client key and certs
+	log.Infof(ctx, "[certificates] Generating Kubernetes API server porxy client certificates")
+	apiserverProxyClientCrt, apiserverProxyClientKey, err := GenerateSignedCertAndKey(requestHeaderCACrt, requestHeaderCAKey, false, APIProxyClientCertName, nil, nil, nil)
+	if err != nil {
+		return nil, err
+	}
+	certs[APIProxyClientCertName] = ToCertObject(APIProxyClientCertName, "", "", apiserverProxyClientCrt, apiserverProxyClientKey)
+
 	return certs, nil
 }

--- a/pki/util.go
+++ b/pki/util.go
@@ -51,13 +51,13 @@ func GenerateSignedCertAndKey(
 	return clientCert, rootKey, nil
 }

-func generateCACertAndKey() (*x509.Certificate, *rsa.PrivateKey, error) {
+func generateCACertAndKey(commonName string) (*x509.Certificate, *rsa.PrivateKey, error) {
 	rootKey, err := cert.NewPrivateKey()
 	if err != nil {
 		return nil, nil, fmt.Errorf("Failed to generate private key for CA certificate: %v", err)
 	}
 	caConfig := cert.Config{
-		CommonName: CACertName,
+		CommonName: commonName,
 	}
 	kubeCACert, err := cert.NewSelfSignedCACert(caConfig, rootKey)
 	if err != nil {
@@ -233,6 +233,8 @@ func getControlCertKeys() []string {
 		KubeNodeCertName,
 		EtcdClientCertName,
 		EtcdClientCACertName,
+		RequestHeaderCACertName,
+		APIProxyClientCertName,
 	}
 }