Skip to content
Projects
Groups
Snippets
Help
This project
Loading...
Sign in / Register
Toggle navigation
K
k3s
Project
Project
Details
Activity
Cycle Analytics
Repository
Repository
Files
Commits
Branches
Tags
Contributors
Graph
Compare
Charts
Issues
0
Issues
0
List
Board
Labels
Milestones
Merge Requests
0
Merge Requests
0
CI / CD
CI / CD
Pipelines
Jobs
Schedules
Charts
Registry
Registry
Wiki
Wiki
Snippets
Snippets
Members
Members
Collapse sidebar
Close sidebar
Activity
Graph
Charts
Create a new issue
Jobs
Commits
Issue Boards
Open sidebar
Jacklull
k3s
Commits
6a979704
Commit
6a979704
authored
Jun 09, 2015
by
krousey
Browse files
Options
Browse Files
Download
Plain Diff
Merge pull request #9419 from roberthbailey/kube2sky-secure-gce
Distribute the cluster CA cert to cluster addon pods through the kubeconfig file
parents
3e7bcd1e
aeb00685
Show whitespace changes
Inline
Side-by-side
Showing
5 changed files
with
50 additions
and
9 deletions
+50
-9
skydns-rc.yaml.in
cluster/addons/dns/skydns-rc.yaml.in
+0
-1
helper.sh
cluster/gce/coreos/helper.sh
+1
-0
helper.sh
cluster/gce/debian/helper.sh
+1
-1
util.sh
cluster/gce/util.sh
+1
-1
kube-addons.sh
cluster/saltbase/salt/kube-addons/kube-addons.sh
+47
-6
No files found.
cluster/addons/dns/skydns-rc.yaml.in
View file @
6a979704
...
@@ -35,7 +35,6 @@ spec:
...
@@ -35,7 +35,6 @@ spec:
# command = "/kube2sky"
# command = "/kube2sky"
- -domain={{ pillar['dns_domain'] }}
- -domain={{ pillar['dns_domain'] }}
- -kubecfg_file=/etc/dns_token/kubeconfig
- -kubecfg_file=/etc/dns_token/kubeconfig
- -kube_master_url=https://${KUBERNETES_SERVICE_HOST}:${KUBERNETES_SERVICE_PORT}
volumeMounts:
volumeMounts:
- mountPath: /etc/dns_token
- mountPath: /etc/dns_token
name: dns-token
name: dns-token
...
...
cluster/gce/coreos/helper.sh
View file @
6a979704
...
@@ -51,6 +51,7 @@ KUBELET_TOKEN: $(yaml-quote ${KUBELET_TOKEN:-})
...
@@ -51,6 +51,7 @@ KUBELET_TOKEN: $(yaml-quote ${KUBELET_TOKEN:-})
KUBE_PROXY_TOKEN:
$(
yaml-quote
${
KUBE_PROXY_TOKEN
:-})
KUBE_PROXY_TOKEN:
$(
yaml-quote
${
KUBE_PROXY_TOKEN
:-})
ADMISSION_CONTROL:
$(
yaml-quote
${
ADMISSION_CONTROL
:-})
ADMISSION_CONTROL:
$(
yaml-quote
${
ADMISSION_CONTROL
:-})
MASTER_IP_RANGE:
$(
yaml-quote
${
MASTER_IP_RANGE
})
MASTER_IP_RANGE:
$(
yaml-quote
${
MASTER_IP_RANGE
})
KUBERNETES_MASTER_NAME=
$(
yaml-quote
${
MASTER_NAME
})
KUBERNETES_CONTAINER_RUNTIME:
$(
yaml-quote
${
CONTAINER_RUNTIME
})
KUBERNETES_CONTAINER_RUNTIME:
$(
yaml-quote
${
CONTAINER_RUNTIME
})
RKT_VERSION:
$(
yaml-quote
${
RKT_VERSION
})
RKT_VERSION:
$(
yaml-quote
${
RKT_VERSION
})
CA_CERT:
$(
yaml-quote
${
CA_CERT_BASE64
})
CA_CERT:
$(
yaml-quote
${
CA_CERT_BASE64
})
...
...
cluster/gce/debian/helper.sh
View file @
6a979704
...
@@ -30,6 +30,7 @@ CLUSTER_IP_RANGE: $(yaml-quote ${CLUSTER_IP_RANGE:-10.244.0.0/16})
...
@@ -30,6 +30,7 @@ CLUSTER_IP_RANGE: $(yaml-quote ${CLUSTER_IP_RANGE:-10.244.0.0/16})
SERVER_BINARY_TAR_URL:
$(
yaml-quote
${
SERVER_BINARY_TAR_URL
})
SERVER_BINARY_TAR_URL:
$(
yaml-quote
${
SERVER_BINARY_TAR_URL
})
SALT_TAR_URL:
$(
yaml-quote
${
SALT_TAR_URL
})
SALT_TAR_URL:
$(
yaml-quote
${
SALT_TAR_URL
})
SERVICE_CLUSTER_IP_RANGE:
$(
yaml-quote
${
SERVICE_CLUSTER_IP_RANGE
})
SERVICE_CLUSTER_IP_RANGE:
$(
yaml-quote
${
SERVICE_CLUSTER_IP_RANGE
})
KUBERNETES_MASTER_NAME:
$(
yaml-quote
${
MASTER_NAME
})
ALLOCATE_NODE_CIDRS:
$(
yaml-quote
${
ALLOCATE_NODE_CIDRS
:-
false
})
ALLOCATE_NODE_CIDRS:
$(
yaml-quote
${
ALLOCATE_NODE_CIDRS
:-
false
})
ENABLE_CLUSTER_MONITORING:
$(
yaml-quote
${
ENABLE_CLUSTER_MONITORING
:-
none
})
ENABLE_CLUSTER_MONITORING:
$(
yaml-quote
${
ENABLE_CLUSTER_MONITORING
:-
none
})
ENABLE_NODE_MONITORING:
$(
yaml-quote
${
ENABLE_NODE_MONITORING
:-
false
})
ENABLE_NODE_MONITORING:
$(
yaml-quote
${
ENABLE_NODE_MONITORING
:-
false
})
...
@@ -68,7 +69,6 @@ EOF
...
@@ -68,7 +69,6 @@ EOF
# Node-only env vars.
# Node-only env vars.
cat
>>
$file
<<
EOF
cat
>>
$file
<<
EOF
KUBERNETES_MASTER: "false"
KUBERNETES_MASTER: "false"
KUBERNETES_MASTER_NAME:
$(
yaml-quote
${
MASTER_NAME
})
ZONE:
$(
yaml-quote
${
ZONE
})
ZONE:
$(
yaml-quote
${
ZONE
})
EXTRA_DOCKER_OPTS:
$(
yaml-quote
${
EXTRA_DOCKER_OPTS
})
EXTRA_DOCKER_OPTS:
$(
yaml-quote
${
EXTRA_DOCKER_OPTS
})
ENABLE_DOCKER_REGISTRY_CACHE:
$(
yaml-quote
${
ENABLE_DOCKER_REGISTRY_CACHE
:-
false
})
ENABLE_DOCKER_REGISTRY_CACHE:
$(
yaml-quote
${
ENABLE_DOCKER_REGISTRY_CACHE
:-
false
})
...
...
cluster/gce/util.sh
View file @
6a979704
...
@@ -541,7 +541,7 @@ function create-certs {
...
@@ -541,7 +541,7 @@ function create-certs {
cd
easy-rsa-master/easyrsa3
cd
easy-rsa-master/easyrsa3
./easyrsa init-pki
>
/dev/null 2>&1
./easyrsa init-pki
>
/dev/null 2>&1
./easyrsa
--batch
"--req-cn=
${
cert_ip
}
@
$(
date
+%s
)
"
build-ca nopass
>
/dev/null 2>&1
./easyrsa
--batch
"--req-cn=
${
cert_ip
}
@
$(
date
+%s
)
"
build-ca nopass
>
/dev/null 2>&1
./easyrsa
--subject-alt-name
=
IP:
"
${
cert_ip
}
"
build-server-full
"
${
MASTER_NAME
}
"
nopass
>
/dev/null 2>&1
./easyrsa
--subject-alt-name
=
IP:
"
${
cert_ip
}
"
,DNS:kubernetes,DNS:
"
${
MASTER_NAME
}
"
build-server-full
"
${
MASTER_NAME
}
"
nopass
>
/dev/null 2>&1
./easyrsa build-client-full kubelet nopass
>
/dev/null 2>&1
./easyrsa build-client-full kubelet nopass
>
/dev/null 2>&1
./easyrsa build-client-full kubecfg nopass
>
/dev/null 2>&1
)
||
{
./easyrsa build-client-full kubecfg nopass
>
/dev/null 2>&1
)
||
{
# If there was an error in the subshell, just die.
# If there was an error in the subshell, just die.
...
...
cluster/saltbase/salt/kube-addons/kube-addons.sh
View file @
6a979704
...
@@ -22,13 +22,33 @@ KUBECTL=/usr/local/bin/kubectl
...
@@ -22,13 +22,33 @@ KUBECTL=/usr/local/bin/kubectl
function
create-kubeconfig-secret
()
{
function
create-kubeconfig-secret
()
{
local
-r
token
=
$1
local
-r
token
=
$1
local
-r
username
=
$2
local
-r
username
=
$2
local
-r
server
=
$3
local
-r
safe_username
=
$(
tr
-s
':_'
'--'
<<<
"
${
username
}
"
)
local
-r
safe_username
=
$(
tr
-s
':_'
'--'
<<<
"
${
username
}
"
)
# Make a kubeconfig file with the token.
# Make a kubeconfig file with the token.
# TODO(etune): put apiserver certs into secret too, and reference from authfile,
if
[[
!
-z
"
${
CA_CERT
:-}
"
]]
;
then
# so that "Insecure" is not needed.
# If the CA cert is available, put it into the secret rather than using
# Point the kubeconfig file at https://kubernetes:443. Pods/components that
# insecure-skip-tls-verify.
# do not have DNS available will have to override the server.
read
-r
-d
''
kubeconfig
<<
EOF
apiVersion: v1
kind: Config
users:
- name:
${
username
}
user:
token:
${
token
}
clusters:
- name: local
cluster:
server:
${
server
}
certificate-authority-data:
${
CA_CERT
}
contexts:
- context:
cluster: local
user:
${
username
}
name: service-account-context
current-context: service-account-context
EOF
else
read
-r
-d
''
kubeconfig
<<
EOF
read
-r
-d
''
kubeconfig
<<
EOF
apiVersion: v1
apiVersion: v1
kind: Config
kind: Config
...
@@ -39,7 +59,7 @@ users:
...
@@ -39,7 +59,7 @@ users:
clusters:
clusters:
- name: local
- name: local
cluster:
cluster:
server:
"https://kubernetes:443"
server:
${
server
}
insecure-skip-tls-verify: true
insecure-skip-tls-verify: true
contexts:
contexts:
- context:
- context:
...
@@ -48,6 +68,8 @@ contexts:
...
@@ -48,6 +68,8 @@ contexts:
name: service-account-context
name: service-account-context
current-context: service-account-context
current-context: service-account-context
EOF
EOF
fi
local
-r
kubeconfig_base64
=
$(
echo
"
${
kubeconfig
}
"
|
base64
-w0
)
local
-r
kubeconfig_base64
=
$(
echo
"
${
kubeconfig
}
"
|
base64
-w0
)
read
-r
-d
''
secretyaml
<<
EOF
read
-r
-d
''
secretyaml
<<
EOF
apiVersion: v1beta3
apiVersion: v1beta3
...
@@ -98,6 +120,18 @@ function create-resource-from-string() {
...
@@ -98,6 +120,18 @@ function create-resource-from-string() {
# managed result is of that. Start everything below that directory.
# managed result is of that. Start everything below that directory.
echo
"== Kubernetes addon manager started at
$(
date
-Is
)
=="
echo
"== Kubernetes addon manager started at
$(
date
-Is
)
=="
# Load the kube-env, which has all the environment variables we care
# about, in a flat yaml format.
kube_env_yaml
=
"/var/cache/kubernetes-install/kube_env.yaml"
if
[
!
-e
"
${
kubelet_kubeconfig_file
}
"
]
;
then
eval
$(
python
-c
'''
import pipes,sys,yaml
for k,v in yaml.load(sys.stdin).iteritems():
print "readonly {var}={value}".format(var = k, value = pipes.quote(str(v)))
'''
<
"
${
kube_env_yaml
}
"
)
fi
# Generate secrets for "internal service accounts".
# Generate secrets for "internal service accounts".
# TODO(etune): move to a completely yaml/object based
# TODO(etune): move to a completely yaml/object based
# workflow so that service accounts can be created
# workflow so that service accounts can be created
...
@@ -110,7 +144,14 @@ while read line; do
...
@@ -110,7 +144,14 @@ while read line; do
IFS
=
','
read
-a
parts
<<<
"
${
line
}
"
IFS
=
','
read
-a
parts
<<<
"
${
line
}
"
token
=
${
parts
[0]
}
token
=
${
parts
[0]
}
username
=
${
parts
[1]
}
username
=
${
parts
[1]
}
create-kubeconfig-secret
"
${
token
}
"
"
${
username
}
"
# DNS is special, since it's necessary for cluster bootstrapping.
if
[[
"
${
username
}
"
==
"system:dns"
]]
&&
[[
!
-z
"
${
KUBERNETES_MASTER_NAME
:-}
"
]]
;
then
create-kubeconfig-secret
"
${
token
}
"
"
${
username
}
"
"https://
${
KUBERNETES_MASTER_NAME
}
"
else
# Set the server to https://kubernetes. Pods/components that
# do not have DNS available will have to override the server.
create-kubeconfig-secret
"
${
token
}
"
"
${
username
}
"
"https://kubernetes"
fi
done
< /srv/kubernetes/known_tokens.csv
done
< /srv/kubernetes/known_tokens.csv
# Create admission_control objects if defined before any other addon services. If the limits
# Create admission_control objects if defined before any other addon services. If the limits
...
...
Write
Preview
Markdown
is supported
0%
Try again
or
attach a new file
Attach a file
Cancel
You are about to add
0
people
to the discussion. Proceed with caution.
Finish editing this message first!
Cancel
Please
register
or
sign in
to comment