diff --git a/promenade/config.py b/promenade/config.py index 63777e86..05bdba68 100644 --- a/promenade/config.py +++ b/promenade/config.py @@ -41,6 +41,7 @@ class Document: raise AssertionError('Did not get expected keys') assert data['apiVersion'] == 'promenade/v1' assert data['kind'] in self.SUPPORTED_KINDS + assert data['metadata']['name'] self.data = data @@ -48,6 +49,10 @@ class Document: def kind(self): return self.data['kind'] + @property + def name(self): + return self.metadata['name'] + @property def target(self): return self.metadata.get('target') @@ -64,6 +69,19 @@ class Configuration: def __init__(self, documents): self.documents = sorted(documents, key=attrgetter('kind', 'target')) + self.validate() + + def validate(self): + identifiers = set() + for document in self.documents: + identifier = (document.kind, document.name) + if identifier in identifiers: + LOG.error('Found duplicate document in config: kind=%s name=%s', + document.kind, document.name) + raise RuntimeError('Duplicate document') + else: + identifiers.add(identifier) + def __getitem__(self, key): results = [d for d in self.documents if d.kind == key] if len(results) < 1: @@ -73,6 +91,11 @@ class Configuration: else: return results[0] + def get(self, *, kind, name): + for document in self.documents: + if document.kind == kind and document.name == name: + return document + def iterate(self, *, kind=None, target=None): if target: docs = self._iterate_with_target(target) diff --git a/promenade/generator.py b/promenade/generator.py index 90b3fb81..297011ac 100644 --- a/promenade/generator.py +++ b/promenade/generator.py @@ -123,6 +123,7 @@ class Generator: role_specific_documents.extend([ admin_cert, admin_cert_key, + cluster_ca_key, etcd_client_ca, etcd_peer_ca, sa_priv, 
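Review bot: `assert data['metadata']['name']` raises KeyError rather than the AssertionError the surrounding checks produce when metadata lacks a name key, so a caller catching AssertionError does not see it; `assert data['metadata'].get('name'), 'Document metadata.name is required'` keeps the failure type uniform and names the missing field. Like the existing apiVersion and kind assertions in this hunk, the check disappears under `python -O`, so it is a developer check rather than validation of untrusted input. Document.__init__ starts outside the hunk.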
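Review bot: `get` falls off the end of the loop and returns None when nothing matches, and every template added in this change immediately subscripts the result (`config.get(...)['data']`), so a missing certificate surfaces as a TypeError from the renderer instead of a message naming the kind and name. After the loop add `raise KeyError('No document found: kind=%s name=%s' % (kind, name))`, mirroring how `__getitem__` treats an empty result (its body continues past the hunk), assuming no caller relies on the None return — none is visible here. If the None return is intentional, a one-line docstring `"""Return the unique document with this kind and name, or None if absent."""` should say so.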
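Review bot: Adding `cluster_ca_key` to this list places the cluster CA private key in the per-host document set, so the `<hostname>.yaml` that `c.write` produces now carries the key able to sign any cluster credential. That is what the controller-manager's `--cluster-signing-key-file` elsewhere in this change needs, but the enclosing method starts and ends outside the hunk, so confirm the list is only used for the master role and that the written files are created with owner-only permissions — nothing in this hunk restricts them. A short comment such as `# cluster_ca_key is the CA private key: master-only, output must be permission-restricted` would record the intent next to the entry.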
@@ -140,7 +141,7 @@ class Generator: role_specific_documents.extend(_genesis_config(hostname, data, masters, network, keys)) role_specific_documents.append(_genesis_etcd_config(cluster_name, hostname)) - node.data['is_genesis'] = True + node.data['spec']['is_genesis'] = True c = config.Configuration(common_documents + role_specific_documents) c.write(os.path.join(output_dir, hostname + '.yaml')) @@ -156,6 +157,7 @@ class Generator: 'kind': 'Masters', 'metadata': { 'cluster': cluster_name, + 'name': cluster_name, 'target': 'all', }, 'spec': { @@ -172,7 +174,8 @@ def _master_etcd_config(cluster_name, genesis_hostname, hostname, masters): 'auxiliary-etcd-0=https://%s:12380' % genesis_hostname, 'auxiliary-etcd-1=https://%s:22380' % genesis_hostname, ]) - return _etcd_config(cluster_name, target=hostname, + return _etcd_config(cluster_name, name='master-etcd', + target=hostname, initial_cluster=initial_cluster, initial_cluster_state='existing') @@ -183,18 +186,20 @@ def _genesis_etcd_config(cluster_name, hostname): 'auxiliary-etcd-0=https://%s:12380' % hostname, 'auxiliary-etcd-1=https://%s:22380' % hostname, ] - return _etcd_config(cluster_name, target=hostname, + return _etcd_config(cluster_name, name='genesis-etcd', + target=hostname, initial_cluster=initial_cluster, initial_cluster_state='new') -def _etcd_config(cluster_name, *, target, +def _etcd_config(cluster_name, *, name, target, initial_cluster, initial_cluster_state): return config.Document({ 'apiVersion': 'promenade/v1', 'kind': 'Etcd', 'metadata': { 'cluster': cluster_name, + 'name': name, 'target': target, }, 'spec': { 
@@ -221,6 +226,13 @@ def _master_config(hostname, host_data, masters, network, keys): hosts=kube_domains + [hostname, host_data['ip']], target=hostname, )) + docs.extend(keys.generate_certificate( + alias='etcd-apiserver-client', + name='etcd:client:apiserver:%s' % hostname, + ca_name='etcd-client', + hosts=[hostname, host_data['ip']], + target=hostname, + )) docs.extend(keys.generate_certificate( alias='etcd-peer', name='etcd:peer:%s' % hostname, @@ -271,13 +283,14 @@ def _genesis_config(hostname, host_data, masters, network, keys): for i in range(2): docs.extend(keys.generate_certificate( - name='auxiliary-etcd-client-%d' % i, + name='auxiliary-etcd-%d-client' % i, ca_name='etcd-client', hosts=[hostname, host_data['ip']], target=hostname, )) + docs.extend(keys.generate_certificate( - name='auxiliary-etcd-client-%d' % i, + name='auxiliary-etcd-%d-peer' % i, ca_name='etcd-peer', hosts=[hostname, host_data['ip']], target=hostname, @@ -299,6 +312,7 @@ def _construct_node_config(cluster_name, hostname, data): 'kind': 'Node', 'metadata': { 'cluster': cluster_name, + 'name': hostname, 'target': hostname, }, 'spec': spec, diff --git a/promenade/templates/common/etc/kubernetes/kubelet/manifests/kube-proxy.yaml b/promenade/templates/common/etc/kubernetes/kubelet/manifests/kube-proxy.yaml index 6617b9ab..17053925 100644 --- a/promenade/templates/common/etc/kubernetes/kubelet/manifests/kube-proxy.yaml +++ b/promenade/templates/common/etc/kubernetes/kubelet/manifests/kube-proxy.yaml @@ -18,7 +18,7 @@ spec: - proxy - --cluster-cidr={{ config['Network']['pod_ip_cidr'] }} - --hostname-override=$(NODE_NAME) - - --kubeconfig=/etc/kubernetes/config/kubeconfig.yaml + - --kubeconfig=/etc/kubernetes/proxy/kubeconfig.yaml - --proxy-mode=iptables - --v=5 env: @@ -30,7 +30,7 @@ spec: privileged: true volumeMounts: - name: config - mountPath: /etc/kubernetes + mountPath: /etc/kubernetes/proxy readOnly: true hostNetwork: true volumes: 
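Review bot: The kube-proxy mountPath moves from `/etc/kubernetes` to `/etc/kubernetes/proxy`, but the `volumes:` hostPath for `config` is outside the hunk; unless it was changed to the host's `/etc/kubernetes/proxy` as well, the container path `/etc/kubernetes/proxy/kubeconfig.yaml` that the new `--kubeconfig` flag expects resolves to host `/etc/kubernetes/kubeconfig.yaml`, which this change no longer renders. The same check applies to the asset-loader, kube-controller-manager and kube-scheduler manifests, whose hostPath entries are likewise out of view. Narrowing each mount to its component directory is a good change in itself, since a pod no longer sees the other components' keys.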
diff --git a/promenade/templates/common/etc/kubernetes/kubelet/pki/cluster-ca.pem b/promenade/templates/common/etc/kubernetes/kubelet/pki/cluster-ca.pem new file mode 100644 index 00000000..51adb572 --- /dev/null +++ b/promenade/templates/common/etc/kubernetes/kubelet/pki/cluster-ca.pem @@ -0,0 +1 @@ +{{ config.get(kind='CertificateAuthority', name='cluster')['data'] }} diff --git a/promenade/templates/common/etc/kubernetes/kubelet/pki/kubelet-key.pem b/promenade/templates/common/etc/kubernetes/kubelet/pki/kubelet-key.pem new file mode 100644 index 00000000..4292cfb7 --- /dev/null +++ b/promenade/templates/common/etc/kubernetes/kubelet/pki/kubelet-key.pem @@ -0,0 +1 @@ +{{ config.get(kind='CertificateKey', name='kubelet')['data'] }} diff --git a/promenade/templates/common/etc/kubernetes/kubelet/pki/kubelet.pem b/promenade/templates/common/etc/kubernetes/kubelet/pki/kubelet.pem new file mode 100644 index 00000000..2cf83517 --- /dev/null +++ b/promenade/templates/common/etc/kubernetes/kubelet/pki/kubelet.pem @@ -0,0 +1 @@ +{{ config.get(kind='Certificate', name='kubelet')['data'] }} diff --git a/promenade/templates/common/etc/kubernetes/proxy/config/kubeconfig.yaml b/promenade/templates/common/etc/kubernetes/proxy/kubeconfig.yaml similarity index 59% rename from promenade/templates/common/etc/kubernetes/proxy/config/kubeconfig.yaml rename to promenade/templates/common/etc/kubernetes/proxy/kubeconfig.yaml index 3889f1c9..c38da35d 100644 --- a/promenade/templates/common/etc/kubernetes/proxy/config/kubeconfig.yaml +++ b/promenade/templates/common/etc/kubernetes/proxy/kubeconfig.yaml @@ -3,7 +3,7 @@ apiVersion: v1 clusters: - cluster: server: https://kubernetes - certificate-authority: /etc/kubernetes/pki/cluster-ca.pem + certificate-authority: /etc/kubernetes/proxy/pki/cluster-ca.pem name: kubernetes contexts: - context: 
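Review bot: `kubelet-key.pem` renders a private key straight into a host file and nothing in the template fixes the mode of the rendered file; the same applies to proxy-key.pem, asset-loader-key.pem, the auxiliary-etcd and etcd `*-key.pem` files, admin-key.pem, apiserver-key.pem, controller-manager-key.pem, cluster-ca-key.pem and service-account.key added elsewhere in this change. The renderer is out of view, so confirm it writes `*-key.pem` and `*.key` outputs with mode 0600 and root ownership. The lookup here uses the fixed name `kubelet`, whereas generator.py names the apiserver's etcd client certificate per host (`'etcd:client:apiserver:%s' % hostname`); if the kubelet certificate is generated once and shared by every node, all kubelets present the same identity, so confirm it is issued per host or name it accordingly.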
@@ -16,5 +16,5 @@ preferences: {} users: - name: proxy user: - client-certificate: /etc/kubernetes/pki/proxy.pem - client-key: /etc/kubernetes/pki/proxy-key.pem + client-certificate: /etc/kubernetes/proxy/pki/proxy.pem + client-key: /etc/kubernetes/proxy/pki/proxy-key.pem diff --git a/promenade/templates/common/etc/kubernetes/proxy/pki/cluster-ca.pem b/promenade/templates/common/etc/kubernetes/proxy/pki/cluster-ca.pem new file mode 100644 index 00000000..51adb572 --- /dev/null +++ b/promenade/templates/common/etc/kubernetes/proxy/pki/cluster-ca.pem @@ -0,0 +1 @@ +{{ config.get(kind='CertificateAuthority', name='cluster')['data'] }} diff --git a/promenade/templates/common/etc/kubernetes/proxy/pki/proxy-key.pem b/promenade/templates/common/etc/kubernetes/proxy/pki/proxy-key.pem new file mode 100644 index 00000000..2e388910 --- /dev/null +++ b/promenade/templates/common/etc/kubernetes/proxy/pki/proxy-key.pem @@ -0,0 +1 @@ +{{ config.get(kind='CertificateKey', name='proxy')['data'] }} diff --git a/promenade/templates/common/etc/kubernetes/proxy/pki/proxy.pem b/promenade/templates/common/etc/kubernetes/proxy/pki/proxy.pem new file mode 100644 index 00000000..7841403a --- /dev/null +++ b/promenade/templates/common/etc/kubernetes/proxy/pki/proxy.pem @@ -0,0 +1 @@ +{{ config.get(kind='Certificate', name='proxy')['data'] }} diff --git a/promenade/templates/genesis/etc/kubernetes/asset-loader/kubeconfig.yaml b/promenade/templates/genesis/etc/kubernetes/asset-loader/kubeconfig.yaml index 56a747a1..4509a40d 100644 --- a/promenade/templates/genesis/etc/kubernetes/asset-loader/kubeconfig.yaml +++ b/promenade/templates/genesis/etc/kubernetes/asset-loader/kubeconfig.yaml @@ -3,7 +3,7 @@ apiVersion: v1 clusters: - cluster: server: https://kubernetes - certificate-authority: /etc/kubernetes/pki/cluster-ca.pem + certificate-authority: /etc/kubernetes/asset-loader/pki/cluster-ca.pem name: kubernetes contexts: - context: 
@@ -16,5 +16,5 @@ preferences: {} users: - name: asset-loader user: - client-certificate: /etc/kubernetes/pki/asset-loader.pem - client-key: /etc/kubernetes/pki/asset-loader-key.pem + client-certificate: /etc/kubernetes/asset-loader/pki/asset-loader.pem + client-key: /etc/kubernetes/asset-loader/pki/asset-loader-key.pem diff --git a/promenade/templates/genesis/etc/kubernetes/asset-loader/pki/asset-loader-key.pem b/promenade/templates/genesis/etc/kubernetes/asset-loader/pki/asset-loader-key.pem new file mode 100644 index 00000000..a9dfb2dd --- /dev/null +++ b/promenade/templates/genesis/etc/kubernetes/asset-loader/pki/asset-loader-key.pem @@ -0,0 +1 @@ +{{ config.get(kind='CertificateKey', name='admin')['data'] }} diff --git a/promenade/templates/genesis/etc/kubernetes/asset-loader/pki/asset-loader.pem b/promenade/templates/genesis/etc/kubernetes/asset-loader/pki/asset-loader.pem new file mode 100644 index 00000000..3cfb3dc9 --- /dev/null +++ b/promenade/templates/genesis/etc/kubernetes/asset-loader/pki/asset-loader.pem @@ -0,0 +1 @@ +{{ config.get(kind='Certificate', name='admin')['data'] }} diff --git a/promenade/templates/genesis/etc/kubernetes/asset-loader/pki/cluster-ca.pem b/promenade/templates/genesis/etc/kubernetes/asset-loader/pki/cluster-ca.pem new file mode 100644 index 00000000..51adb572 --- /dev/null +++ b/promenade/templates/genesis/etc/kubernetes/asset-loader/pki/cluster-ca.pem @@ -0,0 +1 @@ +{{ config.get(kind='CertificateAuthority', name='cluster')['data'] }} diff --git a/promenade/templates/genesis/etc/kubernetes/auxiliary-etcd-0/pki/client-ca.pem b/promenade/templates/genesis/etc/kubernetes/auxiliary-etcd-0/pki/client-ca.pem new file mode 100644 index 00000000..6f6fbed3 --- /dev/null +++ b/promenade/templates/genesis/etc/kubernetes/auxiliary-etcd-0/pki/client-ca.pem @@ -0,0 +1 @@ +{{ config.get(kind='CertificateAuthority', name='etcd-client')['data'] }} 
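Review bot: The asset-loader's client credential is the `admin` certificate and key, so the pod that runs `kubectl apply` in a loop holds the cluster-admin identity; a dedicated `asset-loader` certificate (generator.py already issues purpose-specific ones such as `etcd-apiserver-client`) would let it be bound to only the permissions the assets need. The genesis kubeconfig makes the same substitution, where the user is still named `genesis` but now points at `admin.pem`/`admin-key.pem` — rename the user or keep a genesis certificate so the two agree. This is inferred from file names only; the apiserver's authorization mode is not in view.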
diff --git a/promenade/templates/genesis/etc/kubernetes/auxiliary-etcd-0/pki/etcd-client-key.pem b/promenade/templates/genesis/etc/kubernetes/auxiliary-etcd-0/pki/etcd-client-key.pem new file mode 100644 index 00000000..9073d56b --- /dev/null +++ b/promenade/templates/genesis/etc/kubernetes/auxiliary-etcd-0/pki/etcd-client-key.pem @@ -0,0 +1 @@ +{{ config.get(kind='CertificateKey', name='auxiliary-etcd-0-client')['data'] }} diff --git a/promenade/templates/genesis/etc/kubernetes/auxiliary-etcd-0/pki/etcd-client.pem b/promenade/templates/genesis/etc/kubernetes/auxiliary-etcd-0/pki/etcd-client.pem new file mode 100644 index 00000000..ebd8c5e7 --- /dev/null +++ b/promenade/templates/genesis/etc/kubernetes/auxiliary-etcd-0/pki/etcd-client.pem @@ -0,0 +1 @@ +{{ config.get(kind='Certificate', name='auxiliary-etcd-0-client')['data'] }} diff --git a/promenade/templates/genesis/etc/kubernetes/auxiliary-etcd-0/pki/etcd-peer-key.pem b/promenade/templates/genesis/etc/kubernetes/auxiliary-etcd-0/pki/etcd-peer-key.pem new file mode 100644 index 00000000..b5ce1958 --- /dev/null +++ b/promenade/templates/genesis/etc/kubernetes/auxiliary-etcd-0/pki/etcd-peer-key.pem @@ -0,0 +1 @@ +{{ config.get(kind='CertificateKey', name='auxiliary-etcd-0-peer')['data'] }} diff --git a/promenade/templates/genesis/etc/kubernetes/auxiliary-etcd-0/pki/etcd-peer.pem b/promenade/templates/genesis/etc/kubernetes/auxiliary-etcd-0/pki/etcd-peer.pem new file mode 100644 index 00000000..92076936 --- /dev/null +++ b/promenade/templates/genesis/etc/kubernetes/auxiliary-etcd-0/pki/etcd-peer.pem @@ -0,0 +1 @@ +{{ config.get(kind='Certificate', name='auxiliary-etcd-0-peer')['data'] }} diff --git a/promenade/templates/genesis/etc/kubernetes/auxiliary-etcd-0/pki/peer-ca.pem b/promenade/templates/genesis/etc/kubernetes/auxiliary-etcd-0/pki/peer-ca.pem new file mode 100644 index 00000000..04003625 --- /dev/null +++ b/promenade/templates/genesis/etc/kubernetes/auxiliary-etcd-0/pki/peer-ca.pem 
@@ -0,0 +1 @@ +{{ config.get(kind='CertificateAuthority', name='etcd-peer')['data'] }} diff --git a/promenade/templates/genesis/etc/kubernetes/auxiliary-etcd-1/pki/client-ca.pem b/promenade/templates/genesis/etc/kubernetes/auxiliary-etcd-1/pki/client-ca.pem new file mode 100644 index 00000000..6f6fbed3 --- /dev/null +++ b/promenade/templates/genesis/etc/kubernetes/auxiliary-etcd-1/pki/client-ca.pem @@ -0,0 +1 @@ +{{ config.get(kind='CertificateAuthority', name='etcd-client')['data'] }} diff --git a/promenade/templates/genesis/etc/kubernetes/auxiliary-etcd-1/pki/etcd-client-key.pem b/promenade/templates/genesis/etc/kubernetes/auxiliary-etcd-1/pki/etcd-client-key.pem new file mode 100644 index 00000000..65821b61 --- /dev/null +++ b/promenade/templates/genesis/etc/kubernetes/auxiliary-etcd-1/pki/etcd-client-key.pem @@ -0,0 +1 @@ +{{ config.get(kind='CertificateKey', name='auxiliary-etcd-1-client')['data'] }} diff --git a/promenade/templates/genesis/etc/kubernetes/auxiliary-etcd-1/pki/etcd-client.pem b/promenade/templates/genesis/etc/kubernetes/auxiliary-etcd-1/pki/etcd-client.pem new file mode 100644 index 00000000..602dcd29 --- /dev/null +++ b/promenade/templates/genesis/etc/kubernetes/auxiliary-etcd-1/pki/etcd-client.pem @@ -0,0 +1 @@ +{{ config.get(kind='Certificate', name='auxiliary-etcd-1-client')['data'] }} diff --git a/promenade/templates/genesis/etc/kubernetes/auxiliary-etcd-1/pki/etcd-peer-key.pem b/promenade/templates/genesis/etc/kubernetes/auxiliary-etcd-1/pki/etcd-peer-key.pem new file mode 100644 index 00000000..3ebf84f7 --- /dev/null +++ b/promenade/templates/genesis/etc/kubernetes/auxiliary-etcd-1/pki/etcd-peer-key.pem @@ -0,0 +1 @@ +{{ config.get(kind='CertificateKey', name='auxiliary-etcd-1-peer')['data'] }} diff --git a/promenade/templates/genesis/etc/kubernetes/auxiliary-etcd-1/pki/etcd-peer.pem b/promenade/templates/genesis/etc/kubernetes/auxiliary-etcd-1/pki/etcd-peer.pem new file mode 100644 index 00000000..66b11820 --- /dev/null 
+++ b/promenade/templates/genesis/etc/kubernetes/auxiliary-etcd-1/pki/etcd-peer.pem @@ -0,0 +1 @@ +{{ config.get(kind='Certificate', name='auxiliary-etcd-1-peer')['data'] }} diff --git a/promenade/templates/genesis/etc/kubernetes/auxiliary-etcd-1/pki/peer-ca.pem b/promenade/templates/genesis/etc/kubernetes/auxiliary-etcd-1/pki/peer-ca.pem new file mode 100644 index 00000000..04003625 --- /dev/null +++ b/promenade/templates/genesis/etc/kubernetes/auxiliary-etcd-1/pki/peer-ca.pem @@ -0,0 +1 @@ +{{ config.get(kind='CertificateAuthority', name='etcd-peer')['data'] }} diff --git a/promenade/templates/genesis/etc/kubernetes/genesis/kubeconfig.yaml b/promenade/templates/genesis/etc/kubernetes/genesis/kubeconfig.yaml index 6595050e..9df887fb 100644 --- a/promenade/templates/genesis/etc/kubernetes/genesis/kubeconfig.yaml +++ b/promenade/templates/genesis/etc/kubernetes/genesis/kubeconfig.yaml @@ -3,7 +3,7 @@ apiVersion: v1 clusters: - cluster: server: https://127.0.0.1 - certificate-authority: /target/etc/kubernetes/genesis/pki/cluster-ca.pem + certificate-authority: /target/etc/kubernetes/admin/pki/cluster-ca.pem name: kubernetes contexts: - context: @@ -16,5 +16,5 @@ preferences: {} users: - name: genesis user: - client-certificate: /target/etc/kubernetes/genesis/pki/genesis.pem - client-key: /target/etc/kubernetes/genesis/pki/genesis-key.pem + client-certificate: /target/etc/kubernetes/admin/pki/admin.pem + client-key: /target/etc/kubernetes/admin/pki/admin-key.pem diff --git a/promenade/templates/genesis/etc/kubernetes/kubelet/manifests/asset-loader.yaml b/promenade/templates/genesis/etc/kubernetes/kubelet/manifests/asset-loader.yaml index db7fb163..a5232ac8 100644 --- a/promenade/templates/genesis/etc/kubernetes/kubelet/manifests/asset-loader.yaml +++ b/promenade/templates/genesis/etc/kubernetes/kubelet/manifests/asset-loader.yaml 
@@ -21,12 +21,12 @@ spec: while true; do sleep 60 /kubectl \ - --kubeconfig /etc/kubernetes/kubeconfig.yaml \ - apply -f /etc/kubernetes/assets + --kubeconfig /etc/kubernetes/asset-loader/kubeconfig.yaml \ + apply -f /etc/kubernetes/asset-loader/assets done volumeMounts: - name: config - mountPath: /etc/kubernetes + mountPath: /etc/kubernetes/asset-loader readOnly: true volumes: - name: config diff --git a/promenade/templates/genesis/etc/kubernetes/kubelet/manifests/auxiliary-etcd.yaml b/promenade/templates/genesis/etc/kubernetes/kubelet/manifests/auxiliary-etcd.yaml index ce19a87a..7a8ed07a 100644 --- a/promenade/templates/genesis/etc/kubernetes/kubelet/manifests/auxiliary-etcd.yaml +++ b/promenade/templates/genesis/etc/kubernetes/kubelet/manifests/auxiliary-etcd.yaml @@ -22,21 +22,21 @@ spec: - name: ETCD_DATA_DIR value: /var/lib/auxiliary-etcd-0 - name: ETCD_TRUSTED_CA_FILE - value: /etc/etcd-pki/cluster-ca.pem + value: /etc/kubernetes/auxiliary-etcd-0/pki/client-ca.pem - name: ETCD_CERT_FILE - value: /etc/etcd-pki/etcd.pem + value: /etc/kubernetes/auxiliary-etcd-0/pki/etcd-client.pem - name: ETCD_KEY_FILE - value: /etc/etcd-pki/etcd-key.pem + value: /etc/kubernetes/auxiliary-etcd-0/pki/etcd-client-key.pem - name: ETCD_PEER_TRUSTED_CA_FILE - value: /etc/etcd-pki/cluster-ca.pem + value: /etc/kubernetes/auxiliary-etcd-0/pki/peer-ca.pem - name: ETCD_PEER_CERT_FILE - value: /etc/etcd-pki/etcd.pem + value: /etc/kubernetes/auxiliary-etcd-0/pki/etcd-peer.pem - name: ETCD_PEER_KEY_FILE - value: /etc/etcd-pki/etcd-key.pem + value: /etc/kubernetes/auxiliary-etcd-0/pki/etcd-peer-key.pem - name: ETCD_ADVERTISE_CLIENT_URLS - value: https://$(ETCD_NAME):12379 + value: https://{{ config['Node']['hostname'] }}:12379 - name: ETCD_INITIAL_ADVERTISE_PEER_URLS - value: https://$(ETCD_NAME):12380 + value: https://{{ config['Node']['hostname'] }}:12380 - name: ETCD_INITIAL_CLUSTER_TOKEN value: promenade-kube-etcd-token - name: ETCD_LISTEN_CLIENT_URLS 
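Review bot: `ETCD_TRUSTED_CA_FILE` and `ETCD_PEER_TRUSTED_CA_FILE` now point at separate client and peer CAs, but etcd only checks presented certificates against them when `ETCD_CLIENT_CERT_AUTH=true` and `ETCD_PEER_CLIENT_CERT_AUTH=true` are set; those variables are outside the hunk, so confirm they are present for both auxiliary members here and for kube-etcd.yaml, otherwise the CA files constrain nothing on the inbound side. The advertise URLs now use `config['Node']['hostname']`, which matches the `hosts=[hostname, host_data['ip']]` SANs generator.py places in the auxiliary certificates, so the switch away from `$(ETCD_NAME)` looks consistent.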
@@ -60,8 +60,8 @@ spec: volumeMounts: - name: data-0 mountPath: /var/lib/auxiliary-etcd-0 - - name: pki - mountPath: /etc/etcd-pki + - name: pki-0 + mountPath: /etc/kubernetes/auxiliary-etcd-0/pki readOnly: true - name: auxiliary-etcd-1 image: quay.io/coreos/etcd:v3.0.17 @@ -75,21 +75,21 @@ spec: - name: ETCD_DATA_DIR value: /var/lib/auxiliary-etcd-1 - name: ETCD_TRUSTED_CA_FILE - value: /etc/etcd-pki/cluster-ca.pem + value: /etc/kubernetes/auxiliary-etcd-1/pki/client-ca.pem - name: ETCD_CERT_FILE - value: /etc/etcd-pki/etcd.pem + value: /etc/kubernetes/auxiliary-etcd-1/pki/etcd-client.pem - name: ETCD_KEY_FILE - value: /etc/etcd-pki/etcd-key.pem + value: /etc/kubernetes/auxiliary-etcd-1/pki/etcd-client-key.pem - name: ETCD_PEER_TRUSTED_CA_FILE - value: /etc/etcd-pki/cluster-ca.pem + value: /etc/kubernetes/auxiliary-etcd-1/pki/peer-ca.pem - name: ETCD_PEER_CERT_FILE - value: /etc/etcd-pki/etcd.pem + value: /etc/kubernetes/auxiliary-etcd-1/pki/etcd-peer.pem - name: ETCD_PEER_KEY_FILE - value: /etc/etcd-pki/etcd-key.pem + value: /etc/kubernetes/auxiliary-etcd-1/pki/etcd-peer-key.pem - name: ETCD_ADVERTISE_CLIENT_URLS - value: https://$(ETCD_NAME):22379 + value: https://{{ config['Node']['hostname'] }}:22379 - name: ETCD_INITIAL_ADVERTISE_PEER_URLS - value: https://$(ETCD_NAME):22380 + value: https://{{ config['Node']['hostname'] }}:22380 - name: ETCD_INITIAL_CLUSTER_TOKEN value: promenade-kube-etcd-token - name: ETCD_LISTEN_CLIENT_URLS @@ -113,8 +113,8 @@ spec: volumeMounts: - name: data-1 mountPath: /var/lib/auxiliary-etcd-1 - - name: pki - mountPath: /etc/etcd-pki + - name: pki-1 + mountPath: /etc/kubernetes/auxiliary-etcd-1/pki readOnly: true - name: cluster-monitor image: quay.io/coreos/etcd:v3.0.17 
@@ -137,7 +137,12 @@ spec: etcdctl member remove $(etcdctl member list | grep auxiliary-etcd-1 | cut -d , -f 1) etcdctl member remove $(etcdctl member list | grep auxiliary-etcd-0 | cut -d , -f 1) sleep 60 - rm -rf /var/lib/auxiliary-etcd-0 /var/lib/auxiliary-etcd-1 /etc/kubernetes/kubelet/manifests/auxiliary-etcd.yaml + rm -rf \ + /var/lib/auxiliary-etcd-0 \ + /var/lib/auxiliary-etcd-1 \ + /etc/kubernetes/auxiliary-etcd-0 \ + /etc/kubernetes/auxiliary-etcd-1 \ + /etc/kubernetes/kubelet/manifests/auxiliary-etcd.yaml sleep 10000 fi done @@ -150,16 +155,16 @@ spec: - name: ETCDCTL_API value: "3" - name: ETCDCTL_CACERT - value: /etc/etcd-pki/cluster-ca.pem + value: /etc/kubernetes/etcd/pki/client-ca.pem - name: ETCDCTL_CERT - value: /etc/etcd-pki/etcd.pem + value: /etc/kubernetes/etcd/pki/etcd-client.pem - name: ETCDCTL_ENDPOINTS - value: https://127.0.0.1:12379 + value: https://{{ config['Node']['ip'] }}:2379 - name: ETCDCTL_KEY - value: /etc/etcd-pki/etcd-key.pem + value: /etc/kubernetes/etcd/pki/etcd-client-key.pem volumeMounts: - name: pki - mountPath: /etc/etcd-pki + mountPath: /etc/kubernetes/etcd/pki readOnly: true - name: manifests mountPath: /etc/kubernetes/kubelet/manifests @@ -175,6 +180,12 @@ spec: - name: pki hostPath: path: /etc/kubernetes/etcd/pki + - name: pki-0 + hostPath: + path: /etc/kubernetes/auxiliary-etcd-0/pki + - name: pki-1 + hostPath: + path: /etc/kubernetes/auxiliary-etcd-1/pki - name: manifests hostPath: path: /etc/kubernetes/kubelet/manifests diff --git a/promenade/templates/master/etc/kubernetes/admin/pki/admin-key.pem b/promenade/templates/master/etc/kubernetes/admin/pki/admin-key.pem new file mode 100644 index 00000000..a9dfb2dd --- /dev/null +++ b/promenade/templates/master/etc/kubernetes/admin/pki/admin-key.pem @@ -0,0 +1 @@ +{{ config.get(kind='CertificateKey', name='admin')['data'] }} 
diff --git a/promenade/templates/master/etc/kubernetes/admin/pki/admin.pem b/promenade/templates/master/etc/kubernetes/admin/pki/admin.pem new file mode 100644 index 00000000..3cfb3dc9 --- /dev/null +++ b/promenade/templates/master/etc/kubernetes/admin/pki/admin.pem @@ -0,0 +1 @@ +{{ config.get(kind='Certificate', name='admin')['data'] }} diff --git a/promenade/templates/master/etc/kubernetes/admin/pki/cluster-ca.pem b/promenade/templates/master/etc/kubernetes/admin/pki/cluster-ca.pem new file mode 100644 index 00000000..51adb572 --- /dev/null +++ b/promenade/templates/master/etc/kubernetes/admin/pki/cluster-ca.pem @@ -0,0 +1 @@ +{{ config.get(kind='CertificateAuthority', name='cluster')['data'] }} diff --git a/promenade/templates/master/etc/kubernetes/apiserver/pki/apiserver-key.pem b/promenade/templates/master/etc/kubernetes/apiserver/pki/apiserver-key.pem new file mode 100644 index 00000000..6b161631 --- /dev/null +++ b/promenade/templates/master/etc/kubernetes/apiserver/pki/apiserver-key.pem @@ -0,0 +1 @@ +{{ config.get(kind='CertificateKey', name='apiserver')['data'] }} diff --git a/promenade/templates/master/etc/kubernetes/apiserver/pki/apiserver.pem b/promenade/templates/master/etc/kubernetes/apiserver/pki/apiserver.pem new file mode 100644 index 00000000..ef52b8c3 --- /dev/null +++ b/promenade/templates/master/etc/kubernetes/apiserver/pki/apiserver.pem @@ -0,0 +1 @@ +{{ config.get(kind='Certificate', name='apiserver')['data'] }} diff --git a/promenade/templates/master/etc/kubernetes/apiserver/pki/cluster-ca.pem b/promenade/templates/master/etc/kubernetes/apiserver/pki/cluster-ca.pem new file mode 100644 index 00000000..51adb572 --- /dev/null +++ b/promenade/templates/master/etc/kubernetes/apiserver/pki/cluster-ca.pem @@ -0,0 +1 @@ +{{ config.get(kind='CertificateAuthority', name='cluster')['data'] }} 
diff --git a/promenade/templates/master/etc/kubernetes/apiserver/pki/etcd-client-ca.pem b/promenade/templates/master/etc/kubernetes/apiserver/pki/etcd-client-ca.pem new file mode 100644 index 00000000..6f6fbed3 --- /dev/null +++ b/promenade/templates/master/etc/kubernetes/apiserver/pki/etcd-client-ca.pem @@ -0,0 +1 @@ +{{ config.get(kind='CertificateAuthority', name='etcd-client')['data'] }} diff --git a/promenade/templates/master/etc/kubernetes/apiserver/pki/etcd-client-key.pem b/promenade/templates/master/etc/kubernetes/apiserver/pki/etcd-client-key.pem new file mode 100644 index 00000000..71669eac --- /dev/null +++ b/promenade/templates/master/etc/kubernetes/apiserver/pki/etcd-client-key.pem @@ -0,0 +1 @@ +{{ config.get(kind='CertificateKey', name='etcd-apiserver-client')['data'] }} diff --git a/promenade/templates/master/etc/kubernetes/apiserver/pki/etcd-client.pem b/promenade/templates/master/etc/kubernetes/apiserver/pki/etcd-client.pem new file mode 100644 index 00000000..eb432bfd --- /dev/null +++ b/promenade/templates/master/etc/kubernetes/apiserver/pki/etcd-client.pem @@ -0,0 +1 @@ +{{ config.get(kind='Certificate', name='etcd-apiserver-client')['data'] }} diff --git a/promenade/templates/master/etc/kubernetes/apiserver/pki/service-account.pub b/promenade/templates/master/etc/kubernetes/apiserver/pki/service-account.pub new file mode 100644 index 00000000..30866284 --- /dev/null +++ b/promenade/templates/master/etc/kubernetes/apiserver/pki/service-account.pub @@ -0,0 +1 @@ +{{ config.get(kind='PublicKey', name='service-account')['data'] }} diff --git a/promenade/templates/master/etc/kubernetes/controller-manager/kubeconfig.yaml b/promenade/templates/master/etc/kubernetes/controller-manager/kubeconfig.yaml index 17275f1f..ee6b4e02 100644 --- a/promenade/templates/master/etc/kubernetes/controller-manager/kubeconfig.yaml +++ b/promenade/templates/master/etc/kubernetes/controller-manager/kubeconfig.yaml 
@@ -3,7 +3,7 @@ apiVersion: v1 clusters: - cluster: server: https://kubernetes - certificate-authority: /etc/kubernetes/pki/cluster-ca.pem + certificate-authority: /etc/kubernetes/controller-manager/pki/cluster-ca.pem name: kubernetes contexts: - context: @@ -16,5 +16,5 @@ preferences: {} users: - name: controller-manager user: - client-certificate: /etc/kubernetes/pki/controller-manager.pem - client-key: /etc/kubernetes/pki/controller-manager-key.pem + client-certificate: /etc/kubernetes/controller-manager/pki/controller-manager.pem + client-key: /etc/kubernetes/controller-manager/pki/controller-manager-key.pem diff --git a/promenade/templates/master/etc/kubernetes/controller-manager/pki/cluster-ca-key.pem b/promenade/templates/master/etc/kubernetes/controller-manager/pki/cluster-ca-key.pem new file mode 100644 index 00000000..58a75ff2 --- /dev/null +++ b/promenade/templates/master/etc/kubernetes/controller-manager/pki/cluster-ca-key.pem @@ -0,0 +1 @@ +{{ config.get(kind='CertificateAuthorityKey', name='cluster')['data'] }} diff --git a/promenade/templates/master/etc/kubernetes/controller-manager/pki/cluster-ca.pem b/promenade/templates/master/etc/kubernetes/controller-manager/pki/cluster-ca.pem new file mode 100644 index 00000000..51adb572 --- /dev/null +++ b/promenade/templates/master/etc/kubernetes/controller-manager/pki/cluster-ca.pem @@ -0,0 +1 @@ +{{ config.get(kind='CertificateAuthority', name='cluster')['data'] }} diff --git a/promenade/templates/master/etc/kubernetes/controller-manager/pki/controller-manager-key.pem b/promenade/templates/master/etc/kubernetes/controller-manager/pki/controller-manager-key.pem new file mode 100644 index 00000000..994f3871 --- /dev/null +++ b/promenade/templates/master/etc/kubernetes/controller-manager/pki/controller-manager-key.pem @@ -0,0 +1 @@ +{{ config.get(kind='CertificateKey', name='controller-manager')['data'] }} 
diff --git a/promenade/templates/master/etc/kubernetes/controller-manager/pki/controller-manager.pem b/promenade/templates/master/etc/kubernetes/controller-manager/pki/controller-manager.pem new file mode 100644 index 00000000..c4a560c5 --- /dev/null +++ b/promenade/templates/master/etc/kubernetes/controller-manager/pki/controller-manager.pem @@ -0,0 +1 @@ +{{ config.get(kind='Certificate', name='controller-manager')['data'] }} diff --git a/promenade/templates/master/etc/kubernetes/controller-manager/pki/service-account.key b/promenade/templates/master/etc/kubernetes/controller-manager/pki/service-account.key new file mode 100644 index 00000000..cc5068aa --- /dev/null +++ b/promenade/templates/master/etc/kubernetes/controller-manager/pki/service-account.key @@ -0,0 +1 @@ +{{ config.get(kind='PrivateKey', name='service-account')['data'] }} diff --git a/promenade/templates/master/etc/kubernetes/etcd/pki/client-ca.pem b/promenade/templates/master/etc/kubernetes/etcd/pki/client-ca.pem new file mode 100644 index 00000000..6f6fbed3 --- /dev/null +++ b/promenade/templates/master/etc/kubernetes/etcd/pki/client-ca.pem @@ -0,0 +1 @@ +{{ config.get(kind='CertificateAuthority', name='etcd-client')['data'] }} diff --git a/promenade/templates/master/etc/kubernetes/etcd/pki/etcd-client-key.pem b/promenade/templates/master/etc/kubernetes/etcd/pki/etcd-client-key.pem new file mode 100644 index 00000000..9dc5c126 --- /dev/null +++ b/promenade/templates/master/etc/kubernetes/etcd/pki/etcd-client-key.pem @@ -0,0 +1 @@ +{{ config.get(kind='CertificateKey', name='etcd-client')['data'] }} diff --git a/promenade/templates/master/etc/kubernetes/etcd/pki/etcd-client.pem b/promenade/templates/master/etc/kubernetes/etcd/pki/etcd-client.pem new file mode 100644 index 00000000..82f9534d --- /dev/null +++ b/promenade/templates/master/etc/kubernetes/etcd/pki/etcd-client.pem @@ -0,0 +1 @@ +{{ config.get(kind='Certificate', name='etcd-client')['data'] }} 
diff --git a/promenade/templates/master/etc/kubernetes/etcd/pki/etcd-peer-key.pem b/promenade/templates/master/etc/kubernetes/etcd/pki/etcd-peer-key.pem new file mode 100644 index 00000000..38e507e7 --- /dev/null +++ b/promenade/templates/master/etc/kubernetes/etcd/pki/etcd-peer-key.pem @@ -0,0 +1 @@ +{{ config.get(kind='CertificateKey', name='etcd-peer')['data'] }} diff --git a/promenade/templates/master/etc/kubernetes/etcd/pki/etcd-peer.pem b/promenade/templates/master/etc/kubernetes/etcd/pki/etcd-peer.pem new file mode 100644 index 00000000..12e325b6 --- /dev/null +++ b/promenade/templates/master/etc/kubernetes/etcd/pki/etcd-peer.pem @@ -0,0 +1 @@ +{{ config.get(kind='Certificate', name='etcd-peer')['data'] }} diff --git a/promenade/templates/master/etc/kubernetes/etcd/pki/peer-ca.pem b/promenade/templates/master/etc/kubernetes/etcd/pki/peer-ca.pem new file mode 100644 index 00000000..04003625 --- /dev/null +++ b/promenade/templates/master/etc/kubernetes/etcd/pki/peer-ca.pem @@ -0,0 +1 @@ +{{ config.get(kind='CertificateAuthority', name='etcd-peer')['data'] }} diff --git a/promenade/templates/master/etc/kubernetes/kubelet/manifests/kube-apiserver.yaml b/promenade/templates/master/etc/kubernetes/kubelet/manifests/kube-apiserver.yaml index 35ea29fb..a7049e33 100644 --- a/promenade/templates/master/etc/kubernetes/kubelet/manifests/kube-apiserver.yaml +++ b/promenade/templates/master/etc/kubernetes/kubelet/manifests/kube-apiserver.yaml 
@@ -27,12 +27,12 @@ spec: - --secure-port=443 - --allow-privileged=true - --etcd-servers=https://kubernetes:2379 - - --etcd-cafile=/etc/kubernetes/pki/cluster-ca.pem - - --etcd-certfile=/etc/kubernetes/pki/apiserver.pem - - --etcd-keyfile=/etc/kubernetes/pki/apiserver-key.pem + - --etcd-cafile=/etc/kubernetes/pki/etcd-client-ca.pem + - --etcd-certfile=/etc/kubernetes/pki/etcd-client.pem + - --etcd-keyfile=/etc/kubernetes/pki/etcd-client-key.pem - --service-cluster-ip-range={{ config['Network']['service_ip_cidr'] }} - --kubelet-preferred-address-types=InternalIP,ExternalIP,Hostname - - --service-account-key-file=/etc/kubernetes/pki/sa.pem + - --service-account-key-file=/etc/kubernetes/pki/service-account.pub - --tls-cert-file=/etc/kubernetes/pki/apiserver.pem - --tls-private-key-file=/etc/kubernetes/pki/apiserver-key.pem - --v=5 diff --git a/promenade/templates/master/etc/kubernetes/kubelet/manifests/kube-controller-manager.yaml b/promenade/templates/master/etc/kubernetes/kubelet/manifests/kube-controller-manager.yaml index 3ab1c816..5d678bf1 100644 --- a/promenade/templates/master/etc/kubernetes/kubelet/manifests/kube-controller-manager.yaml +++ b/promenade/templates/master/etc/kubernetes/kubelet/manifests/kube-controller-manager.yaml 
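Review bot: The etcd flags now reference `/etc/kubernetes/pki/etcd-client-ca.pem`, `etcd-client.pem` and `etcd-client-key.pem`, and `--service-account-key-file` references `/etc/kubernetes/pki/service-account.pub`, but the files this change adds live under `promenade/templates/master/etc/kubernetes/apiserver/pki/`; unlike the controller-manager and scheduler manifests, this hunk does not move the mount to `/etc/kubernetes/apiserver`. The volumeMounts and volumes sections are outside the hunk, so confirm the `pki` volume maps host `/etc/kubernetes/apiserver/pki` to container `/etc/kubernetes/pki`; if it still maps `/etc/kubernetes`, the apiserver will fail to start because these files are not rendered at that path.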
@@ -20,19 +20,19 @@ spec:
 - controller-manager
 - --allocate-node-cidrs=true
 - --cluster-cidr={{ config['Network']['pod_ip_cidr'] }}
- - --cluster-signing-cert-file=/etc/kubernetes/pki/cluster-ca.pem
- - --cluster-signing-key-file=/etc/kubernetes/pki/cluster-ca-key.pem
+ - --cluster-signing-cert-file=/etc/kubernetes/controller-manager/pki/cluster-ca.pem
+ - --cluster-signing-key-file=/etc/kubernetes/controller-manager/pki/cluster-ca-key.pem
 - --configure-cloud-routes=false
 - --leader-elect=true
- - --kubeconfig=/etc/kubernetes/kubeconfig.yaml
- - --root-ca-file=/etc/kubernetes/pki/cluster-ca.pem
- - --service-account-private-key-file=/etc/kubernetes/pki/sa-key.pem
+ - --kubeconfig=/etc/kubernetes/controller-manager/kubeconfig.yaml
+ - --root-ca-file=/etc/kubernetes/controller-manager/pki/cluster-ca.pem
+ - --service-account-private-key-file=/etc/kubernetes/controller-manager/pki/service-account.key
 - --service-cluster-ip-range={{ config['Network']['service_ip_cidr'] }}
 - --use-service-account-credentials=true
 - --v=5
 volumeMounts:
 - name: config
- mountPath: /etc/kubernetes
+ mountPath: /etc/kubernetes/controller-manager
 readOnly: true
 volumes:
 - name: config
diff --git a/promenade/templates/master/etc/kubernetes/kubelet/manifests/kube-etcd.yaml b/promenade/templates/master/etc/kubernetes/kubelet/manifests/kube-etcd.yaml
index 7cdd9ac9..6f862c62 100644
--- a/promenade/templates/master/etc/kubernetes/kubelet/manifests/kube-etcd.yaml
+++ b/promenade/templates/master/etc/kubernetes/kubelet/manifests/kube-etcd.yaml
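Review bot: The `config` volume is now mounted at `/etc/kubernetes/controller-manager`, but its `hostPath:` source is outside the hunk; if the host path was left at the old `/etc/kubernetes`, the container still sees the whole kubelet tree, including the other components' keys, just under a new prefix, whereas a host path of `/etc/kubernetes/controller-manager` gives the controller manager only its own kubeconfig and pki directory. The kube-scheduler manifest hunk later in this diff makes the same change and raises the same question. This mount also carries `cluster-ca-key.pem` (for `--cluster-signing-key-file`) and `service-account.key`, so the read-only, component-scoped mount is what keeps the cluster CA key out of the other pods; a comment on the volume such as `# controller-manager-only view: holds the cluster CA signing key` would make that intent explicit.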
@@ -24,17 +24,17 @@ spec:
 - name: ETCD_DATA_DIR
 value: /var/lib/kube-etcd
 - name: ETCD_TRUSTED_CA_FILE
- value: /etc/etcd-pki/cluster-ca.pem
+ value: /etc/kubernetes/etcd/pki/client-ca.pem
 - name: ETCD_CERT_FILE
- value: /etc/etcd-pki/etcd.pem
+ value: /etc/kubernetes/etcd/pki/etcd-client.pem
 - name: ETCD_KEY_FILE
- value: /etc/etcd-pki/etcd-key.pem
+ value: /etc/kubernetes/etcd/pki/etcd-client-key.pem
 - name: ETCD_PEER_TRUSTED_CA_FILE
- value: /etc/etcd-pki/cluster-ca.pem
+ value: /etc/kubernetes/etcd/pki/peer-ca.pem
 - name: ETCD_PEER_CERT_FILE
- value: /etc/etcd-pki/etcd.pem
+ value: /etc/kubernetes/etcd/pki/etcd-peer.pem
 - name: ETCD_PEER_KEY_FILE
- value: /etc/etcd-pki/etcd-key.pem
+ value: /etc/kubernetes/etcd/pki/etcd-peer-key.pem
 - name: ETCD_ADVERTISE_CLIENT_URLS
 value: https://$(ETCD_NAME):2379
 - name: ETCD_INITIAL_ADVERTISE_PEER_URLS
@@ -58,7 +58,7 @@ spec:
 - name: data
 mountPath: /var/lib/kube-etcd
 - name: pki
- mountPath: /etc/etcd-pki
+ mountPath: /etc/kubernetes/etcd/pki
 volumes:
 - name: data
 hostPath:
diff --git a/promenade/templates/master/etc/kubernetes/kubelet/manifests/kube-scheduler.yaml b/promenade/templates/master/etc/kubernetes/kubelet/manifests/kube-scheduler.yaml
index 5160514d..9c451996 100644
--- a/promenade/templates/master/etc/kubernetes/kubelet/manifests/kube-scheduler.yaml
+++ b/promenade/templates/master/etc/kubernetes/kubelet/manifests/kube-scheduler.yaml
@@ -18,11 +18,11 @@ spec:
 - ./hyperkube
 - scheduler
 - --leader-elect=true
- - --kubeconfig=/etc/kubernetes/kubeconfig.yaml
+ - --kubeconfig=/etc/kubernetes/scheduler/kubeconfig.yaml
 - --v=5
 volumeMounts:
 - name: config
- mountPath: /etc/kubernetes
+ mountPath: /etc/kubernetes/scheduler
 volumes:
 - name: config
 hostPath:
diff --git a/promenade/templates/master/etc/kubernetes/scheduler/kubeconfig.yaml b/promenade/templates/master/etc/kubernetes/scheduler/kubeconfig.yaml
index 59577f72..4f215d0d 100644
--- a/promenade/templates/master/etc/kubernetes/scheduler/kubeconfig.yaml
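Review bot: `ETCD_TRUSTED_CA_FILE` and `ETCD_PEER_TRUSTED_CA_FILE` are now separate client and peer CAs, but no `ETCD_CLIENT_CERT_AUTH` or `ETCD_PEER_CLIENT_CERT_AUTH` entries are visible in this hunk; without them etcd presents its certificates but does not require clients or peers to present one signed by the respective CA, so the CA split by itself does not enforce mutual TLS. The env list continues outside the hunk, so they may already be set; if not, adding `- name: ETCD_CLIENT_CERT_AUTH` / `value: "true"` and the same for `ETCD_PEER_CLIENT_CERT_AUTH` next to the CA entries is the minimal fix. Separately, etcd's serving certificate here is `etcd-client.pem` while the apiserver's client certificate in the kube-apiserver hunk has the same basename; if both templates render the same `Certificate` document, one keypair acts as etcd's server identity and as the apiserver's client identity, and a distinct server certificate (e.g. `etcd-server.pem`) would keep the two roles separate.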
+++ b/promenade/templates/master/etc/kubernetes/scheduler/kubeconfig.yaml
@@ -3,7 +3,7 @@ apiVersion: v1
 clusters:
 - cluster:
 server: https://kubernetes
- certificate-authority: /etc/kubernetes/pki/cluster-ca.pem
+ certificate-authority: /etc/kubernetes/scheduler/pki/cluster-ca.pem
 name: kubernetes
 contexts:
 - context:
@@ -16,5 +16,5 @@ preferences: {}
 users:
 - name: scheduler
 user:
- client-certificate: /etc/kubernetes/pki/scheduler.pem
- client-key: /etc/kubernetes/pki/scheduler-key.pem
+ client-certificate: /etc/kubernetes/scheduler/pki/scheduler.pem
+ client-key: /etc/kubernetes/scheduler/pki/scheduler-key.pem
diff --git a/promenade/templates/master/etc/kubernetes/scheduler/pki/cluster-ca.pem b/promenade/templates/master/etc/kubernetes/scheduler/pki/cluster-ca.pem
new file mode 100644
index 00000000..51adb572
--- /dev/null
+++ b/promenade/templates/master/etc/kubernetes/scheduler/pki/cluster-ca.pem
@@ -0,0 +1 @@
+{{ config.get(kind='CertificateAuthority', name='cluster')['data'] }}
diff --git a/promenade/templates/master/etc/kubernetes/scheduler/pki/scheduler-key.pem b/promenade/templates/master/etc/kubernetes/scheduler/pki/scheduler-key.pem
new file mode 100644
index 00000000..2aa13e4d
--- /dev/null
+++ b/promenade/templates/master/etc/kubernetes/scheduler/pki/scheduler-key.pem
@@ -0,0 +1 @@
+{{ config.get(kind='CertificateKey', name='scheduler')['data'] }}
diff --git a/promenade/templates/master/etc/kubernetes/scheduler/pki/scheduler.pem b/promenade/templates/master/etc/kubernetes/scheduler/pki/scheduler.pem
new file mode 100644
index 00000000..d5f8d631
--- /dev/null
+++ b/promenade/templates/master/etc/kubernetes/scheduler/pki/scheduler.pem
@@ -0,0 +1 @@
+{{ config.get(kind='Certificate', name='scheduler')['data'] }}