add templates for certs and keys
This commit is contained in:
Mark Burnett
parent
0faaddbaa4
commit
dee398d5e9
|
|
@ -41,6 +41,7 @@ class Document:
|
||||||
raise AssertionError('Did not get expected keys')
|
raise AssertionError('Did not get expected keys')
|
||||||
assert data['apiVersion'] == 'promenade/v1'
|
assert data['apiVersion'] == 'promenade/v1'
|
||||||
assert data['kind'] in self.SUPPORTED_KINDS
|
assert data['kind'] in self.SUPPORTED_KINDS
|
||||||
|
assert data['metadata']['name']
|
||||||
|
|
||||||
self.data = data
|
self.data = data
|
||||||
|
|
||||||
|
|
@ -48,6 +49,10 @@ class Document:
|
||||||
def kind(self):
|
def kind(self):
|
||||||
return self.data['kind']
|
return self.data['kind']
|
||||||
|
|
||||||
|
@property
|
||||||
|
def name(self):
|
||||||
|
return self.metadata['name']
|
||||||
|
|
||||||
@property
|
@property
|
||||||
def target(self):
|
def target(self):
|
||||||
return self.metadata.get('target')
|
return self.metadata.get('target')
|
||||||
|
|
@ -64,6 +69,19 @@ class Configuration:
|
||||||
def __init__(self, documents):
|
def __init__(self, documents):
|
||||||
self.documents = sorted(documents, key=attrgetter('kind', 'target'))
|
self.documents = sorted(documents, key=attrgetter('kind', 'target'))
|
||||||
|
|
||||||
|
self.validate()
|
||||||
|
|
||||||
|
def validate(self):
|
||||||
|
identifiers = set()
|
||||||
|
for document in self.documents:
|
||||||
|
identifier = (document.kind, document.name)
|
||||||
|
if identifier in identifiers:
|
||||||
|
LOG.error('Found duplicate document in config: kind=%s name=%s',
|
||||||
|
document.kind, document.name)
|
||||||
|
raise RuntimeError('Duplicate document')
|
||||||
|
else:
|
||||||
|
identifiers.add(identifier)
|
||||||
|
|
||||||
def __getitem__(self, key):
|
def __getitem__(self, key):
|
||||||
results = [d for d in self.documents if d.kind == key]
|
results = [d for d in self.documents if d.kind == key]
|
||||||
if len(results) < 1:
|
if len(results) < 1:
|
||||||
|
|
@ -73,6 +91,11 @@ class Configuration:
|
||||||
else:
|
else:
|
||||||
return results[0]
|
return results[0]
|
||||||
|
|
||||||
|
def get(self, *, kind, name):
|
||||||
|
for document in self.documents:
|
||||||
|
if document.kind == kind and document.name == name:
|
||||||
|
return document
|
||||||
|
|
||||||
def iterate(self, *, kind=None, target=None):
|
def iterate(self, *, kind=None, target=None):
|
||||||
if target:
|
if target:
|
||||||
docs = self._iterate_with_target(target)
|
docs = self._iterate_with_target(target)
|
||||||
|
|
|
||||||
|
|
@ -123,6 +123,7 @@ class Generator:
|
||||||
role_specific_documents.extend([
|
role_specific_documents.extend([
|
||||||
admin_cert,
|
admin_cert,
|
||||||
admin_cert_key,
|
admin_cert_key,
|
||||||
|
cluster_ca_key,
|
||||||
etcd_client_ca,
|
etcd_client_ca,
|
||||||
etcd_peer_ca,
|
etcd_peer_ca,
|
||||||
sa_priv,
|
sa_priv,
|
||||||
|
|
@ -140,7 +141,7 @@ class Generator:
|
||||||
role_specific_documents.extend(_genesis_config(hostname, data,
|
role_specific_documents.extend(_genesis_config(hostname, data,
|
||||||
masters, network, keys))
|
masters, network, keys))
|
||||||
role_specific_documents.append(_genesis_etcd_config(cluster_name, hostname))
|
role_specific_documents.append(_genesis_etcd_config(cluster_name, hostname))
|
||||||
node.data['is_genesis'] = True
|
node.data['spec']['is_genesis'] = True
|
||||||
|
|
||||||
c = config.Configuration(common_documents + role_specific_documents)
|
c = config.Configuration(common_documents + role_specific_documents)
|
||||||
c.write(os.path.join(output_dir, hostname + '.yaml'))
|
c.write(os.path.join(output_dir, hostname + '.yaml'))
|
||||||
|
|
@ -156,6 +157,7 @@ class Generator:
|
||||||
'kind': 'Masters',
|
'kind': 'Masters',
|
||||||
'metadata': {
|
'metadata': {
|
||||||
'cluster': cluster_name,
|
'cluster': cluster_name,
|
||||||
|
'name': cluster_name,
|
||||||
'target': 'all',
|
'target': 'all',
|
||||||
},
|
},
|
||||||
'spec': {
|
'spec': {
|
||||||
|
|
@ -172,7 +174,8 @@ def _master_etcd_config(cluster_name, genesis_hostname, hostname, masters):
|
||||||
'auxiliary-etcd-0=https://%s:12380' % genesis_hostname,
|
'auxiliary-etcd-0=https://%s:12380' % genesis_hostname,
|
||||||
'auxiliary-etcd-1=https://%s:22380' % genesis_hostname,
|
'auxiliary-etcd-1=https://%s:22380' % genesis_hostname,
|
||||||
])
|
])
|
||||||
return _etcd_config(cluster_name, target=hostname,
|
return _etcd_config(cluster_name, name='master-etcd',
|
||||||
|
target=hostname,
|
||||||
initial_cluster=initial_cluster,
|
initial_cluster=initial_cluster,
|
||||||
initial_cluster_state='existing')
|
initial_cluster_state='existing')
|
||||||
|
|
||||||
|
|
@ -183,18 +186,20 @@ def _genesis_etcd_config(cluster_name, hostname):
|
||||||
'auxiliary-etcd-0=https://%s:12380' % hostname,
|
'auxiliary-etcd-0=https://%s:12380' % hostname,
|
||||||
'auxiliary-etcd-1=https://%s:22380' % hostname,
|
'auxiliary-etcd-1=https://%s:22380' % hostname,
|
||||||
]
|
]
|
||||||
return _etcd_config(cluster_name, target=hostname,
|
return _etcd_config(cluster_name, name='genesis-etcd',
|
||||||
|
target=hostname,
|
||||||
initial_cluster=initial_cluster,
|
initial_cluster=initial_cluster,
|
||||||
initial_cluster_state='new')
|
initial_cluster_state='new')
|
||||||
|
|
||||||
|
|
||||||
def _etcd_config(cluster_name, *, target,
|
def _etcd_config(cluster_name, *, name, target,
|
||||||
initial_cluster, initial_cluster_state):
|
initial_cluster, initial_cluster_state):
|
||||||
return config.Document({
|
return config.Document({
|
||||||
'apiVersion': 'promenade/v1',
|
'apiVersion': 'promenade/v1',
|
||||||
'kind': 'Etcd',
|
'kind': 'Etcd',
|
||||||
'metadata': {
|
'metadata': {
|
||||||
'cluster': cluster_name,
|
'cluster': cluster_name,
|
||||||
|
'name': name,
|
||||||
'target': target,
|
'target': target,
|
||||||
},
|
},
|
||||||
'spec': {
|
'spec': {
|
||||||
|
|
@ -221,6 +226,13 @@ def _master_config(hostname, host_data, masters, network, keys):
|
||||||
hosts=kube_domains + [hostname, host_data['ip']],
|
hosts=kube_domains + [hostname, host_data['ip']],
|
||||||
target=hostname,
|
target=hostname,
|
||||||
))
|
))
|
||||||
|
docs.extend(keys.generate_certificate(
|
||||||
|
alias='etcd-apiserver-client',
|
||||||
|
name='etcd:client:apiserver:%s' % hostname,
|
||||||
|
ca_name='etcd-client',
|
||||||
|
hosts=[hostname, host_data['ip']],
|
||||||
|
target=hostname,
|
||||||
|
))
|
||||||
docs.extend(keys.generate_certificate(
|
docs.extend(keys.generate_certificate(
|
||||||
alias='etcd-peer',
|
alias='etcd-peer',
|
||||||
name='etcd:peer:%s' % hostname,
|
name='etcd:peer:%s' % hostname,
|
||||||
|
|
@ -271,13 +283,14 @@ def _genesis_config(hostname, host_data, masters, network, keys):
|
||||||
|
|
||||||
for i in range(2):
|
for i in range(2):
|
||||||
docs.extend(keys.generate_certificate(
|
docs.extend(keys.generate_certificate(
|
||||||
name='auxiliary-etcd-client-%d' % i,
|
name='auxiliary-etcd-%d-client' % i,
|
||||||
ca_name='etcd-client',
|
ca_name='etcd-client',
|
||||||
hosts=[hostname, host_data['ip']],
|
hosts=[hostname, host_data['ip']],
|
||||||
target=hostname,
|
target=hostname,
|
||||||
))
|
))
|
||||||
|
|
||||||
docs.extend(keys.generate_certificate(
|
docs.extend(keys.generate_certificate(
|
||||||
name='auxiliary-etcd-client-%d' % i,
|
name='auxiliary-etcd-%d-peer' % i,
|
||||||
ca_name='etcd-peer',
|
ca_name='etcd-peer',
|
||||||
hosts=[hostname, host_data['ip']],
|
hosts=[hostname, host_data['ip']],
|
||||||
target=hostname,
|
target=hostname,
|
||||||
|
|
@ -299,6 +312,7 @@ def _construct_node_config(cluster_name, hostname, data):
|
||||||
'kind': 'Node',
|
'kind': 'Node',
|
||||||
'metadata': {
|
'metadata': {
|
||||||
'cluster': cluster_name,
|
'cluster': cluster_name,
|
||||||
|
'name': hostname,
|
||||||
'target': hostname,
|
'target': hostname,
|
||||||
},
|
},
|
||||||
'spec': spec,
|
'spec': spec,
|
||||||
|
|
|
||||||
|
|
@ -18,7 +18,7 @@ spec:
|
||||||
- proxy
|
- proxy
|
||||||
- --cluster-cidr={{ config['Network']['pod_ip_cidr'] }}
|
- --cluster-cidr={{ config['Network']['pod_ip_cidr'] }}
|
||||||
- --hostname-override=$(NODE_NAME)
|
- --hostname-override=$(NODE_NAME)
|
||||||
- --kubeconfig=/etc/kubernetes/config/kubeconfig.yaml
|
- --kubeconfig=/etc/kubernetes/proxy/kubeconfig.yaml
|
||||||
- --proxy-mode=iptables
|
- --proxy-mode=iptables
|
||||||
- --v=5
|
- --v=5
|
||||||
env:
|
env:
|
||||||
|
|
@ -30,7 +30,7 @@ spec:
|
||||||
privileged: true
|
privileged: true
|
||||||
volumeMounts:
|
volumeMounts:
|
||||||
- name: config
|
- name: config
|
||||||
mountPath: /etc/kubernetes
|
mountPath: /etc/kubernetes/proxy
|
||||||
readOnly: true
|
readOnly: true
|
||||||
hostNetwork: true
|
hostNetwork: true
|
||||||
volumes:
|
volumes:
|
||||||
|
|
|
||||||
|
|
@ -0,0 +1 @@
|
||||||
|
{{ config.get(kind='CertificateAuthority', name='cluster')['data'] }}
|
||||||
|
|
@ -0,0 +1 @@
|
||||||
|
{{ config.get(kind='CertificateKey', name='kubelet')['data'] }}
|
||||||
|
|
@ -0,0 +1 @@
|
||||||
|
{{ config.get(kind='Certificate', name='kubelet')['data'] }}
|
||||||
|
|
@ -3,7 +3,7 @@ apiVersion: v1
|
||||||
clusters:
|
clusters:
|
||||||
- cluster:
|
- cluster:
|
||||||
server: https://kubernetes
|
server: https://kubernetes
|
||||||
certificate-authority: /etc/kubernetes/pki/cluster-ca.pem
|
certificate-authority: /etc/kubernetes/proxy/pki/cluster-ca.pem
|
||||||
name: kubernetes
|
name: kubernetes
|
||||||
contexts:
|
contexts:
|
||||||
- context:
|
- context:
|
||||||
|
|
@ -16,5 +16,5 @@ preferences: {}
|
||||||
users:
|
users:
|
||||||
- name: proxy
|
- name: proxy
|
||||||
user:
|
user:
|
||||||
client-certificate: /etc/kubernetes/pki/proxy.pem
|
client-certificate: /etc/kubernetes/proxy/pki/proxy.pem
|
||||||
client-key: /etc/kubernetes/pki/proxy-key.pem
|
client-key: /etc/kubernetes/proxy/pki/proxy-key.pem
|
||||||
|
|
@ -0,0 +1 @@
|
||||||
|
{{ config.get(kind='CertificateAuthority', name='cluster')['data'] }}
|
||||||
|
|
@ -0,0 +1 @@
|
||||||
|
{{ config.get(kind='CertificateKey', name='proxy')['data'] }}
|
||||||
|
|
@ -0,0 +1 @@
|
||||||
|
{{ config.get(kind='Certificate', name='proxy')['data'] }}
|
||||||
|
|
@ -3,7 +3,7 @@ apiVersion: v1
|
||||||
clusters:
|
clusters:
|
||||||
- cluster:
|
- cluster:
|
||||||
server: https://kubernetes
|
server: https://kubernetes
|
||||||
certificate-authority: /etc/kubernetes/pki/cluster-ca.pem
|
certificate-authority: /etc/kubernetes/asset-loader/pki/cluster-ca.pem
|
||||||
name: kubernetes
|
name: kubernetes
|
||||||
contexts:
|
contexts:
|
||||||
- context:
|
- context:
|
||||||
|
|
@ -16,5 +16,5 @@ preferences: {}
|
||||||
users:
|
users:
|
||||||
- name: asset-loader
|
- name: asset-loader
|
||||||
user:
|
user:
|
||||||
client-certificate: /etc/kubernetes/pki/asset-loader.pem
|
client-certificate: /etc/kubernetes/asset-loader/pki/asset-loader.pem
|
||||||
client-key: /etc/kubernetes/pki/asset-loader-key.pem
|
client-key: /etc/kubernetes/asset-loader/pki/asset-loader-key.pem
|
||||||
|
|
|
||||||
|
|
@ -0,0 +1 @@
|
||||||
|
{{ config.get(kind='CertificateKey', name='admin')['data'] }}
|
||||||
|
|
@ -0,0 +1 @@
|
||||||
|
{{ config.get(kind='Certificate', name='admin')['data'] }}
|
||||||
|
|
@ -0,0 +1 @@
|
||||||
|
{{ config.get(kind='CertificateAuthority', name='cluster')['data'] }}
|
||||||
|
|
@ -0,0 +1 @@
|
||||||
|
{{ config.get(kind='CertificateAuthority', name='etcd-client')['data'] }}
|
||||||
|
|
@ -0,0 +1 @@
|
||||||
|
{{ config.get(kind='CertificateKey', name='auxiliary-etcd-0-client')['data'] }}
|
||||||
|
|
@ -0,0 +1 @@
|
||||||
|
{{ config.get(kind='Certificate', name='auxiliary-etcd-0-client')['data'] }}
|
||||||
|
|
@ -0,0 +1 @@
|
||||||
|
{{ config.get(kind='CertificateKey', name='auxiliary-etcd-0-peer')['data'] }}
|
||||||
|
|
@ -0,0 +1 @@
|
||||||
|
{{ config.get(kind='Certificate', name='auxiliary-etcd-0-peer')['data'] }}
|
||||||
|
|
@ -0,0 +1 @@
|
||||||
|
{{ config.get(kind='CertificateAuthority', name='etcd-peer')['data'] }}
|
||||||
|
|
@ -0,0 +1 @@
|
||||||
|
{{ config.get(kind='CertificateAuthority', name='etcd-client')['data'] }}
|
||||||
|
|
@ -0,0 +1 @@
|
||||||
|
{{ config.get(kind='CertificateKey', name='auxiliary-etcd-1-client')['data'] }}
|
||||||
|
|
@ -0,0 +1 @@
|
||||||
|
{{ config.get(kind='Certificate', name='auxiliary-etcd-1-client')['data'] }}
|
||||||
|
|
@ -0,0 +1 @@
|
||||||
|
{{ config.get(kind='CertificateKey', name='auxiliary-etcd-1-peer')['data'] }}
|
||||||
|
|
@ -0,0 +1 @@
|
||||||
|
{{ config.get(kind='Certificate', name='auxiliary-etcd-1-peer')['data'] }}
|
||||||
|
|
@ -0,0 +1 @@
|
||||||
|
{{ config.get(kind='CertificateAuthority', name='etcd-peer')['data'] }}
|
||||||
|
|
@ -3,7 +3,7 @@ apiVersion: v1
|
||||||
clusters:
|
clusters:
|
||||||
- cluster:
|
- cluster:
|
||||||
server: https://127.0.0.1
|
server: https://127.0.0.1
|
||||||
certificate-authority: /target/etc/kubernetes/genesis/pki/cluster-ca.pem
|
certificate-authority: /target/etc/kubernetes/admin/pki/cluster-ca.pem
|
||||||
name: kubernetes
|
name: kubernetes
|
||||||
contexts:
|
contexts:
|
||||||
- context:
|
- context:
|
||||||
|
|
@ -16,5 +16,5 @@ preferences: {}
|
||||||
users:
|
users:
|
||||||
- name: genesis
|
- name: genesis
|
||||||
user:
|
user:
|
||||||
client-certificate: /target/etc/kubernetes/genesis/pki/genesis.pem
|
client-certificate: /target/etc/kubernetes/admin/pki/admin.pem
|
||||||
client-key: /target/etc/kubernetes/genesis/pki/genesis-key.pem
|
client-key: /target/etc/kubernetes/admin/pki/admin-key.pem
|
||||||
|
|
|
||||||
|
|
@ -21,12 +21,12 @@ spec:
|
||||||
while true; do
|
while true; do
|
||||||
sleep 60
|
sleep 60
|
||||||
/kubectl \
|
/kubectl \
|
||||||
--kubeconfig /etc/kubernetes/kubeconfig.yaml \
|
--kubeconfig /etc/kubernetes/asset-loader/kubeconfig.yaml \
|
||||||
apply -f /etc/kubernetes/assets
|
apply -f /etc/kubernetes/asset-loader/assets
|
||||||
done
|
done
|
||||||
volumeMounts:
|
volumeMounts:
|
||||||
- name: config
|
- name: config
|
||||||
mountPath: /etc/kubernetes
|
mountPath: /etc/kubernetes/asset-loader
|
||||||
readOnly: true
|
readOnly: true
|
||||||
volumes:
|
volumes:
|
||||||
- name: config
|
- name: config
|
||||||
|
|
|
||||||
|
|
@ -22,21 +22,21 @@ spec:
|
||||||
- name: ETCD_DATA_DIR
|
- name: ETCD_DATA_DIR
|
||||||
value: /var/lib/auxiliary-etcd-0
|
value: /var/lib/auxiliary-etcd-0
|
||||||
- name: ETCD_TRUSTED_CA_FILE
|
- name: ETCD_TRUSTED_CA_FILE
|
||||||
value: /etc/etcd-pki/cluster-ca.pem
|
value: /etc/kubernetes/auxiliary-etcd-0/pki/client-ca.pem
|
||||||
- name: ETCD_CERT_FILE
|
- name: ETCD_CERT_FILE
|
||||||
value: /etc/etcd-pki/etcd.pem
|
value: /etc/kubernetes/auxiliary-etcd-0/pki/etcd-client.pem
|
||||||
- name: ETCD_KEY_FILE
|
- name: ETCD_KEY_FILE
|
||||||
value: /etc/etcd-pki/etcd-key.pem
|
value: /etc/kubernetes/auxiliary-etcd-0/pki/etcd-client-key.pem
|
||||||
- name: ETCD_PEER_TRUSTED_CA_FILE
|
- name: ETCD_PEER_TRUSTED_CA_FILE
|
||||||
value: /etc/etcd-pki/cluster-ca.pem
|
value: /etc/kubernetes/auxiliary-etcd-0/pki/peer-ca.pem
|
||||||
- name: ETCD_PEER_CERT_FILE
|
- name: ETCD_PEER_CERT_FILE
|
||||||
value: /etc/etcd-pki/etcd.pem
|
value: /etc/kubernetes/auxiliary-etcd-0/pki/etcd-peer.pem
|
||||||
- name: ETCD_PEER_KEY_FILE
|
- name: ETCD_PEER_KEY_FILE
|
||||||
value: /etc/etcd-pki/etcd-key.pem
|
value: /etc/kubernetes/auxiliary-etcd-0/pki/etcd-peer-key.pem
|
||||||
- name: ETCD_ADVERTISE_CLIENT_URLS
|
- name: ETCD_ADVERTISE_CLIENT_URLS
|
||||||
value: https://$(ETCD_NAME):12379
|
value: https://{{ config['Node']['hostname'] }}:12379
|
||||||
- name: ETCD_INITIAL_ADVERTISE_PEER_URLS
|
- name: ETCD_INITIAL_ADVERTISE_PEER_URLS
|
||||||
value: https://$(ETCD_NAME):12380
|
value: https://{{ config['Node']['hostname'] }}:12380
|
||||||
- name: ETCD_INITIAL_CLUSTER_TOKEN
|
- name: ETCD_INITIAL_CLUSTER_TOKEN
|
||||||
value: promenade-kube-etcd-token
|
value: promenade-kube-etcd-token
|
||||||
- name: ETCD_LISTEN_CLIENT_URLS
|
- name: ETCD_LISTEN_CLIENT_URLS
|
||||||
|
|
@ -60,8 +60,8 @@ spec:
|
||||||
volumeMounts:
|
volumeMounts:
|
||||||
- name: data-0
|
- name: data-0
|
||||||
mountPath: /var/lib/auxiliary-etcd-0
|
mountPath: /var/lib/auxiliary-etcd-0
|
||||||
- name: pki
|
- name: pki-0
|
||||||
mountPath: /etc/etcd-pki
|
mountPath: /etc/kubernetes/auxiliary-etcd-0/pki
|
||||||
readOnly: true
|
readOnly: true
|
||||||
- name: auxiliary-etcd-1
|
- name: auxiliary-etcd-1
|
||||||
image: quay.io/coreos/etcd:v3.0.17
|
image: quay.io/coreos/etcd:v3.0.17
|
||||||
|
|
@ -75,21 +75,21 @@ spec:
|
||||||
- name: ETCD_DATA_DIR
|
- name: ETCD_DATA_DIR
|
||||||
value: /var/lib/auxiliary-etcd-1
|
value: /var/lib/auxiliary-etcd-1
|
||||||
- name: ETCD_TRUSTED_CA_FILE
|
- name: ETCD_TRUSTED_CA_FILE
|
||||||
value: /etc/etcd-pki/cluster-ca.pem
|
value: /etc/kubernetes/auxiliary-etcd-1/pki/client-ca.pem
|
||||||
- name: ETCD_CERT_FILE
|
- name: ETCD_CERT_FILE
|
||||||
value: /etc/etcd-pki/etcd.pem
|
value: /etc/kubernetes/auxiliary-etcd-1/pki/etcd-client.pem
|
||||||
- name: ETCD_KEY_FILE
|
- name: ETCD_KEY_FILE
|
||||||
value: /etc/etcd-pki/etcd-key.pem
|
value: /etc/kubernetes/auxiliary-etcd-1/pki/etcd-client-key.pem
|
||||||
- name: ETCD_PEER_TRUSTED_CA_FILE
|
- name: ETCD_PEER_TRUSTED_CA_FILE
|
||||||
value: /etc/etcd-pki/cluster-ca.pem
|
value: /etc/kubernetes/auxiliary-etcd-1/pki/peer-ca.pem
|
||||||
- name: ETCD_PEER_CERT_FILE
|
- name: ETCD_PEER_CERT_FILE
|
||||||
value: /etc/etcd-pki/etcd.pem
|
value: /etc/kubernetes/auxiliary-etcd-1/pki/etcd-peer.pem
|
||||||
- name: ETCD_PEER_KEY_FILE
|
- name: ETCD_PEER_KEY_FILE
|
||||||
value: /etc/etcd-pki/etcd-key.pem
|
value: /etc/kubernetes/auxiliary-etcd-1/pki/etcd-peer-key.pem
|
||||||
- name: ETCD_ADVERTISE_CLIENT_URLS
|
- name: ETCD_ADVERTISE_CLIENT_URLS
|
||||||
value: https://$(ETCD_NAME):22379
|
value: https://{{ config['Node']['hostname'] }}:22379
|
||||||
- name: ETCD_INITIAL_ADVERTISE_PEER_URLS
|
- name: ETCD_INITIAL_ADVERTISE_PEER_URLS
|
||||||
value: https://$(ETCD_NAME):22380
|
value: https://{{ config['Node']['hostname'] }}:22380
|
||||||
- name: ETCD_INITIAL_CLUSTER_TOKEN
|
- name: ETCD_INITIAL_CLUSTER_TOKEN
|
||||||
value: promenade-kube-etcd-token
|
value: promenade-kube-etcd-token
|
||||||
- name: ETCD_LISTEN_CLIENT_URLS
|
- name: ETCD_LISTEN_CLIENT_URLS
|
||||||
|
|
@ -113,8 +113,8 @@ spec:
|
||||||
volumeMounts:
|
volumeMounts:
|
||||||
- name: data-1
|
- name: data-1
|
||||||
mountPath: /var/lib/auxiliary-etcd-1
|
mountPath: /var/lib/auxiliary-etcd-1
|
||||||
- name: pki
|
- name: pki-1
|
||||||
mountPath: /etc/etcd-pki
|
mountPath: /etc/kubernetes/auxiliary-etcd-1/pki
|
||||||
readOnly: true
|
readOnly: true
|
||||||
- name: cluster-monitor
|
- name: cluster-monitor
|
||||||
image: quay.io/coreos/etcd:v3.0.17
|
image: quay.io/coreos/etcd:v3.0.17
|
||||||
|
|
@ -137,7 +137,12 @@ spec:
|
||||||
etcdctl member remove $(etcdctl member list | grep auxiliary-etcd-1 | cut -d , -f 1)
|
etcdctl member remove $(etcdctl member list | grep auxiliary-etcd-1 | cut -d , -f 1)
|
||||||
etcdctl member remove $(etcdctl member list | grep auxiliary-etcd-0 | cut -d , -f 1)
|
etcdctl member remove $(etcdctl member list | grep auxiliary-etcd-0 | cut -d , -f 1)
|
||||||
sleep 60
|
sleep 60
|
||||||
rm -rf /var/lib/auxiliary-etcd-0 /var/lib/auxiliary-etcd-1 /etc/kubernetes/kubelet/manifests/auxiliary-etcd.yaml
|
rm -rf \
|
||||||
|
/var/lib/auxiliary-etcd-0 \
|
||||||
|
/var/lib/auxiliary-etcd-1 \
|
||||||
|
/etc/kubernetes/auxiliary-etcd-0 \
|
||||||
|
/etc/kubernetes/auxiliary-etcd-1 \
|
||||||
|
/etc/kubernetes/kubelet/manifests/auxiliary-etcd.yaml
|
||||||
sleep 10000
|
sleep 10000
|
||||||
fi
|
fi
|
||||||
done
|
done
|
||||||
|
|
@ -150,16 +155,16 @@ spec:
|
||||||
- name: ETCDCTL_API
|
- name: ETCDCTL_API
|
||||||
value: "3"
|
value: "3"
|
||||||
- name: ETCDCTL_CACERT
|
- name: ETCDCTL_CACERT
|
||||||
value: /etc/etcd-pki/cluster-ca.pem
|
value: /etc/kubernetes/etcd/pki/client-ca.pem
|
||||||
- name: ETCDCTL_CERT
|
- name: ETCDCTL_CERT
|
||||||
value: /etc/etcd-pki/etcd.pem
|
value: /etc/kubernetes/etcd/pki/etcd-client.pem
|
||||||
- name: ETCDCTL_ENDPOINTS
|
- name: ETCDCTL_ENDPOINTS
|
||||||
value: https://127.0.0.1:12379
|
value: https://{{ config['Node']['ip'] }}:2379
|
||||||
- name: ETCDCTL_KEY
|
- name: ETCDCTL_KEY
|
||||||
value: /etc/etcd-pki/etcd-key.pem
|
value: /etc/kubernetes/etcd/pki/etcd-client-key.pem
|
||||||
volumeMounts:
|
volumeMounts:
|
||||||
- name: pki
|
- name: pki
|
||||||
mountPath: /etc/etcd-pki
|
mountPath: /etc/kubernetes/etcd/pki
|
||||||
readOnly: true
|
readOnly: true
|
||||||
- name: manifests
|
- name: manifests
|
||||||
mountPath: /etc/kubernetes/kubelet/manifests
|
mountPath: /etc/kubernetes/kubelet/manifests
|
||||||
|
|
@ -175,6 +180,12 @@ spec:
|
||||||
- name: pki
|
- name: pki
|
||||||
hostPath:
|
hostPath:
|
||||||
path: /etc/kubernetes/etcd/pki
|
path: /etc/kubernetes/etcd/pki
|
||||||
|
- name: pki-0
|
||||||
|
hostPath:
|
||||||
|
path: /etc/kubernetes/auxiliary-etcd-0/pki
|
||||||
|
- name: pki-1
|
||||||
|
hostPath:
|
||||||
|
path: /etc/kubernetes/auxiliary-etcd-1/pki
|
||||||
- name: manifests
|
- name: manifests
|
||||||
hostPath:
|
hostPath:
|
||||||
path: /etc/kubernetes/kubelet/manifests
|
path: /etc/kubernetes/kubelet/manifests
|
||||||
|
|
|
||||||
|
|
@ -0,0 +1 @@
|
||||||
|
{{ config.get(kind='CertificateKey', name='admin')['data'] }}
|
||||||
|
|
@ -0,0 +1 @@
|
||||||
|
{{ config.get(kind='Certificate', name='admin')['data'] }}
|
||||||
|
|
@ -0,0 +1 @@
|
||||||
|
{{ config.get(kind='CertificateAuthority', name='cluster')['data'] }}
|
||||||
|
|
@ -0,0 +1 @@
|
||||||
|
{{ config.get(kind='CertificateKey', name='apiserver')['data'] }}
|
||||||
|
|
@ -0,0 +1 @@
|
||||||
|
{{ config.get(kind='Certificate', name='apiserver')['data'] }}
|
||||||
|
|
@ -0,0 +1 @@
|
||||||
|
{{ config.get(kind='CertificateAuthority', name='cluster')['data'] }}
|
||||||
|
|
@ -0,0 +1 @@
|
||||||
|
{{ config.get(kind='CertificateAuthority', name='etcd-client')['data'] }}
|
||||||
|
|
@ -0,0 +1 @@
|
||||||
|
{{ config.get(kind='CertificateKey', name='etcd-apiserver-client')['data'] }}
|
||||||
|
|
@ -0,0 +1 @@
|
||||||
|
{{ config.get(kind='Certificate', name='etcd-apiserver-client')['data'] }}
|
||||||
|
|
@ -0,0 +1 @@
|
||||||
|
{{ config.get(kind='PublicKey', name='service-account')['data'] }}
|
||||||
|
|
@ -3,7 +3,7 @@ apiVersion: v1
|
||||||
clusters:
|
clusters:
|
||||||
- cluster:
|
- cluster:
|
||||||
server: https://kubernetes
|
server: https://kubernetes
|
||||||
certificate-authority: /etc/kubernetes/pki/cluster-ca.pem
|
certificate-authority: /etc/kubernetes/controller-manager/pki/cluster-ca.pem
|
||||||
name: kubernetes
|
name: kubernetes
|
||||||
contexts:
|
contexts:
|
||||||
- context:
|
- context:
|
||||||
|
|
@ -16,5 +16,5 @@ preferences: {}
|
||||||
users:
|
users:
|
||||||
- name: controller-manager
|
- name: controller-manager
|
||||||
user:
|
user:
|
||||||
client-certificate: /etc/kubernetes/pki/controller-manager.pem
|
client-certificate: /etc/kubernetes/controller-manager/pki/controller-manager.pem
|
||||||
client-key: /etc/kubernetes/pki/controller-manager-key.pem
|
client-key: /etc/kubernetes/controller-manager/pki/controller-manager-key.pem
|
||||||
|
|
|
||||||
|
|
@ -0,0 +1 @@
|
||||||
|
{{ config.get(kind='CertificateAuthorityKey', name='cluster')['data'] }}
|
||||||
|
|
@ -0,0 +1 @@
|
||||||
|
{{ config.get(kind='CertificateAuthority', name='cluster')['data'] }}
|
||||||
|
|
@ -0,0 +1 @@
|
||||||
|
{{ config.get(kind='CertificateKey', name='controller-manager')['data'] }}
|
||||||
|
|
@ -0,0 +1 @@
|
||||||
|
{{ config.get(kind='Certificate', name='controller-manager')['data'] }}
|
||||||
|
|
@ -0,0 +1 @@
|
||||||
|
{{ config.get(kind='PrivateKey', name='service-account')['data'] }}
|
||||||
|
|
@ -0,0 +1 @@
|
||||||
|
{{ config.get(kind='CertificateAuthority', name='etcd-client')['data'] }}
|
||||||
|
|
@ -0,0 +1 @@
|
||||||
|
{{ config.get(kind='CertificateKey', name='etcd-client')['data'] }}
|
||||||
|
|
@ -0,0 +1 @@
|
||||||
|
{{ config.get(kind='Certificate', name='etcd-client')['data'] }}
|
||||||
|
|
@ -0,0 +1 @@
|
||||||
|
{{ config.get(kind='CertificateKey', name='etcd-peer')['data'] }}
|
||||||
|
|
@ -0,0 +1 @@
|
||||||
|
{{ config.get(kind='Certificate', name='etcd-peer')['data'] }}
|
||||||
|
|
@ -0,0 +1 @@
|
||||||
|
{{ config.get(kind='CertificateAuthority', name='etcd-peer')['data'] }}
|
||||||
|
|
@ -27,12 +27,12 @@ spec:
|
||||||
- --secure-port=443
|
- --secure-port=443
|
||||||
- --allow-privileged=true
|
- --allow-privileged=true
|
||||||
- --etcd-servers=https://kubernetes:2379
|
- --etcd-servers=https://kubernetes:2379
|
||||||
- --etcd-cafile=/etc/kubernetes/pki/cluster-ca.pem
|
- --etcd-cafile=/etc/kubernetes/pki/etcd-client-ca.pem
|
||||||
- --etcd-certfile=/etc/kubernetes/pki/apiserver.pem
|
- --etcd-certfile=/etc/kubernetes/pki/etcd-client.pem
|
||||||
- --etcd-keyfile=/etc/kubernetes/pki/apiserver-key.pem
|
- --etcd-keyfile=/etc/kubernetes/pki/etcd-client-key.pem
|
||||||
- --service-cluster-ip-range={{ config['Network']['service_ip_cidr'] }}
|
- --service-cluster-ip-range={{ config['Network']['service_ip_cidr'] }}
|
||||||
- --kubelet-preferred-address-types=InternalIP,ExternalIP,Hostname
|
- --kubelet-preferred-address-types=InternalIP,ExternalIP,Hostname
|
||||||
- --service-account-key-file=/etc/kubernetes/pki/sa.pem
|
- --service-account-key-file=/etc/kubernetes/pki/service-account.pub
|
||||||
- --tls-cert-file=/etc/kubernetes/pki/apiserver.pem
|
- --tls-cert-file=/etc/kubernetes/pki/apiserver.pem
|
||||||
- --tls-private-key-file=/etc/kubernetes/pki/apiserver-key.pem
|
- --tls-private-key-file=/etc/kubernetes/pki/apiserver-key.pem
|
||||||
- --v=5
|
- --v=5
|
||||||
|
|
|
||||||
|
|
@ -20,19 +20,19 @@ spec:
|
||||||
- controller-manager
|
- controller-manager
|
||||||
- --allocate-node-cidrs=true
|
- --allocate-node-cidrs=true
|
||||||
- --cluster-cidr={{ config['Network']['pod_ip_cidr'] }}
|
- --cluster-cidr={{ config['Network']['pod_ip_cidr'] }}
|
||||||
- --cluster-signing-cert-file=/etc/kubernetes/pki/cluster-ca.pem
|
- --cluster-signing-cert-file=/etc/kubernetes/controller-manager/pki/cluster-ca.pem
|
||||||
- --cluster-signing-key-file=/etc/kubernetes/pki/cluster-ca-key.pem
|
- --cluster-signing-key-file=/etc/kubernetes/controller-manager/pki/cluster-ca-key.pem
|
||||||
- --configure-cloud-routes=false
|
- --configure-cloud-routes=false
|
||||||
- --leader-elect=true
|
- --leader-elect=true
|
||||||
- --kubeconfig=/etc/kubernetes/kubeconfig.yaml
|
- --kubeconfig=/etc/kubernetes/controller-manager/kubeconfig.yaml
|
||||||
- --root-ca-file=/etc/kubernetes/pki/cluster-ca.pem
|
- --root-ca-file=/etc/kubernetes/controller-manager/pki/cluster-ca.pem
|
||||||
- --service-account-private-key-file=/etc/kubernetes/pki/sa-key.pem
|
- --service-account-private-key-file=/etc/kubernetes/controller-manager/pki/service-account.key
|
||||||
- --service-cluster-ip-range={{ config['Network']['service_ip_cidr'] }}
|
- --service-cluster-ip-range={{ config['Network']['service_ip_cidr'] }}
|
||||||
- --use-service-account-credentials=true
|
- --use-service-account-credentials=true
|
||||||
- --v=5
|
- --v=5
|
||||||
volumeMounts:
|
volumeMounts:
|
||||||
- name: config
|
- name: config
|
||||||
mountPath: /etc/kubernetes
|
mountPath: /etc/kubernetes/controller-manager
|
||||||
readOnly: true
|
readOnly: true
|
||||||
volumes:
|
volumes:
|
||||||
- name: config
|
- name: config
|
||||||
|
|
|
||||||
|
|
@ -24,17 +24,17 @@ spec:
|
||||||
- name: ETCD_DATA_DIR
|
- name: ETCD_DATA_DIR
|
||||||
value: /var/lib/kube-etcd
|
value: /var/lib/kube-etcd
|
||||||
- name: ETCD_TRUSTED_CA_FILE
|
- name: ETCD_TRUSTED_CA_FILE
|
||||||
value: /etc/etcd-pki/cluster-ca.pem
|
value: /etc/kubernetes/etcd/pki/client-ca.pem
|
||||||
- name: ETCD_CERT_FILE
|
- name: ETCD_CERT_FILE
|
||||||
value: /etc/etcd-pki/etcd.pem
|
value: /etc/kubernetes/etcd/pki/etcd-client.pem
|
||||||
- name: ETCD_KEY_FILE
|
- name: ETCD_KEY_FILE
|
||||||
value: /etc/etcd-pki/etcd-key.pem
|
value: /etc/kubernetes/etcd/pki/etcd-client-key.pem
|
||||||
- name: ETCD_PEER_TRUSTED_CA_FILE
|
- name: ETCD_PEER_TRUSTED_CA_FILE
|
||||||
value: /etc/etcd-pki/cluster-ca.pem
|
value: /etc/kubernetes/etcd/pki/peer-ca.pem
|
||||||
- name: ETCD_PEER_CERT_FILE
|
- name: ETCD_PEER_CERT_FILE
|
||||||
value: /etc/etcd-pki/etcd.pem
|
value: /etc/kubernetes/etcd/pki/etcd-peer.pem
|
||||||
- name: ETCD_PEER_KEY_FILE
|
- name: ETCD_PEER_KEY_FILE
|
||||||
value: /etc/etcd-pki/etcd-key.pem
|
value: /etc/kubernetes/etcd/pki/etcd-peer-key.pem
|
||||||
- name: ETCD_ADVERTISE_CLIENT_URLS
|
- name: ETCD_ADVERTISE_CLIENT_URLS
|
||||||
value: https://$(ETCD_NAME):2379
|
value: https://$(ETCD_NAME):2379
|
||||||
- name: ETCD_INITIAL_ADVERTISE_PEER_URLS
|
- name: ETCD_INITIAL_ADVERTISE_PEER_URLS
|
||||||
|
|
@ -58,7 +58,7 @@ spec:
|
||||||
- name: data
|
- name: data
|
||||||
mountPath: /var/lib/kube-etcd
|
mountPath: /var/lib/kube-etcd
|
||||||
- name: pki
|
- name: pki
|
||||||
mountPath: /etc/etcd-pki
|
mountPath: /etc/kubernetes/etcd/pki
|
||||||
volumes:
|
volumes:
|
||||||
- name: data
|
- name: data
|
||||||
hostPath:
|
hostPath:
|
||||||
|
|
|
||||||
|
|
@ -18,11 +18,11 @@ spec:
|
||||||
- ./hyperkube
|
- ./hyperkube
|
||||||
- scheduler
|
- scheduler
|
||||||
- --leader-elect=true
|
- --leader-elect=true
|
||||||
- --kubeconfig=/etc/kubernetes/kubeconfig.yaml
|
- --kubeconfig=/etc/kubernetes/scheduler/kubeconfig.yaml
|
||||||
- --v=5
|
- --v=5
|
||||||
volumeMounts:
|
volumeMounts:
|
||||||
- name: config
|
- name: config
|
||||||
mountPath: /etc/kubernetes
|
mountPath: /etc/kubernetes/scheduler
|
||||||
volumes:
|
volumes:
|
||||||
- name: config
|
- name: config
|
||||||
hostPath:
|
hostPath:
|
||||||
|
|
|
||||||
|
|
@ -3,7 +3,7 @@ apiVersion: v1
|
||||||
clusters:
|
clusters:
|
||||||
- cluster:
|
- cluster:
|
||||||
server: https://kubernetes
|
server: https://kubernetes
|
||||||
certificate-authority: /etc/kubernetes/pki/cluster-ca.pem
|
certificate-authority: /etc/kubernetes/scheduler/pki/cluster-ca.pem
|
||||||
name: kubernetes
|
name: kubernetes
|
||||||
contexts:
|
contexts:
|
||||||
- context:
|
- context:
|
||||||
|
|
@ -16,5 +16,5 @@ preferences: {}
|
||||||
users:
|
users:
|
||||||
- name: scheduler
|
- name: scheduler
|
||||||
user:
|
user:
|
||||||
client-certificate: /etc/kubernetes/pki/scheduler.pem
|
client-certificate: /etc/kubernetes/scheduler/pki/scheduler.pem
|
||||||
client-key: /etc/kubernetes/pki/scheduler-key.pem
|
client-key: /etc/kubernetes/scheduler/pki/scheduler-key.pem
|
||||||
|
|
|
||||||
|
|
@ -0,0 +1 @@
|
||||||
|
{{ config.get(kind='CertificateAuthority', name='cluster')['data'] }}
|
||||||
|
|
@ -0,0 +1 @@
|
||||||
|
{{ config.get(kind='CertificateKey', name='scheduler')['data'] }}
|
||||||
|
|
@ -0,0 +1 @@
|
||||||
|
{{ config.get(kind='Certificate', name='scheduler')['data'] }}
|
||||||
Loading…
Reference in New Issue