From 1e47b8718afac8a5a42d76fb8ba9490a39de84c0 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?=E6=96=B9=E4=BF=8A=E6=AD=A6?=
Date: Thu, 15 Jun 2017 19:20:58 +0800
Subject: [PATCH] seperate kube-proxy certs for each node

---
 .../node/templates/kube-proxy-kubeconfig.yaml.j2 | 4 ++--
 roles/kubernetes/secrets/files/make-ssl.sh | 12 +++++++++---
 roles/kubernetes/secrets/tasks/gen_certs_script.yml | 10 +++++-----
 3 files changed, 16 insertions(+), 10 deletions(-)

diff --git a/roles/kubernetes/node/templates/kube-proxy-kubeconfig.yaml.j2 b/roles/kubernetes/node/templates/kube-proxy-kubeconfig.yaml.j2
index cd305b493..18c47cd3e 100644
--- a/roles/kubernetes/node/templates/kube-proxy-kubeconfig.yaml.j2
+++ b/roles/kubernetes/node/templates/kube-proxy-kubeconfig.yaml.j2
@@ -8,8 +8,8 @@ clusters:
 users:
 - name: kube-proxy
 user:
- client-certificate: {{ kube_cert_dir }}/kube-proxy.pem
- client-key: {{ kube_cert_dir }}/kube-proxy-key.pem
+ client-certificate: {{ kube_cert_dir }}/kube-proxy-{{ inventory_hostname }}.pem
+ client-key: {{ kube_cert_dir }}/kube-proxy-{{ inventory_hostname }}-key.pem
 contexts:
 - context:
 cluster: local
diff --git a/roles/kubernetes/secrets/files/make-ssl.sh b/roles/kubernetes/secrets/files/make-ssl.sh
index 8fec4f314..dde5873fb 100755
--- a/roles/kubernetes/secrets/files/make-ssl.sh
+++ b/roles/kubernetes/secrets/files/make-ssl.sh
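Review bot: The file name the kubeconfig now points at, `kube-proxy-{{ inventory_hostname }}.pem`, has to match byte-for-byte what make-ssl.sh writes as `kube-proxy-${host}.pem`, and that script names files after the entries of `$HOSTS`, not after Ansible's inventory name. Where `$HOSTS` is assembled is not in this patch; if it is built from anything other than `inventory_hostname` (an FQDN, `ansible_hostname`), the rendered kubeconfig references a certificate that was never generated and kube-proxy on that node cannot authenticate. A comment on the `client-certificate` line such as `# file name must match the per-host output of roles/kubernetes/secrets/files/make-ssl.sh` would record the coupling for the next reader.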
@@ -103,9 +103,15 @@ if [ -n "$HOSTS" ]; then
 fi
 # system:kube-proxy
-openssl genrsa -out kube-proxy-key.pem 2048 > /dev/null 2>&1
-openssl req -new -key kube-proxy-key.pem -out kube-proxy.csr -subj "/CN=system:kube-proxy" > /dev/null 2>&1
-openssl x509 -req -in kube-proxy.csr -CA ca.pem -CAkey ca-key.pem -CAcreateserial -out kube-proxy.pem -days 3650 > /dev/null 2>&1
+if [ -n "$HOSTS" ]; then
+ for host in $HOSTS; do
+ cn="${host%%.*}"
+ # kube-proxy key
+ openssl genrsa -out kube-proxy-${host}-key.pem 2048 > /dev/null 2>&1
+ openssl req -new -key kube-proxy-${host}-key.pem -out kube-proxy-${host}.csr -subj "/CN=system:kube-proxy" > /dev/null 2>&1
+ openssl x509 -req -in kube-proxy-${host}.csr -CA ca.pem -CAkey ca-key.pem -CAcreateserial -out kube-proxy-${host}.pem -days 3650 > /dev/null 2>&1
+ done
+fi
 # Install certs
diff --git a/roles/kubernetes/secrets/tasks/gen_certs_script.yml b/roles/kubernetes/secrets/tasks/gen_certs_script.yml
index 0629e3ea5..1920b696b 100644
--- a/roles/kubernetes/secrets/tasks/gen_certs_script.yml
+++ b/roles/kubernetes/secrets/tasks/gen_certs_script.yml
@@ -69,17 +69,17 @@
 'apiserver-key.pem'
 ]
 all_node_certs: "['ca.pem',
- 'kube-proxy.pem',
- 'kube-proxy-key.pem',
 {% for node in groups['k8s-cluster'] %}
 'node-{{ node }}.pem',
 'node-{{ node }}-key.pem',
+ 'kube-proxy-{{ node }}.pem',
+ 'kube-proxy-{{ node }}-key.pem',
 {% endfor %}]"
 my_node_certs: ['ca.pem',
- 'kube-proxy.pem',
- 'kube-proxy-key.pem',
 'node-{{ inventory_hostname }}.pem',
- 'node-{{ inventory_hostname }}-key.pem'
+ 'node-{{ inventory_hostname }}-key.pem',
+ 'kube-proxy-{{ inventory_hostname }}.pem',
+ 'kube-proxy-{{ inventory_hostname }}-key.pem',
 ]
 tags: facts
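Review bot: `cn="${host%%.*}"` in the new loop is assigned but never read; every per-host CSR is still issued with `-subj "/CN=system:kube-proxy"`, so the N certificates differ only in key material and all present the same identity to the API server. Either the line should go, or, if a per-host identity was intended, the subject would have to change and whatever binds `system:kube-proxy` to its role (not in this patch) would need to account for it; as written the dead variable reads like the second was planned and dropped. Keeping the shared CN is a legitimate choice, but it deserves a comment, e.g. `# one key pair per host; all of them carry the same system:kube-proxy identity`, so nobody assumes per-node authorization follows from per-node files. Separately, each `openssl` call in the loop still ends in `> /dev/null 2>&1`, so a failure for one host is silent and the loop simply moves on; checking the exit status of the `x509` step (`|| { echo "kube-proxy cert for ${host} failed" >&2; exit 1; }`) would surface a missing certificate at generation time instead of at kube-proxy start.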
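Review bot: `all_node_certs` now lists every node's `kube-proxy-{{ node }}-key.pem`, so if this list is what gets bundled on the master and pushed to every node (the tasks that consume it are outside this hunk), each node ends up holding the kube-proxy private keys of all other nodes, and the per-node split gives no containment benefit unless a later step prunes the bundle down to `my_node_certs`. If such a prune step exists, a comment on `all_node_certs` saying so would make the intent explicit; if it does not, only `my_node_certs` should be delivered to each host. On style, the rewritten `my_node_certs` flow sequence now ends with a trailing comma before `]` (`'kube-proxy-{{ inventory_hostname }}-key.pem',`), which PyYAML accepts but the line it replaced deliberately omitted; dropping it keeps the literal list in its prior form. The enclosing task starts before this hunk.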