C12s/c12s-kubespray
3
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity

seperate kube-proxy certs for each node

Browse source
This commit is contained in:
方俊武 2017-06-15 19:20:58 +08:00
parent c73b9abf26
commit 1e47b8718a
3 changed files with 16 additions and 10 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

4
roles/kubernetes/node/templates/kube-proxy-kubeconfig.yaml.j2
View file

@ -8,8 +8,8 @@ clusters:
users: users:
- name: kube-proxy - name: kube-proxy
user: user:
client-certificate: {{ kube_cert_dir }}/kube-proxy.pem client-certificate: {{ kube_cert_dir }}/kube-proxy-{{ inventory_hostname }}.pem
client-key: {{ kube_cert_dir }}/kube-proxy-key.pem client-key: {{ kube_cert_dir }}/kube-proxy-{{ inventory_hostname }}-key.pem
contexts: contexts:
- context: - context:
cluster: local cluster: local

12
roles/kubernetes/secrets/files/make-ssl.sh
View file

@ -103,9 +103,15 @@ if [ -n "$HOSTS" ]; then
fi fi
# system:kube-proxy # system:kube-proxy
openssl genrsa -out kube-proxy-key.pem 2048 > /dev/null 2>&1 if [ -n "$HOSTS" ]; then
openssl req -new -key kube-proxy-key.pem -out kube-proxy.csr -subj "/CN=system:kube-proxy" > /dev/null 2>&1 for host in $HOSTS; do
openssl x509 -req -in kube-proxy.csr -CA ca.pem -CAkey ca-key.pem -CAcreateserial -out kube-proxy.pem -days 3650 > /dev/null 2>&1 cn="${host%%.*}"
# kube-proxy key
openssl genrsa -out kube-proxy-${host}-key.pem 2048 > /dev/null 2>&1
openssl req -new -key kube-proxy-${host}-key.pem -out kube-proxy-${host}.csr -subj "/CN=system:kube-proxy" > /dev/null 2>&1
openssl x509 -req -in kube-proxy-${host}.csr -CA ca.pem -CAkey ca-key.pem -CAcreateserial -out kube-proxy-${host}.pem -days 3650 > /dev/null 2>&1
done
fi
# Install certs # Install certs

10
roles/kubernetes/secrets/tasks/gen_certs_script.yml
View file

@ -69,17 +69,17 @@
'apiserver-key.pem' 'apiserver-key.pem'
] ]
all_node_certs: "['ca.pem', all_node_certs: "['ca.pem',
'kube-proxy.pem',
'kube-proxy-key.pem',
{% for node in groups['k8s-cluster'] %} {% for node in groups['k8s-cluster'] %}
'node-{{ node }}.pem', 'node-{{ node }}.pem',
'node-{{ node }}-key.pem', 'node-{{ node }}-key.pem',
'kube-proxy-{{ node }}.pem',
'kube-proxy-{{ node }}-key.pem',
{% endfor %}]" {% endfor %}]"
my_node_certs: ['ca.pem', my_node_certs: ['ca.pem',
'kube-proxy.pem',
'kube-proxy-key.pem',
'node-{{ inventory_hostname }}.pem', 'node-{{ inventory_hostname }}.pem',
'node-{{ inventory_hostname }}-key.pem' 'node-{{ inventory_hostname }}-key.pem',
'kube-proxy-{{ inventory_hostname }}.pem',
'kube-proxy-{{ inventory_hostname }}-key.pem',
] ]
tags: facts tags: facts