Use only one certificate for all apiservers

https://github.com/kubernetes/kubernetes/issues/25063
This commit is contained in:
Matthew Mosesohn 2017-01-13 14:03:20 +03:00
parent e88c10670e
commit 80703010bd
4 changed files with 17 additions and 14 deletions

View file

@ -35,10 +35,10 @@ spec:
- --service-node-port-range={{ kube_apiserver_node_port_range }} - --service-node-port-range={{ kube_apiserver_node_port_range }}
- --client-ca-file={{ kube_cert_dir }}/ca.pem - --client-ca-file={{ kube_cert_dir }}/ca.pem
- --basic-auth-file={{ kube_users_dir }}/known_users.csv - --basic-auth-file={{ kube_users_dir }}/known_users.csv
- --tls-cert-file={{ kube_cert_dir }}/apiserver-{{ inventory_hostname }}.pem - --tls-cert-file={{ kube_cert_dir }}/apiserver.pem
- --tls-private-key-file={{ kube_cert_dir }}/apiserver-{{ inventory_hostname }}-key.pem - --tls-private-key-file={{ kube_cert_dir }}/apiserver-key.pem
- --token-auth-file={{ kube_token_dir }}/known_tokens.csv - --token-auth-file={{ kube_token_dir }}/known_tokens.csv
- --service-account-key-file={{ kube_cert_dir }}/apiserver-{{ inventory_hostname }}-key.pem - --service-account-key-file={{ kube_cert_dir }}/apiserver-key.pem
- --secure-port={{ kube_apiserver_port }} - --secure-port={{ kube_apiserver_port }}
- --insecure-port={{ kube_apiserver_insecure_port }} - --insecure-port={{ kube_apiserver_insecure_port }}
{% if kube_api_runtime_config is defined %} {% if kube_api_runtime_config is defined %}

View file

@ -23,7 +23,7 @@ spec:
- controller-manager - controller-manager
- --master={{ kube_apiserver_endpoint }} - --master={{ kube_apiserver_endpoint }}
- --leader-elect=true - --leader-elect=true
- --service-account-private-key-file={{ kube_cert_dir }}/apiserver-{{ inventory_hostname }}-key.pem - --service-account-private-key-file={{ kube_cert_dir }}/apiserver-key.pem
- --root-ca-file={{ kube_cert_dir }}/ca.pem - --root-ca-file={{ kube_cert_dir }}/ca.pem
- --cluster-signing-cert-file={{ kube_cert_dir }}/ca.pem - --cluster-signing-cert-file={{ kube_cert_dir }}/ca.pem
- --cluster-signing-key-file={{ kube_cert_dir }}/ca-key.pem - --cluster-signing-key-file={{ kube_cert_dir }}/ca-key.pem

View file

@ -72,14 +72,16 @@ else
openssl req -x509 -new -nodes -key ca-key.pem -days 10000 -out ca.pem -subj "/CN=kube-ca" > /dev/null 2>&1 openssl req -x509 -new -nodes -key ca-key.pem -days 10000 -out ca.pem -subj "/CN=kube-ca" > /dev/null 2>&1
fi fi
if [ ! -e "$SSLDIR/ca-key.pem" ]; then
# kube-apiserver key
openssl genrsa -out apiserver-key.pem 2048 > /dev/null 2>&1
openssl req -new -key apiserver-key.pem -out apiserver.csr -subj "/CN=kube-apiserver" -config ${CONFIG} > /dev/null 2>&1
openssl x509 -req -in apiserver.csr -CA ca.pem -CAkey ca-key.pem -CAcreateserial -out apiserver.pem -days 365 -extensions v3_req -extfile ${CONFIG} > /dev/null 2>&1
cat ca.pem >> apiserver.pem
fi
if [ -n "$MASTERS" ]; then if [ -n "$MASTERS" ]; then
for host in $MASTERS; do for host in $MASTERS; do
# kube-apiserver key
openssl genrsa -out apiserver-${host}-key.pem 2048 > /dev/null 2>&1
openssl req -new -key apiserver-${host}-key.pem -out apiserver-${host}.csr -subj "/CN=kube-apiserver-${host}" -config ${CONFIG} > /dev/null 2>&1
openssl x509 -req -in apiserver-${host}.csr -CA ca.pem -CAkey ca-key.pem -CAcreateserial -out apiserver-${host}.pem -days 365 -extensions v3_req -extfile ${CONFIG} > /dev/null 2>&1
cat ca.pem >> apiserver-${host}.pem
# admin key # admin key
openssl genrsa -out admin-${host}-key.pem 2048 > /dev/null 2>&1 openssl genrsa -out admin-${host}-key.pem 2048 > /dev/null 2>&1
openssl req -new -key admin-${host}-key.pem -out admin-${host}.csr -subj "/CN=kube-admin-${host}" > /dev/null 2>&1 openssl req -new -key admin-${host}-key.pem -out admin-${host}.csr -subj "/CN=kube-admin-${host}" > /dev/null 2>&1
@ -90,6 +92,7 @@ fi
# Nodes and Admin # Nodes and Admin
if [ -n "$HOSTS" ]; then if [ -n "$HOSTS" ]; then
for host in $HOSTS; do for host in $HOSTS; do
# node key
openssl genrsa -out node-${host}-key.pem 2048 > /dev/null 2>&1 openssl genrsa -out node-${host}-key.pem 2048 > /dev/null 2>&1
openssl req -new -key node-${host}-key.pem -out node-${host}.csr -subj "/CN=kube-node-${host}" > /dev/null 2>&1 openssl req -new -key node-${host}-key.pem -out node-${host}.csr -subj "/CN=kube-node-${host}" > /dev/null 2>&1
openssl x509 -req -in node-${host}.csr -CA ca.pem -CAkey ca-key.pem -CAcreateserial -out node-${host}.pem -days 365 > /dev/null 2>&1 openssl x509 -req -in node-${host}.csr -CA ca.pem -CAkey ca-key.pem -CAcreateserial -out node-${host}.pem -days 365 > /dev/null 2>&1

View file

@ -39,14 +39,14 @@
{% for node in groups['kube-master'] %} {% for node in groups['kube-master'] %}
'admin-{{ node }}.pem', 'admin-{{ node }}.pem',
'admin-{{ node }}-key.pem', 'admin-{{ node }}-key.pem',
'apiserver-{{ node }}.pem', 'apiserver.pem',
'apiserver-{{ node }}-key.pem', 'apiserver-key.pem',
{% endfor %}]" {% endfor %}]"
my_master_certs: ['ca-key.pem', my_master_certs: ['ca-key.pem',
'admin-{{ inventory_hostname }}.pem', 'admin-{{ inventory_hostname }}.pem',
'admin-{{ inventory_hostname }}-key.pem', 'admin-{{ inventory_hostname }}-key.pem',
'apiserver-{{ inventory_hostname }}.pem', 'apiserver.pem',
'apiserver-{{ inventory_hostname }}-key.pem' 'apiserver-key.pem'
] ]
all_node_certs: "['ca.pem', all_node_certs: "['ca.pem',
{% for node in groups['k8s-cluster'] %} {% for node in groups['k8s-cluster'] %}