add kube-node to system:nodes group, add system:kube-proxy cert for kube-proxy
This commit is contained in:
parent
b73786c6d5
commit
c73b9abf26
5 changed files with 43 additions and 8 deletions
|
@ -30,9 +30,12 @@
|
||||||
|
|
||||||
- name: write the kubecfg (auth) file for kubelet
|
- name: write the kubecfg (auth) file for kubelet
|
||||||
template:
|
template:
|
||||||
src: node-kubeconfig.yaml.j2
|
src: "{{ item }}-kubeconfig.yaml.j2"
|
||||||
dest: "{{ kube_config_dir }}/node-kubeconfig.yaml"
|
dest: "{{ kube_config_dir }}/{{ item }}-kubeconfig.yaml"
|
||||||
backup: yes
|
backup: yes
|
||||||
|
with_items:
|
||||||
|
- node
|
||||||
|
- kube-proxy
|
||||||
notify: restart kubelet
|
notify: restart kubelet
|
||||||
tags: kubelet
|
tags: kubelet
|
||||||
|
|
||||||
|
|
|
@ -0,0 +1,18 @@
|
||||||
|
apiVersion: v1
|
||||||
|
kind: Config
|
||||||
|
clusters:
|
||||||
|
- name: local
|
||||||
|
cluster:
|
||||||
|
certificate-authority: {{ kube_cert_dir }}/ca.pem
|
||||||
|
server: {{ kube_apiserver_endpoint }}
|
||||||
|
users:
|
||||||
|
- name: kube-proxy
|
||||||
|
user:
|
||||||
|
client-certificate: {{ kube_cert_dir }}/kube-proxy.pem
|
||||||
|
client-key: {{ kube_cert_dir }}/kube-proxy-key.pem
|
||||||
|
contexts:
|
||||||
|
- context:
|
||||||
|
cluster: local
|
||||||
|
user: kube-proxy
|
||||||
|
name: kube-proxy-{{ cluster_name }}
|
||||||
|
current-context: kube-proxy-{{ cluster_name }}
|
|
@ -27,7 +27,7 @@ spec:
|
||||||
- --v={{ kube_log_level }}
|
- --v={{ kube_log_level }}
|
||||||
- --master={{ kube_apiserver_endpoint }}
|
- --master={{ kube_apiserver_endpoint }}
|
||||||
{% if not is_kube_master %}
|
{% if not is_kube_master %}
|
||||||
- --kubeconfig={{kube_config_dir}}/node-kubeconfig.yaml
|
- --kubeconfig={{kube_config_dir}}/kube-proxy-kubeconfig.yaml
|
||||||
{% endif %}
|
{% endif %}
|
||||||
- --bind-address={{ ip | default(ansible_default_ipv4.address) }}
|
- --bind-address={{ ip | default(ansible_default_ipv4.address) }}
|
||||||
- --cluster-cidr={{ kube_pods_subnet }}
|
- --cluster-cidr={{ kube_pods_subnet }}
|
||||||
|
@ -41,7 +41,7 @@ spec:
|
||||||
- mountPath: /etc/ssl/certs
|
- mountPath: /etc/ssl/certs
|
||||||
name: ssl-certs-host
|
name: ssl-certs-host
|
||||||
readOnly: true
|
readOnly: true
|
||||||
- mountPath: {{kube_config_dir}}/node-kubeconfig.yaml
|
- mountPath: {{kube_config_dir}}/kube-proxy-kubeconfig.yaml
|
||||||
name: "kubeconfig"
|
name: "kubeconfig"
|
||||||
readOnly: true
|
readOnly: true
|
||||||
- mountPath: {{kube_config_dir}}/ssl
|
- mountPath: {{kube_config_dir}}/ssl
|
||||||
|
@ -60,7 +60,7 @@ spec:
|
||||||
{% endif %}
|
{% endif %}
|
||||||
- name: "kubeconfig"
|
- name: "kubeconfig"
|
||||||
hostPath:
|
hostPath:
|
||||||
path: "{{kube_config_dir}}/node-kubeconfig.yaml"
|
path: "{{kube_config_dir}}/kube-proxy-kubeconfig.yaml"
|
||||||
- name: "etc-kube-ssl"
|
- name: "etc-kube-ssl"
|
||||||
hostPath:
|
hostPath:
|
||||||
path: "{{kube_config_dir}}/ssl"
|
path: "{{kube_config_dir}}/ssl"
|
||||||
|
|
|
@ -80,6 +80,7 @@ if [ ! -e "$SSLDIR/ca-key.pem" ]; then
|
||||||
cat ca.pem >> apiserver.pem
|
cat ca.pem >> apiserver.pem
|
||||||
fi
|
fi
|
||||||
|
|
||||||
|
# Admins
|
||||||
if [ -n "$MASTERS" ]; then
|
if [ -n "$MASTERS" ]; then
|
||||||
for host in $MASTERS; do
|
for host in $MASTERS; do
|
||||||
cn="${host%%.*}"
|
cn="${host%%.*}"
|
||||||
|
@ -90,16 +91,22 @@ if [ -n "$MASTERS" ]; then
|
||||||
done
|
done
|
||||||
fi
|
fi
|
||||||
|
|
||||||
# Nodes and Admin
|
# Nodes
|
||||||
if [ -n "$HOSTS" ]; then
|
if [ -n "$HOSTS" ]; then
|
||||||
for host in $HOSTS; do
|
for host in $HOSTS; do
|
||||||
cn="${host%%.*}"
|
cn="${host%%.*}"
|
||||||
# node key
|
# node key
|
||||||
openssl genrsa -out node-${host}-key.pem 2048 > /dev/null 2>&1
|
openssl genrsa -out node-${host}-key.pem 2048 > /dev/null 2>&1
|
||||||
openssl req -new -key node-${host}-key.pem -out node-${host}.csr -subj "/CN=kube-node-${cn}" > /dev/null 2>&1
|
openssl req -new -key node-${host}-key.pem -out node-${host}.csr -subj "/CN=kube-node-${cn}/O=system:nodes" > /dev/null 2>&1
|
||||||
openssl x509 -req -in node-${host}.csr -CA ca.pem -CAkey ca-key.pem -CAcreateserial -out node-${host}.pem -days 3650 > /dev/null 2>&1
|
openssl x509 -req -in node-${host}.csr -CA ca.pem -CAkey ca-key.pem -CAcreateserial -out node-${host}.pem -days 3650 > /dev/null 2>&1
|
||||||
done
|
done
|
||||||
fi
|
fi
|
||||||
|
|
||||||
|
# system:kube-proxy
|
||||||
|
openssl genrsa -out kube-proxy-key.pem 2048 > /dev/null 2>&1
|
||||||
|
openssl req -new -key kube-proxy-key.pem -out kube-proxy.csr -subj "/CN=system:kube-proxy" > /dev/null 2>&1
|
||||||
|
openssl x509 -req -in kube-proxy.csr -CA ca.pem -CAkey ca-key.pem -CAcreateserial -out kube-proxy.pem -days 3650 > /dev/null 2>&1
|
||||||
|
|
||||||
|
|
||||||
# Install certs
|
# Install certs
|
||||||
mv *.pem ${SSLDIR}/
|
mv *.pem ${SSLDIR}/
|
||||||
|
|
|
@ -69,11 +69,18 @@
|
||||||
'apiserver-key.pem'
|
'apiserver-key.pem'
|
||||||
]
|
]
|
||||||
all_node_certs: "['ca.pem',
|
all_node_certs: "['ca.pem',
|
||||||
|
'kube-proxy.pem',
|
||||||
|
'kube-proxy-key.pem',
|
||||||
{% for node in groups['k8s-cluster'] %}
|
{% for node in groups['k8s-cluster'] %}
|
||||||
'node-{{ node }}.pem',
|
'node-{{ node }}.pem',
|
||||||
'node-{{ node }}-key.pem',
|
'node-{{ node }}-key.pem',
|
||||||
{% endfor %}]"
|
{% endfor %}]"
|
||||||
my_node_certs: ['ca.pem', 'node-{{ inventory_hostname }}.pem', 'node-{{ inventory_hostname }}-key.pem']
|
my_node_certs: ['ca.pem',
|
||||||
|
'kube-proxy.pem',
|
||||||
|
'kube-proxy-key.pem',
|
||||||
|
'node-{{ inventory_hostname }}.pem',
|
||||||
|
'node-{{ inventory_hostname }}-key.pem'
|
||||||
|
]
|
||||||
tags: facts
|
tags: facts
|
||||||
|
|
||||||
- name: Gen_certs | Gather master certs
|
- name: Gen_certs | Gather master certs
|
||||||
|
|
Loading…
Reference in a new issue