configure kubespray to sign service account tokens with a dedicated and stable key
This commit is contained in:
parent
270d21f5c1
commit
c8f857eae4
4 changed files with 15 additions and 2 deletions
|
@ -63,7 +63,7 @@ spec:
|
||||||
{% if kube_token_auth|default(true) %}
|
{% if kube_token_auth|default(true) %}
|
||||||
- --token-auth-file={{ kube_token_dir }}/known_tokens.csv
|
- --token-auth-file={{ kube_token_dir }}/known_tokens.csv
|
||||||
{% endif %}
|
{% endif %}
|
||||||
- --service-account-key-file={{ kube_cert_dir }}/apiserver-key.pem
|
- --service-account-key-file={{ kube_cert_dir }}/service-account-key.pem
|
||||||
{% if kube_oidc_auth|default(false) and kube_oidc_url is defined and kube_oidc_client_id is defined %}
|
{% if kube_oidc_auth|default(false) and kube_oidc_url is defined and kube_oidc_client_id is defined %}
|
||||||
- --oidc-issuer-url={{ kube_oidc_url }}
|
- --oidc-issuer-url={{ kube_oidc_url }}
|
||||||
- --oidc-client-id={{ kube_oidc_client_id }}
|
- --oidc-client-id={{ kube_oidc_client_id }}
|
||||||
|
|
|
@ -29,7 +29,7 @@ spec:
|
||||||
- controller-manager
|
- controller-manager
|
||||||
- --kubeconfig={{ kube_config_dir }}/kube-controller-manager-kubeconfig.yaml
|
- --kubeconfig={{ kube_config_dir }}/kube-controller-manager-kubeconfig.yaml
|
||||||
- --leader-elect=true
|
- --leader-elect=true
|
||||||
- --service-account-private-key-file={{ kube_cert_dir }}/apiserver-key.pem
|
- --service-account-private-key-file={{ kube_cert_dir }}/service-account-key.pem
|
||||||
- --root-ca-file={{ kube_cert_dir }}/ca.pem
|
- --root-ca-file={{ kube_cert_dir }}/ca.pem
|
||||||
- --cluster-signing-cert-file={{ kube_cert_dir }}/ca.pem
|
- --cluster-signing-cert-file={{ kube_cert_dir }}/ca.pem
|
||||||
- --cluster-signing-key-file={{ kube_cert_dir }}/ca-key.pem
|
- --cluster-signing-key-file={{ kube_cert_dir }}/ca-key.pem
|
||||||
|
|
|
@ -82,6 +82,17 @@ gen_key_and_cert() {
|
||||||
|
|
||||||
# Admins
|
# Admins
|
||||||
if [ -n "$MASTERS" ]; then
|
if [ -n "$MASTERS" ]; then
|
||||||
|
|
||||||
|
# service-account
|
||||||
|
# If --service-account-private-key-file was previously configured to use apiserver-key.pem then copy that to the new dedicated service-account signing key location to avoid disruptions
|
||||||
|
if [ -e "$SSLDIR/apiserver-key.pem" ] && ! [ -e "$SSLDIR/service-account-key.pem" ]; then
|
||||||
|
cp $SSLDIR/apiserver-key.pem $SSLDIR/service-account-key.pem
|
||||||
|
fi
|
||||||
|
# Generate dedicated service account signing key if one doesn't exist
|
||||||
|
if ! [ -e "$SSLDIR/apiserver-key.pem" ] && ! [ -e "$SSLDIR/service-account-key.pem" ]; then
|
||||||
|
openssl genrsa -out service-account-key.pem 2048 > /dev/null 2>&1
|
||||||
|
fi
|
||||||
|
|
||||||
# kube-apiserver
|
# kube-apiserver
|
||||||
# Generate only if we don't have existing ca and apiserver certs
|
# Generate only if we don't have existing ca and apiserver certs
|
||||||
if ! [ -e "$SSLDIR/ca-key.pem" ] || ! [ -e "$SSLDIR/apiserver-key.pem" ]; then
|
if ! [ -e "$SSLDIR/ca-key.pem" ] || ! [ -e "$SSLDIR/apiserver-key.pem" ]; then
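Review bot: The migration copy `cp $SSLDIR/apiserver-key.pem $SSLDIR/service-account-key.pem` leaves `$SSLDIR` unquoted while the tests on either side of it quote the same variable; it should read `cp -- "$SSLDIR/apiserver-key.pem" "$SSLDIR/service-account-key.pem"`. The generation branch tests for `$SSLDIR/service-account-key.pem` but `openssl genrsa -out service-account-key.pem` writes into the current directory; if the script stages new `.pem` files in a scratch directory and installs them into `$SSLDIR` afterwards this is intended and deserves a comment saying so, otherwise the output path should be `"$SSLDIR/service-account-key.pem"`, and since stderr is discarded a failed generation would only surface later as a missing file. On upgraded clusters the new file is a copy of the old apiserver key rather than a dedicated one, so a comment such as `# NOTE: on upgraded clusters this key is a copy of the former apiserver-key.pem; rotate it separately to obtain a truly dedicated signing key` would keep the commit title's claim accurate. The surrounding script, including where generated keys are installed into `$SSLDIR`, lies outside the hunk.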
|
||||||
|
|
|
@ -75,6 +75,7 @@
|
||||||
'kube-controller-manager-key.pem',
|
'kube-controller-manager-key.pem',
|
||||||
'front-proxy-client.pem',
|
'front-proxy-client.pem',
|
||||||
'front-proxy-client-key.pem',
|
'front-proxy-client-key.pem',
|
||||||
|
'service-account-key.pem',
|
||||||
{% for node in groups['kube-master'] %}
|
{% for node in groups['kube-master'] %}
|
||||||
'admin-{{ node }}.pem',
|
'admin-{{ node }}.pem',
|
||||||
'admin-{{ node }}-key.pem',
|
'admin-{{ node }}-key.pem',
|
||||||
|
@ -86,6 +87,7 @@
|
||||||
'apiserver-key.pem',
|
'apiserver-key.pem',
|
||||||
'front-proxy-client.pem',
|
'front-proxy-client.pem',
|
||||||
'front-proxy-client-key.pem',
|
'front-proxy-client-key.pem',
|
||||||
|
'service-account-key.pem',
|
||||||
'kube-scheduler.pem',
|
'kube-scheduler.pem',
|
||||||
'kube-scheduler-key.pem',
|
'kube-scheduler-key.pem',
|
||||||
'kube-controller-manager.pem',
|
'kube-controller-manager.pem',
|
||||||
|
|