Add generation for kube-scheduler and kube-controller-manager certs (#12285)
* Add generation for kube-scheduler and kube-controller-manager certs Signed-off-by: Vitor Savian <vitor.savian@suse.com> * Add new certs to the tests Signed-off-by: Vitor Savian <vitor.savian@suse.com> * Change cert-dir to tls-cert-file and tls-private-key-file Signed-off-by: Vitor Savian <vitor.savian@suse.com> * Address altName structure Co-authored-by: Brad Davidson <brad@oatmail.org> Signed-off-by: Vitor Savian <vitor.savian@suse.com> --------- Signed-off-by: Vitor Savian <vitor.savian@suse.com> Co-authored-by: Brad Davidson <brad@oatmail.org>
This commit is contained in:
parent
4c1f014d27
commit
53de968676
5 changed files with 76 additions and 33 deletions
|
|
@ -334,16 +334,20 @@ type ControlRuntime struct {
|
|||
KubeConfigAPIServer string
|
||||
KubeConfigCloudController string
|
||||
|
||||
ServingKubeAPICert string
|
||||
ServingKubeAPIKey string
|
||||
ServingKubeletKey string
|
||||
ServerToken string
|
||||
AgentToken string
|
||||
APIServer http.Handler
|
||||
Handler http.Handler
|
||||
HTTPBootstrap http.Handler
|
||||
Tunnel http.Handler
|
||||
Authenticator authenticator.Request
|
||||
ServingKubeAPICert string
|
||||
ServingKubeAPIKey string
|
||||
ServingKubeSchedulerCert string
|
||||
ServingKubeSchedulerKey string
|
||||
ServingKubeControllerCert string
|
||||
ServingKubeControllerKey string
|
||||
ServingKubeletKey string
|
||||
ServerToken string
|
||||
AgentToken string
|
||||
APIServer http.Handler
|
||||
Handler http.Handler
|
||||
HTTPBootstrap http.Handler
|
||||
Tunnel http.Handler
|
||||
Authenticator authenticator.Request
|
||||
|
||||
EgressSelectorConfig string
|
||||
CloudControllerConfig string
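Review bot: The four new ServingKubeScheduler*/ServingKubeController* fields are added to an undocumented run of fields, and nothing in the struct says how they differ from the ClientScheduler*/ClientController* pairs this commit also touches in FilesForServices. A one-line comment above `ServingKubeSchedulerCert` such as `// Serving cert/key pairs for the loopback kube-scheduler and kube-controller-manager HTTPS endpoints, generated in genServerCerts.` would keep the client-vs-serving distinction visible to the next reader. The ControlRuntime struct starts and ends outside the hunk.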
|
||||
|
|
|
|||
|
|
@ -143,6 +143,12 @@ func CreateRuntimeCertFiles(config *config.Control) {
|
|||
runtime.ServingKubeAPICert = filepath.Join(config.DataDir, "tls", "serving-kube-apiserver.crt")
|
||||
runtime.ServingKubeAPIKey = filepath.Join(config.DataDir, "tls", "serving-kube-apiserver.key")
|
||||
|
||||
runtime.ServingKubeSchedulerCert = filepath.Join(config.DataDir, "tls", "kube-scheduler", "kube-scheduler.crt")
|
||||
runtime.ServingKubeSchedulerKey = filepath.Join(config.DataDir, "tls", "kube-scheduler", "kube-scheduler.key")
|
||||
|
||||
runtime.ServingKubeControllerCert = filepath.Join(config.DataDir, "tls", "kube-controller-manager", "kube-controller-manager.crt")
|
||||
runtime.ServingKubeControllerKey = filepath.Join(config.DataDir, "tls", "kube-controller-manager", "kube-controller-manager.key")
|
||||
|
||||
runtime.ClientKubeletKey = filepath.Join(config.DataDir, "tls", "client-kubelet.key")
|
||||
runtime.ServingKubeletKey = filepath.Join(config.DataDir, "tls", "serving-kubelet.key")
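Review bot: The new serving pairs go into per-component subdirectories (`tls/kube-scheduler/`, `tls/kube-controller-manager/`) while the existing apiserver serving pair sits flat as `tls/serving-kube-apiserver.crt`; whether createClientCertKey creates a missing parent directory is not visible here, so on a clean data dir the first generation could fail if it does not. Either confirm the helper performs the equivalent of MkdirAll, or follow the existing flat naming, e.g. `runtime.ServingKubeSchedulerCert = filepath.Join(config.DataDir, "tls", "serving-kube-scheduler.crt")`. The test expectations in this commit encode the subdirectory layout, so any rename has to be mirrored there. CreateRuntimeCertFiles starts and ends outside the hunk.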
|
||||
|
||||
|
|
@ -440,6 +446,23 @@ func genServerCerts(config *config.Control) error {
|
|||
return err
|
||||
}
|
||||
|
||||
altNames = &certutil.AltNames{}
|
||||
addSANs(altNames, []string{"localhost" ,"127.0.0.1", "::1"})
|
||||
|
||||
if _, err := createClientCertKey(regen, "kube-scheduler", nil,
|
||||
altNames, []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
|
||||
runtime.ServerCA, runtime.ServerCAKey,
|
||||
runtime.ServingKubeSchedulerCert, runtime.ServingKubeSchedulerKey); err != nil {
|
||||
return err
|
||||
}
|
||||
|
||||
if _, err := createClientCertKey(regen, "kube-controller-manager", nil,
|
||||
altNames, []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
|
||||
runtime.ServerCA, runtime.ServerCAKey,
|
||||
runtime.ServingKubeControllerCert, runtime.ServingKubeControllerKey); err != nil {
|
||||
return err
|
||||
}
|
||||
|
||||
return nil
|
||||
}
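Review bot: `addSANs(altNames, []string{"localhost" ,"127.0.0.1", "::1"})` is not gofmt-clean (space before the comma) and should read `addSANs(altNames, []string{"localhost", "127.0.0.1", "::1"})`. The same `*certutil.AltNames` is passed to both createClientCertKey calls, which is only safe if the helper does not append to it; that is not visible here and is worth a glance. A short comment before the block, `// Loopback-only SANs: kube-scheduler and kube-controller-manager bind to cfg.Loopback(false).`, would explain why no node hostname or external address is included. genServerCerts starts outside the hunk.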
|
||||
|
||||
|
|
|
|||
|
|
@ -116,6 +116,8 @@ func controllerManager(ctx context.Context, cfg *config.Control) error {
|
|||
"cluster-cidr": util.JoinIPNets(cfg.ClusterIPRanges),
|
||||
"root-ca-file": runtime.ServerCA,
|
||||
"profiling": "false",
|
||||
"tls-cert-file": runtime.ServingKubeControllerCert,
|
||||
"tls-private-key-file": runtime.ServingKubeControllerKey,
|
||||
"bind-address": cfg.Loopback(false),
|
||||
"secure-port": "10257",
|
||||
"use-service-account-credentials": "true",
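Review bot: `tls-cert-file`/`tls-private-key-file` now point at files produced by genServerCerts, but nothing near the argument map records that dependency or that the cert's SANs cover only localhost/127.0.0.1/::1, which matches `"bind-address": cfg.Loopback(false)` today but would silently break verification if the bind address ever changed. A comment on the `"tls-cert-file"` line, `// ServerCA-signed serving pair from genServerCerts; SANs are loopback-only, keep in sync with bind-address`, captures that; the same applies to the scheduler hunk below, which adds the identical pair of flags. Whether the component reloads these files when the pair is regenerated is not visible here and is worth confirming against the certificate rotation path. controllerManager starts and ends outside the hunk.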
|
||||
|
|
@ -157,6 +159,8 @@ func scheduler(ctx context.Context, cfg *config.Control) error {
|
|||
"authentication-kubeconfig": runtime.KubeConfigScheduler,
|
||||
"bind-address": cfg.Loopback(false),
|
||||
"secure-port": "10259",
|
||||
"tls-cert-file": runtime.ServingKubeSchedulerCert,
|
||||
"tls-private-key-file": runtime.ServingKubeSchedulerKey,
|
||||
"profiling": "false",
|
||||
}
|
||||
if cfg.NoLeaderElect {
|
||||
|
|
|
|||
|
|
@ -71,11 +71,15 @@ func FilesForServices(controlConfig config.Control, services []string) (map[stri
|
|||
fileMap[service] = []string{
|
||||
controlConfig.Runtime.ClientControllerCert,
|
||||
controlConfig.Runtime.ClientControllerKey,
|
||||
controlConfig.Runtime.ServingKubeControllerCert,
|
||||
controlConfig.Runtime.ServingKubeControllerKey,
|
||||
}
|
||||
case Scheduler:
|
||||
fileMap[service] = []string{
|
||||
controlConfig.Runtime.ClientSchedulerCert,
|
||||
controlConfig.Runtime.ClientSchedulerKey,
|
||||
controlConfig.Runtime.ServingKubeSchedulerCert,
|
||||
controlConfig.Runtime.ServingKubeSchedulerKey,
|
||||
}
|
||||
case ETCD:
|
||||
fileMap[service] = []string{
|
||||
|
|
|
|||
|
|
@ -38,29 +38,31 @@ func Test_UnitFilesForServices(t *testing.T) {
|
|||
return nil
|
||||
},
|
||||
want: map[string][]string{
|
||||
"admin": []string{
|
||||
"admin": {
|
||||
filepath.Join(serverDir, "tls", "client-admin.crt"),
|
||||
filepath.Join(serverDir, "tls", "client-admin.key"),
|
||||
},
|
||||
"api-server": []string{
|
||||
"api-server": {
|
||||
filepath.Join(serverDir, "tls", "client-kube-apiserver.crt"),
|
||||
filepath.Join(serverDir, "tls", "client-kube-apiserver.key"),
|
||||
filepath.Join(serverDir, "tls", "serving-kube-apiserver.crt"),
|
||||
filepath.Join(serverDir, "tls", "serving-kube-apiserver.key"),
|
||||
},
|
||||
"auth-proxy": []string{
|
||||
"auth-proxy": {
|
||||
filepath.Join(serverDir, "tls", "client-auth-proxy.crt"),
|
||||
filepath.Join(serverDir, "tls", "client-auth-proxy.key"),
|
||||
},
|
||||
"cloud-controller": []string{
|
||||
"cloud-controller": {
|
||||
filepath.Join(serverDir, "tls", "client-k3s-cloud-controller.crt"),
|
||||
filepath.Join(serverDir, "tls", "client-k3s-cloud-controller.key"),
|
||||
},
|
||||
"controller-manager": []string{
|
||||
"controller-manager": {
|
||||
filepath.Join(serverDir, "tls", "client-controller.crt"),
|
||||
filepath.Join(serverDir, "tls", "client-controller.key"),
|
||||
filepath.Join(serverDir, "tls", "kube-controller-manager", "kube-controller-manager.crt"),
|
||||
filepath.Join(serverDir, "tls", "kube-controller-manager", "kube-controller-manager.key"),
|
||||
},
|
||||
"etcd": []string{
|
||||
"etcd": {
|
||||
filepath.Join(serverDir, "tls", "etcd", "client.crt"),
|
||||
filepath.Join(serverDir, "tls", "etcd", "client.key"),
|
||||
filepath.Join(serverDir, "tls", "etcd", "server-client.crt"),
|
||||
|
|
@ -68,19 +70,19 @@ func Test_UnitFilesForServices(t *testing.T) {
|
|||
filepath.Join(serverDir, "tls", "etcd", "peer-server-client.crt"),
|
||||
filepath.Join(serverDir, "tls", "etcd", "peer-server-client.key"),
|
||||
},
|
||||
"k3s-controller": []string{
|
||||
"k3s-controller": {
|
||||
filepath.Join(serverDir, "tls", "client-k3s-controller.crt"),
|
||||
filepath.Join(serverDir, "tls", "client-k3s-controller.key"),
|
||||
filepath.Join(agentDir, "client-k3s-controller.crt"),
|
||||
filepath.Join(agentDir, "client-k3s-controller.key"),
|
||||
},
|
||||
"kube-proxy": []string{
|
||||
"kube-proxy": {
|
||||
filepath.Join(serverDir, "tls", "client-kube-proxy.crt"),
|
||||
filepath.Join(serverDir, "tls", "client-kube-proxy.key"),
|
||||
filepath.Join(agentDir, "client-kube-proxy.crt"),
|
||||
filepath.Join(agentDir, "client-kube-proxy.key"),
|
||||
},
|
||||
"kubelet": []string{
|
||||
"kubelet": {
|
||||
filepath.Join(serverDir, "tls", "client-kubelet.key"),
|
||||
filepath.Join(serverDir, "tls", "serving-kubelet.key"),
|
||||
filepath.Join(agentDir, "client-kubelet.crt"),
|
||||
|
|
@ -88,11 +90,13 @@ func Test_UnitFilesForServices(t *testing.T) {
|
|||
filepath.Join(agentDir, "serving-kubelet.crt"),
|
||||
filepath.Join(agentDir, "serving-kubelet.key"),
|
||||
},
|
||||
"scheduler": []string{
|
||||
"scheduler": {
|
||||
filepath.Join(serverDir, "tls", "client-scheduler.crt"),
|
||||
filepath.Join(serverDir, "tls", "client-scheduler.key"),
|
||||
filepath.Join(serverDir, "tls", "kube-scheduler", "kube-scheduler.crt"),
|
||||
filepath.Join(serverDir, "tls", "kube-scheduler", "kube-scheduler.key"),
|
||||
},
|
||||
"supervisor": []string{
|
||||
"supervisor": {
|
||||
filepath.Join(serverDir, "tls", "client-supervisor.crt"),
|
||||
filepath.Join(serverDir, "tls", "client-supervisor.key"),
|
||||
},
|
||||
|
|
@ -112,29 +116,31 @@ func Test_UnitFilesForServices(t *testing.T) {
|
|||
return nil
|
||||
},
|
||||
want: map[string][]string{
|
||||
"admin": []string{
|
||||
"admin": {
|
||||
filepath.Join(serverDir, "tls", "client-admin.crt"),
|
||||
filepath.Join(serverDir, "tls", "client-admin.key"),
|
||||
},
|
||||
"api-server": []string{
|
||||
"api-server": {
|
||||
filepath.Join(serverDir, "tls", "client-kube-apiserver.crt"),
|
||||
filepath.Join(serverDir, "tls", "client-kube-apiserver.key"),
|
||||
filepath.Join(serverDir, "tls", "serving-kube-apiserver.crt"),
|
||||
filepath.Join(serverDir, "tls", "serving-kube-apiserver.key"),
|
||||
},
|
||||
"auth-proxy": []string{
|
||||
"auth-proxy": {
|
||||
filepath.Join(serverDir, "tls", "client-auth-proxy.crt"),
|
||||
filepath.Join(serverDir, "tls", "client-auth-proxy.key"),
|
||||
},
|
||||
"cloud-controller": []string{
|
||||
"cloud-controller": {
|
||||
filepath.Join(serverDir, "tls", "client-k3s-cloud-controller.crt"),
|
||||
filepath.Join(serverDir, "tls", "client-k3s-cloud-controller.key"),
|
||||
},
|
||||
"controller-manager": []string{
|
||||
"controller-manager": {
|
||||
filepath.Join(serverDir, "tls", "client-controller.crt"),
|
||||
filepath.Join(serverDir, "tls", "client-controller.key"),
|
||||
filepath.Join(serverDir, "tls", "kube-controller-manager", "kube-controller-manager.crt"),
|
||||
filepath.Join(serverDir, "tls", "kube-controller-manager", "kube-controller-manager.key"),
|
||||
},
|
||||
"etcd": []string{
|
||||
"etcd": {
|
||||
filepath.Join(serverDir, "tls", "etcd", "client.crt"),
|
||||
filepath.Join(serverDir, "tls", "etcd", "client.key"),
|
||||
filepath.Join(serverDir, "tls", "etcd", "server-client.crt"),
|
||||
|
|
@ -142,11 +148,13 @@ func Test_UnitFilesForServices(t *testing.T) {
|
|||
filepath.Join(serverDir, "tls", "etcd", "peer-server-client.crt"),
|
||||
filepath.Join(serverDir, "tls", "etcd", "peer-server-client.key"),
|
||||
},
|
||||
"scheduler": []string{
|
||||
"scheduler": {
|
||||
filepath.Join(serverDir, "tls", "client-scheduler.crt"),
|
||||
filepath.Join(serverDir, "tls", "client-scheduler.key"),
|
||||
filepath.Join(serverDir, "tls", "kube-scheduler", "kube-scheduler.crt"),
|
||||
filepath.Join(serverDir, "tls", "kube-scheduler", "kube-scheduler.key"),
|
||||
},
|
||||
"supervisor": []string{
|
||||
"supervisor": {
|
||||
filepath.Join(serverDir, "tls", "client-supervisor.crt"),
|
||||
filepath.Join(serverDir, "tls", "client-supervisor.key"),
|
||||
},
|
||||
|
|
@ -166,19 +174,19 @@ func Test_UnitFilesForServices(t *testing.T) {
|
|||
return nil
|
||||
},
|
||||
want: map[string][]string{
|
||||
"k3s-controller": []string{
|
||||
"k3s-controller": {
|
||||
filepath.Join(serverDir, "tls", "client-k3s-controller.crt"),
|
||||
filepath.Join(serverDir, "tls", "client-k3s-controller.key"),
|
||||
filepath.Join(agentDir, "client-k3s-controller.crt"),
|
||||
filepath.Join(agentDir, "client-k3s-controller.key"),
|
||||
},
|
||||
"kube-proxy": []string{
|
||||
"kube-proxy": {
|
||||
filepath.Join(serverDir, "tls", "client-kube-proxy.crt"),
|
||||
filepath.Join(serverDir, "tls", "client-kube-proxy.key"),
|
||||
filepath.Join(agentDir, "client-kube-proxy.crt"),
|
||||
filepath.Join(agentDir, "client-kube-proxy.key"),
|
||||
},
|
||||
"kubelet": []string{
|
||||
"kubelet": {
|
||||
filepath.Join(serverDir, "tls", "client-kubelet.key"),
|
||||
filepath.Join(serverDir, "tls", "serving-kubelet.key"),
|
||||
filepath.Join(agentDir, "client-kubelet.crt"),
|
||||
|
|
@ -202,7 +210,7 @@ func Test_UnitFilesForServices(t *testing.T) {
|
|||
return nil
|
||||
},
|
||||
want: map[string][]string{
|
||||
"certificate-authority": []string{
|
||||
"certificate-authority": {
|
||||
filepath.Join(serverDir, "tls", "server-ca.crt"),
|
||||
filepath.Join(serverDir, "tls", "server-ca.key"),
|
||||
filepath.Join(serverDir, "tls", "client-ca.crt"),
|
||||
|
|
|
|||