Merge pull request #4026 from chaosi-zju/localup
remove insecureSkipTLSVerify in local-up-karmada script
commit
b498f0f4c3
|
@ -6,7 +6,7 @@ metadata:
|
||||||
app: karmada-aggregated-apiserver
|
app: karmada-aggregated-apiserver
|
||||||
apiserver: "true"
|
apiserver: "true"
|
||||||
spec:
|
spec:
|
||||||
insecureSkipTLSVerify: true
|
caBundle: {{caBundle}}
|
||||||
group: cluster.karmada.io
|
group: cluster.karmada.io
|
||||||
groupPriorityMinimum: 2000
|
groupPriorityMinimum: 2000
|
||||||
service:
|
service:
|
||||||
|
|
|
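Review bot: `caBundle: {{caBundle}}` turns this manifest into a template, but nothing in the file says so; unrendered, the value is not a base64 CA bundle and the file can no longer be applied as-is. I would add a header comment such as `# caBundle is a placeholder filled in by the hack/ scripts from the root CA; render before kubectl apply`. The same applies to the karmada-metrics-adapter hunks (three APIServices) and the karmada-search hunk further down. Any other installer that applies these files directly (none is visible on this page) would need the same rendering step, which is worth checking before merge.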
@ -6,7 +6,7 @@ metadata:
|
||||||
app: karmada-metrics-adapter
|
app: karmada-metrics-adapter
|
||||||
apiserver: "true"
|
apiserver: "true"
|
||||||
spec:
|
spec:
|
||||||
insecureSkipTLSVerify: true
|
caBundle: {{caBundle}}
|
||||||
group: metrics.k8s.io
|
group: metrics.k8s.io
|
||||||
groupPriorityMinimum: 2000
|
groupPriorityMinimum: 2000
|
||||||
service:
|
service:
|
||||||
|
@ -25,7 +25,7 @@ spec:
|
||||||
namespace: karmada-system
|
namespace: karmada-system
|
||||||
group: custom.metrics.k8s.io
|
group: custom.metrics.k8s.io
|
||||||
version: v1beta2
|
version: v1beta2
|
||||||
insecureSkipTLSVerify: true
|
caBundle: {{caBundle}}
|
||||||
groupPriorityMinimum: 100
|
groupPriorityMinimum: 100
|
||||||
versionPriority: 200
|
versionPriority: 200
|
||||||
---
|
---
|
||||||
|
@ -39,7 +39,7 @@ spec:
|
||||||
namespace: karmada-system
|
namespace: karmada-system
|
||||||
group: custom.metrics.k8s.io
|
group: custom.metrics.k8s.io
|
||||||
version: v1beta1
|
version: v1beta1
|
||||||
insecureSkipTLSVerify: true
|
caBundle: {{caBundle}}
|
||||||
groupPriorityMinimum: 100
|
groupPriorityMinimum: 100
|
||||||
versionPriority: 200
|
versionPriority: 200
|
||||||
---
|
---
|
||||||
|
|
|
@ -37,6 +37,8 @@ spec:
|
||||||
- --authentication-kubeconfig=/etc/kubeconfig
|
- --authentication-kubeconfig=/etc/kubeconfig
|
||||||
- --authorization-kubeconfig=/etc/kubeconfig
|
- --authorization-kubeconfig=/etc/kubeconfig
|
||||||
- --client-ca-file=/etc/karmada/pki/ca.crt
|
- --client-ca-file=/etc/karmada/pki/ca.crt
|
||||||
|
- --tls-cert-file=/etc/karmada/pki/karmada.crt
|
||||||
|
- --tls-private-key-file=/etc/karmada/pki/karmada.key
|
||||||
- --audit-log-path=-
|
- --audit-log-path=-
|
||||||
- --audit-log-maxage=0
|
- --audit-log-maxage=0
|
||||||
- --audit-log-maxbackup=0
|
- --audit-log-maxbackup=0
|
||||||
|
|
|
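Review bot: With the APIServices now verified against `caBundle`, the certificate given in `--tls-cert-file=/etc/karmada/pki/karmada.crt` must chain to that CA and carry a SAN for the service name the APIService targets, and the hunk shows neither. The container spec continues outside the hunk, so I assume the `/etc/karmada/pki` mount already used by `--client-ca-file` supplies the key pair; please confirm. A short comment above the two flags would help the next reader, e.g. `# serving cert must be signed by the CA rendered into the APIService caBundle`.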
@ -6,7 +6,7 @@ metadata:
|
||||||
app: karmada-search
|
app: karmada-search
|
||||||
apiserver: "true"
|
apiserver: "true"
|
||||||
spec:
|
spec:
|
||||||
insecureSkipTLSVerify: true
|
caBundle: {{caBundle}}
|
||||||
group: search.karmada.io
|
group: search.karmada.io
|
||||||
groupPriorityMinimum: 2000
|
groupPriorityMinimum: 2000
|
||||||
service:
|
service:
|
||||||
|
|
|
@ -250,21 +250,31 @@ util::fill_cabundle "${ROOT_CA_FILE}" "${TEMP_PATH_CRDS}/_crds/patches/webhook_i
|
||||||
util::fill_cabundle "${ROOT_CA_FILE}" "${TEMP_PATH_CRDS}/_crds/patches/webhook_in_clusterresourcebindings.yaml"
|
util::fill_cabundle "${ROOT_CA_FILE}" "${TEMP_PATH_CRDS}/_crds/patches/webhook_in_clusterresourcebindings.yaml"
|
||||||
installCRDs "karmada-apiserver" "${TEMP_PATH_CRDS}"
|
installCRDs "karmada-apiserver" "${TEMP_PATH_CRDS}"
|
||||||
|
|
||||||
|
# render the caBundle in these apiservice with root ca, then karmada-apiserver can use caBundle to verify corresponding AA's server-cert
|
||||||
|
TEMP_PATH_APISERVICE=$(mktemp -d)
|
||||||
|
trap '{ rm -rf ${TEMP_PATH_APISERVICE}; }' EXIT
|
||||||
|
cp -rf "${REPO_ROOT}"/artifacts/deploy/karmada-aggregated-apiserver-apiservice.yaml "${TEMP_PATH_APISERVICE}"/karmada-aggregated-apiserver-apiservice.yaml
|
||||||
|
cp -rf "${REPO_ROOT}"/artifacts/deploy/karmada-metrics-adapter-apiservice.yaml "${TEMP_PATH_APISERVICE}"/karmada-metrics-adapter-apiservice.yaml
|
||||||
|
cp -rf "${REPO_ROOT}"/artifacts/deploy/karmada-search-apiservice.yaml "${TEMP_PATH_APISERVICE}"/karmada-search-apiservice.yaml
|
||||||
|
util::fill_cabundle "${ROOT_CA_FILE}" "${TEMP_PATH_APISERVICE}"/karmada-aggregated-apiserver-apiservice.yaml
|
||||||
|
util::fill_cabundle "${ROOT_CA_FILE}" "${TEMP_PATH_APISERVICE}"/karmada-metrics-adapter-apiservice.yaml
|
||||||
|
util::fill_cabundle "${ROOT_CA_FILE}" "${TEMP_PATH_APISERVICE}"/karmada-search-apiservice.yaml
|
||||||
|
|
||||||
# deploy webhook configurations on karmada apiserver
|
# deploy webhook configurations on karmada apiserver
|
||||||
util::deploy_webhook_configuration "karmada-apiserver" "${ROOT_CA_FILE}" "${REPO_ROOT}/artifacts/deploy/webhook-configuration.yaml"
|
util::deploy_webhook_configuration "karmada-apiserver" "${ROOT_CA_FILE}" "${REPO_ROOT}/artifacts/deploy/webhook-configuration.yaml"
|
||||||
|
|
||||||
# deploy APIService on karmada apiserver for karmada-aggregated-apiserver
|
# deploy APIService on karmada apiserver for karmada-aggregated-apiserver
|
||||||
kubectl --context="karmada-apiserver" apply -f "${REPO_ROOT}/artifacts/deploy/karmada-aggregated-apiserver-apiservice.yaml"
|
kubectl --context="karmada-apiserver" apply -f "${TEMP_PATH_APISERVICE}"/karmada-aggregated-apiserver-apiservice.yaml
|
||||||
# make sure apiservice for v1alpha1.cluster.karmada.io is Available
|
# make sure apiservice for v1alpha1.cluster.karmada.io is Available
|
||||||
util::wait_apiservice_ready "karmada-apiserver" "${KARMADA_AGGREGATION_APISERVER_LABEL}"
|
util::wait_apiservice_ready "karmada-apiserver" "${KARMADA_AGGREGATION_APISERVER_LABEL}"
|
||||||
|
|
||||||
# deploy APIService on karmada apiserver for karmada-search
|
# deploy APIService on karmada apiserver for karmada-search
|
||||||
kubectl --context="karmada-apiserver" apply -f "${REPO_ROOT}/artifacts/deploy/karmada-search-apiservice.yaml"
|
kubectl --context="karmada-apiserver" apply -f "${TEMP_PATH_APISERVICE}"/karmada-search-apiservice.yaml
|
||||||
# make sure apiservice for v1alpha1.search.karmada.io is Available
|
# make sure apiservice for v1alpha1.search.karmada.io is Available
|
||||||
util::wait_apiservice_ready "karmada-apiserver" "${KARMADA_SEARCH_LABEL}"
|
util::wait_apiservice_ready "karmada-apiserver" "${KARMADA_SEARCH_LABEL}"
|
||||||
|
|
||||||
# deploy APIService on karmada apiserver for karmada-metrics-adapter
|
# deploy APIService on karmada apiserver for karmada-metrics-adapter
|
||||||
kubectl --context="karmada-apiserver" apply -f "${REPO_ROOT}/artifacts/deploy/karmada-metrics-adapter-apiservice.yaml"
|
kubectl --context="karmada-apiserver" apply -f "${TEMP_PATH_APISERVICE}"/karmada-metrics-adapter-apiservice.yaml
|
||||||
# make sure apiservice for karmada metrics adapter is Available
|
# make sure apiservice for karmada metrics adapter is Available
|
||||||
util::wait_apiservice_ready "karmada-apiserver" "${KARMADA_METRICS_ADAPTER_LABEL}"
|
util::wait_apiservice_ready "karmada-apiserver" "${KARMADA_METRICS_ADAPTER_LABEL}"
|
||||||
|
|
||||||
|
|
|
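Review bot: `trap '{ rm -rf ${TEMP_PATH_APISERVICE}; }' EXIT` replaces any EXIT trap set earlier in the script rather than adding to it. The context lines use `TEMP_PATH_CRDS`, so if that directory is cleaned up by its own EXIT trap (not visible in this hunk) it will now be left behind. A single trap covering both, `trap '{ rm -rf "${TEMP_PATH_CRDS}" "${TEMP_PATH_APISERVICE}"; }' EXIT`, avoids that and also quotes the paths. The same unquoted trap form appears in the hack/deploy-metrics-adapter.sh hunk below.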
@ -7,7 +7,7 @@ REPO_ROOT=$(dirname "${BASH_SOURCE[0]}")/..
|
||||||
source "${REPO_ROOT}"/hack/util.sh
|
source "${REPO_ROOT}"/hack/util.sh
|
||||||
function usage() {
|
function usage() {
|
||||||
echo "This script will deploy karmada-metrics-adapter on host cluster"
|
echo "This script will deploy karmada-metrics-adapter on host cluster"
|
||||||
echo "Usage: hack/deploy-metrics-adapter.sh <HOST_CLUSTER_KUBECONFIG> <HOST_CONTEXT_NAME> <KARMADA_APISERVER_KUBECONFIG> <KARMADA_APISERVER_CONTEXT_NAME>"
|
echo "Usage: hack/deploy-metrics-adapter.sh <HOST_CLUSTER_KUBECONFIG> <HOST_CONTEXT_NAME> <KARMADA_APISERVER_KUBECONFIG> <KARMADA_APISERVER_CONTEXT_NAME>"
|
||||||
echo "Example: hack/deploy-metrics-adapter.sh ~/.kube/karmada.config karmada-host ~/.kube/karmada.config karmada-apiserver"
|
echo "Example: hack/deploy-metrics-adapter.sh ~/.kube/karmada.config karmada-host ~/.kube/karmada.config karmada-apiserver"
|
||||||
}
|
}
|
||||||
|
|
||||||
|
@ -66,8 +66,17 @@ util::wait_pod_ready "${HOST_CONTEXT_NAME}" "${KARMADA_METRICS_ADAPTER_LABEL}" "
|
||||||
|
|
||||||
export KUBECONFIG=$KARMADA_APISERVER_KUBECONFIG
|
export KUBECONFIG=$KARMADA_APISERVER_KUBECONFIG
|
||||||
|
|
||||||
|
# get karmada CA from configmap cluster-info, which generated in karmada-apiserver context when installing karmada.
|
||||||
|
karmada_ca=$(kubectl --context="${KARMADA_APISERVER_CONTEXT_NAME}" get cm cluster-info -n kube-public -o jsonpath='{.data.kubeconfig}' | grep 'certificate-authority-data' | awk -F ': ' '{print $2}')
|
||||||
|
|
||||||
|
# render the caBundle in apiservice with root ca, then karmada-apiserver can use caBundle to verify karmada-metrics-adapter's server-cert
|
||||||
|
TEMP_PATH_APISERVICE=$(mktemp -d)
|
||||||
|
trap '{ rm -rf ${TEMP_PATH_APISERVICE}; }' EXIT
|
||||||
|
cp -rf "${REPO_ROOT}"/artifacts/deploy/karmada-metrics-adapter-apiservice.yaml "${TEMP_PATH_APISERVICE}"/karmada-metrics-adapter-apiservice.yaml
|
||||||
|
sed -i'' -e "s/{{caBundle}}/${karmada_ca}/g" "${TEMP_PATH_APISERVICE}"/karmada-metrics-adapter-apiservice.yaml
|
||||||
|
|
||||||
# deploy karmada-metrics-adapter-apiservice
|
# deploy karmada-metrics-adapter-apiservice
|
||||||
kubectl --context="${KARMADA_APISERVER_CONTEXT_NAME}" apply -f "${REPO_ROOT}/artifacts/deploy/karmada-metrics-adapter-apiservice.yaml"
|
kubectl --context="${KARMADA_APISERVER_CONTEXT_NAME}" apply -f "${TEMP_PATH_APISERVICE}"/karmada-metrics-adapter-apiservice.yaml
|
||||||
|
|
||||||
# make sure that karmada-metrics-adapter-apiservice is ready
|
# make sure that karmada-metrics-adapter-apiservice is ready
|
||||||
util::wait_apiservice_ready "${KARMADA_APISERVER_CONTEXT_NAME}" "${KARMADA_METRICS_ADAPTER_LABEL}"
|
util::wait_apiservice_ready "${KARMADA_APISERVER_CONTEXT_NAME}" "${KARMADA_METRICS_ADAPTER_LABEL}"
|
||||||
|
|
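Review bot: `karmada_ca` is used without checking that the kubectl | grep | awk pipeline returned anything; if the cluster-info lookup fails or the key is absent, sed renders an empty caBundle and the error only surfaces later in `util::wait_apiservice_ready`. I would fail early right after the assignment: `[[ -n "${karmada_ca}" ]] || { echo "cannot read karmada CA from cluster-info" >&2; exit 1; }`. The value is also spliced into a sed expression delimited by `/`; that holds for the base64 of a PEM file, but a delimiter outside the base64 alphabet, e.g. `s|{{caBundle}}|${karmada_ca}|g`, is more robust. Whether `set -o pipefail` is active is not visible in this hunk.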