Issue kops cert in nodeup
This commit is contained in:
parent
87010c9c9b
commit
0f77055f63
|
|
@ -29,6 +29,7 @@ import (
|
|||
"k8s.io/kops/pkg/assets"
|
||||
"k8s.io/kops/pkg/dns"
|
||||
"k8s.io/kops/pkg/flagbuilder"
|
||||
"k8s.io/kops/pkg/rbac"
|
||||
"k8s.io/kops/pkg/systemd"
|
||||
"k8s.io/kops/upup/pkg/fi"
|
||||
"k8s.io/kops/upup/pkg/fi/nodeup/nodetasks"
|
||||
|
|
@ -65,14 +66,15 @@ func (t *ProtokubeBuilder) Build(c *fi.ModelBuilderContext) error {
|
|||
}
|
||||
|
||||
if t.IsMaster {
|
||||
kubeconfig, err := t.BuildPKIKubeconfig("kops")
|
||||
if err != nil {
|
||||
return err
|
||||
name := nodetasks.PKIXName{
|
||||
CommonName: "kops",
|
||||
Organization: []string{rbac.SystemPrivilegedGroup},
|
||||
}
|
||||
kubeconfig := t.BuildIssuedKubeconfig("kops", name, c)
|
||||
|
||||
c.AddTask(&nodetasks.File{
|
||||
Path: "/var/lib/kops/kubeconfig",
|
||||
Contents: fi.NewStringResource(kubeconfig),
|
||||
Contents: kubeconfig,
|
||||
Type: nodetasks.FileType_File,
|
||||
Mode: s("0400"),
|
||||
})
|
||||
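Review bot: The `name` literal at the top of the hunk issues protokube a client certificate in `rbac.SystemPrivilegedGroup` (system:masters, as the containerd golden file in this commit shows) with no comment saying why that level of privilege is needed, and the `// Used by e.g. protokube` remark that explained it was dropped from pki.go in the same commit. Add `// protokube needs cluster-admin; the issued kubeconfig is written below with mode 0400` above the `name :=` line so the next reader does not widen or reuse this identity casually. The old `if err != nil { return err }` is gone because `BuildIssuedKubeconfig` apparently returns only the resource; if the helper cannot fail at build time that is fine, but it appears to register the keypair tasks through `c`, so a failure will surface only when the tasks run rather than here. Build starts and ends outside this hunk.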
|
|
|
|||
|
|
@ -17,65 +17,33 @@ limitations under the License.
|
|||
package model
|
||||
|
||||
import (
|
||||
"path"
|
||||
"path/filepath"
|
||||
"testing"
|
||||
|
||||
"k8s.io/kops/pkg/apis/kops"
|
||||
"k8s.io/kops/pkg/apis/nodeup"
|
||||
"k8s.io/kops/pkg/testutils"
|
||||
"k8s.io/kops/upup/pkg/fi"
|
||||
)
|
||||
|
||||
func TestProtokubeBuilder_Docker(t *testing.T) {
|
||||
runProtokubeBuilderTest(t, "docker")
|
||||
RunGoldenTest(t, "tests/protokube/docker", "protokube", func(nodeupModelContext *NodeupModelContext, target *fi.ModelBuilderContext) error {
|
||||
builder := ProtokubeBuilder{NodeupModelContext: nodeupModelContext}
|
||||
populateImage(nodeupModelContext)
|
||||
return builder.Build(target)
|
||||
})
|
||||
}
|
||||
|
||||
func TestProtokubeBuilder_containerd(t *testing.T) {
|
||||
runProtokubeBuilderTest(t, "containerd")
|
||||
RunGoldenTest(t, "tests/protokube/containerd", "protokube", func(nodeupModelContext *NodeupModelContext, target *fi.ModelBuilderContext) error {
|
||||
builder := ProtokubeBuilder{NodeupModelContext: nodeupModelContext}
|
||||
populateImage(nodeupModelContext)
|
||||
return builder.Build(target)
|
||||
})
|
||||
}
|
||||
|
||||
func runProtokubeBuilderTest(t *testing.T, key string) {
|
||||
basedir := path.Join("tests/protokube/", key)
|
||||
|
||||
context := &fi.ModelBuilderContext{
|
||||
Tasks: make(map[string]fi.Task),
|
||||
func populateImage(ctx *NodeupModelContext) {
|
||||
if ctx.NodeupConfig == nil {
|
||||
ctx.NodeupConfig = &nodeup.Config{}
|
||||
}
|
||||
nodeUpModelContext, err := BuildNodeupModelContext(basedir)
|
||||
if err != nil {
|
||||
t.Fatalf("error loading model %q: %v", basedir, err)
|
||||
return
|
||||
ctx.NodeupConfig.ProtokubeImage = &nodeup.Image{
|
||||
Name: "protokube image name",
|
||||
}
|
||||
|
||||
cluster := nodeUpModelContext.Cluster
|
||||
if cluster.Spec.MasterKubelet == nil {
|
||||
cluster.Spec.MasterKubelet = &kops.KubeletConfigSpec{}
|
||||
}
|
||||
if cluster.Spec.MasterKubelet == nil {
|
||||
cluster.Spec.MasterKubelet = &kops.KubeletConfigSpec{}
|
||||
}
|
||||
cluster.Spec.Kubelet.HostnameOverride = "example-hostname"
|
||||
|
||||
nodeUpModelContext.IsMaster = true
|
||||
|
||||
nodeUpModelContext.NodeupConfig = &nodeup.Config{}
|
||||
|
||||
// These trigger use of etcd-manager
|
||||
nodeUpModelContext.NodeupConfig.EtcdManifests = []string{
|
||||
"memfs://clusters.example.com/minimal.example.com/manifests/etcd/main.yaml",
|
||||
"memfs://clusters.example.com/minimal.example.com/manifests/etcd/events.yaml",
|
||||
}
|
||||
|
||||
nodeUpModelContext.NodeupConfig.ProtokubeImage = &nodeup.Image{}
|
||||
nodeUpModelContext.NodeupConfig.ProtokubeImage.Name = "protokube:test"
|
||||
|
||||
builder := &ProtokubeBuilder{NodeupModelContext: nodeUpModelContext}
|
||||
|
||||
if task, err := builder.buildSystemdService(); err != nil {
|
||||
t.Fatalf("error from buildSystemdService: %v", err)
|
||||
} else {
|
||||
context.AddTask(task)
|
||||
}
|
||||
|
||||
testutils.ValidateTasks(t, filepath.Join(basedir, "tasks.yaml"), context)
|
||||
}
|
||||
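Review bot: `populateImage` fills `ProtokubeImage.Name` with `"protokube image name"`, a string containing spaces, and that value is spliced verbatim into the golden `ExecStart` lines (`docker.io/library/protokube image name protokube …`), so the fixtures now assert a command line that systemd would split into an image reference plus two stray arguments. The removed test used `protokube:test`; restoring a valid reference such as `Name: "protokube:test"` keeps the golden output meaningful as a regression check on the ExecStart rendering. The two `Test*` functions repeat the closure body line for line; a small shared helper taking the golden directory would keep it in one place, though that is a style preference. Both `Test*` functions and `populateImage` are complete within the hunk.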
|
|
|
|||
|
|
@ -9,6 +9,8 @@ spec:
|
|||
channel: stable
|
||||
cloudProvider: aws
|
||||
configBase: memfs://clusters.example.com/minimal.example.com
|
||||
containerd:
|
||||
version: 1.3.4
|
||||
containerRuntime: containerd
|
||||
etcdClusters:
|
||||
- etcdMembers:
|
||||
|
|
@ -21,7 +23,8 @@ spec:
|
|||
name: master-us-test-1a
|
||||
name: events
|
||||
provider: Manager
|
||||
kubelet: {}
|
||||
kubelet:
|
||||
hostnameOverride: master.hostname.invalid
|
||||
kubernetesVersion: v1.17.0
|
||||
masterInternalName: api.internal.minimal.example.com
|
||||
masterPublicName: api.minimal.example.com
|
||||
|
|
@ -46,7 +49,7 @@ apiVersion: kops.k8s.io/v1alpha2
|
|||
kind: InstanceGroup
|
||||
metadata:
|
||||
creationTimestamp: "2016-12-10T22:42:28Z"
|
||||
name: nodes
|
||||
name: master-1a
|
||||
labels:
|
||||
kops.k8s.io/cluster: minimal.example.com
|
||||
spec:
|
||||
|
|
@ -55,6 +58,6 @@ spec:
|
|||
machineType: t2.medium
|
||||
maxSize: 2
|
||||
minSize: 2
|
||||
role: Node
|
||||
role: Master
|
||||
subnets:
|
||||
- us-test-1a
|
||||
|
|
|
|||
|
|
@ -0,0 +1,99 @@
|
|||
contents:
|
||||
task:
|
||||
CA:
|
||||
task:
|
||||
Name: kops
|
||||
signer: ca
|
||||
subject:
|
||||
CommonName: kops
|
||||
Organization:
|
||||
- system:masters
|
||||
type: client
|
||||
Cert:
|
||||
task:
|
||||
Name: kops
|
||||
signer: ca
|
||||
subject:
|
||||
CommonName: kops
|
||||
Organization:
|
||||
- system:masters
|
||||
type: client
|
||||
Key:
|
||||
task:
|
||||
Name: kops
|
||||
signer: ca
|
||||
subject:
|
||||
CommonName: kops
|
||||
Organization:
|
||||
- system:masters
|
||||
type: client
|
||||
Name: kops
|
||||
ServerURL: https://127.0.0.1
|
||||
mode: "0400"
|
||||
path: /var/lib/kops/kubeconfig
|
||||
type: file
|
||||
---
|
||||
Name: kops
|
||||
signer: ca
|
||||
subject:
|
||||
CommonName: kops
|
||||
Organization:
|
||||
- system:masters
|
||||
type: client
|
||||
---
|
||||
CA:
|
||||
task:
|
||||
Name: kops
|
||||
signer: ca
|
||||
subject:
|
||||
CommonName: kops
|
||||
Organization:
|
||||
- system:masters
|
||||
type: client
|
||||
Cert:
|
||||
task:
|
||||
Name: kops
|
||||
signer: ca
|
||||
subject:
|
||||
CommonName: kops
|
||||
Organization:
|
||||
- system:masters
|
||||
type: client
|
||||
Key:
|
||||
task:
|
||||
Name: kops
|
||||
signer: ca
|
||||
subject:
|
||||
CommonName: kops
|
||||
Organization:
|
||||
- system:masters
|
||||
type: client
|
||||
Name: kops
|
||||
ServerURL: https://127.0.0.1
|
||||
---
|
||||
Hash: ""
|
||||
Name: protokube
|
||||
Runtime: containerd
|
||||
Sources: null
|
||||
---
|
||||
Name: protokube.service
|
||||
definition: |
|
||||
[Unit]
|
||||
Description=Kubernetes Protokube Service
|
||||
Documentation=https://github.com/kubernetes/kops
|
||||
|
||||
[Service]
|
||||
ExecStartPre=/bin/true
|
||||
ExecStartPre=-/usr/bin/ctr --namespace k8s.io container rm protokube
|
||||
ExecStartPre=/bin/true
|
||||
ExecStart=/usr/bin/ctr --namespace k8s.io run --net-host --with-ns pid:/proc/1/ns/pid --privileged --mount type=bind,src=/,dst=/rootfs,options=rbind:rslave --mount type=bind,src=/var/run/dbus,dst=/var/run/dbus,options=rbind:rprivate --mount type=bind,src=/run/systemd,dst=/run/systemd,options=rbind:rprivate --env KUBECONFIG=/rootfs/var/lib/kops/kubeconfig --mount type=bind,src=/usr/local/bin,dst=/opt/kops/bin,options=rbind:ro:rprivate --env PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/opt/kops/bin docker.io/library/protokube image name protokube /usr/bin/protokube --bootstrap-master-node-labels=true --cloud=aws --containerized=true --dns-internal-suffix=.internal.minimal.example.com --dns=aws-route53 --etcd-backup-store=memfs://clusters.example.com/minimal.example.com/backups/etcd/main --etcd-image=k8s.gcr.io/etcd:3.4.3 --initialize-rbac=true --manage-etcd=true --master=true --node-name=master.hostname.invalid --peer-ca=/srv/kubernetes/ca.crt --peer-cert=/srv/kubernetes/etcd-peer.pem --peer-key=/srv/kubernetes/etcd-peer-key.pem --tls-auth=true --tls-ca=/srv/kubernetes/ca.crt --tls-cert=/srv/kubernetes/etcd.pem --tls-key=/srv/kubernetes/etcd-key.pem --v=4 --zone=*/Z1AFAKE1ZON3YO
|
||||
Restart=always
|
||||
RestartSec=2s
|
||||
StartLimitInterval=0
|
||||
|
||||
[Install]
|
||||
WantedBy=multi-user.target
|
||||
enabled: true
|
||||
manageState: true
|
||||
running: true
|
||||
smartRestart: true
|
||||
|
|
@ -1,21 +0,0 @@
|
|||
Name: protokube.service
|
||||
definition: |
|
||||
[Unit]
|
||||
Description=Kubernetes Protokube Service
|
||||
Documentation=https://github.com/kubernetes/kops
|
||||
|
||||
[Service]
|
||||
ExecStartPre=/bin/true
|
||||
ExecStartPre=-/usr/bin/ctr --namespace k8s.io container rm protokube
|
||||
ExecStartPre=/bin/true
|
||||
ExecStart=/usr/bin/ctr --namespace k8s.io run --net-host --with-ns pid:/proc/1/ns/pid --privileged --mount type=bind,src=/,dst=/rootfs,options=rbind:rslave --mount type=bind,src=/var/run/dbus,dst=/var/run/dbus,options=rbind:rprivate --mount type=bind,src=/run/systemd,dst=/run/systemd,options=rbind:rprivate --env KUBECONFIG=/rootfs/var/lib/kops/kubeconfig --mount type=bind,src=/usr/local/bin,dst=/opt/kops/bin,options=rbind:ro:rprivate --env PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/opt/kops/bin docker.io/library/protokube:test protokube /usr/bin/protokube --bootstrap-master-node-labels=true --cloud=aws --containerized=true --dns-internal-suffix=.internal.minimal.example.com --dns=aws-route53 --initialize-rbac=true --manage-etcd=false --master=true --node-name=example-hostname --remove-dns-names=etcd-master-us-test-1a.internal.minimal.example.com,etcd-events-master-us-test-1a.internal.minimal.example.com --v=4
|
||||
Restart=always
|
||||
RestartSec=2s
|
||||
StartLimitInterval=0
|
||||
|
||||
[Install]
|
||||
WantedBy=multi-user.target
|
||||
enabled: true
|
||||
manageState: true
|
||||
running: true
|
||||
smartRestart: true
|
||||
|
|
@ -21,9 +21,10 @@ spec:
|
|||
name: master-us-test-1a
|
||||
name: events
|
||||
provider: Manager
|
||||
kubelet: {}
|
||||
kubelet:
|
||||
hostnameOverride: master.override.invalid
|
||||
kubernetesVersion: v1.17.0
|
||||
masterInternalName: api.internal.minimal.example.com
|
||||
masterInternalName: api.internal.minimal.k8s.local
|
||||
masterPublicName: api.minimal.example.com
|
||||
networkCIDR: 172.20.0.0/16
|
||||
networking:
|
||||
|
|
|
|||
|
|
@ -0,0 +1,26 @@
|
|||
Hash: ""
|
||||
Name: protokube
|
||||
Runtime: docker
|
||||
Sources: null
|
||||
---
|
||||
Name: protokube.service
|
||||
definition: |
|
||||
[Unit]
|
||||
Description=Kubernetes Protokube Service
|
||||
Documentation=https://github.com/kubernetes/kops
|
||||
|
||||
[Service]
|
||||
ExecStartPre=-/usr/bin/docker stop protokube
|
||||
ExecStartPre=-/usr/bin/docker rm protokube
|
||||
ExecStartPre=/bin/true
|
||||
ExecStart=/usr/bin/docker run --net=host --pid=host --privileged --volume /:/rootfs/ --volume /var/run/dbus:/var/run/dbus --volume /run/systemd:/run/systemd --env KUBECONFIG=/rootfs/var/lib/kops/kubeconfig --name protokube protokube image name /usr/bin/protokube --bootstrap-master-node-labels=true --cloud=aws --containerized=true --dns-internal-suffix=internal.minimal.k8s.local --dns=gossip --etcd-backup-store=memfs://clusters.example.com/minimal.example.com/backups/etcd/main --etcd-image=k8s.gcr.io/etcd:3.4.3 --initialize-rbac=true --manage-etcd=true --master=false --node-name=master.override.invalid --peer-ca=/srv/kubernetes/ca.crt --peer-cert=/srv/kubernetes/etcd-peer.pem --peer-key=/srv/kubernetes/etcd-peer-key.pem --tls-auth=true --tls-ca=/srv/kubernetes/ca.crt --tls-cert=/srv/kubernetes/etcd.pem --tls-key=/srv/kubernetes/etcd-key.pem --v=4 --zone=*/Z1AFAKE1ZON3YO
|
||||
Restart=always
|
||||
RestartSec=2s
|
||||
StartLimitInterval=0
|
||||
|
||||
[Install]
|
||||
WantedBy=multi-user.target
|
||||
enabled: true
|
||||
manageState: true
|
||||
running: true
|
||||
smartRestart: true
|
||||
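Review bot: This golden file exercises only the non-master path — `--master=false` in `ExecStart` and no keypair or `/var/lib/kops/kubeconfig` tasks — so the kubeconfig issuance this commit adds is asserted only by the containerd fixture. If the docker fixture is also meant to cover the master branch, its instance group should get `role: Master` the way the containerd cluster.yaml does; otherwise a one-line comment in the test naming this asymmetry would save the next reader a search. Note also that `--master=false` is combined with `--manage-etcd=true` here, which looks like a fixture artefact rather than a supported configuration — worth confirming against the docker cluster.yaml lines outside this page.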
|
|
@ -1,21 +0,0 @@
|
|||
Name: protokube.service
|
||||
definition: |
|
||||
[Unit]
|
||||
Description=Kubernetes Protokube Service
|
||||
Documentation=https://github.com/kubernetes/kops
|
||||
|
||||
[Service]
|
||||
ExecStartPre=-/usr/bin/docker stop protokube
|
||||
ExecStartPre=-/usr/bin/docker rm protokube
|
||||
ExecStartPre=/bin/true
|
||||
ExecStart=/usr/bin/docker run --net=host --pid=host --privileged --volume /:/rootfs/ --volume /var/run/dbus:/var/run/dbus --volume /run/systemd:/run/systemd --env KUBECONFIG=/rootfs/var/lib/kops/kubeconfig --volume /usr/local/bin:/opt/kops/bin:ro --env PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/opt/kops/bin --name protokube protokube:test /usr/bin/protokube --bootstrap-master-node-labels=true --cloud=aws --containerized=true --dns-internal-suffix=.internal.minimal.example.com --dns=aws-route53 --initialize-rbac=true --manage-etcd=false --master=true --node-name=example-hostname --remove-dns-names=etcd-master-us-test-1a.internal.minimal.example.com,etcd-events-master-us-test-1a.internal.minimal.example.com --v=4
|
||||
Restart=always
|
||||
RestartSec=2s
|
||||
StartLimitInterval=0
|
||||
|
||||
[Install]
|
||||
WantedBy=multi-user.target
|
||||
enabled: true
|
||||
manageState: true
|
||||
running: true
|
||||
smartRestart: true
|
||||
|
|
@ -204,18 +204,6 @@ func (b *PKIModelBuilder) Build(c *fi.ModelBuilderContext) error {
|
|||
c.AddTask(aggregator)
|
||||
}
|
||||
|
||||
{
|
||||
// Used by e.g. protokube
|
||||
t := &fitasks.Keypair{
|
||||
Name: fi.String("kops"),
|
||||
Lifecycle: b.Lifecycle,
|
||||
Subject: "o=" + rbac.SystemPrivilegedGroup + ",cn=kops",
|
||||
Type: "client",
|
||||
Signer: defaultCA,
|
||||
}
|
||||
c.AddTask(t)
|
||||
}
|
||||
|
||||
{
|
||||
// A few names used from inside the cluster, which all resolve the same based on our default suffixes
|
||||
alternateNames := []string{
|
||||
|
|
|
|||