scripts: Simplify TLS scripts into k8s-certgen and generate kubeconfig

* Remove kubecfg-rkt and kubecfg-docker which used relative paths
2026-01-27 10:19:35 +00:00 · 2016-03-27 18:38:03 -07:00
parent ac0e90585c
commit e4f147b1f2
9 changed files with 98 additions and 97 deletions
--- a/examples/README.md
+++ b/examples/README.md
@@ -53,19 +53,9 @@ Generate a root CA and Kubernetes TLS assets for components (`admin`, `apiserver

    rm -rf assets/tls
    # for Kubernetes on CNI metal0, i.e. rkt
-    ./scripts/tls/gen-rkt-k8s-secrets
+    ./scripts/tls/k8s-certgen -d assets/tls -s 172.15.0.21 -m IP.1=10.3.0.1,IP.2=172.15.0.21 -w IP.1=172.15.0.22,IP.2=172.15.0.23
    # for Kubernetes on docker0
-    ./scripts/tls/gen-docker-k8s-secrets
-
-Alternately, you can add your own CA certificate, entity certificates, and entity private keys to `assets/tls`.
-
-    * ca.pem
-    * apiserver.pem
-    * apiserver-key.pem
-    * worker.pem
-    * worker-key.pem
-    * admin.pem
-    * admin-key.pem
+    ./scripts/tls/k8s-certgen -d assets/tls -s 172.17.0.21 -m IP.1=10.3.0.1,IP.2=172.17.0.21 -w IP.1=172.17.0.22,IP.2=172.17.0.23

 See the [Cluster TLS OpenSSL Generation](https://coreos.com/kubernetes/docs/latest/openssl.html) document or [Kubernetes Step by Step](https://coreos.com/kubernetes/docs/latest/getting-started.html) for more details.

@@ -74,14 +64,11 @@ See the [Cluster TLS OpenSSL Generation](https://coreos.com/kubernetes/docs/late
 Install the `kubectl` CLI on your host. Use the provided kubeconfig's to access the Kubernetes cluster created on rkt `metal0` or `docker0`.

    cd /path/to/coreos-baremetal
-    # for kubernetes on CNI metal0, i.e. rkt
-    kubectl --kubeconfig=examples/kubecfg-rkt get nodes
-    # for kubernetes on docker0
-    kubectl --kubeconfig=examples/kubecfg-docker get nodes
+    kubectl --kubeconfig=assets/tls/kubeconfig get nodes

 Get all pods.

-    kubectl --kubeconfig=examples/kubecfg-rkt get pods --all-namespaces
+    kubectl --kubeconfig=assets/tls/kubeconfig get pods --all-namespaces

 On my laptop, VMs download and network boot CoreOS in the first 45 seconds, the Kubernetes API becomes available after about 150 seconds, and add-on pods are scheduled by 180 seconds. On physical hosts and networks, OS and container image download times are a bit longer.

--- a/examples/groups/.gitkeep
+++ b/examples/groups/.gitkeep
--- a/examples/kubecfg-docker
+++ b/examples/kubecfg-docker
@@ -1,19 +0,0 @@
-apiVersion: v1
-kind: Config
-clusters:
- cluster:
-    certificate-authority: ../assets/tls/ca.pem
-    server: https://172.17.0.21:443
-  name: k8s-docker
-contexts:
- context:
-    cluster: k8s-docker
-    namespace: default
-    user: k8s-docker
-  name: k8s-docker
-current-context: k8s-docker
-users:
- name: k8s-docker
-  user:
-    client-certificate: ../assets/tls/admin.pem
-    client-key: ../assets/tls/admin-key.pem
--- a/examples/kubecfg-rkt
+++ b/examples/kubecfg-rkt
@@ -1,19 +0,0 @@
-apiVersion: v1
-kind: Config
-clusters:
- cluster:
-    certificate-authority: ../assets/tls/ca.pem
-    server: https://172.15.0.21:443
-  name: k8s-rkt
-contexts:
- context:
-    cluster: k8s-rkt
-    namespace: default
-    user: k8s-rkt
-  name: k8s-rkt
-current-context: k8s-rkt
-users:
- name: k8s-rkt
-  user:
-    client-certificate: ../assets/tls/admin.pem
-    client-key: ../assets/tls/admin-key.pem
--- a/scripts/tls/gen-bm-k8s-secrets
+++ b/scripts/tls/gen-bm-k8s-secrets
@@ -1,14 +0,0 @@
-#!/bin/bash -e
-# USAGE: ./scripts/generate-kubernetes-secrets
-
-DEST=${1:-"assets/tls"}
-
-if [ ! -d "$DEST" ]; then
-  echo "Creating directory $DEST"
-  mkdir -p $DEST
-fi
-
-./scripts/tls/root-ca $DEST
-./scripts/tls/kubernetes-cert $DEST admin kube-admin
-./scripts/tls/kubernetes-cert $DEST apiserver kube-apiserver IP.1=10.3.0.1,IP.2=192.168.1.21
-./scripts/tls/kubernetes-cert $DEST worker kube-worker IP.1=192.168.1.22,IP.2=192.168.1.23
--- a/scripts/tls/gen-docker0-k8s-secrets
+++ b/scripts/tls/gen-docker0-k8s-secrets
@@ -1,14 +0,0 @@
-#!/bin/bash -e
-# USAGE: ./scripts/generate-kubernetes-secrets
-
-DEST=${1:-"assets/tls"}
-
-if [ ! -d "$DEST" ]; then
-  echo "Creating directory $DEST"
-  mkdir -p $DEST
-fi
-
-./scripts/tls/root-ca $DEST
-./scripts/tls/kubernetes-cert $DEST admin kube-admin
-./scripts/tls/kubernetes-cert $DEST apiserver kube-apiserver IP.1=10.3.0.1,IP.2=172.17.0.21
-./scripts/tls/kubernetes-cert $DEST worker kube-worker IP.1=172.17.0.22,IP.2=172.17.0.23
--- a/scripts/tls/gen-rkt-k8s-secrets
+++ b/scripts/tls/gen-rkt-k8s-secrets
@@ -1,14 +0,0 @@
-#!/bin/bash -e
-# USAGE: ./scripts/generate-kubernetes-secrets
-
-DEST=${1:-"assets/tls"}
-
-if [ ! -d "$DEST" ]; then
-  echo "Creating directory $DEST"
-  mkdir -p $DEST
-fi
-
-./scripts/tls/root-ca $DEST
-./scripts/tls/kubernetes-cert $DEST admin kube-admin
-./scripts/tls/kubernetes-cert $DEST apiserver kube-apiserver IP.1=10.3.0.1,IP.2=172.15.0.21
-./scripts/tls/kubernetes-cert $DEST worker kube-worker IP.1=172.15.0.22,IP.2=172.15.0.23
--- a/scripts/tls/k8s-certgen
+++ b/scripts/tls/k8s-certgen
@@ -0,0 +1,42 @@
+#!/bin/bash -e
+
+USAGE="Usage: $(basename $0)
+Options:
+  -d DEST     Destination for generated files (default: ./assets/tls)
+  -s SERVER   Reachable Server IP for kubeconfig (e.g. 172.15.0.21)
+  -m MASTERS  Master Node Names/Addresses in SAN format (e.g. IP.1=10.3.0.1,IP.2=172.15.0.21).
+  -w WORKERS  Worker Node Names/Addresses in SAN format (e.g. IP.1=172.15.0.22,IP.2=172.15.0.23)
+  -h          Show help.
+"
+
+DEST="./assets/tls"
+SERVER="172.15.0.21"
+MASTERS="IP.1=10.3.0.1,IP.2=172.15.0.21"
+WORKERS="IP.1=172.15.0.22,IP.2=172.15.0.23"
+
+while getopts "d:s:m:w:vh" opt; do
+  case $opt in
+    d) DEST="$OPTARG" ;;
+    s) SERVER="$OPTARG" ;;
+    m) MASTERS="$OPTARG" ;;
+    w) WORKERS="$OPTARG" ;;
+    h) echo "$USAGE"; exit;;
+    *) exit 1;;
+  esac
+done
+
+if [ ! -d "$DEST" ]; then
+  echo "Creating directory $DEST"
+  mkdir -p $DEST
+fi
+
+# create root CA
+./scripts/tls/root-ca $DEST
+
+# create Kubernetes master and worker certificates
+./scripts/tls/kubernetes-cert $DEST admin kube-admin
+./scripts/tls/kubernetes-cert $DEST apiserver kube-apiserver $MASTERS
+./scripts/tls/kubernetes-cert $DEST worker kube-worker $WORKERS
+
+# create a kubeconfig
+./scripts/tls/kube-conf $DEST $SERVER
--- a/scripts/tls/kube-conf
+++ b/scripts/tls/kube-conf
@@ -0,0 +1,52 @@
+#!/bin/bash -e
+
+function usage {
+    echo "USAGE: $0 DEST MASTER_IP"
+    echo "example: $0 dest/path 192.168.1.21"
+}
+
+function base64_encode {
+  if [[ "$OSTYPE" == "darwin" ]]; then
+    base64 $1
+  else
+    base64 -w 0 $1
+  fi
+}
+
+if [ -z "$1" ] || [ -z "$2" ]; then
+    usage
+    exit 1
+fi
+
+DEST="$1"
+MASTER_IP="$2"
+ADMIN_CERT_BASE64=$(base64_encode $DEST/admin.pem)
+ADMIN_KEY_BASE64="$(base64_encode $DEST/admin-key.pem)"
+CA_CERT_BASE64="$(base64_encode $DEST/ca.pem)"
+
+if [ -f "$DEST/kubeconfig" ]; then
+  echo "$DEST/kubeconfig already exists"
+  exit 1
+fi
+
+cat << EOF > $DEST/kubeconfig
+apiVersion: v1
+kind: Config
+users:
+- name: bootcfg-user
+  user:
+    client-certificate-data: ${ADMIN_CERT_BASE64}
+    client-key-data: ${ADMIN_KEY_BASE64}
+clusters:
+- name: bootcfg-cluster
+  cluster:
+    certificate-authority-data: ${CA_CERT_BASE64}
+    server: https://${MASTER_IP}:443
+contexts:
+- context:
+    cluster: bootcfg-cluster
+    user: bootcfg-user
+  name: bootcfg-context
+current-context: bootcfg-context
+EOF
+echo "Wrote kubeconfig to $DEST/kubeconfig"