	Merge pull request #41514 from deads2k/agg-14-register-in-local
Automatic merge from submit-queue (batch tested with PRs 41505, 41484, 41544, 41514, 41022) several issues hit while trying to make it easy to register APIs I was trying to create a script that would register all API versions on a given server and ended up hitting several problems. These are the fixes. @sttts I suspect that I won't be able to continue down the host-network approach, since that means I won't be able to use in-cluster DNS without some finagling. It *could* be set up (and we make it work as a for instance), but the simple enablement approach will be hosted on the infrastructure. I'll go back to that.
		@@ -34,6 +34,7 @@ NET_PLUGIN=${NET_PLUGIN:-""}
 | 
			
		||||
# Place the binaries required by NET_PLUGIN in this directory, eg: "/home/kubernetes/bin".
 | 
			
		||||
NET_PLUGIN_DIR=${NET_PLUGIN_DIR:-""}
 | 
			
		||||
SERVICE_CLUSTER_IP_RANGE=${SERVICE_CLUSTER_IP_RANGE:-10.0.0.0/24}
 | 
			
		||||
FIRST_SERVICE_CLUSTER_IP=${FIRST_SERVICE_CLUSTER_IP:-10.0.0.1}
 | 
			
		||||
# if enabled, must set CGROUP_ROOT
 | 
			
		||||
CGROUPS_PER_QOS=${CGROUPS_PER_QOS:-false}
 | 
			
		||||
# this is not defaulted to preserve backward compatibility.
 | 
			
		||||
@@ -404,7 +405,7 @@ function start_apiserver {
 | 
			
		||||
    kube::util::create_signing_certkey "${CONTROLPLANE_SUDO}" "${CERT_DIR}" request-header '"client auth"'
 | 
			
		||||
 | 
			
		||||
    # serving cert for kube-apiserver
 | 
			
		||||
    kube::util::create_serving_certkey "${CONTROLPLANE_SUDO}" "${CERT_DIR}" "server-ca" kube-apiserver kubernetes.default.svc "localhost" ${API_HOST_IP} ${API_HOST}
 | 
			
		||||
    kube::util::create_serving_certkey "${CONTROLPLANE_SUDO}" "${CERT_DIR}" "server-ca" kube-apiserver kubernetes.default kubernetes.default.svc "localhost" ${API_HOST_IP} ${API_HOST} ${FIRST_SERVICE_CLUSTER_IP}
 | 
			
		||||
 | 
			
		||||
    # Create client certs signed with client-ca, given id, given CN and a number of groups
 | 
			
		||||
    kube::util::create_client_certkey "${CONTROLPLANE_SUDO}" "${CERT_DIR}" 'client-ca' kubelet system:node:${HOSTNAME_OVERRIDE} system:nodes
 | 
			
		||||
@@ -484,7 +485,7 @@ function start_apiserver {
 | 
			
		||||
    ${KUBECTL} --kubeconfig="${CERT_DIR}/admin.kubeconfig" create namespace kube-public
 | 
			
		||||
    ${CONTROLPLANE_SUDO} cp "${CERT_DIR}/admin.kubeconfig" "${CERT_DIR}/admin-kube-aggregator.kubeconfig"
 | 
			
		||||
    ${CONTROLPLANE_SUDO} chown $(whoami) "${CERT_DIR}/admin-kube-aggregator.kubeconfig"
 | 
			
		||||
    ${KUBECTL} config set-cluster local-up-cluster --kubeconfig="${CERT_DIR}/admin-kube-aggregator.kubeconfig" --server="https://${API_HOST_IP}:9443"
 | 
			
		||||
    ${KUBECTL} config set-cluster local-up-cluster --kubeconfig="${CERT_DIR}/admin-kube-aggregator.kubeconfig" --server="https://${API_HOST_IP}:31090"
 | 
			
		||||
    echo "use 'kubectl --kubeconfig=${CERT_DIR}/admin-kube-aggregator.kubeconfig' to use the aggregated API server"
 | 
			
		||||
 | 
			
		||||
}
 | 
			
		||||
@@ -515,7 +516,6 @@ function start_controller_manager {
 | 
			
		||||
function start_kubelet {
 | 
			
		||||
    KUBELET_LOG=/tmp/kubelet.log
 | 
			
		||||
    mkdir -p ${POD_MANIFEST_PATH} || true
 | 
			
		||||
    cp ${KUBE_ROOT}/vendor/k8s.io/kube-aggregator/artifacts/hostpath-pods/insecure-etcd-pod.yaml ${POD_MANIFEST_PATH}/kube-aggregator.yaml
 | 
			
		||||
 | 
			
		||||
    priv_arg=""
 | 
			
		||||
    if [[ -n "${ALLOW_PRIVILEGED}" ]]; then
 | 
			
		||||
 
 | 
			
		||||
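Review bot: The aggregator kubeconfig written in the third hunk hardcodes the port (`--server="https://${API_HOST_IP}:31090"`), the same value that staging/src/k8s.io/kube-aggregator/hack/local-up-kube-aggregator.sh defaults into `AGGREGATOR_SECURE_PORT`, so changing one silently breaks the other; `AGGREGATOR_SECURE_PORT=${AGGREGATOR_SECURE_PORT:-31090}` next to the other defaults at the top of the file and `--server="https://${API_HOST_IP}:${AGGREGATOR_SECURE_PORT}"` here keeps it in one place. That `set-cluster` call no longer passes `--certificate-authority` the way the deleted aggregator script did, so the connection only stays verified if the copied admin.kubeconfig already embeds a CA that signs the aggregator's serving cert; a one-line comment stating that assumption would help the next reader. Minor: `chown $(whoami)` is unquoted; `"$(whoami)"` is the safer spelling. start_apiserver begins and ends outside these hunks.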
@@ -1,105 +0,0 @@
 | 
			
		||||
#!/bin/bash
 | 
			
		||||
 | 
			
		||||
# Copyright 2016 The Kubernetes Authors.
 | 
			
		||||
#
 | 
			
		||||
# Licensed under the Apache License, Version 2.0 (the "License");
 | 
			
		||||
# you may not use this file except in compliance with the License.
 | 
			
		||||
# You may obtain a copy of the License at
 | 
			
		||||
#
 | 
			
		||||
#     http://www.apache.org/licenses/LICENSE-2.0
 | 
			
		||||
#
 | 
			
		||||
# Unless required by applicable law or agreed to in writing, software
 | 
			
		||||
# distributed under the License is distributed on an "AS IS" BASIS,
 | 
			
		||||
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
 | 
			
		||||
# See the License for the specific language governing permissions and
 | 
			
		||||
# limitations under the License.
 | 
			
		||||
 | 
			
		||||
# starts kube-aggregator as a pod after you've run `local-up-cluster.sh`
 | 
			
		||||
 | 
			
		||||
 | 
			
		||||
KUBE_ROOT=$(dirname "${BASH_SOURCE}")/..
 | 
			
		||||
source "${KUBE_ROOT}/hack/lib/init.sh"
 | 
			
		||||
 | 
			
		||||
DISCOVERY_SECURE_PORT=${DISCOVERY_SECURE_PORT:-31090}
 | 
			
		||||
API_HOST=${API_HOST:-localhost}
 | 
			
		||||
API_HOST_IP=${API_HOST_IP:-"127.0.0.1"}
 | 
			
		||||
CERT_DIR=${CERT_DIR:-"/var/run/kubernetes"}
 | 
			
		||||
ROOT_CA_FILE=$CERT_DIR/apiserver.crt
 | 
			
		||||
 | 
			
		||||
# Ensure CERT_DIR is created for auto-generated crt/key and kubeconfig
 | 
			
		||||
mkdir -p "${CERT_DIR}" &>/dev/null || sudo mkdir -p "${CERT_DIR}"
 | 
			
		||||
sudo=$(test -w "${CERT_DIR}" || echo "sudo -E")
 | 
			
		||||
 | 
			
		||||
 | 
			
		||||
kubectl=$(kube::util::find-binary kubectl)
 | 
			
		||||
 | 
			
		||||
function kubectl_core {
 | 
			
		||||
	${kubectl} --kubeconfig="${CERT_DIR}/admin.kubeconfig" $@
 | 
			
		||||
}
 | 
			
		||||
 | 
			
		||||
function sudo_kubectl_core {
 | 
			
		||||
	${sudo} ${kubectl} --kubeconfig="${CERT_DIR}/admin.kubeconfig" $@
 | 
			
		||||
}
 | 
			
		||||
 | 
			
		||||
# start_kube-aggregator relies on certificates created by start_apiserver
 | 
			
		||||
function start_kube-aggregator {
 | 
			
		||||
	kube::util::create_signing_certkey "${sudo}" "${CERT_DIR}" "kube-aggregator" '"server auth"'
 | 
			
		||||
	# sign the kube-aggregator cert to be good for the local node too, so that we can trust it
 | 
			
		||||
	kube::util::create_serving_certkey "${sudo}" "${CERT_DIR}" "kube-aggregator-ca" kube-aggregator api.kube-public.svc "localhost" ${API_HOST_IP}
 | 
			
		||||
 | 
			
		||||
	 # Create serving and client CA.  etcd only takes one arg
 | 
			
		||||
	kube::util::create_signing_certkey "${sudo}" "${CERT_DIR}" "etcd" '"client auth","server auth"'
 | 
			
		||||
	kube::util::create_serving_certkey "${sudo}" "${CERT_DIR}" "etcd-ca" etcd etcd.kube-public.svc
 | 
			
		||||
	# etcd doesn't seem to have separate signers for serving and client trust
 | 
			
		||||
	kube::util::create_client_certkey "${sudo}" "${CERT_DIR}" "etcd-ca" kube-aggregator-etcd kube-aggregator-etcd
 | 
			
		||||
 | 
			
		||||
	# don't fail if the namespace already exists or something
 | 
			
		||||
	# If this fails for some reason, the script will fail during creation of other resources
 | 
			
		||||
	kubectl_core create namespace kube-public || true
 | 
			
		||||
 | 
			
		||||
	# grant permission to run delegated authentication and authorization checks
 | 
			
		||||
	kubectl_core delete clusterrolebinding kube-aggregator:system:auth-delegator > /dev/null 2>&1 || true
 | 
			
		||||
	kubectl_core delete clusterrolebinding kube-aggregator:system:kube-aggregator > /dev/null 2>&1 || true
 | 
			
		||||
	kubectl_core create clusterrolebinding kube-aggregator:system:auth-delegator --clusterrole=system:auth-delegator --serviceaccount=kube-public:kube-aggregator
 | 
			
		||||
	kubectl_core create clusterrolebinding kube-aggregator:system:kube-aggregator --clusterrole=system:kube-aggregator --serviceaccount=kube-public:kube-aggregator
 | 
			
		||||
 | 
			
		||||
	# make sure the resources we're about to create don't exist
 | 
			
		||||
	kubectl_core -n kube-public delete secret auth-proxy-client serving-etcd serving-kube-aggregator kube-aggregator-etcd > /dev/null 2>&1 || true
 | 
			
		||||
	kubectl_core -n kube-public delete configmap etcd-ca kube-aggregator-ca client-ca request-header-ca > /dev/null 2>&1 || true
 | 
			
		||||
	kubectl_core -n kube-public delete -f "${KUBE_ROOT}/vendor/k8s.io/kube-aggregator/artifacts/local-cluster-up" > /dev/null 2>&1 || true
 | 
			
		||||
 | 
			
		||||
	sudo_kubectl_core -n kube-public create secret tls auth-proxy-client --cert="${CERT_DIR}/client-auth-proxy.crt" --key="${CERT_DIR}/client-auth-proxy.key"
 | 
			
		||||
	sudo_kubectl_core -n kube-public create secret tls serving-etcd --cert="${CERT_DIR}/serving-etcd.crt" --key="${CERT_DIR}/serving-etcd.key"
 | 
			
		||||
	sudo_kubectl_core -n kube-public create secret tls serving-kube-aggregator --cert="${CERT_DIR}/serving-kube-aggregator.crt" --key="${CERT_DIR}/serving-kube-aggregator.key"
 | 
			
		||||
	sudo_kubectl_core -n kube-public create secret tls kube-aggregator-etcd --cert="${CERT_DIR}/client-kube-aggregator-etcd.crt" --key="${CERT_DIR}/client-kube-aggregator-etcd.key"
 | 
			
		||||
	kubectl_core -n kube-public create configmap etcd-ca --from-file="ca.crt=${CERT_DIR}/etcd-ca.crt" || true
 | 
			
		||||
	kubectl_core -n kube-public create configmap kube-aggregator-ca --from-file="ca.crt=${CERT_DIR}/kube-aggregator-ca.crt" || true
 | 
			
		||||
	kubectl_core -n kube-public create configmap client-ca --from-file="ca.crt=${CERT_DIR}/client-ca.crt" || true
 | 
			
		||||
	kubectl_core -n kube-public create configmap request-header-ca --from-file="ca.crt=${CERT_DIR}/request-header-ca.crt" || true
 | 
			
		||||
 | 
			
		||||
	${KUBE_ROOT}/vendor/k8s.io/kube-aggregator/hack/build-image.sh
 | 
			
		||||
 | 
			
		||||
	kubectl_core -n kube-public create -f "${KUBE_ROOT}/vendor/k8s.io/kube-aggregator/artifacts/local-cluster-up"
 | 
			
		||||
 | 
			
		||||
	${sudo} cp "${CERT_DIR}/admin.kubeconfig" "${CERT_DIR}/admin-kube-aggregator.kubeconfig"
 | 
			
		||||
	${sudo} chown ${USER} "${CERT_DIR}/admin-kube-aggregator.kubeconfig"
 | 
			
		||||
	${kubectl} config set-cluster local-up-cluster --kubeconfig="${CERT_DIR}/admin-kube-aggregator.kubeconfig" --certificate-authority="${CERT_DIR}/kube-aggregator-ca.crt" --embed-certs --server="https://${API_HOST_IP}:${DISCOVERY_SECURE_PORT}"
 | 
			
		||||
 | 
			
		||||
	# Wait for kube-aggregator to come up before launching the rest of the components.
 | 
			
		||||
	# This should work since we're creating a node port service.
 | 
			
		||||
	echo "Waiting for kube-aggregator to come up: https://${API_HOST_IP}:${DISCOVERY_SECURE_PORT}/version"
 | 
			
		||||
	kube::util::wait_for_url "https://${API_HOST_IP}:${DISCOVERY_SECURE_PORT}/version" "kube-aggregator: " 1 60 || exit 1
 | 
			
		||||
 | 
			
		||||
	# something is weird with the proxy
 | 
			
		||||
	sleep 1
 | 
			
		||||
 | 
			
		||||
	# create the "normal" api services for the core API server
 | 
			
		||||
	${kubectl} --kubeconfig="${CERT_DIR}/admin-kube-aggregator.kubeconfig" create -f "${KUBE_ROOT}/vendor/k8s.io/kube-aggregator/artifacts/core-apiservices"
 | 
			
		||||
}
 | 
			
		||||
 | 
			
		||||
kube::util::test_openssl_installed
 | 
			
		||||
kube::util::test_cfssl_installed
 | 
			
		||||
 | 
			
		||||
start_kube-aggregator
 | 
			
		||||
 | 
			
		||||
echo "kuberentes-kube-aggregator available at https://${API_HOST_IP}:${DISCOVERY_SECURE_PORT} from 'api.kube-public.svc'"
 | 
			
		||||
@@ -1,11 +0,0 @@
 | 
			
		||||
apiVersion: apiregistration.k8s.io/v1alpha1
 | 
			
		||||
kind: APIService
 | 
			
		||||
metadata:
 | 
			
		||||
  name: v1.
 | 
			
		||||
spec:
 | 
			
		||||
  version: v1
 | 
			
		||||
  service:
 | 
			
		||||
    namespace: default
 | 
			
		||||
    name: kubernetes
 | 
			
		||||
  insecureSkipTLSVerify: true
 | 
			
		||||
  priority: 100
 | 
			
		||||
@@ -1,12 +0,0 @@
 | 
			
		||||
apiVersion: apiregistration.k8s.io/v1alpha1
 | 
			
		||||
kind: APIService
 | 
			
		||||
metadata:
 | 
			
		||||
  name: v1.authorization.k8s.io
 | 
			
		||||
spec:
 | 
			
		||||
  group: authorization.k8s.io
 | 
			
		||||
  version: v1
 | 
			
		||||
  service:
 | 
			
		||||
    namespace: default
 | 
			
		||||
    name: kubernetes
 | 
			
		||||
  insecureSkipTLSVerify: true
 | 
			
		||||
  priority: 100
 | 
			
		||||
@@ -1,12 +0,0 @@
 | 
			
		||||
apiVersion: apiregistration.k8s.io/v1alpha1
 | 
			
		||||
kind: APIService
 | 
			
		||||
metadata:
 | 
			
		||||
  name: v1.autoscaling
 | 
			
		||||
spec:
 | 
			
		||||
  group: autoscaling
 | 
			
		||||
  version: v1
 | 
			
		||||
  service:
 | 
			
		||||
    namespace: default
 | 
			
		||||
    name: kubernetes
 | 
			
		||||
  insecureSkipTLSVerify: true
 | 
			
		||||
  priority: 100
 | 
			
		||||
@@ -1,12 +0,0 @@
 | 
			
		||||
apiVersion: apiregistration.k8s.io/v1alpha1
 | 
			
		||||
kind: APIService
 | 
			
		||||
metadata:
 | 
			
		||||
  name: v1.batch
 | 
			
		||||
spec:
 | 
			
		||||
  group: batch
 | 
			
		||||
  version: v1
 | 
			
		||||
  service:
 | 
			
		||||
    namespace: default
 | 
			
		||||
    name: kubernetes
 | 
			
		||||
  insecureSkipTLSVerify: true
 | 
			
		||||
  priority: 100
 | 
			
		||||
@@ -1,12 +0,0 @@
 | 
			
		||||
apiVersion: apiregistration.k8s.io/v1alpha1
 | 
			
		||||
kind: APIService
 | 
			
		||||
metadata:
 | 
			
		||||
  name: v1alpha1.certificates.k8s.io
 | 
			
		||||
spec:
 | 
			
		||||
  group: certificates.k8s.io
 | 
			
		||||
  version: v1alpha1
 | 
			
		||||
  service:
 | 
			
		||||
    namespace: default
 | 
			
		||||
    name: kubernetes
 | 
			
		||||
  insecureSkipTLSVerify: true
 | 
			
		||||
  priority: 100
 | 
			
		||||
@@ -1,12 +0,0 @@
 | 
			
		||||
apiVersion: apiregistration.k8s.io/v1alpha1
 | 
			
		||||
kind: APIService
 | 
			
		||||
metadata:
 | 
			
		||||
  name: v1alpha1.rbac.authorization.k8s.io
 | 
			
		||||
spec:
 | 
			
		||||
  group: rbac.authorization.k8s.io
 | 
			
		||||
  version: v1alpha1
 | 
			
		||||
  service:
 | 
			
		||||
    namespace: default
 | 
			
		||||
    name: kubernetes
 | 
			
		||||
  insecureSkipTLSVerify: true
 | 
			
		||||
  priority: 100
 | 
			
		||||
@@ -1,12 +0,0 @@
 | 
			
		||||
apiVersion: apiregistration.k8s.io/v1alpha1
 | 
			
		||||
kind: APIService
 | 
			
		||||
metadata:
 | 
			
		||||
  name: v1beta1.apps
 | 
			
		||||
spec:
 | 
			
		||||
  group: apps
 | 
			
		||||
  version: v1beta1
 | 
			
		||||
  service:
 | 
			
		||||
    namespace: default
 | 
			
		||||
    name: kubernetes
 | 
			
		||||
  insecureSkipTLSVerify: true
 | 
			
		||||
  priority: 100
 | 
			
		||||
@@ -1,12 +0,0 @@
 | 
			
		||||
apiVersion: apiregistration.k8s.io/v1alpha1
 | 
			
		||||
kind: APIService
 | 
			
		||||
metadata:
 | 
			
		||||
  name: v1beta1.authentication.k8s.io
 | 
			
		||||
spec:
 | 
			
		||||
  group: authentication.k8s.io
 | 
			
		||||
  version: v1beta1
 | 
			
		||||
  service:
 | 
			
		||||
    namespace: default
 | 
			
		||||
    name: kubernetes
 | 
			
		||||
  insecureSkipTLSVerify: true
 | 
			
		||||
  priority: 100
 | 
			
		||||
@@ -1,12 +0,0 @@
 | 
			
		||||
apiVersion: apiregistration.k8s.io/v1alpha1
 | 
			
		||||
kind: APIService
 | 
			
		||||
metadata:
 | 
			
		||||
  name: v1beta1.authorization.k8s.io
 | 
			
		||||
spec:
 | 
			
		||||
  group: authorization.k8s.io
 | 
			
		||||
  version: v1beta1
 | 
			
		||||
  service:
 | 
			
		||||
    namespace: default
 | 
			
		||||
    name: kubernetes
 | 
			
		||||
  insecureSkipTLSVerify: true
 | 
			
		||||
  priority: 100
 | 
			
		||||
@@ -1,12 +0,0 @@
 | 
			
		||||
apiVersion: apiregistration.k8s.io/v1alpha1
 | 
			
		||||
kind: APIService
 | 
			
		||||
metadata:
 | 
			
		||||
  name: v1beta1.extensions
 | 
			
		||||
spec:
 | 
			
		||||
  group: extensions
 | 
			
		||||
  version: v1beta1
 | 
			
		||||
  service:
 | 
			
		||||
    namespace: default
 | 
			
		||||
    name: kubernetes
 | 
			
		||||
  insecureSkipTLSVerify: true
 | 
			
		||||
  priority: 150
 | 
			
		||||
@@ -1,12 +0,0 @@
 | 
			
		||||
apiVersion: apiregistration.k8s.io/v1alpha1
 | 
			
		||||
kind: APIService
 | 
			
		||||
metadata:
 | 
			
		||||
  name: v1beta1.policy
 | 
			
		||||
spec:
 | 
			
		||||
  group: policy
 | 
			
		||||
  version: v1beta1
 | 
			
		||||
  service:
 | 
			
		||||
    namespace: default
 | 
			
		||||
    name: kubernetes
 | 
			
		||||
  insecureSkipTLSVerify: true
 | 
			
		||||
  priority: 100
 | 
			
		||||
@@ -1,12 +0,0 @@
 | 
			
		||||
apiVersion: apiregistration.k8s.io/v1alpha1
 | 
			
		||||
kind: APIService
 | 
			
		||||
metadata:
 | 
			
		||||
  name: v1beta1.storage.k8s.io
 | 
			
		||||
spec:
 | 
			
		||||
  group: storage.k8s.io
 | 
			
		||||
  version: v1beta1
 | 
			
		||||
  service:
 | 
			
		||||
    namespace: default
 | 
			
		||||
    name: kubernetes
 | 
			
		||||
  insecureSkipTLSVerify: true
 | 
			
		||||
  priority: 100
 | 
			
		||||
@@ -84,14 +84,14 @@ spec:
 | 
			
		||||
      - name: volume-etcd-client-cert
 | 
			
		||||
        secret:
 | 
			
		||||
          defaultMode: 420
 | 
			
		||||
          secretName: discovery-etcd
 | 
			
		||||
          secretName: kube-aggregator-etcd
 | 
			
		||||
      - name: volume-serving-cert
 | 
			
		||||
        secret:
 | 
			
		||||
          defaultMode: 420
 | 
			
		||||
          secretName: serving-discovery
 | 
			
		||||
          secretName: serving-kube-aggregator
 | 
			
		||||
      - configMap:
 | 
			
		||||
          defaultMode: 420
 | 
			
		||||
          name: discovery-ca
 | 
			
		||||
          name: kube-aggregator-ca
 | 
			
		||||
        name: volume-serving-ca
 | 
			
		||||
      - configMap:
 | 
			
		||||
          defaultMode: 420
 | 
			
		||||
 
 | 
			
		||||
@@ -0,0 +1,12 @@
 | 
			
		||||
apiVersion: apiregistration.k8s.io/v1alpha1
 | 
			
		||||
kind: APIService
 | 
			
		||||
metadata:
 | 
			
		||||
  name: RESOURCE_NAME
 | 
			
		||||
spec:
 | 
			
		||||
  group: API_GROUP
 | 
			
		||||
  version: API_VERSION
 | 
			
		||||
  service:
 | 
			
		||||
    namespace: SERVICE_NAMESPACE
 | 
			
		||||
    name: SERVICE_NAME
 | 
			
		||||
  caBundle: CA_BUNDLE
 | 
			
		||||
  priority: 100
 | 
			
		||||
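Review bot: The new template has no comment explaining that the UPPER_CASE values are substitution tokens, so a reader opening it as a plain manifest will try to apply it as-is. A header such as `# Template consumed by hack/register-all-apis-from.sh: the UPPER_CASE tokens are replaced with sed; CA_BUNDLE is the single-line base64 encoding of the CA that signs the service's serving certificate.` would make that explicit and also document that `caBundle` replaces the `insecureSkipTLSVerify: true` the deleted per-group manifests used.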
							
								
								
									
										91
									
								
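--- a/staging/src/k8s.io/kube-aggregator/hack/local-up-kube-aggregator.sh
+++ b/staging/src/k8s.io/kube-aggregator/hack/local-up-kube-aggregator.sh
@@ -0,0 +1,91 @@
+#!/bin/bash
+
+# Copyright 2016 The Kubernetes Authors.
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+# starts kube-aggregator as a pod after you've run `local-up-cluster.sh`
+
+set -o errexit
+set -o nounset
+set -o pipefail
+
+AGG_ROOT=$(dirname "${BASH_SOURCE}")/..
+KUBE_ROOT=${AGG_ROOT}/../../../..
+source "${KUBE_ROOT}/hack/lib/init.sh"
+
+AGGREGATOR_SECURE_PORT=${AGGREGATOR_SECURE_PORT:-31090}
+API_HOST=${API_HOST:-localhost}
+API_HOST_IP=${API_HOST_IP:-"127.0.0.1"}
+AGGREGATOR_CERT_DIR=${AGGREGATOR_CERT_DIR:-"/var/run/kubernetes/aggregator"}
+
+KUBE_CERT_DIR=${KUBE_CERT_DIR:-"/var/run/kubernetes"}
+SERVING_CERT_CA_CERT=${SERVING_CERT_CA_CERT:-"${KUBE_CERT_DIR}/server-ca.crt"}
+CLIENT_CERT_CA_CERT=${CLIENT_CERT_CA_CERT:-"${KUBE_CERT_DIR}/client-ca.crt"}
+FRONT_PROXY_CLIENT_CERT_CA_CERT=${FRONT_PROXY_CLIENT_CERT_CA_CERT:-"${KUBE_CERT_DIR}/request-header-ca.crt"}
+SERVING_CERT=${SERVING_CERT:-"${KUBE_CERT_DIR}/serving-kube-aggregator.crt"}
+SERVING_KEY=${SERVING_KEY:-"${KUBE_CERT_DIR}/serving-kube-aggregator.key"}
+FRONT_PROXY_CLIENT_CERT=${FRONT_PROXY_CLIENT_CERT:-"${KUBE_CERT_DIR}/client-auth-proxy.crt"}
+FRONT_PROXY_CLIENT_KEY=${FRONT_PROXY_CLIENT_KEY:-"${KUBE_CERT_DIR}/client-auth-proxy.key"}
+
+
+# Ensure AGGREGATOR_CERT_DIR is created for auto-generated crt/key and kubeconfig
+mkdir -p "${AGGREGATOR_CERT_DIR}" &>/dev/null || sudo mkdir -p "${AGGREGATOR_CERT_DIR}"
+sudo=$(test -w "${AGGREGATOR_CERT_DIR}" || echo "sudo -E")
+
+# start_kube-aggregator relies on certificates created by start_apiserver
+function start_kube-aggregator {
+	 # Create serving and client CA.  etcd only takes one arg
+	kube::util::create_signing_certkey "${sudo}" "${AGGREGATOR_CERT_DIR}" "etcd" '"client auth","server auth"'
+	kube::util::create_serving_certkey "${sudo}" "${AGGREGATOR_CERT_DIR}" "etcd-ca" etcd etcd.kube-public.svc
+	# etcd doesn't seem to have separate signers for serving and client trust
+	kube::util::create_client_certkey "${sudo}" "${AGGREGATOR_CERT_DIR}" "etcd-ca" kube-aggregator-etcd kube-aggregator-etcd
+
+	# don't fail if the namespace already exists or something
+	# If this fails for some reason, the script will fail during creation of other resources
+	kubectl create namespace kube-public || true
+
+	# grant permission to run delegated authentication and authorization checks
+	kubectl delete clusterrolebinding kube-aggregator:system:auth-delegator > /dev/null 2>&1 || true
+	kubectl delete clusterrolebinding kube-aggregator:system:kube-aggregator > /dev/null 2>&1 || true
+	kubectl create clusterrolebinding kube-aggregator:system:auth-delegator --clusterrole=system:auth-delegator --serviceaccount=kube-public:kube-aggregator
+	kubectl create clusterrolebinding kube-aggregator:system:kube-aggregator --clusterrole=system:kube-aggregator --serviceaccount=kube-public:kube-aggregator
+
+	# make sure the resources we're about to create don't exist
+	kubectl -n kube-public delete secret auth-proxy-client serving-etcd serving-kube-aggregator kube-aggregator-etcd > /dev/null 2>&1 || true
+	kubectl -n kube-public delete configmap etcd-ca kube-aggregator-ca client-ca request-header-ca > /dev/null 2>&1 || true
+	kubectl -n kube-public delete -f "${AGG_ROOT}/artifacts/self-contained" > /dev/null 2>&1 || true
+
+	kubectl -n kube-public create secret tls auth-proxy-client --cert="${FRONT_PROXY_CLIENT_CERT}" --key="${FRONT_PROXY_CLIENT_KEY}"
+	kubectl -n kube-public create secret tls serving-etcd --cert="${AGGREGATOR_CERT_DIR}/serving-etcd.crt" --key="${AGGREGATOR_CERT_DIR}/serving-etcd.key"
+	kubectl -n kube-public create secret tls serving-kube-aggregator --cert="${SERVING_CERT}" --key="${SERVING_KEY}"
+	kubectl -n kube-public create secret tls kube-aggregator-etcd --cert="${AGGREGATOR_CERT_DIR}/client-kube-aggregator-etcd.crt" --key="${AGGREGATOR_CERT_DIR}/client-kube-aggregator-etcd.key"
+	kubectl -n kube-public create configmap etcd-ca --from-file="ca.crt=${AGGREGATOR_CERT_DIR}/etcd-ca.crt" || true
+	kubectl -n kube-public create configmap kube-aggregator-ca --from-file="ca.crt=${SERVING_CERT_CA_CERT}" || true
+	kubectl -n kube-public create configmap client-ca --from-file="ca.crt=${CLIENT_CERT_CA_CERT}" || true
+	kubectl -n kube-public create configmap request-header-ca --from-file="ca.crt=${FRONT_PROXY_CLIENT_CERT_CA_CERT}" || true
+
+	kubectl -n kube-public create -f "${AGG_ROOT}/artifacts/self-contained"
+
+	# Wait for kube-aggregator to come up before launching the rest of the components.
+	# This should work since we're creating a node port service.
+	echo "Waiting for kube-aggregator to come up: https://${API_HOST_IP}:${AGGREGATOR_SECURE_PORT}/version"
+	kube::util::wait_for_url "https://${API_HOST_IP}:${AGGREGATOR_SECURE_PORT}/version" "kube-aggregator: " 1 60 || exit 1
+}
+
+kube::util::test_openssl_installed
+kube::util::test_cfssl_installed
+
+start_kube-aggregator
+
+echo "kube-aggregator available at https://${API_HOST_IP}:${AGGREGATOR_SECURE_PORT} from 'api.kube-public.svc'"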
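Review bot: Every cluster-mutating command inside start_kube-aggregator (the namespace, the two clusterrolebindings, the four TLS secrets, the configmaps and the final `create -f`) runs a bare `kubectl` with no `--kubeconfig`, so the script acts on whatever context the caller's environment currently selects, whereas the deleted aggregator script at the top of this commit pinned `--kubeconfig="${CERT_DIR}/admin.kubeconfig"` for every call; because these commands delete and recreate clusterrolebindings and secrets, pointing them at the local cluster explicitly is worth the two lines `KUBECONFIG=${KUBECONFIG:-"${KUBE_CERT_DIR}/admin.kubeconfig"}` and `export KUBECONFIG` next to the other defaults. Related: `${sudo}` from the `sudo=$(test -w ...)` line is only passed to the cert helpers, while the `create secret tls --cert/--key` lines read `${SERVING_KEY}` and `${FRONT_PROXY_CLIENT_KEY}` out of `${KUBE_CERT_DIR}` directly; the old script ran those through `sudo_kubectl_core`, so if the key files are not readable by the invoking user the new script now aborts under `set -o errexit`. A short header comment listing what the script expects local-up-cluster.sh to have produced (the three CA certs and the two cert/key pairs defaulted from `KUBE_CERT_DIR`) would make that dependency explicit.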
							
								
								
									
										90
									
								
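--- a/staging/src/k8s.io/kube-aggregator/hack/register-all-apis-from.sh
+++ b/staging/src/k8s.io/kube-aggregator/hack/register-all-apis-from.sh
@@ -0,0 +1,90 @@
+#!/bin/bash
+
+# Copyright 2017 The Kubernetes Authors.
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+set -o errexit
+set -o nounset
+set -o pipefail
+
+
+if LANG=C sed --help 2>&1 | grep -q GNU; then
+  SED="sed"
+elif which gsed &>/dev/null; then
+  SED="gsed"
+else
+  echo "Failed to find GNU sed as sed or gsed. If you are on Mac: brew install gnu-sed." >&2
+  exit 1
+fi
+
+dir=$(mktemp -d "${TMPDIR:-/tmp/}$(basename 0).XXXXXXXXXXXX")
+# Register function to be called on EXIT to remove generated binary.
+function cleanup {
+  rm -rf "${dir}"
+}
+trap cleanup EXIT
+
+
+scriptDir=$(dirname "${BASH_SOURCE}")
+
+# this uses discovery from a kube-like API server to register ALL the API versions that server provides
+# first argument is reference to kube-config file that points the API server you're adding from
+# second argument is the service namespace
+# third argument is the service name
+# fourth argument is reference to kube-config file that points to the aggregator you're using
+
+FROM_KUBECONFIG=${1}
+SERVICE_NAMESPACE=${2}
+SERVICE_NAME=${3}
+AGG_KUBECONFIG=${4}
+
+
+caBundle=$(base64 /var/run/kubernetes/server-ca.crt | awk 'BEGIN{ORS="";} {print}')
+
+# if we have a /api endpoint, then we need to register that
+if kubectl --kubeconfig=${FROM_KUBECONFIG} get --raw / | grep -q /api/v1; then
+	group=""
+	version="v1"
+	resourceName=${version}.${group}
+	resourceFileName=${dir}/${resourceName}.yaml
+	cp ${scriptDir}/apiservice-template.yaml ${resourceFileName}
+	${SED} -i "s/RESOURCE_NAME/${resourceName}/" ${resourceFileName}
+	${SED} -i "s/API_GROUP/${group}/" ${resourceFileName}
+	${SED} -i "s/API_VERSION/${version}/" ${resourceFileName}
+	${SED} -i "s/SERVICE_NAMESPACE/${SERVICE_NAMESPACE}/" ${resourceFileName}
+	${SED} -i "s/SERVICE_NAME/${SERVICE_NAME}/" ${resourceFileName}
+	${SED} -i "s/CA_BUNDLE/${caBundle}/" ${resourceFileName}
+	echo "registering ${resourceName} using ${resourceFileName}"
+
+	kubectl --kubeconfig=${AGG_KUBECONFIG} create -f ${resourceFileName}
+fi
+
+groupVersions=( $(kubectl --kubeconfig=${FROM_KUBECONFIG} get --raw / | grep /apis/ | sed 's/",.*//' | sed 's|.*"/apis/||' | grep '/') )
+
+for groupVersion in "${groupVersions[@]}"; do
+	group=$(echo $groupVersion | awk -F/ '{print $1}')
+	version=$(echo $groupVersion | awk -F/ '{print $2}')
+	resourceName=${version}.${group}
+	resourceFileName=${dir}/${resourceName}.yaml
+	cp ${scriptDir}/apiservice-template.yaml ${resourceFileName}
+	${SED} -i "s/RESOURCE_NAME/${resourceName}/" ${resourceFileName}
+	${SED} -i "s/API_GROUP/${group}/" ${resourceFileName}
+	${SED} -i "s/API_VERSION/${version}/" ${resourceFileName}
+	${SED} -i "s/SERVICE_NAMESPACE/${SERVICE_NAMESPACE}/" ${resourceFileName}
+	${SED} -i "s/SERVICE_NAME/${SERVICE_NAME}/" ${resourceFileName}
+	${SED} -i "s/CA_BUNDLE/${caBundle}/" ${resourceFileName}
+	echo "registering ${resourceName} using ${resourceFileName}"
+
+	kubectl --kubeconfig=${AGG_KUBECONFIG} create -f ${resourceFileName}
+done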
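Review bot: `${SED} -i "s/CA_BUNDLE/${caBundle}/"` (once in the `/api/v1` branch and once in the `for groupVersion` loop) uses `/` as the s-command delimiter, but `caBundle` is base64 text and the base64 alphabet contains `/`, so as soon as the encoded CA has one the expression is rejected with "unknown option to s" and, under `set -o errexit`, the script aborts before registering anything; a delimiter outside the base64 alphabet fixes both sites: `${SED} -i "s|CA_BUNDLE|${caBundle}|" ${resourceFileName}`. The CA is also read from the fixed path `/var/run/kubernetes/server-ca.crt` rather than an overridable variable like the `KUBE_CERT_DIR`/`SERVING_CERT_CA_CERT` pair in local-up-kube-aggregator.sh; since this bundle is what the aggregator uses to verify the registered service's serving certificate, a wrong file only shows up later as proxy failures, so `CA_BUNDLE_FILE=${CA_BUNDLE_FILE:-/var/run/kubernetes/server-ca.crt}` with a comment naming that role would make the choice visible. Minor: `$(basename 0)` in the mktemp template evaluates to the literal string `0`; `$(basename "$0")` is presumably what was meant, and the "remove generated binary" comment above `cleanup` no longer matches what the directory holds.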
@@ -21,6 +21,7 @@ import (
 | 
			
		||||
	"os"
 | 
			
		||||
	"time"
 | 
			
		||||
 | 
			
		||||
	"k8s.io/apimachinery/pkg/util/sets"
 | 
			
		||||
	"k8s.io/apimachinery/pkg/util/wait"
 | 
			
		||||
	genericapifilters "k8s.io/apiserver/pkg/endpoints/filters"
 | 
			
		||||
	genericapirequest "k8s.io/apiserver/pkg/endpoints/request"
 | 
			
		||||
@@ -69,6 +70,8 @@ type APIAggregator struct {
 | 
			
		||||
 | 
			
		||||
	// proxyHandlers are the proxy handlers that are currently registered, keyed by apiservice.name
 | 
			
		||||
	proxyHandlers map[string]*proxyHandler
 | 
			
		||||
	// handledGroups are the groups that already have routes
 | 
			
		||||
	handledGroups sets.String
 | 
			
		||||
 | 
			
		||||
	// lister is used to add group handling for /apis/<group> aggregator lookups based on
 | 
			
		||||
	// controller state
 | 
			
		||||
@@ -131,6 +134,7 @@ func (c completedConfig) New() (*APIAggregator, error) {
 | 
			
		||||
		proxyClientCert:  c.ProxyClientCert,
 | 
			
		||||
		proxyClientKey:   c.ProxyClientKey,
 | 
			
		||||
		proxyHandlers:    map[string]*proxyHandler{},
 | 
			
		||||
		handledGroups:    sets.String{},
 | 
			
		||||
		lister:           informerFactory.Apiregistration().InternalVersion().APIServices().Lister(),
 | 
			
		||||
		serviceLister:    kubeInformers.Core().V1().Services().Lister(),
 | 
			
		||||
		endpointsLister:  kubeInformers.Core().V1().Endpoints().Lister(),
 | 
			
		||||
@@ -233,6 +237,11 @@ func (s *APIAggregator) AddAPIService(apiService *apiregistration.APIService) {
 | 
			
		||||
		return
 | 
			
		||||
	}
 | 
			
		||||
 | 
			
		||||
	// if we've already registered the path with the handler, we don't want to do it again.
 | 
			
		||||
	if s.handledGroups.Has(apiService.Spec.Group) {
 | 
			
		||||
		return
 | 
			
		||||
	}
 | 
			
		||||
 | 
			
		||||
	// it's time to register the group aggregation endpoint
 | 
			
		||||
	groupPath := "/apis/" + apiService.Spec.Group
 | 
			
		||||
	groupDiscoveryHandler := &apiGroupHandler{
 | 
			
		||||
@@ -244,7 +253,7 @@ func (s *APIAggregator) AddAPIService(apiService *apiregistration.APIService) {
 | 
			
		||||
	// aggregation is protected
 | 
			
		||||
	s.GenericAPIServer.HandlerContainer.UnlistedRoutes.Handle(groupPath, groupDiscoveryHandler)
 | 
			
		||||
	s.GenericAPIServer.HandlerContainer.UnlistedRoutes.Handle(groupPath+"/", groupDiscoveryHandler)
 | 
			
		||||
 | 
			
		||||
	s.handledGroups.Insert(apiService.Spec.Group)
 | 
			
		||||
}
 | 
			
		||||
 | 
			
		||||
// RemoveAPIService removes the APIService from being handled.  Later on it will disable the proxy endpoint.
 | 
			
		||||
 
 | 
			
		||||
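Review bot: `handledGroups` is read with `Has` and written with `Insert` inside AddAPIService with no synchronization, and `sets.String` is a plain map; whether AddAPIService can be entered from more than one goroutine is not visible in these hunks, so either the single-goroutine assumption should be stated on the field or the access guarded alongside `proxyHandlers`, which has the same exposure. The field comment could also say why the check is a pure early-return, e.g. `// handledGroups are the groups that already have a discovery route; nothing removes entries, so a group keeps its route across APIService churn`, which would explain why RemoveAPIService (only its doc comment is in the hunk; the body lies outside) is untouched by this change — if, as that comment suggests, routes are never unregistered, the set is consistent with the mux. AddAPIService's opening lines are outside the hunk as well, so what the first context line's `return` skips for a group is not reviewable here.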
							
								
								
									
										1
									
								
								vendor/BUILD
									
									
									
									
										vendored
									
									
								
							
							
						
						
									
										1
									
								
								vendor/BUILD
									
									
									
									
										vendored
									
									
								
							@@ -16454,6 +16454,7 @@ go_library(
 | 
			
		||||
        "//vendor:k8s.io/apimachinery/pkg/runtime",
 | 
			
		||||
        "//vendor:k8s.io/apimachinery/pkg/util/httpstream/spdy",
 | 
			
		||||
        "//vendor:k8s.io/apimachinery/pkg/util/runtime",
 | 
			
		||||
        "//vendor:k8s.io/apimachinery/pkg/util/sets",
 | 
			
		||||
        "//vendor:k8s.io/apimachinery/pkg/util/wait",
 | 
			
		||||
        "//vendor:k8s.io/apiserver/pkg/endpoints/filters",
 | 
			
		||||
        "//vendor:k8s.io/apiserver/pkg/endpoints/handlers/responsewriters",
 | 
			
		||||
 
 | 
			
		||||