mirror of
https://github.com/optim-enterprises-bv/kubernetes.git
synced 2025-11-03 19:58:17 +00:00
Merge pull request #91116 from liggitt/local-up-cluster-rotation
Enable kubelet client-cert bootstrap/rotation in local-up-cluster
This commit is contained in:
Kubernetes Prow Robot
@@ -236,9 +236,8 @@ ENABLE_CONTROLLER_ATTACH_DETACH=${ENABLE_CONTROLLER_ATTACH_DETACH:-"true"} # cur
|
||||
# which should be able to be used as the CA to verify itself
|
||||
CERT_DIR=${CERT_DIR:-"/var/run/kubernetes"}
|
||||
ROOT_CA_FILE=${CERT_DIR}/server-ca.crt
|
||||
ROOT_CA_KEY=${CERT_DIR}/server-ca.key
|
||||
CLUSTER_SIGNING_CERT_FILE=${CLUSTER_SIGNING_CERT_FILE:-"${ROOT_CA_FILE}"}
|
||||
CLUSTER_SIGNING_KEY_FILE=${CLUSTER_SIGNING_KEY_FILE:-"${ROOT_CA_KEY}"}
|
||||
CLUSTER_SIGNING_CERT_FILE=${CLUSTER_SIGNING_CERT_FILE:-"${CERT_DIR}/client-ca.crt"}
|
||||
CLUSTER_SIGNING_KEY_FILE=${CLUSTER_SIGNING_KEY_FILE:-"${CERT_DIR}/client-ca.key"}
|
||||
# Reuse certs will skip generate new ca/cert files under CERT_DIR
|
||||
# it's useful with PRESERVE_ETCD=true because new ca will make existed service account secrets invalided
|
||||
REUSE_CERTS=${REUSE_CERTS:-false}
|
||||
@@ -610,6 +609,9 @@ EOF
|
||||
# Grant apiserver permission to speak to the kubelet
|
||||
${KUBECTL} --kubeconfig "${CERT_DIR}/admin.kubeconfig" create clusterrolebinding kube-apiserver-kubelet-admin --clusterrole=system:kubelet-api-admin --user=kube-apiserver
|
||||
|
||||
# Grant kubelets permission to request client certificates
|
||||
${KUBECTL} --kubeconfig "${CERT_DIR}/admin.kubeconfig" create clusterrolebinding kubelet-csr --clusterrole=system:certificates.k8s.io:certificatesigningrequests:selfnodeclient --group=system:nodes
|
||||
|
||||
${CONTROLPLANE_SUDO} cp "${CERT_DIR}/admin.kubeconfig" "${CERT_DIR}/admin-kube-aggregator.kubeconfig"
|
||||
${CONTROLPLANE_SUDO} chown "$(whoami)" "${CERT_DIR}/admin-kube-aggregator.kubeconfig"
|
||||
${KUBECTL} config set-cluster local-up-cluster --kubeconfig="${CERT_DIR}/admin-kube-aggregator.kubeconfig" --server="https://${API_HOST_IP}:31090"
|
||||
@@ -686,7 +688,7 @@ function wait_node_ready(){
|
||||
# check the nodes information after kubelet daemon start
|
||||
local nodes_stats="${KUBECTL} --kubeconfig '${CERT_DIR}/admin.kubeconfig' get nodes"
|
||||
local node_name=$HOSTNAME_OVERRIDE
|
||||
local system_node_wait_time=30
|
||||
local system_node_wait_time=60
|
||||
local interval_time=2
|
||||
kube::util::wait_for_success "$system_node_wait_time" "$interval_time" "$nodes_stats | grep $node_name"
|
||||
if [ $? == "1" ]; then
|
||||
@@ -770,7 +772,9 @@ function start_kubelet {
|
||||
"--hostname-override=${HOSTNAME_OVERRIDE}"
|
||||
"${cloud_config_arg[@]}"
|
||||
"--address=${KUBELET_HOST}"
|
||||
--kubeconfig "${CERT_DIR}"/kubelet.kubeconfig
|
||||
"--bootstrap-kubeconfig=${CERT_DIR}/kubelet.kubeconfig"
|
||||
"--kubeconfig=${CERT_DIR}/kubelet-rotated.kubeconfig"
|
||||
"--rotate-certificates=true"
|
||||
"--feature-gates=${FEATURE_GATES}"
|
||||
"--cpu-cfs-quota=${CPU_CFS_QUOTA}"
|
||||
"--enable-controller-attach-detach=${ENABLE_CONTROLLER_ATTACH_DETACH}"
|
||||
@@ -800,6 +804,9 @@ function start_kubelet {
|
||||
fi
|
||||
|
||||
if [[ "${REUSE_CERTS}" != true ]]; then
|
||||
# clear previous dynamic certs
|
||||
sudo rm -fr "/var/lib/kubelet/pki" "${CERT_DIR}/kubelet-rotated.kubeconfig"
|
||||
# create new certs
|
||||
generate_kubelet_certs
|
||||
fi
|
||||
|
||||
|
||||
Reference in New Issue
Block a user