fix aggregator proxy client cert issue

2018-06-17 13:07:57 +08:00 · 2018-06-17 13:07:57 +08:00 · d66a5ef5ba
parent 2006eb6a5c
commit d66a5ef5ba
4 changed files with 34 additions and 4 deletions
--- a/roles/kube-master/tasks/main.yml
+++ b/roles/kube-master/tasks/main.yml
@ -24,6 +24,19 @@
        -config={{ ca_dir }}/ca-config.json \
        -profile=kubernetes kubernetes-csr.json | {{ bin_dir }}/cfssljson -bare kubernetes"

+# 创建aggregator proxy相关证书
+- name: 创建 aggregator proxy证书签名请求
+  template: src=aggregator-proxy-csr.json.j2 dest={{ ca_dir }}/aggregator-proxy-csr.json
+  when: p.stat.isreg is not defined
+
+- name: 创建 aggregator-proxy证书和私钥
+  when: p.stat.isreg is not defined
+  shell: "cd {{ ca_dir }} && {{ bin_dir }}/cfssl gencert \
+        -ca={{ ca_dir }}/ca.pem \
+        -ca-key={{ ca_dir }}/ca-key.pem \
+        -config={{ ca_dir }}/ca-config.json \
+        -profile=kubernetes aggregator-proxy-csr.json | {{ bin_dir }}/cfssljson -bare aggregator-proxy"
+
 - name: 创建 token.csv
  template: src=token.csv.j2 dest={{ ca_dir }}/token.csv

--- a/roles/kube-master/templates/aggregator-proxy-csr.json.j2
+++ b/roles/kube-master/templates/aggregator-proxy-csr.json.j2
@ -0,0 +1,17 @@
+{
+  "CN": "aggregator",
+  "hosts": [],
+  "key": {
+    "algo": "rsa",
+    "size": 2048
+  },
+  "names": [
+    {
+      "C": "CN",
+      "ST": "HangZhou",
+      "L": "XS",
+      "O": "k8s",
+      "OU": "System"
+    }
+  ]
+}
--- a/roles/kube-master/templates/kube-apiserver-v1.8.service.j2
+++ b/roles/kube-master/templates/kube-apiserver-v1.8.service.j2
@ -39,8 +39,8 @@ ExecStart={{ bin_dir }}/kube-apiserver \
  --requestheader-extra-headers-prefix=X-Remote-Extra- \
  --requestheader-group-headers=X-Remote-Group \
  --requestheader-username-headers=X-Remote-User \
-  --proxy-client-cert-file={{ ca_dir }}/admin.pem \
-  --proxy-client-key-file={{ ca_dir }}/admin-key.pem \
+  --proxy-client-cert-file={{ ca_dir }}/aggregator-proxy.pem \
+  --proxy-client-key-file={{ ca_dir }}/aggregator-proxy-key.pem \
  --enable-aggregator-routing=true \
  --v=2
 Restart=on-failure
--- a/roles/kube-master/templates/kube-apiserver.service.j2
+++ b/roles/kube-master/templates/kube-apiserver.service.j2
@ -39,8 +39,8 @@ ExecStart={{ bin_dir }}/kube-apiserver \
  --requestheader-extra-headers-prefix=X-Remote-Extra- \
  --requestheader-group-headers=X-Remote-Group \
  --requestheader-username-headers=X-Remote-User \
-  --proxy-client-cert-file={{ ca_dir }}/admin.pem \
-  --proxy-client-key-file={{ ca_dir }}/admin-key.pem \
+  --proxy-client-cert-file={{ ca_dir }}/aggregator-proxy.pem \
+  --proxy-client-key-file={{ ca_dir }}/aggregator-proxy-key.pem \
  --enable-aggregator-routing=true \
  --v=2
 Restart=on-failure