From 80703010bdae0b29cf2a5c5babb8c35ffb667429 Mon Sep 17 00:00:00 2001 From: Matthew Mosesohn Date: Fri, 13 Jan 2017 14:03:20 +0300 Subject: [PATCH] Use only one certificate for all apiservers https://github.com/kubernetes/kubernetes/issues/25063 --- .../manifests/kube-apiserver.manifest.j2 | 6 +++--- .../manifests/kube-controller-manager.manifest.j2 | 2 +- roles/kubernetes/secrets/files/make-ssl.sh | 15 +++++++++------ roles/kubernetes/secrets/tasks/gen_certs.yml | 8 ++++---- 4 files changed, 17 insertions(+), 14 deletions(-) diff --git a/roles/kubernetes/master/templates/manifests/kube-apiserver.manifest.j2 b/roles/kubernetes/master/templates/manifests/kube-apiserver.manifest.j2 index fe9a49fa8..c05030697 100644 --- a/roles/kubernetes/master/templates/manifests/kube-apiserver.manifest.j2 +++ b/roles/kubernetes/master/templates/manifests/kube-apiserver.manifest.j2 @@ -35,10 +35,10 @@ spec: - --service-node-port-range={{ kube_apiserver_node_port_range }} - --client-ca-file={{ kube_cert_dir }}/ca.pem - --basic-auth-file={{ kube_users_dir }}/known_users.csv - - --tls-cert-file={{ kube_cert_dir }}/apiserver-{{ inventory_hostname }}.pem - - --tls-private-key-file={{ kube_cert_dir }}/apiserver-{{ inventory_hostname }}-key.pem + - --tls-cert-file={{ kube_cert_dir }}/apiserver.pem + - --tls-private-key-file={{ kube_cert_dir }}/apiserver-key.pem - --token-auth-file={{ kube_token_dir }}/known_tokens.csv - - --service-account-key-file={{ kube_cert_dir }}/apiserver-{{ inventory_hostname }}-key.pem + - --service-account-key-file={{ kube_cert_dir }}/apiserver-key.pem - --secure-port={{ kube_apiserver_port }} - --insecure-port={{ kube_apiserver_insecure_port }} {% if kube_api_runtime_config is defined %} diff --git a/roles/kubernetes/master/templates/manifests/kube-controller-manager.manifest.j2 b/roles/kubernetes/master/templates/manifests/kube-controller-manager.manifest.j2 index c604587af..49dd05ba8 100644 --- a/roles/kubernetes/master/templates/manifests/kube-controller-manager.manifest.j2 +++ b/roles/kubernetes/master/templates/manifests/kube-controller-manager.manifest.j2 @@ -23,7 +23,7 @@ spec: - controller-manager - --master={{ kube_apiserver_endpoint }} - --leader-elect=true - - --service-account-private-key-file={{ kube_cert_dir }}/apiserver-{{ inventory_hostname }}-key.pem + - --service-account-private-key-file={{ kube_cert_dir }}/apiserver-key.pem - --root-ca-file={{ kube_cert_dir }}/ca.pem - --cluster-signing-cert-file={{ kube_cert_dir }}/ca.pem - --cluster-signing-key-file={{ kube_cert_dir }}/ca-key.pem diff --git a/roles/kubernetes/secrets/files/make-ssl.sh b/roles/kubernetes/secrets/files/make-ssl.sh index 422bde6cf..4728cc6c2 100755 --- a/roles/kubernetes/secrets/files/make-ssl.sh +++ b/roles/kubernetes/secrets/files/make-ssl.sh @@ -72,14 +72,16 @@ else openssl req -x509 -new -nodes -key ca-key.pem -days 10000 -out ca.pem -subj "/CN=kube-ca" > /dev/null 2>&1 fi +if [ ! -e "$SSLDIR/ca-key.pem" ]; then + # kube-apiserver key + openssl genrsa -out apiserver-key.pem 2048 > /dev/null 2>&1 + openssl req -new -key apiserver-key.pem -out apiserver.csr -subj "/CN=kube-apiserver" -config ${CONFIG} > /dev/null 2>&1 + openssl x509 -req -in apiserver.csr -CA ca.pem -CAkey ca-key.pem -CAcreateserial -out apiserver.pem -days 365 -extensions v3_req -extfile ${CONFIG} > /dev/null 2>&1 + cat ca.pem >> apiserver.pem +fi + if [ -n "$MASTERS" ]; then for host in $MASTERS; do - # kube-apiserver key - openssl genrsa -out apiserver-${host}-key.pem 2048 > /dev/null 2>&1 - openssl req -new -key apiserver-${host}-key.pem -out apiserver-${host}.csr -subj "/CN=kube-apiserver-${host}" -config ${CONFIG} > /dev/null 2>&1 - openssl x509 -req -in apiserver-${host}.csr -CA ca.pem -CAkey ca-key.pem -CAcreateserial -out apiserver-${host}.pem -days 365 -extensions v3_req -extfile ${CONFIG} > /dev/null 2>&1 - cat ca.pem >> apiserver-${host}.pem - # admin key openssl genrsa -out admin-${host}-key.pem 2048 > /dev/null 2>&1 openssl req -new -key admin-${host}-key.pem -out admin-${host}.csr -subj "/CN=kube-admin-${host}" > /dev/null 2>&1 @@ -90,6 +92,7 @@ fi # Nodes and Admin if [ -n "$HOSTS" ]; then for host in $HOSTS; do + # node key openssl genrsa -out node-${host}-key.pem 2048 > /dev/null 2>&1 openssl req -new -key node-${host}-key.pem -out node-${host}.csr -subj "/CN=kube-node-${host}" > /dev/null 2>&1 openssl x509 -req -in node-${host}.csr -CA ca.pem -CAkey ca-key.pem -CAcreateserial -out node-${host}.pem -days 365 > /dev/null 2>&1 diff --git a/roles/kubernetes/secrets/tasks/gen_certs.yml b/roles/kubernetes/secrets/tasks/gen_certs.yml index bd652e340..545cba31f 100644 --- a/roles/kubernetes/secrets/tasks/gen_certs.yml +++ b/roles/kubernetes/secrets/tasks/gen_certs.yml @@ -39,14 +39,14 @@ {% for node in groups['kube-master'] %} 'admin-{{ node }}.pem', 'admin-{{ node }}-key.pem', - 'apiserver-{{ node }}.pem', - 'apiserver-{{ node }}-key.pem', + 'apiserver.pem', + 'apiserver-key.pem', {% endfor %}]" my_master_certs: ['ca-key.pem', 'admin-{{ inventory_hostname }}.pem', 'admin-{{ inventory_hostname }}-key.pem', - 'apiserver-{{ inventory_hostname }}.pem', - 'apiserver-{{ inventory_hostname }}-key.pem' + 'apiserver.pem', + 'apiserver-key.pem' ] all_node_certs: "['ca.pem', {% for node in groups['k8s-cluster'] %}