Merge "Add customer-specified certificates for kubernetes"
commit
fdaa59c6a8
|
@ -17,6 +17,7 @@ class platform::kubernetes::params (
|
||||||
$k8s_nodeset = undef,
|
$k8s_nodeset = undef,
|
||||||
$k8s_reserved_cpus = undef,
|
$k8s_reserved_cpus = undef,
|
||||||
$k8s_reserved_mem = undef,
|
$k8s_reserved_mem = undef,
|
||||||
|
$apiserver_cert_san = []
|
||||||
|
|
||||||
) { }
|
) { }
|
||||||
|
|
||||||
|
@ -189,6 +190,8 @@ class platform::kubernetes::master::init
|
||||||
6 => '::1',
|
6 => '::1',
|
||||||
}
|
}
|
||||||
|
|
||||||
|
$apiserver_certsans = concat($apiserver_cert_san, $apiserver_loopback_address, $apiserver_advertise_address)
|
||||||
|
|
||||||
# This is used for imageRepository in template kubeadm.yaml.erb
|
# This is used for imageRepository in template kubeadm.yaml.erb
|
||||||
if $::platform::docker::params::k8s_registry {
|
if $::platform::docker::params::k8s_registry {
|
||||||
$k8s_registry = $::platform::docker::params::k8s_registry
|
$k8s_registry = $::platform::docker::params::k8s_registry
|
||||||
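Review bot: The list built at `$apiserver_certsans = concat($apiserver_cert_san, $apiserver_loopback_address, $apiserver_advertise_address)` in the master::init hunk is not de-duplicated, so an operator who includes the advertise or loopback address in the customer list produces repeated certSANs entries in kubeadm.yaml; `$apiserver_certsans = unique(concat($apiserver_cert_san, $apiserver_loopback_address, $apiserver_advertise_address))` keeps the list clean, and `unique` ships in the same stdlib module as `concat`. The new parameter `$apiserver_cert_san = []` in the params hunk has no comment explaining where it comes from; I would add `# Operator-supplied extra Subject Alternative Names for the API server certificate (kubernetes/certificates service parameter)`. Both classes continue outside their hunks.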
@ -3,28 +3,32 @@ kind: InitConfiguration
|
||||||
apiEndpoint:
|
apiEndpoint:
|
||||||
advertiseAddress: <%= @apiserver_advertise_address %>
|
advertiseAddress: <%= @apiserver_advertise_address %>
|
||||||
---
|
---
|
||||||
apiVersion: kubeadm.k8s.io/v1alpha3
|
apiVersion: kubeadm.k8s.io/v1beta1
|
||||||
kind: ClusterConfiguration
|
kind: ClusterConfiguration
|
||||||
kubernetesVersion: 1.13.5
|
kubernetesVersion: 1.13.5
|
||||||
|
|
||||||
|
apiServer:
|
||||||
|
certSANs:
|
||||||
|
<% @apiserver_certsans.each do |item| -%>
|
||||||
|
- <%= item %>
|
||||||
|
<% end -%>
|
||||||
|
extraArgs:
|
||||||
|
default-not-ready-toleration-seconds: "30"
|
||||||
|
default-unreachable-toleration-seconds: "30"
|
||||||
|
controllerManager:
|
||||||
|
extraArgs:
|
||||||
|
node-monitor-period: "2s"
|
||||||
|
node-monitor-grace-period: "20s"
|
||||||
|
pod-eviction-timeout: "30s"
|
||||||
etcd:
|
etcd:
|
||||||
external:
|
external:
|
||||||
endpoints:
|
endpoints:
|
||||||
- <%= @etcd_endpoint %>
|
- <%= @etcd_endpoint %>
|
||||||
apiServerExtraArgs:
|
imageRepository: "<%= @k8s_registry %>"
|
||||||
default-not-ready-toleration-seconds: "30"
|
|
||||||
default-unreachable-toleration-seconds: "30"
|
|
||||||
apiServerCertSANs:
|
|
||||||
- "<%= @apiserver_advertise_address %>"
|
|
||||||
- "<%= @apiserver_loopback_address %>"
|
|
||||||
networking:
|
networking:
|
||||||
dnsDomain: <%= @service_domain %>
|
dnsDomain: <%= @service_domain %>
|
||||||
podSubnet: <%= @pod_network_cidr %>
|
podSubnet: <%= @pod_network_cidr %>
|
||||||
serviceSubnet: <%= @service_network_cidr %>
|
serviceSubnet: <%= @service_network_cidr %>
|
||||||
controllerManagerExtraArgs:
|
|
||||||
node-monitor-period: "2s"
|
|
||||||
node-monitor-grace-period: "20s"
|
|
||||||
pod-eviction-timeout: "30s"
|
|
||||||
imageRepository: "<%= @k8s_registry %>"
|
|
||||||
---
|
---
|
||||||
kind: KubeletConfiguration
|
kind: KubeletConfiguration
|
||||||
apiVersion: kubelet.config.k8s.io/v1beta1
|
apiVersion: kubelet.config.k8s.io/v1beta1
|
||||||
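Review bot: The loop body `- <%= item %>` under certSANs emits each entry unquoted, whereas the two lines it replaces (`- "<%= @apiserver_advertise_address %>"`, `- "<%= @apiserver_loopback_address %>"`) were quoted; a loopback literal such as `::1` begins with a YAML indicator character, and leaving operator-supplied values unquoted makes the document's shape depend entirely on the validator upstream. Quoting the item, `- "<%= item %>"`, preserves the earlier behaviour at no cost. Separately, the hunk moves only the ClusterConfiguration document to `kubeadm.k8s.io/v1beta1`; the InitConfiguration header on the file's first two lines is outside the hunk, and if it is still v1alpha3 note that v1beta1 renames its `apiEndpoint` key to `localAPIEndpoint`, so migrating both documents together avoids a mixed-version file.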
@ -910,6 +910,7 @@ SERVICE_TYPE_BARBICAN = 'barbican'
|
||||||
SERVICE_TYPE_DOCKER = 'docker'
|
SERVICE_TYPE_DOCKER = 'docker'
|
||||||
SERVICE_TYPE_HTTP = 'http'
|
SERVICE_TYPE_HTTP = 'http'
|
||||||
SERVICE_TYPE_OPENSTACK = 'openstack'
|
SERVICE_TYPE_OPENSTACK = 'openstack'
|
||||||
|
SERVICE_TYPE_KUBERNETES = 'kubernetes'
|
||||||
|
|
||||||
SERVICE_PARAM_SECTION_IDENTITY_CONFIG = 'config'
|
SERVICE_PARAM_SECTION_IDENTITY_CONFIG = 'config'
|
||||||
|
|
||||||
|
@ -968,6 +969,10 @@ SERVICE_PARAM_NAME_DOCKER_DOCKER_REGISTRY = 'docker'
|
||||||
SERVICE_PARAM_NAME_DOCKER_REGISTRIES = 'registries'
|
SERVICE_PARAM_NAME_DOCKER_REGISTRIES = 'registries'
|
||||||
SERVICE_PARAM_NAME_DOCKER_INSECURE_REGISTRY = 'insecure_registry'
|
SERVICE_PARAM_NAME_DOCKER_INSECURE_REGISTRY = 'insecure_registry'
|
||||||
|
|
||||||
|
# kubernetes parameters
|
||||||
|
SERVICE_PARAM_SECTION_KUBERNETES_CERTIFICATES = 'certificates'
|
||||||
|
SERVICE_PARAM_NAME_KUBERNETES_API_SAN_LIST = 'apiserver_certsan'
|
||||||
|
|
||||||
# default filesystem size to 25 MB
|
# default filesystem size to 25 MB
|
||||||
SERVICE_PARAM_SWIFT_FS_SIZE_MB_DEFAULT = 25
|
SERVICE_PARAM_SWIFT_FS_SIZE_MB_DEFAULT = 25
|
||||||
|
|
||||||
|
@ -1199,6 +1204,8 @@ SSL_CERT_CA_DIR = "/etc/pki/ca-trust/source/anchors/"
|
||||||
SSL_CERT_CA_FILE = os.path.join(SSL_CERT_CA_DIR, CERT_CA_FILE)
|
SSL_CERT_CA_FILE = os.path.join(SSL_CERT_CA_DIR, CERT_CA_FILE)
|
||||||
SSL_CERT_CA_FILE_SHARED = os.path.join(tsc.CONFIG_PATH, CERT_CA_FILE)
|
SSL_CERT_CA_FILE_SHARED = os.path.join(tsc.CONFIG_PATH, CERT_CA_FILE)
|
||||||
|
|
||||||
|
KUBERNETES_PKI_SHARED_DIR = os.path.join(tsc.CONFIG_PATH, "kubernetes/pki")
|
||||||
|
|
||||||
CERT_OPENSTACK_DIR = "/etc/ssl/private/openstack"
|
CERT_OPENSTACK_DIR = "/etc/ssl/private/openstack"
|
||||||
CERT_OPENSTACK_SHARED_DIR = os.path.join(tsc.CONFIG_PATH, 'openstack')
|
CERT_OPENSTACK_SHARED_DIR = os.path.join(tsc.CONFIG_PATH, 'openstack')
|
||||||
OPENSTACK_CERT_FILE = os.path.join(CERT_OPENSTACK_DIR, CERT_FILE)
|
OPENSTACK_CERT_FILE = os.path.join(CERT_OPENSTACK_DIR, CERT_FILE)
|
||||||
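Review bot: The new constant `SERVICE_PARAM_NAME_KUBERNETES_API_SAN_LIST = 'apiserver_certsan'` in the second hunk introduces a third spelling of one concept (`apiserver_certsan` for the service parameter, `apiserver_cert_san` for the Puppet parameter and `apiserver_certsans` in the template), which makes tracing a user-visible name to its hiera key harder than it needs to be. The parameter value is user-facing so renaming may already be off the table, but the `# kubernetes parameters` comment should at least state the accepted format: `# apiserver_certsan: comma-separated IP addresses or hostnames added as SANs to the API server certificate`. The `KUBERNETES_PKI_SHARED_DIR` line in the third hunk deserves a similar one-liner noting that the directory holds the CA and service-account private keys, since the Puppet code in this commit reads `ca.key` and `sa.key` from it.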
@ -129,6 +129,25 @@ def _validate_read_only(name, value):
|
||||||
"Parameter '%s' is readonly" % name))
|
"Parameter '%s' is readonly" % name))
|
||||||
|
|
||||||
|
|
||||||
|
def _validate_SAN_list(name, value):
|
||||||
|
"""
|
||||||
|
Validate list of Subject Alternative Name for x509 certificates. Each entry
|
||||||
|
must be an IP address or domain name
|
||||||
|
For example:
|
||||||
|
"localhost.localdomain,192.168.204.2,controller"
|
||||||
|
"""
|
||||||
|
san_entries = value.split(',')
|
||||||
|
if len(san_entries) == 0:
|
||||||
|
raise wsme.exc.ClientSideError(_(
|
||||||
|
"No values provided for '%s'" % name))
|
||||||
|
|
||||||
|
for entry in san_entries:
|
||||||
|
if not cutils.is_valid_domain_or_ip(entry):
|
||||||
|
raise wsme.exc.ClientSideError(_(
|
||||||
|
"The value provided is not a domain name or IP address. (%s)"
|
||||||
|
% entry))
|
||||||
|
|
||||||
|
|
||||||
def _get_network_pool_from_ip_address(ip, networks):
|
def _get_network_pool_from_ip_address(ip, networks):
|
||||||
for name in networks:
|
for name in networks:
|
||||||
try:
|
try:
|
||||||
|
@ -464,6 +483,23 @@ DOCKER_REGISTRY_PARAMETER_RESOURCE = {
|
||||||
'platform::docker::params::insecure_registry',
|
'platform::docker::params::insecure_registry',
|
||||||
}
|
}
|
||||||
|
|
||||||
|
KUBERNETES_CERTIFICATES_PARAMETER_OPTIONAL = [
|
||||||
|
constants.SERVICE_PARAM_NAME_KUBERNETES_API_SAN_LIST,
|
||||||
|
]
|
||||||
|
|
||||||
|
KUBERNETES_CERTIFICATES_PARAMETER_VALIDATOR = {
|
||||||
|
constants.SERVICE_PARAM_NAME_KUBERNETES_API_SAN_LIST: _validate_SAN_list,
|
||||||
|
}
|
||||||
|
|
||||||
|
KUBERNETES_CERTIFICATES_PARAMETER_RESOURCE = {
|
||||||
|
constants.SERVICE_PARAM_NAME_KUBERNETES_API_SAN_LIST:
|
||||||
|
'platform::kubernetes::params::apiserver_cert_san',
|
||||||
|
}
|
||||||
|
|
||||||
|
KUBERNETES_CERTIFICATES_PARAMETER_DATA_FORMAT = {
|
||||||
|
constants.SERVICE_PARAM_NAME_KUBERNETES_API_SAN_LIST: SERVICE_PARAMETER_DATA_FORMAT_ARRAY,
|
||||||
|
}
|
||||||
|
|
||||||
HTTPD_PORT_PARAMETER_OPTIONAL = [
|
HTTPD_PORT_PARAMETER_OPTIONAL = [
|
||||||
constants.SERVICE_PARAM_HTTP_PORT_HTTP,
|
constants.SERVICE_PARAM_HTTP_PORT_HTTP,
|
||||||
constants.SERVICE_PARAM_HTTP_PORT_HTTPS,
|
constants.SERVICE_PARAM_HTTP_PORT_HTTPS,
|
||||||
|
@ -548,6 +584,14 @@ SERVICE_PARAMETER_SCHEMA = {
|
||||||
SERVICE_PARAM_RESOURCE: DOCKER_REGISTRY_PARAMETER_RESOURCE,
|
SERVICE_PARAM_RESOURCE: DOCKER_REGISTRY_PARAMETER_RESOURCE,
|
||||||
},
|
},
|
||||||
},
|
},
|
||||||
|
constants.SERVICE_TYPE_KUBERNETES: {
|
||||||
|
constants.SERVICE_PARAM_SECTION_KUBERNETES_CERTIFICATES: {
|
||||||
|
SERVICE_PARAM_OPTIONAL: KUBERNETES_CERTIFICATES_PARAMETER_OPTIONAL,
|
||||||
|
SERVICE_PARAM_VALIDATOR: KUBERNETES_CERTIFICATES_PARAMETER_VALIDATOR,
|
||||||
|
SERVICE_PARAM_RESOURCE: KUBERNETES_CERTIFICATES_PARAMETER_RESOURCE,
|
||||||
|
SERVICE_PARAM_DATA_FORMAT: KUBERNETES_CERTIFICATES_PARAMETER_DATA_FORMAT,
|
||||||
|
},
|
||||||
|
},
|
||||||
constants.SERVICE_TYPE_HTTP: {
|
constants.SERVICE_TYPE_HTTP: {
|
||||||
constants.SERVICE_PARAM_SECTION_HTTP_CONFIG: {
|
constants.SERVICE_PARAM_SECTION_HTTP_CONFIG: {
|
||||||
SERVICE_PARAM_OPTIONAL: HTTPD_PORT_PARAMETER_OPTIONAL,
|
SERVICE_PARAM_OPTIONAL: HTTPD_PORT_PARAMETER_OPTIONAL,
|
||||||
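Review bot: In `_validate_SAN_list` (first hunk of this section) the `if len(san_entries) == 0:` branch is unreachable, because `str.split(',')` always returns at least one element (`''.split(',')` is `['']`), so an empty value falls through to the loop and is reported as "not a domain name or IP address" rather than "No values provided"; replacing the check with `if not value.strip():` before the split restores the intended message. Whitespace around commas (`a, b`) is also passed straight to `cutils.is_valid_domain_or_ip`; whether that helper tolerates a leading space is not visible here, and since `SERVICE_PARAMETER_DATA_FORMAT_ARRAY` presumably splits the stored string the same way, either strip consistently or state in the docstring that no spaces are allowed. Minor style point: the other validators in this file are snake_case (`_validate_read_only`), so `_validate_san_list` would match.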
@ -53,19 +53,21 @@ class KubernetesPuppet(base.BasePuppet):
|
||||||
|
|
||||||
def get_secure_system_config(self):
|
def get_secure_system_config(self):
|
||||||
config = {}
|
config = {}
|
||||||
# This is retrieving the certificates that 'kubeadm init'
|
# This retrieves the certificates that were used during the bootstrap
|
||||||
# generated. We will want to change this to generate the
|
# ansible playbook.
|
||||||
# certificates ourselves, store in hiera and then feed those
|
if os.path.exists(constants.KUBERNETES_PKI_SHARED_DIR):
|
||||||
# back into 'kubeadm init'.
|
|
||||||
if os.path.exists('/etc/kubernetes/pki/ca.crt'):
|
|
||||||
# Store required certificates in configuration.
|
# Store required certificates in configuration.
|
||||||
with open('/etc/kubernetes/pki/ca.crt', 'r') as f:
|
with open(os.path.join(
|
||||||
|
constants.KUBERNETES_PKI_SHARED_DIR, 'ca.crt'), 'r') as f:
|
||||||
ca_crt = f.read()
|
ca_crt = f.read()
|
||||||
with open('/etc/kubernetes/pki/ca.key', 'r') as f:
|
with open(os.path.join(
|
||||||
|
constants.KUBERNETES_PKI_SHARED_DIR, 'ca.key'), 'r') as f:
|
||||||
ca_key = f.read()
|
ca_key = f.read()
|
||||||
with open('/etc/kubernetes/pki/sa.key', 'r') as f:
|
with open(os.path.join(
|
||||||
|
constants.KUBERNETES_PKI_SHARED_DIR, 'sa.key'), 'r') as f:
|
||||||
sa_key = f.read()
|
sa_key = f.read()
|
||||||
with open('/etc/kubernetes/pki/sa.pub', 'r') as f:
|
with open(os.path.join(
|
||||||
|
constants.KUBERNETES_PKI_SHARED_DIR, 'sa.pub'), 'r') as f:
|
||||||
sa_pub = f.read()
|
sa_pub = f.read()
|
||||||
config.update(
|
config.update(
|
||||||
{'platform::kubernetes::params::ca_crt': ca_crt,
|
{'platform::kubernetes::params::ca_crt': ca_crt,
|
||||||
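Review bot: The guard now tests `os.path.exists(constants.KUBERNETES_PKI_SHARED_DIR)` but the block then opens four specific files inside it, so a directory that exists without `ca.crt` (for example while the bootstrap playbook is still populating it) turns the previous graceful skip into an unhandled IOError from `open`; the old code tested the file itself. Checking the first file, `if os.path.exists(os.path.join(constants.KUBERNETES_PKI_SHARED_DIR, 'ca.crt')):`, keeps that behaviour, and since the four reads differ only by filename a small read helper would shorten the block. The block also loads `ca.key` and `sa.key`, i.e. private key material, into the returned config; that is pre-existing behaviour, but the rewritten comment should say so, e.g. `# Includes the CA and service-account private keys; presumably consumed only as secure hiera data.` The method continues outside the hunk.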