Give the API server access to TLS certs.

Moved the cert generation to a separate salt state and put it in a more appropriate sharable location (`/srv/kubernetes/`).
2014-11-12 18:14:24 -08:00
parent e0e686896e
commit ee2f030623
10 changed files with 87 additions and 69 deletions
--- a/cluster/saltbase/salt/generate-cert/init.sls
+++ b/cluster/saltbase/salt/generate-cert/init.sls
@@ -0,0 +1,38 @@
+{% if grains.cloud is defined %}
+  {% if grains.cloud == 'gce' %}
+    {% set cert_ip='_use_gce_external_ip_' %}
+  {% endif %}
+  {% if grains.cloud == 'aws' %}
+    {% set cert_ip='_use_aws_external_ip_' %}
+  {% endif %}
+  {% if grains.cloud == 'vagrant' %}
+    {% set cert_ip=grains.fqdn_ip4 %}
+  {% endif %}
+  {% if grains.cloud == 'vsphere' %}
+    {% set cert_ip=grains.ip_interfaces.eth0[0] %}
+  {% endif %}
+{% endif %}
+
+# If there is a pillar defined, override any defaults.
+{% if pillar['cert_ip'] is defined %}
+  {% set cert_ip=pillar['cert_ip'] %}
+{% endif %}
+
+{% set certgen="make-cert.sh" %}
+{% if cert_ip is defined %}
+  {% set certgen="make-ca-cert.sh" %}
+{% endif %}
+
+kubernetes-cert:
+  cmd.script:
+    - unless: test -f /srv/kubernetes/server.cert
+    - source: salt://generate-cert/{{certgen}}
+{% if cert_ip is defined %}
+    - args: {{cert_ip}}
+    - require:
+      - pkg: curl
+{% endif %}
+    - cwd: /
+    - user: root
+    - group: root
+    - shell: /bin/bash