Give the API server access to TLS certs.

Moved the cert generation to a separate salt state and put it in a more appropriate sharable location (`/srv/kubernetes/`).
2014-11-12 18:14:24 -08:00
parent e0e686896e
commit ee2f030623
10 changed files with 87 additions and 69 deletions
--- a/cluster/saltbase/salt/nginx/init.sls
+++ b/cluster/saltbase/salt/nginx/init.sls
@@ -8,45 +8,7 @@ nginx:
      - file: /etc/nginx/nginx.conf
      - file: /etc/nginx/sites-enabled/default
      - file: /usr/share/nginx/htpasswd
-      - cmd: /usr/share/nginx/server.cert
-
-{% if grains.cloud is defined %}
-  {% if grains.cloud == 'gce' %}
-    {% set cert_ip='_use_gce_external_ip_' %}
-  {% endif %}
-  {% if grains.cloud == 'aws' %}
-    {% set cert_ip='_use_aws_external_ip_' %}
-  {% endif %}
-  {% if grains.cloud == 'vagrant' %}
-    {% set cert_ip=grains.fqdn_ip4 %}
-  {% endif %}
-  {% if grains.cloud == 'vsphere' %}
-    {% set cert_ip=grains.ip_interfaces.eth0[0] %}
-  {% endif %}
-{% endif %}
-# If there is a pillar defined, override any defaults.
-{% if pillar['cert_ip'] is defined %}
-  {% set cert_ip=pillar['cert_ip'] %}
-{% endif %}
-
-{% set certgen="make-cert.sh" %}
-{% if cert_ip is defined %}
-  {% set certgen="make-ca-cert.sh" %}
-{% endif %}
-
-/usr/share/nginx/server.cert:
-  cmd.script:
-    - unless: test -f /usr/share/nginx/server.cert
-    - source: salt://nginx/{{certgen}} 
-{% if cert_ip is defined %}
-    - args: {{cert_ip}}
-    - require:
-      - pkg: curl
-{% endif %}
-    - cwd: /
-    - user: root
-    - group: root
-    - shell: /bin/bash
+      - cmd: kubernetes-cert

 /etc/nginx/nginx.conf:
  file:
--- a/cluster/saltbase/salt/nginx/kubernetes-site
+++ b/cluster/saltbase/salt/nginx/kubernetes-site
@@ -33,8 +33,8 @@ server {
        index index.html index.htm;

        ssl on;
-        ssl_certificate /usr/share/nginx/server.cert;
-        ssl_certificate_key /usr/share/nginx/server.key;
+        ssl_certificate /srv/kubernetes/server.cert;
+        ssl_certificate_key /srv/kubernetes/server.key;

        ssl_session_timeout 5m;

@@ -53,7 +53,7 @@ server {
          proxy_connect_timeout 159s;
          proxy_send_timeout   600s;
          proxy_read_timeout   600s;
-          
+
          # Disable retry
          proxy_next_upstream off;

--- a/cluster/saltbase/salt/nginx/make-ca-cert.sh
+++ b/cluster/saltbase/salt/nginx/make-ca-cert.sh
@@ -1,51 +0,0 @@
-#!/bin/bash
-
-# Copyright 2014 Google Inc. All rights reserved.
-#
-# Licensed under the Apache License, Version 2.0 (the "License");
-# you may not use this file except in compliance with the License.
-# You may obtain a copy of the License at
-#
-#     http://www.apache.org/licenses/LICENSE-2.0
-#
-# Unless required by applicable law or agreed to in writing, software
-# distributed under the License is distributed on an "AS IS" BASIS,
-# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-# See the License for the specific language governing permissions and
-# limitations under the License.
-
-set -o errexit
-set -o nounset
-set -o pipefail
-
-cert_ip=$1
-
-# TODO: Add support for discovery on other providers?
-if [ "$cert_ip" == "_use_gce_external_ip_" ]; then
-  cert_ip=$(curl -s -H Metadata-Flavor:Google http://metadata.google.internal./computeMetadata/v1/instance/network-interfaces/0/access-configs/0/external-ip)
-fi
-
-if [ "$cert_ip" == "_use_aws_external_ip_" ]; then
-  cert_ip=$(curl -s http://169.254.169.254/latest/meta-data/public-ipv4)
-fi
-
-tmpdir=$(mktemp -d --tmpdir kubernetes_cacert.XXXXXX)
-trap 'rm -rf "${tmpdir}"' EXIT
-cd "${tmpdir}"
-
-# TODO: For now, this is a patched repo that makes subject-alt-name work, when the fix is upstream
-#  move back to the upstream easyrsa
-curl -L -J -O https://github.com/brendandburns/easy-rsa/archive/master.tar.gz > /dev/null 2>&1
-tar xzf easy-rsa-master.tar.gz > /dev/null 2>&1
-
-cd easy-rsa-master/easyrsa3
-./easyrsa init-pki > /dev/null 2>&1
-./easyrsa --batch build-ca nopass > /dev/null 2>&1
-./easyrsa --subject-alt-name=IP:$cert_ip build-server-full kubernetes-master nopass > /dev/null 2>&1
-./easyrsa build-client-full kubecfg nopass > /dev/null 2>&1
-cp -p pki/issued/kubernetes-master.crt /usr/share/nginx/server.cert > /dev/null 2>&1
-cp -p pki/private/kubernetes-master.key /usr/share/nginx/server.key > /dev/null 2>&1
-cp -p pki/ca.crt /usr/share/nginx/ca.crt
-cp -p pki/issued/kubecfg.crt /usr/share/nginx/kubecfg.crt
-cp -p pki/private/kubecfg.key /usr/share/nginx/kubecfg.key
-
--- a/cluster/saltbase/salt/nginx/make-cert.sh
+++ b/cluster/saltbase/salt/nginx/make-cert.sh
@@ -1,19 +0,0 @@
-#!/bin/bash
-
-# Copyright 2014 Google Inc. All rights reserved.
-#
-# Licensed under the Apache License, Version 2.0 (the "License");
-# you may not use this file except in compliance with the License.
-# You may obtain a copy of the License at
-#
-#     http://www.apache.org/licenses/LICENSE-2.0
-#
-# Unless required by applicable law or agreed to in writing, software
-# distributed under the License is distributed on an "AS IS" BASIS,
-# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-# See the License for the specific language governing permissions and
-# limitations under the License.
-
-openssl req -new -newkey rsa:4096 -days 365 -nodes -x509 \
-  -subj "/CN=kubernetes.invalid/O=Kubernetes" \
-  -keyout /usr/share/nginx/server.key  -out /usr/share/nginx/server.cert