
remove me
surajssd committed Jun 11, 2020
1 parent aee816d commit 7646867
Showing 27 changed files with 198 additions and 101 deletions.
Expand Up @@ -88,7 +88,9 @@ systemd:
--cni-conf-dir=/etc/kubernetes/cni/net.d \
--config=/etc/kubernetes/kubelet.config \
--exit-on-lock-contention \
--kubeconfig=/etc/kubernetes/kubeconfig \
--kubeconfig=/var/lib/kubelet/kubeconfig \
--bootstrap-kubeconfig=/etc/kubernetes/kubeconfig \
--rotate-certificates \
--lock-file=/var/run/lock/kubelet.lock \
--network-plugin=cni \
--node-labels=$${NODE_LABELS} \
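Review bot: After the kubelet has bootstrapped and written `/var/lib/kubelet/kubeconfig`, the file named by `--bootstrap-kubeconfig=/etc/kubernetes/kubeconfig` still holds the shared bootstrap token and stays on every node; the Ignition `files` entry that writes it is outside this hunk, so confirm it is root-owned with mode 0600 and handled like the admin kubeconfig in images and backups. The kubelet presumably falls back to that file only when its own signed certificate is no longer usable, which a comment on the unit such as `# bootstrap-kubeconfig carries the shared join token; kubeconfig is the node's own certificate after first start` would make clear to the next reader. The same applies to the other kubelet unit hunks on this page and to the kubelet Helm chart hunk. As a point of style, `--bootstrap-kubeconfig` and `--rotate-certificates` break the alphabetical flag order the rest of the list keeps.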
Expand Up @@ -62,7 +62,9 @@ systemd:
--cni-conf-dir=/etc/kubernetes/cni/net.d \
--config=/etc/kubernetes/kubelet.config \
--exit-on-lock-contention \
--kubeconfig=/etc/kubernetes/kubeconfig \
--kubeconfig=/var/lib/kubelet/kubeconfig \
--bootstrap-kubeconfig=/etc/kubernetes/kubeconfig \
--rotate-certificates \
--lock-file=/var/run/lock/kubelet.lock \
--network-plugin=cni \
--node-labels=$${NODE_LABELS} \
Expand Up @@ -84,7 +84,9 @@ systemd:
--cluster_domain=${cluster_domain_suffix} \
--cni-conf-dir=/etc/kubernetes/cni/net.d \
--exit-on-lock-contention \
--kubeconfig=/etc/kubernetes/kubeconfig \
--kubeconfig=/var/lib/kubelet/kubeconfig \
--bootstrap-kubeconfig=/etc/kubernetes/kubeconfig \
--rotate-certificates \
--lock-file=/var/run/lock/kubelet.lock \
--network-plugin=cni \
--node-labels=$${NODE_LABELS} \
Expand Up @@ -60,7 +60,9 @@ systemd:
--cluster_domain=${cluster_domain_suffix} \
--cni-conf-dir=/etc/kubernetes/cni/net.d \
--exit-on-lock-contention \
--kubeconfig=/etc/kubernetes/kubeconfig \
--kubeconfig=/var/lib/kubelet/kubeconfig \
--bootstrap-kubeconfig=/etc/kubernetes/kubeconfig \
--rotate-certificates \
--lock-file=/var/run/lock/kubelet.lock \
--network-plugin=cni \
--node-labels=$${NODE_LABELS} \
Expand Up @@ -99,7 +99,9 @@ systemd:
--config=/etc/kubernetes/kubelet.config \
--exit-on-lock-contention \
--hostname-override=${domain_name} \
--kubeconfig=/etc/kubernetes/kubeconfig \
--kubeconfig=/var/lib/kubelet/kubeconfig \
--bootstrap-kubeconfig=/etc/kubernetes/kubeconfig \
--rotate-certificates \
--lock-file=/var/run/lock/kubelet.lock \
--network-plugin=cni \
--node-labels=$${NODE_LABELS} \
Expand Up @@ -70,7 +70,9 @@ systemd:
--config=/etc/kubernetes/kubelet.config \
--exit-on-lock-contention \
--hostname-override=${domain_name} \
--kubeconfig=/etc/kubernetes/kubeconfig \
--kubeconfig=/var/lib/kubelet/kubeconfig \
--bootstrap-kubeconfig=/etc/kubernetes/kubeconfig \
--rotate-certificates \
--lock-file=/var/run/lock/kubelet.lock \
--network-plugin=cni \
--node-labels=$${NODE_LABELS} \
31 changes: 21 additions & 10 deletions assets/lokomotive-kubernetes/bootkube/assets.tf
Expand Up @@ -88,6 +88,8 @@ resource "local_file" "kubernetes" {
server = format("https://%s:%s", var.api_servers[0], var.external_apiserver_port)
serviceaccount_key = base64encode(tls_private_key.service-account.private_key_pem)
etcd_endpoints = var.etcd_endpoints
token_id = random_string.bootstrap-token-id.result
token_secret = random_string.bootstrap-token-secret.result
})
}

Expand Down Expand Up @@ -126,12 +128,6 @@ resource "template_dir" "kubelet" {
destination_dir = "${var.asset_dir}/charts/kube-system/kubelet"
}

# Generated kubeconfig for Kubelets
resource "local_file" "kubeconfig-kubelet" {
content = data.template_file.kubeconfig-kubelet.rendered
filename = "${var.asset_dir}/auth/kubeconfig-kubelet"
}

# Generated admin kubeconfig (bootkube requires it be at auth/kubeconfig)
# https://github.com/kubernetes-incubator/bootkube/blob/master/pkg/bootkube/bootkube.go#L42
resource "local_file" "kubeconfig-admin" {
Expand All @@ -145,14 +141,29 @@ resource "local_file" "kubeconfig-admin-named" {
filename = "${var.asset_dir}/auth/${var.cluster_name}-config"
}

data "template_file" "kubeconfig-kubelet" {
template = file("${path.module}/resources/kubeconfig-kubelet")
# Generate a cryptographically random token id (public)
resource random_string "bootstrap-token-id" {
length = 6
upper = false
special = false
}

# Generate a cryptographically random token secret
resource random_string "bootstrap-token-secret" {
length = 16
upper = false
special = false
}

# Generated kubeconfig to bootstrap Kubelets
data "template_file" "kubeconfig-bootstrap" {
template = file("${path.module}/resources/kubeconfig-bootstrap")

vars = {
ca_cert = base64encode(tls_self_signed_cert.kube-ca.cert_pem)
kubelet_cert = base64encode(tls_locally_signed_cert.kubelet.cert_pem)
kubelet_key = base64encode(tls_private_key.kubelet.private_key_pem)
server = format("https://%s:%s", var.api_servers[0], var.external_apiserver_port)
token_id = random_string.bootstrap-token-id.result
token_secret = random_string.bootstrap-token-secret.result
}
}

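Review bot: `random_string "bootstrap-token-secret"` is the credential that lets a holder join the cluster as a node, yet `random_string` values are shown in plan/apply output; `random_password` (added in random 2.2.0, which versions.tf now pins with `random = "~> 2.2"`) takes the same `length`/`upper`/`special` arguments and is treated as sensitive, so `resource random_password "bootstrap-token-secret" {` is a one-line change. Either way the value lives in Terraform state, so the state backend has to be protected like any other secret store. The `kubelet_cert` and `kubelet_key` entries in the `kubeconfig-bootstrap` vars map are no longer consumed by the template, which now authenticates with `token: ${token_id}.${token_secret}`; dropping them removes a dead reference to the kubelet private key. The comment on the id/secret resources could also state the format these values must satisfy, e.g. `# Bootstrap tokens are "<6 chars>.<16 chars>" over [a-z0-9]; the lower/number defaults with upper=false, special=false give that alphabet`.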
2 changes: 1 addition & 1 deletion assets/lokomotive-kubernetes/bootkube/outputs.tf
Expand Up @@ -4,7 +4,7 @@ output "cluster_dns_service_ip" {

// Generated kubeconfig for Kubelets (i.e. lower privilege than admin)
output "kubeconfig-kubelet" {
value = data.template_file.kubeconfig-kubelet.rendered
value = data.template_file.kubeconfig-bootstrap.rendered
}

// Generated kubeconfig for admins (i.e. human super-user)
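Review bot: The comment `// Generated kubeconfig for Kubelets (i.e. lower privilege than admin)` now describes a kubeconfig that carries the shared bootstrap token rather than a kubelet client certificate, and with the auto-approve binding added elsewhere in this commit that token is enough to obtain a node identity, so the value's security class changed even though the output name stayed `kubeconfig-kubelet` for callers. Update the comment to something like `// Generated bootstrap kubeconfig for Kubelets (bootstrap token, exchanged for a node certificate via TLS bootstrap)` and add `sensitive = true` inside the output block so the token is not echoed by `terraform output` or in plan diffs.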
Expand Up @@ -15,11 +15,12 @@ spec:
- --advertise-address=$(POD_IP)
- --allow-privileged=true
- --anonymous-auth=false
- --authorization-mode=RBAC
- --authorization-mode=Node,RBAC
- --bind-address=0.0.0.0
- --client-ca-file=/etc/kubernetes/secrets/ca.crt
- --cloud-provider=${cloud_provider}
- --enable-admission-plugins=NamespaceLifecycle,LimitRanger,ServiceAccount,DefaultTolerationSeconds,DefaultStorageClass,MutatingAdmissionWebhook,ValidatingAdmissionWebhook,ResourceQuota,Priority,PodSecurityPolicy
- --enable-admission-plugins=NamespaceLifecycle,LimitRanger,ServiceAccount,DefaultTolerationSeconds,DefaultStorageClass,MutatingAdmissionWebhook,ValidatingAdmissionWebhook,ResourceQuota,Priority,PodSecurityPolicy,NodeRestriction
- --enable-bootstrap-token-auth=true
- --etcd-cafile=/etc/kubernetes/secrets/etcd-client-ca.crt
- --etcd-certfile=/etc/kubernetes/secrets/etcd-client.crt
- --etcd-keyfile=/etc/kubernetes/secrets/etcd-client.key
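Review bot: With `--authorization-mode=Node,RBAC` and `NodeRestriction` in the admission list, a kubelet is authorized only when its client certificate identifies it as `system:node:<node-name>` in group `system:nodes`, which the TLS-bootstrap flow introduced in this commit yields; the shared kubelet certificate still signed in assets.tf (`tls_locally_signed_cert.kubelet`, referenced in the bootstrap vars) presumably does not carry that subject, so confirm nothing else still authenticates with it, otherwise the Node authorizer denies those requests. A short comment above the flag, e.g. `# Node authorizer: kubelets must present a system:node:<name> certificate obtained through TLS bootstrap`, would record that dependency. The two apiserver hunks in the Helm chart section further down make the same change and the same caveat applies there.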
Expand Up @@ -18,6 +18,8 @@ spec:
- --cluster-signing-cert-file=/etc/kubernetes/secrets/ca.crt
- --cluster-signing-key-file=/etc/kubernetes/secrets/ca.key
- --configure-cloud-routes=false
- --controllers=*,tokencleaner,bootstrapsigner
- --experimental-cluster-signing-duration=1h
- --kubeconfig=/etc/kubernetes/secrets/kubeconfig
- --leader-elect=true
- --root-ca-file=/etc/kubernetes/secrets/ca.crt
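Review bot: `--controllers=*,tokencleaner,bootstrapsigner` is inert for the token this commit creates: `tokencleaner` removes only bootstrap token Secrets whose `expiration` has passed, and the Secret added in this commit sets none, while `bootstrapsigner` signs the `cluster-info` ConfigMap only for tokens with `usage-bootstrap-signing`, which is also not set. Either add those fields to the Secret or say why the controllers are on, e.g. `# tokencleaner/bootstrapsigner act only on tokens carrying expiration / usage-bootstrap-signing; enabled for manually created tokens`. `--experimental-cluster-signing-duration=1h` makes every kubelet client certificate expire after an hour, so a control-plane outage longer than that may leave kubelets falling back to the never-expiring bootstrap token; that coupling deserves a comment next to the flag. The controller-manager hunk in the Helm chart section below adds the same two flags.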
Expand Up @@ -83,11 +83,12 @@ spec:
--advertise-address=$(POD_IP) \
--allow-privileged=true \
--anonymous-auth=false \
--authorization-mode=RBAC \
--authorization-mode=Node,RBAC \
--bind-address=$(cat /run/kube-apiserver/address) \
--client-ca-file=/etc/kubernetes/secrets/ca.crt \
--cloud-provider={{ .Values.apiserver.cloudProvider }} \
--enable-admission-plugins=NamespaceLifecycle,LimitRanger,ServiceAccount,DefaultTolerationSeconds,DefaultStorageClass,MutatingAdmissionWebhook,ValidatingAdmissionWebhook,ResourceQuota,Priority,PodSecurityPolicy \
--enable-admission-plugins=NamespaceLifecycle,LimitRanger,ServiceAccount,DefaultTolerationSeconds,DefaultStorageClass,MutatingAdmissionWebhook,ValidatingAdmissionWebhook,ResourceQuota,Priority,PodSecurityPolicy,NodeRestriction \
--enable-bootstrap-token-auth=true \
--etcd-cafile=/etc/kubernetes/secrets/etcd-client-ca.crt \
--etcd-certfile=/etc/kubernetes/secrets/etcd-client.crt \
--etcd-keyfile=/etc/kubernetes/secrets/etcd-client.key \
Expand Down Expand Up @@ -119,11 +120,12 @@ spec:
- --advertise-address=$(POD_IP)
- --allow-privileged=true
- --anonymous-auth=false
- --authorization-mode=RBAC
- --authorization-mode=Node,RBAC
- --bind-address=0.0.0.0
- --client-ca-file=/etc/kubernetes/secrets/ca.crt
- --cloud-provider={{ .Values.apiserver.cloudProvider }}
- --enable-admission-plugins=NamespaceLifecycle,LimitRanger,ServiceAccount,DefaultTolerationSeconds,DefaultStorageClass,MutatingAdmissionWebhook,ValidatingAdmissionWebhook,ResourceQuota,Priority,PodSecurityPolicy
- --enable-admission-plugins=NamespaceLifecycle,LimitRanger,ServiceAccount,DefaultTolerationSeconds,DefaultStorageClass,MutatingAdmissionWebhook,ValidatingAdmissionWebhook,ResourceQuota,Priority,PodSecurityPolicy,NodeRestriction
- --enable-bootstrap-token-auth=true
- --etcd-cafile=/etc/kubernetes/secrets/etcd-client-ca.crt
- --etcd-certfile=/etc/kubernetes/secrets/etcd-client.crt
- --etcd-keyfile=/etc/kubernetes/secrets/etcd-client.key
Expand Up @@ -39,7 +39,9 @@ spec:
--cluster_domain={{ .Values.clusterDomain }} \
--cni-conf-dir=/etc/kubernetes/cni/net.d \
--config=/etc/kubernetes/kubelet.config \
--kubeconfig=/etc/kubernetes/kubeconfig \
--kubeconfig=/var/lib/kubelet/kubeconfig \
--bootstrap-kubeconfig=/etc/kubernetes/kubeconfig \
--rotate-certificates \
--lock-file=/var/run/lock/kubelet.lock \
--network-plugin=cni \
--pod-manifest-path=/etc/kubernetes/manifests \
Expand Up @@ -17,6 +17,8 @@ kubeScheduler:
controlPlaneReplicas: ${control_plane_replicas}
kubeConfigInCluster:
server: ${server}
tokenID: ${token_id}
tokenSecret: ${token_secret}
coredns:
clusterDomainSuffix: ${cluster_domain_suffix}
controlPlaneReplicas: ${control_plane_replicas}
@@ -0,0 +1,41 @@
# enable bootstrapping nodes to create CSR
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
name: create-csrs-for-bootstrapping
subjects:
- kind: Group
name: system:bootstrappers
apiGroup: rbac.authorization.k8s.io
roleRef:
kind: ClusterRole
name: system:node-bootstrapper
apiGroup: rbac.authorization.k8s.io
---
# Approve all CSRs for the group "system:bootstrappers"
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
name: auto-approve-csrs-for-group
subjects:
- kind: Group
name: system:bootstrappers
apiGroup: rbac.authorization.k8s.io
roleRef:
kind: ClusterRole
name: system:certificates.k8s.io:certificatesigningrequests:nodeclient
apiGroup: rbac.authorization.k8s.io
---
# Approve renewal CSRs for the group "system:nodes"
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
name: auto-approve-renewals-for-nodes
subjects:
- kind: Group
name: system:nodes
apiGroup: rbac.authorization.k8s.io
roleRef:
kind: ClusterRole
name: system:certificates.k8s.io:certificatesigningrequests:selfnodeclient
apiGroup: rbac.authorization.k8s.io
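Review bot: `auto-approve-csrs-for-group` binds the entire `system:bootstrappers` group to `system:certificates.k8s.io:certificatesigningrequests:nodeclient`, so every bootstrap token in the cluster, not only the one generated by this commit, is auto-approved for a node client certificate; possession of any such token is then sufficient to obtain a node identity. Scoping the binding to an extra group set on the Secret via `auth-extra-groups` (for example `system:bootstrappers:lokomotive:default-node-token`, a constructed name) keeps later ad-hoc tokens out of the automatic path; the `system:nodes` renewal binding is what `--rotate-certificates` relies on and is fine as written. The header comments could state the consequence, e.g. `# Auto-approval: holding the bootstrap token is enough to join as a node; keep the token secret and scoped`.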
@@ -0,0 +1,12 @@
apiVersion: v1
kind: Secret
type: bootstrap.kubernetes.io/token
metadata:
# Name MUST be of form "bootstrap-token-<token_id>"
name: bootstrap-token-{{ .Values.kubeConfigInCluster.tokenID }}
namespace: kube-system
stringData:
description: "Lokomotive generated bootstrap token"
token-id: {{ .Values.kubeConfigInCluster.tokenID }}
token-secret: {{ .Values.kubeConfigInCluster.tokenSecret }}
usage-bootstrap-authentication: "true"
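Review bot: The Secret has no `expiration` field, so the token stays valid indefinitely and the `tokencleaner` controller enabled in the controller-manager hunks will never remove it; this looks intentional because the same kubeconfig is presumably baked into Ignition for nodes that join later, but the trade-off should be written down, e.g. `# No expiration: nodes joining later (scale-up, replacement) use this same token; rotate it by re-applying with a new tokenID/tokenSecret`. With the chart's default values (`tokenID:` and `tokenSecret:` left empty in the values.yaml hunk below) this template renders `name: bootstrap-token-` and an empty token, which fails at apply time with an invalid name rather than at template time; `name: bootstrap-token-{{ required "kubeConfigInCluster.tokenID must be set" .Values.kubeConfigInCluster.tokenID }}` makes the omission explicit.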
Expand Up @@ -60,6 +60,8 @@ spec:
- --cluster-signing-cert-file=/etc/kubernetes/secrets/ca.crt
- --cluster-signing-key-file=/etc/kubernetes/secrets/ca.key
- --configure-cloud-routes=false
- --controllers=*,tokencleaner,bootstrapsigner
- --experimental-cluster-signing-duration=1h
- --leader-elect=true
- --flex-volume-plugin-dir=/var/lib/kubelet/volumeplugins
- --pod-eviction-timeout=1m

This file was deleted.

Expand Up @@ -17,6 +17,8 @@ kubeScheduler:
controlPlaneReplicas: 1
kubeConfigInCluster:
server:
tokenID:
tokenSecret:
coredns:
clusterDomainSuffix: cluster.local
controlPlaneReplicas: 1
Expand Up @@ -8,8 +8,7 @@ clusters:
users:
- name: kubelet
user:
client-certificate-data: ${kubelet_cert}
client-key-data: ${kubelet_key}
token: ${token_id}.${token_secret}
contexts:
- context:
cluster: local
1 change: 1 addition & 0 deletions assets/lokomotive-kubernetes/bootkube/versions.tf
Expand Up @@ -6,5 +6,6 @@ terraform {
local = "~> 1.2"
template = "~> 2.1"
tls = "~> 2.0"
random = "~> 2.2"
}
}
Expand Up @@ -85,7 +85,9 @@ systemd:
--cluster_domain=${cluster_domain_suffix} \
--cni-conf-dir=/etc/kubernetes/cni/net.d \
--exit-on-lock-contention \
--kubeconfig=/etc/kubernetes/kubeconfig \
--kubeconfig=/var/lib/kubelet/kubeconfig \
--bootstrap-kubeconfig=/etc/kubernetes/kubeconfig \
--rotate-certificates \
--lock-file=/var/run/lock/kubelet.lock \
--network-plugin=cni \
--node-labels=$${NODE_LABELS} \
Expand Up @@ -56,7 +56,9 @@ systemd:
--cluster_domain=${cluster_domain_suffix} \
--cni-conf-dir=/etc/kubernetes/cni/net.d \
--exit-on-lock-contention \
--kubeconfig=/etc/kubernetes/kubeconfig \
--kubeconfig=/var/lib/kubelet/kubeconfig \
--bootstrap-kubeconfig=/etc/kubernetes/kubeconfig \
--rotate-certificates \
--lock-file=/var/run/lock/kubelet.lock \
--network-plugin=cni \
--node-labels=$${NODE_LABELS} \
Expand Up @@ -86,7 +86,9 @@ systemd:
--cni-conf-dir=/etc/kubernetes/cni/net.d \
--config=/etc/kubernetes/kubelet.config \
--exit-on-lock-contention \
--kubeconfig=/etc/kubernetes/kubeconfig \
--kubeconfig=/var/lib/kubelet/kubeconfig \
--bootstrap-kubeconfig=/etc/kubernetes/kubeconfig \
--rotate-certificates \
--lock-file=/var/run/lock/kubelet.lock \
--hostname-override=${etcd_domain} \
--network-plugin=cni \
Expand Up @@ -63,7 +63,9 @@ systemd:
--cni-conf-dir=/etc/kubernetes/cni/net.d \
--config=/etc/kubernetes/kubelet.config \
--exit-on-lock-contention \
--kubeconfig=/etc/kubernetes/kubeconfig \
--kubeconfig=/var/lib/kubelet/kubeconfig \
--bootstrap-kubeconfig=/etc/kubernetes/kubeconfig \
--rotate-certificates \
--lock-file=/var/run/lock/kubelet.lock \
--network-plugin=cni \
--node-labels=$${NODE_LABELS} \
Expand Up @@ -122,7 +122,9 @@ systemd:
--cni-conf-dir=/etc/kubernetes/cni/net.d \
--config=/etc/kubernetes/kubelet.config \
--exit-on-lock-contention \
--kubeconfig=/etc/kubernetes/kubeconfig \
--kubeconfig=/var/lib/kubelet/kubeconfig \
--bootstrap-kubeconfig=/etc/kubernetes/kubeconfig \
--rotate-certificates \
--lock-file=/var/run/lock/kubelet.lock \
--network-plugin=cni \
--node-labels=$${NODE_LABELS} \
Expand Up @@ -98,7 +98,9 @@ systemd:
--cni-conf-dir=/etc/kubernetes/cni/net.d \
--config=/etc/kubernetes/kubelet.config \
--exit-on-lock-contention \
--kubeconfig=/etc/kubernetes/kubeconfig \
--kubeconfig=/var/lib/kubelet/kubeconfig \
--bootstrap-kubeconfig=/etc/kubernetes/kubeconfig \
--rotate-certificates \
--lock-file=/var/run/lock/kubelet.lock \
--network-plugin=cni \
--node-labels=$${NODE_LABELS} \
