From 90b26465d7d377b067e65a990461171ad41cdaaf Mon Sep 17 00:00:00 2001 From: Mike Danese Date: Mon, 27 Feb 2017 15:06:11 -0800 Subject: [PATCH] fix upgrades --- cluster/common.sh | 2 + cluster/gce/configure-vm.sh | 5 ++- cluster/gce/gci/configure-helper.sh | 38 ++++++++++--------- .../kube-apiserver/kube-apiserver.manifest | 4 +- 4 files changed, 28 insertions(+), 21 deletions(-) diff --git a/cluster/common.sh b/cluster/common.sh index c067d31fffaf..89eabf293c0a 100755 --- a/cluster/common.sh +++ b/cluster/common.sh @@ -1073,6 +1073,8 @@ function parse-master-env() { EXTRA_DOCKER_OPTS=$(get-env-val "${master_env}" "EXTRA_DOCKER_OPTS") KUBELET_CERT_BASE64=$(get-env-val "${master_env}" "KUBELET_CERT") KUBELET_KEY_BASE64=$(get-env-val "${master_env}" "KUBELET_KEY") + MASTER_CERT_BASE64=$(get-env-val "${master_env}" "MASTER_CERT") + MASTER_KEY_BASE64=$(get-env-val "${master_env}" "MASTER_KEY") } # Update or verify required gcloud components are installed diff --git a/cluster/gce/configure-vm.sh b/cluster/gce/configure-vm.sh index 092f9c80af8e..5584403cb6db 100755 --- a/cluster/gce/configure-vm.sh +++ b/cluster/gce/configure-vm.sh @@ -61,10 +61,11 @@ function create-node-pki { if [[ -z "${CA_CERT_BUNDLE:-}" ]]; then CA_CERT_BUNDLE="${CA_CERT}" - CA_CERT_BUNDLE_PATH="${pki_dir}/ca-certificates.crt" - echo "${CA_CERT_BUNDLE}" | base64 --decode > "${CA_CERT_BUNDLE_PATH}" fi + CA_CERT_BUNDLE_PATH="${pki_dir}/ca-certificates.crt" + echo "${CA_CERT_BUNDLE}" | base64 --decode > "${CA_CERT_BUNDLE_PATH}" + if [[ ! -z "${KUBELET_CERT:-}" && ! -z "${KUBELET_KEY:-}" ]]; then KUBELET_CERT_PATH="${pki_dir}/kubelet.crt" echo "${KUBELET_CERT}" | base64 --decode > "${KUBELET_CERT_PATH}" diff --git a/cluster/gce/gci/configure-helper.sh b/cluster/gce/gci/configure-helper.sh index d7696a79aeb7..c8597b0df7a7 100644 --- a/cluster/gce/gci/configure-helper.sh +++ b/cluster/gce/gci/configure-helper.sh 
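Review bot: `MASTER_KEY_BASE64` is read from the master env with no check that `get-env-val` returned a value, and nothing marks it as private-key material. parse-master-env starts above this hunk and get-env-val is not visible, so whether a missing key yields an empty string is an assumption; if it does, an upgrade would carry an empty certificate or key forward. I would put `# MASTER_KEY_BASE64 is a private key: never echo or log it` above the two new lines. After them I would add `[[ -n "${MASTER_CERT_BASE64}" && -n "${MASTER_KEY_BASE64}" ]] || echo "MASTER_CERT/MASTER_KEY missing from master env" >&2`.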
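Review bot: The redirect truncates `${CA_CERT_BUNDLE_PATH}` before `base64 --decode` has succeeded, and after this change that happens on every run instead of only in the fallback branch. An empty or malformed `CA_CERT_BUNDLE` therefore replaces a previously good bundle with an empty or partial file. Whether errexit is active is not visible in the hunk, and even with it the file is already clobbered by the time the script stops. I would decode to a temporary name first, `echo "${CA_CERT_BUNDLE}" | base64 --decode > "${CA_CERT_BUNDLE_PATH}.tmp"`, and `mv` it into place only if that exits 0 and the file is non-empty, stopping with an error otherwise. The same write pattern appears in the create-node-pki and create-master-pki hunks of cluster/gce/gci/configure-helper.sh; create-node-pki itself starts and ends outside this hunk.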
@@ -197,10 +197,11 @@ function create-node-pki { if [[ -z "${CA_CERT_BUNDLE:-}" ]]; then CA_CERT_BUNDLE="${CA_CERT}" - CA_CERT_BUNDLE_PATH="${pki_dir}/ca-certificates.crt" - echo "${CA_CERT_BUNDLE}" | base64 --decode > "${CA_CERT_BUNDLE_PATH}" fi + CA_CERT_BUNDLE_PATH="${pki_dir}/ca-certificates.crt" + echo "${CA_CERT_BUNDLE}" | base64 --decode > "${CA_CERT_BUNDLE_PATH}" + if [[ ! -z "${KUBELET_CERT:-}" && ! -z "${KUBELET_KEY:-}" ]]; then KUBELET_CERT_PATH="${pki_dir}/kubelet.crt" echo "${KUBELET_CERT}" | base64 --decode > "${KUBELET_CERT_PATH}" 
@@ -227,33 +228,36 @@ function create-master-pki { if [[ -z "${APISERVER_SERVER_CERT:-}" || -z "${APISERVER_SERVER_KEY:-}" ]]; then APISERVER_SERVER_CERT="${MASTER_CERT}" - APISERVER_SERVER_CERT_PATH="${pki_dir}/apiserver.crt" - echo "${APISERVER_SERVER_CERT}" | base64 --decode > "${APISERVER_SERVER_CERT_PATH}" - APISERVER_SERVER_KEY="${MASTER_KEY}" - APISERVER_SERVER_KEY_PATH="${pki_dir}/apiserver.key" - echo "${APISERVER_SERVER_KEY}" | base64 --decode > "${APISERVER_SERVER_KEY_PATH}" fi + APISERVER_SERVER_CERT_PATH="${pki_dir}/apiserver.crt" + echo "${APISERVER_SERVER_CERT}" | base64 --decode > "${APISERVER_SERVER_CERT_PATH}" + + APISERVER_SERVER_KEY_PATH="${pki_dir}/apiserver.key" + echo "${APISERVER_SERVER_KEY}" | base64 --decode > "${APISERVER_SERVER_KEY_PATH}" + if [[ -z "${APISERVER_CLIENT_CERT:-}" || -z "${APISERVER_CLIENT_KEY:-}" ]]; then APISERVER_CLIENT_CERT="${KUBEAPISERVER_CERT}" - APISERVER_CLIENT_CERT_PATH="${pki_dir}/apiserver-client.crt" - echo "${APISERVER_CLIENT_CERT}" | base64 --decode > "${APISERVER_CLIENT_CERT_PATH}" - APISERVER_CLIENT_KEY="${KUBEAPISERVER_KEY}" - APISERVER_CLIENT_KEY_PATH="${pki_dir}/apiserver-client.key" - echo "${APISERVER_CLIENT_KEY}" | base64 --decode > "${APISERVER_CLIENT_KEY_PATH}" fi + APISERVER_CLIENT_CERT_PATH="${pki_dir}/apiserver-client.crt" + echo "${APISERVER_CLIENT_CERT}" | base64 --decode > "${APISERVER_CLIENT_CERT_PATH}" + + APISERVER_CLIENT_KEY_PATH="${pki_dir}/apiserver-client.key" + echo "${APISERVER_CLIENT_KEY}" | base64 --decode > "${APISERVER_CLIENT_KEY_PATH}" + if [[ -z "${SERVICEACCOUNT_CERT:-}" || -z "${SERVICEACCOUNT_KEY:-}" ]]; then SERVICEACCOUNT_CERT="${MASTER_CERT}" - SERVICEACCOUNT_CERT_PATH="${pki_dir}/serviceaccount.crt" - echo "${SERVICEACCOUNT_CERT}" | base64 --decode > "${SERVICEACCOUNT_CERT_PATH}" - SERVICEACCOUNT_KEY="${MASTER_KEY}" - SERVICEACCOUNT_KEY_PATH="${pki_dir}/serviceaccount.key" - echo "${SERVICEACCOUNT_KEY}" | base64 --decode > "${SERVICEACCOUNT_KEY_PATH}" fi + + 
SERVICEACCOUNT_CERT_PATH="${pki_dir}/serviceaccount.crt" + echo "${SERVICEACCOUNT_CERT}" | base64 --decode > "${SERVICEACCOUNT_CERT_PATH}" + + SERVICEACCOUNT_KEY_PATH="${pki_dir}/serviceaccount.key" + echo "${SERVICEACCOUNT_KEY}" | base64 --decode > "${SERVICEACCOUNT_KEY_PATH}" } # After the first boot and on upgrade, these files exist on the master-pd diff --git a/cluster/saltbase/salt/kube-apiserver/kube-apiserver.manifest b/cluster/saltbase/salt/kube-apiserver/kube-apiserver.manifest index 131f957be7f6..994c5e602ff2 100644 --- a/cluster/saltbase/salt/kube-apiserver/kube-apiserver.manifest +++ b/cluster/saltbase/salt/kube-apiserver/kube-apiserver.manifest @@ -264,7 +264,7 @@ "mountPath": "/etc/openssl", "readOnly": true}, { "name": "etcpki", - "mountPath": "/etc/pki", + "mountPath": "/etc/srv/pki", "readOnly": true}, { "name": "srvsshproxy", "mountPath": "{{srv_sshproxy_path}}", @@ -309,7 +309,7 @@ }, { "name": "etcpki", "hostPath": { - "path": "/etc/pki"} + "path": "/etc/srv/pki"} }, { "name": "srvsshproxy", "hostPath": {
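Review bot: The three private keys (`apiserver.key`, `apiserver-client.key`, `serviceaccount.key`) are created by plain redirection, so their mode is whatever the current umask gives, and no `umask` or `chmod` appears in the hunk. create-master-pki begins above the hunk and `pki_dir` is created outside it, so this may already be handled there; if it is not, the keys can end up readable by other local users. I would wrap each key write in a restrictive subshell, for example `(umask 077; echo "${APISERVER_SERVER_KEY}" | base64 --decode > "${APISERVER_SERVER_KEY_PATH}")`, and do the same for the client and service-account keys.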
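Review bot: The volume is still named `etcpki` in both manifest hunks although it now maps `/etc/srv/pki`, so the name no longer describes the path and invites confusion with the host's `/etc/pki`. Renaming it in the volumeMounts entry and the volumes entry together, for example `"name": "srvpki"`, would keep the two in step. The mount keeps `"readOnly": true`, which matters here because create-master-pki writes private keys into this directory. If other components' keys also live under `/etc/srv/pki` (not visible in this patch), mounting only the files the apiserver needs would be tighter. Both hunks cut through the surrounding JSON arrays, so the rest of the manifest is not visible.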