From ea7a6f1cf1d95732d8305d0ca8da0da8a0050e3d Mon Sep 17 00:00:00 2001
From: Dmitry Chepurovskiy
Date: Mon, 18 Mar 2019 09:55:11 +0300
Subject: [PATCH] Fix #4237: update kube cert path (#4354)
---
 contrib/terraform/openstack/README.md | 8 ++++----
 contrib/vault/roles/vault/defaults/main.yml | 2 +-
 contrib/vault/vault.md | 4 ++--
 inventory/sample/group_vars/k8s-cluster/k8s-cluster.yml | 4 +++-
 roles/kubernetes/client/defaults/main.yml | 1 +
 roles/kubernetes/client/tasks/main.yml | 2 +-
 roles/kubernetes/master/tasks/kubeadm-setup.yml | 2 +-
 roles/kubernetes/preinstall/defaults/main.yml | 1 +
 roles/kubespray-defaults/defaults/main.yaml | 2 +-
 9 files changed, 15 insertions(+), 11 deletions(-)
diff --git a/contrib/terraform/openstack/README.md b/contrib/terraform/openstack/README.md
index a488e37fb..0dddca1ba 100644
--- a/contrib/terraform/openstack/README.md
+++ b/contrib/terraform/openstack/README.md
@@ -412,13 +412,13 @@ sudo route add -net [internal-subnet]/24 gw [router-ip]
 ```
 3. List Kubernetes certificates & keys:
 ```
-ssh [os-user]@[master-ip] sudo ls /etc/kubernetes/ssl/
+ssh [os-user]@[master-ip] sudo ls /etc/kubernetes/pki/
 ```
 4. Get `admin`'s certificates and keys:
 ```
-ssh [os-user]@[master-ip] sudo cat /etc/kubernetes/ssl/admin-kube-master-1-key.pem > admin-key.pem
-ssh [os-user]@[master-ip] sudo cat /etc/kubernetes/ssl/admin-kube-master-1.pem > admin.pem
-ssh [os-user]@[master-ip] sudo cat /etc/kubernetes/ssl/ca.pem > ca.pem
+ssh [os-user]@[master-ip] sudo cat /etc/kubernetes/pki/admin-kube-master-k8s-master-1-key.pem > admin-key.pem
+ssh [os-user]@[master-ip] sudo cat /etc/kubernetes/pki/admin-kube-master-k8s-master-1.pem > admin.pem
+ssh [os-user]@[master-ip] sudo cat /etc/kubernetes/pki/ca.pem > ca.pem
 ```
 5. Configure kubectl:
 ```ShellSession
diff --git a/contrib/vault/roles/vault/defaults/main.yml b/contrib/vault/roles/vault/defaults/main.yml
index 0b27e03ff..eebd26d92 100644
--- a/contrib/vault/roles/vault/defaults/main.yml
+++ b/contrib/vault/roles/vault/defaults/main.yml
@@ -114,7 +114,7 @@ vault_client_headers:
 Content-Type: "application/json"
 etcd_cert_dir: /etc/ssl/etcd/ssl
-kube_cert_dir: /etc/kubernetes/ssl
+kube_cert_dir: /etc/kubernetes/pki
 vault_pki_mounts:
 userpass:
diff --git a/contrib/vault/vault.md b/contrib/vault/vault.md
index 014cf0251..535ff2a57 100644
--- a/contrib/vault/vault.md
+++ b/contrib/vault/vault.md
@@ -76,8 +76,8 @@ generated elsewhere, you'll need to copy the certificate and key to the hosts in
 * ``/etc/ssl/etcd/ssl/ca.pem``
 * ``/etc/ssl/etcd/ssl/ca-key.pem``
 * kubernetes:
- * ``/etc/kubernetes/ssl/ca.pem``
- * ``/etc/kubernetes/ssl/ca-key.pem``
+ * ``/etc/kubernetes/pki/ca.pem``
+ * ``/etc/kubernetes/pki/ca-key.pem``
 Additional Notes:
diff --git a/inventory/sample/group_vars/k8s-cluster/k8s-cluster.yml b/inventory/sample/group_vars/k8s-cluster/k8s-cluster.yml
index 03f70a4ca..09727b332 100644
--- a/inventory/sample/group_vars/k8s-cluster/k8s-cluster.yml
+++ b/inventory/sample/group_vars/k8s-cluster/k8s-cluster.yml
@@ -8,7 +8,9 @@ kube_script_dir: "{{ bin_dir }}/kubernetes-scripts"
 kube_manifest_dir: "{{ kube_config_dir }}/manifests"
 # This is where all the cert scripts and certs will be located
-kube_cert_dir: "{{ kube_config_dir }}/ssl"
+# For old version of k8s next line should be used instead
+# kube_cert_dir: "{{ kube_config_dir }}/ssl"
+kube_cert_dir: "{{ kube_config_dir }}/pki"
 # This is where all of the bearer tokens will be stored
 kube_token_dir: "{{ kube_config_dir }}/tokens"
diff --git a/roles/kubernetes/client/defaults/main.yml b/roles/kubernetes/client/defaults/main.yml
index 32870df01..4b4a0cace 100644
--- a/roles/kubernetes/client/defaults/main.yml
+++ b/roles/kubernetes/client/defaults/main.yml
@@ -4,4 +4,5 @@ kubectl_localhost: false
 artifacts_dir: "{{ inventory_dir }}/artifacts"
 kube_config_dir: "/etc/kubernetes"
+kube_cert_dir: "{{ kube_config_dir }}/pki"
 kube_apiserver_port: "6443"
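Review bot: `kube_cert_dir` is now declared in four defaults files with two different spellings: a literal `/etc/kubernetes/pki` on the added line here, and `"{{ kube_config_dir }}/pki"` in roles/kubernetes/client/defaults/main.yml, roles/kubernetes/preinstall/defaults/main.yml and roles/kubespray-defaults/defaults/main.yaml. An inventory that overrides `kube_config_dir` would make the Vault role look for the CA and keys in a directory the other roles no longer write to, and the next path change has to be repeated in all four places. If the contrib Vault role has `kube_config_dir` in scope, `kube_cert_dir: "{{ kube_config_dir }}/pki"` here keeps it in step; otherwise a comment such as `# must match kube_cert_dir in roles/kubespray-defaults/defaults/main.yaml` at least ties the copies together. Whether the client and preinstall roles need their own copy at all depends on whether kubespray-defaults is already a dependency of both, which this patch does not show.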
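Review bot: The new comment `# For old version of k8s next line should be used instead` in inventory/sample/group_vars/k8s-cluster/k8s-cluster.yml does not say which versions are "old", so an operator cannot tell from the sample whether their cluster is affected. It also leaves unstated what the commented-out line is for: a cluster deployed with the previous default presumably still has its certificates and private keys under `"{{ kube_config_dir }}/ssl"`, and pointing `kube_cert_dir` elsewhere on such a cluster would make the roles look for key material that is not there. A comment of the form `# Clusters deployed before this default changed (Kubernetes < <VERSION-PLACEHOLDER>) keep their certificates under "{{ kube_config_dir }}/ssl"; set kube_cert_dir to that path for them` states the condition the reader needs.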
diff --git a/roles/kubernetes/client/tasks/main.yml b/roles/kubernetes/client/tasks/main.yml
index dae323f0e..5b8fe4a8b 100644
--- a/roles/kubernetes/client/tasks/main.yml
+++ b/roles/kubernetes/client/tasks/main.yml
@@ -49,7 +49,7 @@ kubeconfig user
 --client-name kubernetes-admin
 --org system:masters
- --cert-dir {{ kube_config_dir }}/ssl
+ --cert-dir {{ kube_cert_dir }}
 --apiserver-advertise-address {{ external_apiserver_address }}
 --apiserver-bind-port {{ external_apiserver_port }}
 run_once: yes
diff --git a/roles/kubernetes/master/tasks/kubeadm-setup.yml b/roles/kubernetes/master/tasks/kubeadm-setup.yml
index 31067522a..8d9bc9849 100644
--- a/roles/kubernetes/master/tasks/kubeadm-setup.yml
+++ b/roles/kubernetes/master/tasks/kubeadm-setup.yml
@@ -71,7 +71,7 @@ tags: facts
 - name: kubeadm | Copy etcd cert dir under k8s cert dir
- command: "cp -TR {{ etcd_cert_dir }} {{ kube_config_dir }}/ssl/etcd"
+ command: "cp -TR {{ etcd_cert_dir }} {{ kube_cert_dir }}/etcd"
 changed_when: false
 - name: Create audit-policy directory
diff --git a/roles/kubernetes/preinstall/defaults/main.yml b/roles/kubernetes/preinstall/defaults/main.yml
index 9accce930..948fe0789 100644
--- a/roles/kubernetes/preinstall/defaults/main.yml
+++ b/roles/kubernetes/preinstall/defaults/main.yml
@@ -25,6 +25,7 @@ disable_ipv6_dns: false
 kube_cert_group: kube-cert
 kube_config_dir: /etc/kubernetes
+kube_cert_dir: "{{ kube_config_dir }}/pki"
 # Container Linux by CoreOS cloud init config file to define /etc/resolv.conf content
 # for hostnet pods and infra needs
diff --git a/roles/kubespray-defaults/defaults/main.yaml b/roles/kubespray-defaults/defaults/main.yaml
index ea5d57b9d..3e4c3db33 100644
--- a/roles/kubespray-defaults/defaults/main.yaml
+++ b/roles/kubespray-defaults/defaults/main.yaml
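Review bot: The new `command: "cp -TR {{ etcd_cert_dir }} {{ kube_cert_dir }}/etcd"` line in roles/kubernetes/master/tasks/kubeadm-setup.yml duplicates what is presumably etcd private key material into a second directory without setting owner, group or mode on the copies: `cp -R` without `-p` gives them the invoking user as owner and a mode derived from the source bits and the umask, and `changed_when: false` hides that the copy is repeated on every run. The task list continues outside the hunk, so a later `file` task may already fix this; if not, a follow-up `file` task with `state: directory`, `recurse: yes`, `group: "{{ kube_cert_group }}"` (declared in roles/kubernetes/preinstall/defaults/main.yml in this same patch) and a restrictive `mode` on `{{ kube_cert_dir }}/etcd` would pin the permissions explicitly. On a cluster deployed before this commit, the earlier copy under `{{ kube_config_dir }}/ssl/etcd` is not removed by anything in this patch, so after an in-place upgrade the old keys would remain on disk unless a cleanup task exists elsewhere.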
@@ -93,7 +93,7 @@ kube_script_dir: "{{ bin_dir }}/kubernetes-scripts"
 kube_manifest_dir: "{{ kube_config_dir }}/manifests"
 # This is where all the cert scripts and certs will be located
-kube_cert_dir: "{{ kube_config_dir }}/ssl"
+kube_cert_dir: "{{ kube_config_dir }}/pki"
 # This is where all of the bearer tokens will be stored
 kube_token_dir: "{{ kube_config_dir }}/tokens"