Use only one certificate for all apiservers

https://github.com/kubernetes/kubernetes/issues/25063
2026-05-07 01:17:39 -02:30 · 2017-01-13 14:03:20 +03:00
parent e88c10670e
commit 80703010bd
4 changed files with 17 additions and 14 deletions
--- a/roles/kubernetes/secrets/files/make-ssl.sh
+++ b/roles/kubernetes/secrets/files/make-ssl.sh
@@ -72,14 +72,16 @@ else
    openssl req -x509 -new -nodes -key ca-key.pem -days 10000 -out ca.pem -subj "/CN=kube-ca" > /dev/null 2>&1
 fi

+if [ ! -e "$SSLDIR/ca-key.pem" ]; then
+    # kube-apiserver key
+    openssl genrsa -out apiserver-key.pem 2048 > /dev/null 2>&1
+    openssl req -new -key apiserver-key.pem -out apiserver.csr -subj "/CN=kube-apiserver" -config ${CONFIG} > /dev/null 2>&1
+    openssl x509 -req -in apiserver.csr -CA ca.pem -CAkey ca-key.pem -CAcreateserial -out apiserver.pem -days 365 -extensions v3_req -extfile ${CONFIG} > /dev/null 2>&1
+    cat ca.pem >> apiserver.pem
+fi
+
 if [ -n "$MASTERS" ]; then
    for host in $MASTERS; do
-        # kube-apiserver key
-        openssl genrsa -out apiserver-${host}-key.pem 2048 > /dev/null 2>&1
-        openssl req -new -key apiserver-${host}-key.pem -out apiserver-${host}.csr -subj "/CN=kube-apiserver-${host}" -config ${CONFIG} > /dev/null 2>&1
-        openssl x509 -req -in apiserver-${host}.csr -CA ca.pem -CAkey ca-key.pem -CAcreateserial -out apiserver-${host}.pem -days 365 -extensions v3_req -extfile ${CONFIG} > /dev/null 2>&1
-        cat ca.pem >> apiserver-${host}.pem
-
        # admin key
        openssl genrsa -out admin-${host}-key.pem 2048 > /dev/null 2>&1
        openssl req -new -key admin-${host}-key.pem -out admin-${host}.csr -subj "/CN=kube-admin-${host}" > /dev/null 2>&1
@@ -90,6 +92,7 @@ fi
 # Nodes and Admin
 if [ -n "$HOSTS" ]; then
    for host in $HOSTS; do
+        # node key
        openssl genrsa -out node-${host}-key.pem 2048 > /dev/null 2>&1
        openssl req -new -key node-${host}-key.pem -out node-${host}.csr -subj "/CN=kube-node-${host}" > /dev/null 2>&1
        openssl x509 -req -in node-${host}.csr -CA ca.pem -CAkey ca-key.pem -CAcreateserial -out node-${host}.pem -days 365 > /dev/null 2>&1
--- a/roles/kubernetes/secrets/tasks/gen_certs.yml
+++ b/roles/kubernetes/secrets/tasks/gen_certs.yml
@@ -39,14 +39,14 @@
                      {% for node in groups['kube-master'] %}
                      'admin-{{ node }}.pem',
                      'admin-{{ node }}-key.pem',
-                      'apiserver-{{ node }}.pem',
-                      'apiserver-{{ node }}-key.pem',
+                      'apiserver.pem',
+                      'apiserver-key.pem',
                      {% endfor %}]"
    my_master_certs: ['ca-key.pem',
                     'admin-{{ inventory_hostname }}.pem',
                     'admin-{{ inventory_hostname }}-key.pem',
-                     'apiserver-{{ inventory_hostname }}.pem',
-                     'apiserver-{{ inventory_hostname }}-key.pem'
+                     'apiserver.pem',
+                     'apiserver-key.pem'
                     ]
    all_node_certs: "['ca.pem',
                    {% for node in groups['k8s-cluster'] %}