External-Mirrors/kubespray
2
0
Fork 0
mirror of https://github.com/kubernetes-sigs/kubespray.git synced 2026-05-07 17:37:39 -02:30
Code Issues Packages Projects Releases Wiki Activity

Generate TLS certs for calico typha (#5258)

Browse Source 
* Generate TLS certs for calico typha

Change-Id: I3883f49c124c52d0fc5b900ca2b44e4e2ed0d707

* Add group vars note

Change-Id: I63550dfef616e884efdbd42010a90b2c04c5eb69
This commit is contained in:
Matthew Mosesohn
2019-10-17 17:02:38 +03:00
committed by Kubernetes Prow Robot
parent 81d57fe658
commit a1fff30bd9
12 changed files with 249 additions and 5 deletions
Download Patch File Download Diff File Expand all files Collapse all files

2
roles/network_plugin/calico/templates/calico-config.yml.j2
View File

@@ -9,7 +9,7 @@ data:
etcd_ca: "/calico-secrets/ca_cert.crt"
etcd_cert: "/calico-secrets/cert.crt"
etcd_key: "/calico-secrets/key.pem"
{% elif calico_datastore == "kdd" and typha_enabled == "true" %}
{% elif calico_datastore == "kdd" and typha_enabled %}
# To enable Typha, set this to "calico-typha" *and* set a non-zero value for Typha replicas
# below. We recommend using Typha if you have more than 50 nodes. Above 100 nodes it is
# essential.

37
roles/network_plugin/calico/templates/calico-node.yml.j2
View File

@@ -155,14 +155,24 @@ spec:
# Use Kubernetes API as the backing datastore.
- name: DATASTORE_TYPE
value: "kubernetes"
{% if typha_enabled == "true" %}
{% if typha_enabled %}
# Typha support: controlled by the ConfigMap.
- name: FELIX_TYPHAK8SSERVICENAME
valueFrom:
configMapKeyRef:
name: calico-config
key: typha_service_name
{% endif %}
{% if typha_secure %}
- name: FELIX_TYPHACN
value: typha-server
- name: FELIX_TYPHACAFILE
value: /etc/typha-ca/ca.crt
- name: FELIX_TYPHACERTFILE
value: /etc/typha-client/typha-client.crt
- name: FELIX_TYPHAKEYFILE
value: /etc/typha-client/typha-client.key
{% endif %}
{% endif %}
# Wait for the datastore.
- name: WAIT_FOR_DATASTORE
value: "true"
@@ -296,6 +306,16 @@ spec:
- name: xtables-lock
mountPath: /run/xtables.lock
readOnly: false
{% if typha_secure %}
- name: typha-client
mountPath: /etc/typha-client
readOnly: true
- name: typha-cacert
subPath: ca.crt
mountPath: /etc/typha-ca/ca.crt
readOnly: true
{% endif %}
volumes:
# Used by calico/node.
- name: lib-modules
@@ -332,6 +352,19 @@ spec:
- name: host-local-net-dir
hostPath:
path: /var/lib/cni/networks
{% endif %}
{% if typha_enabled and typha_secure %}
- name: typha-client
secret:
secretName: typha-client
items:
- key: tls.crt
path: typha-client.crt
- key: tls.key
path: typha-client.key
- name: typha-cacert
hostPath:
path: "/etc/kubernetes/ssl/"
{% endif %}
updateStrategy:
rollingUpdate:

33
roles/network_plugin/calico/templates/calico-typha.yml.j2
View File

@@ -62,6 +62,7 @@ spec:
# Since Calico can't network a pod until Typha is up, we need to run Typha itself
# as a host-networked pod.
serviceAccountName: calico-node
priorityClassName: system-cluster-critical
containers:
- image: {{ calico_typha_image_repo }}:{{ calico_typha_image_tag }}
name: calico-typha
@@ -86,6 +87,24 @@ spec:
value: "kubernetes"
- name: TYPHA_HEALTHENABLED
value: "true"
{% if typha_secure %}
- name: TYPHA_CAFILE
value: /etc/ca/ca.crt
- name: TYPHA_CLIENTCN
value: typha-client
- name: TYPHA_SERVERCERTFILE
value: /etc/typha/server_certificate.pem
- name: TYPHA_SERVERKEYFILE
value: /etc/typha/server_key.pem
volumeMounts:
- mountPath: /etc/typha
name: typha-server
readOnly: true
- mountPath: /etc/ca/ca.crt
subPath: ca.crt
name: cacert
readOnly: true
{% endif %}
# Uncomment these lines to enable prometheus metrics. Since Typha is host-networked,
# this opens a port on the host, which may need to be secured.
#- name: TYPHA_PROMETHEUSMETRICSENABLED
@@ -127,6 +146,20 @@ spec:
host: localhost
{% endif %}
periodSeconds: 10
{% if typha_secure %}
volumes:
- name: typha-server
secret:
secretName: typha-server
items:
- key: tls.crt
path: server_certificate.pem
- key: tls.key
path: server_key.pem
- name: cacert
hostPath:
path: "{{ kube_cert_dir }}"
{% endif %}
---