VTWO-14496 : rework the doc and generate the root CA

pull/468/head
mbenabda 2019-06-28 00:42:55 +02:00
parent 8d7c329d46
commit 4800ee5b62
8 changed files with 119 additions and 35 deletions

1
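--- a/.gitignore
+++ b/.gitignore
@@ -2,3 +2,4 @@
 inventory/generated
 *.retry
+pki/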


@ -17,25 +17,50 @@ You can run the following command to check if you've missed something (don't wor
ansible-playbook kthw-playbook.yml -t check_local_prerequisites -l localhost ansible-playbook kthw-playbook.yml -t check_local_prerequisites -l localhost
``` ```
# setup
- run `vagrant up` to start the vms. This will create a master node and 2 worker nodes on your host's network
- setup a container runtime on the nodes # Root Certificate Authority
Kubernetes components implement a certificates based authentication mecanism (non revoked client certficates signed with a server's key are valid credentials).
Etcd also implements such a mecanism.
We need a root Certificate Authority to :
* enable authentication to the kubernetes api server.
* enable authentication to the etcd cluster.
To generate it, run
```sh
ansible-playbook kthw-playbook.yml -t generate_the_root_ca -l localhost
```
# Infrastructure
- provision the vms the kubernetes cluster will be running on:
```sh
vagrant up
```
# CRI-compatible container runtime
- setup a CRI-compatible container runtime on these VMs
```sh ```sh
ansible-playbook kthw-playbook.yml -t install_container_runtime -l k8s_nodes ansible-playbook kthw-playbook.yml -t install_container_runtime -l k8s_nodes
``` ```
- install kubelet, kube-proxy, apiserver, scheduler and native controllers on the master nodes # Etcd cluster
- download etcd
```sh ```sh
ansible-playbook kthw-playbook.yml -t install_kubernetes_master_components -l masters ansible-playbook kthw-playbook.yml -t download_etcd -l etcd_peers
``` ```
- install kubelet & kube-proxy on the worker nodes # Kubernetes Control Plane
- download kubelet, kube-proxy, apiserver, scheduler and native controllers on the master nodes
```sh ```sh
ansible-playbook kthw-playbook.yml -t install_kubernetes_worker_components -l workers ansible-playbook kthw-playbook.yml -t download_kubernetes_control_plane -l masters
``` ```
- install etcd on the master nodes # Kubernetes worker nodes
- download kubelet & kube-proxy on the worker nodes
```sh ```sh
ansible-playbook kthw-playbook.yml -t install_etcd -l masters ansible-playbook kthw-playbook.yml -t download_kubernetes_worker_components -l workers
``` ```

5
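--- a/Vagrantfile
+++ b/Vagrantfile
@@ -37,6 +37,11 @@ Vagrant.configure("2") do |config|
 end
 end
+inventory.puts "[etcd_peers]"
+hosts[:masters].each do |node_name|
+inventory.puts node_name
+end
 inventory.puts "[k8s_nodes]"
 all_hosts.each do |node_name|
 inventory.puts node_name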


@ -7,41 +7,48 @@
tags: tags:
- check_local_prerequisites - check_local_prerequisites
- name: Root CA
import_tasks: ./root_ca.yml
when: "'localhost' in group_names"
tags:
- generate_the_root_ca
- name: Install a container runtime
- name: Download etcd
become: yes
script: ./scripts/download_etcd {{ etcd3_version }}
args:
creates: /tmp/.download_etcd
when: "'etcd_peers' in group_names"
tags:
- download_etcd
- name: Install a CRI-compatible container runtime
import_tasks: ./install_container_runtime.yml import_tasks: ./install_container_runtime.yml
when: "'k8s_nodes' in group_names" when: "'k8s_nodes' in group_names"
tags: tags:
- install_container_runtime - install_container_runtime
- name: Install kubernetes master components - name: Download kubernetes control plane components
become: yes become: yes
script: ./scripts/install_kubernetes_master_components {{ kubernetes_version }} script: ./scripts/download_kubernetes_control_plane {{ kubernetes_version }}
args: args:
creates: /tmp/.install_kubernetes_master_components creates: /tmp/.download_kubernetes_control_plane
when: "'masters' in group_names" when: "'masters' in group_names"
tags: tags:
- install_kubernetes_components - download_kubernetes
- install_kubernetes_master_components - download_kubernetes_control_plane
- name: Install kubernetes worker components - name: Download kubernetes worker components
become: yes become: yes
script: ./scripts/install_kubernetes_worker_components {{ kubernetes_version }} script: ./scripts/download_kubernetes_worker_components {{ kubernetes_version }}
args: args:
creates: /tmp/.install_kubernetes_worker_components creates: /tmp/.download_kubernetes_worker_components
when: "'workers' in group_names" when: "'workers' in group_names"
tags: tags:
- install_kubernetes_components - download_kubernetes
- install_kubernetes_worker_components - download_kubernetes_worker_components
- name: Install etcd
become: yes
script: ./scripts/install_etcd {{ etcd3_version }}
args:
creates: /tmp/.install_etcd
when: "'masters' in group_names"
tags:
- install_etcd
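Review bot: The `creates: /tmp/.download_etcd` guard on the new Download etcd task only holds if the script writes its marker into /tmp, but the download_etcd hunk further down (`touch .download_etcd` followed by `popd`) writes it relative to whatever directory the script pushd'ed into, which is outside this view, so if that directory is not /tmp the guard never matches and the download re-runs on every play. The same marker pairing applies to the renamed control-plane and worker tasks (`creates: /tmp/.download_kubernetes_control_plane`, `creates: /tmp/.download_kubernetes_worker_components`) and their scripts. A comment on each task such as `# idempotence guard: the script must touch this marker in /tmp`, or having the scripts touch the absolute marker path, would make that contract explicit. The visible tails of the scripts show no checksum or signature verification of the downloaded archives before they are copied into /usr/bin under `become: yes`; if that is done earlier in the scripts, a comment on these download tasks saying so would help a reader, and if it is not, it is the first thing worth adding.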

46
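--- /dev/null
+++ b/root_ca.yml
@@ -0,0 +1,46 @@
+---
+- name: Root CA | create the work directory
+file:
+path: "{{ playbook_dir }}/pki/root-ca"
+state: directory
+recurse: yes
+- name: Root CA | build the CSR (Certificate Signing Request) for the root CA
+copy:
+dest: "{{ playbook_dir }}/pki/root-ca/root-ca-csr.json"
+content: |
+{
+"CN": "Kubernetes",
+"key": {
+"algo": "rsa",
+"size": 2048
+},
+"names": [
+{
+"C": "US",
+"L": "Portland",
+"O": "Kubernetes",
+"OU": "CA",
+"ST": "Oregon"
+}
+]
+}
+mode: 0600
+- name: Root CA | generate
+shell: |
+pushd {{ playbook_dir }}/pki/root-ca ;
+cfssl gencert -initca root-ca-csr.json | cfssljson -bare ca ;
+popd ;
+args:
+executable: bash
+creates: "{{ playbook_dir }}/pki/root-ca/ca-key.pem"
+- name: Root CA | cleanup
+file:
+path: "{{ playbook_dir }}/pki/root-ca/{{ item }}"
+state: absent
+with_items:
+- root-ca-csr.json
+- ca.csr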
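Review bot: The `Root CA | generate` task pipes `cfssl gencert -initca ... | cfssljson -bare ca` without `set -o pipefail` and interpolates `{{ playbook_dir }}` unquoted into `pushd`, so a path containing a space breaks the command, and a cfssl failure is only surfaced if cfssljson happens to exit non-zero on the empty input it then receives. Using `chdir` in `args` removes the pushd/popd and the quoting problem, and `set -o pipefail` makes the cfssl exit status count. The work-directory task sets no mode, so `pki/root-ca` and the private key written into it get default umask permissions; `mode: "0700"` on that directory task is the defensive choice, and the unquoted `mode: 0600` on the CSR copy is better written `mode: "0600"` so the YAML parser does not read it as a number. The generate task would then read as follows.
```yaml
- name: Root CA | generate
  shell: |
    set -o pipefail
    cfssl gencert -initca root-ca-csr.json | cfssljson -bare ca
  args:
    executable: bash
    chdir: "{{ playbook_dir }}/pki/root-ca"
    creates: "{{ playbook_dir }}/pki/root-ca/ca-key.pem"
```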


@ -11,6 +11,6 @@ mv etcd-$ETCD3_RELEASE_VERSION-linux-amd64/etcdctl /usr/bin/
rm -rf etcd* rm -rf etcd*
touch .install_etcd touch .download_etcd
popd &> /dev/null popd &> /dev/null


@ -18,7 +18,7 @@ cp hyperkube /usr/bin/cloud-controller-manager
cp hyperkube /usr/bin/apiserver cp hyperkube /usr/bin/apiserver
rm hyperkube rm hyperkube
touch .install_kubernetes_master_components touch .download_kubernetes_control_plane
popd popd


@ -13,6 +13,6 @@ cp hyperkube /usr/bin/proxy
cp hyperkube /usr/bin/kubectl cp hyperkube /usr/bin/kubectl
rm hyperkube rm hyperkube
touch .install_kubernetes_worker_components touch .download_kubernetes_worker_components
popd popd