VTWO-14496 : rework the doc and generate the root CA
parent
8d7c329d46
commit
4800ee5b62
|
@ -2,3 +2,4 @@
|
|||
inventory/generated
|
||||
*.retry
|
||||
|
||||
pki/
|
||||
|
|
43
README.md
43
README.md
|
@ -17,25 +17,50 @@ You can run the following command to check if you've missed something (don't wor
|
|||
ansible-playbook kthw-playbook.yml -t check_local_prerequisites -l localhost
|
||||
```
|
||||
|
||||
# setup
|
||||
- run `vagrant up` to start the vms. This will create a master node and 2 worker nodes on your host's network
|
||||
|
||||
- setup a container runtime on the nodes
|
||||
# Root Certificate Authority
|
||||
Kubernetes components implement a certificates based authentication mecanism (non revoked client certficates signed with a server's key are valid credentials).
|
||||
Etcd also implements such a mecanism.
|
||||
|
||||
We need a root Certificate Authority to :
|
||||
* enable authentication to the kubernetes api server.
|
||||
* enable authentication to the etcd cluster.
|
||||
|
||||
To generate it, run
|
||||
```sh
|
||||
ansible-playbook kthw-playbook.yml -t generate_the_root_ca -l localhost
|
||||
```
|
||||
|
||||
# Infrastructure
|
||||
- provision the vms the kubernetes cluster will be running on:
|
||||
```sh
|
||||
vagrant up
|
||||
```
|
||||
|
||||
# CRI-compatible container runtime
|
||||
- setup a CRI-compatible container runtime on these VMs
|
||||
```sh
|
||||
ansible-playbook kthw-playbook.yml -t install_container_runtime -l k8s_nodes
|
||||
```
|
||||
|
||||
- install kubelet, kube-proxy, apiserver, scheduler and native controllers on the master nodes
|
||||
# Etcd cluster
|
||||
- download etcd
|
||||
```sh
|
||||
ansible-playbook kthw-playbook.yml -t install_kubernetes_master_components -l masters
|
||||
ansible-playbook kthw-playbook.yml -t download_etcd -l etcd_peers
|
||||
```
|
||||
|
||||
- install kubelet & kube-proxy on the worker nodes
|
||||
# Kubernetes Control Plane
|
||||
|
||||
- download kubelet, kube-proxy, apiserver, scheduler and native controllers on the master nodes
|
||||
```sh
|
||||
ansible-playbook kthw-playbook.yml -t install_kubernetes_worker_components -l workers
|
||||
ansible-playbook kthw-playbook.yml -t download_kubernetes_control_plane -l masters
|
||||
```
|
||||
|
||||
- install etcd on the master nodes
|
||||
# Kubernetes worker nodes
|
||||
- download kubelet & kube-proxy on the worker nodes
|
||||
```sh
|
||||
ansible-playbook kthw-playbook.yml -t install_etcd -l masters
|
||||
ansible-playbook kthw-playbook.yml -t download_kubernetes_worker_components -l workers
|
||||
```
|
||||
|
||||
|
||||
|
||||
|
|
|
@ -37,6 +37,11 @@ Vagrant.configure("2") do |config|
|
|||
end
|
||||
end
|
||||
|
||||
inventory.puts "[etcd_peers]"
|
||||
hosts[:masters].each do |node_name|
|
||||
inventory.puts node_name
|
||||
end
|
||||
|
||||
inventory.puts "[k8s_nodes]"
|
||||
all_hosts.each do |node_name|
|
||||
inventory.puts node_name
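Review bot: The new `[etcd_peers]` block repeats the write-a-group loop already used for `[k8s_nodes]` (and presumably for the groups above the hunk); since `IO#puts` prints each element of an array on its own line, `inventory.puts hosts[:masters]` replaces the three-line `each`, or a small `write_group = ->(name, nodes) { inventory.puts "[#{name}]", nodes, "" }` lambda would cover every group. The enclosing `Vagrant.configure` block starts and ends outside the hunk. Note also that `etcd_peers` is simply the masters list here; if that is the intended permanent layout, a comment such as `# etcd is co-located on the master nodes` would make the playbook's later `-l etcd_peers` / `-l masters` split less surprising.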
|
||||
|
|
|
@ -6,42 +6,49 @@
|
|||
when: "'localhost' in group_names"
|
||||
tags:
|
||||
- check_local_prerequisites
|
||||
|
||||
- name: Root CA
|
||||
import_tasks: ./root_ca.yml
|
||||
when: "'localhost' in group_names"
|
||||
tags:
|
||||
- generate_the_root_ca
|
||||
|
||||
|
||||
- name: Install a container runtime
|
||||
|
||||
- name: Download etcd
|
||||
become: yes
|
||||
script: ./scripts/download_etcd {{ etcd3_version }}
|
||||
args:
|
||||
creates: /tmp/.download_etcd
|
||||
when: "'etcd_peers' in group_names"
|
||||
tags:
|
||||
- download_etcd
|
||||
|
||||
|
||||
- name: Install a CRI-compatible container runtime
|
||||
import_tasks: ./install_container_runtime.yml
|
||||
when: "'k8s_nodes' in group_names"
|
||||
tags:
|
||||
- install_container_runtime
|
||||
|
||||
|
||||
- name: Install kubernetes master components
|
||||
|
||||
- name: Download kubernetes control plane components
|
||||
become: yes
|
||||
script: ./scripts/install_kubernetes_master_components {{ kubernetes_version }}
|
||||
script: ./scripts/download_kubernetes_control_plane {{ kubernetes_version }}
|
||||
args:
|
||||
creates: /tmp/.install_kubernetes_master_components
|
||||
creates: /tmp/.download_kubernetes_control_plane
|
||||
when: "'masters' in group_names"
|
||||
tags:
|
||||
- install_kubernetes_components
|
||||
- install_kubernetes_master_components
|
||||
- download_kubernetes
|
||||
- download_kubernetes_control_plane
|
||||
|
||||
|
||||
- name: Install kubernetes worker components
|
||||
- name: Download kubernetes worker components
|
||||
become: yes
|
||||
script: ./scripts/install_kubernetes_worker_components {{ kubernetes_version }}
|
||||
script: ./scripts/download_kubernetes_worker_components {{ kubernetes_version }}
|
||||
args:
|
||||
creates: /tmp/.install_kubernetes_worker_components
|
||||
creates: /tmp/.download_kubernetes_worker_components
|
||||
when: "'workers' in group_names"
|
||||
tags:
|
||||
- install_kubernetes_components
|
||||
- install_kubernetes_worker_components
|
||||
|
||||
|
||||
- name: Install etcd
|
||||
become: yes
|
||||
script: ./scripts/install_etcd {{ etcd3_version }}
|
||||
args:
|
||||
creates: /tmp/.install_etcd
|
||||
when: "'masters' in group_names"
|
||||
tags:
|
||||
- install_etcd
|
||||
- download_kubernetes
|
||||
- download_kubernetes_worker_components
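Review bot: The `creates: /tmp/.download_etcd`, `/tmp/.download_kubernetes_control_plane` and `/tmp/.download_kubernetes_worker_components` guards on the renamed tasks (and the pre-existing `/tmp/.install_etcd`) key a `become: yes` step on a marker in world-writable /tmp, so any local account on the node can pre-create the file and make the privileged download silently skip, and a reboot that clears /tmp re-runs it. A marker under a root-owned directory, e.g. `creates: /var/lib/kthw/.download_etcd` (constructed path), or a `creates:` on the binary the script actually installs, would be a sturdier idempotence check; the scripts would then have to touch the same path. Separately, `Download etcd` is gated on `'etcd_peers' in group_names` while `Install etcd` below still uses `'masters' in group_names`; the two coincide only because the Vagrantfile writes the masters into `[etcd_peers]`, so one condition should probably follow the other.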
|
||||
|
||||
|
|
|
@ -0,0 +1,46 @@
|
|||
---
|
||||
- name: Root CA | create the work directory
|
||||
file:
|
||||
path: "{{ playbook_dir }}/pki/root-ca"
|
||||
state: directory
|
||||
recurse: yes
|
||||
|
||||
- name: Root CA | build the CSR (Certificate Signing Request) for the root CA
|
||||
copy:
|
||||
dest: "{{ playbook_dir }}/pki/root-ca/root-ca-csr.json"
|
||||
content: |
|
||||
{
|
||||
"CN": "Kubernetes",
|
||||
"key": {
|
||||
"algo": "rsa",
|
||||
"size": 2048
|
||||
},
|
||||
"names": [
|
||||
{
|
||||
"C": "US",
|
||||
"L": "Portland",
|
||||
"O": "Kubernetes",
|
||||
"OU": "CA",
|
||||
"ST": "Oregon"
|
||||
}
|
||||
]
|
||||
}
|
||||
mode: 0600
|
||||
|
||||
- name: Root CA | generate
|
||||
shell: |
|
||||
pushd {{ playbook_dir }}/pki/root-ca ;
|
||||
cfssl gencert -initca root-ca-csr.json | cfssljson -bare ca ;
|
||||
popd ;
|
||||
args:
|
||||
executable: bash
|
||||
creates: "{{ playbook_dir }}/pki/root-ca/ca-key.pem"
|
||||
|
||||
|
||||
- name: Root CA | cleanup
|
||||
file:
|
||||
path: "{{ playbook_dir }}/pki/root-ca/{{ item }}"
|
||||
state: absent
|
||||
with_items:
|
||||
- root-ca-csr.json
|
||||
- ca.csr
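Review bot: In `Root CA | generate`, the three commands are joined with `;`, so the task's exit status is that of `popd` and a failing `cfssl gencert` (missing binary, malformed CSR) is reported as ok; the pipe into `cfssljson` hides cfssl's status as well. Using the module's `chdir:` argument removes the pushd/popd and lets `set -o pipefail` make the pipeline's status meaningful. The private key `ca-key.pem` is also written with whatever umask cfssljson inherits, whereas the CSR JSON is explicitly `mode: 0600`; a follow-up `file` task that sets `mode: 0600` on the key keeps the root key from being readable by other local users. The `creates:` guard stays on `ca-key.pem`.
```yaml
- name: Root CA | generate
  shell: set -o pipefail && cfssl gencert -initca root-ca-csr.json | cfssljson -bare ca
  args:
    chdir: "{{ playbook_dir }}/pki/root-ca"
    executable: bash
    creates: "{{ playbook_dir }}/pki/root-ca/ca-key.pem"

- name: Root CA | restrict the private key permissions
  file:
    path: "{{ playbook_dir }}/pki/root-ca/ca-key.pem"
    mode: 0600

# … unchanged: cleanup task …
```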
|
|
@ -11,6 +11,6 @@ mv etcd-$ETCD3_RELEASE_VERSION-linux-amd64/etcdctl /usr/bin/
|
|||
|
||||
rm -rf etcd*
|
||||
|
||||
touch .install_etcd
|
||||
touch .download_etcd
|
||||
|
||||
popd &> /dev/null
|
|
@ -18,7 +18,7 @@ cp hyperkube /usr/bin/cloud-controller-manager
|
|||
cp hyperkube /usr/bin/apiserver
|
||||
rm hyperkube
|
||||
|
||||
touch .install_kubernetes_master_components
|
||||
touch .download_kubernetes_control_plane
|
||||
|
||||
popd
|
||||
|
|
@ -13,6 +13,6 @@ cp hyperkube /usr/bin/proxy
|
|||
cp hyperkube /usr/bin/kubectl
|
||||
rm hyperkube
|
||||
|
||||
touch .install_kubernetes_worker_components
|
||||
touch .download_kubernetes_worker_components
|
||||
|
||||
popd
|