changes from kk

pull/584/head
Sujith Abdul Rahim 2020-04-26 11:06:11 +05:30
parent dc51d1bcf3
commit 567847397b
1 changed files with 38 additions and 22 deletions


@ -5,50 +5,50 @@ set -e
# All Cert Location # All Cert Location
# ca certificate location # ca certificate location
CACERT=/var/lib/kubernetes/ca.crt CACERT=ca.crt
CAKEY=/var/lib/kubernetes/ca.key CAKEY=ca.key
# admin certificate location # admin certificate location
ADMINCERT=/var/lib/kubernetes/admin.crt ADMINCERT=admin.crt
ADMINKEY=/var/lib/kubernetes/admin.key ADMINKEY=admin.key
# Kube controller manager certificate location # Kube controller manager certificate location
KCMCERT=/var/lib/kubernetes/kube-controller-manager.crt KCMCERT=kube-controller-manager.crt
KCMKEY=/var/lib/kubernetes/kube-controller-manager.key KCMKEY=kube-controller-manager.key
# Kube proxy certificate location # Kube proxy certificate location
KPCERT=/var/lib/kubernetes/kube-proxy.crt KPCERT=kube-proxy.crt
KPKEY=/var/lib/kubernetes/kube-proxy.key KPKEY=kube-proxy.key
# Kube scheduler certificate location # Kube scheduler certificate location
KSCERT=/var/lib/kubernetes/kube-scheduler.crt KSCERT=kube-scheduler.crt
KSKEY=/var/lib/kubernetes/kube-scheduler.key KSKEY=kube-scheduler.key
# Kube api certificate location # Kube api certificate location
APICERT=/var/lib/kubernetes/kube-apiserver.crt APICERT=kube-apiserver.crt
APIKEY=/var/lib/kubernetes/kube-apiserver.key APIKEY=kube-apiserver.key
# ETCD certificate location # ETCD certificate location
ETCDCERT=/etc/etcd/etcd-server.crt ETCDCERT=etcd-server.crt
ETCDKEY=/etc/etcd/etcd-server.key ETCDKEY=etcd-server.key
# Service account certificate location # Service account certificate location
SACERT=/var/lib/kubernetes/service-account.crt SACERT=service-account.crt
SAKEY=/var/lib/kubernetes/service-account.key SAKEY=service-account.key
# All kubeconfig locations # All kubeconfig locations
# kubeproxy.kubeconfig location # kubeproxy.kubeconfig location
KPKUBECONFIG=/var/lib/kubernetes/kube-proxy.kubeconfig KPKUBECONFIG=kube-proxy.kubeconfig
# kube-controller-manager.kubeconfig location # kube-controller-manager.kubeconfig location
KCMKUBECONFIG=/var/lib/kubernetes/kube-controller-manager.kubeconfig KCMKUBECONFIG=kube-controller-manager.kubeconfig
# kube-scheduler.kubeconfig location # kube-scheduler.kubeconfig location
KSKUBECONFIG=/var/lib/kubernetes/kube-scheduler.kubeconfig KSKUBECONFIG=kube-scheduler.kubeconfig
# admin.kubeconfig location # admin.kubeconfig location
ADMINKUBECONFIG=/var/lib/kubernetes/admin.kubeconfig ADMINKUBECONFIG=admin.kubeconfig
# All systemd service locations # All systemd service locations
@ -396,7 +396,7 @@ check_systemd_etcd()
echo "Systemd for ETCD service found, verifying the authenticity" echo "Systemd for ETCD service found, verifying the authenticity"
# Systemd cert and key file details # Systemd cert and key file details
ETCD_CA_CERT=/etc/etcd/ca.crt ETCD_CA_CERT=ca.crt
CERT_FILE=$(systemctl cat etcd.service | grep "\--cert-file"| awk '{print $1}'| cut -d "=" -f2) CERT_FILE=$(systemctl cat etcd.service | grep "\--cert-file"| awk '{print $1}'| cut -d "=" -f2)
KEY_FILE=$(systemctl cat etcd.service | grep "\--key-file"| awk '{print $1}' | cut -d "=" -f2) KEY_FILE=$(systemctl cat etcd.service | grep "\--key-file"| awk '{print $1}' | cut -d "=" -f2)
PEER_CERT_FILE=$(systemctl cat etcd.service | grep "\--peer-cert-file"| awk '{print $1}'| cut -d "=" -f2) PEER_CERT_FILE=$(systemctl cat etcd.service | grep "\--peer-cert-file"| awk '{print $1}'| cut -d "=" -f2)
@ -412,6 +412,9 @@ check_systemd_etcd()
AC_URL=$(systemctl cat etcd.service | grep "\--advertise-client-urls"| awk '{print $2}') AC_URL=$(systemctl cat etcd.service | grep "\--advertise-client-urls"| awk '{print $2}')
ETCD_CA_CERT=/etc/etcd/ca.crt
ETCDCERT=/etc/etcd/etcd-server.crt
ETCDKEY=/etc/etcd/etcd-server.key
if [ $CERT_FILE == $ETCDCERT ] && [ $KEY_FILE == $ETCDKEY ] && [ $PEER_CERT_FILE == $ETCDCERT ] && [ $PEER_KEY_FILE == $ETCDKEY ] && \ if [ $CERT_FILE == $ETCDCERT ] && [ $KEY_FILE == $ETCDKEY ] && [ $PEER_CERT_FILE == $ETCDCERT ] && [ $PEER_KEY_FILE == $ETCDKEY ] && \
[ $TRUSTED_CA_FILE == $ETCD_CA_CERT ] && [ $PEER_TRUSTED_CA_FILE = $ETCD_CA_CERT ] [ $TRUSTED_CA_FILE == $ETCD_CA_CERT ] && [ $PEER_TRUSTED_CA_FILE = $ETCD_CA_CERT ]
then then
@ -429,7 +432,7 @@ check_systemd_etcd()
echo "Exiting...Found mismtach in the ETCD initial-advertise-peer-urls / listen-peer-urls / listen-client-urls / advertise-client-urls, check /etc/systemd/system/etcd.service file" echo "Exiting...Found mismtach in the ETCD initial-advertise-peer-urls / listen-peer-urls / listen-client-urls / advertise-client-urls, check /etc/systemd/system/etcd.service file"
exit 1 exit 1
fi fi
else else
echo "etcd-server.crt / etcd-server.key is missing" echo "etcd-server.crt / etcd-server.key is missing"
exit 1 exit 1
@ -459,6 +462,10 @@ check_systemd_api()
TLS_CERT_FILE=$(systemctl cat kube-apiserver.service | grep "\--tls-cert-file" | awk '{print $1}' | cut -d "=" -f2) TLS_CERT_FILE=$(systemctl cat kube-apiserver.service | grep "\--tls-cert-file" | awk '{print $1}' | cut -d "=" -f2)
TLS_PRIVATE_KEY_FILE=$(systemctl cat kube-apiserver.service | grep "\--tls-private-key-file" | awk '{print $1}' | cut -d "=" -f2) TLS_PRIVATE_KEY_FILE=$(systemctl cat kube-apiserver.service | grep "\--tls-private-key-file" | awk '{print $1}' | cut -d "=" -f2)
CACERT=/var/lib/kubernetes/ca.crt
APICERT=/var/lib/kubernetes/kube-apiserver.crt
APIKEY=/var/lib/kubernetes/kube-apiserver.key
SACERT=/var/lib/kubernetes/service-account.crt
if [ $ADVERTISE_ADDRESS == $INTERNAL_IP ] && [ $CLIENT_CA_FILE == $CACERT ] && [ $ETCD_CA_FILE == $CACERT ] && \ if [ $ADVERTISE_ADDRESS == $INTERNAL_IP ] && [ $CLIENT_CA_FILE == $CACERT ] && [ $ETCD_CA_FILE == $CACERT ] && \
[ $ETCD_CERT_FILE == "/var/lib/kubernetes/etcd-server.crt" ] && [ $ETCD_KEY_FILE == "/var/lib/kubernetes/etcd-server.key" ] && \ [ $ETCD_CERT_FILE == "/var/lib/kubernetes/etcd-server.crt" ] && [ $ETCD_KEY_FILE == "/var/lib/kubernetes/etcd-server.key" ] && \
[ $KUBELET_CERTIFICATE_AUTHORITY == $CACERT ] && [ $KUBELET_CLIENT_CERTIFICATE == $APICERT ] && [ $KUBELET_CLIENT_KEY == $APIKEY ] && \ [ $KUBELET_CERTIFICATE_AUTHORITY == $CACERT ] && [ $KUBELET_CLIENT_CERTIFICATE == $APICERT ] && [ $KUBELET_CLIENT_KEY == $APIKEY ] && \
@ -477,6 +484,12 @@ check_systemd_api()
check_systemd_kcm() check_systemd_kcm()
{ {
KCMCERT=/var/lib/kubernetes/kube-controller-manager.crt
KCMKEY=/var/lib/kubernetes/kube-controller-manager.key
CACERT=/var/lib/kubernetes/ca.crt
CAKEY=/var/lib/kubernetes/ca.key
SAKEY=/var/lib/kubernetes/service-account.key
KCMKUBECONFIG=/var/lib/kubernetes/kube-controller-manager.kubeconfig
if [ -z $KCMCERT ] && [ -z $KCMKEY ] if [ -z $KCMCERT ] && [ -z $KCMKEY ]
then then
echo "please specify cert and key location" echo "please specify cert and key location"
@ -506,6 +519,9 @@ check_systemd_kcm()
check_systemd_kp() check_systemd_kp()
{ {
KPCERT=/var/lib/kubernetes/kube-proxy.crt
KPKEY=/var/lib/kubernetes/kube-proxy.key
if [ -z $KPCERT ] && [ -z $KPKEY ] if [ -z $KPCERT ] && [ -z $KPKEY ]
then then
echo "please specify cert and key location" echo "please specify cert and key location"
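Review bot: The absolute paths added inside check_systemd_etcd, check_systemd_api, check_systemd_kcm and check_systemd_kp are plain assignments to the same global names that the first hunk now sets to bare filenames, so once any of these functions has run, `$CACERT`, `$ETCDCERT` and the others point at a different file for every later check. In a script whose job is to verify CA and component key material, which file gets inspected should not depend on call order or on the directory the script was started from. Declaring the paths function-scoped, e.g. `local KPCERT=/var/lib/kubernetes/kube-proxy.crt` (assuming the script runs under bash), or using distinct names for the installed paths, would keep the two sets apart. The added assignments also mean the `[ -z $KPCERT ] && [ -z $KPKEY ]` guards that follow them can never be true, so an existence test such as `[ -f "$KPCERT" ]` with quoted operands would state what is actually being checked. The function bodies continue outside the hunks shown, so later uses of these variables were not visible to this review.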