update docs

.gitignore

@@ -8,6 +8,16 @@ ca-key.pem
 ca.csr                     
 ca.pem                     
 encryption-config.yaml     
+kube-controller-manager-csr.json
+kube-controller-manager-key.pem
+kube-controller-manager.csr
+kube-controller-manager.kubeconfig
+kube-controller-manager.pem
+kube-scheduler-csr.json
+kube-scheduler-key.pem
+kube-scheduler.csr
+kube-scheduler.kubeconfig
+kube-scheduler.pem
 kube-proxy-csr.json        
 kube-proxy-key.pem         
 kube-proxy.csr             

docs/04-certificate-authority.md

@@ -163,6 +163,50 @@ worker-2-key.pem
 worker-2.pem
 ```
 
+### The kube-controller-manager Client Certificate
+
+Create the `kube-controller-manager` client certificate signing request:
+
+```
+cat > kube-controller-manager-csr.json <<EOF
+{
+  "CN": "system:kube-controller-manager",
+  "key": {
+    "algo": "rsa",
+    "size": 2048
+  },
+  "names": [
+    {
+      "C": "US",
+      "L": "Portland",
+      "O": "system:kube-controller-manager",
+      "OU": "Kubernetes The Hard Way",
+      "ST": "Oregon"
+    }
+  ]
+}
+EOF
+```
+
+Generate the `kube-controller-manager` client certificate and private key:
+
+```
+cfssl gencert \
+  -ca=ca.pem \
+  -ca-key=ca-key.pem \
+  -config=ca-config.json \
+  -profile=kubernetes \
+  kube-controller-manager-csr.json | cfssljson -bare kube-controller-manager
+```
+
+Results:
+
+```
+kube-controller-manager-key.pem
+kube-controller-manager.pem
+```
+
+
 ### The kube-proxy Client Certificate
 
 Create the `kube-proxy` client certificate signing request:
@@ -206,6 +250,50 @@ kube-proxy-key.pem
 kube-proxy.pem
 ```
 
+### The kube-scheduler Client Certificate
+
+Create the `kube-scheduler` client certificate signing request:
+
+```
+cat > kube-scheduler-csr.json <<EOF
+{
+  "CN": "system:kube-scheduler",
+  "key": {
+    "algo": "rsa",
+    "size": 2048
+  },
+  "names": [
+    {
+      "C": "US",
+      "L": "Portland",
+      "O": "system:kube-scheduler",
+      "OU": "Kubernetes The Hard Way",
+      "ST": "Oregon"
+    }
+  ]
+}
+EOF
+```
+
+Generate the `kube-scheduler` client certificate and private key:
+
+```
+cfssl gencert \
+  -ca=ca.pem \
+  -ca-key=ca-key.pem \
+  -config=ca-config.json \
+  -profile=kubernetes \
+  kube-scheduler-csr.json | cfssljson -bare kube-scheduler
+```
+
+Results:
+
+```
+kube-scheduler-key.pem
+kube-scheduler.pem
+```
+
+
 ### The Kubernetes API Server Certificate
 
 The `kubernetes-the-hard-way` static IP address will be included in the list of subject alternative names for the Kubernetes API Server certificate. This will ensure the certificate can be validated by remote clients.
@@ -278,6 +366,6 @@ for instance in controller-0 controller-1 controller-2; do
 done
 ```
 
-> The `kube-proxy` and `kubelet` client certificates will be used to generate client authentication configuration files in the next lab.
+> The `kube-proxy`, `kube-controller-manager`, `kube-scheduler`, and `kubelet` client certificates will be used to generate client authentication configuration files in the next lab.
 
 Next: [Generating Kubernetes Configuration Files for Authentication](05-kubernetes-configuration-files.md)

docs/05-kubernetes-configuration-files.md

@@ -94,6 +94,82 @@ Results:
 kube-proxy.kubeconfig
 ```
 
+### The kube-controller-manager Kubernetes Configuration File
+
+Generate a kubeconfig file for the `kube-controller-manager` service:
+
+```
+kubectl config set-cluster kubernetes-the-hard-way \
+  --certificate-authority=ca.pem \
+  --embed-certs=true \
+  --server=https://${KUBERNETES_PUBLIC_ADDRESS}:6443 \
+  --kubeconfig=kube-controller-manager.kubeconfig
+```
+
+```
+kubectl config set-credentials kube-controller-manager \
+  --client-certificate=kube-controller-manager.pem \
+  --client-key=kube-controller-manager-key.pem \
+  --embed-certs=true \
+  --kubeconfig=kube-controller-manager.kubeconfig
+```
+
+```
+kubectl config set-context default \
+  --cluster=kubernetes-the-hard-way \
+  --user=kube-controller-manager \
+  --kubeconfig=kube-controller-manager.kubeconfig
+```
+
+```
+kubectl config use-context default --kubeconfig=kube-controller-manager.kubeconfig
+```
+
+Results:
+
+```
+kube-controller-manager.kubeconfig
+```
+
+
+### The kube-scheduler Kubernetes Configuration File
+
+Generate a kubeconfig file for the `kube-scheduler` service:
+
+```
+kubectl config set-cluster kubernetes-the-hard-way \
+  --certificate-authority=ca.pem \
+  --embed-certs=true \
+  --server=https://${KUBERNETES_PUBLIC_ADDRESS}:6443 \
+  --kubeconfig=kube-scheduler.kubeconfig
+```
+
+```
+kubectl config set-credentials kube-scheduler \
+  --client-certificate=kube-scheduler.pem \
+  --client-key=kube-scheduler-key.pem \
+  --embed-certs=true \
+  --kubeconfig=kube-scheduler.kubeconfig
+```
+
+```
+kubectl config set-context default \
+  --cluster=kubernetes-the-hard-way \
+  --user=kube-scheduler \
+  --kubeconfig=kube-scheduler.kubeconfig
+```
+
+```
+kubectl config use-context default --kubeconfig=kube-scheduler.kubeconfig
+```
+
+Results:
+
+```
+kube-scheduler.kubeconfig
+```
+
+
 ## Distribute the Kubernetes Configuration Files
 
 Copy the appropriate `kubelet` and `kube-proxy` kubeconfig files to each worker instance:
@@ -104,4 +180,12 @@ for instance in worker-0 worker-1 worker-2; do
 done
 ```
 
+Copy the appropriate `kube-controller-manager` and `kube-scheduler` kubeconfig files to each controller instance:
+
+```
+for instance in controller-0 controller-1 controller-2; do
+  gcloud compute scp kube-controller-manager.kubeconfig kube-scheduler.kubeconfig ${instance}:~/
+done
+```
+
 Next: [Generating the Data Encryption Config and Key](06-data-encryption-keys.md)

docs/08-bootstrapping-kubernetes-controllers.md

@@ -106,6 +106,12 @@ EOF
 
 ### Configure the Kubernetes Controller Manager
 
+Move the `kube-controller-manager` kubeconfig into place:
+
+```
+sudo mv kube-controller-manager.kubeconfig /var/lib/kubernetes/
+```
+
 Create the `kube-controller-manager.service` systemd unit file:
 
 ```
@@ -121,8 +127,8 @@ ExecStart=/usr/local/bin/kube-controller-manager \\
   --cluster-name=kubernetes \\
   --cluster-signing-cert-file=/var/lib/kubernetes/ca.pem \\
   --cluster-signing-key-file=/var/lib/kubernetes/ca-key.pem \\
+  --kubeconfig=/var/lib/kubernetes/kube-controller-manager.kubeconfig \\
   --leader-elect=true \\
-  --master=http://127.0.0.1:8080 \\
   --root-ca-file=/var/lib/kubernetes/ca.pem \\
   --service-account-private-key-file=/var/lib/kubernetes/ca-key.pem \\
   --service-cluster-ip-range=10.32.0.0/24 \\
@@ -138,6 +144,8 @@ EOF
 ### Configure the Kubernetes Scheduler
 
 
+Create the `kube-scheduler.yaml` configuration file:
+
 ```
 cat > kube-scheduler.yaml <<EOF
 apiVersion: componentconfig/v1alpha1