kubeadm ca: ubuntu with ca cert

marthanda93 · Jun 14, 2021 · 8b9a65b · 8b9a65b
1 parent 6080e8c
commit 8b9a65b
Show file tree

Hide file tree

Showing 2 changed files with 50 additions and 2 deletions.
diff --git a/kubeadm-with-ca/ubuntu/lib/trigger.rb b/kubeadm-with-ca/ubuntu/lib/trigger.rb
@@ -4,14 +4,14 @@
 
     trigger.ruby do |env,machine|
         mpub, stdeerr, status = Open3.capture3("vagrant ssh --no-tty -c 'cat /home/" + k8s['user'] + "/.ssh/id_rsa.pub' " + k8s['cluster']['master'])
-        kubeadm_join, stdeerr, status = Open3.capture3("vagrant ssh --no-tty -c \"sudo kubeadm init --apiserver-advertise-address=#{k8s['ip_part']}.10 --apiserver-cert-extra-sans=#{k8s['ip_part']}.10  --node-name master-node --pod-network-cidr=#{k8s['ip_part']}.0/16 --token-ttl 0 | grep -A2 'kubeadm join' | xargs -L 2 | paste -sd ''\" #{k8s['cluster']['master']}")
+        kubeadm_join, stdeerr, status = Open3.capture3("vagrant ssh --no-tty -c \"sudo kubeadm init --apiserver-advertise-address=#{k8s['ip_part']}.10 --apiserver-cert-extra-sans=#{k8s['ip_part']}.10  --node-name #{k8s['cluster']['master']} --certificate-key=/opt/certificates/ca.pem --ignore-preflight-errors all --pod-network-cidr=#{k8s['ip_part']}.0/16 --token-ttl 0 | grep -A2 'kubeadm join' | xargs -L 2 | paste -sd ''\" #{k8s['cluster']['master']}")
 
         system("vagrant ssh --no-tty -c 'mkdir -p $HOME/.kube' #{k8s['cluster']['master']}")
         system("vagrant ssh --no-tty -c 'sudo cp -i /etc/kubernetes/admin.conf $HOME/.kube/config' #{k8s['cluster']['master']}")
         system("vagrant ssh --no-tty -c 'sudo chown $(id -u):$(id -g) $HOME/.kube/config' #{k8s['cluster']['master']}")
         system("vagrant ssh --no-tty -c 'echo \"export KUBECONFIG=/etc/kubernetes/admin.conf\" >> $HOME/.bash_profile' #{k8s['cluster']['master']}")
         system("vagrant ssh --no-tty -c 'sudo chown #{k8s['user']} /etc/kubernetes/admin.conf' #{k8s['cluster']['master']}")
-        system('vagrant ssh --no-tty -c \'echo "export KUBEADM_JOIN=\"'+ kubeadm_join.strip + '\"" >> /home/vagrant/.bash_profile\' master-node')
+        system('vagrant ssh --no-tty -c \'echo "export KUBEADM_JOIN=\"'+ kubeadm_join.strip + '\"" >> /home/vagrant/.bash_profile\' ' + k8s['cluster']['master'])
         system("vagrant ssh --no-tty -c 'kubectl apply -f https://docs.projectcalico.org/manifests/calico.yaml' #{k8s['cluster']['master']}")
 
         1.step(k8s['resources']['node']['count']) do |m|

diff --git a/kubeadm-with-ca/ubuntu/script/bootstrap_master.sh b/kubeadm-with-ca/ubuntu/script/bootstrap_master.sh
@@ -17,3 +17,51 @@ ufw allow 8080/tcp
 ufw allow 2379:2380/tcp
 sudo ufw allow 2380/tcp
 sudo ufw reload
+
+{
+wget -q --https-only https://storage.googleapis.com/kubernetes-the-hard-way/cfssl/1.4.1/linux/cfssl https://storage.googleapis.com/kubernetes-the-hard-way/cfssl/1.4.1/linux/cfssljson
+chmod +x cfssl cfssljson
+mv cfssl cfssljson /usr/local/bin/
+
+mkdir -p /opt/certificates && chown vagrant -R $_ && cd $_ 
+}
+
+# Certificate Authority
+{
+cat > ca-config.json <<EOF
+{
+  "signing": {
+    "default": {
+      "expiry": "8760h"
+    },
+    "profiles": {
+      "kubernetes": {
+        "usages": ["signing", "key encipherment", "server auth", "client auth"],
+        "expiry": "8760h"
+      }
+    }
+  }
+}
+EOF
+
+cat > ca-csr.json <<EOF
+{
+  "CN": "Kubernetes",
+  "key": {
+    "algo": "rsa",
+    "size": 2048
+  },
+  "names": [
+    {
+      "C": "US",
+      "L": "Portland",
+      "O": "Kubernetes",
+      "OU": "CA",
+      "ST": "Oregon"
+    }
+  ]
+}
+EOF
+
+cfssl gencert -initca ca-csr.json | cfssljson -bare ca
+}