cluster: move prodvider to kubernetes.default.svc.k0.hswaw.net
In https://gerrit.hackerspace.pl/c/hscloud/+/70 we accidentally introduced a split-horizon DNS situation: - k0.hswaw.net from the Internet resolves to nodes running the k8s API servers, and as such can serve API server traffic - k0.hswaw.net from the cluster returned no results This broke prodvider in two ways: - it dialed the API servers at k0.hswaw.net - even after the endpoint was moved to kubernetes.default.svc.k0.hswaw.net, the apiserver cert didn't cover that Thus, we not only had to change the prodvider endpoint but also the APIserver certs to cover this new name. I'm not sure this should be the target fix. I think at some point we should only start referring to in-cluster services via their full (or cluster.local) names, but right now k0.hswaw.net is an exception and as such a split, and we have no way to access the internal services from the outside just yet. However, getting prodvider to work is important enough that this fix is IMO good enough for now. Change-Id: I13d0681208c66f4060acecc78b7ae14b8f8d7125
This commit is contained in:
parent
e31d64f265
commit
d186e9468d
4 changed files with 33 additions and 26 deletions
|
@ -1,30 +1,30 @@
|
|||
-----BEGIN CERTIFICATE-----
|
||||
MIIFFjCCA/6gAwIBAgIUOh9rwpJmes6m22slPOE/o3P6qYMwDQYJKoZIhvcNAQEL
|
||||
MIIFOzCCBCOgAwIBAgIUOTp3sQjMouriHKrbOlv/F2vNXaMwDQYJKoZIhvcNAQEL
|
||||
BQAwgYMxCzAJBgNVBAYTAlBMMRQwEgYDVQQIEwtNYXpvd2llY2tpZTEPMA0GA1UE
|
||||
BxMGV2Fyc2F3MRswGQYDVQQKExJXYXJzYXcgSGFja2Vyc3BhY2UxEzARBgNVBAsT
|
||||
CmNsdXN0ZXJjZmcxGzAZBgNVBAMTEmt1YmVybmV0ZXMgbWFpbiBDQTAeFw0xOTA0
|
||||
MDYyMTIwMDBaFw0yMDA0MDUyMTIwMDBaMGQxCzAJBgNVBAYTAlBMMRQwEgYDVQQI
|
||||
CmNsdXN0ZXJjZmcxGzAZBgNVBAMTEmt1YmVybmV0ZXMgbWFpbiBDQTAeFw0xOTEw
|
||||
MDQxMTM5MDBaFw0yMDEwMDMxMTM5MDBaMGQxCzAJBgNVBAYTAlBMMRQwEgYDVQQI
|
||||
EwtNYXpvd2llY2tpZTEPMA0GA1UEBxMGV2Fyc2F3MRcwFQYDVQQLEw5LdWJlcm5l
|
||||
dGVzIEFQSTEVMBMGA1UEAxMMazAuaHN3YXcubmV0MIICIjANBgkqhkiG9w0BAQEF
|
||||
AAOCAg8AMIICCgKCAgEAs9DdG6lb0weWTLCH1Z8ETCy+RasjGTkubPWEkrL8JU/o
|
||||
69aC873wIlVkL6DiqVyiBaXvcIfwKK8b4uLsPuNlThcnhl3rZIr2/y7FDnp5E2ci
|
||||
5bAWKwguv4/zKD3CiK/wTBXVlhkTuA1eLvB0UynUK5ILn7Z2YBpKr0iH8YQ/bkPy
|
||||
WkZlwBXuE/UuaeDBIOrMnTUQ5BLsnnQeDw2vkI9Fv+WNMaK5R8Drku3+yHvdWptw
|
||||
Xv7evOIQiLADazRrRSxyErjjhYTClV/Zlg5wbkfKoyfwDn8dvOiJHrK3qGFdAn81
|
||||
P2W2nNlpn5SCzlIx7IvKzlTDCb1qsF6iHK5FDPac3sD5HW8V5o9GWEJuFmcP1291
|
||||
j4gQgugTYHX/sS4yDyAInWY8YDXaFVZRKS7FWxJ1H/5s4uL7xJqerwKURDrAazI/
|
||||
IIeTvZ58KDgG0HEdgAk4E+/FlVrZqkHySL2npQtMgXfSdk2WqUUayT7DTRyDZdU9
|
||||
nj0OAhju7HuUF31/3nu+nPuCZlW3xcrlbB5ZSXr/M/VUsiZEB3KyPoy7kqLRtRbl
|
||||
TYAyfco/ZosLym4qMhzP5trkU/5kr84plDS0iUJ9psbqkW/ZapPeemPGbbPxPByR
|
||||
6w6OvR0jo+/Sbd+gXjaNlwNlBDOObmTv9LViUJaCTvpx6oSjDAKO2hG2X4HbcOUC
|
||||
AwEAAaOBnzCBnDAOBgNVHQ8BAf8EBAMCBaAwHQYDVR0lBBYwFAYIKwYBBQUHAwEG
|
||||
CCsGAQUFBwMCMAwGA1UdEwEB/wQCMAAwHQYDVR0OBBYEFMLkejxh9VHSK9XJcvFs
|
||||
i3sP9ZVTMB8GA1UdIwQYMBaAFJgyXQ5PMx77CemJJBMWQmqA0ZnQMB0GA1UdEQQW
|
||||
MBSCDGswLmhzd2F3Lm5ldIcECgoMATANBgkqhkiG9w0BAQsFAAOCAQEAmme9CGeu
|
||||
Nl1rQOB9d4xVey2k6aUD+mlta0FIOPJyvgbkC99Uj95KN/pD/2Ptasqi8QFOFTax
|
||||
CKYOb3HcT3NDE8KIuqwsaJqraTMKFJhFpNvhw9nnQ6OuGBAhDCmoAZuCLyv0t+PH
|
||||
fN7J9MBvVvTLUE8ZGEuzIu1/3owYfEp9SJ+5xJ0G+OcOOfvYqm8Px52h8/nMAClQ
|
||||
hf3Me37UA1o5ADsdfzSTjnPvEwnvkkWFgi0EpeUAZnDn9BnD3dCMNhJYSAgh9b9+
|
||||
fgk5vAYLmG8VhQNFRx1GdaEoBNd3aoUyCVFzkN1jCiTcu/BcaaJW0Rz/MCCTLVEa
|
||||
a50kj4xSfVQR7A==
|
||||
AAOCAg8AMIICCgKCAgEA060kw0Os4CAbsdmWqIuoeoKeTl0j0hAtxpDAJZIG2Cam
|
||||
2SST4AKAxrk6neNQXqmrUpJYzfDrQuUlDhr47+7Gdhllp0wkG0gobErkbo+yUDRs
|
||||
hPCcRlRktodXlvEb3jAe8OXF1LgX6sYj6Pe7d+TuMcQlUuW6qcheWUl/JJfYCFhf
|
||||
Vd5qk7BGXCZBFo6wBr08ctRKDFLFzmA+TyUADVXlVRd+M7jAo/EAZ9y30HmWRNae
|
||||
jhdsazW3mUdO2nCvMCxBhCemHPP/V/3Jg70Ueo6AD5m1+ynJ0CxN1XRgq20ETPlQ
|
||||
CT0Rk7IaHJ1e9XNMYeV1OxL3TlxMmalsARO2gl0D88X0kpIniIfbwUM4HZU4jx8B
|
||||
1FwMtJxbCSWVPE5pGE5wCbiM//dybIQelorCqLvIFuy617KhdCPs2CAsXUE2TD6h
|
||||
P80bzNiC/vNUwH1SqX6B0tvAfwwEqSIK4zAVISDYgrNH8LbcEXs9xmltowt4qG7x
|
||||
Cyxl8ihhf6BlNrGvA3F0foZCfaPKlT7+rH1cbFWqlF95/zOI8mZSJn0YNZgb8OV8
|
||||
KG1VvQOPriGE8Ha3xGZXOyUPcXAyd+ZrCGY/nntS+WRxG7EvejtSWlAkcy8G3ZK3
|
||||
FaDxYEbtpaSZZ9LYLvf6qFs32jtxd3OpUceVKmJOAZMUSSsF2zt/ytxTk5jlmesC
|
||||
AwEAAaOBxDCBwTAOBgNVHQ8BAf8EBAMCBaAwHQYDVR0lBBYwFAYIKwYBBQUHAwEG
|
||||
CCsGAQUFBwMCMAwGA1UdEwEB/wQCMAAwHQYDVR0OBBYEFNbiIjC8M04dzKXqBJpi
|
||||
NcTtkVA4MB8GA1UdIwQYMBaAFJgyXQ5PMx77CemJJBMWQmqA0ZnQMEIGA1UdEQQ7
|
||||
MDmCDGswLmhzd2F3Lm5ldIIja3ViZXJuZXRlcy5kZWZhdWx0LnN2Yy5rMC5oc3dh
|
||||
dy5uZXSHBAoKDAEwDQYJKoZIhvcNAQELBQADggEBAHXeJL3zo+MSn8Bg8cn+PmW3
|
||||
BVINkb9jxdcD45fbp1sqSuFysKx8jBVVrcxWP8ALm7J9gk1Q4Es7gOO7mISywtEI
|
||||
IcGzrQwmlM5lKMOaLMOMPJlGOI6rhlbdixuEiL7eNAKyxW9tvmtG32sRf3EiKxro
|
||||
AE/+jHN3FB5z6OAucGWcYFIPYlUOaTEAVHjMuks+8YlvB4MoEisR9J0IKyM/Ziw8
|
||||
SOQAh1gsP0Ogrsw+AxqB4m/y0V0E4xhVoJ62aOPHqVaT2VX9wQpypnNmFCMBYEkA
|
||||
89ZwprVBaH+DTBpGccYlPNK+BpFVdKnvI5zzq8Vnx0zoaK2lcYgNpbcKp0ar4D8=
|
||||
-----END CERTIFICATE-----
|
||||
|
|
|
@ -190,7 +190,7 @@ def nodestrap(args, nocerts=False):
|
|||
c.upload_pki(r, pki_config('kube.kubelet'))
|
||||
|
||||
# Make apiserver certificate.
|
||||
c = ca_kube.make_cert('kube-apiserver', ou='Kubernetes API', hosts=[cluster, '10.10.12.1'])
|
||||
c = ca_kube.make_cert('kube-apiserver', ou='Kubernetes API', hosts=[cluster, 'kubernetes.default.svc.'+cluster, '10.10.12.1'])
|
||||
c.upload_pki(r, pki_config('kube.apiserver'), concat_ca=True)
|
||||
|
||||
# Make service accounts decryption key (as cert for consistency).
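Review bot: The SAN list on the new `make_cert` line covers the cluster FQDN, `kubernetes.default.svc.<fqdn>` and the service IP, but not the shorter in-cluster forms (`kubernetes`, `kubernetes.default`, `kubernetes.default.svc`) that a client relying on its resolver search path would present during TLS name verification; whether any client here uses those names is not visible from the hunk. If they are meant to be usable, extend the list, e.g. `hosts=[cluster, 'kubernetes', 'kubernetes.default', 'kubernetes.default.svc', 'kubernetes.default.svc.'+cluster, '10.10.12.1']`. The new name is also spelled out as a separate literal in the jsonnet cluster config, so a comment here such as `# SANs must include every name clients (e.g. prodvider's apiEndpoint) use to reach the apiserver.` would make the coupling explicit. nodestrap's body continues on both sides of the hunk.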
|
||||
|
|
|
@ -210,7 +210,11 @@ local Cluster(fqdn) = {
|
|||
},
|
||||
|
||||
// Prodvider
|
||||
prodvider: prodvider.Environment {},
|
||||
prodvider: prodvider.Environment {
|
||||
cfg+: {
|
||||
apiEndpoint: "kubernetes.default.svc.%s" % [cluster.fqdn],
|
||||
},
|
||||
},
|
||||
};
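Review bot: `apiEndpoint: "kubernetes.default.svc.%s" % [cluster.fqdn]` only verifies because the apiserver certificate generated in nodestrap gained the matching `'kubernetes.default.svc.'+cluster` SAN in this same commit; nothing in either file records that dependency, so a later edit to one side would silently reintroduce the TLS failure the commit fixes. Add a comment above the field, e.g. `// Must remain a SAN of the kube-apiserver certificate issued in nodestrap.` The enclosing `Cluster(fqdn)` object starts outside the hunk.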
|
||||
|
||||
|
||||
|
|
|
@ -11,6 +11,8 @@ local kube = import "../../../kube/kube.libsonnet";
|
|||
namespace: "prodvider",
|
||||
image: "registry.k0.hswaw.net/cluster/prodvider:1567256363-71a21c769369d013972d8dd0a71b83bee3e6848e",
|
||||
|
||||
apiEndpoint: error "API endpoint must be set",
|
||||
|
||||
pki: {
|
||||
intermediate: {
|
||||
cert: importstr "../../certs/ca-kube-prodvider.cert",
|
||||
|
@ -60,6 +62,7 @@ local kube = import "../../../kube/kube.libsonnet";
|
|||
"-ca_key_path", "/opt/ca/intermediate-ca.key",
|
||||
"-ca_certificate_path", "/opt/ca/intermediate-ca.crt",
|
||||
"-kube_ca_certificate_path", "/opt/ca/ca.crt",
|
||||
"-kubernetes_host", cfg.apiEndpoint,
|
||||
],
|
||||
volumeMounts_: {
|
||||
ca: { mountPath: "/opt/ca" },
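Review bot: `apiEndpoint: error "API endpoint must be set"` makes the field required but says nothing about its form or what it must satisfy; the second hunk passes it unchanged to `-kubernetes_host` while `-kube_ca_certificate_path` points at `/opt/ca/ca.crt`, so the value presumably has to be a name covered by an apiserver certificate chaining to that CA (prodvider's flag parsing is not visible, so whether a scheme or port is accepted can't be confirmed here). Suggest a comment on the field, e.g. `// Hostname of the Kubernetes API server; must be a SAN of the apiserver certificate verified against kube_ca_certificate_path.` Naming the field in the message, `error "cfg.apiEndpoint must be set"`, would also make a misconfiguration easier to trace. The enclosing object starts and ends outside both hunks.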
|
||||
|
|