only create cert files on master (Azure#2120)

* only create cert files on master * master node provision script cleanup
tesharp · Mar 15, 2018 · f4a4544 · f4a4544
1 parent fd30497
commit f4a4544
Show file tree

Hide file tree

Showing 2 changed files with 44 additions and 53 deletions.
diff --git a/parts/k8s/kubernetesmastercustomscript.sh b/parts/k8s/kubernetesmastercustomscript.sh
@@ -67,71 +67,63 @@ else
     REBOOTREQUIRED=false
 fi
 
-# If APISERVER_PRIVATE_KEY is empty, then we are not on the master
-if [[ ! -z "${APISERVER_PRIVATE_KEY}" ]]; then
-    echo "APISERVER_PRIVATE_KEY is non-empty, assuming master node"
+if [[ ! -z "${MASTER_NODE}" ]]; then
+    echo "executing master node provision operations"
 
     APISERVER_PRIVATE_KEY_PATH="/etc/kubernetes/certs/apiserver.key"
     touch "${APISERVER_PRIVATE_KEY_PATH}"
     chmod 0600 "${APISERVER_PRIVATE_KEY_PATH}"
     chown root:root "${APISERVER_PRIVATE_KEY_PATH}"
     echo "${APISERVER_PRIVATE_KEY}" | base64 --decode > "${APISERVER_PRIVATE_KEY_PATH}"
-else
-    echo "APISERVER_PRIVATE_KEY is empty, assuming worker node"
-fi
-
-# If CA_PRIVATE_KEY is empty, then we are not on the master
-if [[ ! -z "${CA_PRIVATE_KEY}" ]]; then
-    echo "CA_KEY is non-empty, assuming master node"
 
     CA_PRIVATE_KEY_PATH="/etc/kubernetes/certs/ca.key"
     touch "${CA_PRIVATE_KEY_PATH}"
     chmod 0600 "${CA_PRIVATE_KEY_PATH}"
     chown root:root "${CA_PRIVATE_KEY_PATH}"
     echo "${CA_PRIVATE_KEY}" | base64 --decode > "${CA_PRIVATE_KEY_PATH}"
+
+    ETCD_SERVER_PRIVATE_KEY_PATH="/etc/kubernetes/certs/etcdserver.key"
+    touch "${ETCD_SERVER_PRIVATE_KEY_PATH}"
+    chmod 0600 "${ETCD_SERVER_PRIVATE_KEY_PATH}"
+    chown root:root "${ETCD_SERVER_PRIVATE_KEY_PATH}"
+    echo "${ETCD_SERVER_PRIVATE_KEY}" | base64 --decode > "${ETCD_SERVER_PRIVATE_KEY_PATH}"
+
+    ETCD_CLIENT_PRIVATE_KEY_PATH="/etc/kubernetes/certs/etcdclient.key"
+    touch "${ETCD_CLIENT_PRIVATE_KEY_PATH}"
+    chmod 0600 "${ETCD_CLIENT_PRIVATE_KEY_PATH}"
+    chown root:root "${ETCD_CLIENT_PRIVATE_KEY_PATH}"
+    echo "${ETCD_CLIENT_PRIVATE_KEY}" | base64 --decode > "${ETCD_CLIENT_PRIVATE_KEY_PATH}"
+
+    ETCD_PEER_PRIVATE_KEY_PATH="/etc/kubernetes/certs/etcdpeer${MASTER_INDEX}.key"
+    touch "${ETCD_PEER_PRIVATE_KEY_PATH}"
+    chmod 0600 "${ETCD_PEER_PRIVATE_KEY_PATH}"
+    chown root:root "${ETCD_PEER_PRIVATE_KEY_PATH}"
+    echo "${ETCD_PEER_KEY}" | base64 --decode > "${ETCD_PEER_PRIVATE_KEY_PATH}"
+
+    ETCD_SERVER_CERTIFICATE_PATH="/etc/kubernetes/certs/etcdserver.crt"
+    touch "${ETCD_SERVER_CERTIFICATE_PATH}"
+    chmod 0644 "${ETCD_SERVER_CERTIFICATE_PATH}"
+    chown root:root "${ETCD_SERVER_CERTIFICATE_PATH}"
+    echo "${ETCD_SERVER_CERTIFICATE}" | base64 --decode > "${ETCD_SERVER_CERTIFICATE_PATH}"
+
+    ETCD_CLIENT_CERTIFICATE_PATH="/etc/kubernetes/certs/etcdclient.crt"
+    touch "${ETCD_CLIENT_CERTIFICATE_PATH}"
+    chmod 0644 "${ETCD_CLIENT_CERTIFICATE_PATH}"
+    chown root:root "${ETCD_CLIENT_CERTIFICATE_PATH}"
+    echo "${ETCD_CLIENT_CERTIFICATE}" | base64 --decode > "${ETCD_CLIENT_CERTIFICATE_PATH}"
+
+    ETCD_PEER_CERTIFICATE_PATH="/etc/kubernetes/certs/etcdpeer${MASTER_INDEX}.crt"
+    touch "${ETCD_PEER_CERTIFICATE_PATH}"
+    chmod 0644 "${ETCD_PEER_CERTIFICATE_PATH}"
+    chown root:root "${ETCD_PEER_CERTIFICATE_PATH}"
+    echo "${ETCD_PEER_CERT}" | base64 --decode > "${ETCD_PEER_CERTIFICATE_PATH}"
+
+    echo `date`,`hostname`, finishedGettingEtcdCerts>>/opt/m
+    mkdir -p /opt/azure/containers && touch /opt/azure/containers/etcdcerts.complete
 else
-    echo "CA_PRIVATE_KEY is empty, assuming worker node"
+    echo "skipping master node provision operations, this is an agent node"
 fi
 
-ETCD_SERVER_PRIVATE_KEY_PATH="/etc/kubernetes/certs/etcdserver.key"
-touch "${ETCD_SERVER_PRIVATE_KEY_PATH}"
-chmod 0600 "${ETCD_SERVER_PRIVATE_KEY_PATH}"
-chown root:root "${ETCD_SERVER_PRIVATE_KEY_PATH}"
-echo "${ETCD_SERVER_PRIVATE_KEY}" | base64 --decode > "${ETCD_SERVER_PRIVATE_KEY_PATH}"
-
-ETCD_CLIENT_PRIVATE_KEY_PATH="/etc/kubernetes/certs/etcdclient.key"
-touch "${ETCD_CLIENT_PRIVATE_KEY_PATH}"
-chmod 0600 "${ETCD_CLIENT_PRIVATE_KEY_PATH}"
-chown root:root "${ETCD_CLIENT_PRIVATE_KEY_PATH}"
-echo "${ETCD_CLIENT_PRIVATE_KEY}" | base64 --decode > "${ETCD_CLIENT_PRIVATE_KEY_PATH}"
-
-ETCD_PEER_PRIVATE_KEY_PATH="/etc/kubernetes/certs/etcdpeer${MASTER_INDEX}.key"
-touch "${ETCD_PEER_PRIVATE_KEY_PATH}"
-chmod 0600 "${ETCD_PEER_PRIVATE_KEY_PATH}"
-chown root:root "${ETCD_PEER_PRIVATE_KEY_PATH}"
-echo "${ETCD_PEER_KEY}" | base64 --decode > "${ETCD_PEER_PRIVATE_KEY_PATH}"
-
-ETCD_SERVER_CERTIFICATE_PATH="/etc/kubernetes/certs/etcdserver.crt"
-touch "${ETCD_SERVER_CERTIFICATE_PATH}"
-chmod 0644 "${ETCD_SERVER_CERTIFICATE_PATH}"
-chown root:root "${ETCD_SERVER_CERTIFICATE_PATH}"
-echo "${ETCD_SERVER_CERTIFICATE}" | base64 --decode > "${ETCD_SERVER_CERTIFICATE_PATH}"
-
-ETCD_CLIENT_CERTIFICATE_PATH="/etc/kubernetes/certs/etcdclient.crt"
-touch "${ETCD_CLIENT_CERTIFICATE_PATH}"
-chmod 0644 "${ETCD_CLIENT_CERTIFICATE_PATH}"
-chown root:root "${ETCD_CLIENT_CERTIFICATE_PATH}"
-echo "${ETCD_CLIENT_CERTIFICATE}" | base64 --decode > "${ETCD_CLIENT_CERTIFICATE_PATH}"
-
-ETCD_PEER_CERTIFICATE_PATH="/etc/kubernetes/certs/etcdpeer${MASTER_INDEX}.crt"
-touch "${ETCD_PEER_CERTIFICATE_PATH}"
-chmod 0644 "${ETCD_PEER_CERTIFICATE_PATH}"
-chown root:root "${ETCD_PEER_CERTIFICATE_PATH}"
-echo "${ETCD_PEER_CERT}" | base64 --decode > "${ETCD_PEER_CERTIFICATE_PATH}"
-
-echo `date`,`hostname`, finishedGettingEtcdCerts>>/opt/m
-mkdir -p /opt/azure/containers && touch /opt/azure/containers/etcdcerts.complete
-
 KUBELET_PRIVATE_KEY_PATH="/etc/kubernetes/certs/client.key"
 touch "${KUBELET_PRIVATE_KEY_PATH}"
 chmod 0600 "${KUBELET_PRIVATE_KEY_PATH}"
@@ -699,7 +691,7 @@ ensureRunCommandCompleted
 echo `date`,`hostname`, RunCmdCompleted>>/opt/m
 
 # master only
-if [[ ! -z "${APISERVER_PRIVATE_KEY}" ]]; then
+if [[ ! -z "${MASTER_NODE}" ]]; then
     writeKubeConfig
     ensureKubectl
     ensureEtcdDataDir
@@ -713,7 +705,6 @@ if [[ $OS == $UBUNTU_OS_NAME ]]; then
     echo 2dd1ce17-079e-403c-b352-a1921ee207ee > /sys/bus/vmbus/drivers/hv_util/unbind
     sed -i "13i\echo 2dd1ce17-079e-403c-b352-a1921ee207ee > /sys/bus/vmbus/drivers/hv_util/unbind\n" /etc/rc.local
 
-    # If APISERVER_PRIVATE_KEY is empty, then we are not on the master
     apt-mark unhold walinuxagent
 fi
 

diff --git a/parts/k8s/kubernetesmastervars.t b/parts/k8s/kubernetesmastervars.t
@@ -176,7 +176,7 @@
     "provisionScriptParametersCommon": "[concat('TENANT_ID=',variables('tenantID'),' APISERVER_PUBLIC_KEY=',variables('apiserverCertificate'),' SUBSCRIPTION_ID=',variables('subscriptionId'),' RESOURCE_GROUP=',variables('resourceGroup'),' LOCATION=',variables('location'),' SUBNET=',variables('subnetName'),' NETWORK_SECURITY_GROUP=',variables('nsgName'),' VIRTUAL_NETWORK=',variables('virtualNetworkName'),' VIRTUAL_NETWORK_RESOURCE_GROUP=',variables('virtualNetworkResourceGroupName'),' ROUTE_TABLE=',variables('routeTableName'),' PRIMARY_AVAILABILITY_SET=',variables('primaryAvailabilitySetName'),' SERVICE_PRINCIPAL_CLIENT_ID=',variables('servicePrincipalClientId'),' SERVICE_PRINCIPAL_CLIENT_SECRET=',variables('servicePrincipalClientSecret'),' KUBELET_PRIVATE_KEY=',variables('clientPrivateKey'),' TARGET_ENVIRONMENT=',variables('targetEnvironment'),' NETWORK_POLICY=',variables('networkPolicy'),' FQDNSuffix=',variables('fqdnEndpointSuffix'),' VNET_CNI_PLUGINS_URL=',variables('vnetCniLinuxPluginsURL'),' CNI_PLUGINS_URL=',variables('cniPluginsURL'),' MAX_PODS=',variables('maxPods'),' CLOUDPROVIDER_BACKOFF=',variables('cloudProviderBackoff'),' CLOUDPROVIDER_BACKOFF_RETRIES=',variables('cloudProviderBackoffRetries'),' CLOUDPROVIDER_BACKOFF_EXPONENT=',variables('cloudProviderBackoffExponent'),' CLOUDPROVIDER_BACKOFF_DURATION=',variables('cloudProviderBackoffDuration'),' CLOUDPROVIDER_BACKOFF_JITTER=',variables('cloudProviderBackoffJitter'),' CLOUDPROVIDER_RATELIMIT=',variables('cloudProviderRatelimit'),' CLOUDPROVIDER_RATELIMIT_QPS=',variables('cloudProviderRatelimitQPS'),' CLOUDPROVIDER_RATELIMIT_BUCKET=',variables('cloudProviderRatelimitBucket'),' USE_MANAGED_IDENTITY_EXTENSION=',variables('useManagedIdentityExtension'),' USE_INSTANCE_METADATA=',variables('useInstanceMetadata'),' CONTAINER_RUNTIME=',variables('containerRuntime'))]",
 
 {{if not IsHostedMaster}}
-    "provisionScriptParametersMaster": "[concat('APISERVER_PRIVATE_KEY=',variables('apiServerPrivateKey'),' CA_CERTIFICATE=',variables('caCertificate'),' CA_PRIVATE_KEY=',variables('caPrivateKey'),' MASTER_FQDN=',variables('masterFqdnPrefix'),' KUBECONFIG_CERTIFICATE=',variables('kubeConfigCertificate'),' KUBECONFIG_KEY=',variables('kubeConfigPrivateKey'),' ETCD_SERVER_CERTIFICATE=',variables('etcdServerCertificate'),' ETCD_CLIENT_CERTIFICATE=',variables('etcdClientCertificate'),' ETCD_SERVER_PRIVATE_KEY=',variables('etcdServerPrivateKey'),' ETCD_CLIENT_PRIVATE_KEY=',variables('etcdClientPrivateKey'),' ETCD_PEER_CERTIFICATES=',string(variables('etcdPeerCertificates')),' ETCD_PEER_PRIVATE_KEYS=',string(variables('etcdPeerPrivateKeys')),' ADMINUSER=',variables('username'))]",
+    "provisionScriptParametersMaster": "[concat('MASTER_NODE=true APISERVER_PRIVATE_KEY=',variables('apiServerPrivateKey'),' CA_CERTIFICATE=',variables('caCertificate'),' CA_PRIVATE_KEY=',variables('caPrivateKey'),' MASTER_FQDN=',variables('masterFqdnPrefix'),' KUBECONFIG_CERTIFICATE=',variables('kubeConfigCertificate'),' KUBECONFIG_KEY=',variables('kubeConfigPrivateKey'),' ETCD_SERVER_CERTIFICATE=',variables('etcdServerCertificate'),' ETCD_CLIENT_CERTIFICATE=',variables('etcdClientCertificate'),' ETCD_SERVER_PRIVATE_KEY=',variables('etcdServerPrivateKey'),' ETCD_CLIENT_PRIVATE_KEY=',variables('etcdClientPrivateKey'),' ETCD_PEER_CERTIFICATES=',string(variables('etcdPeerCertificates')),' ETCD_PEER_PRIVATE_KEYS=',string(variables('etcdPeerPrivateKeys')),' ADMINUSER=',variables('username'))]",
 {{end}}
     "generateProxyCertsScript": "{{GetKubernetesB64GenerateProxyCerts}}",
     "orchestratorNameVersionTag": "{{.OrchestratorProfile.OrchestratorType}}:{{.OrchestratorProfile.OrchestratorVersion}}",