cluster/clustercfg: add clustercfg-nocerts
diff --git a/cluster/clustercfg/clustercfg.py b/cluster/clustercfg/clustercfg.py
index a438a4c..dac2a13 100644
--- a/cluster/clustercfg/clustercfg.py
+++ b/cluster/clustercfg/clustercfg.py
@@ -129,7 +129,7 @@
configure_k8s(username, ca_kube._cert, local_crt, local_key)
-def nodestrap(args):
+def nodestrap(args, nocerts=False):
if len(args) != 1:
sys.stderr.write("Usage: nodestrap bc01n01.hswaw.net\n")
return 1
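Review bot: `nocerts` is a boolean switch that is only ever passed by keyword from the dispatcher, so it should be keyword-only and documented, because a positional `True` here silently changes a bootstrap from "issue and upload node PKI" to "upload config only": `def nodestrap(args, *, nocerts=False):`. The function has no docstring; add one stating that with `nocerts=True` no CA is touched and no certificate or key is generated or uploaded, so the node is expected to already hold the PKI material at the paths the normal run would write. The usage line `sys.stderr.write("Usage: nodestrap bc01n01.hswaw.net\n")` is also printed when the caller invoked `nodestrap-nocerts`, so either derive the mode name from `nocerts` or mention both forms. nodestrap's body continues past the end of this hunk.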
@@ -138,67 +138,68 @@
logger.info("Nodestrapping {}...".format(fqdn))
r = fabric.Connection('root@{}'.format(fqdn))
- cfg = dict((k, pki_config(k)) for k in [
- 'etcdPeer', 'etcd.server', 'etcd.kube'
- ])
- certs_root = os.path.join(local_root, 'cluster/certs')
+ if not nocerts:
+ cfg = dict((k, pki_config(k)) for k in [
+ 'etcdPeer', 'etcd.server', 'etcd.kube'
+ ])
+ certs_root = os.path.join(local_root, 'cluster/certs')
- # Make etcd peer certificate for node.
- ca_etcd_peer = ca.CA(ss, certs_root, 'etcdpeer', 'etcd peer ca')
- ca_etcd_peer.upload(r, cfg['etcdPeer']['ca'])
- c = ca_etcd_peer.make_cert('etcdpeer-{}'.format(fqdn), hosts=[fqdn], ou='node etcd peer certificate')
- c.upload_pki(r, cfg['etcdPeer'])
+ # Make etcd peer certificate for node.
+ ca_etcd_peer = ca.CA(ss, certs_root, 'etcdpeer', 'etcd peer ca')
+ ca_etcd_peer.upload(r, cfg['etcdPeer']['ca'])
+ c = ca_etcd_peer.make_cert('etcdpeer-{}'.format(fqdn), hosts=[fqdn], ou='node etcd peer certificate')
+ c.upload_pki(r, cfg['etcdPeer'])
- # Make etcd server certificate for node and client certificate for kube.
- ca_etcd = ca.CA(ss, certs_root, 'etcd', 'etcd ca')
- ca_etcd.upload(r, cfg['etcd.server']['ca'])
+ # Make etcd server certificate for node and client certificate for kube.
+ ca_etcd = ca.CA(ss, certs_root, 'etcd', 'etcd ca')
+ ca_etcd.upload(r, cfg['etcd.server']['ca'])
- c = ca_etcd.make_cert('etcd-{}'.format(fqdn), hosts=[fqdn], ou='node etcd server certificate')
- c.upload_pki(r, cfg['etcd.server'])
+ c = ca_etcd.make_cert('etcd-{}'.format(fqdn), hosts=[fqdn], ou='node etcd server certificate')
+ c.upload_pki(r, cfg['etcd.server'])
- c = ca_etcd.make_cert('etcd-kube', hosts=['kube'], ou='kube etcd client certificate')
- c.upload_pki(r, cfg['etcd.kube'])
+ c = ca_etcd.make_cert('etcd-kube', hosts=['kube'], ou='kube etcd client certificate')
+ c.upload_pki(r, cfg['etcd.kube'])
- # Make root etcd client (do not upload).
- ca_etcd.make_cert('etcd-root', hosts=['root'], ou='root etcd client certificate')
+ # Make root etcd client (do not upload).
+ ca_etcd.make_cert('etcd-root', hosts=['root'], ou='root etcd client certificate')
- # Make calico etcd client (do not upload, used by jsonnet).
- ca_etcd.make_cert('etcd-calico', hosts=['calico'], ou='root etcd client certificate')
+ # Make calico etcd client (do not upload, used by jsonnet).
+ ca_etcd.make_cert('etcd-calico', hosts=['calico'], ou='root etcd client certificate')
- ## Make kube certificates.
- ca_kube = ca.CA(ss, certs_root, 'kube', 'kubernetes main CA')
+ ## Make kube certificates.
+ ca_kube = ca.CA(ss, certs_root, 'kube', 'kubernetes main CA')
- # Make kubelet certificate (per node).
- c = ca_kube.make_cert('kube-kubelet-'+fqdn, o='system:nodes', ou='Kubelet', hosts=['system:node:'+fqdn, fqdn])
- c.upload_pki(r, pki_config('kube.kubelet'))
+ # Make kubelet certificate (per node).
+ c = ca_kube.make_cert('kube-kubelet-'+fqdn, o='system:nodes', ou='Kubelet', hosts=['system:node:'+fqdn, fqdn])
+ c.upload_pki(r, pki_config('kube.kubelet'))
- # Make apiserver certificate.
- c = ca_kube.make_cert('kube-apiserver', ou='Kubernetes API', hosts=[cluster, '10.10.12.1'])
- c.upload_pki(r, pki_config('kube.apiserver'), concat_ca=True)
+ # Make apiserver certificate.
+ c = ca_kube.make_cert('kube-apiserver', ou='Kubernetes API', hosts=[cluster, '10.10.12.1'])
+ c.upload_pki(r, pki_config('kube.apiserver'), concat_ca=True)
- # Make service accounts decryption key (as cert for consistency).
- c = ca_kube.make_cert('kube-serviceaccounts', ou='Kubernetes Service Accounts Signer', hosts=['serviceaccounts'])
- c.upload_pki(r, pki_config('kube.serviceaccounts'))
+ # Make service accounts decryption key (as cert for consistency).
+ c = ca_kube.make_cert('kube-serviceaccounts', ou='Kubernetes Service Accounts Signer', hosts=['serviceaccounts'])
+ c.upload_pki(r, pki_config('kube.serviceaccounts'))
- # Make kube component certificates.
- kube_components = ['controllermanager', 'scheduler', 'proxy']
- cfg = dict((k, pki_config('kube.' + k)) for k in kube_components)
- for k in kube_components:
- ca_kube.upload(r, cfg[k]['ca'])
- # meh
- if k == 'controllermanager':
- o = 'system:kube-controller-manager'
- else:
- o = 'system:kube-'+k
- ou = 'Kubernetes Component '+k
- c = ca_kube.make_cert('kube-'+k, ou=ou, o=o, hosts=[o,])
- c.upload_pki(r, cfg[k])
+ # Make kube component certificates.
+ kube_components = ['controllermanager', 'scheduler', 'proxy']
+ cfg = dict((k, pki_config('kube.' + k)) for k in kube_components)
+ for k in kube_components:
+ ca_kube.upload(r, cfg[k]['ca'])
+ # meh
+ if k == 'controllermanager':
+ o = 'system:kube-controller-manager'
+ else:
+ o = 'system:kube-'+k
+ ou = 'Kubernetes Component '+k
+ c = ca_kube.make_cert('kube-'+k, ou=ou, o=o, hosts=[o,])
+ c.upload_pki(r, cfg[k])
- ## Make kubefront certificates.
- ca_kubefront = ca.CA(ss, certs_root, 'kubefront', 'kubernetes frontend CA')
- ca_kubefront.upload(r, pki_config('kubeFront.apiserver')['ca'])
- c = ca_kubefront.make_cert('kubefront-apiserver', ou='Kubernetes Frontend', hosts=['apiserver'])
- c.upload_pki(r, pki_config('kubeFront.apiserver'))
+ ## Make kubefront certificates.
+ ca_kubefront = ca.CA(ss, certs_root, 'kubefront', 'kubernetes frontend CA')
+ ca_kubefront.upload(r, pki_config('kubeFront.apiserver')['ca'])
+ c = ca_kubefront.make_cert('kubefront-apiserver', ou='Kubernetes Frontend', hosts=['apiserver'])
+ c.upload_pki(r, pki_config('kubeFront.apiserver'))
# Upload NixOS config
for f in ['toplevel', 'cluster-configuration']:
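Review bot: Nothing in the `nocerts` branch checks that the node actually has the material the skipped block would have uploaded, yet the `# Upload NixOS config` step that follows still runs unconditionally, so a fresh node run through `nodestrap-nocerts` receives a configuration that references cert and key paths that do not exist on it. At minimum make the skip visible in the bootstrap log, e.g. `logger.warning("Skipping PKI generation for {}; expecting existing certificates on the node".format(fqdn))` in an explicit `if nocerts:` arm, and preferably verify over the existing `fabric` connection `r` that the target paths from `pki_config(...)` are present before uploading the config (the exact path keys are not visible here, only that each config dict carries a `'ca'` entry). As a matter of style, re-indenting ~80 lines under `if not nocerts:` makes the diff hard to review and leaves `cfg` defined only on one branch; extracting the PKI work into a helper such as `_issue_node_pki(r, fqdn, cluster, ss, certs_root)` and calling it from a single conditional keeps the function flat. The enclosing `nodestrap` starts before this hunk and continues after it.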
@@ -220,6 +221,8 @@
mode = sys.argv[1]
if mode == "nodestrap":
return nodestrap(sys.argv[2:])
+ elif mode == "nodestrap-nocerts":
+ return nodestrap(sys.argv[2:], nocerts=True)
elif mode == "admincreds":
return admincreds(sys.argv[2:])
elif mode == "config":