Cleaning up the setup instructions for Kubernetes 1.7 #1005
@@ -9,8 +9,8 @@ metadata: | |
heritage: "{{ .Release.Service }}" | ||
type: Opaque | ||
data: | ||
tls.crt: {{ .Values.apiserver.tls.cert }} | ||
tls.key: {{ .Values.apiserver.tls.key }} | ||
tls.crt: {{ (.Files.Get .Values.apiserver.tls.certFileName) | b64enc }} | ||
tls.key: {{ (.Files.Get .Values.apiserver.tls.keyFileName) | b64enc }} | ||
is
yes, it uses sprig for template functions. relevant docs: https://masterminds.github.io/sprig/encoding.html
{{- if .Values.apiserver.tls.requestHeaderCA }} | ||
requestheader-ca.crt: {{ .Values.apiserver.tls.requestHeaderCA }} | ||
{{- end }} |
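Review bot: The new `tls.crt` and `tls.key` lines render silently empty when `certFileName`/`keyFileName` is unset or names a file that is not in the chart, because `.Files.Get` returns an empty string for a missing path and `b64enc` encodes it without complaint; the failure then only shows up when the API server tries to load an empty PEM. Wrapping the lookup in `required` (available since Helm 2.3) turns that into a render-time error: `tls.crt: {{ (.Files.Get (required "apiserver.tls.certFileName must be set" .Values.apiserver.tls.certFileName)) | b64enc }}`, and the same for `tls.key`. Since `.Files.Get` only reads files inside the chart directory, the private key must be copied into the chart tree before `helm install`; a comment above `data:` stating that, and that the copied key file must not be committed, would save the next user a surprise. The untouched `requestheader-ca.crt` line still takes a base64 value straight from values, which is now inconsistent with the file-name approach of the two lines above it.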
@@ -59,6 +59,8 @@ spec: | |
- "{{ .Values.apiserver.verbosity }}" | ||
{{- if .Values.apiserver.tls.requestHeaderCA }} | ||
- --requestheader-client-ca-file=/var/run/kubernetes-service-catalog/requestheader-ca.crt | ||
{{ else }} | ||
- --authentication-skip-lookup=true | ||
{{- end }} | ||
{{- if not .Values.apiserver.auth.enabled }} | ||
- --disable-auth | ||
|
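Review bot: The new `{{ else }}` lacks the left-trim marker that the surrounding `{{- if` and `{{- end }}` use, so the rendered args list gains a whitespace-only line between the two branches; `{{- else }}` keeps the output consistent with the rest of the template. The fallback branch also changes the server's authentication posture whenever `requestHeaderCA` is left empty, and nothing in the template records that this is deliberate; a template comment such as `{{/* no front-proxy CA configured: skip the aggregator authn lookup */}}` above the else branch would make the trade-off visible to whoever edits the args next. The enclosing container spec starts and ends outside the hunk.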
@@ -25,13 +25,22 @@ apiserver: | |
# for more information on proper values of this field | ||
versionPriority: 20 | ||
tls: | ||
# Base64-encoded certificate authority for the APIService object to register | ||
# the Service Catalog API with the apiregistration | ||
ca: "" | ||
# Base64-encoded x509 certificate | ||
cert: 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 | ||
# The name of the file that contains the certificate authority for the APIService object to | ||
# register the Service Catalog API with the API aggregator in the APIRegistration object. | ||
# This field is required if apiserver.auth.enabled is true. | ||
caFileName: | ||
# The name of the file that contains the x509 certificate for use in the aforementioned | ||
# APIService object. This field is required if apiserver.auth.enabled is true. | ||
I don't think so. RBAC and delegated authn/authz can happen while still serving with self-signed certs
certFileName: | ||
# The name of the file that contains the private key for use in the aforementioned APIService | ||
# object. This field is required if apiserver.auth.enabled is true. | ||
# Base64-encoded private key | ||
key: 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 | ||
keyFileName: | ||
# The name of the file that contains the CA to authenticate connections from API server | ||
# proxies. This field is not required. If it is not set, the service-catalog API server | ||
# will be started with the --authentication-skip-lookup flag, which will disable the auth checks | ||
I'm not sure setting CA should tie to setting this other flag.
they seem to be one or the other
Agree with @MHBauer
# from the API server proxies as well as client cert authentication. | ||
requestHeaderCA: | ||
# Attributes of the apiserver's service resource | ||
service: | ||
# Type of service; valid values are "LoadBalancer" and "NodePort" | ||
|
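Review bot: The new `caFileName:`, `certFileName:`, `keyFileName:` and `requestHeaderCA:` keys are bare, which YAML reads as null rather than the empty string the replaced `ca: ""` used; an `{{ if }}` treats both the same, but the secret template passes the value to `.Files.Get`, which presumably fails at render time on a nil argument instead of giving a clear message. Writing `caFileName: ""` (and likewise for the other three) keeps the documented "unset" state an explicit string. The comments say what each file contains but not where it has to live: `.Files.Get` only reads paths inside the chart, so the key file must be copied under the chart root before install, where it is one `git add` away from being committed; a line such as `# Path relative to the chart root; keep the copied key file out of version control.` above `keyFileName` would cover both points.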
@@ -1,4 +1,3 @@ | ||
|
||
# Setting up Service Catalog for API Aggregation in Kubernetes | ||
|
||
The aggregator is a server that sits in front of the core API | ||
|
@@ -15,7 +14,7 @@ certificate bundle to the APIService apiregistration endpoint. | |
|
||
For development purposes, it is convenient to use the existing CA | ||
automatically set up by the kubernetes development environment. The | ||
[script in contrib](../contrib/svc-cat-apiserver-aggregation-tls-setup.sh) | ||
[script in the catalog chart](../charts/catalog/aggregation-tls-setup.sh) | ||
generates a fresh CA and certificate setup, without using any existing | ||
kubernetes infrastructure CAs or certificates. This script should be | ||
`source`ed to define all of the variables it contains in the current | ||
|
@@ -179,12 +178,14 @@ keys we just generated inline. | |
|
||
``` | ||
helm install charts/catalog \ | ||
--name ${HELM_NAME} --namespace ${SVCCAT_NAMESPACE} \ | ||
--name ${HELM_NAME} \ | ||
--namespace ${SVCCAT_NAMESPACE} \ | ||
--set apiserver.auth.enabled=true \ | ||
I think we should just switch this to true by default, see #981
--set useAggregator=true \ | ||
--set apiserver.tls.ca=$(base64 --wrap 0 ${SC_SERVING_CA}) \ | ||
--set apiserver.tls.cert=$(base64 --wrap 0 ${SC_SERVING_CERT}) \ | ||
--set apiserver.tls.key=$(base64 --wrap 0 ${SC_SERVING_KEY}) | ||
--set useAggregator=true \ | ||
I think we should just switch this to true by default, see #981
I think it would be fine for #981 to do that.
--set apiserver.insecure=false \ | ||
I think we should just switch this to false by default, see #981
--set apiserver.tls.caFileName=${SC_SERVING_CA} \ | ||
--set apiserver.tls.certFileName=${SC_SERVING_CERT} \ | ||
--set apiserver.tls.keyFileName=${SC_SERVING_KEY} | ||
``` | ||
|
||
`servicecatalog.k8s.io/v1alpha1` should show up under `kubectl | ||
|
@@ -211,5 +212,12 @@ Before installing the helm chart, run the script in contrib by | |
`source`ing it, to define all of the necessary variables. | ||
|
||
```shell | ||
source /contrib/svc-cat-apiserver-aggregation-tls-setup.sh | ||
source charts/catalog/aggregation/tls-setup/sh | ||
``` | ||
|
||
To delete, all resources, execute the following: | ||
|
||
```console | ||
helm delete --purge catalog | ||
kubectl delete apiservice v1alpha1.servicecatalog.k8s.io | ||
``` |
can we put these in a subdir to isolate them?
I'm not sure, I know this works at the top level chart directory though, and I'd rather make progress this way for now