Created
June 1, 2018 09:56
# Refresh kubernetes certs with consul-template
#
# Each template below renders one TLS artifact from Vault into the bootkube
# assets directory; the exec hooks on the CA templates push those CAs into the
# host trust store.
#
# NOTE(review): no ca_cert/ca_path or token settings appear here, so the HTTPS
# connection to Vault is verified against the host's default trust store (which
# the CA templates below modify) and the token presumably comes from the
# environment or another config file -- confirm.
vault {
  address = "https://vault.service.consul:8200"
}
# ============================================================
# Read etcd CA
# /etc/bootkube/assets/tls/etcd-client-ca.crt
# ============================================================
# Plain read of the etcd PKI mount's CA chain (no certificate issuance);
# re-rendered whenever the chain changes.
template {
  contents = <<EOF
{{ with secret "platform/etcd/pki/cert/ca_chain" }}{{ .Data.certificate }}{{ end }}
EOF
  # Public material, so group-readable is acceptable (the Kubernetes CA
  # template below uses 0600 for the same kind of file).
  perms = 0660
  destination = "/etc/bootkube/assets/tls/etcd-client-ca.crt"
  # Runs after each (re)render: links the CA into the host trust store and
  # rebuilds it.
  # NOTE(review): system-wide trust means every certificate this CA issues is
  # trusted by every TLS client on the host -- check that the roles on this
  # Vault mount cannot issue server certificates for arbitrary names. Also
  # confirm the host's update-ca-certificates picks up a .crt symlink dropped
  # directly into /etc/ssl/certs/ (some implementations only scan their own
  # source directories).
  exec {
    command = "/usr/bin/bash -c \"ln -fs /etc/bootkube/assets/tls/etcd-client-ca.crt /etc/ssl/certs/ && /usr/sbin/update-ca-certificates > /dev/null\""
  }
}
# ============================================================
# Update Etcd client certs
# /etc/bootkube/assets/tls/etcd-client.key
# /etc/bootkube/assets/tls/etcd-client.crt
# ============================================================
# Certificate half of the etcd client identity, issued from the "client" role
# with a 6h TTL. The secret call must stay byte-identical to the one in the
# etcd-client.key template below: identical calls resolve to the same
# issuance, while any differing argument yields a second, unrelated key pair
# and a .crt that does not match the .key.
template {
  contents = <<EOF
{{ with secret "platform/etcd/pki/issue/client" "common_name=etcd@localhost" "alt_names=etcd.identity.development.eeveebank.internal" "ttl=6h" }}{{ .Data.certificate }}{{ end }}
EOF
  perms = 0660
  destination = "/etc/bootkube/assets/tls/etcd-client.crt"
}
# Private-key half of the etcd client identity; same secret call as the
# etcd-client.crt template above so both render from one issuance.
template {
  contents = <<EOF
{{ with secret "platform/etcd/pki/issue/client" "common_name=etcd@localhost" "alt_names=etcd.identity.development.eeveebank.internal" "ttl=6h" }}{{ .Data.private_key }}{{ end }}
EOF
  # NOTE(review): this is a private key and 0660 leaves it group-readable;
  # prefer 0600 unless a specific non-root group on the host must read it.
  perms = 0660
  destination = "/etc/bootkube/assets/tls/etcd-client.key"
}
# ============================================================
# Update Kubernetes CA
# /etc/bootkube/assets/tls/ca.crt
# ============================================================
# Renders the Kubernetes CA chain by issuing an "instance" certificate for the
# master and keeping only the ca_chain entries from the response (one PEM block
# per line of the range).
# NOTE(review): every renewal (ttl=6h) mints and discards a k8s-master key pair
# just to read the chain; a plain read of platform/kubernetes/pki/cert/ca_chain,
# as the etcd CA template does, would avoid that if this mount returns its chain
# there. COREOS_EC2_IPV4_LOCAL must be present in consul-template's environment:
# if it is unset the printf below produces "ip_sans=127.0.0.1," with a dangling
# comma.
template {
  contents = <<EOF
{{ $ip := env "COREOS_EC2_IPV4_LOCAL" }}
{{ $ip_sans := printf "ip_sans=127.0.0.1,%s" $ip }}
{{ with secret "platform/kubernetes/pki/issue/instance" "common_name=k8s-master.identity.development.eeveebank.internal" $ip_sans "ttl=6h" }}{{ range .Data.ca_chain }}{{ . }}
{{ end }}{{ end }}
EOF
  perms = 0600
  destination = "/etc/bootkube/assets/tls/ca.crt"
  # Link the cluster CA into the host trust store and rebuild it.
  # NOTE(review): this trusts every certificate the cluster CA issues
  # (including the client certificates rendered below) for all TLS clients on
  # the host -- check the Vault roles restrict server usage and allowed names.
  exec {
    command = "/usr/bin/bash -c \"ln -fs /etc/bootkube/assets/tls/ca.crt /etc/ssl/certs/ && /usr/sbin/update-ca-certificates > /dev/null\""
  }
}
# ============================================================
# Update api-server certs
# /etc/bootkube/assets/tls/apiserver.key
# /etc/bootkube/assets/tls/apiserver.crt
# ============================================================
# API server serving certificate: CN is the node's HOSTNAME, SANs cover the
# in-cluster service names, the external master name, the loopback and
# 172.20.0.1 (presumably the kubernetes service ClusterIP -- confirm), plus the
# node's EC2 private IP. Must stay byte-identical to the secret call in the
# apiserver.key template below so both render from one issuance.
# NOTE(review): this is a server certificate issued from the "client" role;
# confirm that role allows server usage and these names/IP SANs. HOSTNAME and
# COREOS_EC2_IPV4_LOCAL must be exported into consul-template's environment
# (systemd units do not set HOSTNAME by default). The lists carry a space after
# each comma; confirm Vault trims them, or drop the spaces as the CA template
# above does.
template {
  contents = <<EOF
{{ $node_name := env "HOSTNAME" }}
{{ $common_name := printf "common_name=%s" $node_name }}
{{ $ip := env "COREOS_EC2_IPV4_LOCAL" }}
{{ $ip_sans := printf "ip_sans=127.0.0.1, 172.20.0.1, %s" $ip }}
{{ $alt_names := printf "alt_names=kubernetes, kubernetes.default, kubernetes.default.svc, kubernetes.default.svc.cluster.local, master.identity.development.eeveebank.internal, %s" $node_name }}
{{ with secret "platform/kubernetes/pki/issue/client" $common_name $alt_names $ip_sans "ttl=6h" }}{{ .Data.certificate }}{{ end }}
EOF
  perms = 0660
  destination = "/etc/bootkube/assets/tls/apiserver.crt"
}
# API server private key; same secret call as the apiserver.crt template above
# so both render from one issuance.
template {
  contents = <<EOF
{{ $node_name := env "HOSTNAME" }}
{{ $common_name := printf "common_name=%s" $node_name }}
{{ $ip := env "COREOS_EC2_IPV4_LOCAL" }}
{{ $ip_sans := printf "ip_sans=127.0.0.1, 172.20.0.1, %s" $ip }}
{{ $alt_names := printf "alt_names=kubernetes, kubernetes.default, kubernetes.default.svc, kubernetes.default.svc.cluster.local, master.identity.development.eeveebank.internal, %s" $node_name }}
{{ with secret "platform/kubernetes/pki/issue/client" $common_name $alt_names $ip_sans "ttl=6h" }}{{ .Data.private_key }}{{ end }}
EOF
  # NOTE(review): private key left group-readable (0660); prefer 0600 unless a
  # specific non-root group must read it.
  perms = 0660
  destination = "/etc/bootkube/assets/tls/apiserver.key"
}
# ============================================================
# Update admin certs
# /etc/bootkube/assets/tls/admin.key
# /etc/bootkube/assets/tls/admin.crt
# ============================================================
# Admin client certificate for the API server. Kubernetes takes the user name
# from the CN and groups from the O field; what this identity may do therefore
# depends on RBAC bindings and on any organization the Vault role sets, neither
# of which is visible here. Must stay byte-identical to the secret call in the
# admin.key template below.
template {
  contents = <<EOF
{{ with secret "platform/kubernetes/pki/issue/client" "common_name=k8s-admin.identity.development.eeveebank.internal" "ttl=6h" }}{{ .Data.certificate }}{{ end }}
EOF
  perms = 0660
  destination = "/etc/bootkube/assets/tls/admin.crt"
}
# Admin private key; same secret call as the admin.crt template above.
template {
  contents = <<EOF
{{ with secret "platform/kubernetes/pki/issue/client" "common_name=k8s-admin.identity.development.eeveebank.internal" "ttl=6h" }}{{ .Data.private_key }}{{ end }}
EOF
  # NOTE(review): this key carries whatever privileges the admin identity has;
  # 0660 leaves it group-readable on the host. Prefer 0600.
  perms = 0660
  destination = "/etc/bootkube/assets/tls/admin.key"
}
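# ============================================================
# Update service account certs
# /etc/bootkube/assets/tls/service-account.pem (rendered certificate)
# /etc/bootkube/assets/tls/service-account.pub (public key, extracted by exec)
# /etc/bootkube/assets/tls/service-account.key
# ============================================================
# Certificate half of the service-account token signing key pair. Only the
# public key is needed on this side: the certificate is rendered to
# service-account.pem and the exec hook extracts the PEM public key from it.
#
# The secret call MUST be byte-identical to the one in the service-account.key
# template: identical calls resolve to one issuance, while any differing
# argument issues a second, unrelated key pair. The original spelled the common
# name "k8s-service-accoun" here and "k8s-service-account" in the .key
# template, so the .pub extracted below did not belong to the private key in
# service-account.key and tokens signed with that key could not be verified.
#
# NOTE(review): rendering certificate and key from one template (one file,
# split by the exec hook) would remove the dependence on the two calls matching.
# Also, ttl=6h rotates the signing key pair every six hours; the API server
# reads its service-account key files at start, so confirm the consumer is
# restarted and that previously issued tokens are expected to stop verifying.
template {
  contents = <<EOF
{{ with secret "platform/kubernetes/pki/issue/client" "common_name=k8s-service-account.identity.development.eeveebank.internal" "ttl=6h" }}{{ .Data.certificate }}{{ end }}
EOF
  perms = 0660
  destination = "/etc/bootkube/assets/tls/service-account.pem"
  # Derive the PEM public key the API server verifies service-account tokens with.
  exec {
    command = "/usr/bin/bash -c 'openssl x509 -pubkey -noout -in /etc/bootkube/assets/tls/service-account.pem > /etc/bootkube/assets/tls/service-account.pub'"
  }
}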
# Private half of the service-account token signing key pair. The secret call
# must be byte-identical to the one in the service-account.pem template above;
# if the two differ in any argument (for example a typo in the common name),
# each template gets its own issuance and this key will not match the .pub
# extracted from the certificate.
template {
  contents = <<EOF
{{ with secret "platform/kubernetes/pki/issue/client" "common_name=k8s-service-account.identity.development.eeveebank.internal" "ttl=6h" }}{{ .Data.private_key }}{{ end }}
EOF
  # NOTE(review): the token signing key is group-readable here (0660); prefer
  # 0600 unless a specific non-root group must read it.
  perms = 0660
  destination = "/etc/bootkube/assets/tls/service-account.key"
}
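# ============================================================
# Update kubelet certs
# /etc/bootkube/assets/tls/kubelet.key
# /etc/bootkube/assets/tls/kubelet.crt
# ============================================================
# Kubelet certificate with the Node-authorizer style CN "system:node:<host>",
# the host name as DNS SAN and the loopback, 172.20.0.1 and the node's EC2
# private IP as IP SANs. Must stay byte-identical to the secret call in the
# kubelet.key template below so both render from one issuance.
#
# Fix: the original passed "%$alt_names" to secret, which is not valid Go
# template syntax and made consul-template reject the whole config
# ('parse: template: :10: unexpected "%" in operand'); the variable is now
# passed as $alt_names.
#
# NOTE(review): for the Node authorizer the certificate also needs
# O=system:nodes, which only the Vault role can set -- confirm. HOSTNAME and
# COREOS_EC2_IPV4_LOCAL must be present in consul-template's environment, and
# the ip_sans list carries a space after each comma (confirm Vault trims it).
template {
  contents = <<EOF
{{ $node_name := env "HOSTNAME" }}
{{ $common_name := printf "common_name=system:node:%s" $node_name }}
{{ $alt_names := printf "alt_names=%s" $node_name }}
{{ $ip := env "COREOS_EC2_IPV4_LOCAL" }}
{{ $ip_sans := printf "ip_sans=127.0.0.1, 172.20.0.1, %s" $ip }}
{{ with secret "platform/kubernetes/pki/issue/client" $common_name $alt_names $ip_sans "ttl=6h" }}{{ .Data.certificate }}{{ end }}
EOF
  perms = 0660
  destination = "/etc/bootkube/assets/tls/kubelet.crt"
}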
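# Kubelet private key; same secret call as the kubelet.crt template above so
# both render from one issuance.
#
# Fix: the original passed "%$alt_names" to secret, which is not valid Go
# template syntax and made consul-template fail to parse the config; the
# variable is now passed as $alt_names.
template {
  contents = <<EOF
{{ $node_name := env "HOSTNAME" }}
{{ $common_name := printf "common_name=system:node:%s" $node_name }}
{{ $alt_names := printf "alt_names=%s" $node_name }}
{{ $ip := env "COREOS_EC2_IPV4_LOCAL" }}
{{ $ip_sans := printf "ip_sans=127.0.0.1, 172.20.0.1, %s" $ip }}
{{ with secret "platform/kubernetes/pki/issue/client" $common_name $alt_names $ip_sans "ttl=6h" }}{{ .Data.private_key }}{{ end }}
EOF
  # NOTE(review): private key left group-readable (0660); prefer 0600 unless a
  # specific non-root group must read it.
  perms = 0660
  destination = "/etc/bootkube/assets/tls/kubelet.key"
}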
Jun 01 09:19:51 ip-172-31-45-115.eu-west-2.compute.internal consul-template[1409]: 2018/06/01 09:19:51.437674 [ERR] (cli) (dynamic): parse: template: :10: unexpected "%" in operand