Merge pull request #23550 from luxas/fix_hyperkube_certs

Automatic merge from submit-queue Fix so setup-files don't recreate/invalidate certificates that already exist Fixes: #23197 and a lot of other DNS and dashboard issues This is quite critical for `docker`-based users and should be considered as a **cherrypick-candidate** as it makes a lot of people wonder why Dashboard and/or DNS doesn't work. Example: kubernetes/dashboard#374 Earlier when you shut your `docker.md` cluster down and started it again, all ServiceAccounts became invalidated by `setup-files` that happily ran once again and replaced all files. That made `apiserver` and `controller-manager` pick up the new certs (or there was a race condition, they _could_ have picked up the old certs too, but that's unlikely) and the old certs were put into `/var/run/secrets` because the ServiceAccount's Secrets were stored in etcd, which `setup-files` didn't touch. @fgrzadkowski @huggsboson @thockin @mikedanese @vishh @pwittrock @eparis @bgrant0607
kubernetes · Apr 1, 2016 · 1521aa8 · 1521aa8 · k8s-teamcity-mesosphere · Apr 1, 2016
2 parents d015598 + 858b953
commit 1521aa8
Showing 1 changed file with 37 additions and 13 deletions.
diff --git a/cluster/images/hyperkube/setup-files.sh b/cluster/images/hyperkube/setup-files.sh
@@ -23,28 +23,52 @@ set -o errexit
 set -o nounset
 set -o pipefail
 
+create_token() {
+  echo $(cat /dev/urandom | base64 | tr -d "=+/" | dd bs=32 count=1 2> /dev/null)
+}
+
 # Additional address of the API server to be added to the
 # list of Subject Alternative Names of the server TLS certificate
 # Should contain internal IP, i.e. IP:10.0.0.1 for 10.0.0.0/24 cluster IP range
 EXTRA_SANS=$1
 
-create_token() {
-  echo $(cat /dev/urandom | base64 | tr -d "=+/" | dd bs=32 count=1 2> /dev/null)
-}
+# Files in /data are persistent across reboots, so we don't want to re-create the files if they already
+# exist, because the state is persistent in etcd too, and we don't want a conflict between "old" data in
+# etcd and "new" data that this script would create for apiserver. Therefore, if the file exist, skip it.
+if [[ ! -f /data/ca.crt ]]; then
+
+	# Create HTTPS certificates
+	groupadd -f -r kube-cert-test
+
+	# hostname -I gets the ip of the node
+	CERT_DIR=/data CERT_GROUP=kube-cert-test /make-ca-cert.sh $(hostname -I | awk '{print $1}') ${EXTRA_SANS}
+
+	echo "Certificates created $(date)"
+else
+	echo "Certificates already found, not recreating."
+fi
+
+if [[ ! -f /data/basic_auth.csv ]]; then
+
+	# Create basic token authorization
+	echo "admin,admin,admin" > /data/basic_auth.csv
 
-# Create basic token authorization
-echo "admin,admin,admin" > /data/basic_auth.csv
+	echo "basic_auth.csv created $(date)"
+else
+	echo "basic_auth.csv already found, not recreating."
+fi
 
-# Create HTTPS certificates
-groupadd -f -r kube-cert-test
+if [[ ! -f /data/known_tokens.csv ]]; then
 
-# hostname -I gets the ip of the node
-CERT_DIR=/data CERT_GROUP=kube-cert-test /make-ca-cert.sh $(hostname -I | awk '{print $1}') ${EXTRA_SANS}
+	# Create known tokens for service accounts
+	echo "$(create_token),admin,admin" >> /data/known_tokens.csv
+	echo "$(create_token),kubelet,kubelet" >> /data/known_tokens.csv
+	echo "$(create_token),kube_proxy,kube_proxy" >> /data/known_tokens.csv
 
-# Create known tokens for service accounts
-echo "$(create_token),admin,admin" >> /data/known_tokens.csv
-echo "$(create_token),kubelet,kubelet" >> /data/known_tokens.csv
-echo "$(create_token),kube_proxy,kube_proxy" >> /data/known_tokens.csv
+	echo "known_tokens.csv created $(date)"
+else
+	echo "known_tokens.csv already found, not recreating."
+fi
 
 while true; do
   sleep 3600