fix kubeconfigs

kvaps · kvaps · commit 31c7c49bfe90 · 2020-09-15T01:39:28.000+02:00
diff --git a/deploy/helm/kubernetes/scripts/configure-cluster.sh b/deploy/helm/kubernetes/scripts/configure-cluster.sh
@@ -24,7 +24,7 @@ ln -sf /pki/front-proxy-client/tls.crt /etc/kubernetes/pki/front-proxy-client.ke
 # Update secrets and component configs
 # ------------------------------------------------------------------------------
 
-cat > kubeadmcfg.yaml << EOT
+cat >kubeadmcfg.yaml <<EOT
 apiVersion: "kubeadm.k8s.io/v1beta2" 
 kind: ClusterConfiguration 
 imageRepository: k8s.gcr.io 
@@ -33,34 +33,32 @@ EOT
 
 {{- if .Values.apiServer.enabled }}{{"\n"}}
 # generate sa key
-if [ -z "$(kubectl get secret  "${FULL_NAME}-pki-sa" -o jsonpath='{.data}')" ]; then
+if ! kubectl get secret "${FULL_NAME}-pki-sa" >/dev/null; then
   kubeadm init phase certs sa
-  kubectl patch secret "${FULL_NAME}-pki-sa" --type merge \
-    -p "{\"data\":{\"sa.pub\":\"$(base64 /etc/kubernetes/pki/sa.pub | tr -d '\n')\", \"sa.key\":\"$(base64 /etc/kubernetes/pki/sa.key | tr -d '\n')\" }}"
+  kubectl create secret generic "${FULL_NAME}-pki-sa" --from-file=/etc/kubernetes/pki/sa.pub --from-file=/etc/kubernetes/pki/sa.key
 fi
 {{- end }}
 
 # generate cluster-admin kubeconfig
 rm -f /etc/kubernetes/admin.conf
 kubeadm init phase kubeconfig admin --config kubeadmcfg.yaml
-kubectl patch secret "${FULL_NAME}-admin-conf" --type merge \
-  -p "{\"data\":{\"admin.conf\":\"$(base64 /etc/kubernetes/admin.conf | tr -d '\n')\" }}"
+kubectl --kubeconfig=/etc/kubernetes/admin.conf config set clusters.kubernetes.server "https://${FULL_NAME}-apiserver:6443"
+kubectl create secret generic "${FULL_NAME}-admin-conf" --from-file=/etc/kubernetes/admin.conf --dry-run=client -o yaml | kubectl apply -f -
 
 {{- if .Values.controllerManager.enabled }}{{"\n"}}
 # generate controller-manager kubeconfig
 rm -f /etc/kubernetes/controller-manager.conf
 kubeadm init phase kubeconfig controller-manager --config kubeadmcfg.yaml
-kubectl patch secret "${FULL_NAME}-controller-manager-conf" --type merge \
-  -p "{\"data\":{\"controller-manager.conf\":\"$(base64 /etc/kubernetes/controller-manager.conf | tr -d '\n')\" }}"
+kubectl --kubeconfig=/etc/kubernetes/controller-manager.conf config set clusters.kubernetes.server "https://${FULL_NAME}-apiserver:6443"
+kubectl create secret generic "${FULL_NAME}-controller-manager-conf" --from-file=/etc/kubernetes/controller-manager.conf --dry-run=client -o yaml | kubectl apply -f -
 {{- end }}
 
-
 {{- if .Values.scheduler.enabled }}{{"\n"}}
 # generate scheduler kubeconfig
 rm -f /etc/kubernetes/scheduler.conf
 kubeadm init phase kubeconfig scheduler --config kubeadmcfg.yaml
-kubectl patch secret "${FULL_NAME}-scheduler-conf" --type merge \
-  -p "{\"data\":{\"scheduler.conf\":\"$(base64 /etc/kubernetes/scheduler.conf | tr -d '\n')\" }}"
+kubectl --kubeconfig=/etc/kubernetes/scheduler.conf config set clusters.kubernetes.server "https://${FULL_NAME}-apiserver:6443"
+kubectl create secret generic "${FULL_NAME}-scheduler-conf" --from-file=/etc/kubernetes/scheduler.conf --dry-run=client -o yaml | kubectl apply -f -
 {{- end }}
 
 # wait for cluster
@@ -80,20 +78,18 @@ kubectl --kubeconfig /etc/kubernetes/admin.conf patch configmap -n kube-system k
   -p '{"data":{"ClusterStatus":"apiEndpoints: {}\napiVersion: kubeadm.k8s.io/v1beta2\nkind: ClusterStatus"}}'
 
 # upload configuration
-kubeadm init phase upload-config kubelet --config /config/kubeadmcfg.yaml -v1 2>&1 \
-  | while read line; do echo "$line" | grep 'Preserving the CRISocket information for the control-plane node' && killall kubeadm || echo "$line"; done
+kubeadm init phase upload-config kubelet --config /config/kubeadmcfg.yaml -v1 2>&1 |
+  while read line; do echo "$line" | grep 'Preserving the CRISocket information for the control-plane node' && killall kubeadm || echo "$line"; done
 
 # setup bootstrap-tokens
 kubeadm init phase bootstrap-token --config /config/kubeadmcfg.yaml --skip-token-print
 
 # correct apiserver address for the external clients
-if [ -n "$CONTROL_PLANE_ENDPOINT" ]; then
-  tmp="$(mktemp -d)"
-  kubectl --kubeconfig /etc/kubernetes/admin.conf get configmap -n kube-public cluster-info -o jsonpath='{.data.kubeconfig}' > "$tmp/kubeconfig"
-  kubectl --kubeconfig "$tmp/kubeconfig" config set clusters..server "https://${CONTROL_PLANE_ENDPOINT}"
-  kubectl create configmap cluster-info --from-file="$tmp/kubeconfig" --dry-run=client -o yaml | kubectl --kubeconfig /etc/kubernetes/admin.conf apply -n kube-public -f -
-  rm -rf "$tmp"
-fi
+tmp="$(mktemp -d)"
+kubectl --kubeconfig "$tmp/kubeconfig" config set clusters..server "https://${CONTROL_PLANE_ENDPOINT:-${FULL_NAME}-apiserver:6443}"
+kubectl --kubeconfig "$tmp/kubeconfig" config set clusters..certificate-authority-data "$(base64 /etc/kubernetes/pki/ca.crt | tr -d '\n')"
+kubectl create configmap cluster-info --from-file="$tmp/kubeconfig" --dry-run=client -o yaml | kubectl --kubeconfig /etc/kubernetes/admin.conf apply -n kube-public -f -
+rm -rf "$tmp"
 
 {{- if .Values.coredns.enabled }}{{"\n"}}
 # install coredns addon
diff --git a/deploy/helm/kubernetes/templates/kubeadm-rbac.yaml b/deploy/helm/kubernetes/templates/kubeadm-rbac.yaml
@@ -11,6 +11,9 @@ apiVersion: rbac.authorization.k8s.io/v1
 metadata:
   name: "{{ $fullName }}-kubeadm-tasks"
 rules:
+- apiGroups: [""]
+  resources: ["secrets"]
+  verbs: ["create"]
 - apiGroups: [""]
   resources: ["secrets"]
   verbs: ["get", "patch"]
diff --git a/deploy/helm/kubernetes/templates/kubeadm-secrets.yaml b/deploy/helm/kubernetes/templates/kubeadm-secrets.yaml
