Merge pull request #15 from tcpcloud/cert_locations
change certs location
diff --git a/kubernetes/files/kube-proxy/proxy.kubeconfig b/kubernetes/files/kube-proxy/proxy.kubeconfig
index d9750fa..68e231c 100644
--- a/kubernetes/files/kube-proxy/proxy.kubeconfig
+++ b/kubernetes/files/kube-proxy/proxy.kubeconfig
@@ -11,7 +11,7 @@
name: proxy-to-cluster.local
clusters:
- cluster:
- certificate-authority: /etc/ssl/certs/ca-{{ pool.ca }}.crt
+ certificate-authority: /etc/kubernetes/ssl/ca-{{ pool.ca }}.crt
# server: https://{{ pool.apiserver.host }}:443
name: cluster.local
users:
diff --git a/kubernetes/files/kubelet/kubelet.kubeconfig b/kubernetes/files/kubelet/kubelet.kubeconfig
index 79c74e0..d2375a6 100644
--- a/kubernetes/files/kubelet/kubelet.kubeconfig
+++ b/kubernetes/files/kubelet/kubelet.kubeconfig
@@ -6,7 +6,7 @@
preferences: {}
clusters:
- cluster:
- certificate-authority: /etc/ssl/certs/ca-{{ pool.ca }}.crt
+ certificate-authority: /etc/kubernetes/ssl/ca-{{ pool.ca }}.crt
# server: https://{{ pool.apiserver.host }}:443
name: cluster.local
contexts:
diff --git a/kubernetes/files/manifest/kube-apiserver.manifest b/kubernetes/files/manifest/kube-apiserver.manifest
index e7d134e..11a872f 100644
--- a/kubernetes/files/manifest/kube-apiserver.manifest
+++ b/kubernetes/files/manifest/kube-apiserver.manifest
@@ -20,10 +20,10 @@
--etcd-servers={% for member in master.etcd.members %}http://{{ member.host }}:4001{% if not loop.last %},{% endif %}{% endfor %}
--admission-control=NamespaceLifecycle,LimitRanger,SecurityContextDeny,ServiceAccount,ResourceQuota
--service-cluster-ip-range={{ master.service_addresses }}
- --client-ca-file=/etc/ssl/certs/ca-{{ master.ca }}.crt
+ --client-ca-file=/etc/kubernetes/ssl/ca-{{ master.ca }}.crt
--basic-auth-file=/srv/kubernetes/basic_auth.csv
- --tls-cert-file=/etc/ssl/certs/kubernetes-server.crt
- --tls-private-key-file=/etc/ssl/private/kubernetes-server.key
+ --tls-cert-file=/etc/kubernetes/ssl/kubernetes-server.crt
+ --tls-private-key-file=/etc/kubernetes/ssl/kubernetes-server.key
--secure-port=443
--bind-address={{ master.apiserver.address }}
--token-auth-file=/srv/kubernetes/known_tokens.csv
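Review bot: The new `--tls-private-key-file=/etc/kubernetes/ssl/kubernetes-server.key` puts the API server's private key in the same directory as the public certificates, where it previously sat in `/etc/ssl/private`, which distributions usually keep closed to unprivileged users. Nothing visible in this commit sets the ownership or mode of `/etc/kubernetes/ssl` or of the key file. The state that creates them (not shown here) should restrict the directory to root and give the key `- mode: 600`, or keep keys in a separate subdirectory from the certificates. The same key path is introduced in the kube-controller-manager manifest and in both `DAEMON_ARGS` lines of `kubernetes/master/controller.sls`. The command list continues outside this hunk.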
@@ -57,7 +57,7 @@
readOnly: true
- mountPath: /var/log/kube-apiserver.log
name: logfile
- - mountPath: /etc/ssl
+ - mountPath: /etc/kubernetes/ssl
name: etcssl
readOnly: true
- mountPath: /usr/share/ca-certificates
@@ -73,7 +73,7 @@
path: /var/log/kube-apiserver.log
name: logfile
- hostPath:
- path: /etc/ssl
+ path: /etc/kubernetes/ssl
name: etcssl
- hostPath:
path: /usr/share/ca-certificates
diff --git a/kubernetes/files/manifest/kube-controller-manager.manifest b/kubernetes/files/manifest/kube-controller-manager.manifest
index ce74558..3cbbbd2 100644
--- a/kubernetes/files/manifest/kube-controller-manager.manifest
+++ b/kubernetes/files/manifest/kube-controller-manager.manifest
@@ -18,9 +18,9 @@
- kube-controller-manager
--master={{ master.apiserver.insecure_address }}:8080
--cluster-name=kubernetes
- --service-account-private-key-file=/etc/ssl/private/kubernetes-server.key
+ --service-account-private-key-file=/etc/kubernetes/ssl/kubernetes-server.key
--v=2
- --root-ca-file=/etc/ssl/certs/ca-{{ master.ca }}.crt
+ --root-ca-file=/etc/kubernetes/ssl/ca-{{ master.ca }}.crt
--leader-elect=true
1>>/var/log/kube-controller-manager.log 2>&1
imagePullPolicy: IfNotPresent
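Review bot: `--service-account-private-key-file` on the new line still points at `kubernetes-server.key`, the same file the API server manifest passes as `--tls-private-key-file`, so one key both terminates TLS and signs service-account tokens. While the paths are being reworked, a dedicated signing key would let the TLS key be rotated without invalidating issued tokens, and would limit what a leak of either file exposes. For example, `--service-account-private-key-file=/etc/kubernetes/ssl/<service-account-key>.key` (placeholder name), with the API server given the matching `--service-account-key-file`. The container's command starts before this hunk.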
@@ -43,7 +43,7 @@
readOnly: true
- mountPath: /var/log/kube-controller-manager.log
name: logfile
- - mountPath: /etc/ssl
+ - mountPath: /etc/kubernetes/ssl
name: etcssl
readOnly: true
- mountPath: /usr/share/ca-certificates
@@ -57,7 +57,7 @@
path: /var/log/kube-controller-manager.log
name: logfile
- hostPath:
- path: /etc/ssl
+ path: /etc/kubernetes/ssl
name: etcssl
- hostPath:
path: /usr/share/ca-certificates
diff --git a/kubernetes/files/manifest/kube-proxy.manifest.pool b/kubernetes/files/manifest/kube-proxy.manifest.pool
index babd202..359d9f7 100644
--- a/kubernetes/files/manifest/kube-proxy.manifest.pool
+++ b/kubernetes/files/manifest/kube-proxy.manifest.pool
@@ -25,7 +25,7 @@
securityContext:
privileged: true
volumeMounts:
- - mountPath: /etc/ssl/certs
+ - mountPath: /etc/kuberbetes/ssl
name: ssl-certs-host
readOnly: true
- mountPath: /var/log
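Review bot: The new `mountPath` is misspelled as `/etc/kuberbetes/ssl`, while the matching `hostPath` in the next hunk and the `certificate-authority` entry in `proxy.kubeconfig` both use `/etc/kubernetes/ssl`. If kube-proxy resolves the CA path from the kubeconfig inside the container, the file will not exist there and the API server certificate cannot be verified. The line should read `- mountPath: /etc/kubernetes/ssl`. Separately, this privileged container no longer mounts `/etc/ssl/certs`, so confirm that nothing in the image relied on the host's system CA bundle.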
@@ -39,7 +39,7 @@
readOnly: false
volumes:
- hostPath:
- path: /etc/ssl/certs
+ path: /etc/kubernetes/ssl
name: ssl-certs-host
- hostPath:
path: /etc/kubernetes/proxy.kubeconfig
diff --git a/kubernetes/master/controller.sls b/kubernetes/master/controller.sls
index f09fa29..b59d9ff 100644
--- a/kubernetes/master/controller.sls
+++ b/kubernetes/master/controller.sls
@@ -76,14 +76,14 @@
- user: root
- group: root
- mode: 644
- - contents: DAEMON_ARGS=" --insecure-bind-address={{ master.apiserver.insecure_address }} --etcd-servers={% for member in master.etcd.members %}http://{{ member.host }}:4001{% if not loop.last %},{% endif %}{% endfor %} --admission-control=NamespaceLifecycle,LimitRanger,SecurityContextDeny,ServiceAccount,ResourceQuota --service-cluster-ip-range={{ master.service_addresses }} --client-ca-file=/etc/ssl/certs/ca-{{ master.ca }}.crt --basic-auth-file=/srv/kubernetes/basic_auth.csv --tls-cert-file=/etc/ssl/certs/kubernetes-server.crt --tls-private-key-file=/etc/ssl/private/kubernetes-server.key --secure-port=443 --bind-address={{ master.apiserver.address }} --token-auth-file=/srv/kubernetes/known_tokens.csv --v=2 --allow-privileged=True"
+ - contents: DAEMON_ARGS=" --insecure-bind-address={{ master.apiserver.insecure_address }} --etcd-servers={% for member in master.etcd.members %}http://{{ member.host }}:4001{% if not loop.last %},{% endif %}{% endfor %} --admission-control=NamespaceLifecycle,LimitRanger,SecurityContextDeny,ServiceAccount,ResourceQuota --service-cluster-ip-range={{ master.service_addresses }} --client-ca-file=/etc/kubernetes/ssl/ca-{{ master.ca }}.crt --basic-auth-file=/srv/kubernetes/basic_auth.csv --tls-cert-file=/etc/kubernetes/ssl/kubernetes-server.crt --tls-private-key-file=/etc/kubernetes/ssl/kubernetes-server.key --secure-port=443 --bind-address={{ master.apiserver.address }} --token-auth-file=/srv/kubernetes/known_tokens.csv --v=2 --allow-privileged=True"
/etc/default/kube-controller-manager:
file.managed:
- user: root
- group: root
- mode: 644
- - contents: DAEMON_ARGS=" --master={{ master.apiserver.insecure_address }}:8080 --cluster-name=kubernetes --service-account-private-key-file=/etc/ssl/private/kubernetes-server.key --v=2 --root-ca-file=/etc/ssl/certs/ca-{{ master.ca }}.crt --leader-elect=true"
+ - contents: DAEMON_ARGS=" --master={{ master.apiserver.insecure_address }}:8080 --cluster-name=kubernetes --service-account-private-key-file=/etc/kubernetes/ssl/kubernetes-server.key --v=2 --root-ca-file=/etc/kubernetes/ssl/ca-{{ master.ca }}.crt --leader-elect=true"
/etc/default/kube-scheduler:
file.managed: