Apply the git repo to the cluster.

nix/kubernetes/keys/Makefile

@@ -16,342 +16,14 @@ WORKERS := worker0 worker1 worker2 controller0 controller1 controller2
 
 .PHONY: all
 all: \
-    $(OUT)/ca-key.pem \
-    $(OUT)/admin-key.pem \
-    $(OUT)/worker0-key.pem \
-    $(OUT)/worker1-key.pem \
-    $(OUT)/worker2-key.pem \
-    $(OUT)/controller0-proxy-key.pem \
-    $(OUT)/controller1-proxy-key.pem \
-    $(OUT)/controller2-proxy-key.pem \
-    $(OUT)/kube-controller-manager-key.pem \
-    $(OUT)/kube-proxy-key.pem \
-    $(OUT)/kube-scheduler-key.pem \
-    $(OUT)/kubernetes-key.pem \
-    $(OUT)/service-account-key.pem \
-    $(OUT)/worker0.kubeconfig \
-    $(OUT)/worker1.kubeconfig \
-    $(OUT)/worker2.kubeconfig \
-    $(OUT)/controller0.kubeconfig \
-    $(OUT)/controller1.kubeconfig \
-    $(OUT)/controller2.kubeconfig \
-    $(OUT)/kube-proxy.kubeconfig \
-    $(OUT)/kube-controller-manager.kubeconfig \
-    $(OUT)/kube-scheduler.kubeconfig \
-    $(OUT)/admin.kubeconfig \
-    $(OUT)/encryption-config.yaml \
-    $(OUT)/remote_admin.kubeconfig \
-    $(OUT)/requestheader-client-ca-key.pem
+    $(OUT)/known_hosts
 
 .PHONY: clean
 clean:
 > rm -rf $(OUT)
 
-# Requestheader client ca
-$(OUT)/requestheader-client-ca-key.pem: requestheader-client-ca-csr.json ca-config.json
+$(OUT)/:
 > @mkdir -p $(@D)
-> cd $(@D) && cfssl gencert -initca ../requestheader-client-ca-csr.json | cfssljson -bare requestheader-client-ca
 
-# Certificate authority
-$(OUT)/ca-key.pem: ca-csr.json ca-config.json
-> @mkdir -p $(@D)
-> cd $(@D) && cfssl gencert -initca ../ca-csr.json | cfssljson -bare ca
-
-# Admin client certificate
-$(OUT)/admin-key.pem: admin-csr.json ca-config.json
-> @mkdir -p $(@D)
-> cd $(@D) && cfssl gencert \
->   -ca=ca.pem \
->   -ca-key=ca-key.pem \
->   -config=../ca-config.json \
->   -profile=kubernetes \
->   ../admin-csr.json | cfssljson -bare admin
-
-# Worker kubelet client certificate
-$(OUT)/worker0-key.pem: worker0-csr.json ca-config.json
-> @mkdir -p $(@D)
-> cd $(@D) && cfssl gencert \
->   -ca=ca.pem \
->   -ca-key=ca-key.pem \
->   -config=../ca-config.json \
->   -hostname=worker0,$(KUBERNETES_PUBLIC_ADDRESS),10.215.1.207 \
->   -profile=kubernetes \
->   ../worker0-csr.json | cfssljson -bare worker0
-
-# Worker kubelet client certificate
-$(OUT)/worker1-key.pem: worker1-csr.json ca-config.json
-> @mkdir -p $(@D)
-> cd $(@D) && cfssl gencert \
->   -ca=ca.pem \
->   -ca-key=ca-key.pem \
->   -config=../ca-config.json \
->   -hostname=worker1,$(KUBERNETES_PUBLIC_ADDRESS),10.215.1.208 \
->   -profile=kubernetes \
->   ../worker1-csr.json | cfssljson -bare worker1
-
-# Worker kubelet client certificate
-$(OUT)/worker2-key.pem: worker2-csr.json ca-config.json
-> @mkdir -p $(@D)
-> cd $(@D) && cfssl gencert \
->   -ca=ca.pem \
->   -ca-key=ca-key.pem \
->   -config=../ca-config.json \
->   -hostname=worker2,$(KUBERNETES_PUBLIC_ADDRESS),10.215.1.209 \
->   -profile=kubernetes \
->   ../worker2-csr.json | cfssljson -bare worker2
-
-# Controller kubelet client certificate
-$(OUT)/controller0-key.pem: controller0-csr.json ca-config.json
-> @mkdir -p $(@D)
-> cd $(@D) && cfssl gencert \
->   -ca=ca.pem \
->   -ca-key=ca-key.pem \
->   -config=../ca-config.json \
->   -hostname=controller0,$(KUBERNETES_PUBLIC_ADDRESS),10.215.1.204 \
->   -profile=kubernetes \
->   ../controller0-csr.json | cfssljson -bare controller0
-
-# Controller kubelet client certificate
-$(OUT)/controller1-key.pem: controller1-csr.json ca-config.json
-> @mkdir -p $(@D)
-> cd $(@D) && cfssl gencert \
->   -ca=ca.pem \
->   -ca-key=ca-key.pem \
->   -config=../ca-config.json \
->   -hostname=controller1,$(KUBERNETES_PUBLIC_ADDRESS),10.215.1.205 \
->   -profile=kubernetes \
->   ../controller1-csr.json | cfssljson -bare controller1
-
-# Controller kubelet client certificate
-$(OUT)/controller2-key.pem: controller2-csr.json ca-config.json
-> @mkdir -p $(@D)
-> cd $(@D) && cfssl gencert \
->   -ca=ca.pem \
->   -ca-key=ca-key.pem \
->   -config=../ca-config.json \
->   -hostname=controller2,$(KUBERNETES_PUBLIC_ADDRESS),10.215.1.206 \
->   -profile=kubernetes \
->   ../controller2-csr.json | cfssljson -bare controller2
-
-# Controller kubelet client certificate
-$(OUT)/controller0-proxy-key.pem: controller0-proxy-csr.json ca-config.json $(OUT)/requestheader-client-ca-key.pem
-> @mkdir -p $(@D)
-> cd $(@D) && cfssl gencert \
->   -ca=requestheader-client-ca.pem \
->   -ca-key=requestheader-client-ca-key.pem \
->   -config=../ca-config.json \
->   -hostname=controller0,$(KUBERNETES_PUBLIC_ADDRESS),10.215.1.204 \
->   -profile=kubernetes \
->   ../controller0-proxy-csr.json | cfssljson -bare controller0-proxy
-
-# Controller kubelet client certificate
-$(OUT)/controller1-proxy-key.pem: controller1-proxy-csr.json ca-config.json $(OUT)/requestheader-client-ca-key.pem
-> @mkdir -p $(@D)
-> cd $(@D) && cfssl gencert \
->   -ca=requestheader-client-ca.pem \
->   -ca-key=requestheader-client-ca-key.pem \
->   -config=../ca-config.json \
->   -hostname=controller1,$(KUBERNETES_PUBLIC_ADDRESS),10.215.1.205 \
->   -profile=kubernetes \
->   ../controller1-proxy-csr.json | cfssljson -bare controller1-proxy
-
-# Controller kubelet client certificate
-$(OUT)/controller2-proxy-key.pem: controller2-proxy-csr.json ca-config.json $(OUT)/requestheader-client-ca-key.pem
-> @mkdir -p $(@D)
-> cd $(@D) && cfssl gencert \
->   -ca=requestheader-client-ca.pem \
->   -ca-key=requestheader-client-ca-key.pem \
->   -config=../ca-config.json \
->   -hostname=controller2,$(KUBERNETES_PUBLIC_ADDRESS),10.215.1.206 \
->   -profile=kubernetes \
->   ../controller2-proxy-csr.json | cfssljson -bare controller2-proxy
-
-# Controller manager client certificate
-$(OUT)/kube-controller-manager-key.pem: kube-controller-manager-csr.json ca-config.json
-> @mkdir -p $(@D)
-> cd $(@D) && cfssl gencert \
->   -ca=ca.pem \
->   -ca-key=ca-key.pem \
->   -config=../ca-config.json \
->   -profile=kubernetes \
->   ../kube-controller-manager-csr.json | cfssljson -bare kube-controller-manager
-
-# Kube proxy client certificate
-$(OUT)/kube-proxy-key.pem: kube-proxy-csr.json ca-config.json
-> @mkdir -p $(@D)
-> cd $(@D) && cfssl gencert \
->   -ca=ca.pem \
->   -ca-key=ca-key.pem \
->   -config=../ca-config.json \
->   -profile=kubernetes \
->   ../kube-proxy-csr.json | cfssljson -bare kube-proxy
-
-# Kube scheduler client certificate
-$(OUT)/kube-scheduler-key.pem: kube-scheduler-csr.json ca-config.json
-> @mkdir -p $(@D)
-> cd $(@D) && cfssl gencert \
->   -ca=ca.pem \
->   -ca-key=ca-key.pem \
->   -config=../ca-config.json \
->   -profile=kubernetes \
->   ../kube-scheduler-csr.json | cfssljson -bare kube-scheduler
-
-# Kuberntes API server certificate
-# TODO: Replace 10.32.0.1 with kubernetes api server local ip address from lab 8
-$(OUT)/kubernetes-key.pem: kubernetes-csr.json ca-config.json
-> @mkdir -p $(@D)
-> cd $(@D) && cfssl gencert \
->   -ca=ca.pem \
->   -ca-key=ca-key.pem \
->   -config=../ca-config.json \
->   -hostname=10.197.0.1,10.0.0.1,10.215.1.204,10.215.1.205,10.215.1.206,10.215.1.207,10.215.1.208,10.215.1.209,$(KUBERNETES_PUBLIC_ADDRESS),127.0.0.1,kubernetes,kubernetes.default,kubernetes.default.svc,kubernetes.default.svc.cluster,kubernetes.svc.cluster.local \
->   -profile=kubernetes \
->   ../kubernetes-csr.json | cfssljson -bare kubernetes
-
-# Service account keypair
-$(OUT)/service-account-key.pem: service-account-csr.json ca-config.json
-> @mkdir -p $(@D)
-> cd $(@D) && cfssl gencert \
->   -ca=ca.pem \
->   -ca-key=ca-key.pem \
->   -config=../ca-config.json \
->   -profile=kubernetes \
->   ../service-account-csr.json | cfssljson -bare service-account
-
-# Generate worker kubeconfigs
-$(patsubst %,$(OUT)/%.kubeconfig,$(WORKERS)): $(OUT)/%.kubeconfig: $(OUT)/%-key.pem $(OUT)/%.pem
-> @mkdir -p $(@D)
-> kubectl config set-cluster kubernetes-the-hard-way \
->   --certificate-authority=$(OUT)/ca.pem \
->   --embed-certs=true \
->   --server=https://$(KUBERNETES_PUBLIC_ADDRESS):6443 \
->   --kubeconfig=$@
->
-> kubectl config set-credentials system:node:$* \
->   --client-certificate=$(OUT)/$*.pem \
->   --client-key=$(OUT)/$*-key.pem \
->   --embed-certs=true \
->   --kubeconfig=$@
->
-> kubectl config set-context default \
->   --cluster=kubernetes-the-hard-way \
->   --user=system:node:$* \
->   --kubeconfig=$@
->
-> kubectl config use-context default --kubeconfig=$@
-
-# Generate kube-proxy kubeconfig
-$(OUT)/kube-proxy.kubeconfig: $(OUT)/%.kubeconfig: $(OUT)/%-key.pem $(OUT)/%.pem
-> @mkdir -p $(@D)
-> kubectl config set-cluster kubernetes-the-hard-way \
->   --certificate-authority=$(OUT)/ca.pem \
->   --embed-certs=true \
->   --server=https://$(KUBERNETES_PUBLIC_ADDRESS):6443 \
->   --kubeconfig=$@
->
-> kubectl config set-credentials system:$* \
->   --client-certificate=$(OUT)/$*.pem \
->   --client-key=$(OUT)/$*-key.pem \
->   --embed-certs=true \
->   --kubeconfig=$@
->
-> kubectl config set-context default \
->   --cluster=kubernetes-the-hard-way \
->   --user=system:$* \
->   --kubeconfig=$@
->
-> kubectl config use-context default --kubeconfig=$@
-
-# Generate kube-controller-manager kubeconfig
-$(OUT)/kube-controller-manager.kubeconfig: $(OUT)/%.kubeconfig: $(OUT)/%-key.pem $(OUT)/%.pem
-> @mkdir -p $(@D)
-> kubectl config set-cluster kubernetes-the-hard-way \
->   --certificate-authority=$(OUT)/ca.pem \
->   --embed-certs=true \
->   --server=https://127.0.0.1:6443 \
->   --kubeconfig=$@
->
-> kubectl config set-credentials system:$* \
->   --client-certificate=$(OUT)/$*.pem \
->   --client-key=$(OUT)/$*-key.pem \
->   --embed-certs=true \
->   --kubeconfig=$@
->
-> kubectl config set-context default \
->   --cluster=kubernetes-the-hard-way \
->   --user=system:$* \
->   --kubeconfig=$@
->
-> kubectl config use-context default --kubeconfig=$@
-
-# Generate kube-scheduler kubeconfig
-$(OUT)/kube-scheduler.kubeconfig: $(OUT)/%.kubeconfig: $(OUT)/%-key.pem $(OUT)/%.pem
-> @mkdir -p $(@D)
-> kubectl config set-cluster kubernetes-the-hard-way \
->   --certificate-authority=$(OUT)/ca.pem \
->   --embed-certs=true \
->   --server=https://127.0.0.1:6443 \
->   --kubeconfig=$@
->
-> kubectl config set-credentials system:$* \
->   --client-certificate=$(OUT)/$*.pem \
->   --client-key=$(OUT)/$*-key.pem \
->   --embed-certs=true \
->   --kubeconfig=$@
->
-> kubectl config set-context default \
->   --cluster=kubernetes-the-hard-way \
->   --user=system:$* \
->   --kubeconfig=$@
->
-> kubectl config use-context default --kubeconfig=$@
-
-# Generate admin kubeconfig
-$(OUT)/admin.kubeconfig: $(OUT)/%.kubeconfig: $(OUT)/%-key.pem $(OUT)/%.pem
-> @mkdir -p $(@D)
-> kubectl config set-cluster kubernetes-the-hard-way \
->   --certificate-authority=$(OUT)/ca.pem \
->   --embed-certs=true \
->   --server=https://127.0.0.1:6443 \
->   --kubeconfig=$@
->
-> kubectl config set-credentials $* \
->   --client-certificate=$(OUT)/$*.pem \
->   --client-key=$(OUT)/$*-key.pem \
->   --embed-certs=true \
->   --kubeconfig=$@
->
-> kubectl config set-context default \
->   --cluster=kubernetes-the-hard-way \
->   --user=$* \
->   --kubeconfig=$@
->
-> kubectl config use-context default --kubeconfig=$@
-
-# Generate data encryption key for encrypting data at rest
-$(OUT)/encryption-config.yaml:
-> @mkdir -p $(@D)
-> ENCRYPTION_KEY=$(shell head -c 32 /dev/urandom | base64)
-> cat encryption-config-template.yaml | sed "s@ENCRYPTION_KEY@$$ENCRYPTION_KEY@g" > $@
-
-# Generate remote admin kubeconfig
-$(OUT)/remote_admin.kubeconfig: $(OUT)/remote_%.kubeconfig: $(OUT)/%-key.pem $(OUT)/%.pem
-> @mkdir -p $(@D)
-> kubectl config set-cluster kubernetes-the-hard-way \
->   --certificate-authority=$(OUT)/ca.pem \
->   --embed-certs=true \
->   --server=https://$(KUBERNETES_PUBLIC_ADDRESS):6443 \
->   --kubeconfig=$@
->
-> kubectl config set-credentials $* \
->   --client-certificate=$(OUT)/$*.pem \
->   --client-key=$(OUT)/$*-key.pem \
->   --embed-certs=true \
->   --kubeconfig=$@
->
-> kubectl config set-context default \
->   --cluster=kubernetes-the-hard-way \
->   --user=$* \
->   --kubeconfig=$@
->
-> kubectl config use-context default --kubeconfig=$@
+$(OUT)/known_hosts: | $(OUT)/
+> ssh-keyscan -p 65099 74.80.180.138 | sed 's/\[74.80.180.138\]:65099/\[10.215.1.210\]:22/g' > $@