| package main | |
| import ( | |
| "fmt" | |
| "io" | |
| "github.com/coreos/go-systemd/sdjournal" | |
| ) | |
| func main() { |
In order to enable oidc authenticator in kube-apiserver,
we need to have TLS enabled between kubectl and kube-apiserver, as well as between kube-apiserver and OpenID Provider(dex-worker here)
For simplicity, we will use cfssl to create the bundles.
Checkout and build dex
| [INFO] [19:08:41-0700] Running tests against existing cluster... | |
| [INFO] [19:08:41-0700] Running parallel tests N=<default> | |
| I0709 19:08:41.741853 10764 test.go:86] Extended test version v3.10.0-alpha.0+e63afaa-1228-dirty | |
| Running Suite: Extended | |
| ======================= | |
| Random Seed: 1531188522 - Will randomize all specs | |
| Will run 447 specs | |
| Running in parallel across 5 nodes |
| [INFO] [13:42:19-0700] Running tests against existing cluster... | |
| [INFO] [13:42:19-0700] Running parallel tests N=<default> | |
| I0709 13:42:20.323666 26542 test.go:86] Extended test version v3.10.0-alpha.0+e63afaa-1228 | |
| Running Suite: Extended | |
| ======================= | |
| Random Seed: 1531168941 - Will randomize all specs | |
| Will run 447 specs | |
| Running in parallel across 5 nodes |
| package main | |
| import ( | |
| "fmt" | |
| "os" | |
| "time" | |
| metav1 "k8s.io/apimachinery/pkg/apis/meta/v1" | |
| "k8s.io/client-go/kubernetes" | |
| "k8s.io/client-go/pkg/api" |
tectonic install assets --dir=my-test-cluster
* module.assets_base.local.identity_client_ca_cert: local.identity_client_ca_cert: file: open /home/yifan/gopher/src/github.com/coreos/tectonic-installer/my-test-cluster/generated/tls/root-ca.crt: no such file or directory in:
${file("${local.tls_path}/root-ca.crt")}
* module.assets_base.local.aggregator_ca_cert_pem: local.aggregator_ca_cert_pem: file: open /home/yifan/gopher/src/github.com/coreos/tectonic-installer/my-test-cluster/generated/tls/aggregator-ca.crt: no such file or directory in:
${file("${local.tls_path}/aggregator-ca.crt")}
* module.assets_base.local.identity_server_cert_pem: local.identity_server_cert_pem: file: open /home/yifan/gopher/src/github.com/coreos/tectonic-installer/my-test-cluster/generated/tls/identity-server.crt: no such file or directory in:
selector section in the pod-checkpointer spec:cat<<EOF | kubectl replace -f -
apiVersion: extensions/v1beta1
kind: DaemonSet
metadata:
labels:
k8s-app: pod-checkpointer
tier: control-plane
| I1031 20:06:45.955006 1 main.go:290] Should start checkpoint kube-system/pod-checkpointer-wqbq7 | |
| I1031 20:06:45.955056 1 main.go:385] Checkpoint manifest for "kube-system/pod-checkpointer-wqbq7" already exists. Skipping | |
| I1031 20:06:48.975356 1 main.go:385] Checkpoint manifest for "kube-system/pod-checkpointer-wqbq7" already exists. Skipping | |
| I1031 20:06:48.992369 1 main.go:385] Checkpoint manifest for "kube-system/kube-etcd-0000" already exists. Skipping | |
| I1031 20:06:49.005260 1 main.go:385] Checkpoint manifest for "kube-system/kube-apiserver-qtmd7" already exists. Skipping | |
| I1031 20:06:49.010436 1 main.go:385] Checkpoint manifest for "kube-system/kube-etcd-network-checkpointer-2npz7" already exists. Skipping | |
| I1031 20:06:49.023779 1 main.go:232] API GC: skipping inactive checkpoint kube-system/kube-apiserver-qtmd7 | |
| I1031 20:06:49.023799 1 main.go:232] API GC: skipping inactive checkpoint kube-system/kube-etcd-0000 | |
| I1031 20:06:49.023805 1 main.go:232] API GC: sk |
To reschedule the tco pods to master nodes, run:
kubectl -n tectonic-system patch deployment tectonic-channel-operator -p '{"spec":{"template":{"spec":{"nodeSelector":{"node-role.kubernetes.io/master":""},"tolerations":[{"key":"node-role.kubernetes.io/master","operator":"Exists","effect":"NoSchedule"}]}}}}'This works around the issue that tco can't run on rhel node because it expects a ssl cert dir that's not in rhel distros.