mirror of https://github.com/k3s-io/k3s.git
150 lines
4.3 KiB
Go
150 lines
4.3 KiB
Go
package services
|
|
|
|
import (
|
|
"fmt"
|
|
"path/filepath"
|
|
|
|
"github.com/k3s-io/k3s/pkg/daemons/config"
|
|
"github.com/k3s-io/k3s/pkg/version"
|
|
)
|
|
|
|
const (
|
|
APIServer = "api-server"
|
|
Admin = "admin"
|
|
AuthProxy = "auth-proxy"
|
|
CloudController = "cloud-controller"
|
|
ControllerManager = "controller-manager"
|
|
ETCD = "etcd"
|
|
KubeProxy = "kube-proxy"
|
|
Kubelet = "kubelet"
|
|
ProgramController = "-controller"
|
|
ProgramServer = "-server"
|
|
Scheduler = "scheduler"
|
|
CertificateAuthority = "certificate-authority"
|
|
)
|
|
|
|
var Agent = []string{
|
|
KubeProxy,
|
|
Kubelet,
|
|
version.Program + ProgramController,
|
|
}
|
|
|
|
var Server = []string{
|
|
Admin,
|
|
APIServer,
|
|
AuthProxy,
|
|
CloudController,
|
|
ControllerManager,
|
|
ETCD,
|
|
Scheduler,
|
|
version.Program + ProgramServer,
|
|
}
|
|
|
|
var All = append(Server, Agent...)
|
|
|
|
// CA is intentionally not included in agent, server, or all as it
|
|
// requires manual action by the user to rotate these certs.
|
|
var CA = []string{
|
|
CertificateAuthority,
|
|
}
|
|
|
|
func FilesForServices(controlConfig config.Control, services []string) (map[string][]string, error) {
|
|
agentDataDir := filepath.Join(controlConfig.DataDir, "..", "agent")
|
|
fileMap := map[string][]string{}
|
|
for _, service := range services {
|
|
switch service {
|
|
case Admin:
|
|
fileMap[service] = []string{
|
|
controlConfig.Runtime.ClientAdminCert,
|
|
controlConfig.Runtime.ClientAdminKey,
|
|
}
|
|
case APIServer:
|
|
fileMap[service] = []string{
|
|
controlConfig.Runtime.ClientKubeAPICert,
|
|
controlConfig.Runtime.ClientKubeAPIKey,
|
|
controlConfig.Runtime.ServingKubeAPICert,
|
|
controlConfig.Runtime.ServingKubeAPIKey,
|
|
}
|
|
case ControllerManager:
|
|
fileMap[service] = []string{
|
|
controlConfig.Runtime.ClientControllerCert,
|
|
controlConfig.Runtime.ClientControllerKey,
|
|
}
|
|
case Scheduler:
|
|
fileMap[service] = []string{
|
|
controlConfig.Runtime.ClientSchedulerCert,
|
|
controlConfig.Runtime.ClientSchedulerKey,
|
|
}
|
|
case ETCD:
|
|
fileMap[service] = []string{
|
|
controlConfig.Runtime.ClientETCDCert,
|
|
controlConfig.Runtime.ClientETCDKey,
|
|
controlConfig.Runtime.ServerETCDCert,
|
|
controlConfig.Runtime.ServerETCDKey,
|
|
controlConfig.Runtime.PeerServerClientETCDCert,
|
|
controlConfig.Runtime.PeerServerClientETCDKey,
|
|
}
|
|
case CloudController:
|
|
fileMap[service] = []string{
|
|
controlConfig.Runtime.ClientCloudControllerCert,
|
|
controlConfig.Runtime.ClientCloudControllerKey,
|
|
}
|
|
case version.Program + ProgramController:
|
|
fileMap[service] = []string{
|
|
controlConfig.Runtime.ClientK3sControllerCert,
|
|
controlConfig.Runtime.ClientK3sControllerKey,
|
|
filepath.Join(agentDataDir, "client-"+version.Program+"-controller.crt"),
|
|
filepath.Join(agentDataDir, "client-"+version.Program+"-controller.key"),
|
|
}
|
|
case AuthProxy:
|
|
fileMap[service] = []string{
|
|
controlConfig.Runtime.ClientAuthProxyCert,
|
|
controlConfig.Runtime.ClientAuthProxyKey,
|
|
}
|
|
case Kubelet:
|
|
fileMap[service] = []string{
|
|
controlConfig.Runtime.ClientKubeletKey,
|
|
controlConfig.Runtime.ServingKubeletKey,
|
|
filepath.Join(agentDataDir, "client-kubelet.crt"),
|
|
filepath.Join(agentDataDir, "client-kubelet.key"),
|
|
filepath.Join(agentDataDir, "serving-kubelet.crt"),
|
|
filepath.Join(agentDataDir, "serving-kubelet.key"),
|
|
}
|
|
case KubeProxy:
|
|
fileMap[service] = []string{
|
|
controlConfig.Runtime.ClientKubeProxyCert,
|
|
controlConfig.Runtime.ClientKubeProxyKey,
|
|
filepath.Join(agentDataDir, "client-kube-proxy.crt"),
|
|
filepath.Join(agentDataDir, "client-kube-proxy.key"),
|
|
}
|
|
case CertificateAuthority:
|
|
fileMap[service] = []string{
|
|
controlConfig.Runtime.ServerCA,
|
|
controlConfig.Runtime.ServerCAKey,
|
|
controlConfig.Runtime.ClientCA,
|
|
controlConfig.Runtime.ClientCAKey,
|
|
controlConfig.Runtime.RequestHeaderCA,
|
|
controlConfig.Runtime.RequestHeaderCAKey,
|
|
controlConfig.Runtime.ETCDPeerCA,
|
|
controlConfig.Runtime.ETCDPeerCAKey,
|
|
controlConfig.Runtime.ETCDServerCA,
|
|
controlConfig.Runtime.ETCDServerCAKey,
|
|
}
|
|
case version.Program + ProgramServer:
|
|
// not handled here, as the dynamiclistener cert cache is not a standard cert
|
|
default:
|
|
return nil, fmt.Errorf("%s is not a recognized service", service)
|
|
}
|
|
}
|
|
return fileMap, nil
|
|
}
|
|
|
|
func IsValid(svc string) bool {
|
|
for _, service := range All {
|
|
if svc == service {
|
|
return true
|
|
}
|
|
}
|
|
return false
|
|
}
|