
Commit f7f9256

handle flattening of cert-dir
1 parent 0876a92 commit f7f9256


4 files changed

+67
-71
lines changed


admin_guide/master_node_configuration.adoc

Lines changed: 53 additions & 49 deletions
Original file line numberDiff line numberDiff line change
@@ -17,16 +17,16 @@ The config files are fully specifying with no defaulting. This means that any e
1717
== Create the starting config files
1818
The `openshift start` command accepts flags that indicate that it should simply write the config file that it would have used and terminate. This is useful for getting a starting point for the config. You can do this by running
1919

20-
* `openshift start --writeconfig --master-config=master.yaml --node-config=node.yaml`
21-
* `openshift start master --write-config --config=master.yaml`
22-
* `openshift start node --write-config --config=node.yaml`
20+
* `openshift start --write-config=openshift.local.config
21+
* `openshift start master --write-config=openshift.local.config/master`
22+
* `osadm create-node-config --node-dir=openshift.local.config/node-myhost --node=myhost --hostnames=myhost.local,10.0.0.1`
2323

2424
== Use the config files
2525
Once you have modified the config files to your liking, you can make use of them by specifying them as an argument. Keep in mind that if you specify a config file, *none of the other flags you pass in will be respected*. You can run them like:
2626

27-
* `openshift start --master-config=master.yaml --node-config=node.yaml`
28-
* `openshift start master --config=master.yaml`
29-
* `openshift start node --config=node.yaml`
27+
* `openshift start --master-config=openshift.local.config/master/master-config.yaml --node-config=openshift.local.config/node-<node-name>/node-config.yaml`
28+
* `openshift start master --config=openshift.local.config/master/master-config.yaml`
29+
* `openshift start node --config=openshift.local.config/node-myhost/node-config.yaml`
3030

3131
== Stub for discussion of generating the config for a new node
3232

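Review bot: the first new bullet (`* \`openshift start --write-config=openshift.local.config`) is missing its closing backtick, so the monospace span swallows the following lines when rendered; add the backtick. The `--node-config` example under "Use the config files" uses the `<node-name>` placeholder while the `openshift start node` line and the `osadm create-node-config --node-dir=openshift.local.config/node-myhost` line use `node-myhost`; use one form so the directory name produced by `--node-dir` is visibly carried through. The prose above still says the command writes "the config file", but all three new invocations take a directory, and paths elsewhere in this change (`openshift.local.config/master/ca.crt` in the installation guide) show certificates land there too; say that a directory tree of config plus certificates is written.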
@@ -38,63 +38,67 @@ This is an example at a point in time. You should run `--write-config` to gener
3838
---
3939
apiVersion: v1
4040
assetConfig:
41-
kubernetesPublicURL: https://10.0.0.1:8443
4241
logoutURL: ""
4342
masterPublicURL: https://10.0.0.1:8443
44-
publicURL: https://10.0.0.1:8444
43+
publicURL: https://10.0.0.1:8443/console/
4544
servingInfo:
46-
bindAddress: 0.0.0.0:8444
47-
certFile: openshift.local.certificates/master/cert.crt
48-
clientCA: openshift.local.certificates/ca/cert.crt
49-
keyFile: openshift.local.certificates/master/key.key
45+
bindAddress: 0.0.0.0:8443
46+
certFile: master.server.crt
47+
clientCA: ""
48+
keyFile: master.server.key
5049
corsAllowedOrigins:
51-
- 10.0.0.1:8444
5250
- 10.0.0.1:8443
53-
- localhost
5451
- 127.0.0.1
52+
- localhost
5553
dnsConfig:
5654
bindAddress: 0.0.0.0:53
5755
etcdClientInfo:
58-
ca: openshift.local.certificates/ca/cert.crt
59-
certFile: openshift.local.certificates/master/etcd-client.crt
60-
keyFile: openshift.local.certificates/master/etcd-client.key
56+
ca: ca.crt
57+
certFile: master.etcd-client.crt
58+
keyFile: master.etcd-client.key
6159
urls:
6260
- https://10.0.0.1:4001
6361
etcdConfig:
6462
address: 10.0.0.1:4001
6563
peerAddress: 10.0.0.1:7001
6664
peerServingInfo:
6765
bindAddress: 0.0.0.0:7001
68-
certFile: openshift.local.certificates/etcd/server.crt
69-
clientCA: openshift.local.certificates/ca/cert.crt
70-
keyFile: openshift.local.certificates/etcd/server.key
66+
certFile: etcd.server.crt
67+
clientCA: ca.crt
68+
keyFile: etcd.server.key
7169
servingInfo:
7270
bindAddress: 0.0.0.0:4001
73-
certFile: openshift.local.certificates/etcd/server.crt
74-
clientCA: openshift.local.certificates/ca/cert.crt
75-
keyFile: openshift.local.certificates/etcd/server.key
71+
certFile: etcd.server.crt
72+
clientCA: ca.crt
73+
keyFile: etcd.server.key
7674
storageDirectory: openshift.local.etcd
7775
imageConfig:
7876
format: openshift/origin-${component}:${version}
7977
latest: false
8078
kind: MasterConfig
79+
kubeletClientInfo:
80+
ca: ca.crt
81+
certFile: master.kubelet-client.crt
82+
keyFile: master.kubelet-client.key
83+
port: 10250
8184
kubernetesMasterConfig:
8285
masterIP: 10.0.0.1
83-
servicesSubnet: 172.30.17.0/24
86+
schedulerConfigFile: ""
87+
servicesSubnet: 172.30.0.0/16
8488
staticNodeNames:
85-
- hostname.example.org
89+
- deads-dev-01
8690
masterClients:
87-
deployerKubeConfig: openshift.local.certificates/openshift-deployer/.kubeconfig
88-
kubernetesKubeConfig: openshift.local.certificates/kube-client/.kubeconfig
89-
openshiftLoopbackKubeConfig: openshift.local.certificates/openshift-client/.kubeconfig
91+
deployerKubeConfig: openshift-deployer.kubeconfig
92+
kubernetesKubeConfig: kube-client.kubeconfig
93+
openshiftLoopbackKubeConfig: openshift-client.kubeconfig
9094
oauthConfig:
91-
assetPublicURL: https://10.0.0.1:8444
95+
assetPublicURL: https://10.0.0.1:8443/console/
9296
grantConfig:
9397
method: auto
9498
identityProviders:
95-
- name: anypassword
96-
challenge: true
99+
- challenge: true
97100
login: true
101+
name: anypassword
98102
provider:
99103
apiVersion: v1
100104
kind: AllowAllPasswordIdentityProvider
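Review bot: `staticNodeNames` now lists `deads-dev-01`, a developer's hostname, where the old example used `hostname.example.org`; use `myhost` to match the node example later in this file. The certificate and kubeconfig references are now bare filenames (`master.server.crt`, `ca.crt`, `openshift-client.kubeconfig`) but the text never says what they are relative to; since the wrong base directory means the wrong key or CA is loaded, state it explicitly (presumably the directory holding `master-config.yaml`, given `--write-config=openshift.local.config/master`). `assetConfig.servingInfo.clientCA` became `""` while every other `clientCA` in the file points at `ca.crt`; if the asset server intentionally skips client certificate verification, one sentence saying so would stop readers from copying the empty value into the API server's `servingInfo`. `servicesSubnet` also changes from `172.30.17.0/24` to `172.30.0.0/16`, which is unrelated to the cert-dir flattening and worth a mention in the commit message.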
@@ -103,45 +107,45 @@ oauthConfig:
103107
sessionConfig:
104108
sessionMaxAgeSeconds: 300
105109
sessionName: ssn
106-
sessionSecrets:
107-
- authentication: 46b8abfaa1ab450624bef7f4dbb53958
108-
encryption: d5c11c48c49d56fa955b96c78b9ae48
110+
sessionSecretsFile: ""
109111
tokenConfig:
110-
accessTokenMaxAgeSeconds: 3600
112+
accessTokenMaxAgeSeconds: 86400
111113
authorizeTokenMaxAgeSeconds: 300
112114
policyConfig:
113-
bootstrapPolicyFile: openshift.local.policy/policy.json
115+
bootstrapPolicyFile: policy.json
114116
masterAuthorizationNamespace: master
115117
openshiftSharedResourcesNamespace: openshift
116118
servingInfo:
117119
bindAddress: 0.0.0.0:8443
118-
certFile: openshift.local.certificates/master/cert.crt
119-
clientCA: openshift.local.certificates/ca/cert.crt
120-
keyFile: openshift.local.certificates/master/key.key
120+
certFile: master.server.crt
121+
clientCA: ca.crt
122+
keyFile: master.server.key
121123

122124
---
123125

124126
=== Stub for discussion of what the different values actually do
125127

126128
== Example node.yaml
127-
This is an example at a point in time. You should run `--write-config` to generate a file of your own.
129+
This is an example at a point in time. You should run `osadm create-node-config` to generate a file of your own.
128130

129131
[source]
130132
---
131-
allowDisabledDocker: true
133+
allowDisabledDocker: false
132134
apiVersion: v1
133135
dnsDomain: local
134-
dnsIP: 10.0.0.1
136+
dnsIP: ""
137+
imageConfig:
138+
format: openshift/origin-${component}:${version}
139+
latest: false
135140
kind: NodeConfig
136-
masterKubeConfig: openshift.local.certificates/node-hostname.example.org/.kubeconfig
137-
networkContainerImage: openshift/origin-pod:v0.4.1
138-
nodeName: hostname.example.org
139-
recordEvents: false
141+
masterKubeConfig: node.kubeconfig
142+
networkPluginName: ""
143+
nodeName: myhost
140144
servingInfo:
141145
bindAddress: 0.0.0.0:10250
142-
certFile: openshift.local.certificates/node-hostname.example.org/server.crt
143-
clientCA: ""
144-
keyFile: openshift.local.certificates/node-hostname.example.org/server.key
146+
certFile: server.crt
147+
clientCA: node-client-ca.crt
148+
keyFile: server.key
145149
volumeDirectory: openshift.local.volumes
146150
---
147151

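Review bot: replacing the inline `sessionSecrets` block, which carried two literal secret values, with `sessionSecretsFile: ""` is the right direction for a published example, but the empty string is unexplained; say whether it means secrets are generated at startup or that sessions are neither signed nor encrypted. `accessTokenMaxAgeSeconds` jumps from 3600 to 86400 (access tokens live 24x longer) with no mention in the commit message; if that is the new `--write-config` default it belongs in the "what the different values actually do" stub, as it is a security-relevant knob. In `node.yaml`, `servingInfo.clientCA` goes from `""` to `node-client-ca.crt`, which enables verification of client certificates on the kubelet port against that CA and deserves a sentence; `allowDisabledDocker` flips to `false` and `recordEvents` disappears, both silently.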
cli_reference/get_started_cli.adoc

Lines changed: 3 additions & 7 deletions
@@ -107,13 +107,9 @@ There are multiple methods that you can use to create a configuration file to be
107107
used with the CLI. The following rules are observed in order when loading CLI
108108
configuration, if the following files exist or options are specified:
109109

110-
. The path provided by the `--config` command line option.
111-
. The path provided by the `*$OPENSHIFTCONFIG*` environment variable.
112-
. The *_.openshiftconfig_* file in the current directory.
113-
. The *_.config_* file inside the *_.config/openshift_* directory in the user's home: *_~/.config/openshift/.config_*.
114-
. The path provided by the `*$KUBECONFIG*` environment variable.
115-
. The *_.kubeconfig_* file in the current directory.
116-
. The *_.kubeconfig_* file inside the *_.kube_* directory in the user's home: `~/.kube/.kubeconfig`
110+
. The path provided by the `--config` command line option
111+
. The paths provided by the `$OPENSHIFTCONFIG` environment variable, merged together
112+
. The `config` file inside the `.config/openshift` directory in the user's home: `~/.config/openshift/config`
117113

118114
You can easily link:setup_multiple_cli_profiles.html[configure and manage
119115
multiple CLI profiles] using the `osc config` command.
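Review bot: the new list silently drops `$KUBECONFIG`, `.kubeconfig` in the current directory and `~/.kube/.kubeconfig` from the lookup order; since the installation guide in this same commit moves users from `export KUBECONFIG=...` to `export OPENSHIFTCONFIG=...`, say explicitly that `$KUBECONFIG` is no longer consulted so someone who still has it exported understands why their config is ignored. Item 2 says the paths are "merged together" without defining the merge; link to the loading and merging rules in `setup_multiple_cli_profiles.adoc`, which the paragraph below already references. The new items also lost their trailing periods while the surrounding prose keeps them.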

cli_reference/setup_multiple_cli_profiles.adoc

Lines changed: 6 additions & 10 deletions
@@ -108,18 +108,14 @@ users:
108108
auth-path: path/to/my/existing/auth-file
109109
```
110110
== Loading and merging rules
111-
The rules for loading and merging .kubeconfig files are straightforward but numerous. The final config is built in the following order:
112-
113-
. Merge together the .kubeconfig file. This is done with the following hierarchy and merge rules:
114-
* Empty filenames are ignored; files with non-deserializable content produce errors.
115-
* The first file to set a particular value or map key wins and the value or map key is never changed. As a result, the first file to set [parameter]#CurrentContext# will have its context preserved. Also, if two files specify a "red-user", only values from the first file's red-user are used. Even non-conflicting entries from the second file's "red-user" are discarded.
116-
** CommandLineLocation: the value of the `kubeconfig` command line option.
117-
** EnvVarLocation: the value of $KUBECONFIG
118-
** CurrentDirectoryLocation: ``pwd``/.kubeconfig
119-
** HomeDirectoryLocation: ~/.kube/.kubeconfig
111+
The loading order follows these rules:
112+
1. If the --config flag is set, then only that file is loaded. The flag may only be set once and no merging takes place.
113+
2. If $OPENSHIFTCONFIG environment variable is set, then it is used a list of paths (normal path delimitting rules for your system). These paths are merged together. When a value is modified, it is modified in the file that defines the stanza. When a value is created, it is created in the first file that exists. If no files in the chain exist, then it creates the last file in the list.
114+
3. Otherwise, ${HOME}/.config/openshift/config is used and no merging takes place.
115+
120116
. Determine the context to use based on the first hit in this chain:
121117
** Command line argument - the value of the `context` command line option.
122-
** Current-context from the merged kubeconfig file.
118+
** Current-context from the kubeconfig file.
123119
** Empty is allowed at this stage.
124120
. Determine the user and cluster information to use. At this point, you may or may not have a context; they are built based on the first hit in this chain. Hint: Run it twice, once for user, once for cluster.
125121
** Command line argument: `user` for user name and `cluster` for cluster name
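Review bot: the replacement inserts a Markdown-style `1.`/`2.`/`3.` list into an AsciiDoc file whose neighbouring steps use the `.` marker (see `. Determine the context to use` immediately after it), so the numbering will render inconsistently; use `.` items here. In item 2, "it is used a list of paths" should read "it is used as a list of paths" and "delimitting" should be "delimiting"; in item 1, `--config` should be in backticks like the other flags in the section. The removed text documented the read-side conflict rule (the first file to set a value or map key wins, and even non-conflicting entries of a later file's same-named user are discarded); the new text only says where writes go, so a reader no longer learns which file's `current-context` or which duplicated user the CLI actually uses. Keep that rule, since it decides which credentials are presented.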

getting_started/dev_get_started/installation.adoc

Lines changed: 5 additions & 5 deletions
@@ -51,8 +51,8 @@ $ sudo docker exec -it openshift-origin bash
5151
. Because OpenShift services are secured by TLS, clients must accept the server certificates and present their own client certificate. These certificates are generated when the master server is started. You must point `osc` and `curl` at the appropriate CA bundle and client key and certificate to connect to OpenShift. Set the following environment variables:
5252
+
5353
----
54-
# export KUBECONFIG=/var/lib/openshift/openshift.local.certificates/admin/.kubeconfig
55-
# export CURL_CA_BUNDLE=/var/lib/openshift/openshift.local.certificates/admin/root.crt
54+
# export OPENSHIFTCONFIG=/var/lib/openshift/openshift.local.config/master/admin.kubeconfig
55+
# export CURL_CA_BUNDLE=/var/lib/openshift/openshift.local.config/master/ca.crt
5656
----
5757
+
5858
NOTE: When running as a user other than `root`, you would also need to make the private client key readable by that user. However, this is just for example purposes; in a production environment, developers would generate their own keys and not have access to the system keys.
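Review bot: the NOTE says a non-root user must have the private client key made readable, but the example now references only `admin.kubeconfig` and `ca.crt`; name the file that actually holds the key (the second hunk in this file runs `chmod +r` on `admin.kubeconfig`, which suggests the credential is embedded in or resolved from it) so the reader knows which file to adjust and that it is an admin credential.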
@@ -107,9 +107,9 @@ $ ./openshift help
107107
. Because OpenShift services are secured by TLS, clients must accept the server certificates and present their own client certificate. These certificates are generated when the master server is started. You must point `osc` and `curl` at the appropriate CA bundle and client key and certificate to connect to OpenShift. Set the following environment variables:
108108
+
109109
----
110-
$ export KUBECONFIG=`pwd`/openshift.local.certificates/admin/.kubeconfig
111-
$ export CURL_CA_BUNDLE=`pwd`/openshift.local.certificates/admin/root.crt
112-
$ sudo chmod +r `pwd`/openshift.local.certificates/admin/.kubeconfig
110+
$ export OPENSHIFTCONFIG=`pwd`/openshift.local.config/master/admin.kubeconfig
111+
$ export CURL_CA_BUNDLE=`pwd`/openshift.local.config/master/ca.crt
112+
$ sudo chmod +r `pwd`/openshift.local.config/master/admin.kubeconfig
113113
----
114114
+
115115
NOTE: This is just for example purposes; in a production environment, developers would generate their own keys and not have access to the system keys.
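Review bot: `sudo chmod +r` on `admin.kubeconfig` makes a cluster-admin credential readable by every local account, not only the developer running `osc`; the NOTE flags this as example-only, but `sudo chown $USER` on the same file demonstrates the step without leaving a world-readable admin credential and is no harder to type. The CA bundle also moves from `admin/root.crt` to `master/ca.crt`; a sentence noting that this is the same `ca.crt` the master config uses as `clientCA` and for etcd would make "the appropriate CA bundle" concrete.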
