setup: Configure requestheader-client cert for apiserver

Fixes habitat-sh#24 Signed-off-by: Indradhanush Gupta <[email protected]>
kinvolk-archives · Sep 14, 2018 · a4b5b56 · a4b5b56
1 parent 48b1ff9
commit a4b5b56
Show file tree

Hide file tree

Showing 3 changed files with 10 additions and 1 deletion.
diff --git a/config/svc-kubernetes-apiserver.toml b/config/svc-kubernetes-apiserver.toml
@@ -11,6 +11,10 @@ kubelet-certificate-authority = "files/ca.pem"
 kubelet-client-certificate = "files/kubernetes.pem"
 kubelet-client-key = "files/kubernetes-key.pem"
 
+requestheader-client-ca-file = "files/requestheader-ca.pem"
+requestheader-group-headers = "X-Remote-Group"
+requestheader-username-headers = "X-Remote-User"
+
 service-account-key-file = "files/ca-key.pem"
 
 tls-ca-file = "files/ca.pem"

diff --git a/scripts/generate-ssl-certificates b/scripts/generate-ssl-certificates
@@ -77,3 +77,8 @@ EOF
     -profile=kubernetes \
     - | cfssljson -bare "node-${i}/node"
 done
+
+
+# requestheader CA
+
+cfssl gencert -initca requestheader-csr.json | cfssljson -bare requestheader-ca
diff --git a/scripts/setup b/scripts/setup
@@ -45,7 +45,7 @@ vagrant ssh node-0 -- sudo chown hab:hab /var/run/kubernetes
 vagrant ssh node-0 -- sudo hab svc load core/kubernetes-apiserver --channel "${channel}"
 
 cat <<'EOF' | vagrant ssh node-0 -- bash
-for f in /vagrant/certificates/{kubernetes.pem,kubernetes-key.pem,ca.pem,ca-key.pem}; do sudo hab file upload kubernetes-apiserver.default $(date +%s) "${f}"; done
+for f in /vagrant/certificates/{kubernetes.pem,kubernetes-key.pem,ca.pem,ca-key.pem,requestheader-ca.pem,requestheader-ca-key.pem}; do sudo hab file upload kubernetes-apiserver.default $(date +%s) "${f}"; done
 EOF
 vagrant ssh node-0 -- sudo hab config apply kubernetes-apiserver.default $(date +%s) /vagrant/config/svc-kubernetes-apiserver.toml