Fix for kubelet startup on nodes when using TLS bootstrapping (kubern…

…etes-retired#1522) * ALWAYS write a kubeconfig file - even when using the TLS bootstrapping feature * TLS worker pem symlink is always created so use it always in the kubeconfig
HotelsDotCom · Jan 9, 2019 · 61fbf16 · 61fbf16
1 parent 15abdd7
commit 61fbf16
Showing 1 changed file with 25 additions and 5 deletions.
diff --git a/builtin/files/userdata/cloud-config-worker b/builtin/files/userdata/cloud-config-worker
@@ -361,19 +361,19 @@ coreos:
         {{ end }}--cluster-domain=cluster.local \
         --cloud-provider=aws \
         --cert-dir=/etc/kubernetes/ssl \
-        {{- if and .Experimental.TLSBootstrap.Enabled .AssetsConfig.HasTLSBootstrapToken (not .Kubelet.Kubeconfig)}}
+        {{- if and .Experimental.TLSBootstrap.Enabled .AssetsConfig.HasTLSBootstrapToken }}
         --experimental-bootstrap-kubeconfig=/etc/kubernetes/kubeconfig/worker-bootstrap.yaml \
         {{- if .Kubelet.RotateCerts.Enabled }}
         --rotate-certificates \
         {{- end }}
         {{- else }}
-        {{- if .Kubelet.Kubeconfig}}
-        --kubeconfig={{ .Kubelet.Kubeconfig }} \
-        {{- else }}
-        --kubeconfig=/etc/kubernetes/kubeconfig/worker.yaml \
         --tls-cert-file=/etc/kubernetes/ssl/worker.pem \
         --tls-private-key-file=/etc/kubernetes/ssl/worker-key.pem \
         {{- end }}
+        {{- if .Kubelet.Kubeconfig }}
+        --kubeconfig={{ .Kubelet.Kubeconfig }} \
+        {{- else }}
+        --kubeconfig=/etc/kubernetes/kubeconfig/worker.yaml \
         {{- end }}
         {{- if .FeatureGates.Enabled }}
         --feature-gates=\"{{.FeatureGates.String}}\" \
@@ -1069,6 +1069,26 @@ write_files:
             user: tls-bootstrap
           name: tls-bootstrap-context
         current-context: tls-bootstrap-context
+  - path: /etc/kubernetes/kubeconfig/worker.yaml
+    content: |
+        apiVersion: v1
+        kind: Config
+        clusters:
+        - name: local
+          cluster:
+            certificate-authority: /etc/kubernetes/ssl/ca.pem
+            server: {{.APIEndpointURL}}:443
+        users:
+        - name: kubelet
+          user:
+            client-certificate: /etc/kubernetes/ssl/kubelet-client-current.pem
+            client-key: /etc/kubernetes/ssl/kubelet.key
+        contexts:
+        - context:
+            cluster: local
+            user: kubelet
+          name: kubelet-context
+        current-context: kubelet-context
 {{ else }}
   - path: /etc/kubernetes/kubeconfig/worker.yaml
     content: |