@@ -109,7 +109,7 @@ ENABLE_ADMISSION_PLUGINS=${ENABLE_ADMISSION_PLUGINS:-"NamespaceLifecycle,LimitRa
109109DISABLE_ADMISSION_PLUGINS=${DISABLE_ADMISSION_PLUGINS:- " "
110110ADMISSION_CONTROL_CONFIG_FILE=${ADMISSION_CONTROL_CONFIG_FILE:- " "
111111
112- # START_MODE can be 'all', 'kubeletonly', or 'nokubelet '
112+ # START_MODE can be 'all', 'kubeletonly', 'nokubelet', or 'nokubeproxy '
113113START_MODE=${START_MODE:- " all"
114114
115115# A list of controllers to enable
@@ -457,7 +457,6 @@ function generate_certs {
457457 kube::util::create_serving_certkey " ${CONTROLPLANE_SUDO} " " ${CERT_DIR} " " server-ca" " localhost" ${API_HOST_IP} ${API_HOST} ${FIRST_SERVICE_CLUSTER_IP}
458458
459459 # Create client certs signed with client-ca, given id, given CN and a number of groups
460- kube::util::create_client_certkey " ${CONTROLPLANE_SUDO} " " ${CERT_DIR} " ' client-ca'
461460 kube::util::create_client_certkey " ${CONTROLPLANE_SUDO} " " ${CERT_DIR} " ' client-ca'
462461 kube::util::create_client_certkey " ${CONTROLPLANE_SUDO} " " ${CERT_DIR} " ' client-ca'
463462 kube::util::create_client_certkey " ${CONTROLPLANE_SUDO} " " ${CERT_DIR} " ' client-ca'
@@ -466,11 +465,17 @@ function generate_certs {
466465 # Create matching certificates for kube-aggregator
467466 kube::util::create_serving_certkey " ${CONTROLPLANE_SUDO} " " ${CERT_DIR} " " server-ca" " localhost" ${API_HOST_IP}
468467 kube::util::create_client_certkey " ${CONTROLPLANE_SUDO} " " ${CERT_DIR} "
468+
469469 # TODO remove masters and add rolebinding
470470 kube::util::create_client_certkey " ${CONTROLPLANE_SUDO} " " ${CERT_DIR} " ' client-ca'
471471 kube::util::write_client_kubeconfig " ${CONTROLPLANE_SUDO} " " ${CERT_DIR} " " ${ROOT_CA_FILE} " " ${API_HOST} " " ${API_SECURE_PORT} "
472472}
473473
474+ function generate_kubeproxy_certs {
475+ kube::util::create_client_certkey " ${CONTROLPLANE_SUDO} " " ${CERT_DIR} " ' client-ca'
476+ kube::util::write_client_kubeconfig " ${CONTROLPLANE_SUDO} " " ${CERT_DIR} " " ${ROOT_CA_FILE} " " ${API_HOST} " " ${API_SECURE_PORT} "
477+ }
478+
474479function generate_kubelet_certs {
475480 kube::util::create_client_certkey " ${CONTROLPLANE_SUDO} " " ${CERT_DIR} " ' client-ca' ${HOSTNAME_OVERRIDE} system:nodes
476481 kube::util::write_client_kubeconfig " ${CONTROLPLANE_SUDO} " " ${CERT_DIR} " " ${ROOT_CA_FILE} " " ${API_HOST} " " ${API_SECURE_PORT} "
595600 # Create kubeconfigs for all components, using client certs
596601 kube::util::write_client_kubeconfig " ${CONTROLPLANE_SUDO} " " ${CERT_DIR} " " ${ROOT_CA_FILE} " " ${API_HOST} " " ${API_SECURE_PORT} "
597602 ${CONTROLPLANE_SUDO} chown " ${USER} " " ${CERT_DIR} /client-admin.key" # make readable for kubectl
598- kube::util::write_client_kubeconfig " ${CONTROLPLANE_SUDO} " " ${CERT_DIR} " " ${ROOT_CA_FILE} " " ${API_HOST} " " ${API_SECURE_PORT} "
599603 kube::util::write_client_kubeconfig " ${CONTROLPLANE_SUDO} " " ${CERT_DIR} " " ${ROOT_CA_FILE} " " ${API_HOST} " " ${API_SECURE_PORT} "
600604 kube::util::write_client_kubeconfig " ${CONTROLPLANE_SUDO} " " ${CERT_DIR} " " ${ROOT_CA_FILE} " " ${API_HOST} " " ${API_SECURE_PORT} "
601605
813817 done
814818 fi >> /tmp/kube-proxy.yaml
815819
820+ if [[ " ${REUSE_CERTS} " != true ]]; then
821+ generate_kubeproxy_certs
822+ fi
823+
816824 sudo " ${GO_OUT} /hyperkube"
817825 --v=${LOG_LEVEL} \
818826 --config=/tmp/kube-proxy.yaml \
@@ -1014,7 +1022,9 @@ if [[ "${START_MODE}" != "kubeletonly" ]]; then
10141022 if [[ " ${EXTERNAL_CLOUD_PROVIDER:- } " == " true" ; then
10151023 start_cloud_controller_manager
10161024 fi
1017- start_kubeproxy
1025+ if [[ " ${START_MODE} " != " nokubeproxy" ; then
1026+ start_kubeproxy
1027+ fi
10181028 start_kubescheduler
10191029 start_kubedns
10201030 if [[ " ${ENABLE_NODELOCAL_DNS:- } " == " true" ; then
0 commit comments