From 2bec5a5992a923a87d567e44d60568c8a32dca25 Mon Sep 17 00:00:00 2001
From: Andrea Mazzotti
Date: Fri, 24 Nov 2023 13:17:40 +0100
Subject: [PATCH] Improve elemental api tls setup (#10)

* Add more Elemental API setup options and related documentation

Signed-off-by: Andrea Mazzotti
---
 README.md | 2 +
 cmd/manager/main.go | 22 +-
 config/manager/configmap.yaml | 4 +-
 config/manager/kustomization.yaml | 1 +
 config/manager/manager.yaml | 2 +-
 config/manager/service.yaml | 12 +
 doc/ELEMENTAL_API_SETUP.md | 258 ++++++++++++++++++
 doc/QUICKSTART.md | 24 +-
 .../v0.0.0/infrastructure-components.yaml | 50 +++-
 infrastructure-elemental/v0.0.0/metadata.yaml | 3 +
 test/scripts/setup_kind_cluster.sh | 7 +-
 11 files changed, 353 insertions(+), 32 deletions(-)
 create mode 100644 config/manager/service.yaml
 create mode 100644 doc/ELEMENTAL_API_SETUP.md

diff --git a/README.md b/README.md
index 00ca6e4b..0f95233a 100644
--- a/README.md
+++ b/README.md
@@ -48,6 +48,8 @@ You can use it with any OpenAPI compliant tool, for example the online [Swagger
 
 This API is consumed by the `elemental-agent` and is meant for **Internal** use only.
 
+For more details on how to configure and expose the Elemental API, please read the related [document](./doc/ELEMENTAL_API_SETUP.md).
+
 ### Authentication & Authorization
 
 The Elemental API uses two different authorization header.
diff --git a/cmd/manager/main.go b/cmd/manager/main.go
index 9eb6c7f1..c503590d 100644
--- a/cmd/manager/main.go
+++ b/cmd/manager/main.go
@@ -22,7 +22,6 @@ import (
 "fmt"
 "net/url"
 "os"
- "strconv"
 
 // Import all Kubernetes client auth plugins (e.g. Azure, GCP, OIDC, etc.)
 // to ensure that exec-entrypoint and run can make use of them.
@@ -44,12 +43,18 @@ import (
 //+kubebuilder:scaffold:imports
 )
 
+// Defaults.
+const (
+ defaultAPIPort = 9090
+)
+
 // Environment variables.
 const (
 envEnableDebug = "ELEMENTAL_ENABLE_DEBUG"
+ envEnableDefaultCA = "ELEMENTAL_ENABLE_DEFAULT_CA"
 envAPIEndpoint = "ELEMENTAL_API_ENDPOINT"
- envAPIPort = "ELEMENTAL_API_PORT"
 envAPIProtocol = "ELEMENTAL_API_PROTOCOL"
+ envAPITLSEnable = "ELEMENTAL_API_ENABLE_TLS" //nolint:gosec //This is just a boolean flag. Should never contain credentials.
 envAPITLSCA = "ELEMENTAL_API_TLS_CA"
 envAPITLSPrivateKey = "ELEMENTAL_API_TLS_PRIVATE_KEY"
 envAPITLSCertificate = "ELEMENTAL_API_TLS_CERTIFICATE"
@@ -192,10 +197,9 @@ func main() {
 setupLog.Error(err, "formatting Elemental API URL")
 os.Exit(1)
 }
- // If Elemental API uses TLS, initialize default trust certificate
- useTLS := elementalAPIURL.Scheme == "https"
+ // Load the default CA if this behavior was enabled
 var defaultCACert string
- if useTLS {
+ if os.Getenv(envEnableDefaultCA) == "true" {
 defaultCACertBytes, err := os.ReadFile(os.Getenv(envAPITLSCA))
 if err != nil {
 setupLog.Error(err, "reading Elemental API TLS CA certificate")
@@ -224,14 +228,10 @@ func main() {
 }
 
 // Start Elemental API
- portValue := os.Getenv(envAPIPort)
- port, err := strconv.ParseUint(portValue, 10, 32)
- if err != nil {
- setupLog.Error(err, "parsing Elemental API port value")
- }
 privateKey := os.Getenv(envAPITLSPrivateKey)
 certificate := os.Getenv(envAPITLSCertificate)
- elementalAPIServer := api.NewServer(ctx, mgr.GetClient(), uint(port), useTLS, privateKey, certificate)
+ useTLS := os.Getenv(envAPITLSEnable) == "true"
+ elementalAPIServer := api.NewServer(ctx, mgr.GetClient(), defaultAPIPort, useTLS, privateKey, certificate)
 go func() {
 if err := elementalAPIServer.Start(ctx); err != nil {
 setupLog.Error(err, "running Elemental API server")
diff --git a/config/manager/configmap.yaml b/config/manager/configmap.yaml
index 9c1cf0ee..932aa811 100644
--- a/config/manager/configmap.yaml
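Review bot: `defaultAPIPort` reads as an overridable default, but the same hunk removes `envAPIPort`, so nothing can override it any more and a reader will look for a knob that does not exist. A comment tying the constant to the manifests would make the coupling explicit: `// defaultAPIPort is the fixed port the Elemental API listens on; it must match containerPort 9090 and the Service targetPort "api" in config/manager.` The `//nolint:gosec` justification on `envAPITLSEnable` is fine as written.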
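Review bot: In the `@@ -192,10 +197,9 @@` hunk, `os.Getenv(envEnableDefaultCA) == "true"` silently treats every other spelling (`True`, `1`, a stray quote) as disabled, and nothing records which mode was chosen, so a misconfigured deployment just produces registrations without a `caCert` and the agent fails later with an untrusted-certificate error far from the cause. A single startup line would make this diagnosable: `setupLog.Info("Elemental API default CA injection", "enabled", os.Getenv(envEnableDefaultCA) == "true")`. Since the CA load is now independent of the listener's TLS mode, this log also helps operators spot the Ingress case where the injected CA does not match the certificate the proxy actually serves. The enclosing `main` continues outside the hunk.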
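Review bot: In the `@@ -224,14 +228,10 @@` hunk, `useTLS` is now decoupled from `elementalAPIURL.Scheme`, so with the shipped defaults (`ELEMENTAL_API_ENABLE_TLS="false"`, `ELEMENTAL_API_PROTOCOL="https"`) the controller generates `https://` registration URIs while listening in plaintext on 9090, and nothing warns when no TLS-terminating proxy is in front; a warning at this point would catch it, e.g. `if !useTLS && elementalAPIURL.Scheme == "https" { setupLog.Info("Elemental API TLS listener disabled while registration URIs use https; a TLS terminating proxy is expected") }`. Separately, `privateKey` and `certificate` are file paths handed to `api.NewServer` once at startup, while the generated `Certificate` in this commit sets `renewBefore: 360h`; cert-manager will rotate the secret but the listener keeps the old certificate until a restart (the new doc acknowledges the manual restart), which is worth tracking as a follow-up. The enclosing `main` continues outside the hunk.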
+++ b/config/manager/configmap.yaml
@@ -5,10 +5,10 @@ metadata:
 namespace: system
 data:
 ELEMENTAL_ENABLE_DEBUG: ${ELEMENTAL_ENABLE_DEBUG:="false"}
+ ELEMENTAL_ENABLE_DEFAULT_CA: ${ELEMENTAL_ENABLE_DEFAULT_CA:="false"}
 ELEMENTAL_API_ENDPOINT: ${ELEMENTAL_API_ENDPOINT:=""}
- ELEMENTAL_API_PORT: ${ELEMENTAL_API_PORT:="9090"}
 ELEMENTAL_API_PROTOCOL: ${ELEMENTAL_API_PROTOCOL:="https"}
+ ELEMENTAL_API_ENABLE_TLS: ${ELEMENTAL_API_ENABLE_TLS:="false"}
 ELEMENTAL_API_TLS_CA: ${ELEMENTAL_API_TLS_CA:="/etc/elemental/ssl/ca.crt"}
 ELEMENTAL_API_TLS_PRIVATE_KEY: ${ELEMENTAL_API_TLS_PRIVATE_KEY:="/etc/elemental/ssl/tls.key"}
 ELEMENTAL_API_TLS_CERTIFICATE: ${ELEMENTAL_API_TLS_CERTIFICATE:="/etc/elemental/ssl/tls.crt"}
-
diff --git a/config/manager/kustomization.yaml b/config/manager/kustomization.yaml
index 44f9825d..81c45afe 100644
--- a/config/manager/kustomization.yaml
+++ b/config/manager/kustomization.yaml
@@ -1,6 +1,7 @@
 resources:
 - manager.yaml
 - configmap.yaml
+- service.yaml
 apiVersion: kustomize.config.k8s.io/v1beta1
 kind: Kustomization
 images:
diff --git a/config/manager/manager.yaml b/config/manager/manager.yaml
index b68988fc..36358a16 100644
--- a/config/manager/manager.yaml
+++ b/config/manager/manager.yaml
@@ -84,7 +84,7 @@ spec:
 ports:
 - containerPort: 9090
 protocol: TCP
- name: http
+ name: api
 volumeMounts:
 - mountPath: "/etc/elemental/ssl"
 name: elemental-api-ssl
diff --git a/config/manager/service.yaml b/config/manager/service.yaml
new file mode 100644
index 00000000..940ad8b4
--- /dev/null
+++ b/config/manager/service.yaml
@@ -0,0 +1,12 @@
+apiVersion: v1
+kind: Service
+metadata:
+ name: controller-manager
+ namespace: system
+spec:
+ selector:
+ control-plane: controller-manager
+ ports:
+ - protocol: TCP
+ port: 9090
+ targetPort: api
diff --git a/doc/ELEMENTAL_API_SETUP.md b/doc/ELEMENTAL_API_SETUP.md
new file mode 100644
index 00000000..3c318d29
--- /dev/null
+++ b/doc/ELEMENTAL_API_SETUP.md
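Review bot: The new defaults in configmap.yaml are mutually inconsistent out of the box: `ELEMENTAL_API_ENABLE_TLS` defaults to `"false"` while `ELEMENTAL_API_PROTOCOL` stays `"https"` and `ELEMENTAL_ENABLE_DEFAULT_CA` is `"false"`, so a plain install advertises https registration URIs but serves plaintext on 9090 unless an Ingress terminates TLS. That is the recommended path in the new doc, but nothing in this file says so, and an operator editing the ConfigMap directly has no hint. A one-line comment above the TLS flag would close the gap: `# ELEMENTAL_API_ENABLE_TLS="false" expects a TLS-terminating proxy in front of port 9090; see doc/ELEMENTAL_API_SETUP.md`.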
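Review bot: The new service.yaml selects on `control-plane: controller-manager`, whereas the rendered Service added to infrastructure-components.yaml in this same commit selects on `app.kubernetes.io/name: elemental-controller-manager`; presumably a kustomize label transform rewrites the selector, but it is worth confirming the rendered Service actually matches the manager pods, since an empty endpoint set would surface only as an Ingress 502 rather than a deploy-time error. The port entry also carries no `name:`; naming it `api` to mirror the container port renamed in manager.yaml would keep the two manifests consistent and let Ingress rules reference it by name.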
@@ -0,0 +1,258 @@
+# Elemental API Setup
+
+This document describes the possibilities when exposing the Elemental API service.
+
+## Recommended configuration
+
+```bash
+ELEMENTAL_API_ENDPOINT="my.elemental.api.endpoint.com" \
+clusterctl init --bootstrap "-" --control-plane "-" --infrastructure elemental:v0.3.0
+```
+
+The most reliable way to serve the Elemental API is through an Ingress controller, making use of a public [ACME Issuer](https://cert-manager.io/docs/configuration/acme/).
+Additionally it is recommended to keep the Elemental API under a private network, therefore using the [DNS01 challenge type](https://cert-manager.io/docs/configuration/acme/dns01/) to refresh certificates.
+
+```yaml
+apiVersion: networking.k8s.io/v1
+kind: Ingress
+metadata:
+ name: elemental-api
+ namespace: elemental-system
+ annotations:
+ cert-manager.io/issuer: "my-acme-issuer"
+spec:
+ tls:
+ - hosts:
+ - my.elemental.api.endpoint.com
+ secretName: my-elemental-api-endpoint-com
+ rules:
+ - host: my.elemental.api.endpoint.com
+ http:
+ paths:
+ - path: /
+ pathType: Prefix
+ backend:
+ service:
+ name: elemental-controller-manager
+ port:
+ number: 9090
+```
+
+This allows to configure the `elemental-agent` to use the system's certificate pool, which can be managed and updated in a more convenient way, for example by simply installing the `ca-certificates-mozilla` package.
+This setting can be included when creating any `ElementalRegistration`:
+
+```yaml
+apiVersion: infrastructure.cluster.x-k8s.io/v1beta1
+kind: ElementalRegistration
+metadata:
+ name: my-registration
+ namespace: default
+spec:
+ config:
+ elemental:
+ agent:
+ useSystemCertPool: true
+```
+
+## Default self-signed CA
+
+By default this provider creates a self signed `cert-manager` CA Issuer.
+
+```bash
+kubectl -n elemental-system get issuers -o wide
+NAME READY STATUS AGE
+elemental-ca True Signing CA verified 59m
+elemental-selfsigned True 59m
+```
+
+The following certificates are also created and loaded to the Elemental controller by default:
+
+```bash
+kubectl -n elemental-system get certificates -o wide
+NAME READY SECRET ISSUER STATUS AGE
+elemental-api-ca True elemental-api-ca elemental-selfsigned Certificate is up to date and has not expired 63m
+elemental-api-ssl True elemental-api-ssl elemental-ca Certificate is up to date and has not expired 63m
+```
+
+The `elemental-api-ssl` certificate can be used out of the box when configuring the `ELEMENTAL_API_ENABLE_TLS="\"true\""` variable.
+The certificate's `dnsName` is configured with the `ELEMENTAL_API_ENDPOINT` variable. This variable must always be set when istalling the controller.
+It will not only be used to generate the default certificate, but it will also be used to automatically generate the `spec.config.elemental.registration.uri` field of every new `ElementalRegistration`.
+This will make the Elemental API use the certificate and listen to TLS connections. Note that this certificate has a default expiration of `1 year` and the controller needs to be manually restarted after certificate renewal.
+
+The `elemental-api-ca` certificate can also be included by default in any new `ElementalRegistration`.
+This allows for a quick and convenient way to make the `elemental-agent` trust the self-signed certificate.
+This behavior can be enabled when using the `ELEMENTAL_ENABLE_DEFAULT_CA="\"true\""` variable.
+By doing so, the controller will initialize the `ElementalRegistration` `spec.config.elemental.registration.caCert` field with the CA cert defined by the `ELEMENTAL_API_TLS_CA`.
+By default this is configured to be the `/etc/elemental/ssl/ca.crt` mounted from `elemental-api-ssl` certificate's secret.
+
+For example, to enable the TLS listener and use the default CA:
+
+```bash
+ELEMENTAL_API_ENDPOINT="my.elemental.api.endpoint.com" \
+ELEMENTAL_API_ENABLE_TLS="\"true\"" \
+ELEMENTAL_ENABLE_DEFAULT_CA="\"true\"" \
+clusterctl init --bootstrap "-" --control-plane "-" --infrastructure elemental:v0.3.0
+```
+
+Now when creating a new `ElementalRegistration` you should see the `caCert` field being populated by default:
+
+```bash
+cat << EOF | kubectl apply -f -
+apiVersion: infrastructure.cluster.x-k8s.io/v1beta1
+kind: ElementalRegistration
+metadata:
+ name: my-registration
+ namespace: default
+spec: {}
+EOF
+```
+
+```bash
+kubectl get elementalregistration my-registration -o yaml
+```
+
+```yaml
+apiVersion: infrastructure.cluster.x-k8s.io/v1beta1
+kind: ElementalRegistration
+metadata:
+ name: my-registration
+ namespace: default
+spec:
+ config:
+ elemental:
+ registration:
+ caCert: |
+ -----BEGIN CERTIFICATE-----
+ MIIDEDCCAfigAwIBAgIQB6v+n9ClHeesS7NRRRgN1TANBgkqhkiG9w0BAQsFADAi
+ MSAwHgYDVQQDExdlbGVtZW50YWwtc2VsZnNpZ25lZC1jYTAeFw0yMzExMjMxNDA1
+ MjNaFw0zNDA5MTYxNDA1MjNaMCIxIDAeBgNVBAMTF2VsZW1lbnRhbC1zZWxmc2ln
+ bmVkLWNhMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAtg6TCCdtHlKu
+ IHyYp24aZZxJ/iuNjFzxVgDaaukr+13Po0Iz6oVFRmxBzz3H74jwCAq7j6aw42id
+ u52ZWH5A8eHlo5W8hvuEhb1B/F52wpXA0UTi8pil4AEd2rO7QQQi+UkHuZy4k69W
+ IEzTE9OQPLiLPHaxgRD0DP8X7ick0JYs/VQrEtsiZy9K7dhtN0UTBsHFUWUJWYKU
+ jI5Mj3Ah7SFH1ry8BdLPtiUxFggxUeBq3C7m3r6s1vvXvPvDU1Vr7R0iyKGDAEcI
+ 08dkZnbYr8LHyUXXuWoKxgg96oB9sdV5A80eXIlhGIFTTIBBzclqMr0B6xHmMkrA
+ CRw05ufB3wIDAQABo0IwQDAOBgNVHQ8BAf8EBAMCAqQwDwYDVR0TAQH/BAUwAwEB
+ /zAdBgNVHQ4EFgQUClau+YzBMKTmt9Yr1bcnRoYTHYEwDQYJKoZIhvcNAQELBQAD
+ ggEBAI4nXRUswqBWqVVVpAt4EkHRbsS2UnUpZnBhpnD2k9wbLvzupH5xBl5cdRD6
+ F4aubIorWLEmMfPHwvkruEOQFujJD7ZVgUh5sHfFsn73t1nAzRnQBmtb7vMt/DPt
+ ZxDUMKNaJXmbB+mC+85h6MfOxAWqVPdgSj0WYBRaWRWRKcMxW/hqJxQ775e0bxau
+ +YHQKpDj+TLE38ZEMkpCRgAj1UOV2CauRc0c3b0tu5qNYAagN2IKGAt8vWVx/RnN
+ wp7wGl9ayPIwLh8iqaDP/rsYYiSb9QbNE7D9hDw0l6ZvRsNgg4QLkiYgbdfc4yH/
+ 66ltSv8CdT37o7DtKaJqaqecYK0=
+ -----END CERTIFICATE-----
+ uri: https://my.elemental.api.endpoint.com/elemental/v1/namespaces/default/registrations/my-registration
+```
+
+## Using Ingress
+
+Ingress can better take care of certificates rotation and integration with `cert-manager`.
+When using a TLS termination proxy, you can configure this provider with the `ELEMENTAL_API_ENABLE_TLS="\"false\""` variable, which is also the default value.
+If using the default self-signed CA, you can still configure `ELEMENTAL_ENABLE_DEFAULT_CA="\"true\""` and use the already generated `elemental-api-ssl` certificate to configure the Ingress `tls` settings.
+For example:
+
+```yaml
+apiVersion: networking.k8s.io/v1
+kind: Ingress
+metadata:
+ name: elemental-api
+ namespace: elemental-system
+spec:
+ tls:
+ - hosts:
+ - my.elemental.api.endpoint.com
+ secretName: elemental-api-ssl
+ rules:
+ - host: my.elemental.api.endpoint.com
+ http:
+ paths:
+ - path: /
+ pathType: Prefix
+ backend:
+ service:
+ name: elemental-controller-manager
+ port:
+ number: 9090
+```
+
+When using a certificate signed by a different CA, you have different options.
+One option is to explicitly define the CA certificate to trust in each `ElementalRegistration`.
+For example:
+
+```yaml
+apiVersion: infrastructure.cluster.x-k8s.io/v1beta1
+kind: ElementalRegistration
+metadata:
+ name: my-registration
+ namespace: default
+spec:
+ config:
+ elemental:
+ registration:
+ caCert: |
+ -----BEGIN CERTIFICATE-----
+ MY SELF-SIGNED CA
+ -----END CERTIFICATE-----
+```
+
+Another option is to configure the `elemental-agent` to use the system's certificate pool.
+
+```yaml
+apiVersion: infrastructure.cluster.x-k8s.io/v1beta1
+kind: ElementalRegistration
+metadata:
+ name: my-registration
+ namespace: default
+spec:
+ config:
+ elemental:
+ agent:
+ useSystemCertPool: true
+```
+
+## Using different Load Balancers
+
+The `ElementalRegistration` `spec.config.elemental.registration.uri` is normally populated automatically by the provider, from the `ELEMENTAL_API_PROTOCOL` and `ELEMENTAL_API_ENDPOINT` environment variables.
+Howeverm it can also be set arbitrarily, for example to route different registrations to different load balancers.
+This must be the fully qualified URI of the registration, including the registration name and namespace.
+For example:
+
+```yaml
+apiVersion: infrastructure.cluster.x-k8s.io/v1beta1
+kind: ElementalRegistration
+metadata:
+ name: my-registration
+ namespace: default
+spec:
+ config:
+ elemental:
+ registration:
+ uri: https://my.elemental.api.endpoint.com/elemental/v1/namespaces/default/registrations/my-registration
+---
+apiVersion: infrastructure.cluster.x-k8s.io/v1beta1
+kind: ElementalRegistration
+metadata:
+ name: my-alternative-registration
+ namespace: default
+spec:
+ config:
+ elemental:
+ registration:
+ uri: https://my.alternative.api.endpoint.com/elemental/v1/namespaces/default/registrations/my-alternative-registration
+```
+
+Note that this mechanism can also be exploited to connect to non standard ports.
+For example when exposing the Elemental API on a nodeport (for ex. `30009`), the uri can be configured to include the port:
+
+```yaml
+apiVersion: infrastructure.cluster.x-k8s.io/v1beta1
+kind: ElementalRegistration
+metadata:
+ name: my-registration
+ namespace: default
+spec:
+ config:
+ elemental:
+ registration:
+ uri: https://my.elemental.api.endpoint.com:30009/elemental/v1/namespaces/default/registrations/my-registration
+```
diff --git a/doc/QUICKSTART.md b/doc/QUICKSTART.md
index 0d5c10ba..f8196913 100644
--- a/doc/QUICKSTART.md
+++ b/doc/QUICKSTART.md
@@ -83,7 +83,7 @@ cat << EOF > $HOME/.cluster-api/clusterctl.yaml
 providers:
 - name: "elemental"
- url: "https://github.com/rancher-sandbox/cluster-api-provider-elemental/releases/v0.2.0/infrastructure-components.yaml"
+ url: "https://github.com/rancher-sandbox/cluster-api-provider-elemental/releases/v0.3.0/infrastructure-components.yaml"
 type: "InfrastructureProvider"
 - name: "k3s"
 url: "https://github.com/cluster-api-provider-k3s/cluster-api-k3s/releases/v0.1.8/bootstrap-components.yaml"
@@ -97,14 +97,11 @@
 1. Install CAPI Core provider, the k3s Control Plane and Bootstrap providers, and the Elemental Infrastructure provider:
 
 ```bash
- clusterctl init --bootstrap k3s:v0.1.8 --control-plane k3s:v0.1.8 --infrastructure elemental:v0.2.0
- ```
-
-1. Set the `ELEMENTAL_API_URL` on the operator:
-
- ```bash
- export ELEMENTAL_API_URL="http://192.168.122.10:30009"
- kubectl -n elemental-system patch deployment elemental-controller-manager -p '{"spec":{"template":{"spec":{"containers":[{"name":"manager","env":[{"name":"ELEMENTAL_API_URL","value":"'${ELEMENTAL_API_URL}'"}]}]}}}}'
+ ELEMENTAL_ENABLE_DEBUG="\"true\"" \
+ ELEMENTAL_API_ENDPOINT="192.168.122.10.sslip.io" \
+ ELEMENTAL_API_ENABLE_TLS="\"true\"" \
+ ELEMENTAL_ENABLE_DEFAULT_CA="\"true\"" \
+ clusterctl init --bootstrap k3s:v0.1.8 --control-plane k3s:v0.1.8 --infrastructure elemental:v0.3.0
 ```
 
 1. Expose the Elemental API server:
@@ -132,7 +129,7 @@
 ```bash
 CONTROL_PLANE_ENDPOINT_IP=192.168.122.100 clusterctl generate cluster \
- --infrastructure elemental:v0.2.0 \
+ --infrastructure elemental:v0.3.0 \
 --flavor k3s-single-node \
 --kubernetes-version v1.28.2 \
 elemental-cluster-k3s > $HOME/elemental-cluster-k3s.yaml
@@ -146,6 +143,10 @@
 1. Create a new `ElementalRegistration`:
 
+ Note that since we are using a non-standard port for this quickstart, we are manually setting the registration `uri` field.
+ Normally this would be automatically populated by the controller from the `ELEMENTAL_API_PROTOCOL` and `ELEMENTAL_API_ENDPOINT` environment variables.
+ For more details on how to configure and expose the Elemental API, please read the related [document](./ELEMENTAL_API_SETUP.md).
+
 ```bash
 cat << EOF | kubectl apply -f -
 apiVersion: infrastructure.cluster.x-k8s.io/v1beta1
@@ -160,13 +161,14 @@
 - name: root
 passwd: root
 elemental:
+ registration:
+ uri: https://192.168.122.10.sslip.io:30009/elemental/v1/namespaces/default/registrations/my-registration
 agent:
 hostname:
 useExisting: false
 prefix: "m-"
 debug: true
 osPlugin: "/usr/lib/elemental/plugins/elemental.so"
- insecureAllowHttp: true
 workDir: "/oem/elemental/agent"
 postInstall:
 reboot: true
diff --git a/infrastructure-elemental/v0.0.0/infrastructure-components.yaml b/infrastructure-elemental/v0.0.0/infrastructure-components.yaml
index 3516704f..84fa2554 100644
--- a/infrastructure-elemental/v0.0.0/infrastructure-components.yaml
+++ b/infrastructure-elemental/v0.0.0/infrastructure-components.yaml
@@ -1260,12 +1260,14 @@ subjects:
 ---
 apiVersion: v1
 data:
+ ELEMENTAL_API_ENABLE_TLS: ${ELEMENTAL_API_ENABLE_TLS:="false"}
 ELEMENTAL_API_ENDPOINT: ${ELEMENTAL_API_ENDPOINT:=""}
- ELEMENTAL_API_PORT: ${ELEMENTAL_API_PORT:="9090"}
 ELEMENTAL_API_PROTOCOL: ${ELEMENTAL_API_PROTOCOL:="https"}
+ ELEMENTAL_API_TLS_CA: ${ELEMENTAL_API_TLS_CA:="/etc/elemental/ssl/ca.crt"}
 ELEMENTAL_API_TLS_CERTIFICATE: ${ELEMENTAL_API_TLS_CERTIFICATE:="/etc/elemental/ssl/tls.crt"}
 ELEMENTAL_API_TLS_PRIVATE_KEY: ${ELEMENTAL_API_TLS_PRIVATE_KEY:="/etc/elemental/ssl/tls.key"}
 ELEMENTAL_ENABLE_DEBUG: ${ELEMENTAL_ENABLE_DEBUG:="false"}
+ ELEMENTAL_ENABLE_DEFAULT_CA: ${ELEMENTAL_ENABLE_DEFAULT_CA:="false"}
 kind: ConfigMap
 metadata:
 name: elemental-controller-manager-envs
@@ -1273,6 +1275,19 @@ metadata:
 ---
 apiVersion: v1
 kind: Service
+metadata:
+ name: elemental-controller-manager
+ namespace: elemental-system
+spec:
+ ports:
+ - port: 9090
+ protocol: TCP
+ targetPort: api
+ selector:
+ app.kubernetes.io/name: elemental-controller-manager
+---
+apiVersion: v1
+kind: Service
 metadata:
 labels:
 app.kubernetes.io/component: kube-rbac-proxy
@@ -1362,7 +1377,7 @@ spec:
 name: manager
 ports:
 - containerPort: 9090
- name: http
+ name: api
 protocol: TCP
 readinessProbe:
 httpGet:
@@ -1397,18 +1412,45 @@ spec:
 ---
 apiVersion: cert-manager.io/v1
 kind: Certificate
+metadata:
+ name: elemental-api-ca
+ namespace: elemental-system
+spec:
+ commonName: elemental-selfsigned-ca
+ duration: 94800h
+ isCA: true
+ issuerRef:
+ kind: Issuer
+ name: elemental-selfsigned
+ renewBefore: 360h
+ secretName: elemental-api-ca
+---
+apiVersion: cert-manager.io/v1
+kind: Certificate
 metadata:
 name: elemental-api-ssl
 namespace: elemental-system
 spec:
- commonName: ${ELEMENTAL_API_ENDPOINT:=""}
+ dnsNames:
+ - ${ELEMENTAL_API_ENDPOINT:=""}
+ duration: 9480h
 issuerRef:
 kind: Issuer
- name: selfsigned-issuer
+ name: elemental-ca
+ renewBefore: 360h
 secretName: elemental-api-ssl
 ---
 apiVersion: cert-manager.io/v1
 kind: Issuer
+metadata:
+ name: elemental-ca
+ namespace: elemental-system
+spec:
+ ca:
+ secretName: elemental-api-ca
+---
+apiVersion: cert-manager.io/v1
+kind: Issuer
 metadata:
 name: elemental-selfsigned
 namespace: elemental-system
diff --git a/infrastructure-elemental/v0.0.0/metadata.yaml b/infrastructure-elemental/v0.0.0/metadata.yaml
index 5a3c076f..4cbbe560 100644
--- a/infrastructure-elemental/v0.0.0/metadata.yaml
+++ b/infrastructure-elemental/v0.0.0/metadata.yaml
@@ -10,3 +10,6 @@ releaseSeries:
 - major: 0
 minor: 2
 contract: v1beta1
+- major: 0
+ minor: 3
+ contract: v1beta1
diff --git a/test/scripts/setup_kind_cluster.sh b/test/scripts/setup_kind_cluster.sh
index 397107a2..aec17d4f 100755
--- a/test/scripts/setup_kind_cluster.sh
+++ b/test/scripts/setup_kind_cluster.sh
@@ -24,15 +24,16 @@ nodes:
 protocol: TCP
 EOF
 
+make kind-load
+
 make generate-infra-yaml
 export ELEMENTAL_ENABLE_DEBUG="\"true\""
 export ELEMENTAL_API_ENDPOINT="192.168.122.10.sslip.io"
-export ELEMENTAL_API_PROTOCOL="https"
+export ELEMENTAL_API_ENABLE_TLS="\"true\""
+export ELEMENTAL_ENABLE_DEFAULT_CA="\"true\""
 clusterctl init --bootstrap k3s:v0.1.8 --control-plane k3s:v0.1.8 --infrastructure elemental:v0.0.0
 
-make kind-load
-
 cat << EOF | kubectl apply -f -
 apiVersion: v1
 kind: Service