Rename from aggregator-proxy-client to front-proxy-client to match kubeadm...

Rename from aggregator-proxy-client to front-proxy-client to match kubeadm design. Added kubeadm support too. Changed to use variables set and not hardcode paths. Still missing cert generation for Vault

Rename from aggregator-proxy-client to front-proxy-client to match kubeadm...
4dab92ce · woopstar · Andreas Kruger · b2d30d68 · 4dab92ce · 4dab92ce
Commit 4dab92ce authored 7 years ago by woopstar Committed by Andreas Kruger 7 years ago
--- a/roles/kubernetes/master/templates/kubeadm-config.yaml.j2
+++ b/roles/kubernetes/master/templates/kubeadm-config.yaml.j2
@@ -54,6 +54,16 @@ apiServerExtraArgs:
  runtime-config: {{ kube_api_runtime_config | join(',') }}
 {% endif %}
  allow-privileged: "true"
+{% if kube_version | version_compare('1.9', '>=') %}
+  requestheader-client-ca-file: "{{ kube_cert_dir }}/ca.pem"
+  requestheader-allowed-names: "{{ kube_api_requestheader_allowed_names }}"
+  requestheader-extra-headers-prefix: "X-Remote-Extra-"
+  requestheader-group-headers: "X-Remote-Group"
+  requestheader-username-headers: "X-Remote-User"
+  enable-aggregator-routing: "{{ kube_api_aggregator_routing }}"
+  proxy-client-cert-file: "{{ kube_cert_dir }}/front-proxy-client.pem"
+  proxy-client-key-file: "{{ kube_cert_dir }}/front-proxy-client-key.pem"
+{% endif %}
 controllerManagerExtraArgs:
  node-monitor-grace-period: {{ kube_controller_node_monitor_grace_period }}
  node-monitor-period: {{ kube_controller_node_monitor_period }}

--- a/roles/kubernetes/master/templates/manifests/kube-apiserver.manifest.j2
+++ b/roles/kubernetes/master/templates/manifests/kube-apiserver.manifest.j2
@@ -101,14 +101,14 @@ spec:
    - --feature-gates={{ kube_feature_gates|join(',') }}
 {% endif %}
 {% if kube_version | version_compare('1.9', '>=') %}
-    - --requestheader-client-ca-file=/etc/kubernetes/ssl/ca.pem
-    - --requestheader-allowed-names=system:aggregator-proxy-client
-    - "--requestheader-extra-headers-prefix=X-Remote-Extra-"
+    - --requestheader-client-ca-file={{ kube_cert_dir }}/ca.pem
+    - --requestheader-allowed-names={{ kube_api_requestheader_allowed_names }}
+    - --requestheader-extra-headers-prefix=X-Remote-Extra-
    - --requestheader-group-headers=X-Remote-Group
    - --requestheader-username-headers=X-Remote-User
-    - --enable-aggregator-routing=true
-    - --proxy-client-cert-file=/etc/kubernetes/ssl/aggregator-proxy-client.pem
-    - --proxy-client-key-file=/etc/kubernetes/ssl/aggregator-proxy-client-key.pem
+    - --enable-aggregator-routing={{ kube_api_aggregator_routing }}
+    - --proxy-client-cert-file={{ kube_cert_dir }}/front-proxy-client.pem
+    - --proxy-client-key-file={{ kube_cert_dir }}/front-proxy-client-key.pem
 {% endif %}
 {% if apiserver_custom_flags is string %}
    - {{ apiserver_custom_flags }}

--- a/roles/kubernetes/secrets/files/make-ssl.sh
+++ b/roles/kubernetes/secrets/files/make-ssl.sh
@@ -94,7 +94,7 @@ if [ -n "$MASTERS" ]; then
    # kube-controller-manager
    gen_key_and_cert "kube-controller-manager" "/CN=system:kube-controller-manager"
    # metrics aggregator
-    gen_key_and_cert "aggregator-proxy-client" "/CN=system:aggregator-proxy-client"
+    gen_key_and_cert "front-proxy-client" "/CN=front-proxy-client"

    for host in $MASTERS; do
        cn="${host%%.*}"

--- a/roles/kubernetes/secrets/tasks/check-certs.yml
+++ b/roles/kubernetes/secrets/tasks/check-certs.yml
@@ -26,8 +26,8 @@
    - kube-scheduler-key.pem
    - kube-controller-manager.pem
    - kube-controller-manager-key.pem
-    - aggregator-proxy-client.pem
-    - aggregator-proxy-client-key.pem
+    - front-proxy-client.pem
+    - front-proxy-client-key.pem
    - admin-{{ inventory_hostname }}.pem
    - admin-{{ inventory_hostname }}-key.pem
    - node-{{ inventory_hostname }}.pem
@@ -48,8 +48,8 @@
       '{{ kube_cert_dir }}/kube-scheduler-key.pem',
       '{{ kube_cert_dir }}/kube-controller-manager.pem',
       '{{ kube_cert_dir }}/kube-controller-manager-key.pem',
-       '{{ kube_cert_dir }}/aggregator-proxy-client.pem',
-       '{{ kube_cert_dir }}/aggregator-proxy-client-key.pem',
+       '{{ kube_cert_dir }}/front-proxy-client.pem',
+       '{{ kube_cert_dir }}/front-proxy-client-key.pem',
       {% for host in groups['kube-master'] %}
       '{{ kube_cert_dir }}/admin-{{ host }}.pem'
       '{{ kube_cert_dir }}/admin-{{ host }}-key.pem'
@@ -68,9 +68,10 @@
    gen_master_certs: |-
      {%- set gen = False -%}
      {% set existing_certs = kubecert_master.files|map(attribute='path')|list|sort %}
-      {% for cert in ['apiserver.pem', 'apiserver-key.pem', 'kube-scheduler.pem',
-                      'kube-scheduler-key.pem', 'kube-controller-manager.pem',
-                      'kube-controller-manager-key.pem','aggregator-proxy-client.pem','aggregator-proxy-client-key.pem'] -%}
+      {% for cert in ['apiserver.pem', 'apiserver-key.pem',
+                      'kube-scheduler.pem','kube-scheduler-key.pem',
+                      'kube-controller-manager.pem','kube-controller-manager-key.pem',
+                      'front-proxy-client.pem','front-proxy-client-key.pem'] -%}
        {% set cert_file = "%s/%s.pem"|format(kube_cert_dir, cert) %}
        {% if not cert_file in existing_certs -%}
        {%- set gen = True -%}

--- a/roles/kubernetes/secrets/tasks/gen_certs_script.yml
+++ b/roles/kubernetes/secrets/tasks/gen_certs_script.yml
@@ -73,8 +73,8 @@
                       'kube-scheduler-key.pem',
                       'kube-controller-manager.pem',
                       'kube-controller-manager-key.pem',
-                       'aggregator-proxy-client.pem',
-                       'aggregator-proxy-client-key.pem',
+                       'front-proxy-client.pem',
+                       'front-proxy-client-key.pem',
                       {% for node in groups['kube-master'] %}
                       'admin-{{ node }}.pem',
                       'admin-{{ node }}-key.pem',
@@ -84,8 +84,8 @@
                      'admin-{{ inventory_hostname }}-key.pem',
                      'apiserver.pem',
                      'apiserver-key.pem',
-                      'aggregator-proxy-client.pem',
-                      'aggregator-proxy-client-key.pem',
+                      'front-proxy-client.pem',
+                      'front-proxy-client-key.pem',
                      'kube-scheduler.pem',
                      'kube-scheduler-key.pem',
                      'kube-controller-manager.pem',

--- a/roles/kubernetes/secrets/tasks/sync_kube_master_certs.yml
+++ b/roles/kubernetes/secrets/tasks/sync_kube_master_certs.yml
@@ -32,7 +32,7 @@
    sync_file_hosts: "{{ groups['kube-master'] }}"
    sync_file_is_cert: true
    sync_file_owner: kube
-  with_items: ["apiserver.pem", "kube-scheduler.pem", "kube-controller-manager.pem", "aggregator-proxy-client.pem"]
+  with_items: ["apiserver.pem", "kube-scheduler.pem", "kube-controller-manager.pem", "front-proxy-client.pem"]

 - name: sync_kube_master_certs | Set facts for kube master components sync_file results
  set_fact:

--- a/roles/kubespray-defaults/defaults/main.yaml
+++ b/roles/kubespray-defaults/defaults/main.yaml
@@ -122,6 +122,10 @@ kube_apiserver_port: 6443
 kube_apiserver_insecure_bind_address: 127.0.0.1
 kube_apiserver_insecure_port: 8080

+# Metrics server
+kube_api_requestheader_allowed_names: "front-proxy-client"
+kube_api_aggregator_routing: true
+
 # Path used to store Docker data
 docker_daemon_graph: "/var/lib/docker"