From 4dab92ce69805dc607220e7d9f07d58ae3936270 Mon Sep 17 00:00:00 2001
From: woopstar <andreas@kruger.nu>
Date: Wed, 7 Feb 2018 09:50:08 +0100
Subject: [PATCH] Rename from aggregator-proxy-client to front-proxy-client to
 match kubeadm design. Added kubeadm support too. Changed to use variables set
 and not hardcode paths. Still missing cert generation for Vault

---
 .../master/templates/kubeadm-config.yaml.j2       | 10 ++++++++++
 .../manifests/kube-apiserver.manifest.j2          | 12 ++++++------
 roles/kubernetes/secrets/files/make-ssl.sh        |  2 +-
 roles/kubernetes/secrets/tasks/check-certs.yml    | 15 ++++++++-------
 .../kubernetes/secrets/tasks/gen_certs_script.yml |  8 ++++----
 .../secrets/tasks/sync_kube_master_certs.yml      |  2 +-
 roles/kubespray-defaults/defaults/main.yaml       |  4 ++++
 7 files changed, 34 insertions(+), 19 deletions(-)

diff --git a/roles/kubernetes/master/templates/kubeadm-config.yaml.j2 b/roles/kubernetes/master/templates/kubeadm-config.yaml.j2
index 26e3b46a4..e25804e66 100644
--- a/roles/kubernetes/master/templates/kubeadm-config.yaml.j2
+++ b/roles/kubernetes/master/templates/kubeadm-config.yaml.j2
@@ -54,6 +54,16 @@ apiServerExtraArgs:
   runtime-config: {{ kube_api_runtime_config | join(',') }}
 {% endif %}
   allow-privileged: "true"
+{% if kube_version | version_compare('1.9', '>=') %}
+  requestheader-client-ca-file: "{{ kube_cert_dir }}/ca.pem"
+  requestheader-allowed-names: "{{ kube_api_requestheader_allowed_names }}"
+  requestheader-extra-headers-prefix: "X-Remote-Extra-"
+  requestheader-group-headers: "X-Remote-Group"
+  requestheader-username-headers: "X-Remote-User"
+  enable-aggregator-routing: "{{ kube_api_aggregator_routing }}"
+  proxy-client-cert-file: "{{ kube_cert_dir }}/front-proxy-client.pem"
+  proxy-client-key-file: "{{ kube_cert_dir }}/front-proxy-client-key.pem"
+{% endif %}
 controllerManagerExtraArgs:
   node-monitor-grace-period: {{ kube_controller_node_monitor_grace_period }}
   node-monitor-period: {{ kube_controller_node_monitor_period }}
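Review bot: `enable-aggregator-routing: "{{ kube_api_aggregator_routing }}"` renders the new boolean default as the Python string `True`, not the canonical `true`, because Jinja stringifies Ansible booleans that way; the same applies to the manifest's `--enable-aggregator-routing={{ kube_api_aggregator_routing }}` line. Go's flag parsing is, as far as I recall, lenient enough to accept `True`, so this is a style point rather than a breakage, but it is easy to pin down: `enable-aggregator-routing: "{{ kube_api_aggregator_routing | lower }}"` in both templates yields `true`/`false` regardless of how the variable is typed in the inventory. The `apiServerExtraArgs` mapping this hunk extends starts before the hunk.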
diff --git a/roles/kubernetes/master/templates/manifests/kube-apiserver.manifest.j2 b/roles/kubernetes/master/templates/manifests/kube-apiserver.manifest.j2
index 751ce9392..d6f065ea5 100644
--- a/roles/kubernetes/master/templates/manifests/kube-apiserver.manifest.j2
+++ b/roles/kubernetes/master/templates/manifests/kube-apiserver.manifest.j2
@@ -101,14 +101,14 @@ spec:
     - --feature-gates={{ kube_feature_gates|join(',') }}
 {% endif %}
 {% if kube_version | version_compare('1.9', '>=') %}
-    - --requestheader-client-ca-file=/etc/kubernetes/ssl/ca.pem
-    - --requestheader-allowed-names=system:aggregator-proxy-client
-    - "--requestheader-extra-headers-prefix=X-Remote-Extra-"
+    - --requestheader-client-ca-file={{ kube_cert_dir }}/ca.pem
+    - --requestheader-allowed-names={{ kube_api_requestheader_allowed_names }}
+    - --requestheader-extra-headers-prefix=X-Remote-Extra-
     - --requestheader-group-headers=X-Remote-Group
     - --requestheader-username-headers=X-Remote-User
-    - --enable-aggregator-routing=true
-    - --proxy-client-cert-file=/etc/kubernetes/ssl/aggregator-proxy-client.pem
-    - --proxy-client-key-file=/etc/kubernetes/ssl/aggregator-proxy-client-key.pem
+    - --enable-aggregator-routing={{ kube_api_aggregator_routing }}
+    - --proxy-client-cert-file={{ kube_cert_dir }}/front-proxy-client.pem
+    - --proxy-client-key-file={{ kube_cert_dir }}/front-proxy-client-key.pem
 {% endif %}
 {% if apiserver_custom_flags is string %}
     - {{ apiserver_custom_flags }}
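Review bot: `--requestheader-client-ca-file={{ kube_cert_dir }}/ca.pem` reuses the cluster CA for the front-proxy trust, whereas the kubeadm design the commit message cites uses a dedicated front-proxy CA; with a shared CA, `--requestheader-allowed-names` is the only thing that prevents any other certificate issued by that CA (admin, node, controller-manager) from being accepted as an authenticating proxy and asserting `X-Remote-User`/`X-Remote-Group` headers. If `kube_api_requestheader_allowed_names` is ever overridden to an empty string, the apiserver accepts any CN from that CA, so the coupling deserves a comment where the variable is consumed, e.g. `{# allowed-names must stay non-empty while the cluster CA is reused as the requestheader CA #}` above the `--requestheader-allowed-names` line, and the same caveat applies to the kubeadm-config.yaml.j2 hunk. The value must also stay in lockstep with the CN that make-ssl.sh puts in the certificate.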
diff --git a/roles/kubernetes/secrets/files/make-ssl.sh b/roles/kubernetes/secrets/files/make-ssl.sh
index 8cfc0728a..750e9c4fe 100755
--- a/roles/kubernetes/secrets/files/make-ssl.sh
+++ b/roles/kubernetes/secrets/files/make-ssl.sh
@@ -94,7 +94,7 @@ if [ -n "$MASTERS" ]; then
     # kube-controller-manager
     gen_key_and_cert "kube-controller-manager" "/CN=system:kube-controller-manager"
     # metrics aggregator
-    gen_key_and_cert "aggregator-proxy-client" "/CN=system:aggregator-proxy-client"
+    gen_key_and_cert "front-proxy-client" "/CN=front-proxy-client"
 
     for host in $MASTERS; do
         cn="${host%%.*}"
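Review bot: The `# metrics aggregator` comment above the renamed `gen_key_and_cert "front-proxy-client" "/CN=front-proxy-client"` line no longer says what matters about this certificate: its CN is what the apiserver matches against `kube_api_requestheader_allowed_names`, so the two must be changed together. Suggest `# front-proxy (API aggregation) client; CN must match kube_api_requestheader_allowed_names` in its place.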
diff --git a/roles/kubernetes/secrets/tasks/check-certs.yml b/roles/kubernetes/secrets/tasks/check-certs.yml
index 3b3b20300..627889771 100644
--- a/roles/kubernetes/secrets/tasks/check-certs.yml
+++ b/roles/kubernetes/secrets/tasks/check-certs.yml
@@ -26,8 +26,8 @@
     - kube-scheduler-key.pem
     - kube-controller-manager.pem
     - kube-controller-manager-key.pem
-    - aggregator-proxy-client.pem
-    - aggregator-proxy-client-key.pem
+    - front-proxy-client.pem
+    - front-proxy-client-key.pem
     - admin-{{ inventory_hostname }}.pem
     - admin-{{ inventory_hostname }}-key.pem
     - node-{{ inventory_hostname }}.pem
@@ -48,8 +48,8 @@
        '{{ kube_cert_dir }}/kube-scheduler-key.pem',
        '{{ kube_cert_dir }}/kube-controller-manager.pem',
        '{{ kube_cert_dir }}/kube-controller-manager-key.pem',
-       '{{ kube_cert_dir }}/aggregator-proxy-client.pem',
-       '{{ kube_cert_dir }}/aggregator-proxy-client-key.pem',
+       '{{ kube_cert_dir }}/front-proxy-client.pem',
+       '{{ kube_cert_dir }}/front-proxy-client-key.pem',
        {% for host in groups['kube-master'] %}
        '{{ kube_cert_dir }}/admin-{{ host }}.pem'
        '{{ kube_cert_dir }}/admin-{{ host }}-key.pem'
@@ -68,9 +68,10 @@
     gen_master_certs: |-
       {%- set gen = False -%}
       {% set existing_certs = kubecert_master.files|map(attribute='path')|list|sort %}
-      {% for cert in ['apiserver.pem', 'apiserver-key.pem', 'kube-scheduler.pem',
-                      'kube-scheduler-key.pem', 'kube-controller-manager.pem',
-                      'kube-controller-manager-key.pem','aggregator-proxy-client.pem','aggregator-proxy-client-key.pem'] -%}
+      {% for cert in ['apiserver.pem', 'apiserver-key.pem',
+                      'kube-scheduler.pem','kube-scheduler-key.pem',
+                      'kube-controller-manager.pem','kube-controller-manager-key.pem',
+                      'front-proxy-client.pem','front-proxy-client-key.pem'] -%}
         {% set cert_file = "%s/%s.pem"|format(kube_cert_dir, cert) %}
         {% if not cert_file in existing_certs -%}
         {%- set gen = True -%}
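Review bot: The reflowed list still carries entries ending in `.pem` while the line after it builds `cert_file` with `"%s/%s.pem"|format(kube_cert_dir, cert)`, so every lookup is for `<name>.pem.pem`, never matches `existing_certs`, and `gen` ends up `True` on every run — the check appears to be ineffective before and after this commit, unless the `find` result paths are something other than absolute `.pem` paths. Since the commit already rewrites the list, it is the natural place to fix it: either drop the suffix from the format string, `{% set cert_file = "%s/%s"|format(kube_cert_dir, cert) %}`, or strip `.pem` from the list entries. The `gen_master_certs` block continues past the end of the hunk.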
diff --git a/roles/kubernetes/secrets/tasks/gen_certs_script.yml b/roles/kubernetes/secrets/tasks/gen_certs_script.yml
index 0b88e0f14..c1dfeb394 100644
--- a/roles/kubernetes/secrets/tasks/gen_certs_script.yml
+++ b/roles/kubernetes/secrets/tasks/gen_certs_script.yml
@@ -73,8 +73,8 @@
                        'kube-scheduler-key.pem',
                        'kube-controller-manager.pem',
                        'kube-controller-manager-key.pem',
-                       'aggregator-proxy-client.pem',
-                       'aggregator-proxy-client-key.pem',
+                       'front-proxy-client.pem',
+                       'front-proxy-client-key.pem',
                        {% for node in groups['kube-master'] %}
                        'admin-{{ node }}.pem',
                        'admin-{{ node }}-key.pem',
@@ -84,8 +84,8 @@
                       'admin-{{ inventory_hostname }}-key.pem',
                       'apiserver.pem',
                       'apiserver-key.pem',
-                      'aggregator-proxy-client.pem',
-                      'aggregator-proxy-client-key.pem',
+                      'front-proxy-client.pem',
+                      'front-proxy-client-key.pem',
                       'kube-scheduler.pem',
                       'kube-scheduler-key.pem',
                       'kube-controller-manager.pem',
diff --git a/roles/kubernetes/secrets/tasks/sync_kube_master_certs.yml b/roles/kubernetes/secrets/tasks/sync_kube_master_certs.yml
index f488cc61b..f675f6eca 100644
--- a/roles/kubernetes/secrets/tasks/sync_kube_master_certs.yml
+++ b/roles/kubernetes/secrets/tasks/sync_kube_master_certs.yml
@@ -32,7 +32,7 @@
     sync_file_hosts: "{{ groups['kube-master'] }}"
     sync_file_is_cert: true
     sync_file_owner: kube
-  with_items: ["apiserver.pem", "kube-scheduler.pem", "kube-controller-manager.pem", "aggregator-proxy-client.pem"]
+  with_items: ["apiserver.pem", "kube-scheduler.pem", "kube-controller-manager.pem", "front-proxy-client.pem"]
 
 - name: sync_kube_master_certs | Set facts for kube master components sync_file results
   set_fact:
diff --git a/roles/kubespray-defaults/defaults/main.yaml b/roles/kubespray-defaults/defaults/main.yaml
index 498b14365..efec7bd3d 100644
--- a/roles/kubespray-defaults/defaults/main.yaml
+++ b/roles/kubespray-defaults/defaults/main.yaml
@@ -122,6 +122,10 @@ kube_apiserver_port: 6443
 kube_apiserver_insecure_bind_address: 127.0.0.1
 kube_apiserver_insecure_port: 8080
 
+# Metrics server
+kube_api_requestheader_allowed_names: "front-proxy-client"
+kube_api_aggregator_routing: true
+
 # Path used to store Docker data
 docker_daemon_graph: "/var/lib/docker"
 
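Review bot: The `# Metrics server` heading undersells what the two new defaults control: `kube_api_requestheader_allowed_names` is the allow-list of client CNs the apiserver trusts as an authenticating front proxy, and `kube_api_aggregator_routing` toggles aggregator routing for all aggregated APIs, not only metrics-server. Suggest `# API aggregation / front proxy (used by metrics-server and other aggregated APIs)` and, on the allowed-names line, an inline `# must match the CN generated by make-ssl.sh` so the coupling with the certificate survives future edits.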
-- 
GitLab