diff --git a/roles/kubernetes/master/templates/manifests/kube-apiserver.manifest.j2 b/roles/kubernetes/master/templates/manifests/kube-apiserver.manifest.j2
index d94ddf0c438c9deec59e2763a309b99dc3b1372e..1242ad8200dd3a029326f91e41d58a69a2723a3d 100644
--- a/roles/kubernetes/master/templates/manifests/kube-apiserver.manifest.j2
+++ b/roles/kubernetes/master/templates/manifests/kube-apiserver.manifest.j2
@@ -102,6 +102,16 @@ spec:
 {% if kube_feature_gates %}
 - --feature-gates={{ kube_feature_gates|join(',') }}
 {% endif %}
+{% if kube_version | version_compare('1.9', '>=') %}
+ - --requestheader-client-ca-file={{ kube_cert_dir }}/ca.pem
+ - --requestheader-allowed-names=front-proxy-client
+ - --requestheader-extra-headers-prefix=X-Remote-Extra-
+ - --requestheader-group-headers=X-Remote-Group
+ - --requestheader-username-headers=X-Remote-User
+ - --enable-aggregator-routing={{ kube_api_aggregator_routing }}
+ - --proxy-client-cert-file={{ kube_cert_dir }}/front-proxy-client.pem
+ - --proxy-client-key-file={{ kube_cert_dir }}/front-proxy-client-key.pem
+{% endif %}
 {% if apiserver_custom_flags is string %}
 - {{ apiserver_custom_flags }}
 {% else %}
diff --git a/roles/kubernetes/secrets/files/make-ssl.sh b/roles/kubernetes/secrets/files/make-ssl.sh
index 9139ce98f07f91b710375ec3a2124fdc301fcd75..750e9c4fe79680cf430b423bea57f16313240bb5 100755
--- a/roles/kubernetes/secrets/files/make-ssl.sh
+++ b/roles/kubernetes/secrets/files/make-ssl.sh
@@ -93,6 +93,8 @@ if [ -n "$MASTERS" ]; then
 gen_key_and_cert "kube-scheduler" "/CN=system:kube-scheduler"
 # kube-controller-manager
 gen_key_and_cert "kube-controller-manager" "/CN=system:kube-controller-manager"
+ # metrics aggregator
+ gen_key_and_cert "front-proxy-client" "/CN=front-proxy-client"
 for host in $MASTERS; do
 cn="${host%%.*}"
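Review bot: `--requestheader-client-ca-file` on the second added line points at the same `{{ kube_cert_dir }}/ca.pem` that, as far as this commit shows, signs every other cluster certificate (the make-ssl.sh hunk in this same file section appears to issue front-proxy-client from the same CA), so the only thing stopping a holder of any cluster-CA-signed client certificate from setting `X-Remote-User`/`X-Remote-Group` and being believed is the `--requestheader-allowed-names=front-proxy-client` CN allow-list on the next line. That is workable, but it is a load-bearing detail that nothing in the template records, and blanking or widening allowed-names later would silently turn the shared CA into an impersonation path; a dedicated front-proxy CA is the usual hardening. I would add a Jinja comment above the new block: `{# ca.pem is the cluster CA: trust in X-Remote-* headers rests solely on --requestheader-allowed-names, keep it set #}`. Whether ca.pem is also the `--client-ca-file` is not visible here, and the args list this block belongs to starts and ends outside the hunk.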
diff --git a/roles/kubernetes/secrets/tasks/check-certs.yml b/roles/kubernetes/secrets/tasks/check-certs.yml
index 3870a3e9616bd74836dac28a8abace3bf7948d33..6278897710c8814cac0a30ef3d931c1ded673491 100644
--- a/roles/kubernetes/secrets/tasks/check-certs.yml
+++ b/roles/kubernetes/secrets/tasks/check-certs.yml
@@ -26,6 +26,8 @@
 - kube-scheduler-key.pem
 - kube-controller-manager.pem
 - kube-controller-manager-key.pem
+ - front-proxy-client.pem
+ - front-proxy-client-key.pem
 - admin-{{ inventory_hostname }}.pem
 - admin-{{ inventory_hostname }}-key.pem
 - node-{{ inventory_hostname }}.pem
@@ -46,6 +48,8 @@
 '{{ kube_cert_dir }}/kube-scheduler-key.pem',
 '{{ kube_cert_dir }}/kube-controller-manager.pem',
 '{{ kube_cert_dir }}/kube-controller-manager-key.pem',
+ '{{ kube_cert_dir }}/front-proxy-client.pem',
+ '{{ kube_cert_dir }}/front-proxy-client-key.pem',
 {% for host in groups['kube-master'] %}
 '{{ kube_cert_dir }}/admin-{{ host }}.pem'
 '{{ kube_cert_dir }}/admin-{{ host }}-key.pem'
@@ -64,9 +68,10 @@
 gen_master_certs: |-
 {%- set gen = False -%}
 {% set existing_certs = kubecert_master.files|map(attribute='path')|list|sort %}
- {% for cert in ['apiserver.pem', 'apiserver-key.pem', 'kube-scheduler.pem',
- 'kube-scheduler-key.pem', 'kube-controller-manager.pem',
- 'kube-controller-manager-key.pem'] -%}
+ {% for cert in ['apiserver.pem', 'apiserver-key.pem',
+ 'kube-scheduler.pem','kube-scheduler-key.pem',
+ 'kube-controller-manager.pem','kube-controller-manager-key.pem',
+ 'front-proxy-client.pem','front-proxy-client-key.pem'] -%}
 {% set cert_file = "%s/%s.pem"|format(kube_cert_dir, cert) %}
 {% if not cert_file in existing_certs -%}
 {%- set gen = True -%}
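Review bot: In the rewritten `{% for cert in [...] %}` list of the @@ -64 hunk every entry already ends in `.pem`, yet the unchanged line right after it builds `cert_file` with `"%s/%s.pem"|format(kube_cert_dir, cert)`, so the path compared against `existing_certs` becomes `…/front-proxy-client.pem.pem` (and likewise for the six pre-existing names) and `gen` looks set to end up True on every run. Unless `existing_certs` is normalised somewhere outside this hunk, the new entries inherit that defect instead of fixing it, which would mean master certificates are regenerated unconditionally. Either drop the suffixes from the list entries or change the next line to `{% set cert_file = "%s/%s"|format(kube_cert_dir, cert) %}`. The `gen_master_certs` template continues past the end of the hunk.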
@@ -101,7 +106,8 @@
 {% if gen_node_certs[inventory_hostname] or
 (not kubecert_node.results[0].stat.exists|default(False)) or
 (not kubecert_node.results[10].stat.exists|default(False)) or
- (kubecert_node.results[10].stat.checksum|default('') != kubecert_master.files|selectattr("path", "equalto", kubecert_node.results[10].stat.path)|map(attribute="checksum")|first|default('')) -%}
- {%- set _ = certs.update({'sync': True}) -%}
+ (not kubecert_node.results[7].stat.exists|default(False)) or
+ (kubecert_node.results[10].stat.checksum|default('') != kubecert_master.files|selectattr("path", "equalto", kubecert_node.results[10].stat.path)|map(attribute="checksum")|first|default('')) -%}
+ {%- set _ = certs.update({'sync': True}) -%}
 {% endif %}
 {{ certs.sync }}
diff --git a/roles/kubernetes/secrets/tasks/gen_certs_script.yml b/roles/kubernetes/secrets/tasks/gen_certs_script.yml
index 619bbe44595762cb39a097d14a897432e83c74b3..c1dfeb394a1fe1980fc3d539498c86e1face0c51 100644
--- a/roles/kubernetes/secrets/tasks/gen_certs_script.yml
+++ b/roles/kubernetes/secrets/tasks/gen_certs_script.yml
@@ -73,6 +73,8 @@
 'kube-scheduler-key.pem',
 'kube-controller-manager.pem',
 'kube-controller-manager-key.pem',
+ 'front-proxy-client.pem',
+ 'front-proxy-client-key.pem',
 {% for node in groups['kube-master'] %}
 'admin-{{ node }}.pem',
 'admin-{{ node }}-key.pem',
@@ -82,6 +84,8 @@
 'admin-{{ inventory_hostname }}-key.pem',
 'apiserver.pem',
 'apiserver-key.pem',
+ 'front-proxy-client.pem',
+ 'front-proxy-client-key.pem',
 'kube-scheduler.pem',
 'kube-scheduler-key.pem',
 'kube-controller-manager.pem',
diff --git a/roles/kubernetes/secrets/tasks/gen_certs_vault.yml b/roles/kubernetes/secrets/tasks/gen_certs_vault.yml
index ca28b537f6fe1f9a370db494e1fc17805d470636..5b3b46edcb85d8b49328349201d433a72461989a 100644
--- a/roles/kubernetes/secrets/tasks/gen_certs_vault.yml
+++ b/roles/kubernetes/secrets/tasks/gen_certs_vault.yml
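Review bot: The added `(not kubecert_node.results[7].stat.exists|default(False))` in the @@ -101 hunk relies on position 7 of the stat results being front-proxy-client.pem, which holds only while the file list near the top of check-certs.yml (extended in the @@ -26 hunk) keeps its exact order; the existing `results[0]` and `results[10]` indexes share that fragility, and nothing in the template says which file each offset stands for. I cannot see the start of that list here, so the offset itself should be re-checked against it. Since a comment cannot go inside the `{% if ... -%}` tag, I would put one on the line above it: `{# results[0]/[7]/[10] index the stat list at the top of this file: keep the two in step #}`. The surrounding template continues on both sides of the hunk.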
@@ -93,3 +93,29 @@
 issue_cert_mount_path: "{{ kube_vault_mount_path }}"
 with_items: "{{ kube_proxy_certs_needed|d([]) }}"
 when: inventory_hostname in groups['k8s-cluster']
+
+# Issue front proxy cert to kube-master hosts
+- include_tasks: ../../../vault/tasks/shared/issue_cert.yml
+ vars:
+ issue_cert_common_name: "front-proxy-client"
+ issue_cert_alt_names: "{{ kube_cert_alt_names }}"
+ issue_cert_file_group: "{{ kube_cert_group }}"
+ issue_cert_file_owner: kube
+ issue_cert_hosts: "{{ groups['kube-master'] }}"
+ issue_cert_ip_sans: >-
+ [
+ {%- for host in groups['kube-master'] -%}
+ "{{ hostvars[host]['ansible_default_ipv4']['address'] }}",
+ {%- if hostvars[host]['ip'] is defined -%}
+ "{{ hostvars[host]['ip'] }}",
+ {%- endif -%}
+ {%- endfor -%}
+ "127.0.0.1","::1","{{ kube_apiserver_ip }}"
+ ]
+ issue_cert_path: "{{ item }}"
+ issue_cert_role: front-proxy-client
+ issue_cert_url: "{{ hostvars[groups.vault|first]['vault_leader_url'] }}"
+ issue_cert_mount_path: "{{ kube_vault_mount_path }}"
+ with_items: "{{ kube_master_components_certs_needed|d([]) }}"
+ when: inventory_hostname in groups['kube-master']
+ notify: set secret_changed
diff --git a/roles/kubernetes/secrets/tasks/sync_kube_master_certs.yml b/roles/kubernetes/secrets/tasks/sync_kube_master_certs.yml
index d54bf2b671b22bb8113f4a7fd7c94db2dfe711a8..f675f6eca0c0ea05871870aeac8b89ce89e859be 100644
--- a/roles/kubernetes/secrets/tasks/sync_kube_master_certs.yml
+++ b/roles/kubernetes/secrets/tasks/sync_kube_master_certs.yml
@@ -32,7 +32,7 @@
 sync_file_hosts: "{{ groups['kube-master'] }}"
 sync_file_is_cert: true
 sync_file_owner: kube
- with_items: ["apiserver.pem", "kube-scheduler.pem", "kube-controller-manager.pem"]
+ with_items: ["apiserver.pem", "kube-scheduler.pem", "kube-controller-manager.pem", "front-proxy-client.pem"]
 - name: sync_kube_master_certs | Set facts for kube master components sync_file results
 set_fact:
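Review bot: The `issue_cert_ip_sans` block of the new task in the @@ -93 hunk puts every master address, `127.0.0.1`, `::1` and `kube_apiserver_ip` into the certificate, and `issue_cert_alt_names` adds `kube_cert_alt_names` (presumably the apiserver's DNS names), yet the only consumer of this certificate in the commit is the apiserver's `--proxy-client-cert-file`, where it is presented as a client certificate and matched by CN against `--requestheader-allowed-names`. If issue_cert.yml does not require SANs, those two vars give the client certificate a server-style identity it never needs and read like a copy of the apiserver stanza; if they are needed, a line above the task such as `# SANs mirror the apiserver cert only because issue_cert.yml expects them; they play no role in client auth` would stop the next reader from treating them as load-bearing. The `front-proxy-client` Vault role this task requests is defined in roles/vault/defaults/main.yml in the same commit.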
diff --git a/roles/kubespray-defaults/defaults/main.yaml b/roles/kubespray-defaults/defaults/main.yaml
index fd13417eb4a56a6b25b7208d09341e2058baf539..b225f8c13a2e3f4cbef3f44439e3fe04ac04b224 100644
--- a/roles/kubespray-defaults/defaults/main.yaml
+++ b/roles/kubespray-defaults/defaults/main.yaml
@@ -122,6 +122,9 @@
 kube_apiserver_port: 6443
 kube_apiserver_insecure_bind_address: 127.0.0.1
 kube_apiserver_insecure_port: 8080
+# Aggregator
+kube_api_aggregator_routing: true
+
 # Path used to store Docker data
 docker_daemon_graph: "/var/lib/docker"
diff --git a/roles/vault/defaults/main.yml b/roles/vault/defaults/main.yml
index 0640fddc21084f5b3f8a5830bdd5fceca4145ee1..4bbb66b11a7ee342cecd89c0b6b518203320b916 100644
--- a/roles/vault/defaults/main.yml
+++ b/roles/vault/defaults/main.yml
@@ -164,3 +164,11 @@ vault_pki_mounts:
 allow_any_name: true
 enforce_hostnames: false
 organization: "system:node-proxier"
+ - name: front-proxy-client
+ group: k8s-cluster
+ password: "{{ lookup('password', 'credentials/vault/kube-proxy length=15') }}"
+ policy_rules: default
+ role_options:
+ allow_any_name: true
+ enforce_hostnames: false
+ organization: "system:front-proxy"
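Review bot: The new `front-proxy-client` entry in the `vault_pki_mounts` hunk takes its `password` from `lookup('password', 'credentials/vault/kube-proxy length=15')`, which by its path is the credential file of the `kube-proxy` entry just above it (the one with `organization: "system:node-proxier"`), so the two Vault roles end up sharing one password. That matters more than a copy-paste slip normally would: this role has `allow_any_name: true`, and the apiserver manifest in this commit trusts `CN=front-proxy-client` to assert `X-Remote-User`/`X-Remote-Group`, so anyone holding the kube-proxy credential could obtain a front-proxy-client certificate and be treated as any user. The path should be per-role: `password: "{{ lookup('password', 'credentials/vault/front-proxy-client length=15') }}"`. `allow_any_name: true` with `enforce_hostnames: false` also leaves the CN unconstrained at issue time, which is only acceptable while `--requestheader-allowed-names` remains set on the apiserver.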