From b2d30d68e7458fdc59f7d0faf33a040d89fa734f Mon Sep 17 00:00:00 2001
From: woopstar <andreas@kruger.nu>
Date: Mon, 5 Feb 2018 20:37:06 +0100
Subject: [PATCH] Rename CN for aggregator back. Add flags to apiserver when
 version is >= 1.9

---
 inventory/group_vars/k8s-cluster.yml                  | 11 -----------
 .../templates/manifests/kube-apiserver.manifest.j2    | 10 ++++++++++
 roles/kubernetes/secrets/files/make-ssl.sh            |  2 +-
 3 files changed, 11 insertions(+), 12 deletions(-)

diff --git a/inventory/group_vars/k8s-cluster.yml b/inventory/group_vars/k8s-cluster.yml
index e2fe06149..8f79f3297 100644
--- a/inventory/group_vars/k8s-cluster.yml
+++ b/inventory/group_vars/k8s-cluster.yml
@@ -192,14 +192,3 @@ persistent_volumes_enabled: false
 ## See https://github.com/kubernetes-incubator/kubespray/issues/2141
 ## Set this variable to true to get rid of this issue
 volume_cross_zone_attachment: false
-
-## Add options for metrics-server
-#apiserver_custom_flags:
-#  - --requestheader-client-ca-file=/etc/kubernetes/ssl/ca.pem
-#  - --requestheader-allowed-names=aggregator
-#  - "--requestheader-extra-headers-prefix=X-Remote-Extra-"
-#  - --requestheader-group-headers=X-Remote-Group
-#  - --requestheader-username-headers=X-Remote-User
-#  - --enable-aggregator-routing=true
-#  - --proxy-client-cert-file=/etc/kubernetes/ssl/aggregator-proxy-client.pem
-#  - --proxy-client-key-file=/etc/kubernetes/ssl/aggregator-proxy-client-key.pem
diff --git a/roles/kubernetes/master/templates/manifests/kube-apiserver.manifest.j2 b/roles/kubernetes/master/templates/manifests/kube-apiserver.manifest.j2
index 39974846d..751ce9392 100644
--- a/roles/kubernetes/master/templates/manifests/kube-apiserver.manifest.j2
+++ b/roles/kubernetes/master/templates/manifests/kube-apiserver.manifest.j2
@@ -100,6 +100,16 @@ spec:
 {% if kube_feature_gates %}
     - --feature-gates={{ kube_feature_gates|join(',') }}
 {% endif %}
+{% if kube_version | version_compare('1.9', '>=') %}
+    - --requestheader-client-ca-file=/etc/kubernetes/ssl/ca.pem
+    - --requestheader-allowed-names=system:aggregator-proxy-client
+    - "--requestheader-extra-headers-prefix=X-Remote-Extra-"
+    - --requestheader-group-headers=X-Remote-Group
+    - --requestheader-username-headers=X-Remote-User
+    - --enable-aggregator-routing=true
+    - --proxy-client-cert-file=/etc/kubernetes/ssl/aggregator-proxy-client.pem
+    - --proxy-client-key-file=/etc/kubernetes/ssl/aggregator-proxy-client-key.pem
+{% endif %}
 {% if apiserver_custom_flags is string %}
     - {{ apiserver_custom_flags }}
 {% else %}
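Review bot: The first added flag, `--requestheader-client-ca-file=/etc/kubernetes/ssl/ca.pem`, makes the cluster CA the trust anchor for the front-proxy headers, so any client certificate issued by that CA (the make-ssl.sh hunk suggests kube-controller-manager and the aggregator client are all signed by the same CA) is eligible to send `X-Remote-User`/`X-Remote-Group`, and `--requestheader-allowed-names=system:aggregator-proxy-client` is the only thing stopping those other certs from impersonating arbitrary users. The upstream aggregation layer guidance is to use a dedicated front-proxy CA for exactly this reason; if that is out of scope here, the allowed-names line becomes security-critical and deserves a comment such as `{# ca.pem is shared with every cluster client cert; allowed-names is the only guard against header-based impersonation — never remove or broaden it #}`. Note also that the inventory example deleted in this commit listed these same flags under `apiserver_custom_flags`, so a user who copied it will now pass each flag twice once they upgrade to >= 1.9; worth a line in the docs or a check that strips them.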
diff --git a/roles/kubernetes/secrets/files/make-ssl.sh b/roles/kubernetes/secrets/files/make-ssl.sh
index 61668992d..8cfc0728a 100755
--- a/roles/kubernetes/secrets/files/make-ssl.sh
+++ b/roles/kubernetes/secrets/files/make-ssl.sh
@@ -94,7 +94,7 @@ if [ -n "$MASTERS" ]; then
     # kube-controller-manager
     gen_key_and_cert "kube-controller-manager" "/CN=system:kube-controller-manager"
     # metrics aggregator
-    gen_key_and_cert "aggregator-proxy-client" "/CN=aggregator"
+    gen_key_and_cert "aggregator-proxy-client" "/CN=system:aggregator-proxy-client"
 
     for host in $MASTERS; do
         cn="${host%%.*}"
-- 
GitLab