From f9b68a5d17721496c92000881ce31233903259ba Mon Sep 17 00:00:00 2001
From: Matthew Mosesohn <matthew.mosesohn@gmail.com>
Date: Tue, 14 Nov 2017 13:41:28 +0000
Subject: [PATCH] Revert "Support for disabling apiserver insecure port"
 (#1974)

---
 inventory/group_vars/k8s-cluster.yml                 |  4 +---
 roles/kubernetes-apps/ansible/tasks/main.yml         |  5 +----
 roles/kubernetes-apps/cluster_roles/tasks/main.yml   |  5 +----
 roles/kubernetes/master/handlers/main.yml            |  5 +----
 .../templates/manifests/kube-apiserver.manifest.j2   | 12 ++----------
 .../kubernetes/preinstall/tasks/verify-settings.yml  |  6 ------
 6 files changed, 6 insertions(+), 31 deletions(-)

diff --git a/inventory/group_vars/k8s-cluster.yml b/inventory/group_vars/k8s-cluster.yml
index f3830a521..a400d05f9 100644
--- a/inventory/group_vars/k8s-cluster.yml
+++ b/inventory/group_vars/k8s-cluster.yml
@@ -20,7 +20,7 @@ kube_token_dir: "{{ kube_config_dir }}/tokens"
 # This is where to save basic auth file
 kube_users_dir: "{{ kube_config_dir }}/users"
 
-kube_api_anonymous_auth: true
+kube_api_anonymous_auth: false
 
 ## Change this to use another Kubernetes version, e.g. a current beta release
 kube_version: v1.8.2
@@ -106,8 +106,6 @@ kube_network_node_prefix: 24
 kube_apiserver_ip: "{{ kube_service_addresses|ipaddr('net')|ipaddr(1)|ipaddr('address') }}"
 kube_apiserver_port: 6443 # (https)
 kube_apiserver_insecure_port: 8080 # (http)
-# Set to 0 to disable insecure port - Requires RBAC in authorization_modes and kube_api_anonymous_auth: true
-#kube_apiserver_insecure_port: 0 # (disabled)
 
 # DNS configuration.
 # Kubernetes cluster name, also will be used as DNS domain
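Review bot: With the "set to 0 to disable" comment gone and the guarding assert in verify-settings.yml removed in the same patch, nothing now states or enforces that `kube_apiserver_insecure_port` must stay non-zero, yet the healthz waits in roles/kubernetes-apps/*/tasks/main.yml and roles/kubernetes/master/handlers/main.yml and the apiserver liveness probe all dereference it on the new side. A user who still has `kube_apiserver_insecure_port: 0` in an older inventory gets a probe port of 0 and healthz waits against a port that is not served, with no early diagnostic. I would keep a short comment above the retained line: `# Must be non-zero: the apiserver liveness probe and the healthz waits in kubernetes-apps and master handlers talk to this port over plain HTTP`. The inline `# (http)` comment also has a single space before `#`; yamllint expects two.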
diff --git a/roles/kubernetes-apps/ansible/tasks/main.yml b/roles/kubernetes-apps/ansible/tasks/main.yml
index f4349669a..025b4fab6 100644
--- a/roles/kubernetes-apps/ansible/tasks/main.yml
+++ b/roles/kubernetes-apps/ansible/tasks/main.yml
@@ -1,10 +1,7 @@
 ---
 - name: Kubernetes Apps | Wait for kube-apiserver
   uri:
-    url: "{{ kube_apiserver_endpoint }}/healthz"
-    validate_certs: no
-    client_cert: "{{ kube_cert_dir }}/apiserver.pem"
-    client_key: "{{ kube_cert_dir }}/apiserver-key.pem"
+    url: "{{ kube_apiserver_insecure_endpoint }}/healthz"
   register: result
   until: result.status == 200
   retries: 10
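Review bot: The wait now polls `{{ kube_apiserver_insecure_endpoint }}/healthz` over plain HTTP with no client certificate, so it only succeeds if the insecure port is enabled and listening on whatever address that variable resolves to, which is defined outside this hunk; if a deployer has set `kube_apiserver_insecure_port: 0` the task simply exhausts its retries with an unhelpful connection error, since the preinstall assert that used to reject that combination is deleted in this same patch. The identical change appears in roles/kubernetes-apps/cluster_roles/tasks/main.yml and roles/kubernetes/master/handlers/main.yml. I would add a task-level comment on all three: `# Requires kube_apiserver_insecure_port != 0; this probe uses the unauthenticated HTTP endpoint`. Whether healthz should ever be reachable over the insecure port from where this task runs is a bind-address question the hunk does not show, so I would confirm that `kube_apiserver_insecure_endpoint` points at a loopback or otherwise restricted address.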
diff --git a/roles/kubernetes-apps/cluster_roles/tasks/main.yml b/roles/kubernetes-apps/cluster_roles/tasks/main.yml
index 75be11d4f..24f94aac5 100644
--- a/roles/kubernetes-apps/cluster_roles/tasks/main.yml
+++ b/roles/kubernetes-apps/cluster_roles/tasks/main.yml
@@ -1,10 +1,7 @@
 ---
 - name: Kubernetes Apps | Wait for kube-apiserver
   uri:
-    url: "{{ kube_apiserver_endpoint }}/healthz"
-    validate_certs: no
-    client_cert: "{{ kube_cert_dir }}/apiserver.pem"
-    client_key: "{{ kube_cert_dir }}/apiserver-key.pem"
+    url: "{{ kube_apiserver_insecure_endpoint }}/healthz"
   register: result
   until: result.status == 200
   retries: 10
diff --git a/roles/kubernetes/master/handlers/main.yml b/roles/kubernetes/master/handlers/main.yml
index 551b18c7d..dd3b03264 100644
--- a/roles/kubernetes/master/handlers/main.yml
+++ b/roles/kubernetes/master/handlers/main.yml
@@ -66,10 +66,7 @@
 
 - name: Master | wait for the apiserver to be running
   uri:
-    url: "{{ kube_apiserver_endpoint }}/healthz"
-    validate_certs: no
-    client_cert: "{{ kube_cert_dir }}/apiserver.pem"
-    client_key: "{{ kube_cert_dir }}/apiserver-key.pem"
+    url: "{{ kube_apiserver_insecure_endpoint }}/healthz"
   register: result
   until: result.status == 200
   retries: 20
diff --git a/roles/kubernetes/master/templates/manifests/kube-apiserver.manifest.j2 b/roles/kubernetes/master/templates/manifests/kube-apiserver.manifest.j2
index 2d0f0c9fb..5d4f6cf47 100644
--- a/roles/kubernetes/master/templates/manifests/kube-apiserver.manifest.j2
+++ b/roles/kubernetes/master/templates/manifests/kube-apiserver.manifest.j2
@@ -110,17 +110,9 @@ spec:
       httpGet:
         host: 127.0.0.1
         path: /healthz
-{% if kube_apiserver_insecure_port == 0 %}
-        port: {{ kube_apiserver_port }}
-        scheme: HTTPS
-{% else %}
         port: {{ kube_apiserver_insecure_port }}
-{% endif %}
-      failureThreshold: 8
-      initialDelaySeconds: 15
-      periodSeconds: 10
-      successThreshold: 1
-      timeoutSeconds: 15
+      initialDelaySeconds: 30
+      timeoutSeconds: 10
     volumeMounts:
     - mountPath: {{ kube_config_dir }}
       name: kubernetes-config
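Review bot: The probe now renders `port: {{ kube_apiserver_insecure_port }}` unconditionally, so an inventory that still carries `kube_apiserver_insecure_port: 0` produces `port: 0`, which is outside the 1–65535 range Kubernetes accepts for a probe port and will make the kubelet reject the static pod manifest rather than fail a probe; the preinstall assert that would have caught this is removed in the same patch. The enclosing `livenessProbe:` block starts above the hunk, so its `host: 127.0.0.1` context means the probe also assumes the insecure port is bound on loopback, which this template does not show. A Jinja comment on the port line would make the dependency visible: `{# insecure port must be non-zero: the liveness probe has no HTTPS fallback #}`. Dropping the explicit `failureThreshold`/`periodSeconds`/`successThreshold` lines leaves those at the kubelet defaults, which is presumably intended by the revert but worth stating in the commit description.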
diff --git a/roles/kubernetes/preinstall/tasks/verify-settings.yml b/roles/kubernetes/preinstall/tasks/verify-settings.yml
index b7bf2d664..9dbd7ab8c 100644
--- a/roles/kubernetes/preinstall/tasks/verify-settings.yml
+++ b/roles/kubernetes/preinstall/tasks/verify-settings.yml
@@ -78,9 +78,3 @@
     that: ansible_swaptotal_mb == 0
   when: kubelet_fail_swap_on|default(true)
   ignore_errors: "{{ ignore_assert_errors }}"
-
-- name: Stop if RBAC and anonymous-auth are not enabled when insecure port is disabled
-  assert:
-    that: rbac_enabled and kube_api_anonymous_auth
-  when: kube_apiserver_insecure_port == 0
-  ignore_errors: "{{ ignore_assert_errors }}"
\ No newline at end of file
-- 
GitLab