From 0b4168cad4cd046211138bbc2251415ec4af19e6 Mon Sep 17 00:00:00 2001
From: woopstar
Date: Mon, 5 Feb 2018 10:37:36 +0100
Subject: [PATCH] WIP. Adding metrics-server support for K8s version 1.9
---
inventory/group_vars/k8s-cluster.yml | 11 +++++++++++
roles/kubernetes/secrets/files/make-ssl.sh | 2 ++
roles/kubernetes/secrets/tasks/check-certs.yml | 6 +++++-
roles/kubernetes/secrets/tasks/gen_certs_script.yml | 2 ++
.../secrets/tasks/sync_kube_master_certs.yml | 2 +-
5 files changed, 21 insertions(+), 2 deletions(-)
diff --git a/inventory/group_vars/k8s-cluster.yml b/inventory/group_vars/k8s-cluster.yml
index 8f79f3297..e2fe06149 100644
--- a/inventory/group_vars/k8s-cluster.yml
+++ b/inventory/group_vars/k8s-cluster.yml
@@ -192,3 +192,14 @@ persistent_volumes_enabled: false
 ## See https://github.com/kubernetes-incubator/kubespray/issues/2141
 ## Set this variable to true to get rid of this issue
 volume_cross_zone_attachment: false
+
+## Add options for metrics-server
+#apiserver_custom_flags:
+# - --requestheader-client-ca-file=/etc/kubernetes/ssl/ca.pem
+# - --requestheader-allowed-names=aggregator
+# - "--requestheader-extra-headers-prefix=X-Remote-Extra-"
+# - --requestheader-group-headers=X-Remote-Group
+# - --requestheader-username-headers=X-Remote-User
+# - --enable-aggregator-routing=true
+# - --proxy-client-cert-file=/etc/kubernetes/ssl/aggregator-proxy-client.pem
+# - --proxy-client-key-file=/etc/kubernetes/ssl/aggregator-proxy-client-key.pem
diff --git a/roles/kubernetes/secrets/files/make-ssl.sh b/roles/kubernetes/secrets/files/make-ssl.sh
index 9139ce98f..8cfc0728a 100755
--- a/roles/kubernetes/secrets/files/make-ssl.sh
+++ b/roles/kubernetes/secrets/files/make-ssl.sh
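Review bot: The allowed name in `# - --requestheader-allowed-names=aggregator` does not match the certificate the make-ssl.sh hunk issues with `/CN=system:aggregator-proxy-client`; an extension apiserver such as metrics-server checks the front-proxy client certificate's CN against this list, so once the block is enabled the aggregated requests should be expected to be rejected. Either align the flag, `# - --requestheader-allowed-names=system:aggregator-proxy-client`, or issue the certificate with the CN the flag expects. Pointing `--requestheader-client-ca-file` at the cluster `ca.pem` also means any certificate signed by the cluster CA that carries an allowed CN is trusted to assert X-Remote-* identities; a comment noting that a dedicated front-proxy CA narrows this would help whoever uncomments the block. The whole block is commented out here, so nothing takes effect in this commit.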
@@ -93,6 +93,8 @@ if [ -n "$MASTERS" ]; then
 gen_key_and_cert "kube-scheduler" "/CN=system:kube-scheduler"
 # kube-controller-manager
 gen_key_and_cert "kube-controller-manager" "/CN=system:kube-controller-manager"
+ # metrics aggregator
+ gen_key_and_cert "aggregator-proxy-client" "/CN=system:aggregator-proxy-client"
 
 for host in $MASTERS; do
 cn="${host%%.*}"
diff --git a/roles/kubernetes/secrets/tasks/check-certs.yml b/roles/kubernetes/secrets/tasks/check-certs.yml
index 3870a3e96..782da6863 100644
--- a/roles/kubernetes/secrets/tasks/check-certs.yml
+++ b/roles/kubernetes/secrets/tasks/check-certs.yml
@@ -26,6 +26,8 @@
 - kube-scheduler-key.pem
 - kube-controller-manager.pem
 - kube-controller-manager-key.pem
+ - aggregator-proxy-client.pem
+ - aggregator-proxy-client-key.pem
 - admin-{{ inventory_hostname }}.pem
 - admin-{{ inventory_hostname }}-key.pem
 - node-{{ inventory_hostname }}.pem
@@ -46,6 +48,8 @@
 '{{ kube_cert_dir }}/kube-scheduler-key.pem',
 '{{ kube_cert_dir }}/kube-controller-manager.pem',
 '{{ kube_cert_dir }}/kube-controller-manager-key.pem',
+ '{{ kube_cert_dir }}/aggregator-proxy-client.pem',
+ '{{ kube_cert_dir }}/aggregator-proxy-client-key.pem',
 {% for host in groups['kube-master'] %}
 '{{ kube_cert_dir }}/admin-{{ host }}.pem'
 '{{ kube_cert_dir }}/admin-{{ host }}-key.pem'
@@ -66,7 +70,7 @@
 {% set existing_certs = kubecert_master.files|map(attribute='path')|list|sort %}
 {% for cert in ['apiserver.pem', 'apiserver-key.pem', 'kube-scheduler.pem',
 'kube-scheduler-key.pem', 'kube-controller-manager.pem',
- 'kube-controller-manager-key.pem'] -%}
+ 'kube-controller-manager-key.pem','aggregator-proxy-client.pem','aggregator-proxy-client-key.pem'] -%}
 {% set cert_file = "%s/%s.pem"|format(kube_cert_dir, cert) %}
 {% if not cert_file in existing_certs -%}
 {%- set gen = True -%}
diff --git a/roles/kubernetes/secrets/tasks/gen_certs_script.yml b/roles/kubernetes/secrets/tasks/gen_certs_script.yml
index 619bbe445..9be59fb7b 100644
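Review bot: The two names appended to the Jinja list in the `@@ -66,7 +70,7 @@` hunk of check-certs.yml appear never to be found in `existing_certs`, because the unchanged line below, `{% set cert_file = "%s/%s.pem"|format(kube_cert_dir, cert) %}`, appends a second `.pem` to entries that already end in `.pem`; this predates the commit, but it means the added check is a no-op and `gen` is set whenever this branch runs. Dropping the `.pem` suffix from the list entries, or changing the format string to `"%s/%s"`, would make the comparison meaningful for the new entries as well as the existing ones. As a point of style, the added names drop the `', '` separator and spacing used by the rest of the list; `'kube-controller-manager-key.pem', 'aggregator-proxy-client.pem', 'aggregator-proxy-client-key.pem'] -%}` keeps the line consistent. The enclosing task body continues outside the hunk.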
--- a/roles/kubernetes/secrets/tasks/gen_certs_script.yml
+++ b/roles/kubernetes/secrets/tasks/gen_certs_script.yml
@@ -73,6 +73,8 @@
 'kube-scheduler-key.pem',
 'kube-controller-manager.pem',
 'kube-controller-manager-key.pem',
+ 'aggregator-proxy-client.pem',
+ 'aggregator-proxy-client-key.pem',
 {% for node in groups['kube-master'] %}
 'admin-{{ node }}.pem',
 'admin-{{ node }}-key.pem',
diff --git a/roles/kubernetes/secrets/tasks/sync_kube_master_certs.yml b/roles/kubernetes/secrets/tasks/sync_kube_master_certs.yml
index d54bf2b67..f488cc61b 100644
--- a/roles/kubernetes/secrets/tasks/sync_kube_master_certs.yml
+++ b/roles/kubernetes/secrets/tasks/sync_kube_master_certs.yml
@@ -32,7 +32,7 @@
 sync_file_hosts: "{{ groups['kube-master'] }}"
 sync_file_is_cert: true
 sync_file_owner: kube
- with_items: ["apiserver.pem", "kube-scheduler.pem", "kube-controller-manager.pem"]
+ with_items: ["apiserver.pem", "kube-scheduler.pem", "kube-controller-manager.pem", "aggregator-proxy-client.pem"]
 
 - name: sync_kube_master_certs | Set facts for kube master components sync_file results
 set_fact: