From 4dab92ce69805dc607220e7d9f07d58ae3936270 Mon Sep 17 00:00:00 2001
From: woopstar
Date: Wed, 7 Feb 2018 09:50:08 +0100
Subject: [PATCH] Rename from aggregator-proxy-client to front-proxy-client to match kubeadm design. Added kubeadm support too. Changed to use variables set and not hardcode paths. Still missing cert generation for Vault
---
.../master/templates/kubeadm-config.yaml.j2 | 10 ++++++++++
.../manifests/kube-apiserver.manifest.j2 | 12 ++++++------
roles/kubernetes/secrets/files/make-ssl.sh | 2 +-
roles/kubernetes/secrets/tasks/check-certs.yml | 15 ++++++++-------
.../kubernetes/secrets/tasks/gen_certs_script.yml | 8 ++++----
.../secrets/tasks/sync_kube_master_certs.yml | 2 +-
roles/kubespray-defaults/defaults/main.yaml | 4 ++++
7 files changed, 34 insertions(+), 19 deletions(-)
diff --git a/roles/kubernetes/master/templates/kubeadm-config.yaml.j2 b/roles/kubernetes/master/templates/kubeadm-config.yaml.j2
index 26e3b46a4..e25804e66 100644
--- a/roles/kubernetes/master/templates/kubeadm-config.yaml.j2
+++ b/roles/kubernetes/master/templates/kubeadm-config.yaml.j2
@@ -54,6 +54,16 @@ apiServerExtraArgs:
 runtime-config: {{ kube_api_runtime_config | join(',') }}
 {% endif %}
 allow-privileged: "true"
+{% if kube_version | version_compare('1.9', '>=') %}
+ requestheader-client-ca-file: "{{ kube_cert_dir }}/ca.pem"
+ requestheader-allowed-names: "{{ kube_api_requestheader_allowed_names }}"
+ requestheader-extra-headers-prefix: "X-Remote-Extra-"
+ requestheader-group-headers: "X-Remote-Group"
+ requestheader-username-headers: "X-Remote-User"
+ enable-aggregator-routing: "{{ kube_api_aggregator_routing }}"
+ proxy-client-cert-file: "{{ kube_cert_dir }}/front-proxy-client.pem"
+ proxy-client-key-file: "{{ kube_cert_dir }}/front-proxy-client-key.pem"
+{% endif %}
 controllerManagerExtraArgs:
 node-monitor-grace-period: {{ kube_controller_node_monitor_grace_period }}
 node-monitor-period: {{ kube_controller_node_monitor_period }}
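Review bot: `requestheader-client-ca-file` is set to the cluster CA (`{{ kube_cert_dir }}/ca.pem`) rather than a dedicated front-proxy CA, here and in the kube-apiserver.manifest.j2 hunk, so every client certificate the cluster CA has issued (kubelets, controller-manager, admin certs) chains to the CA the apiserver trusts for X-Remote-* identity headers, and the `requestheader-allowed-names` match is the only thing keeping those certificates from being accepted as the front proxy. That is workable but should be stated where the flags are set, e.g. `{# front-proxy-client is issued by the cluster CA: requestheader-allowed-names is the only restriction, keep it non-empty #}`; issuing front-proxy-client from its own CA, as kubeadm does with front-proxy-ca, would remove the dependency. On kubeadm-managed masters kubeadm creates its own front-proxy-ca/front-proxy-client pair and passes these flags itself; if make-ssl.sh does not run in that mode, the `.pem` paths given here will not exist and the apiserver will not start — not visible from this diff, so worth confirming.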
diff --git a/roles/kubernetes/master/templates/manifests/kube-apiserver.manifest.j2 b/roles/kubernetes/master/templates/manifests/kube-apiserver.manifest.j2
index 751ce9392..d6f065ea5 100644
--- a/roles/kubernetes/master/templates/manifests/kube-apiserver.manifest.j2
+++ b/roles/kubernetes/master/templates/manifests/kube-apiserver.manifest.j2
@@ -101,14 +101,14 @@ spec:
 - --feature-gates={{ kube_feature_gates|join(',') }}
 {% endif %}
 {% if kube_version | version_compare('1.9', '>=') %}
- - --requestheader-client-ca-file=/etc/kubernetes/ssl/ca.pem
- - --requestheader-allowed-names=system:aggregator-proxy-client
- - "--requestheader-extra-headers-prefix=X-Remote-Extra-"
+ - --requestheader-client-ca-file={{ kube_cert_dir }}/ca.pem
+ - --requestheader-allowed-names={{ kube_api_requestheader_allowed_names }}
+ - --requestheader-extra-headers-prefix=X-Remote-Extra-
 - --requestheader-group-headers=X-Remote-Group
 - --requestheader-username-headers=X-Remote-User
- - --enable-aggregator-routing=true
- - --proxy-client-cert-file=/etc/kubernetes/ssl/aggregator-proxy-client.pem
- - --proxy-client-key-file=/etc/kubernetes/ssl/aggregator-proxy-client-key.pem
+ - --enable-aggregator-routing={{ kube_api_aggregator_routing }}
+ - --proxy-client-cert-file={{ kube_cert_dir }}/front-proxy-client.pem
+ - --proxy-client-key-file={{ kube_cert_dir }}/front-proxy-client-key.pem
 {% endif %}
 {% if apiserver_custom_flags is string %}
 - {{ apiserver_custom_flags }}
diff --git a/roles/kubernetes/secrets/files/make-ssl.sh b/roles/kubernetes/secrets/files/make-ssl.sh
index 8cfc0728a..750e9c4fe 100755
--- a/roles/kubernetes/secrets/files/make-ssl.sh
+++ b/roles/kubernetes/secrets/files/make-ssl.sh
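Review bot: `--enable-aggregator-routing={{ kube_api_aggregator_routing }}` renders the new boolean default as `True`, since Jinja prints Python booleans capitalised, so the generated flag reads `--enable-aggregator-routing=True`. kube-apiserver's bool flag parsing accepts that spelling, but the rendered manifest should stay canonical for anyone reading or linting it, e.g. `- --enable-aggregator-routing={{ kube_api_aggregator_routing | lower }}`; the same applies to the quoted value in the kubeadm-config.yaml.j2 hunk. Dropping the quotes around `--requestheader-extra-headers-prefix=X-Remote-Extra-` is fine as a YAML plain scalar, a trailing `-` is not an indicator.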
@@ -94,7 +94,7 @@ if [ -n "$MASTERS" ]; then
 # kube-controller-manager
 gen_key_and_cert "kube-controller-manager" "/CN=system:kube-controller-manager"
 # metrics aggregator
- gen_key_and_cert "aggregator-proxy-client" "/CN=system:aggregator-proxy-client"
+ gen_key_and_cert "front-proxy-client" "/CN=front-proxy-client"
 for host in $MASTERS; do
 cn="${host%%.*}"
diff --git a/roles/kubernetes/secrets/tasks/check-certs.yml b/roles/kubernetes/secrets/tasks/check-certs.yml
index 3b3b20300..627889771 100644
--- a/roles/kubernetes/secrets/tasks/check-certs.yml
+++ b/roles/kubernetes/secrets/tasks/check-certs.yml
@@ -26,8 +26,8 @@
 - kube-scheduler-key.pem
 - kube-controller-manager.pem
 - kube-controller-manager-key.pem
- - aggregator-proxy-client.pem
- - aggregator-proxy-client-key.pem
+ - front-proxy-client.pem
+ - front-proxy-client-key.pem
 - admin-{{ inventory_hostname }}.pem
 - admin-{{ inventory_hostname }}-key.pem
 - node-{{ inventory_hostname }}.pem
@@ -48,8 +48,8 @@
 '{{ kube_cert_dir }}/kube-scheduler-key.pem',
 '{{ kube_cert_dir }}/kube-controller-manager.pem',
 '{{ kube_cert_dir }}/kube-controller-manager-key.pem',
- '{{ kube_cert_dir }}/aggregator-proxy-client.pem',
- '{{ kube_cert_dir }}/aggregator-proxy-client-key.pem',
+ '{{ kube_cert_dir }}/front-proxy-client.pem',
+ '{{ kube_cert_dir }}/front-proxy-client-key.pem',
 {% for host in groups['kube-master'] %}
 '{{ kube_cert_dir }}/admin-{{ host }}.pem'
 '{{ kube_cert_dir }}/admin-{{ host }}-key.pem'
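Review bot: The CN `front-proxy-client` written on the new `gen_key_and_cert` line has to equal the `kube_api_requestheader_allowed_names` default added in roles/kubespray-defaults/defaults/main.yaml, but nothing in the script records that coupling; a mismatch is not a generation-time error, it surfaces later as the apiserver rejecting the aggregator's identity headers. Suggest replacing the `# metrics aggregator` comment with `# front proxy (API aggregation) client; CN must match kube_api_requestheader_allowed_names`. Note also that this certificate is issued by the same CA as the other master certificates rather than a dedicated front-proxy CA, which is what makes that CN match load-bearing.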
@@ -68,9 +68,10 @@
 gen_master_certs: |-
 {%- set gen = False -%}
 {% set existing_certs = kubecert_master.files|map(attribute='path')|list|sort %}
- {% for cert in ['apiserver.pem', 'apiserver-key.pem', 'kube-scheduler.pem',
- 'kube-scheduler-key.pem', 'kube-controller-manager.pem',
- 'kube-controller-manager-key.pem','aggregator-proxy-client.pem','aggregator-proxy-client-key.pem'] -%}
+ {% for cert in ['apiserver.pem', 'apiserver-key.pem',
+ 'kube-scheduler.pem','kube-scheduler-key.pem',
+ 'kube-controller-manager.pem','kube-controller-manager-key.pem',
+ 'front-proxy-client.pem','front-proxy-client-key.pem'] -%}
 {% set cert_file = "%s/%s.pem"|format(kube_cert_dir, cert) %}
 {% if not cert_file in existing_certs -%}
 {%- set gen = True -%}
diff --git a/roles/kubernetes/secrets/tasks/gen_certs_script.yml b/roles/kubernetes/secrets/tasks/gen_certs_script.yml
index 0b88e0f14..c1dfeb394 100644
--- a/roles/kubernetes/secrets/tasks/gen_certs_script.yml
+++ b/roles/kubernetes/secrets/tasks/gen_certs_script.yml
@@ -73,8 +73,8 @@
 'kube-scheduler-key.pem',
 'kube-controller-manager.pem',
 'kube-controller-manager-key.pem',
- 'aggregator-proxy-client.pem',
- 'aggregator-proxy-client-key.pem',
+ 'front-proxy-client.pem',
+ 'front-proxy-client-key.pem',
 {% for node in groups['kube-master'] %}
 'admin-{{ node }}.pem',
 'admin-{{ node }}-key.pem',
@@ -84,8 +84,8 @@
 'admin-{{ inventory_hostname }}-key.pem',
 'apiserver.pem',
 'apiserver-key.pem',
- 'aggregator-proxy-client.pem',
- 'aggregator-proxy-client-key.pem',
+ 'front-proxy-client.pem',
+ 'front-proxy-client-key.pem',
 'kube-scheduler.pem',
 'kube-scheduler-key.pem',
 'kube-controller-manager.pem',
diff --git a/roles/kubernetes/secrets/tasks/sync_kube_master_certs.yml b/roles/kubernetes/secrets/tasks/sync_kube_master_certs.yml
index f488cc61b..f675f6eca 100644
--- a/roles/kubernetes/secrets/tasks/sync_kube_master_certs.yml
+++ b/roles/kubernetes/secrets/tasks/sync_kube_master_certs.yml
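Review bot: Every entry in the rewritten `for cert in [...]` list already ends in `.pem`, yet the context line directly below builds the path with `"%s/%s.pem"|format(kube_cert_dir, cert)`, which yields `…/apiserver.pem.pem`; unless `kubecert_master` reports paths with that doubled suffix (not visible here), no entry will ever be found in `existing_certs` and `gen` is set to True on every run, so the check never reports "all present". This predates the commit, but since the list is being rewritten anyway it is the moment to change the format to `{% set cert_file = "%s/%s"|format(kube_cert_dir, cert) %}` or to drop the suffix from the list entries. The `gen_master_certs` expression continues outside the hunk, so the consumer of `gen` is not visible.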
@@ -32,7 +32,7 @@
 sync_file_hosts: "{{ groups['kube-master'] }}"
 sync_file_is_cert: true
 sync_file_owner: kube
- with_items: ["apiserver.pem", "kube-scheduler.pem", "kube-controller-manager.pem", "aggregator-proxy-client.pem"]
+ with_items: ["apiserver.pem", "kube-scheduler.pem", "kube-controller-manager.pem", "front-proxy-client.pem"]
 - name: sync_kube_master_certs | Set facts for kube master components sync_file results
 set_fact:
diff --git a/roles/kubespray-defaults/defaults/main.yaml b/roles/kubespray-defaults/defaults/main.yaml
index 498b14365..efec7bd3d 100644
--- a/roles/kubespray-defaults/defaults/main.yaml
+++ b/roles/kubespray-defaults/defaults/main.yaml
@@ -122,6 +122,10 @@ kube_apiserver_port: 6443
 kube_apiserver_insecure_bind_address: 127.0.0.1
 kube_apiserver_insecure_port: 8080
+# Metrics server
+kube_api_requestheader_allowed_names: "front-proxy-client"
+kube_api_aggregator_routing: true
+
 # Path used to store Docker data
 docker_daemon_graph: "/var/lib/docker"
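Review bot: The `# Metrics server` heading in the defaults/main.yaml hunk undersells what the two new variables do: they configure the apiserver's front-proxy (aggregation-layer) authentication for every aggregated API, and `kube_api_requestheader_allowed_names` is a security allow-list whose value must equal the CN that make-ssl.sh writes into front-proxy-client.pem. Overriding it with an empty string is not "off": kube-apiserver then accepts identity headers from any client certificate validated by the requestheader CA, which in this design is the cluster CA. Suggest `# API aggregation layer (front proxy), used e.g. by metrics-server; allowed_names must match the front-proxy-client CN from make-ssl.sh and must not be set empty` in place of the current heading, and a comment on `kube_api_aggregator_routing` that it is rendered into the apiserver flags by the templates.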