C12s/c12s-kubespray
3
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity

Rename from aggregator-proxy-client to front-proxy-client to match kubeadm design. Added kubeadm support too. Changed to use variables set and not hardcode paths. Still missing cert generation for Vault

Browse source
This commit is contained in:
woopstar 2018-02-07 09:50:08 +01:00 committed by Andreas Kruger
parent b2d30d68e7
commit 4dab92ce69
7 changed files with 34 additions and 19 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

10
roles/kubernetes/master/templates/kubeadm-config.yaml.j2
View file

@ -54,6 +54,16 @@ apiServerExtraArgs:
runtime-config: {{ kube_api_runtime_config | join(',') }} runtime-config: {{ kube_api_runtime_config | join(',') }}
{% endif %} {% endif %}
allow-privileged: "true" allow-privileged: "true"
{% if kube_version | version_compare('1.9', '>=') %}
requestheader-client-ca-file: "{{ kube_cert_dir }}/ca.pem"
requestheader-allowed-names: "{{ kube_api_requestheader_allowed_names }}"
requestheader-extra-headers-prefix: "X-Remote-Extra-"
requestheader-group-headers: "X-Remote-Group"
requestheader-username-headers: "X-Remote-User"
enable-aggregator-routing: "{{ kube_api_aggregator_routing }}"
proxy-client-cert-file: "{{ kube_cert_dir }}/front-proxy-client.pem"
proxy-client-key-file: "{{ kube_cert_dir }}/front-proxy-client-key.pem"
{% endif %}
controllerManagerExtraArgs: controllerManagerExtraArgs:
node-monitor-grace-period: {{ kube_controller_node_monitor_grace_period }} node-monitor-grace-period: {{ kube_controller_node_monitor_grace_period }}
node-monitor-period: {{ kube_controller_node_monitor_period }} node-monitor-period: {{ kube_controller_node_monitor_period }}

12
roles/kubernetes/master/templates/manifests/kube-apiserver.manifest.j2
View file

@ -101,14 +101,14 @@ spec:
- --feature-gates={{ kube_feature_gates|join(',') }} - --feature-gates={{ kube_feature_gates|join(',') }}
{% endif %} {% endif %}
{% if kube_version | version_compare('1.9', '>=') %} {% if kube_version | version_compare('1.9', '>=') %}
- --requestheader-client-ca-file=/etc/kubernetes/ssl/ca.pem - --requestheader-client-ca-file={{ kube_cert_dir }}/ca.pem
- --requestheader-allowed-names=system:aggregator-proxy-client - --requestheader-allowed-names={{ kube_api_requestheader_allowed_names }}
- "--requestheader-extra-headers-prefix=X-Remote-Extra-" - --requestheader-extra-headers-prefix=X-Remote-Extra-
- --requestheader-group-headers=X-Remote-Group - --requestheader-group-headers=X-Remote-Group
- --requestheader-username-headers=X-Remote-User - --requestheader-username-headers=X-Remote-User
- --enable-aggregator-routing=true - --enable-aggregator-routing={{ kube_api_aggregator_routing }}
- --proxy-client-cert-file=/etc/kubernetes/ssl/aggregator-proxy-client.pem - --proxy-client-cert-file={{ kube_cert_dir }}/front-proxy-client.pem
- --proxy-client-key-file=/etc/kubernetes/ssl/aggregator-proxy-client-key.pem - --proxy-client-key-file={{ kube_cert_dir }}/front-proxy-client-key.pem
{% endif %} {% endif %}
{% if apiserver_custom_flags is string %} {% if apiserver_custom_flags is string %}
- {{ apiserver_custom_flags }} - {{ apiserver_custom_flags }}

2
roles/kubernetes/secrets/files/make-ssl.sh
View file

@ -94,7 +94,7 @@ if [ -n "$MASTERS" ]; then
# kube-controller-manager # kube-controller-manager
gen_key_and_cert "kube-controller-manager" "/CN=system:kube-controller-manager" gen_key_and_cert "kube-controller-manager" "/CN=system:kube-controller-manager"
# metrics aggregator # metrics aggregator
gen_key_and_cert "aggregator-proxy-client" "/CN=system:aggregator-proxy-client" gen_key_and_cert "front-proxy-client" "/CN=front-proxy-client"
for host in $MASTERS; do for host in $MASTERS; do
cn="${host%%.*}" cn="${host%%.*}"

15
roles/kubernetes/secrets/tasks/check-certs.yml
View file

@ -26,8 +26,8 @@
- kube-scheduler-key.pem - kube-scheduler-key.pem
- kube-controller-manager.pem - kube-controller-manager.pem
- kube-controller-manager-key.pem - kube-controller-manager-key.pem
- aggregator-proxy-client.pem - front-proxy-client.pem
- aggregator-proxy-client-key.pem - front-proxy-client-key.pem
- admin-{{ inventory_hostname }}.pem - admin-{{ inventory_hostname }}.pem
- admin-{{ inventory_hostname }}-key.pem - admin-{{ inventory_hostname }}-key.pem
- node-{{ inventory_hostname }}.pem - node-{{ inventory_hostname }}.pem
@ -48,8 +48,8 @@
'{{ kube_cert_dir }}/kube-scheduler-key.pem', '{{ kube_cert_dir }}/kube-scheduler-key.pem',
'{{ kube_cert_dir }}/kube-controller-manager.pem', '{{ kube_cert_dir }}/kube-controller-manager.pem',
'{{ kube_cert_dir }}/kube-controller-manager-key.pem', '{{ kube_cert_dir }}/kube-controller-manager-key.pem',
'{{ kube_cert_dir }}/aggregator-proxy-client.pem', '{{ kube_cert_dir }}/front-proxy-client.pem',
'{{ kube_cert_dir }}/aggregator-proxy-client-key.pem', '{{ kube_cert_dir }}/front-proxy-client-key.pem',
{% for host in groups['kube-master'] %} {% for host in groups['kube-master'] %}
'{{ kube_cert_dir }}/admin-{{ host }}.pem' '{{ kube_cert_dir }}/admin-{{ host }}.pem'
'{{ kube_cert_dir }}/admin-{{ host }}-key.pem' '{{ kube_cert_dir }}/admin-{{ host }}-key.pem'
@ -68,9 +68,10 @@
gen_master_certs: |- gen_master_certs: |-
{%- set gen = False -%} {%- set gen = False -%}
{% set existing_certs = kubecert_master.files|map(attribute='path')|list|sort %} {% set existing_certs = kubecert_master.files|map(attribute='path')|list|sort %}
{% for cert in ['apiserver.pem', 'apiserver-key.pem', 'kube-scheduler.pem', {% for cert in ['apiserver.pem', 'apiserver-key.pem',
'kube-scheduler-key.pem', 'kube-controller-manager.pem', 'kube-scheduler.pem','kube-scheduler-key.pem',
'kube-controller-manager-key.pem','aggregator-proxy-client.pem','aggregator-proxy-client-key.pem'] -%} 'kube-controller-manager.pem','kube-controller-manager-key.pem',
'front-proxy-client.pem','front-proxy-client-key.pem'] -%}
{% set cert_file = "%s/%s.pem"|format(kube_cert_dir, cert) %} {% set cert_file = "%s/%s.pem"|format(kube_cert_dir, cert) %}
{% if not cert_file in existing_certs -%} {% if not cert_file in existing_certs -%}
{%- set gen = True -%} {%- set gen = True -%}

8
roles/kubernetes/secrets/tasks/gen_certs_script.yml
View file

@ -73,8 +73,8 @@
'kube-scheduler-key.pem', 'kube-scheduler-key.pem',
'kube-controller-manager.pem', 'kube-controller-manager.pem',
'kube-controller-manager-key.pem', 'kube-controller-manager-key.pem',
'aggregator-proxy-client.pem', 'front-proxy-client.pem',
'aggregator-proxy-client-key.pem', 'front-proxy-client-key.pem',
{% for node in groups['kube-master'] %} {% for node in groups['kube-master'] %}
'admin-{{ node }}.pem', 'admin-{{ node }}.pem',
'admin-{{ node }}-key.pem', 'admin-{{ node }}-key.pem',
@ -84,8 +84,8 @@
'admin-{{ inventory_hostname }}-key.pem', 'admin-{{ inventory_hostname }}-key.pem',
'apiserver.pem', 'apiserver.pem',
'apiserver-key.pem', 'apiserver-key.pem',
'aggregator-proxy-client.pem', 'front-proxy-client.pem',
'aggregator-proxy-client-key.pem', 'front-proxy-client-key.pem',
'kube-scheduler.pem', 'kube-scheduler.pem',
'kube-scheduler-key.pem', 'kube-scheduler-key.pem',
'kube-controller-manager.pem', 'kube-controller-manager.pem',

2
roles/kubernetes/secrets/tasks/sync_kube_master_certs.yml
View file

@ -32,7 +32,7 @@
sync_file_hosts: "{{ groups['kube-master'] }}" sync_file_hosts: "{{ groups['kube-master'] }}"
sync_file_is_cert: true sync_file_is_cert: true
sync_file_owner: kube sync_file_owner: kube
with_items: ["apiserver.pem", "kube-scheduler.pem", "kube-controller-manager.pem", "aggregator-proxy-client.pem"] with_items: ["apiserver.pem", "kube-scheduler.pem", "kube-controller-manager.pem", "front-proxy-client.pem"]
- name: sync_kube_master_certs | Set facts for kube master components sync_file results - name: sync_kube_master_certs | Set facts for kube master components sync_file results
set_fact: set_fact:

4
roles/kubespray-defaults/defaults/main.yaml
View file

@ -122,6 +122,10 @@ kube_apiserver_port: 6443
kube_apiserver_insecure_bind_address: 127.0.0.1 kube_apiserver_insecure_bind_address: 127.0.0.1
kube_apiserver_insecure_port: 8080 kube_apiserver_insecure_port: 8080
# Metrics server
kube_api_requestheader_allowed_names: "front-proxy-client"
kube_api_aggregator_routing: true
# Path used to store Docker data # Path used to store Docker data
docker_daemon_graph: "/var/lib/docker" docker_daemon_graph: "/var/lib/docker"