kube-master: Use TLS for scheduler and controllers communications

This commit aims to enable the scheduler and controller-manager to
access the proper {{ kube_api_endpoint }}, instead of the
unauthenticated localhost port. Two aditionnal certs are generated
on master nodes, and kubeconfig files are added for both pods.

roles/kubernetes/master/tasks/main.yml

@@ -60,6 +60,13 @@
   when: kubesystem|failed and inventory_hostname == groups['kube-master'][0]
   tags: apps
 
+- name: Write kube-controller-manager kubeconfig
+  template:
+    src: controller-manager-kubeconfig.yaml.j2
+    dest: "{{ kube_config_dir}}/controller-manager-kubeconfig.yaml"
+  notify: Master | wait for kube-controller-manager
+  tags: kube-controller-manager
+
 - name: Write kube-controller-manager manifest
   template:
     src: manifests/kube-controller-manager.manifest.j2
@@ -67,6 +74,13 @@
   notify: Master | wait for kube-controller-manager
   tags: kube-controller-manager
 
+- name: Write kube-scheduler kubeconfig
+  template:
+    src: scheduler-kubeconfig.yaml.j2
+    dest: "{{ kube_config_dir}}/scheduler-kubeconfig.yaml"
+  notify: Master | wait for kube-controller-manager
+  tags: kube-scheduler
+
 - name: Write kube-scheduler manifest
   template:
     src: manifests/kube-scheduler.manifest.j2

roles/kubernetes/master/templates/controller-manager-kubeconfig.yaml.j2

@@ -0,0 +1,18 @@
+apiVersion: v1
+kind: Config
+clusters:
+- name: local
+  cluster:
+    certificate-authority: {{ kube_cert_dir }}/ca.pem
+    server: {{ kube_apiserver_endpoint }}
+users:
+- name: controller-manager
+  user:
+    client-certificate: {{ kube_cert_dir }}/controller-manager-{{ inventory_hostname }}.pem
+    client-key: {{ kube_cert_dir }}/controller-manager-{{ inventory_hostname }}-key.pem
+contexts:
+- context:
+    cluster: local
+    user: controller-manager
+  name: controller-manager-{{ cluster_name }}
+current-context: controller-manager-{{ cluster_name }}

roles/kubernetes/master/templates/manifests/kube-controller-manager.manifest.j2

@@ -35,6 +35,7 @@ spec:
     - --node-monitor-period={{ kube_controller_node_monitor_period }}
     - --pod-eviction-timeout={{ kube_controller_pod_eviction_timeout }}
     - --v={{ kube_log_level }}
+    - --kubeconfig={{ kube_config_dir}}/controller-manager-kubeconfig.yaml
 {% if cloud_provider is defined and cloud_provider in ["openstack", "azure", "vsphere"] %}
     - --cloud-provider={{cloud_provider}}
     - --cloud-config={{ kube_config_dir }}/cloud_config

roles/kubernetes/master/templates/manifests/kube-scheduler.manifest.j2

@@ -27,6 +27,7 @@ spec:
     - --leader-elect=true
     - --master={{ kube_apiserver_endpoint }}
     - --v={{ kube_log_level }}
+    - --kubeconfig={{ kube_config_dir}}/scheduler-kubeconfig.yaml
 {% if scheduler_custom_flags is string %}
     - {{ scheduler_custom_flags }}
 {% else %}

roles/kubernetes/master/templates/scheduler-kubeconfig.yaml.j2

@@ -0,0 +1,18 @@
+apiVersion: v1
+kind: Config
+clusters:
+- name: local
+  cluster:
+    certificate-authority: {{ kube_cert_dir }}/ca.pem
+    server: {{ kube_apiserver_endpoint }}
+users:
+- name: scheduler
+  user:
+    client-certificate: {{ kube_cert_dir }}/scheduler-{{ inventory_hostname }}.pem
+    client-key: {{ kube_cert_dir }}/scheduler-{{ inventory_hostname }}-key.pem
+contexts:
+- context:
+    cluster: local
+    user: scheduler
+  name: scheduler-{{ cluster_name }}
+current-context: scheduler-{{ cluster_name }}

roles/kubernetes/secrets/files/make-ssl.sh

@@ -87,6 +87,14 @@ if [ -n "$MASTERS" ]; then
         openssl genrsa -out admin-${host}-key.pem 2048 > /dev/null 2>&1
         openssl req -new -key admin-${host}-key.pem -out admin-${host}.csr -subj "/CN=kube-admin-${cn}/O=system:masters" > /dev/null 2>&1
         openssl x509 -req -in admin-${host}.csr -CA ca.pem -CAkey ca-key.pem -CAcreateserial -out admin-${host}.pem -days 3650 > /dev/null 2>&1
+        # controller-manager key
+        openssl genrsa -out controller-manager-${host}-key.pem 2048 > /dev/null 2>&1
+        openssl req -new -key controller-manager-${host}-key.pem -out controller-manager-${host}.csr -subj "/CN=kube-controller-manager-${cn}/O=system:kube-controller-manager" > /dev/null 2>&1
+        openssl x509 -req -in controller-manager-${host}.csr -CA ca.pem -CAkey ca-key.pem -CAcreateserial -out controller-manager-${host}.pem -days 3650 > /dev/null 2>&1
+        # scheduler
+        openssl genrsa -out scheduler-${host}-key.pem 2048 > /dev/null 2>&1
+        openssl req -new -key scheduler-${host}-key.pem -out scheduler-${host}.csr -subj "/CN=kube-scheduler-${cn}/O=system:kube-scheduler" > /dev/null 2>&1
+        openssl x509 -req -in scheduler-${host}.csr -CA ca.pem -CAkey ca-key.pem -CAcreateserial -out scheduler-${host}.pem -days 3650 > /dev/null 2>&1
     done
 fi
 

roles/kubernetes/secrets/tasks/gen_certs_script.yml

@@ -59,12 +59,20 @@
                       {% for node in groups['kube-master'] %}
                       'admin-{{ node }}.pem',
                       'admin-{{ node }}-key.pem',
+                      'controller-manager-{{ node }}.pem',
+                      'controller-manager-{{ node }}-key.pem',
+                      'scheduler-{{ node }}.pem',
+                      'scheduler-{{ node }}-key.pem',
                       'apiserver.pem',
                       'apiserver-key.pem',
                       {% endfor %}]"
     my_master_certs: ['ca-key.pem',
                      'admin-{{ inventory_hostname }}.pem',
                      'admin-{{ inventory_hostname }}-key.pem',
+                     'controller-manager-{{ inventory_hostname }}.pem',
+                     'controller-manager-{{ inventory_hostname }}-key.pem',
+                     'scheduler-{{ inventory_hostname }}.pem',
+                     'scheduler-{{ inventory_hostname }}-key.pem',
                      'apiserver.pem',
                      'apiserver-key.pem'
                      ]