Add possibility to configure auth for contrail

Change-Id: I83b7b90ef14d55805fef50adb9f1eef1c293a01d
Related-PROD: PROD-27531
diff --git a/kubernetes/files/conformance/conformance.yml b/kubernetes/files/conformance/conformance.yml
index 3e6a424..0a5a825 100644
--- a/kubernetes/files/conformance/conformance.yml
+++ b/kubernetes/files/conformance/conformance.yml
@@ -1,3 +1,4 @@
+{%- from "kubernetes/map.jinja" import master with context -%}
 {%- from "kubernetes/map.jinja" import full_version -%}
 ---
 apiVersion: v1
@@ -37,13 +38,28 @@
   verbs:
   - '*'
 ---
+apiVersion: rbac.authorization.k8s.io/v1beta1
+kind: ClusterRoleBinding
+metadata:
+  name: root-conformance-binding
+roleRef:
+  kind: ClusterRole
+  name: cluster-admin
+  apiGroup: rbac.authorization.k8s.io
+subjects:
+  - kind: Group
+    name: system:nodes
+    apiGroup: rbac.authorization.k8s.io
+---
 apiVersion: v1
 kind: Pod
 metadata:
   name: conformance
   namespace: conformance
 spec:
+{%- if not master.network.get('opencontrail',{}).get('enabled', False) %}
   hostNetwork: true
+{%- endif %}
   restartPolicy: Never
   serviceAccountName: conformance
   affinity:
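Review bot: The new `root-conformance-binding` document binds `cluster-admin` to the `system:nodes` group, so every kubelet credential in the cluster becomes cluster-admin, and it is rendered outside any Jinja condition, so deployments without OpenContrail get it too. The binding is cluster-scoped and nothing visible in this file removes it, so it presumably outlives the conformance pod. I would wrap the document in `{%- if master.network.get('opencontrail',{}).get('enabled', False) %}` … `{%- endif %}` and add `# Test-only: gives all kubelet identities cluster-admin; delete after the conformance run` above `kind: ClusterRoleBinding`. If the pod's existing `conformance` service account can authenticate to the API server in the OpenContrail case, binding that account instead would avoid widening node privileges at all.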
@@ -51,7 +67,11 @@
       requiredDuringSchedulingIgnoredDuringExecution:
         nodeSelectorTerms:
         - matchExpressions:
+{%- if master.network.get('opencontrail',{}).get('enabled', False) %}
+          - key: node-role.kubernetes.io/node
+{%- else %}
           - key: node-role.kubernetes.io/master
+{%- endif %}
             operator: In
             values:
             - "true"
@@ -69,18 +89,44 @@
       privileged: true
     env:
     - name: API_SERVER
+{%- if master.network.get('opencontrail',{}).get('enabled', False) %}
+      value: https://10.254.0.1:443
+{%- else %}
       value: http://localhost:8080
+{%- endif %}
 # Uncomment to use FOCUS for conformance runs
 #    - name: FOCUS
 #      value: "Conformance"
 #    - name: CONCURRENCY
 #      value: 25
+{%- if master.network.get('opencontrail',{}).get('enabled', False) %}
+    - name: K8S_CA
+      value: /ssl/ca-kubernetes.crt
+    - name: KUBELET_CERT
+      value: /ssl/kubelet-client.crt
+    - name: KUBELET_KEY
+      value: /ssl/kubelet-client.key
+{%- else %}
+# Needed to use only https secured endpoint
+#    - name: K8S_CA
+#      value: /ssl/ca-kubernetes.crt
+#    - name: KUBELET_CERT
+#    value: /ssl/kubelet-client.crt
+#    - name: KUBELET_KEY
+#    value: /ssl/kubelet-client.key
+{%- endif %}
     image: docker-prod-local.artifactory.mirantis.com/mirantis/kubernetes/k8s-conformance:v{{ full_version }}
     volumeMounts:
     - mountPath: /report
       name: output-volume
       mountPropagation: Bidirectional
+    - mountPath: /ssl
+      name: ssl-auth
+      readOnly: true
   volumes:
   - hostPath:
       path: /tmp/conformance
-    name: output-volume
\ No newline at end of file
+    name: output-volume
+  - hostPath:
+      path: /etc/kubernetes/ssl
+    name: ssl-auth
\ No newline at end of file
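Review bot: The `ssl-auth` volume and its `/ssl` mount are added outside the `opencontrail` condition, so the non-contrail variant also mounts the host's `/etc/kubernetes/ssl` into this `privileged: true` container (whose definition starts above the hunk), even though `K8S_CA`, `KUBELET_CERT` and `KUBELET_KEY` are only comments there. Putting both the `volumeMounts` entry and the `volumes` entry under the same `{%- if master.network.get('opencontrail',{}).get('enabled', False) %}` guard used for the env vars keeps the kubelet client key out of pods that do not use it. The mount also exposes the whole directory rather than the three files named. `https://10.254.0.1:443` hard-codes what looks like the API server's service IP and would break on a cluster with a different service range, so it is better taken from the pillar. In the commented-out block the two `#    value:` lines are indented two columns less than `#      value: /ssl/ca-kubernetes.crt`, so uncommenting them as written would not produce the intended env entries.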