change kubelet connection to secure endpoint/use ssl certs
Change-Id: I0081e1393f38dd4be84fc5b55bbd9d582624f744
diff --git a/README.rst b/README.rst
index 4f7a3e3..f2aa350 100644
--- a/README.rst
+++ b/README.rst
@@ -347,23 +347,19 @@
Kubernetes labels
-----------------
-Create namespace:
+Label node:
.. code-block:: yaml
- kubernetes:
- pool
+ kubernetes:
+ master:
+ label:
+ label01:
+ value: value01
+ node: node01
+ enabled: true
+ key: key01
...
- host:
- label:
- key01:
- value: value01
- enable: True
- key02:
- value: value02
- enable: False
- name: ${linux:system:name}
- ...
Pull images from private registries
-----------------------------------
diff --git a/kubernetes/files/kubelet/kubelet.kubeconfig b/kubernetes/files/kubelet/kubelet.kubeconfig
index a33b7ba..6d95933 100644
--- a/kubernetes/files/kubelet/kubelet.kubeconfig
+++ b/kubernetes/files/kubelet/kubelet.kubeconfig
@@ -6,19 +6,16 @@
preferences: {}
clusters:
- cluster:
- certificate-authority: /etc/kubernetes/ssl/kubelet-client.crt
+ certificate-authority: /etc/kubernetes/ssl/ca-kubernetes.crt
server: https://{{ pool.apiserver.host }}:443
name: cluster.local
-- cluster:
- certificate-authority: /etc/kubernetes/ssl/kubelet-client.crt
- server: http://{{ pool.apiserver.host }}:8080
- name: cluster-http.local
contexts:
- context:
- cluster: cluster-http.local
+ cluster: cluster.local
user: kubelet
name: kubelet-to-cluster.local
users:
- name: kubelet
user:
- token: {{ pool.token.kubelet }}
+ client-certificate: /etc/kubernetes/ssl/kubelet-client.crt
+ client-key: /etc/kubernetes/ssl/kubelet-client.key
\ No newline at end of file
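Review bot: The rendered kubeconfig still ends without a trailing newline (`\ No newline at end of file` follows the added `client-key` line); add a final newline so the file and future diffs stay clean. The new `users` stanza points at `/etc/kubernetes/ssl/kubelet-client.key`, and the state that writes that file is not part of this diff, so confirm it is deployed owner-only (for example mode `0600`) now that it carries the kubelet's identity instead of a token that could be rotated. Changing `certificate-authority` from the client certificate to `ca-kubernetes.crt` looks correct, since the previous value could only have validated the apiserver's serving certificate if the same file was also the CA; a short comment above `clusters:` saying which CA signs the apiserver certificate would help the next reader.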
diff --git a/kubernetes/files/systemd/kube-controller-manager.service b/kubernetes/files/systemd/kube-controller-manager.service
index 19c56fb..d08829b 100644
--- a/kubernetes/files/systemd/kube-controller-manager.service
+++ b/kubernetes/files/systemd/kube-controller-manager.service
@@ -5,7 +5,6 @@
After=network.target
[Service]
-Environment=KUBE_MASTER=--master=127.0.0.1:8080
EnvironmentFile=-/etc/kubernetes/config
EnvironmentFile=-/etc/default/%p
User=root
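Review bot: Removing `Environment=KUBE_MASTER=--master=127.0.0.1:8080` leaves nothing in this unit that tells kube-controller-manager where the apiserver is; the same removal is made in kube-proxy.service and kube-scheduler.service. Unless `/etc/kubernetes/config` or `/etc/default/%p` (both outside this diff) now supplies `KUBE_MASTER` or a `--kubeconfig`, the binaries fall back to their built-in default, which in Kubernetes releases of this era was the insecure localhost port, so the certificate-based access the commit title describes would not extend to these components. Consider pointing each unit at a kubeconfig that uses client certificates, e.g. `Environment=KUBE_MASTER=--kubeconfig=/etc/kubernetes/<component>.kubeconfig` with `<component>` filled per unit, and add a unit comment stating where the master address now comes from.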
diff --git a/kubernetes/files/systemd/kube-proxy.service b/kubernetes/files/systemd/kube-proxy.service
index 0620223..44006fa 100644
--- a/kubernetes/files/systemd/kube-proxy.service
+++ b/kubernetes/files/systemd/kube-proxy.service
@@ -5,7 +5,6 @@
After=network.target
[Service]
-Environment=KUBE_MASTER=--master=127.0.0.1:8080
EnvironmentFile=-/etc/kubernetes/config
EnvironmentFile=-/etc/default/%p
User=root
diff --git a/kubernetes/files/systemd/kube-scheduler.service b/kubernetes/files/systemd/kube-scheduler.service
index d29f9c9..f576341 100644
--- a/kubernetes/files/systemd/kube-scheduler.service
+++ b/kubernetes/files/systemd/kube-scheduler.service
@@ -5,7 +5,6 @@
After=network.target
[Service]
-Environment=KUBE_MASTER=--master=127.0.0.1:8080
EnvironmentFile=-/etc/kubernetes/config
EnvironmentFile=-/etc/default/%p
User=root
diff --git a/kubernetes/master/setup.sls b/kubernetes/master/setup.sls
index cf3d7a8..56f8cf7 100644
--- a/kubernetes/master/setup.sls
+++ b/kubernetes/master/setup.sls
@@ -12,4 +12,32 @@
{%- endif %}
{%- endfor %}
+
+{%- if master.label is defined %}
+
+{%- for name,label in master.label.iteritems() %}
+
+{%- if label.enabled %}
+
+{{ name }}_{{ label.node }}:
+ k8s.label_present:
+ - name: {{ label.key }}
+ - value: {{ label.value }}
+ - node: {{ label.node }}
+ - apiserver: http://{{ master.apiserver.insecure_address }}:8080
+
+{%- else %}
+
+{{ name }}_{{ label.node }}:
+ k8s.label_absent:
+ - name: {{ label.key }}
+ - node: {{ label.node }}
+ - apiserver: http://{{ master.apiserver.insecure_address }}:8080
+
+{%- endif %}
+
+{%- endfor %}
+
+{%- endif %}
+
{%- endif %}
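Review bot: `label.key`, `label.value` and `label.node` are interpolated unquoted on `- name: {{ label.key }}`, `- value: {{ label.value }}` and `- node: {{ label.node }}`, so a label value such as `true`, `no` or `1.10` is retyped by the YAML loader before `k8s.label_present` sees it; quote them, e.g. `- value: "{{ label.value }}"`, in both the `label_present` and `label_absent` branches. `master.label.iteritems()` is Python 2-only, and `items()` behaves the same on both interpreters, so switching avoids a render failure once the minion runs under Python 3 (the deleted pool/kubelet.sls had the same call, so this is carried forward rather than introduced). The `apiserver: http://{{ master.apiserver.insecure_address }}:8080` target becomes loopback with the metadata changes in this commit, which only works because this state is applied on the master itself; a comment such as `{#- label states use the local insecure port and must run on the master node #}` would make that dependency explicit. The enclosing `{%- if %}` block starts outside the hunk.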
diff --git a/kubernetes/pool/init.sls b/kubernetes/pool/init.sls
index 713f849..398e905 100644
--- a/kubernetes/pool/init.sls
+++ b/kubernetes/pool/init.sls
@@ -5,7 +5,6 @@
- kubernetes.pool.calico
{%- endif %}
- kubernetes.pool.service
-- kubernetes.pool.kubelet
{%- if pool.network.engine == "flannel" %}
- kubernetes.pool.flannel
{%- endif %}
diff --git a/kubernetes/pool/kubelet.sls b/kubernetes/pool/kubelet.sls
deleted file mode 100644
index 6581ab2..0000000
--- a/kubernetes/pool/kubelet.sls
+++ /dev/null
@@ -1,31 +0,0 @@
-{%- from "kubernetes/map.jinja" import pool with context %}
-{%- if pool.enabled %}
-
-{%- if pool.host.label is defined %}
-
-{%- for name,label in pool.host.label.iteritems() %}
-
-{%- if label.enabled %}
-
-{{ name }}:
- k8s.label_present:
- - name: {{ name }}
- - value: {{ label.value }}
- - node: {{ pool.host.name }}
- - apiserver: http://{{ pool.apiserver.host }}:8080
-
-{%- else %}
-
-{{ name }}:
- k8s.label_absent:
- - name: {{ name }}
- - node: {{ pool.host.name }}
- - apiserver: http://{{ pool.apiserver.host }}:8080
-
-{%- endif %}
-
-{%- endfor %}
-
-{%- endif %}
-
-{%- endif %}
diff --git a/metadata/service/master/cluster.yml b/metadata/service/master/cluster.yml
index 62e1042..6663bf2 100644
--- a/metadata/service/master/cluster.yml
+++ b/metadata/service/master/cluster.yml
@@ -17,7 +17,7 @@
allow_privileged: True
apiserver:
address: ${_param:cluster_local_address}
- insecure_address: ${_param:cluster_local_address}
+ insecure_address: 127.0.0.1
etcd:
members:
- host: ${_param:cluster_node01_address}
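Review bot: Changing `insecure_address` from `${_param:cluster_local_address}` to `127.0.0.1` takes the unauthenticated apiserver port off the cluster network, which is the safer default, but it is a behavior change for any consumer that reached port 8080 from another host (the deleted pool/kubelet.sls did exactly that). Nothing else in this diff shows such consumers being migrated, so a short note in the README or commit message that the insecure port is now loopback-only and remote clients must use the TLS endpoint with client certificates would save operators a surprise. The single.yml hunk makes the same change from `0.0.0.0`.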
diff --git a/metadata/service/master/single.yml b/metadata/service/master/single.yml
index 6a56ca5..172f009 100644
--- a/metadata/service/master/single.yml
+++ b/metadata/service/master/single.yml
@@ -17,7 +17,7 @@
allow_privileged: True
apiserver:
address: ${_param:single_address}
- insecure_address: 0.0.0.0
+ insecure_address: 127.0.0.1
etcd:
members:
- host: ${_param:single_address}