use kubeconfig to configure master services
Change-Id: I3c783dca90ccf3aea48661900aea1b7717136d86
diff --git a/kubernetes/files/kube-controller-manager/controller-manager.kubeconfig b/kubernetes/files/kube-controller-manager/controller-manager.kubeconfig
new file mode 100644
index 0000000..97d2a7a
--- /dev/null
+++ b/kubernetes/files/kube-controller-manager/controller-manager.kubeconfig
@@ -0,0 +1,21 @@
+{%- from "kubernetes/map.jinja" import pool with context %}
+
+apiVersion: v1
+kind: Config
+current-context: cluster.local
+preferences: {}
+clusters:
+- cluster:
+ certificate-authority: /etc/kubernetes/ssl/ca-kubernetes.crt
+ server: https://{{ pool.apiserver.host }}:443
+ name: cluster.local
+contexts:
+- context:
+ cluster: cluster.local
+ user: controller_manager
+ name: cluster.local
+users:
+- name: controller_manager
+ user:
+ client-certificate: /etc/kubernetes/ssl/kubelet-client.crt
+ client-key: /etc/kubernetes/ssl/kubelet-client.key
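Review bot: The `controller_manager` user on the last two lines authenticates with `/etc/kubernetes/ssl/kubelet-client.crt` and its key, and scheduler.kubeconfig and proxy.kubeconfig in this commit reuse the same pair, so the apiserver sees kubelet, controller-manager, scheduler and kube-proxy as one principal and neither audit logs nor any per-component authorization can tell them apart. If that certificate carries the kubelet's identity, as its name suggests, a node-level key compromise also becomes a control-plane credential; a per-component `client-certificate:` / `client-key:` pair (illustrative path: `/etc/kubernetes/ssl/controller-manager-client.crt`) keeps those identities separate. The `server:` line also hard-codes `:443` and `certificate-authority` hard-codes `ca-kubernetes.crt`, while the apiserver state in controller.sls derives the port from `master.apiserver.get('secure_port', '443')` and the CA from `ca-{{ master.ca }}.crt`, so a non-default `secure_port` or `ca` pillar value leaves these kubeconfigs unable to reach or verify the apiserver. Rendering port and CA path from the same pillar values would keep them in step. Both points apply equally to the scheduler.kubeconfig and proxy.kubeconfig hunks.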
diff --git a/kubernetes/files/kube-proxy/proxy.kubeconfig b/kubernetes/files/kube-proxy/proxy.kubeconfig
index 4fb09d6..b50f6b2 100644
--- a/kubernetes/files/kube-proxy/proxy.kubeconfig
+++ b/kubernetes/files/kube-proxy/proxy.kubeconfig
@@ -2,19 +2,20 @@
apiVersion: v1
kind: Config
-current-context: proxy-to-cluster.local
+current-context: cluster.local
preferences: {}
+clusters:
+- cluster:
+ certificate-authority: /etc/kubernetes/ssl/ca-kubernetes.crt
+ server: https://{{ pool.apiserver.host }}:443
+ name: cluster.local
contexts:
- context:
cluster: cluster.local
user: kube_proxy
- name: proxy-to-cluster.local
-clusters:
-- cluster:
- certificate-authority: /etc/kubernetes/ssl/kubelet-client.crt
-# server: https://{{ pool.apiserver.host }}:443
name: cluster.local
users:
- name: kube_proxy
user:
- token: {{ pool.token.kube_proxy}}
\ No newline at end of file
+ client-certificate: /etc/kubernetes/ssl/kubelet-client.crt
+ client-key: /etc/kubernetes/ssl/kubelet-client.key
diff --git a/kubernetes/files/kube-scheduler/scheduler.kubeconfig b/kubernetes/files/kube-scheduler/scheduler.kubeconfig
new file mode 100644
index 0000000..3e85d07
--- /dev/null
+++ b/kubernetes/files/kube-scheduler/scheduler.kubeconfig
@@ -0,0 +1,21 @@
+{%- from "kubernetes/map.jinja" import pool with context %}
+
+apiVersion: v1
+kind: Config
+current-context: cluster.local
+preferences: {}
+clusters:
+- cluster:
+ certificate-authority: /etc/kubernetes/ssl/ca-kubernetes.crt
+ server: https://{{ pool.apiserver.host }}:443
+ name: cluster.local
+contexts:
+- context:
+ cluster: cluster.local
+ user: scheduler
+ name: cluster.local
+users:
+- name: scheduler
+ user:
+ client-certificate: /etc/kubernetes/ssl/kubelet-client.crt
+ client-key: /etc/kubernetes/ssl/kubelet-client.key
diff --git a/kubernetes/files/kubelet/kubelet.kubeconfig b/kubernetes/files/kubelet/kubelet.kubeconfig
index 6d95933..74a5ae9 100644
--- a/kubernetes/files/kubelet/kubelet.kubeconfig
+++ b/kubernetes/files/kubelet/kubelet.kubeconfig
@@ -2,7 +2,7 @@
apiVersion: v1
kind: Config
-current-context: kubelet-to-cluster.local
+current-context: cluster.local
preferences: {}
clusters:
- cluster:
@@ -13,9 +13,9 @@
- context:
cluster: cluster.local
user: kubelet
- name: kubelet-to-cluster.local
+ name: cluster.local
users:
- name: kubelet
user:
client-certificate: /etc/kubernetes/ssl/kubelet-client.crt
- client-key: /etc/kubernetes/ssl/kubelet-client.key
\ No newline at end of file
+ client-key: /etc/kubernetes/ssl/kubelet-client.key
diff --git a/kubernetes/master/controller.sls b/kubernetes/master/controller.sls
index a9ddd35..f69e476 100644
--- a/kubernetes/master/controller.sls
+++ b/kubernetes/master/controller.sls
@@ -78,19 +78,34 @@
- mode: 644
- contents: DAEMON_ARGS=" --insecure-bind-address={{ master.apiserver.insecure_address }} --etcd-servers={% for member in master.etcd.members %}http://{{ member.host }}:4001{% if not loop.last %},{% endif %}{% endfor %} --admission-control=NamespaceLifecycle,LimitRanger,SecurityContextDeny,ServiceAccount,ResourceQuota --service-cluster-ip-range={{ master.service_addresses }} --client-ca-file=/etc/kubernetes/ssl/ca-{{ master.ca }}.crt --basic-auth-file=/srv/kubernetes/basic_auth.csv --tls-cert-file=/etc/kubernetes/ssl/kubernetes-server.crt --tls-private-key-file=/etc/kubernetes/ssl/kubernetes-server.key --secure-port={{ master.apiserver.get('secure_port', '443') }} --bind-address={{ master.apiserver.address }} --token-auth-file=/srv/kubernetes/known_tokens.csv --v=2 --allow-privileged=True --etcd-quorum-read=true {%- if master.apiserver.node_port_range is defined %} --service-node-port-range {{ master.apiserver.node_port_range }} {%- endif %}"
+{% for component in ['scheduler', 'controller-manager'] %}
+
+/etc/kubernetes/{{ component }}.kubeconfig:
+ file.managed:
+ - source: salt://kubernetes/files/kube-{{ component }}/{{ component }}.kubeconfig
+ - template: jinja
+ - user: root
+ - group: root
+ - mode: 644
+ - makedirs: True
+ - watch_in:
+ - service: master_services
+
+{% endfor %}
+
/etc/default/kube-controller-manager:
file.managed:
- user: root
- group: root
- mode: 644
- - contents: DAEMON_ARGS=" --cluster-name=kubernetes --service-account-private-key-file=/etc/kubernetes/ssl/kubernetes-server.key --v=2 --root-ca-file=/etc/kubernetes/ssl/ca-{{ master.ca }}.crt --leader-elect=true"
+ - contents: DAEMON_ARGS=" --kubeconfig /etc/kubernetes/controller-manager.kubeconfig --cluster-name=kubernetes --service-account-private-key-file=/etc/kubernetes/ssl/kubernetes-server.key --v=2 --root-ca-file=/etc/kubernetes/ssl/ca-{{ master.ca }}.crt --leader-elect=true"
/etc/default/kube-scheduler:
file.managed:
- user: root
- group: root
- mode: 644
- - contents: DAEMON_ARGS=" --v=2 --leader-elect=true"
+ - contents: DAEMON_ARGS=" --kubeconfig /etc/kubernetes/scheduler.kubeconfig --v=2 --leader-elect=true"
/etc/systemd/system/kube-apiserver.service:
file.managed:
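Review bot: `--kubeconfig /etc/kubernetes/controller-manager.kubeconfig` and `--kubeconfig /etc/kubernetes/scheduler.kubeconfig` are the only space-separated flags in DAEMON_ARGS strings that otherwise use `--flag=value`; writing them as `--kubeconfig=/etc/kubernetes/controller-manager.kubeconfig` keeps the style uniform and matches `--kubeconfig=/etc/kubernetes/proxy.kubeconfig` in kube-proxy.sls. The two kubeconfig templates installed by the new loop import `pool` from map.jinja with context, whereas this state file works from `master`; if a master-only minion carries no pool pillar data, `pool.apiserver.host` presumably renders empty and the files would point at `https://:443`, which is worth confirming against map.jinja or resolving by importing `master` in those templates. `makedirs: True` could be written `makedirs: true` to follow the lowercase boolean convention, though Salt's loader accepts both. The `/etc/systemd/system/kube-apiserver.service` state at the end of the hunk continues outside it.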
diff --git a/kubernetes/pool/kube-proxy.sls b/kubernetes/pool/kube-proxy.sls
index 8aa64be..c25e84e 100644
--- a/kubernetes/pool/kube-proxy.sls
+++ b/kubernetes/pool/kube-proxy.sls
@@ -37,7 +37,7 @@
- user: root
- group: root
- mode: 644
- - contents: DAEMON_ARGS=" --logtostderr=true --v=2 --kubeconfig=/etc/kubernetes/proxy.kubeconfig --master={%- if pool.apiserver.insecure.enabled %}http://{{ pool.apiserver.host }}:8080{%- else %}https://{{ pool.apiserver.host }}{%- endif %}{%- if pool.network.engine == 'calico' %} --proxy-mode=iptables{% endif %}"
+ - contents: DAEMON_ARGS=" --logtostderr=true --v=2 --kubeconfig=/etc/kubernetes/proxy.kubeconfig {%- if pool.network.engine == 'calico' %} --proxy-mode=iptables{% endif %}"
pool_services:
service.running:
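Review bot: Dropping `--master` makes the `server:` entry in proxy.kubeconfig the sole apiserver endpoint, so the `pool.apiserver.insecure.enabled` branch that used to select `http://{{ pool.apiserver.host }}:8080` no longer has any effect on kube-proxy; hosts that set it will keep using TLS on 443 without any indication. Connecting over TLS with a client certificate is the safer default, so the pillar switch should either be retired for kube-proxy or the kubeconfig template should render the matching scheme and port, and a short comment above the `contents:` line, e.g. `# apiserver endpoint comes from /etc/kubernetes/proxy.kubeconfig; the insecure 8080 path is no longer used here`, would record the intent. The `pool_services` state at the end of the hunk continues outside it.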
@@ -46,6 +46,7 @@
- watch:
- file: /etc/default/kube-proxy
- file: /usr/bin/hyperkube
+ - file: /etc/kubernetes/proxy.kubeconfig
{%- endif %}