Merge "remote require on ca-kubernetes"
diff --git a/README.rst b/README.rst
index 4f7a3e3..f2aa350 100644
--- a/README.rst
+++ b/README.rst
@@ -347,23 +347,19 @@
Kubernetes labels
-----------------
-Create namespace:
+Label node:
.. code-block:: yaml
- kubernetes:
- pool
+ kubernetes:
+ master:
+ label:
+ label01:
+ value: value01
+ node: node01
+ enabled: true
+ key: key01
...
- host:
- label:
- key01:
- value: value01
- enable: True
- key02:
- value: value02
- enable: False
- name: ${linux:system:name}
- ...
Pull images from private registries
-----------------------------------
diff --git a/kubernetes/files/kubelet/kubelet.kubeconfig b/kubernetes/files/kubelet/kubelet.kubeconfig
index a33b7ba..6d95933 100644
--- a/kubernetes/files/kubelet/kubelet.kubeconfig
+++ b/kubernetes/files/kubelet/kubelet.kubeconfig
@@ -6,19 +6,16 @@
preferences: {}
clusters:
- cluster:
- certificate-authority: /etc/kubernetes/ssl/kubelet-client.crt
+ certificate-authority: /etc/kubernetes/ssl/ca-kubernetes.crt
server: https://{{ pool.apiserver.host }}:443
name: cluster.local
-- cluster:
- certificate-authority: /etc/kubernetes/ssl/kubelet-client.crt
- server: http://{{ pool.apiserver.host }}:8080
- name: cluster-http.local
contexts:
- context:
- cluster: cluster-http.local
+ cluster: cluster.local
user: kubelet
name: kubelet-to-cluster.local
users:
- name: kubelet
user:
- token: {{ pool.token.kubelet }}
+ client-certificate: /etc/kubernetes/ssl/kubelet-client.crt
+ client-key: /etc/kubernetes/ssl/kubelet-client.key
\ No newline at end of file
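Review bot: The new `certificate-authority` line hard-codes `/etc/kubernetes/ssl/ca-kubernetes.crt`, while the apiserver's `--client-ca-file` in controller.sls in this same commit derives the file name from `master.ca` (`ca-{{ master.ca }}.crt`); if the pool pillar carries an equivalent key, render the CA path from it here too, otherwise a deployment that sets a different CA name will have the kubelet verifying the apiserver against a certificate that does not exist. The switch from `token` to `client-certificate`/`client-key` is the right direction, but it only works if the state that deploys `kubelet-client.key` keeps it root-only and the apiserver is started with `--client-ca-file` pointing at the same CA — worth a comment on the `users:` entry, e.g. `# kubelet authenticates with its client certificate; the apiserver must trust the issuing CA via --client-ca-file`. The file still ends without a trailing newline.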
diff --git a/kubernetes/files/systemd/kube-controller-manager.service b/kubernetes/files/systemd/kube-controller-manager.service
index 19c56fb..d08829b 100644
--- a/kubernetes/files/systemd/kube-controller-manager.service
+++ b/kubernetes/files/systemd/kube-controller-manager.service
@@ -5,7 +5,6 @@
After=network.target
[Service]
-Environment=KUBE_MASTER=--master=127.0.0.1:8080
EnvironmentFile=-/etc/kubernetes/config
EnvironmentFile=-/etc/default/%p
User=root
diff --git a/kubernetes/files/systemd/kube-proxy.service b/kubernetes/files/systemd/kube-proxy.service
index 0620223..44006fa 100644
--- a/kubernetes/files/systemd/kube-proxy.service
+++ b/kubernetes/files/systemd/kube-proxy.service
@@ -5,7 +5,6 @@
After=network.target
[Service]
-Environment=KUBE_MASTER=--master=127.0.0.1:8080
EnvironmentFile=-/etc/kubernetes/config
EnvironmentFile=-/etc/default/%p
User=root
diff --git a/kubernetes/files/systemd/kube-scheduler.service b/kubernetes/files/systemd/kube-scheduler.service
index d29f9c9..f576341 100644
--- a/kubernetes/files/systemd/kube-scheduler.service
+++ b/kubernetes/files/systemd/kube-scheduler.service
@@ -5,7 +5,6 @@
After=network.target
[Service]
-Environment=KUBE_MASTER=--master=127.0.0.1:8080
EnvironmentFile=-/etc/kubernetes/config
EnvironmentFile=-/etc/default/%p
User=root
diff --git a/kubernetes/master/controller.sls b/kubernetes/master/controller.sls
index 040d1e7..cb90adb 100644
--- a/kubernetes/master/controller.sls
+++ b/kubernetes/master/controller.sls
@@ -76,7 +76,7 @@
- user: root
- group: root
- mode: 644
- - contents: DAEMON_ARGS=" --insecure-bind-address={{ master.apiserver.insecure_address }} --etcd-servers={% for member in master.etcd.members %}http://{{ member.host }}:4001{% if not loop.last %},{% endif %}{% endfor %} --admission-control=NamespaceLifecycle,LimitRanger,SecurityContextDeny,ServiceAccount,ResourceQuota --service-cluster-ip-range={{ master.service_addresses }} --client-ca-file=/etc/kubernetes/ssl/ca-{{ master.ca }}.crt --basic-auth-file=/srv/kubernetes/basic_auth.csv --tls-cert-file=/etc/kubernetes/ssl/kubernetes-server.crt --tls-private-key-file=/etc/kubernetes/ssl/kubernetes-server.key --secure-port={{ master.apiserver.get('secure_port', '443') }} --bind-address={{ master.apiserver.address }} --token-auth-file=/srv/kubernetes/known_tokens.csv --v=2 --allow-privileged=True --etcd-quorum-read=true"
+ - contents: DAEMON_ARGS=" --insecure-bind-address={{ master.apiserver.insecure_address }} --etcd-servers={% for member in master.etcd.members %}http://{{ member.host }}:4001{% if not loop.last %},{% endif %}{% endfor %} --admission-control=NamespaceLifecycle,LimitRanger,SecurityContextDeny,ServiceAccount,ResourceQuota --service-cluster-ip-range={{ master.service_addresses }} --client-ca-file=/etc/kubernetes/ssl/ca-{{ master.ca }}.crt --basic-auth-file=/srv/kubernetes/basic_auth.csv --tls-cert-file=/etc/kubernetes/ssl/kubernetes-server.crt --tls-private-key-file=/etc/kubernetes/ssl/kubernetes-server.key --secure-port={{ master.apiserver.get('secure_port', '443') }} --bind-address={{ master.apiserver.address }} --token-auth-file=/srv/kubernetes/known_tokens.csv --v=2 --allow-privileged=True --etcd-quorum-read=true {%- if master.apiserver.node_port_range is defined %} --service-node-port-range {{ master.apiserver.node_port_range }} {%- endif %}"
/etc/default/kube-controller-manager:
file.managed:
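Review bot: The newly appended `--service-node-port-range {{ master.apiserver.node_port_range }}` uses the `--flag value` form while every other option in `DAEMON_ARGS` uses `--flag=value`; keep the string consistent and unambiguous for anyone grepping the rendered file: `--service-node-port-range={{ master.apiserver.node_port_range }}`. The value is interpolated verbatim from pillar into the daemon argument string, so a malformed range only surfaces when kube-apiserver refuses to start; a one-line README entry describing the expected `min-max` form next to the other `apiserver` keys would help. The enclosing `file.managed` state (presumably the kube-apiserver defaults file) begins before the hunk.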
@@ -120,7 +120,7 @@
/etc/kubernetes/ssl/{{ filename }}:
file.managed:
- - source: salt://_certs/kubernetes/{{ filename }}
+ - source: salt://{{ master.get('cert_source','_certs/kubernetes') }}/{{ filename }}
- user: root
- group: haproxy
- mode: 640
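Review bot: The new `cert_source` pillar key introduced on the `source:` line is not documented anywhere on this page — the README hunk in this commit only covers node labels. Add it to the README's certificate section with its default, e.g. `cert_source: _certs/kubernetes  # fileserver-relative path, no leading slash`, since the value is spliced directly into a `salt://` URL and a leading slash or a path outside the fileserver will fail only at state run time. The `for filename in …` loop that defines `filename` starts outside the hunk.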
@@ -146,9 +146,11 @@
{%- if namespace.enabled %}
+{%- set date = salt['cmd.run']('date "+%FT%TZ"') %}
+
/registry/namespaces/{{ name }}:
etcd.set:
- - value: '{"kind":"Namespace","apiVersion":"v1","metadata":{"name":"{{ name }}"},"spec":{"finalizers":["kubernetes"]},"status":{"phase":"Active"}}'
+ - value: '{"kind":"Namespace","apiVersion":"v1","metadata":{"name":"{{ name }}","creationTimestamp":"{{ date }}"},"spec":{"finalizers":["kubernetes"]},"status":{"phase":"Active"}}'
{%- else %}
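Review bot: The `creationTimestamp` built from the new `set date` line ends in a literal `Z` but `date "+%FT%TZ"` prints the minion's local time, so unless the host runs in UTC the value written to etcd claims Zulu time while holding a local one; use `{%- set date = salt['cmd.run']('date -u "+%FT%TZ"') %}`. Shelling out during rendering is also executed once per namespace on every state run, which is harmless here but worth a comment such as `# rendered once per namespace; only used to populate creationTimestamp on first creation`. The `for` over namespaces that defines `name` and `namespace` begins outside the hunk.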
diff --git a/kubernetes/master/setup.sls b/kubernetes/master/setup.sls
index cf3d7a8..56f8cf7 100644
--- a/kubernetes/master/setup.sls
+++ b/kubernetes/master/setup.sls
@@ -12,4 +12,32 @@
{%- endif %}
{%- endfor %}
+
+{%- if master.label is defined %}
+
+{%- for name,label in master.label.iteritems() %}
+
+{%- if label.enabled %}
+
+{{ name }}_{{ label.node }}:
+ k8s.label_present:
+ - name: {{ label.key }}
+ - value: {{ label.value }}
+ - node: {{ label.node }}
+ - apiserver: http://{{ master.apiserver.insecure_address }}:8080
+
+{%- else %}
+
+{{ name }}_{{ label.node }}:
+ k8s.label_absent:
+ - name: {{ label.key }}
+ - node: {{ label.node }}
+ - apiserver: http://{{ master.apiserver.insecure_address }}:8080
+
+{%- endif %}
+
+{%- endfor %}
+
+{%- endif %}
+
{%- endif %}
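Review bot: `- value: {{ label.value }}` and `- name: {{ label.key }}` are rendered as plain YAML scalars, so a label value such as `true`, `1.10` or `0123` is retyped by the YAML loader before `k8s.label_present` sees it, whereas Kubernetes label values must be strings; quote them, `- name: "{{ label.key }}"` and `- value: "{{ label.value }}"`. `master.label.iteritems()` is Python 2 only; `.items()` behaves the same on both interpreters. The `apiserver:` URL targets the unauthenticated port on `master.apiserver.insecure_address`, which this commit sets to `127.0.0.1` in the metadata files, so these states only succeed when rendered on the master host itself — fine for `kubernetes/master`, but a comment to that effect would save the next reader a trip through the metadata. `label.enabled` is read unconditionally, so a label entry without `enabled:` fails the render rather than defaulting.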
diff --git a/kubernetes/pool/init.sls b/kubernetes/pool/init.sls
index 713f849..398e905 100644
--- a/kubernetes/pool/init.sls
+++ b/kubernetes/pool/init.sls
@@ -5,7 +5,6 @@
- kubernetes.pool.calico
{%- endif %}
- kubernetes.pool.service
-- kubernetes.pool.kubelet
{%- if pool.network.engine == "flannel" %}
- kubernetes.pool.flannel
{%- endif %}
diff --git a/kubernetes/pool/kubelet.sls b/kubernetes/pool/kubelet.sls
deleted file mode 100644
index 6581ab2..0000000
--- a/kubernetes/pool/kubelet.sls
+++ /dev/null
@@ -1,31 +0,0 @@
-{%- from "kubernetes/map.jinja" import pool with context %}
-{%- if pool.enabled %}
-
-{%- if pool.host.label is defined %}
-
-{%- for name,label in pool.host.label.iteritems() %}
-
-{%- if label.enabled %}
-
-{{ name }}:
- k8s.label_present:
- - name: {{ name }}
- - value: {{ label.value }}
- - node: {{ pool.host.name }}
- - apiserver: http://{{ pool.apiserver.host }}:8080
-
-{%- else %}
-
-{{ name }}:
- k8s.label_absent:
- - name: {{ name }}
- - node: {{ pool.host.name }}
- - apiserver: http://{{ pool.apiserver.host }}:8080
-
-{%- endif %}
-
-{%- endfor %}
-
-{%- endif %}
-
-{%- endif %}
diff --git a/metadata/service/master/cluster.yml b/metadata/service/master/cluster.yml
index 62e1042..6663bf2 100644
--- a/metadata/service/master/cluster.yml
+++ b/metadata/service/master/cluster.yml
@@ -17,7 +17,7 @@
allow_privileged: True
apiserver:
address: ${_param:cluster_local_address}
- insecure_address: ${_param:cluster_local_address}
+ insecure_address: 127.0.0.1
etcd:
members:
- host: ${_param:cluster_node01_address}
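Review bot: Moving `insecure_address` to loopback is a sound default, but it is a behaviour change for existing deployments that reached the unauthenticated port over `cluster_local_address:8080`; the commit removes the in-tree consumers (the http cluster in the kubelet kubeconfig and `pool/kubelet.sls`), yet nothing on this page tells operators that port 8080 is now local-only. A README or changelog line to that effect would help, and single.yml makes the same change from `0.0.0.0`. The surrounding `allow_privileged: True` is left as-is, but note that the capitalised form depends on YAML 1.1 truthy handling.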
diff --git a/metadata/service/master/single.yml b/metadata/service/master/single.yml
index 6a56ca5..172f009 100644
--- a/metadata/service/master/single.yml
+++ b/metadata/service/master/single.yml
@@ -17,7 +17,7 @@
allow_privileged: True
apiserver:
address: ${_param:single_address}
- insecure_address: 0.0.0.0
+ insecure_address: 127.0.0.1
etcd:
members:
- host: ${_param:single_address}