Configure aggregation layer
https://kubernetes.io/docs/tasks/access-kubernetes-api/configure-aggregation-layer/
Related story: https://mirantis.jira.com/browse/PROD-24599
Change-Id: Ia6d581c63648ce49ec0eb2bae6d3ad5921ba69f0
diff --git a/kubernetes/map.jinja b/kubernetes/map.jinja
index 5d1f39f..615404c 100644
--- a/kubernetes/map.jinja
+++ b/kubernetes/map.jinja
@@ -38,6 +38,14 @@
'extra': 'X-Remote-Extra-',
},
},
+ 'proxy': {
+ 'enabled': true,
+ 'header': {
+ 'user': 'X-Remote-User',
+ 'group': 'X-Remote-Group',
+ 'extra': 'X-Remote-Extra-',
+ },
+ },
'anonymous': {
'enabled': false,
},
@@ -66,6 +74,14 @@
'extra': 'X-Remote-Extra-',
},
},
+ 'proxy': {
+ 'enabled': true,
+ 'header': {
+ 'user': 'X-Remote-User',
+ 'group': 'X-Remote-Group',
+ 'extra': 'X-Remote-Extra-',
+ },
+ },
'anonymous': {
'enabled': false,
},
diff --git a/kubernetes/master/controller.sls b/kubernetes/master/controller.sls
index 54bcf34..9d92467 100644
--- a/kubernetes/master/controller.sls
+++ b/kubernetes/master/controller.sls
@@ -154,10 +154,13 @@
--client-ca-file={{ master.auth.get('ssl', {}).ca_file|default("/etc/kubernetes/ssl/ca-"+master.ca+".crt") }}
{%- endif %}
{%- if master.auth.get('proxy', {}).enabled|default(False) %}
+ --requestheader-allowed-names=system:kube-controller-manager
--requestheader-username-headers={{ master.auth.proxy.header.user }}
--requestheader-group-headers={{ master.auth.proxy.header.group }}
--requestheader-extra-headers-prefix={{ master.auth.proxy.header.extra }}
--requestheader-client-ca-file={{ master.auth.proxy.ca_file|default("/etc/kubernetes/ssl/ca-"+master.ca+".crt") }}
+ --proxy-client-cert-file={{ master.auth.proxy.client_cert|default("/etc/kubernetes/ssl/kube-aggregator-proxy-client.crt") }}
+ --proxy-client-key-file={{ master.auth.proxy.client_key|default("/etc/kubernetes/ssl/kube-aggregator-proxy-client.key") }}
{%- endif %}
--anonymous-auth={{ master.auth.get('anonymous', {}).enabled|default(False) }}
--etcd-quorum-read=true
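Review bot: `--requestheader-client-ca-file` falls back to the same `ca-<master.ca>.crt` that `--client-ca-file` uses by default two lines above the `proxy` condition, while the added `--requestheader-allowed-names` is hard-coded to `system:kube-controller-manager`. With one shared CA, any certificate that CA issues with that CN is trusted to set the `X-Remote-User`/`X-Remote-Group` headers, so the controller-manager client identity can act as any user or group; the Kubernetes aggregation documentation linked in the commit message advises a separate CA for request-header verification. I would make the name configurable in the style of the neighbouring flags, `--requestheader-allowed-names={{ master.auth.proxy.allowed_names|default("system:kube-controller-manager") }}`, and pair it with a dedicated front-proxy CA and a proxy-client CN of its own. Whether `kube-aggregator-proxy-client.crt` is issued with this CN, and where that cert and key are provisioned, is not visible in this diff and should be confirmed, since the API server will presumably refuse to start if the files are missing. The enclosing command-line block starts and ends outside the hunk.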