Bind kube-apiserver to 0.0.0.0 and shift port to 6443
Single mode, and metadata that does not specify a port, point to 443.
Updated all refs to kube-apiserver to point to correct vars.
Loadbalancer still operates on port 443.
Change-Id: Id67acd50e24cf65b3978679616c1f754a6685f68
diff --git a/kubernetes/files/calico/network-environment.pool b/kubernetes/files/calico/network-environment.pool
index 7746947..c834b3f 100644
--- a/kubernetes/files/calico/network-environment.pool
+++ b/kubernetes/files/calico/network-environment.pool
@@ -4,7 +4,7 @@
DEFAULT_IPV4={{ pool.address }}
# The Kubernetes master IP
-KUBERNETES_MASTER={{ pool.apiserver.host }}
+KUBERNETES_MASTER={{ pool.apiserver.host }}:{{ pool.apiserver.get('port', '443') }}
# IP and port of etcd instance used by Calico
-ETCD_ENDPOINTS={% for member in pool.network.etcd.members %}http://{{ member.host }}:{{ member.port }}{% if not loop.last %},{% endif %}{% endfor %}
\ No newline at end of file
+ETCD_ENDPOINTS={% for member in pool.network.etcd.members %}http://{{ member.host }}:{{ member.port }}{% if not loop.last %},{% endif %}{% endfor %}
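Review bot: The comment above `KUBERNETES_MASTER` still reads `# The Kubernetes master IP`, but the new value is `host:port`, so the comment is now wrong and any consumer that expects a bare address receives a different format. Suggest updating it to `# The Kubernetes master address and secure port (host:port)`. Whether everything that reads this file accepts a host:port value is not visible in this hunk and should be confirmed before merge.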
diff --git a/kubernetes/files/kube-controller-manager/controller-manager.kubeconfig b/kubernetes/files/kube-controller-manager/controller-manager.kubeconfig
index 91206bc..7505864 100644
--- a/kubernetes/files/kube-controller-manager/controller-manager.kubeconfig
+++ b/kubernetes/files/kube-controller-manager/controller-manager.kubeconfig
@@ -7,7 +7,7 @@
clusters:
- cluster:
certificate-authority: /etc/kubernetes/ssl/ca-kubernetes.crt
- server: https://{{ pool.apiserver.host }}:443
+ server: https://{{ pool.apiserver.host }}:{{ pool.apiserver.get('port', '443') }}
name: {{ pool.cluster_domain }}
contexts:
- context:
diff --git a/kubernetes/files/kube-proxy/proxy.kubeconfig b/kubernetes/files/kube-proxy/proxy.kubeconfig
index 868ecb5..a089f0b 100644
--- a/kubernetes/files/kube-proxy/proxy.kubeconfig
+++ b/kubernetes/files/kube-proxy/proxy.kubeconfig
@@ -7,7 +7,7 @@
clusters:
- cluster:
certificate-authority: /etc/kubernetes/ssl/ca-kubernetes.crt
- server: https://{{ pool.apiserver.host }}:443
+ server: https://{{ pool.apiserver.host }}:{{ pool.apiserver.get('port', '443') }}
name: {{ pool.cluster_domain }}
contexts:
- context:
diff --git a/kubernetes/files/kube-scheduler/scheduler.kubeconfig b/kubernetes/files/kube-scheduler/scheduler.kubeconfig
index 8441a2e..cb09b95 100644
--- a/kubernetes/files/kube-scheduler/scheduler.kubeconfig
+++ b/kubernetes/files/kube-scheduler/scheduler.kubeconfig
@@ -6,7 +6,7 @@
clusters:
- cluster:
certificate-authority: /etc/kubernetes/ssl/ca-kubernetes.crt
- server: https://{{ pool.apiserver.host }}:443
+ server: https://{{ pool.apiserver.host }}:{{ pool.apiserver.port|default('443') }}
name: {{ pool.cluster_domain }}
contexts:
- context:
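Review bot: This template resolves the port with `pool.apiserver.port|default('443')`, while the controller-manager, kube-proxy and kubelet pool kubeconfigs and the kube-proxy manifest in this same commit use `pool.apiserver.get('port', '443')`. The two forms should render the same for a missing key, but mixing them makes it easy to miss one when the default is changed later. Suggest `server: https://{{ pool.apiserver.host }}:{{ pool.apiserver.get('port', '443') }}` here for consistency.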
diff --git a/kubernetes/files/kubelet/kubelet.kubeconfig.master b/kubernetes/files/kubelet/kubelet.kubeconfig.master
index 7514b6d..5f66a5f 100644
--- a/kubernetes/files/kubelet/kubelet.kubeconfig.master
+++ b/kubernetes/files/kubelet/kubelet.kubeconfig.master
@@ -7,7 +7,7 @@
clusters:
- cluster:
certificate-authority: /etc/kubernetes/ssl/ca-kubernetes.crt
- server: https://{{ master.apiserver.address }}:443
+ server: https://{{ master.apiserver.address }}:{{ master.apiserver.get('secure_port', '443') }}
name: {{ master.addons.dns.domain }}
contexts:
- context:
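Review bot: The fallback in `master.apiserver.get('secure_port', '443')` is 443, while the cluster metadata in this commit sets 6443, and no hunk here shows `secure_port` being rendered into kube-apiserver's `--secure-port`. If that flag is not already templated elsewhere in controller.sls with the same key and default, the apiserver and this kubeconfig can disagree on the port and the master kubelet would not reach the API. Worth confirming both sides use the same key, and adding a comment above the `server:` line such as `# port must match --secure-port in kubernetes/master/controller.sls`.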
diff --git a/kubernetes/files/kubelet/kubelet.kubeconfig.pool b/kubernetes/files/kubelet/kubelet.kubeconfig.pool
index 494c038..392a8da 100644
--- a/kubernetes/files/kubelet/kubelet.kubeconfig.pool
+++ b/kubernetes/files/kubelet/kubelet.kubeconfig.pool
@@ -7,7 +7,7 @@
clusters:
- cluster:
certificate-authority: /etc/kubernetes/ssl/ca-kubernetes.crt
- server: https://{{ pool.apiserver.host }}:443
+ server: https://{{ pool.apiserver.host }}:{{ pool.apiserver.get('port', '443') }}
name: {{ pool.cluster_domain }}
contexts:
- context:
diff --git a/kubernetes/files/manifest/kube-proxy.manifest.pool b/kubernetes/files/manifest/kube-proxy.manifest.pool
index 2d563e9..7044c7c 100644
--- a/kubernetes/files/manifest/kube-proxy.manifest.pool
+++ b/kubernetes/files/manifest/kube-proxy.manifest.pool
@@ -19,7 +19,7 @@
--logtostderr=true
--v={{ pool.get('verbosity', 2) }}
--kubeconfig=/etc/kubernetes/proxy.kubeconfig
- --master={%- if pool.apiserver.insecure.enabled %}http://{{ pool.apiserver.host }}:8080{%- else %}https://{{ pool.apiserver.host }}{%- endif %}
+ --master={%- if pool.apiserver.insecure.enabled %}http://{{ pool.apiserver.host }}:8080{%- else %}https://{{ pool.apiserver.host }}:{{ pool.apiserver.get('port', '443') }}{%- endif %}
{%- if pool.network.engine == 'calico' %}
--proxy-mode=iptables
{%- endif %}
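Review bot: The new port is only used in the `else` branch, and the pool metadata touched by this commit keeps `insecure: enabled: True`, so by default kube-proxy is still started with `--master=http://...:8080`. As far as I know `--master` overrides the server in the kubeconfig, which would mean the CA-pinned `https://` entry in proxy.kubeconfig is bypassed and API traffic from pool nodes goes over plaintext without client authentication. If that is not intended, the safer shape is to drop the insecure branch, or default `insecure.enabled` to false, so the kubeconfig's TLS endpoint is the only one used. The manifest's command block starts and ends outside this hunk.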
diff --git a/kubernetes/master/controller.sls b/kubernetes/master/controller.sls
index d52190d..d15ab32 100644
--- a/kubernetes/master/controller.sls
+++ b/kubernetes/master/controller.sls
@@ -82,7 +82,7 @@
--admission-control=NamespaceLifecycle,LimitRanger,ServiceAccount,ResourceQuota
--allow-privileged=True
--basic-auth-file=/srv/kubernetes/basic_auth.csv
- --bind-address={{ master.apiserver.address }}
+ --bind-address={{ master.apiserver.get('bind_address', master.apiserver.address) }}
--client-ca-file=/etc/kubernetes/ssl/ca-{{ master.ca }}.crt
--etcd-quorum-read=true
--insecure-bind-address={{ master.apiserver.insecure_address }}
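Review bot: `bind_address` is a new pillar key, but no metadata or test pillar in this commit sets or documents it, so the 0.0.0.0 bind named in the commit title only happens if an operator adds the key by hand. When it is set to 0.0.0.0, the secure port is reachable on every interface of the master, and this same command line enables `--basic-auth-file` and `--allow-privileged=True`, so password authentication becomes reachable from networks that previously could not connect. Suggest documenting the key next to `secure_port` in the metadata with a comment like `# bind_address: 0.0.0.0 listens on all interfaces; restrict the secure port with host firewall rules`, and keeping the current fallback to `master.apiserver.address`. The kube-apiserver argument list starts and ends outside this hunk.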
diff --git a/metadata/service/master/cluster.yml b/metadata/service/master/cluster.yml
index f755401..fb17497 100644
--- a/metadata/service/master/cluster.yml
+++ b/metadata/service/master/cluster.yml
@@ -20,6 +20,7 @@
allow_privileged: True
apiserver:
address: ${_param:cluster_local_address}
+ secure_port: 6443
internal_address: ${_param:kubernetes_internal_api_address}
insecure_address: 127.0.0.1
insecure_port: 8080
diff --git a/metadata/service/master/single.yml b/metadata/service/master/single.yml
index 00dff34..86d5b7e 100644
--- a/metadata/service/master/single.yml
+++ b/metadata/service/master/single.yml
@@ -20,6 +20,7 @@
allow_privileged: True
apiserver:
address: ${_param:single_address}
+ secure_port: 443
internal_address: ${_param:kubernetes_internal_api_address}
insecure_address: 127.0.0.1
insecure_port: 8080
diff --git a/metadata/service/pool/cluster.yml b/metadata/service/pool/cluster.yml
index 41c8ffb..26122f0 100644
--- a/metadata/service/pool/cluster.yml
+++ b/metadata/service/pool/cluster.yml
@@ -13,6 +13,7 @@
name: ${linux:system:name}
apiserver:
host: ${_param:cluster_vip_address}
+ port: 443
insecure:
enabled: True
members:
diff --git a/metadata/service/pool/single.yml b/metadata/service/pool/single.yml
index e5826c3..4e7a736 100644
--- a/metadata/service/pool/single.yml
+++ b/metadata/service/pool/single.yml
@@ -13,6 +13,7 @@
name: ${linux:system:name}
apiserver:
host: ${_param:master_address}
+ port: 443
insecure:
enabled: True
members:
diff --git a/tests/pillar/master_cluster.sls b/tests/pillar/master_cluster.sls
index 2d03b69..a904a72 100644
--- a/tests/pillar/master_cluster.sls
+++ b/tests/pillar/master_cluster.sls
@@ -51,6 +51,7 @@
name: node040
apiserver:
address: 10.0.175.100
+ secure_port: 6443
internal_address: 182.22.97.1
insecure_address: 127.0.0.1
insecure_port: 8080
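Review bot: The test pillars gain `secure_port: 6443`, but none of the three (this file, master_contrail.sls, master_contrail4_0.sls) sets `bind_address` in the visible lines, so the new `.get('bind_address', ...)` override in controller.sls is apparently never rendered by the tests. Adding `bind_address: 0.0.0.0` to one of them would cover that path. The pillar mapping continues outside the hunk, so the key may already exist elsewhere and should be checked.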
diff --git a/tests/pillar/master_contrail.sls b/tests/pillar/master_contrail.sls
index 7cf9d68..667783e 100644
--- a/tests/pillar/master_contrail.sls
+++ b/tests/pillar/master_contrail.sls
@@ -48,6 +48,7 @@
name: node040
apiserver:
address: 10.0.175.100
+ secure_port: 6443
internal_address: 185.22.97.1
insecure_address: 127.0.0.1
insecure_port: 8080
diff --git a/tests/pillar/master_contrail4_0.sls b/tests/pillar/master_contrail4_0.sls
index b303623..a7f5d93 100644
--- a/tests/pillar/master_contrail4_0.sls
+++ b/tests/pillar/master_contrail4_0.sls
@@ -41,6 +41,7 @@
name: node040
apiserver:
address: 10.0.175.100
+ secure_port: 6443
internal_address: 185.22.97.1
insecure_address: 127.0.0.1
insecure_port: 8080