Explicitly configure the insecure_port for apiserver
Change-Id: I5f1aa6e382e99c7c719e9e596f1d0ad2f0d79157
diff --git a/README.rst b/README.rst
index be3af09..7f38048 100644
--- a/README.rst
+++ b/README.rst
@@ -97,7 +97,9 @@
username: admin
apiserver:
address: 10.0.175.100
- port: 8080
+ secure_port: 443
+ insecure_address: 127.0.0.1
+ insecure_port: 8080
ca: kubernetes
enabled: true
etcd:
diff --git a/kubernetes/files/manifest/kube-apiserver.manifest b/kubernetes/files/manifest/kube-apiserver.manifest
index b1962bb..fcb3ea0 100644
--- a/kubernetes/files/manifest/kube-apiserver.manifest
+++ b/kubernetes/files/manifest/kube-apiserver.manifest
@@ -42,7 +42,7 @@
httpGet:
host: 127.0.0.1
path: /healthz
- port: 8080
+ port: {{ master.apiserver.get('insecure_port', '8080') }}
scheme: HTTP
initialDelaySeconds: 15
timeoutSeconds: 15
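Review bot: The liveness probe still targets the literal `host: 127.0.0.1` while its port now follows `insecure_port`, so the probe only matches the listener when `insecure_address` is loopback or a wildcard. controller.sls passes `insecure_address` to `--insecure-bind-address`, so a pillar that binds it to one specific non-loopback address would leave the probe failing. That listener does not authenticate requests, so loopback is the setting worth keeping. I would state the assumption next to the probe, e.g. `# probe assumes master.apiserver.insecure_address is 127.0.0.1`. The container spec starts and ends outside this hunk.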
@@ -51,8 +51,8 @@
hostPort: {{ master.apiserver.get('secure_port', '443') }}
name: https
protocol: TCP
- - containerPort: 8080
- hostPort: 8080
+ - containerPort: {{ master.apiserver.get('insecure_port', '8080') }}
+ hostPort: {{ master.apiserver.get('insecure_port', '8080') }}
name: local
protocol: TCP
resources:
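Review bot: The expression `master.apiserver.get('insecure_port', '8080')`, with its own default, is now written three times in this manifest (the probe port in the hunk above, `containerPort`, `hostPort`) and again in controller.sls and setup.sls. If one default is later changed and another is not, the `--insecure-port` flag, the port mapping and the probe will disagree. A single assignment such as `{%- set insecure_port = master.apiserver.get('insecure_port', '8080') %}` with `{{ insecure_port }}` at each use would keep them together. The top of the template is not visible in this diff, so where the assignment belongs is for the author to confirm.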
diff --git a/kubernetes/master/controller.sls b/kubernetes/master/controller.sls
index f8463c3..a08cdcf 100644
--- a/kubernetes/master/controller.sls
+++ b/kubernetes/master/controller.sls
@@ -76,7 +76,7 @@
- user: root
- group: root
- mode: 644
- - contents: DAEMON_ARGS=" --insecure-bind-address={{ master.apiserver.insecure_address }} --etcd-servers={% for member in master.etcd.members %}http://{{ member.host }}:4001{% if not loop.last %},{% endif %}{% endfor %} --admission-control=NamespaceLifecycle,LimitRanger,SecurityContextDeny,ServiceAccount,ResourceQuota --service-cluster-ip-range={{ master.service_addresses }} --client-ca-file=/etc/kubernetes/ssl/ca-{{ master.ca }}.crt --basic-auth-file=/srv/kubernetes/basic_auth.csv --tls-cert-file=/etc/kubernetes/ssl/kubernetes-server.crt --tls-private-key-file=/etc/kubernetes/ssl/kubernetes-server.key --secure-port={{ master.apiserver.get('secure_port', '443') }} --bind-address={{ master.apiserver.address }} --token-auth-file=/srv/kubernetes/known_tokens.csv --v=2 --allow-privileged=True --etcd-quorum-read=true {%- if master.apiserver.node_port_range is defined %} --service-node-port-range {{ master.apiserver.node_port_range }} {%- endif %}{% for key, value in master.get('apiserver', {}).get('daemon_opts', {}).iteritems() %} --{{ key }}={{ value }}{% endfor %}"
+ - contents: DAEMON_ARGS=" --insecure-bind-address={{ master.apiserver.insecure_address }} --insecure-port={{ master.apiserver.get('insecure_port', '8080') }} --etcd-servers={% for member in master.etcd.members %}http://{{ member.host }}:4001{% if not loop.last %},{% endif %}{% endfor %} --admission-control=NamespaceLifecycle,LimitRanger,SecurityContextDeny,ServiceAccount,ResourceQuota --service-cluster-ip-range={{ master.service_addresses }} --client-ca-file=/etc/kubernetes/ssl/ca-{{ master.ca }}.crt --basic-auth-file=/srv/kubernetes/basic_auth.csv --tls-cert-file=/etc/kubernetes/ssl/kubernetes-server.crt --tls-private-key-file=/etc/kubernetes/ssl/kubernetes-server.key --secure-port={{ master.apiserver.get('secure_port', '443') }} --bind-address={{ master.apiserver.address }} --token-auth-file=/srv/kubernetes/known_tokens.csv --v=2 --allow-privileged=True --etcd-quorum-read=true {%- if master.apiserver.node_port_range is defined %} --service-node-port-range {{ master.apiserver.node_port_range }} {%- endif %}{% for key, value in master.get('apiserver', {}).get('daemon_opts', {}).iteritems() %} --{{ key }}={{ value }}{% endfor %}"
{% for component in ['scheduler', 'controller-manager'] %}
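Review bot: The explicit `--insecure-port=` added to `DAEMON_ARGS` can be emitted a second time by the `daemon_opts` loop at the end of the same line if an existing pillar already carries `insecure-port` there. The probe and the label states would then read `insecure_port`, while which value the apiserver keeps depends on its flag parser. Because this flag controls the listener that does not authenticate requests, it should have exactly one source. I would skip the key in the loop, `{% for key, value in master.get('apiserver', {}).get('daemon_opts', {}).iteritems() if key != 'insecure-port' %}`, or document that it must not be set through `daemon_opts`. The state this line belongs to starts outside the hunk.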
diff --git a/kubernetes/master/setup.sls b/kubernetes/master/setup.sls
index 4b771ae..432cdce 100644
--- a/kubernetes/master/setup.sls
+++ b/kubernetes/master/setup.sls
@@ -24,7 +24,7 @@
- name: {{ label.key }}
- value: {{ label.value }}
- node: {{ label.node }}
- - apiserver: http://{{ master.apiserver.insecure_address }}:8080
+ - apiserver: http://{{ master.apiserver.insecure_address }}:{{ master.apiserver.get('insecure_port', '8080') }}
{%- else %}
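Review bot: Both label states (this hunk and the `k8s.label_absent` one below) build their `apiserver` URL from `insecure_port`, so they only work while the unauthenticated listener is enabled. Now that the port is a pillar value, an operator who sets `insecure_port: 0` to switch that listener off gets a URL ending in `:0` here and a probe on port 0 in kube-apiserver.manifest. If disabling is not meant to be supported, say so where the key is documented, e.g. `insecure_port: 8080  # must be non-zero; probe and label states use it`. Otherwise these states need a guard or a different endpoint. The state bodies start outside both hunks.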
@@ -32,7 +32,7 @@
k8s.label_absent:
- name: {{ label.key }}
- node: {{ label.node }}
- - apiserver: http://{{ master.apiserver.insecure_address }}:8080
+ - apiserver: http://{{ master.apiserver.insecure_address }}:{{ master.apiserver.get('insecure_port', '8080') }}
{%- endif %}
diff --git a/metadata/service/master/cluster.yml b/metadata/service/master/cluster.yml
index 70ea012..0f8abad 100644
--- a/metadata/service/master/cluster.yml
+++ b/metadata/service/master/cluster.yml
@@ -18,6 +18,7 @@
apiserver:
address: ${_param:cluster_local_address}
insecure_address: 127.0.0.1
+ insecure_port: 8080
etcd:
members:
- host: ${_param:cluster_node01_address}
diff --git a/metadata/service/master/single.yml b/metadata/service/master/single.yml
index 3ceebf6..beb7bd2 100644
--- a/metadata/service/master/single.yml
+++ b/metadata/service/master/single.yml
@@ -18,6 +18,7 @@
apiserver:
address: ${_param:single_address}
insecure_address: 127.0.0.1
+ insecure_port: 8080
etcd:
members:
- host: ${_param:single_address}
diff --git a/tests/pillar/master_cluster.sls b/tests/pillar/master_cluster.sls
index d9b326f..abc18dd 100644
--- a/tests/pillar/master_cluster.sls
+++ b/tests/pillar/master_cluster.sls
@@ -25,7 +25,8 @@
host: tcpcloud
apiserver:
address: 10.0.175.100
- port: 8080
+ insecure_address: 127.0.0.1
+ insecure_port: 8080
ca: kubernetes
enabled: true
etcd: