Merge pull request #49 from Mirantis/k8s_certs

[WIP] add kubernetes secure to haproxy
diff --git a/haproxy/proxy/listen/kubernetes/apiserver.yml b/haproxy/proxy/listen/kubernetes/apiserver_insecure.yml
similarity index 100%
rename from haproxy/proxy/listen/kubernetes/apiserver.yml
rename to haproxy/proxy/listen/kubernetes/apiserver_insecure.yml
diff --git a/haproxy/proxy/listen/kubernetes/apiserver_secure.yml b/haproxy/proxy/listen/kubernetes/apiserver_secure.yml
new file mode 100644
index 0000000..a2994ef
--- /dev/null
+++ b/haproxy/proxy/listen/kubernetes/apiserver_secure.yml
@@ -0,0 +1,36 @@
+parameters:
+  haproxy:
+    proxy:
+      listen:
+        k8s_secure:
+          mode: http
+          http_request:
+            # Common proxy headers
+            - action: "set-header X-Forwarded-Port %[dst_port]"
+            - action: "add-header X-Forwarded-Proto https"
+              condition: "if { ssl_fc }"
+            - action: "add-header X-Forwarded-Proto http"
+              condition: "if !{ ssl_fc }"
+          options:
+            - forwardfor
+            - httpclose
+            - httplog
+          binds:
+            - address: ${_param:cluster_vip_address}
+              port: 443
+              ssl:
+                enabled: true
+                pem_file: /etc/kubernetes/ssl/kubernetes-server.pem
+          servers:
+            - name: ${_param:cluster_node01_hostname}
+              host: ${_param:cluster_node01_address}
+              port: 443
+              params: "check ssl verify none"
+            - name: ${_param:cluster_node02_hostname}
+              host: ${_param:cluster_node02_address}
+              port: 443
+              params: "check ssl verify none"
+            - name: ${_param:cluster_node03_hostname}
+              host: ${_param:cluster_node03_address}
+              port: 443
+              params: "check ssl verify none"
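Review bot: The `params: "check ssl verify none"` line on each of the three `servers` entries makes HAProxy open TLS to the apiservers without verifying their certificates, so the proxy-to-backend hop accepts any certificate presented on the node address; since this commit also references a CA file at `/etc/kubernetes/ssl/ca-kubernetes.crt`, the checks can be made strict with `params: "check ssl verify required ca-file /etc/kubernetes/ssl/ca-kubernetes.crt"` on all three entries (assuming that CA file is distributed to the proxy node). Separately, `mode: http` combined with `ssl.enabled: true` terminates the client's TLS session at HAProxy, so a client certificate presented by kubelets or kubectl never reaches the apiserver and certificate-based authentication cannot work through this listener; if that is the intended authentication method, a `mode: tcp` passthrough with TLS ending at the apiserver is the usual shape. The `pem_file` path `/etc/kubernetes/ssl/kubernetes-server.pem` is also not where the new `k8s_server` cert definition writes its `.pem` (`/srv/salt/env/.../_certs/kubernetes/kubernetes-server.pem`), so a copy step must exist outside this commit.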
diff --git a/salt/minion/cert/k8s_client_certificate.yml b/salt/minion/cert/k8s_client.yml
similarity index 90%
rename from salt/minion/cert/k8s_client_certificate.yml
rename to salt/minion/cert/k8s_client.yml
index 37bf618..06d83c4 100644
--- a/salt/minion/cert/k8s_client_certificate.yml
+++ b/salt/minion/cert/k8s_client.yml
@@ -7,6 +7,7 @@
           authority: ${_param:salt_minion_ca_authority}
           key_file: /etc/kubernetes/ssl/kubelet-client.key
           cert_file: /etc/kubernetes/ssl/kubelet-client.crt
+          ca_file: /etc/kubernetes/ssl/ca-kubernetes.crt
           common_name: kubelet-client
           signing_policy: cert_client
           alternative_names: IP:${_param:cluster_vip_address},IP:${_param:cluster_node01_address},IP:${_param:cluster_node02_address},IP:${_param:cluster_node03_address},IP:${_param:kubernetes_internal_api_address}
\ No newline at end of file
diff --git a/salt/minion/cert/k8s_server.yml b/salt/minion/cert/k8s_server.yml
new file mode 100644
index 0000000..d9b1da6
--- /dev/null
+++ b/salt/minion/cert/k8s_server.yml
@@ -0,0 +1,13 @@
+parameters:
+  salt:
+    minion:
+      cert:
+        k8s_server:
+          host: ${_param:salt_minion_ca_host}
+          authority: ${_param:salt_minion_ca_authority}
+          common_name: kubernetes-server
+          key_file: /srv/salt/env/${_param:salt_master_base_environment}/_certs/kubernetes/kubernetes-server.key
+          cert_file: /srv/salt/env/${_param:salt_master_base_environment}/_certs/kubernetes/kubernetes-server.crt
+          all_file: /srv/salt/env/${_param:salt_master_base_environment}/_certs/kubernetes/kubernetes-server.pem
+          signing_policy: cert_server
+          alternative_names: IP:${_param:cluster_vip_address},IP:${_param:cluster_node01_address},IP:${_param:cluster_node02_address},IP:${_param:cluster_node03_address},IP:${_param:kubernetes_internal_api_address}
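Review bot: `key_file` places the kubernetes-server private key under `/srv/salt/env/${_param:salt_master_base_environment}/_certs/kubernetes/`, which is the Salt master's file root; if that environment is served by the master fileserver, the key is readable by every minion as a `salt://` file, so a path outside the file root (or pillar delivery) would be safer, and the choice should at least be documented with a comment such as `# NOTE: these paths are inside the Salt file root; restrict access or move before production`. The new definition also drops the `ca_file` key that the deleted `k8s_server_certificate.yml` carried and that this same commit adds to `k8s_client.yml`, so the server-side CA certificate is no longer written unless the cert state does so implicitly. Finally, the `.pem` produced here is not at `/etc/kubernetes/ssl/kubernetes-server.pem`, the `pem_file` the new `k8s_secure` HAProxy listener binds, so a distribution step is needed outside this commit.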
diff --git a/salt/minion/cert/k8s_server_certificate.yml b/salt/minion/cert/k8s_server_certificate.yml
deleted file mode 100644
index 835f043..0000000
--- a/salt/minion/cert/k8s_server_certificate.yml
+++ /dev/null
@@ -1,13 +0,0 @@
-parameters:
-  salt:
-    minion:
-      cert:
-        k8s_server:
-          host: ${_param:salt_minion_ca_host}
-          authority: ${_param:salt_minion_ca_authority}
-          common_name: kubernetes-server
-          key_file: /etc/kubernetes/ssl/kubernetes-server.key
-          cert_file: /etc/kubernetes/ssl/kubernetes-server.crt
-          ca_file: /etc/kubernetes/ssl/ca-kubernetes.crt
-          signing_policy: cert_server
-          alternative_names: IP:${_param:cluster_vip_address},IP:${_param:cluster_node01_address},IP:${_param:cluster_node02_address},IP:${_param:cluster_node03_address},IP:${_param:kubernetes_internal_api_address}
\ No newline at end of file