commit 803aa03f419531ae0cd82b468d04f3a97b5dfcfc
author Tomáš Kukrál <tkukral@mirantis.com> Tue Feb 06 13:03:28 2018 +0100
committer Tomas Kukral <tkukral@mirantis.com> Tue Feb 06 12:04:26 2018 +0000
tree 4f78419b2cac029afb2b0bff77c61566a3e12a39
parent 5aa447bd1131c2b0be1c33ceb9e74f51d6a5b00c

fix Kubernetes certs

* move scheduler and controller manager to k8s_server
* add admin user

Change-Id: Ic611ef59d1115239b804dcc294db093beca452de

salt/minion/cert/k8s_client.yml

diff --git a/salt/minion/cert/k8s_client.yml b/salt/minion/cert/k8s_client.yml
index be262b5..53ff3ba 100644
--- a/salt/minion/cert/k8s_client.yml
+++ b/salt/minion/cert/k8s_client.yml
@@ -21,21 +21,3 @@
           common_name: system:kube-proxy
           signing_policy: cert_client
           alternative_names: IP:${_param:cluster_vip_address},IP:${_param:cluster_node01_address},IP:${_param:cluster_node02_address},IP:${_param:cluster_node03_address},IP:${_param:kubernetes_internal_api_address}
-        k8s_scheduler:
-          host: ${_param:salt_minion_ca_host}
-          authority: ${_param:salt_minion_ca_authority}
-          key_file: /etc/kubernetes/ssl/kube-scheduler-client.key
-          cert_file: /etc/kubernetes/ssl/kube-scheduler-client.crt
-          ca_file: /etc/kubernetes/ssl/ca-kubernetes.crt
-          common_name: system:kube-scheduler
-          signing_policy: cert_client
-          alternative_names: IP:${_param:cluster_vip_address},IP:${_param:cluster_node01_address},IP:${_param:cluster_node02_address},IP:${_param:cluster_node03_address},IP:${_param:kubernetes_internal_api_address}
-        k8s_controller_manager:
-          host: ${_param:salt_minion_ca_host}
-          authority: ${_param:salt_minion_ca_authority}
-          key_file: /etc/kubernetes/ssl/kube-controller-manager-client.key
-          cert_file: /etc/kubernetes/ssl/kube-controller-manager-client.crt
-          ca_file: /etc/kubernetes/ssl/ca-kubernetes.crt
-          common_name: system:kube-controller-manager
-          signing_policy: cert_client
-          alternative_names: IP:${_param:cluster_vip_address},IP:${_param:cluster_node01_address},IP:${_param:cluster_node02_address},IP:${_param:cluster_node03_address},IP:${_param:kubernetes_internal_api_address}

salt/minion/cert/k8s_client_single.yml

diff --git a/salt/minion/cert/k8s_client_single.yml b/salt/minion/cert/k8s_client_single.yml
index e9c7d79..eb7b21c 100644
--- a/salt/minion/cert/k8s_client_single.yml
+++ b/salt/minion/cert/k8s_client_single.yml
@@ -21,21 +21,3 @@
           common_name: system:kube-proxy
           signing_policy: cert_client
           alternative_names: IP:${_param:control_address},IP:${_param:kubernetes_internal_api_address}
-        k8s_scheduler:
-          host: ${_param:salt_minion_ca_host}
-          authority: ${_param:salt_minion_ca_authority}
-          key_file: /etc/kubernetes/ssl/kube-scheduler-client.key
-          cert_file: /etc/kubernetes/ssl/kube-scheduler-client.crt
-          ca_file: /etc/kubernetes/ssl/ca-kubernetes.crt
-          common_name: system:kube-scheduler
-          signing_policy: cert_client
-          alternative_names: IP:${_param:control_address},IP:${_param:kubernetes_internal_api_address}
-        k8s_controller_manager:
-          host: ${_param:salt_minion_ca_host}
-          authority: ${_param:salt_minion_ca_authority}
-          key_file: /etc/kubernetes/ssl/kube-controller-manager-client.key
-          cert_file: /etc/kubernetes/ssl/kube-controller-manager-client.crt
-          ca_file: /etc/kubernetes/ssl/ca-kubernetes.crt
-          common_name: system:kube-controller-manager
-          signing_policy: cert_client
-          alternative_names: IP:${_param:control_address},IP:${_param:kubernetes_internal_api_address}

salt/minion/cert/k8s_server.yml

diff --git a/salt/minion/cert/k8s_server.yml b/salt/minion/cert/k8s_server.yml
index 603d369..d81f5a5 100644
--- a/salt/minion/cert/k8s_server.yml
+++ b/salt/minion/cert/k8s_server.yml
@@ -11,3 +11,30 @@
           all_file: /srv/salt/env/${_param:salt_master_base_environment}/_certs/kubernetes/kubernetes-server.pem
           signing_policy: cert_server
           alternative_names: IP:${_param:cluster_vip_address},IP:${_param:cluster_node01_address},IP:${_param:cluster_node02_address},IP:${_param:cluster_node03_address},IP:${_param:kubernetes_internal_api_address},DNS:kubernetes.default,DNS:kubernetes.default.svc
+        k8s_scheduler:
+          host: ${_param:salt_minion_ca_host}
+          authority: ${_param:salt_minion_ca_authority}
+          key_file: /etc/kubernetes/ssl/kube-scheduler-client.key
+          cert_file: /etc/kubernetes/ssl/kube-scheduler-client.crt
+          ca_file: /etc/kubernetes/ssl/ca-kubernetes.crt
+          common_name: system:kube-scheduler
+          signing_policy: cert_client
+          alternative_names: IP:${_param:cluster_vip_address},IP:${_param:cluster_node01_address},IP:${_param:cluster_node02_address},IP:${_param:cluster_node03_address},IP:${_param:kubernetes_internal_api_address}
+        k8s_controller_manager:
+          host: ${_param:salt_minion_ca_host}
+          authority: ${_param:salt_minion_ca_authority}
+          key_file: /etc/kubernetes/ssl/kube-controller-manager-client.key
+          cert_file: /etc/kubernetes/ssl/kube-controller-manager-client.crt
+          ca_file: /etc/kubernetes/ssl/ca-kubernetes.crt
+          common_name: system:kube-controller-manager
+          signing_policy: cert_client
+          alternative_names: IP:${_param:cluster_vip_address},IP:${_param:cluster_node01_address},IP:${_param:cluster_node02_address},IP:${_param:cluster_node03_address},IP:${_param:kubernetes_internal_api_address}
+        k8s_admin:
+          host: ${_param:salt_minion_ca_host}
+          authority: ${_param:salt_minion_ca_authority}
+          key_file: /etc/kubernetes/ssl/admin.key
+          cert_file: /etc/kubernetes/ssl/admin.crt
+          ca_file: /etc/kubernetes/ssl/ca-kubernetes.crt
+          common_name: admin
+          organization_name: system:masters
+          signing_policy: cert_client

salt/minion/cert/k8s_server_single.yml

diff --git a/salt/minion/cert/k8s_server_single.yml b/salt/minion/cert/k8s_server_single.yml
index 33637e4..fa3a008 100644
--- a/salt/minion/cert/k8s_server_single.yml
+++ b/salt/minion/cert/k8s_server_single.yml
@@ -11,3 +11,30 @@
           all_file: /srv/salt/env/${_param:salt_master_base_environment}/_certs/kubernetes/kubernetes-server.pem
           signing_policy: cert_server
           alternative_names: IP:${_param:control_address},IP:${_param:kubernetes_internal_api_address}
+        k8s_scheduler:
+          host: ${_param:salt_minion_ca_host}
+          authority: ${_param:salt_minion_ca_authority}
+          key_file: /etc/kubernetes/ssl/kube-scheduler-client.key
+          cert_file: /etc/kubernetes/ssl/kube-scheduler-client.crt
+          ca_file: /etc/kubernetes/ssl/ca-kubernetes.crt
+          common_name: system:kube-scheduler
+          signing_policy: cert_client
+          alternative_names: IP:${_param:control_address},IP:${_param:kubernetes_internal_api_address}
+        k8s_controller_manager:
+          host: ${_param:salt_minion_ca_host}
+          authority: ${_param:salt_minion_ca_authority}
+          key_file: /etc/kubernetes/ssl/kube-controller-manager-client.key
+          cert_file: /etc/kubernetes/ssl/kube-controller-manager-client.crt
+          ca_file: /etc/kubernetes/ssl/ca-kubernetes.crt
+          common_name: system:kube-controller-manager
+          signing_policy: cert_client
+          alternative_names: IP:${_param:control_address},IP:${_param:kubernetes_internal_api_address}
+        k8s_admin:
+          host: ${_param:salt_minion_ca_host}
+          authority: ${_param:salt_minion_ca_authority}
+          key_file: /etc/kubernetes/ssl/admin.key
+          cert_file: /etc/kubernetes/ssl/admin.crt
+          ca_file: /etc/kubernetes/ssl/ca-kubernetes.crt
+          common_name: admin
+          organization_name: system:masters
+          signing_policy: cert_client