commit 86b2b7d39180feba9efc61e7e44323ee4ee69beb
author Łukasz Oleś <loles@mirantis.com> Tue Nov 20 10:53:58 2018 +0100
committer Łukasz Oleś <loles@mirantis.com> Mon Dec 17 23:15:06 2018 +0100
tree c0f9a5dcf754299b3518098d6b96bcffc478afb8
parent 5ffe2b354ed5fb48310b292bffef41a887619950

Generate certs for aggregation layer

Will be used for api server flags: --proxy-client-cert-file, --proxy-client-key-file
https://kubernetes.io/docs/tasks/access-kubernetes-api/configure-aggregation-layer/

Related story: https://mirantis.jira.com/browse/PROD-24599

Change-Id: I673665949fd912ace5332c2dfd6500a61d45b136

salt/minion/cert/k8s_client.yml

diff --git a/salt/minion/cert/k8s_client.yml b/salt/minion/cert/k8s_client.yml
index ff7dabf..3afb16f 100644
--- a/salt/minion/cert/k8s_client.yml
+++ b/salt/minion/cert/k8s_client.yml
@@ -49,3 +49,12 @@
           common_name: system:kube-controller-manager
           signing_policy: cert_client
           alternative_names: IP:${_param:kubernetes_control_address},IP:${_param:kubernetes_control_node01_address},IP:${_param:kubernetes_control_node02_address},IP:${_param:kubernetes_control_node03_address},IP:${_param:kubernetes_internal_api_address}
+        k8s_aggregator_proxy:
+          host: ${_param:salt_minion_ca_host}
+          authority: ${_param:salt_minion_ca_authority}
+          key_file: /etc/kubernetes/ssl/kube-aggregator-proxy-client.key
+          cert_file: /etc/kubernetes/ssl/kube-aggregator-proxy-client.crt
+          ca_file: /etc/kubernetes/ssl/ca-kubernetes.crt
+          common_name: system:kube-controller-manager
+          signing_policy: cert_client
+          alternative_names: IP:${_param:kubernetes_control_address},IP:${_param:kubernetes_control_node01_address},IP:${_param:kubernetes_control_node02_address},IP:${_param:kubernetes_control_node03_address},IP:${_param:kubernetes_internal_api_address}

salt/minion/cert/k8s_client_single.yml

diff --git a/salt/minion/cert/k8s_client_single.yml b/salt/minion/cert/k8s_client_single.yml
index a2f3d89..17236ec 100644
--- a/salt/minion/cert/k8s_client_single.yml
+++ b/salt/minion/cert/k8s_client_single.yml
@@ -49,3 +49,12 @@
           common_name: system:kube-controller-manager
           signing_policy: cert_client
           alternative_names: IP:${_param:kubernetes_control_address},IP:${_param:kubernetes_internal_api_address}
+        k8s_aggregator_proxy:
+          host: ${_param:salt_minion_ca_host}
+          authority: ${_param:salt_minion_ca_authority}
+          key_file: /etc/kubernetes/ssl/kube-aggregator-proxy-client.key
+          cert_file: /etc/kubernetes/ssl/kube-aggregator-proxy-client.crt
+          ca_file: /etc/kubernetes/ssl/ca-kubernetes.crt
+          common_name: system:kube-controller-manager
+          signing_policy: cert_client
+          alternative_names: IP:${_param:kubernetes_control_address},IP:${_param:kubernetes_internal_api_address}