add kubernetes secure to haproxy
diff --git a/haproxy/proxy/listen/kubernetes/apiserver.yml b/haproxy/proxy/listen/kubernetes/apiserver_insecure.yml
similarity index 100%
rename from haproxy/proxy/listen/kubernetes/apiserver.yml
rename to haproxy/proxy/listen/kubernetes/apiserver_insecure.yml
diff --git a/haproxy/proxy/listen/kubernetes/apiserver_secure.yml b/haproxy/proxy/listen/kubernetes/apiserver_secure.yml
new file mode 100644
index 0000000..a4c59ac
--- /dev/null
+++ b/haproxy/proxy/listen/kubernetes/apiserver_secure.yml
@@ -0,0 +1,36 @@
+parameters:
+ haproxy:
+ proxy:
+ listen:
+ k8s_secure:
+ mode: http
+ http_request:
+ # Common proxy headers
+ - action: "set-header X-Forwarded-Port %[dst_port]"
+ - action: "add-header X-Forwarded-Proto https"
+ condition: "if { ssl_fc }"
+ - action: "add-header X-Forwarded-Proto http"
+ condition: "if !{ ssl_fc }"
+ options:
+ - forwardfor
+ - httpclose
+ - httplog
+ binds:
+ - address: ${_param:cluster_vip_address}
+ port: 443
+ ssl:
+ enabled: true
+ pem_file: /etc/haproxy/ssl/kubernetes.pem
+ servers:
+ - name: ${_param:cluster_node01_hostname}
+ host: ${_param:cluster_node01_address}
+ port: 443
+ params: "check ssl verify none"
+ - name: ${_param:cluster_node02_hostname}
+ host: ${_param:cluster_node02_address}
+ port: 443
+ params: "check ssl verify none"
+ - name: ${_param:cluster_node03_hostname}
+ host: ${_param:cluster_node03_address}
+ port: 443
+ params: "check ssl verify none"
\ No newline at end of file
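Review bot: The three backend entries `params: "check ssl verify none"` (node01–node03 server lines) make HAProxy accept any certificate from the upstream apiservers, so the new listener terminates TLS for clients but the VIP→apiserver leg is unauthenticated and can be answered by anything reachable on those addresses at port 443. The same commit already places a cluster CA at /etc/kubernetes/ssl/ca-kubernetes.crt in the k8s_client cert spec, so the safer form on all three servers is `params: "check ssl verify required ca-file /etc/kubernetes/ssl/ca-kubernetes.crt"`, which only succeeds if the apiservers present a certificate chaining to that CA with the node addresses in its SANs (the kubernetes-server spec below does list them, assuming that is the cert the apiservers serve). The nesting under `listen:` cannot be confirmed here because the indentation of this new file has not survived in the diff as shown, and the file ends without a trailing newline.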
diff --git a/salt/minion/cert/k8s_client_certificate.yml b/salt/minion/cert/k8s_client.yml
similarity index 90%
rename from salt/minion/cert/k8s_client_certificate.yml
rename to salt/minion/cert/k8s_client.yml
index 37bf618..06d83c4 100644
--- a/salt/minion/cert/k8s_client_certificate.yml
+++ b/salt/minion/cert/k8s_client.yml
@@ -7,6 +7,7 @@
authority: ${_param:salt_minion_ca_authority}
key_file: /etc/kubernetes/ssl/kubelet-client.key
cert_file: /etc/kubernetes/ssl/kubelet-client.crt
+ ca_file: /etc/kubernetes/ssl/ca-kubernetes.crt
common_name: kubelet-client
signing_policy: cert_client
alternative_names: IP:${_param:cluster_vip_address},IP:${_param:cluster_node01_address},IP:${_param:cluster_node02_address},IP:${_param:cluster_node03_address},IP:${_param:kubernetes_internal_api_address}
\ No newline at end of file
diff --git a/salt/minion/cert/k8s_server_certificate.yml b/salt/minion/cert/k8s_server.yml
similarity index 82%
rename from salt/minion/cert/k8s_server_certificate.yml
rename to salt/minion/cert/k8s_server.yml
index 835f043..c7b38f9 100644
--- a/salt/minion/cert/k8s_server_certificate.yml
+++ b/salt/minion/cert/k8s_server.yml
@@ -8,6 +8,9 @@
common_name: kubernetes-server
key_file: /etc/kubernetes/ssl/kubernetes-server.key
cert_file: /etc/kubernetes/ssl/kubernetes-server.crt
- ca_file: /etc/kubernetes/ssl/ca-kubernetes.crt
+ all_file: /etc/haproxy/ssl/kubernetes.pem
signing_policy: cert_server
- alternative_names: IP:${_param:cluster_vip_address},IP:${_param:cluster_node01_address},IP:${_param:cluster_node02_address},IP:${_param:cluster_node03_address},IP:${_param:kubernetes_internal_api_address}
\ No newline at end of file
+ alternative_names: IP:${_param:cluster_vip_address},IP:${_param:cluster_node01_address},IP:${_param:cluster_node02_address},IP:${_param:cluster_node03_address},IP:${_param:kubernetes_internal_api_address}
+ user: root
+ group: haproxy
+ mode: 640
\ No newline at end of file
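Review bot: `mode: 640` on the new ownership lines is an unquoted scalar and is read as the integer 640 rather than the string a file-mode field normally expects; if someone later adds the customary leading zero (`0640`) a YAML 1.1 loader silently turns it into decimal 416, so write it as `mode: "0640"` (or `"640"`) to keep it a string. The combined PEM at /etc/haproxy/ssl/kubernetes.pem named by `all_file` carries the private key, so root:haproxy with 640 is the narrowest ownership that still lets the proxy load it, but nothing in the hunk says why this file is treated differently from the other key files; a comment above `all_file`, e.g. `# combined key+cert consumed by the haproxy k8s_secure listener; group-readable so haproxy can load it, never world-readable`, would record that. The enclosing cert spec starts before this hunk.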