
Disable anonymous-auth

- Turn off anonymous-auth.
- Reworked haproxy helm test and updated test images.
- Reworked kubernetes-apiserver readiness and liveness tests.

Change-Id: Ifb39ebed0f9f6e430e97247fceebbd7816f092c7
Aaron Sheffield 11 months ago
parent
commit
6fa106fe2a

+ 10
- 5
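--- a/charts/apiserver/templates/daemonset.yaml
+++ b/charts/apiserver/templates/daemonset.yaml
@@ -64,11 +64,16 @@ spec:
                   - /tmp/bin/pre_stop
 
           readinessProbe:
-            httpGet:
-              host: 127.0.0.1
-              path: /healthz
-              port: {{ .Values.network.kubernetes_apiserver.port }}
-              scheme: HTTPS
+            exec:
+              command:
+              - /bin/bash
+              - -c
+              - |-
+                if [ ! -f /host{{ .Values.apiserver.host_etc_path }}/pki/apiserver-both.pem ]; then
+                  cat /host{{ .Values.apiserver.host_etc_path }}/pki/apiserver-key.pem /host{{ .Values.apiserver.host_etc_path }}/pki/apiserver.pem > /etc/kubernetes/apiserver/pki/apiserver-both.pem
+                fi
+                echo -e 'GET /healthz HTTP/1.0\r\n' | socat - openssl:localhost:{{ .Values.network.kubernetes_apiserver.port }},cert=/host{{ .Values.apiserver.host_etc_path }}/pki/apiserver-both.pem,cafile=/host{{ .Values.apiserver.host_etc_path }}/pki/cluster-ca.pem | grep '200 OK'
+                exit $?
             initialDelaySeconds: 10
             periodSeconds: 5
             timeoutSeconds: 5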
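Review bot: The guard `if [ ! -f /host{{ .Values.apiserver.host_etc_path }}/pki/apiserver-both.pem ]` and the socat `cert=` argument both use the `/host...` path, but the `cat` line in between writes the combined file to `/etc/kubernetes/apiserver/pki/apiserver-both.pem`; unless that directory is the same mount as the host pki directory inside this container, the guard never sees the file, the concatenation runs on every probe, and socat cannot find its client certificate. The write should target the path it checks, `> /host{{ .Values.apiserver.host_etc_path }}/pki/apiserver-both.pem`. The redirect also inherits the shell's default umask, so the file now holding the apiserver private key can be created with wider permissions than `apiserver-key.pem`; wrapping the write as `(umask 077; cat ... > ...)` keeps it owner-only. The same umask point applies to both probes in charts/apiserver/templates/etc/_kubernetes-apiserver.yaml.tpl.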

+ 21
- 11
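--- a/charts/apiserver/templates/etc/_kubernetes-apiserver.yaml.tpl
+++ b/charts/apiserver/templates/etc/_kubernetes-apiserver.yaml.tpl
@@ -39,7 +39,7 @@ spec:
         - {{ . }}
         {{- end }}
         - --advertise-address=$(POD_IP)
-        - --anonymous-auth=true
+        - --anonymous-auth=false
         - --bind-address=0.0.0.0
         - --secure-port={{ .Values.network.kubernetes_apiserver.port }}
         - --insecure-port=0
@@ -61,22 +61,32 @@ spec:
         - containerPort: {{ .Values.network.kubernetes_apiserver.port }}
 
       readinessProbe:
-        httpGet:
-          host: 127.0.0.1
-          path: /healthz
-          port: {{ .Values.network.kubernetes_apiserver.port }}
-          scheme: HTTPS
+        exec:
+          command:
+          - /bin/bash
+          - -c
+          - |-
+            if [ ! -f /etc/kubernetes/apiserver/pki/apiserver-both.pem ]; then
+              cat /etc/kubernetes/apiserver/pki/apiserver-key.pem /etc/kubernetes/apiserver/pki/apiserver.pem > /etc/kubernetes/apiserver/pki/apiserver-both.pem
+            fi
+            echo -e 'GET /healthz HTTP/1.0\r\n' | socat - openssl:localhost:{{ .Values.network.kubernetes_apiserver.port }},cert=/etc/kubernetes/apiserver/pki/apiserver-both.pem,cafile=/etc/kubernetes/apiserver/pki/cluster-ca.pem | grep '200 OK'
+            exit $?
         initialDelaySeconds: 10
         periodSeconds: 5
         timeoutSeconds: 5
 
       livenessProbe:
+        exec:
+          command:
+          - /bin/bash
+          - -c
+          - |-
+            if [ ! -f /etc/kubernetes/apiserver/pki/apiserver-both.pem ]; then
+              cat /etc/kubernetes/apiserver/pki/apiserver-key.pem /etc/kubernetes/apiserver/pki/apiserver.pem > /etc/kubernetes/apiserver/pki/apiserver-both.pem
+            fi
+            echo -e 'GET /healthz HTTP/1.0\r\n' | socat - openssl:localhost:{{ .Values.network.kubernetes_apiserver.port }},cert=/etc/kubernetes/apiserver/pki/apiserver-both.pem,cafile=/etc/kubernetes/apiserver/pki/cluster-ca.pem | grep '200 OK'
+            exit $?
         failureThreshold: 2
-        httpGet:
-          host: 127.0.0.1
-          path: /healthz
-          port: {{ .Values.network.kubernetes_apiserver.port }}
-          scheme: HTTPS
         initialDelaySeconds: 15
         periodSeconds: 10
         successThreshold: 1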
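Review bot: The liveness probe script added under `livenessProbe:` in the second hunk is a verbatim copy of the readiness script above it (and of the one in charts/apiserver/templates/daemonset.yaml), so any later change to the certificate paths or the health request has to be made in three places. A Helm named template holding the script, included from each probe, would keep them in step. Note also that liveness now depends on the client-certificate handshake against `cluster-ca.pem` succeeding: a certificate or CA rotation that breaks that handshake restarts the apiserver (after `failureThreshold: 2`) rather than only marking it unready, which is presumably intended but deserves a comment on the probe, e.g. `# liveness uses a TLS client cert because anonymous-auth is disabled; a broken cert/CA restarts the pod`.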

+ 1
- 1
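--- a/charts/haproxy/templates/tests/test-haproxy-health.yaml
+++ b/charts/haproxy/templates/tests/test-haproxy-health.yaml
@@ -33,7 +33,7 @@ spec:
             fieldRef:
               fieldPath: status.hostIP
         - name: 'HAPROXY_URL'
-          value: https://$(HOST_IP):{{ .Values.endpoints.health.port }}/{{ .Values.endpoints.health.path }}
+          value: https://$(HOST_IP):{{ .Values.endpoints.health.port }}
       image: {{ .Values.images.tags.test }}
       imagePullPolicy: {{ .Values.images.pull_policy }}
 {{ tuple . .Values.pod.resources.test | include "helm-toolkit.snippets.kubernetes_resources" | indent 6 }}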

+ 0
- 1
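--- a/charts/haproxy/values.yaml
+++ b/charts/haproxy/values.yaml
@@ -70,7 +70,6 @@ manifests:
 endpoints:
   health:
     port: 6553
-    path: "healthz"
 
 pod:
   lifecycle: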

+ 1
- 1
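--- a/examples/basic/armada-resources.yaml
+++ b/examples/basic/armada-resources.yaml
@@ -613,7 +613,7 @@ data:
       tags:
         anchor: gcr.io/google_containers/hyperkube-amd64:v1.10.2
         haproxy: haproxy:1.8.3
-        test: busybox:1.28.3
+        test: python:3.6
 
   source:
     type: local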

+ 1
- 1
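--- a/examples/complete/armada-resources.yaml
+++ b/examples/complete/armada-resources.yaml
@@ -647,7 +647,7 @@ data:
       tags:
         anchor: gcr.io/google_containers/hyperkube-amd64:v1.10.2
         haproxy: haproxy:1.8.3
-        test: busybox:1.28.3
+        test: python:3.6
 
   source:
     type: local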

+ 1
- 1
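--- a/promenade/templates/roles/genesis/etc/kubernetes/manifests/bootstrap-armada.yaml
+++ b/promenade/templates/roles/genesis/etc/kubernetes/manifests/bootstrap-armada.yaml
@@ -124,7 +124,7 @@ spec:
       - --advertise-address={{ config['Genesis:ip'] }}
       - --authorization-mode=Node,RBAC
       - --admission-control=NamespaceLifecycle,LimitRanger,ServiceAccount,PersistentVolumeLabel,DefaultStorageClass,ResourceQuota,DefaultTolerationSeconds
-      - --anonymous-auth=true
+      - --anonymous-auth=false
       - --client-ca-file=/etc/kubernetes/apiserver/pki/cluster-ca.pem
       - --kubelet-certificate-authority=/etc/kubernetes/apiserver/pki/cluster-ca.pem
       - --kubelet-client-certificate=/etc/kubernetes/apiserver/pki/apiserver.pem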

+ 1
- 1
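--- a/promenade/templates/roles/genesis/etc/kubernetes/manifests/kubernetes-apiserver.yaml
+++ b/promenade/templates/roles/genesis/etc/kubernetes/manifests/kubernetes-apiserver.yaml
@@ -20,7 +20,7 @@ spec:
         - --advertise-address={{ config['Genesis:ip'] }}
         - --authorization-mode=Node,RBAC
         - --admission-control=NamespaceLifecycle,LimitRanger,ServiceAccount,PersistentVolumeLabel,DefaultStorageClass,ResourceQuota,DefaultTolerationSeconds
-        - --anonymous-auth=true
+        - --anonymous-auth=false
         - --client-ca-file=/etc/kubernetes/apiserver/pki/cluster-ca.pem
         - --kubelet-certificate-authority=/etc/kubernetes/apiserver/pki/cluster-ca.pem
         - --kubelet-client-certificate=/etc/kubernetes/apiserver/pki/apiserver.pem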
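Review bot: Flipping `--anonymous-auth=false` in this genesis static-pod manifest (and in bootstrap-armada.yaml above) means an unauthenticated `/healthz` request is now rejected, but unlike the chart templates this diff does not touch any probe in these two manifests; if either pod spec outside the hunk carries an `httpGet` probe against `/healthz`, it will start failing once the flag takes effect, so that part of the file should be checked in the same change. A short comment above the flag, `# /healthz now requires a client cert; keep probes in step with the chart templates`, would make the dependency visible to the next editor.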
