Merge "Add devstack support for https k8s api server"

devstack/local.conf.sample

@@ -105,8 +105,12 @@ enable_service kubernetes-scheduler
 #
 # If, however, you are reusing an existing deployment, you should uncomment and
 # set an ENV var so that the Kubelet devstack runs can find the API server:
-# KURYR_K8S_API_URL="http://k8s_api_ip:k8s_api_port"
+# KURYR_K8S_API_URL="http (or https, if K8S is SSL/TLS enabled)://k8s_api_ip:k8s_api_port"
 #
+# If kubernetes API server is 'https' enabled, set path of the ssl cert files
+# KURYR_K8S_API_CERT="/etc/kubernetes/certs/kubecfg.crt"
+# KURYR_K8S_API_KEY="/etc/kubernetes/certs/kubecfg.key"
+# KURYR_K8S_API_CACERT="/etc/kubernetes/certs/ca.crt"
 
 # Kubelet
 # =======

devstack/plugin.sh

@@ -73,6 +73,15 @@ function configure_kuryr {
     # "$(get_distutils_data_path)/libexec/kuryr"
 
     iniset "$KURYR_CONFIG" kubernetes api_root "$KURYR_K8S_API_URL"
+    if [ "$KURYR_K8S_API_CERT" ]; then
+        iniset "$KURYR_CONFIG" kubernetes ssl_client_crt_file "$KURYR_K8S_API_CERT"
+    fi
+    if [ "$KURYR_K8S_API_KEY" ]; then
+        iniset "$KURYR_CONFIG" kubernetes ssl_client_key_file "$KURYR_K8S_API_KEY"
+    fi
+    if [ "$KURYR_K8S_API_CACERT" ]; then
+        iniset "$KURYR_CONFIG" kubernetes ssl_ca_crt_file "$KURYR_K8S_API_CACERT"
+    fi
     # REVISIT(ivc): 'use_stderr' is required for current CNI driver. Once a
     # daemon-based CNI driver is implemented, this could be removed.
     iniset "$KURYR_CONFIG" DEFAULT use_stderr true

devstack/settings

@@ -32,3 +32,6 @@ KURYR_HYPERKUBE_BINARY=${KURYR_HYPERKUBE_BINARY:-/usr/local/bin/hyperkube}
 KURYR_K8S_CLUSTER_IP_RANGE=${KURYR_K8S_CLUSTER_IP_RANGE:-10.20.0.0/24}
 KURYR_K8S_API_PORT=${KURYR_K8S_API_PORT:-8080}
 KURYR_K8S_API_URL=${KURYR_K8S_API_URL:-http://${HOST_IP}:${KURYR_K8S_API_PORT}}
+KURYR_K8S_API_CERT=${KURYR_K8S_API_CERT:-}
+KURYR_K8S_API_KEY=${KURYR_K8S_API_KEY:-}
+KURYR_K8S_API_CACERT=${KURYR_K8S_API_CACERT:-}