Make kubelet and kube-proxy use the secure port

Create certificates for kubelet and kube-proxy on control-plane nodes similar to worker nodes. Use the secure kube-apiserver port on control-plane nodes. story: 2008524 task: 41602 Change-Id: Ibeb32a24ca25914cab32c63a9ccafaf711148a84 Signed-off-by: Spyros Trigazis <spyridon.trigazis@cern.ch>
2021-01-15 12:27:54 +00:00 · 2021-01-15 12:27:54 +00:00 · d11f4e8393
parent f2aae8834e
commit d11f4e8393
3 changed files with 15 additions and 10 deletions
--- a/magnum/drivers/common/templates/kubernetes/fragments/configure-kubernetes-master.sh
+++ b/magnum/drivers/common/templates/kubernetes/fragments/configure-kubernetes-master.sh
@ -46,6 +46,7 @@ elif [ "$NETWORK_DRIVER" = "flannel" ]; then
 fi
 KUBE_MASTER_URI="https://127.0.0.1:$KUBE_API_PORT"
 mkdir -p /srv/magnum/kubernetes/
 cat > /etc/kubernetes/config <<EOF
 KUBE_LOGTOSTDERR="--logtostderr=true"
@ -277,16 +278,16 @@ cat > /etc/kubernetes/proxy << EOF
 KUBE_PROXY_ARGS="${KUBE_PROXY_ARGS} ${KUBEPROXY_OPTIONS}"
 EOF
-cat > ${PROXY_KUBECONFIG} << EOF
+cat << EOF >> ${PROXY_KUBECONFIG}
 apiVersion: v1
 clusters:
 - cluster:
    certificate-authority: ${CERT_DIR}/ca.crt
-    server: http://127.0.0.1:8080
+    server: ${KUBE_MASTER_URI}
-  name: kubernetes
+  name: ${CLUSTER_UUID}
 contexts:
 - context:
-    cluster: kubernetes
+    cluster: ${CLUSTER_UUID}
    user: kube-proxy
  name: default
 current-context: default
@ -296,6 +297,8 @@ users:
 - name: kube-proxy
  user:
    as-user-extra: {}
    client-certificate: ${CERT_DIR}/proxy.crt
    client-key: ${CERT_DIR}/proxy.key
 EOF
 sed -i '
@ -383,7 +386,7 @@ apiVersion: v1
 clusters:
 - cluster:
    certificate-authority: ${CERT_DIR}/ca.crt
-    server: https://127.0.0.1:$KUBE_API_PORT
+    server: ${KUBE_MASTER_URI}
  name: ${CLUSTER_UUID}
 contexts:
 - context:
@ -468,11 +471,11 @@ apiVersion: v1
 clusters:
 - cluster:
    certificate-authority: ${CERT_DIR}/ca.crt
-    server: http://127.0.0.1:8080
+    server: ${KUBE_MASTER_URI}
-  name: kubernetes
+  name: ${CLUSTER_UUID}
 contexts:
 - context:
-    cluster: kubernetes
+    cluster: ${CLUSTER_UUID}
    user: system:node:${INSTANCE_NAME}
  name: default
 current-context: default
@ -482,8 +485,8 @@ users:
 - name: system:node:${INSTANCE_NAME}
  user:
    as-user-extra: {}
-    client-certificate: ${CERT_DIR}/server.crt
+    client-certificate: ${CERT_DIR}/kubelet.crt
-    client-key: ${CERT_DIR}/server.key
+    client-key: ${CERT_DIR}/kubelet.key
 EOF
 cat > /etc/kubernetes/get_require_kubeconfig.sh << EOF
--- a/magnum/drivers/k8s_fedora_atomic_v1/templates/kubemaster.yaml
+++ b/magnum/drivers/k8s_fedora_atomic_v1/templates/kubemaster.yaml
@ -838,6 +838,7 @@ resources:
            - get_file: ../../common/templates/kubernetes/fragments/install-cri.sh
            - get_file: ../../common/templates/kubernetes/fragments/install-clients.sh
            - get_file: ../../common/templates/kubernetes/fragments/make-cert.sh
            - get_file: ../../common/templates/kubernetes/fragments/make-cert-client.sh
            - str_replace:
                template: {get_file: ../../common/templates/kubernetes/fragments/enable-cert-api-manager.sh}
                params:
--- a/magnum/drivers/k8s_fedora_coreos_v1/templates/kubemaster.yaml
+++ b/magnum/drivers/k8s_fedora_coreos_v1/templates/kubemaster.yaml
@ -850,6 +850,7 @@ resources:
            - get_file: ../../common/templates/kubernetes/fragments/install-cri.sh
            - get_file: ../../common/templates/kubernetes/fragments/install-clients.sh
            - get_file: ../../common/templates/kubernetes/fragments/make-cert.sh
            - get_file: ../../common/templates/kubernetes/fragments/make-cert-client.sh
            - str_replace:
                template: {get_file: ../../common/templates/kubernetes/fragments/enable-cert-api-manager.sh}
                params: