From d11f4e8393ee5fd6bb2872af035352f7df2baa03 Mon Sep 17 00:00:00 2001 From: Spyros Trigazis Date: Fri, 15 Jan 2021 12:27:54 +0000 Subject: [PATCH] Make kubelet and kube-proxy use the secure port Create certificates for kubelet and kube-proxy on control-plane nodes similar to worker nodes. Use the secure kube-apiserver port on control-plane nodes. story: 2008524 task: 41602 Change-Id: Ibeb32a24ca25914cab32c63a9ccafaf711148a84 Signed-off-by: Spyros Trigazis --- .../fragments/configure-kubernetes-master.sh | 23 +++++++++++-------- .../templates/kubemaster.yaml | 1 + .../templates/kubemaster.yaml | 1 + 3 files changed, 15 insertions(+), 10 deletions(-) diff --git a/magnum/drivers/common/templates/kubernetes/fragments/configure-kubernetes-master.sh b/magnum/drivers/common/templates/kubernetes/fragments/configure-kubernetes-master.sh index 88d3b3e861..12efbccf97 100644 --- a/magnum/drivers/common/templates/kubernetes/fragments/configure-kubernetes-master.sh +++ b/magnum/drivers/common/templates/kubernetes/fragments/configure-kubernetes-master.sh @@ -46,6 +46,7 @@ elif [ "$NETWORK_DRIVER" = "flannel" ]; then fi +KUBE_MASTER_URI="https://127.0.0.1:$KUBE_API_PORT" mkdir -p /srv/magnum/kubernetes/ cat > /etc/kubernetes/config < /etc/kubernetes/proxy << EOF KUBE_PROXY_ARGS="${KUBE_PROXY_ARGS} ${KUBEPROXY_OPTIONS}" EOF -cat > ${PROXY_KUBECONFIG} << EOF +cat << EOF >> ${PROXY_KUBECONFIG} apiVersion: v1 clusters: - cluster: certificate-authority: ${CERT_DIR}/ca.crt - server: http://127.0.0.1:8080 - name: kubernetes + server: ${KUBE_MASTER_URI} + name: ${CLUSTER_UUID} contexts: - context: - cluster: kubernetes + cluster: ${CLUSTER_UUID} user: kube-proxy name: default current-context: default @@ -296,6 +297,8 @@ users: - name: kube-proxy user: as-user-extra: {} + client-certificate: ${CERT_DIR}/proxy.crt + client-key: ${CERT_DIR}/proxy.key EOF sed -i ' 
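Review bot: The redirection change from `cat > ${PROXY_KUBECONFIG} << EOF` to `cat << EOF >> ${PROXY_KUBECONFIG}` turns a truncating write into an append, so a re-run of this fragment (or a file left over from an earlier run) leaves two concatenated YAML documents in the kube-proxy kubeconfig instead of one. Unless an earlier part of the script deliberately seeds that file, `cat << EOF > "${PROXY_KUBECONFIG}"` keeps the previous overwrite semantics and also quotes the path. The new kubeconfig points kube-proxy at `${CERT_DIR}/proxy.crt` and `proxy.key`, which nothing in this hunk creates or checks; a guard such as `[ -s "${CERT_DIR}/proxy.key" ] || { echo "missing kube-proxy client key" >&2; exit 1; }` before the heredoc would fail the deployment early instead of leaving kube-proxy unable to authenticate. `KUBE_MASTER_URI` is introduced in this file's first hunk as `https://127.0.0.1:$KUBE_API_PORT` and now drives every kubeconfig written here, so a `: "${KUBE_API_PORT:?}"` check beside it would catch an empty port before it is baked into three files. The heredoc runs past the hunk, and this hunk's own @@ header is not recoverable from the page.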
@@ -383,7 +386,7 @@ apiVersion: v1 clusters: - cluster: certificate-authority: ${CERT_DIR}/ca.crt - server: https://127.0.0.1:$KUBE_API_PORT + server: ${KUBE_MASTER_URI} name: ${CLUSTER_UUID} contexts: - context: @@ -468,11 +471,11 @@ apiVersion: v1 clusters: - cluster: certificate-authority: ${CERT_DIR}/ca.crt - server: http://127.0.0.1:8080 - name: kubernetes + server: ${KUBE_MASTER_URI} + name: ${CLUSTER_UUID} contexts: - context: - cluster: kubernetes + cluster: ${CLUSTER_UUID} user: system:node:${INSTANCE_NAME} name: default current-context: default @@ -482,8 +485,8 @@ users: - name: system:node:${INSTANCE_NAME} user: as-user-extra: {} - client-certificate: ${CERT_DIR}/server.crt - client-key: ${CERT_DIR}/server.key + client-certificate: ${CERT_DIR}/kubelet.crt + client-key: ${CERT_DIR}/kubelet.key EOF cat > /etc/kubernetes/get_require_kubeconfig.sh << EOF diff --git a/magnum/drivers/k8s_fedora_atomic_v1/templates/kubemaster.yaml b/magnum/drivers/k8s_fedora_atomic_v1/templates/kubemaster.yaml index 3aea250151..0df24d0e33 100644 --- a/magnum/drivers/k8s_fedora_atomic_v1/templates/kubemaster.yaml +++ b/magnum/drivers/k8s_fedora_atomic_v1/templates/kubemaster.yaml @@ -838,6 +838,7 @@ resources: - get_file: ../../common/templates/kubernetes/fragments/install-cri.sh - get_file: ../../common/templates/kubernetes/fragments/install-clients.sh - get_file: ../../common/templates/kubernetes/fragments/make-cert.sh + - get_file: ../../common/templates/kubernetes/fragments/make-cert-client.sh - str_replace: template: {get_file: ../../common/templates/kubernetes/fragments/enable-cert-api-manager.sh} params: diff --git a/magnum/drivers/k8s_fedora_coreos_v1/templates/kubemaster.yaml b/magnum/drivers/k8s_fedora_coreos_v1/templates/kubemaster.yaml index 4ee303358e..825c1ac0ca 100644 --- a/magnum/drivers/k8s_fedora_coreos_v1/templates/kubemaster.yaml +++ b/magnum/drivers/k8s_fedora_coreos_v1/templates/kubemaster.yaml 
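Review bot: The kubelet kubeconfig in the -482 hunk now presents `${CERT_DIR}/kubelet.crt` and `kubelet.key`, but the API server takes the node's identity from that certificate's subject, not from the kubeconfig's `user: system:node:${INSTANCE_NAME}` entry, so the certificate issued by make-cert-client.sh (not part of this diff) presumably has to carry CN `system:node:${INSTANCE_NAME}` with O `system:nodes` for the Node authorizer to accept it — worth confirming, since a mismatch would likely surface only as authorization failures at kubelet start. The same consideration applies to the kube-proxy certificate referenced in the -296 hunk, whose subject must map to an identity that RBAC binds to the node-proxier role. Neither hunk checks that the files exist before the heredoc is written; a guard such as `[ -s "${CERT_DIR}/kubelet.key" ] || { echo "missing kubelet client key" >&2; exit 1; }` ahead of the `cat` would make a failed cert step visible at deploy time. The `cat > ... << EOF` that opens this heredoc starts before the -468 hunk, outside the visible lines.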
@@ -850,6 +850,7 @@ resources:
 - get_file: ../../common/templates/kubernetes/fragments/install-cri.sh
 - get_file: ../../common/templates/kubernetes/fragments/install-clients.sh
 - get_file: ../../common/templates/kubernetes/fragments/make-cert.sh
+ - get_file: ../../common/templates/kubernetes/fragments/make-cert-client.sh
 - str_replace:
 template: {get_file: ../../common/templates/kubernetes/fragments/enable-cert-api-manager.sh}
 params: