Browse Source

Fix auto-evaluated API access endpoint for bind IP

Auto configure API access endpoint with a custom bind IP, if provided.
Fix HA docs' http URLs are https in fact, clarify the insecure vs secure
API access modes as well.

Closes: #issues/2051

Signed-off-by: Bogdan Dobrelya <bogdando@mail.ru>
pull/2086/head
Bogdan Dobrelya 7 years ago
parent
commit
81347298a3
2 changed files with 19 additions and 10 deletions
  1. 21
      docs/ha-mode.md
  2. 8
      roles/kubespray-defaults/defaults/main.yaml

21
docs/ha-mode.md

@ -92,22 +92,27 @@ localhost LB configuration.
the each node in the `k8s-cluster` group as well, but require no VIP, thus the each node in the `k8s-cluster` group as well, but require no VIP, thus
no VIP management. no VIP management.
Access endpoints are evaluated automagically, as the following:
Access API endpoints are evaluated automagically, as the following:
| Endpoint type | kube-master | non-master |
|------------------------------|---------------|---------------------|
| Local LB (default) | http://lc:p | https://lc:nsp |
| External LB, no internal | https://lb:lp | https://lb:lp |
| No ext/int LB | http://lc:p | https://m[0].aip:sp |
| Endpoint type | kube-master | non-master |
|------------------------------|----------------|---------------------|
| Local LB (default) | https://lc:sp | https://lc:nsp |
| External LB, no internal | https://lb:lp | https://lb:lp |
| No ext/int LB, bind 0.0.0.0 | https://lc:sp | https://m[0].aip:sp |
| No ext/int LB, a custom bind | https://bip:sp | https://m[0].aip:sp |
Where: Where:
* `m[0]` - the first node in the `kube-master` group; * `m[0]` - the first node in the `kube-master` group;
* `lb` - LB FQDN, `apiserver_loadbalancer_domain_name`; * `lb` - LB FQDN, `apiserver_loadbalancer_domain_name`;
* `lc` - localhost; * `lc` - localhost;
* `p` - insecure port, `kube_apiserver_insecure_port`
* `nsp` - nginx secure port, `nginx_kube_apiserver_port`;
* `bip` - a custom bind IP value (defaults to '0.0.0.0');
* `nsp` - nginx secure port, `nginx_kube_apiserver_port`, defers to `sp`;
* `sp` - secure port, `kube_apiserver_port`; * `sp` - secure port, `kube_apiserver_port`;
* `lp` - LB port, `loadbalancer_apiserver.port`, defers to the secure port; * `lp` - LB port, `loadbalancer_apiserver.port`, defers to the secure port;
* `ip` - the node IP, defers to the ansible IP; * `ip` - the node IP, defers to the ansible IP;
* `aip` - `access_ip`, defers to the ip. * `aip` - `access_ip`, defers to the ip.
**Note** that for some cases, like healthchecks of applications deployed by
Kubespray, the masters' APIs are accessed via the insecure endpoint, which
consists of the local `kube_apiserver_insecure_bind_address` and
`kube_apiserver_insecure_port`.

8
roles/kubespray-defaults/defaults/main.yaml

@ -98,8 +98,12 @@ kube_pods_subnet: 10.233.64.0/18
# room for 4096 nodes with 254 pods per node. # room for 4096 nodes with 254 pods per node.
kube_network_node_prefix: 24 kube_network_node_prefix: 24
# The port the API Server will be listening on.
# The virtual cluster IP, real host IPs and ports the API Server will be
# listening on.
# NOTE: loadbalancer_apiserver_localhost somewhat alters the final API enpdoint
# access IP value (automatically evaluated below)
kube_apiserver_ip: "{{ kube_service_addresses|ipaddr('net')|ipaddr(1)|ipaddr('address') }}" kube_apiserver_ip: "{{ kube_service_addresses|ipaddr('net')|ipaddr(1)|ipaddr('address') }}"
kube_apiserver_bind_address: 0.0.0.0
# https # https
kube_apiserver_port: 6443 kube_apiserver_port: 6443
# http # http
@ -210,7 +214,7 @@ kube_apiserver_endpoint: |-
{% if not is_kube_master and loadbalancer_apiserver_localhost -%} {% if not is_kube_master and loadbalancer_apiserver_localhost -%}
https://localhost:{{ nginx_kube_apiserver_port|default(kube_apiserver_port) }} https://localhost:{{ nginx_kube_apiserver_port|default(kube_apiserver_port) }}
{%- elif is_kube_master -%} {%- elif is_kube_master -%}
https://127.0.0.1:{{ kube_apiserver_port }}
https://{{ kube_apiserver_bind_address | regex_replace('0\.0\.0\.0','127.0.0.1') }}:{{ kube_apiserver_port }}
{%- else -%} {%- else -%}
{%- if loadbalancer_apiserver is defined and loadbalancer_apiserver.port is defined -%} {%- if loadbalancer_apiserver is defined and loadbalancer_apiserver.port is defined -%}
https://{{ apiserver_loadbalancer_domain_name|default('lb-apiserver.kubernetes.local') }}:{{ loadbalancer_apiserver.port|default(kube_apiserver_port) }} https://{{ apiserver_loadbalancer_domain_name|default('lb-apiserver.kubernetes.local') }}:{{ loadbalancer_apiserver.port|default(kube_apiserver_port) }}

Loading…
Cancel
Save