From a5509fc2ce427b8af8dfe27ec497912c3b2eedf3 Mon Sep 17 00:00:00 2001
From: Erwan Miran
Date: Thu, 6 Sep 2018 13:46:09 +0200
Subject: [PATCH] Remove insecure-port and insecure-bind-address when possible
---
 .../master/templates/kubeadm-config.v1alpha1.yaml.j2 | 4 ++++
 .../master/templates/kubeadm-config.v1alpha2.yaml.j2 | 4 ++++
 .../master/templates/manifests/kube-apiserver.manifest.j2 | 4 ++++
 3 files changed, 12 insertions(+)
diff --git a/roles/kubernetes/master/templates/kubeadm-config.v1alpha1.yaml.j2 b/roles/kubernetes/master/templates/kubeadm-config.v1alpha1.yaml.j2
index fefc5632e..21d768029 100644
--- a/roles/kubernetes/master/templates/kubeadm-config.v1alpha1.yaml.j2
+++ b/roles/kubernetes/master/templates/kubeadm-config.v1alpha1.yaml.j2
@@ -45,8 +45,12 @@ authorizationModes:
 selfHosted: false
 apiServerExtraArgs:
 bind-address: {{ kube_apiserver_bind_address }}
+{% if kube_apiserver_insecure_port|string != "0" %}
 insecure-bind-address: {{ kube_apiserver_insecure_bind_address }}
+{% endif %}
+{% if kube_apiserver_insecure_port|string != "0" or kube_version | version_compare('v1.10', '<') %}
 insecure-port: "{{ kube_apiserver_insecure_port }}"
+{% endif %}
 {% if kube_version | version_compare('v1.10', '<') %}
 admission-control: {{ kube_apiserver_admission_control | join(',') }}
 {% else %}
diff --git a/roles/kubernetes/master/templates/kubeadm-config.v1alpha2.yaml.j2 b/roles/kubernetes/master/templates/kubeadm-config.v1alpha2.yaml.j2
index 09dc520b4..94db3e3ae 100644
--- a/roles/kubernetes/master/templates/kubeadm-config.v1alpha2.yaml.j2
+++ b/roles/kubernetes/master/templates/kubeadm-config.v1alpha2.yaml.j2
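Review bot: The second added condition drops `insecure-port` from `apiServerExtraArgs` entirely when `kube_apiserver_insecure_port` is 0 on v1.10 or later, so the rendered config then relies on kubeadm's own default to keep the unauthenticated port closed. As far as I know kubeadm does pass `insecure-port=0` itself, but nothing in the template records that assumption. A Jinja comment above the condition, for example `{# insecure-port omitted on >= v1.10 when 0: relies on kubeadm defaulting it to 0 #}`, would make the dependency explicit. The reason the flag is still written for releases older than v1.10 is not visible in the hunk and deserves a word in the same comment. The identical hunk in kubeadm-config.v1alpha2.yaml.j2 needs the same note.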
@@ -37,8 +37,12 @@ authorizationModes:
 {% endfor %}
 apiServerExtraArgs:
 bind-address: {{ kube_apiserver_bind_address }}
+{% if kube_apiserver_insecure_port|string != "0" %}
 insecure-bind-address: {{ kube_apiserver_insecure_bind_address }}
+{% endif %}
+{% if kube_apiserver_insecure_port|string != "0" or kube_version | version_compare('v1.10', '<') %}
 insecure-port: "{{ kube_apiserver_insecure_port }}"
+{% endif %}
 {% if kube_version | version_compare('v1.10', '<') %}
 admission-control: {{ kube_apiserver_admission_control | join(',') }}
 {% else %}
diff --git a/roles/kubernetes/master/templates/manifests/kube-apiserver.manifest.j2 b/roles/kubernetes/master/templates/manifests/kube-apiserver.manifest.j2
index 765b3d151..7fc0cdc51 100644
--- a/roles/kubernetes/master/templates/manifests/kube-apiserver.manifest.j2
+++ b/roles/kubernetes/master/templates/manifests/kube-apiserver.manifest.j2
@@ -46,7 +46,9 @@ spec:
 - --etcd-cafile={{ etcd_cert_dir }}/ca.pem
 - --etcd-certfile={{ etcd_cert_dir }}/node-{{ inventory_hostname }}.pem
 - --etcd-keyfile={{ etcd_cert_dir }}/node-{{ inventory_hostname }}-key.pem
+{% if kube_apiserver_insecure_port|string != "0" %}
 - --insecure-bind-address={{ kube_apiserver_insecure_bind_address }}
+{% endif %}
 - --bind-address={{ kube_apiserver_bind_address }}
 - --apiserver-count={{ kube_apiserver_count }}
 {% if kube_version | version_compare('v1.9', '>=') %}
@@ -100,7 +102,9 @@ spec:
 {% endif %}
 {% endif %}
 - --secure-port={{ kube_apiserver_port }}
+{% if kube_apiserver_insecure_port|string != "0" or kube_version | version_compare('v1.10', '<') %}
 - --insecure-port={{ kube_apiserver_insecure_port }}
+{% endif %}
 - --storage-backend={{ kube_apiserver_storage_backend }}
 {% if kube_api_runtime_config is defined %}
 {% for conf in kube_api_runtime_config %}
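Review bot: Omitting `--insecure-port` in the -100,7 hunk of kube-apiserver.manifest.j2 is not the same as disabling the port. When `kube_apiserver_insecure_port` is 0 and `kube_version` is v1.10 or later, the added condition drops the flag, and kube-apiserver then uses its built-in default, which as far as I know is still 8080 in these releases. Unlike the kubeadm templates, nothing visible in this manifest sets the flag elsewhere, so a cluster configured to close the unauthenticated port could end up serving it on the default insecure bind address. Keep the line unconditional, `- --insecure-port={{ kube_apiserver_insecure_port }}`, and gate only `--insecure-bind-address`, as the -46,7 hunk of the same file already does. The `spec:` block both hunks belong to starts and ends outside the hunks.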