calico talks to apiserver with https

8 years ago · e7e03bae9f
3 changed files with 27 additions and 2 deletions
--- a/roles/kubernetes/master/templates/manifests/kube-apiserver.manifest.j2
+++ b/roles/kubernetes/master/templates/manifests/kube-apiserver.manifest.j2
@ -10,7 +10,6 @@ spec:
    command:
    - /hyperkube
    - apiserver
-    - --insecure-bind-address=0.0.0.0
    - --etcd-servers={% for srv in groups['etcd'] %}http://{{ srv }}:2379{% if not loop.last %},{% endif %}{% endfor %}

    - --admission-control=NamespaceLifecycle,NamespaceExists,LimitRanger,SecurityContextDeny,ServiceAccount,ResourceQuota
--- a/roles/kubernetes/node/tasks/secrets.yml
+++ b/roles/kubernetes/node/tasks/secrets.yml
@ -21,6 +21,32 @@
  run_once: true
  when: inventory_hostname == groups['kube-master'][0]

+- name: tokens | generate tokens for calico
+  command: "{{ kube_script_dir }}/kube-gen-token.sh {{ item[0] }}-{{ item[1] }}"
+  environment:
+    TOKEN_DIR: "{{ kube_token_dir }}"
+  with_nested:
+    - [ "system:calico" ]
+    - "{{ groups['k8s-cluster'] }}"
+  register: gentoken
+  changed_when: "'Added' in gentoken.stdout"
+  when: kube_network_plugin == "calico"
+  delegate_to: "{{ groups['kube-master'][0] }}"
+
+- name: tokens | get the calico token values
+  slurp:
+    src: "{{ kube_token_dir }}/system:calico-{{ inventory_hostname }}.token"
+  register: calico_token
+  when: kube_network_plugin == "calico"
+  delegate_to: "{{ groups['kube-master'][0] }}"
+
+- name: tokens | Add KUBE_AUTH_TOKEN for calico
+  lineinfile:
+    regexp: "^KUBE_AUTH_TOKEN=.*$"
+    line: "KUBE_AUTH_TOKEN={{ calico_token.content|b64decode }}"
+    dest: "/etc/network-environment"
+  when: kube_network_plugin == "calico"
+
 # Sync certs between nodes
 - user:
    name: '{{ansible_user_id}}'
--- a/roles/network_plugin/templates/network-environment.j2
+++ b/roles/network_plugin/templates/network-environment.j2
@ -16,7 +16,7 @@ ETCD_AUTHORITY="127.0.0.1:23799"
 {% endif %}

 # The kubernetes-apiserver location - used by the calico plugin
-KUBE_API_ROOT=http://{{ hostvars[groups['kube-master'][0]]['ip'] | default(hostvars[groups['kube-master'][0]]['ansible_default_ipv4']['address']) }}:{{kube_apiserver_insecure_port}}/api/v1/
+KUBE_API_ROOT=https://{{ hostvars[groups['kube-master'][0]]['ip'] | default(hostvars[groups['kube-master'][0]]['ansible_default_ipv4']['address']) }}:{{kube_apiserver_port}}/api/v1/
 {% else %}
 FLANNEL_ETCD_PREFIX="--etcd-prefix=/{{ cluster_name }}/network"
 {% endif %}