From e7e03bae9fba2e6bd633b7fdfb1542eb34f6286a Mon Sep 17 00:00:00 2001
From: Smaine Kahlouch
Date: Fri, 18 Dec 2015 22:22:52 +0100
Subject: [PATCH] calico talks to apiserver with https
---
.../manifests/kube-apiserver.manifest.j2 | 1 -
roles/kubernetes/node/tasks/secrets.yml | 26 +++++++++++++++++++
.../templates/network-environment.j2 | 2 +-
3 files changed, 27 insertions(+), 2 deletions(-)
diff --git a/roles/kubernetes/master/templates/manifests/kube-apiserver.manifest.j2 b/roles/kubernetes/master/templates/manifests/kube-apiserver.manifest.j2
index 940ec1ace..0d8cfb026 100644
--- a/roles/kubernetes/master/templates/manifests/kube-apiserver.manifest.j2
+++ b/roles/kubernetes/master/templates/manifests/kube-apiserver.manifest.j2
@@ -10,7 +10,6 @@ spec:
command:
- /hyperkube
- apiserver
- - --insecure-bind-address=0.0.0.0
- --etcd-servers={% for srv in groups['etcd'] %}http://{{ srv }}:2379{% if not loop.last %},{% endif %}{% endfor %}
- --admission-control=NamespaceLifecycle,NamespaceExists,LimitRanger,SecurityContextDeny,ServiceAccount,ResourceQuota
diff --git a/roles/kubernetes/node/tasks/secrets.yml b/roles/kubernetes/node/tasks/secrets.yml
index 3d0c76734..5154b9b59 100644
--- a/roles/kubernetes/node/tasks/secrets.yml
+++ b/roles/kubernetes/node/tasks/secrets.yml
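Review bot: Dropping `--insecure-bind-address=0.0.0.0` does not close the unauthenticated API listener; with the flag absent kube-apiserver falls back to its built-in defaults, which for hyperkube of this era were a loopback bind address and `--insecure-port` 8080 (confirm against the deployed version), so any process on the master can still reach the API with no authentication. If the intent behind moving calico to https is that only the TLS listener is reachable, add `- --insecure-port=0` to this command list, after checking that controller-manager, scheduler and kubectl on the master are pointed at the https endpoint with credentials, since those are the usual consumers of the loopback port. The apiserver command list continues outside the hunk.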
@@ -21,6 +21,32 @@
run_once: true
when: inventory_hostname == groups['kube-master'][0]
+- name: tokens | generate tokens for calico
+ command: "{{ kube_script_dir }}/kube-gen-token.sh {{ item[0] }}-{{ item[1] }}"
+ environment:
+ TOKEN_DIR: "{{ kube_token_dir }}"
+ with_nested:
+ - [ "system:calico" ]
+ - "{{ groups['k8s-cluster'] }}"
+ register: gentoken
+ changed_when: "'Added' in gentoken.stdout"
+ when: kube_network_plugin == "calico"
+ delegate_to: "{{ groups['kube-master'][0] }}"
+
+- name: tokens | get the calico token values
+ slurp:
+ src: "{{ kube_token_dir }}/system:calico-{{ inventory_hostname }}.token"
+ register: calico_token
+ when: kube_network_plugin == "calico"
+ delegate_to: "{{ groups['kube-master'][0] }}"
+
+- name: tokens | Add KUBE_AUTH_TOKEN for calico
+ lineinfile:
+ regexp: "^KUBE_AUTH_TOKEN=.*$"
+ line: "KUBE_AUTH_TOKEN={{ calico_token.content|b64decode }}"
+ dest: "/etc/network-environment"
+ when: kube_network_plugin == "calico"
+
# Sync certs between nodes
- user:
name: '{{ansible_user_id}}'
diff --git a/roles/network_plugin/templates/network-environment.j2 b/roles/network_plugin/templates/network-environment.j2
index b926c8cf2..0aaf4bb69 100755
--- a/roles/network_plugin/templates/network-environment.j2
+++ b/roles/network_plugin/templates/network-environment.j2
@@ -16,7 +16,7 @@ ETCD_AUTHORITY="127.0.0.1:23799"
{% endif %}
# The kubernetes-apiserver location - used by the calico plugin
-KUBE_API_ROOT=http://{{ hostvars[groups['kube-master'][0]]['ip'] | default(hostvars[groups['kube-master'][0]]['ansible_default_ipv4']['address']) }}:{{kube_apiserver_insecure_port}}/api/v1/
+KUBE_API_ROOT=https://{{ hostvars[groups['kube-master'][0]]['ip'] | default(hostvars[groups['kube-master'][0]]['ansible_default_ipv4']['address']) }}:{{kube_apiserver_port}}/api/v1/
{% else %}
FLANNEL_ETCD_PREFIX="--etcd-prefix=/{{ cluster_name }}/network"
{% endif %}
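Review bot: The two new tasks that handle the calico bearer token, `tokens | get the calico token values` and `tokens | Add KUBE_AUTH_TOKEN for calico`, carry no `no_log: true`, so the slurped `content` and the rendered `line:` (which holds the decoded token) are printed in Ansible output and logs on every run, and in the lineinfile diff under `--diff`; add `no_log: true` to both tasks. The `lineinfile` task also sets no `owner`/`group`/`mode` on `/etc/network-environment`, so the token is as readable as that file already is; if the only reader is the root-owned calico service, `mode: "0600"` would keep the per-node token away from unprivileged local users, but verify which processes source that file before tightening it. Note too that the sibling token task just above is `run_once: true` while the new generate task is not, so every host in the play invokes `kube-gen-token.sh` for every entry of `k8s-cluster` on the delegated master; this is presumably harmless given the `Added` check, but `run_once: true` would match the sibling and avoid the N-by-N runs.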
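Review bot: Switching `KUBE_API_ROOT` to https leaves the plugin with no trust anchor: nothing in this template or elsewhere in the commit hands the calico plugin the cluster CA, so it either cannot verify the apiserver certificate or skips verification, depending on the plugin version, which is worth confirming because an unverified TLS connection still lets an on-path attacker between node and master capture the bearer token that the accompanying secrets tasks write into this same file. If the plugin supports a CA setting, add it next to this line (presumably pointing at the cert bundle the node role syncs, per the "Sync certs between nodes" task) and make sure the apiserver serving certificate's SANs include the master IP rendered here, since the URL uses an address rather than a name. `kube_apiserver_insecure_port` is no longer referenced by this template after the change; check whether other templates still consume it before treating the insecure listener as retired.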