Add etcd TLS support

2026-02-21 21:20:15 -03:30 · 2016-11-09 13:44:41 +03:00
parent 95b460ae94
commit a32cd85eb7
25 changed files with 408 additions and 35 deletions
--- a/roles/kubernetes/master/defaults/main.yml
+++ b/roles/kubernetes/master/defaults/main.yml
@@ -28,3 +28,9 @@ kube_apiserver_insecure_bind_address: 127.0.0.1

 # Logging directory (sysvinit systems)
 kube_log_dir: "/var/log/kubernetes"
+
+# ETCD cert dir for connecting apiserver to etcd
+etcd_config_dir: /etc/ssl/etcd
+etcd_cert_dir: "{{ etcd_config_dir }}/ssl"
+
+
--- a/roles/kubernetes/master/templates/manifests/kube-apiserver.manifest.j2
+++ b/roles/kubernetes/master/templates/manifests/kube-apiserver.manifest.j2
@@ -14,6 +14,9 @@ spec:
    - --advertise-address={{ ip | default(ansible_default_ipv4.address) }}
    - --etcd-servers={{ etcd_access_endpoint }}
    - --etcd-quorum-read=true
+    - --etcd-cafile={{ etcd_cert_dir }}/ca.pem
+    - --etcd-certfile={{ etcd_cert_dir }}/node.pem
+    - --etcd-keyfile={{ etcd_cert_dir }}/node-key.pem
    - --insecure-bind-address={{ kube_apiserver_insecure_bind_address }}
    - --apiserver-count={{ kube_apiserver_count }}
    - --admission-control=NamespaceLifecycle,LimitRanger,ServiceAccount,DefaultStorageClass,ResourceQuota
@@ -50,6 +53,9 @@ spec:
    - mountPath: /etc/ssl/certs
      name: ssl-certs-host
      readOnly: true
+    - mountPath: {{ etcd_cert_dir }}
+      name: etcd-certs
+      readOnly: true
    - mountPath: /var/log/
      name: logfile
  volumes:
@@ -59,7 +65,9 @@ spec:
  - hostPath:
      path: /etc/ssl/certs/
    name: ssl-certs-host
+  - hostPath:
+      path: {{ etcd_cert_dir }}
+    name: etcd-certs
  - hostPath:
      path: /var/log/
    name: logfile
-