External-Mirrors/kubespray
2
0
Fork 0
mirror of https://github.com/kubernetes-sigs/kubespray.git synced 2026-05-07 09:27:38 -02:30
Code Issues Packages Projects Releases Wiki Activity

Use dedicated front-proxy-ca for front-proxy-client

Browse Source
This commit is contained in:
Chad Swenson
2018-04-05 14:32:12 -05:00
parent a6a47dbc96
commit d87b6fd9f3
12 changed files with 73 additions and 7 deletions
Download Patch File Download Diff File Expand all files Collapse all files

4
roles/kubernetes/master/tasks/kubeadm-migrate-certs.yml
View File

@@ -9,6 +9,10 @@
- {src: apiserver-key.pem, dest: apiserver.key}
- {src: ca.pem, dest: ca.crt}
- {src: ca-key.pem, dest: ca.key}
- {src: front-proxy-ca.pem, dest: front-proxy-ca.crt}
- {src: front-proxy-ca-key.pem, dest: front-proxy-ca.key}
- {src: front-proxy-client.pem, dest: front-proxy-client.crt}
- {src: front-proxy-client-key.pem, dest: front-proxy-client.key}
- {src: service-account-key.pem, dest: sa.pub}
- {src: service-account-key.pem, dest: sa.key}
register: kubeadm_copy_old_certs

2
roles/kubernetes/master/templates/manifests/kube-apiserver.manifest.j2
View File

@@ -111,7 +111,7 @@ spec:
- --feature-gates={{ kube_feature_gates|join(',') }}
{% endif %}
{% if kube_version | version_compare('v1.9', '>=') %}
- --requestheader-client-ca-file={{ kube_cert_dir }}/ca.pem
- --requestheader-client-ca-file={{ kube_cert_dir }}/front-proxy-ca.pem
- --requestheader-allowed-names=front-proxy-client
- --requestheader-extra-headers-prefix=X-Remote-Extra-
- --requestheader-group-headers=X-Remote-Group