From 113ab741e6d8012814436c4844fc8e5c104131be Mon Sep 17 00:00:00 2001
From: Jake Sanders
Date: Thu, 18 Apr 2019 19:51:37 +0000
Subject: [PATCH 1/2] add option to set the value of the apiserver's insecure port
---
 cluster/gce/gci/configure-helper.sh | 4 ++++
 cluster/gce/manifests/kube-apiserver.manifest | 6 ++++--
 2 files changed, 8 insertions(+), 2 deletions(-)
diff --git a/cluster/gce/gci/configure-helper.sh b/cluster/gce/gci/configure-helper.sh
index c916f1f4f3b..655f493785e 100644
--- a/cluster/gce/gci/configure-helper.sh
+++ b/cluster/gce/gci/configure-helper.sh
@@ -1593,6 +1593,10 @@ function start-kube-apiserver {
 params+=" --etcd-servers-overrides=${ETCD_SERVERS_OVERRIDES:-}"
 fi
 params+=" --secure-port=443"
+ if [[ "${ENABLE_APISERVER_INSECURE_PORT:-true}" != "true" ]]; then
+ # Default is :8080
+ params+=" --insecure-port=0"
+ fi
 params+=" --tls-cert-file=${APISERVER_SERVER_CERT_PATH}"
 params+=" --tls-private-key-file=${APISERVER_SERVER_KEY_PATH}"
 params+=" --kubelet-preferred-address-types=InternalIP,ExternalIP,Hostname"
diff --git a/cluster/gce/manifests/kube-apiserver.manifest b/cluster/gce/manifests/kube-apiserver.manifest
index d045c844c47..acbdcee0a55 100644
--- a/cluster/gce/manifests/kube-apiserver.manifest
+++ b/cluster/gce/manifests/kube-apiserver.manifest
@@ -32,8 +32,9 @@
 {{container_env}}
 "livenessProbe": {
 "httpGet": {
+ "scheme": "HTTPS",
 "host": "127.0.0.1",
- "port": 8080,
+ "port": {{secure_port}},
 "path": "/healthz?exclude=etcd"
 },
 "initialDelaySeconds": {{liveness_probe_initial_delay}},
@@ -41,8 +42,9 @@
 },
 "readinessProbe": {
 "httpGet": {
+ "scheme": "HTTPS",
 "host": "127.0.0.1",
- "port": 8080,
+ "port": {{secure_port}},
 "path": "/healthz"
 },
 "periodSeconds": 1,
From 42fcd5eb635dad664f5b136401c15718a7309ed7 Mon Sep 17 00:00:00 2001
From: Jake Sanders
Date: Fri, 19 Apr 2019 17:40:28 +0000
Subject: [PATCH 2/2] remove erroneous kube-apiserver.manifest sed line
---
 cluster/gce/gci/configure-helper.sh | 1 -
 1 file changed, 1 deletion(-)
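Review bot: The new guard treats the variable as opt-out (`${ENABLE_APISERVER_INSECURE_PORT:-true}`), so a cluster that never sets it still runs kube-apiserver with its insecure port, which serves the API over plain HTTP without authentication or authorization. The comment `# Default is :8080` does not convey that; I would write `# kube-apiserver's built-in insecure port is 8080 (no authn/authz); --insecure-port=0 turns it off.` The comparison is `!= "true"`, so any other value, including `True` or `1`, disables the port; that fails closed but should be stated where the variable is documented. Whether other callers in this script still expect 127.0.0.1:8080 is not visible here, since start-kube-apiserver begins and ends outside the hunk.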
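Review bot: The liveness probe here, and the readiness probe in the next hunk, now request `/healthz` over HTTPS on `{{secure_port}}` with no `httpHeaders`, so the kubelet reaches the apiserver as an unauthenticated client on the authenticated port. That only succeeds while anonymous requests to `/healthz` are allowed; if this deployment can run with `--anonymous-auth=false` (not visible in this patch), the probes would presumably be rejected and the kubelet would restart a healthy apiserver. Please confirm that path, and record the dependency in the commit message, since the JSON manifest has no place for a comment.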
diff --git a/cluster/gce/gci/configure-helper.sh b/cluster/gce/gci/configure-helper.sh
index 655f493785e..70ebda6e04e 100644
--- a/cluster/gce/gci/configure-helper.sh
+++ b/cluster/gce/gci/configure-helper.sh
@@ -1882,7 +1882,6 @@ function start-kube-apiserver {
 sed -i -e "s@{{pillar\['allow_privileged'\]}}@true@g" "${src_file}"
 sed -i -e "s@{{liveness_probe_initial_delay}}@${KUBE_APISERVER_LIVENESS_PROBE_INITIAL_DELAY_SEC:-15}@g" "${src_file}"
 sed -i -e "s@{{secure_port}}@443@g" "${src_file}"
- sed -i -e "s@{{secure_port}}@8080@g" "${src_file}"
 sed -i -e "s@{{additional_cloud_config_mount}}@@g" "${src_file}"
 sed -i -e "s@{{additional_cloud_config_volume}}@@g" "${src_file}"
 sed -i -e "s@{{webhook_authn_config_mount}}@${webhook_authn_config_mount}@g" "${src_file}"