Move ingress to kube-system. Rename enable-rbac to authorization-mode.

cluster/juju/layers/kubernetes-master/config.yaml

@@ -40,7 +40,9 @@ options:
         runtime-config=batch/v2alpha1=true profiling=true
       will result in kube-apiserver being run with the following options:
         --runtime-config=batch/v2alpha1=true --profiling=true
-  enable-rbac:
-    type: boolean
-    default: True
-    description: Enable RBAC authorization mode.
+  authorization-mode:
+    type: string
+    default: "RBAC"
+    description: |
+      Set the cluster's authorization mode. Allowed values are
+      "RBAC" and "None".

cluster/juju/layers/kubernetes-master/reactive/kubernetes_master.py

@@ -59,6 +59,7 @@ nrpe.Check.shortname_re = '[\.A-Za-z0-9-_]+$'
 
 os.environ['PATH'] += os.pathsep + os.path.join(os.sep, 'snap', 'bin')
 
+valid_auth_modes = ['rbac', 'none']
 
 def service_cidr():
     ''' Return the charm's service-cidr config '''
@@ -321,6 +322,11 @@ def idle_status(kube_api, kube_control):
         msg = 'WARN: cannot change service-cidr, still using ' + service_cidr()
         hookenv.status_set('active', msg)
     else:
+        mode = hookenv.config().get('authorization-mode').lower()
+        if mode not in valid_auth_modes:
+            hookenv.status_set('blocked', 'Incorrect authorization mode.')
+            return
+
         # All services should be up and running at this point. Double-check...
         failing_services = master_services_down()
         if len(failing_services) == 0:
@@ -656,11 +662,13 @@ def initial_nrpe_config(nagios=None):
     update_nrpe_config(nagios)
 
 
-@when('config.changed.enable-rbac',
+@when('config.changed.authorization-mode',
       'kubernetes-master.components.started')
-def enable_rbac_config():
+def switch_auth_mode():
     config = hookenv.config()
-    if data_changed('rbac-flag', str(config.get('enable-rbac'))):
+    mode = config.get('authorization-mode').lower()
+    if mode in valid_auth_modes and \
+            data_changed('auth-mode', mode):
         remove_state('kubernetes-master.components.started')
 
 
@@ -1015,7 +1023,7 @@ def configure_apiserver():
         'DefaultTolerationSeconds'
     ]
 
-    if hookenv.config('enable-rbac'):
+    if hookenv.config('authorization-mode').lower() == 'rbac':
         admission_control.append('NodeRestriction')
         api_opts.add('authorization-mode', 'Node,RBAC', strict=True)
     else:
@@ -1178,4 +1186,4 @@ def touch(fname):
     try:
         os.utime(fname, None)
     except OSError:
-        open(fname, 'a').close()
+        open(fname, 'a').close()

cluster/juju/layers/kubernetes-worker/templates/default-http-backend.yaml

@@ -2,6 +2,7 @@ apiVersion: extensions/v1beta1
 kind: Deployment
 metadata:
   name: default-http-backend
+  namespace: kube-system
   labels:
     k8s-app: default-http-backend
 spec:
@@ -39,6 +40,7 @@ apiVersion: v1
 kind: Service
 metadata:
   name: default-http-backend
+  namespace: kube-system
   labels:
     k8s-app: default-http-backend
 spec:

cluster/juju/layers/kubernetes-worker/templates/ingress-replication-controller.yaml

@@ -2,7 +2,7 @@ apiVersion: v1
 kind: ServiceAccount
 metadata:
   name: nginx-ingress-serviceaccount
-  namespace: default
+  namespace: kube-system
 ---
 apiVersion: rbac.authorization.k8s.io/v1beta1
 kind: ClusterRole
@@ -60,7 +60,7 @@ apiVersion: rbac.authorization.k8s.io/v1beta1
 kind: Role
 metadata:
   name: nginx-ingress-role
-  namespace: default
+  namespace: kube-system
 rules:
   - apiGroups:
       - ""
@@ -103,7 +103,7 @@ apiVersion: rbac.authorization.k8s.io/v1beta1
 kind: RoleBinding
 metadata:
   name: nginx-ingress-role-nisa-binding
-  namespace: default
+  namespace: kube-system
 roleRef:
   apiGroup: rbac.authorization.k8s.io
   kind: Role
@@ -111,7 +111,7 @@ roleRef:
 subjects:
   - kind: ServiceAccount
     name: nginx-ingress-serviceaccount
-    namespace: default
+    namespace: kube-system
 ---
 apiVersion: rbac.authorization.k8s.io/v1beta1
 kind: ClusterRoleBinding
@@ -124,7 +124,7 @@ roleRef:
 subjects:
   - kind: ServiceAccount
     name: nginx-ingress-serviceaccount
-    namespace: default
+    namespace: kube-system
 ---
 apiVersion: v1
 kind: ConfigMap
@@ -135,6 +135,7 @@ apiVersion: v1
 kind: ReplicationController
 metadata:
   name: nginx-ingress-controller
+  namespace: kube-system
   labels:
     k8s-app: nginx-ingress-lb
 spec: