github/kubernetes
1
0
Fork 0
mirror of https://github.com/k3s-io/kubernetes.git synced 2025-07-27 13:37:30 +00:00
Code Issues Projects Releases Wiki Activity

Merge pull request #43715 from deads2k/kubeadm-01-proxy

Browse Source 
Automatic merge from submit-queue

add proxy client-certs to kube-apiserver to allow it to proxy aggregated api servers

The `kube-apiserver` contains the aggregator for combining API servers and `kubeadm` has the client certificates required for aggregated API servers to trust the authentication info.  This wires those bits together.

@luxas
This commit is contained in:
Kubernetes Submit Queue 2017-03-27 14:23:19 -07:00 committed by GitHub
commit c25c186ec5
2 changed files with 9 additions and 0 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

3
cmd/kubeadm/app/master/manifests.go
View File

@ -323,6 +323,9 @@ func getAPIServerCommand(cfg *kubeadmapi.MasterConfiguration, selfHosted bool) [
"requestheader-extra-headers-prefix": "X-Remote-Extra-", "requestheader-extra-headers-prefix": "X-Remote-Extra-",
"requestheader-client-ca-file": path.Join(cfg.CertificatesDir, kubeadmconstants.FrontProxyCACertName), "requestheader-client-ca-file": path.Join(cfg.CertificatesDir, kubeadmconstants.FrontProxyCACertName),
"requestheader-allowed-names": "front-proxy-client", "requestheader-allowed-names": "front-proxy-client",
// add options which allow the kube-apiserver to act as a front-proxy to aggregated API servers
"proxy-client-cert-file": path.Join(cfg.CertificatesDir, kubeadmconstants.FrontProxyClientCertName),
"proxy-client-key-file": path.Join(cfg.CertificatesDir, kubeadmconstants.FrontProxyClientKeyName),
} }
command = getComponentBaseCommand(apiServer) command = getComponentBaseCommand(apiServer)

6
cmd/kubeadm/app/master/manifests_test.go
View File

@ -453,6 +453,8 @@ func TestGetAPIServerCommand(t *testing.T) {
"--storage-backend=etcd3", "--storage-backend=etcd3",
"--kubelet-preferred-address-types=InternalIP,ExternalIP,Hostname", "--kubelet-preferred-address-types=InternalIP,ExternalIP,Hostname",
"--experimental-bootstrap-token-auth=true", "--experimental-bootstrap-token-auth=true",
"--proxy-client-cert-file=/var/lib/certs/front-proxy-client.crt",
"--proxy-client-key-file=/var/lib/certs/front-proxy-client.key",
"--requestheader-username-headers=X-Remote-User", "--requestheader-username-headers=X-Remote-User",
"--requestheader-group-headers=X-Remote-Group", "--requestheader-group-headers=X-Remote-Group",
"--requestheader-extra-headers-prefix=X-Remote-Extra-", "--requestheader-extra-headers-prefix=X-Remote-Extra-",
@ -485,6 +487,8 @@ func TestGetAPIServerCommand(t *testing.T) {
"--storage-backend=etcd3", "--storage-backend=etcd3",
"--kubelet-preferred-address-types=InternalIP,ExternalIP,Hostname", "--kubelet-preferred-address-types=InternalIP,ExternalIP,Hostname",
"--experimental-bootstrap-token-auth=true", "--experimental-bootstrap-token-auth=true",
"--proxy-client-cert-file=/var/lib/certs/front-proxy-client.crt",
"--proxy-client-key-file=/var/lib/certs/front-proxy-client.key",
"--requestheader-username-headers=X-Remote-User", "--requestheader-username-headers=X-Remote-User",
"--requestheader-group-headers=X-Remote-Group", "--requestheader-group-headers=X-Remote-Group",
"--requestheader-extra-headers-prefix=X-Remote-Extra-", "--requestheader-extra-headers-prefix=X-Remote-Extra-",
@ -518,6 +522,8 @@ func TestGetAPIServerCommand(t *testing.T) {
"--storage-backend=etcd3", "--storage-backend=etcd3",
"--kubelet-preferred-address-types=InternalIP,ExternalIP,Hostname", "--kubelet-preferred-address-types=InternalIP,ExternalIP,Hostname",
"--experimental-bootstrap-token-auth=true", "--experimental-bootstrap-token-auth=true",
"--proxy-client-cert-file=/var/lib/certs/front-proxy-client.crt",
"--proxy-client-key-file=/var/lib/certs/front-proxy-client.key",
"--requestheader-username-headers=X-Remote-User", "--requestheader-username-headers=X-Remote-User",
"--requestheader-group-headers=X-Remote-Group", "--requestheader-group-headers=X-Remote-Group",
"--requestheader-extra-headers-prefix=X-Remote-Extra-", "--requestheader-extra-headers-prefix=X-Remote-Extra-",