Merge pull request #7303 from erictune/kube_env3

kube-proxy uses token to access port 443 of apiserver

cluster/saltbase/salt/kube-proxy/default

@@ -2,11 +2,18 @@
 {% if grains['os_family'] == 'RedHat' -%}
 	{% set daemon_args = "" -%}
 {% endif -%}
-{% if grains.api_servers is defined -%}
-  {% set api_servers = "--master=http://" + grains.api_servers + ":7080" -%}
-{% else -%}
-  {% set ips = salt['mine.get']('roles:kubernetes-master', 'network.ip_addrs', 'grain').values() -%}
+{# TODO(azure-maintainer): add support for distributing kubeconfig with token to kube-proxy #}
+{# so it can use https #}
+{% if grains['cloud'] is defined and grains['cloud'] == 'azure' -%}
   {% set api_servers = "--master=http://" + ips[0][0] + ":7080" -%}
+  {% set kubeconfig = "" -%}
+{% else -%}
+  {% set kubeconfig = "--kubeconfig=/var/lib/kube-proxy/kubeconfig" -%}
+  {% if grains.api_servers is defined -%}
+    {% set api_servers = "--master=https://" + grains.api_servers -%}
+  {% else -%}
+    {% set ips = salt['mine.get']('roles:kubernetes-master', 'network.ip_addrs', 'grain').values() -%}
+    {% set api_servers = "--master=https://" + ips[0][0] -%}
+  {% endif -%}
 {% endif -%}
-
-DAEMON_ARGS="{{daemon_args}} {{api_servers}} {{pillar['log_level']}}"
+DAEMON_ARGS="{{daemon_args}} {{api_servers}} {{kubeconfig}} {{pillar['log_level']}}"

cluster/saltbase/salt/kube-proxy/init.sls

@@ -55,3 +55,12 @@ kube-proxy:
 {% if grains['os_family'] != 'RedHat' %}
       - file: /etc/init.d/kube-proxy
 {% endif %}
+      - file: /var/lib/kube-proxy/kubeconfig
+
+/var/lib/kube-proxy/kubeconfig:
+  file.managed:
+    - source: salt://kube-proxy/kubeconfig
+    - user: root
+    - group: root
+    - mode: 400
+    - makedirs: true