add proxy client-certs to kube-apiserver to allow it to proxy aggregated api servers

deads2k
2017-03-27 13:31:31 -04:00
parent d6c5f05954
commit d8be13fee8
2 changed files with 9 additions and 0 deletions


@@ -323,6 +323,9 @@ func getAPIServerCommand(cfg *kubeadmapi.MasterConfiguration, selfHosted bool) [
"requestheader-extra-headers-prefix": "X-Remote-Extra-", "requestheader-extra-headers-prefix": "X-Remote-Extra-",
"requestheader-client-ca-file": path.Join(cfg.CertificatesDir, kubeadmconstants.FrontProxyCACertName), "requestheader-client-ca-file": path.Join(cfg.CertificatesDir, kubeadmconstants.FrontProxyCACertName),
"requestheader-allowed-names": "front-proxy-client", "requestheader-allowed-names": "front-proxy-client",
// add options which allow the kube-apiserver to act as a front-proxy to aggregated API servers
"proxy-client-cert-file": path.Join(cfg.CertificatesDir, kubeadmconstants.FrontProxyClientCertName),
"proxy-client-key-file": path.Join(cfg.CertificatesDir, kubeadmconstants.FrontProxyClientKeyName),
} }
command = getComponentBaseCommand(apiServer) command = getComponentBaseCommand(apiServer)
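Review bot: The two `proxy-client-*` entries go into the default argument map unconditionally, and nothing visible in this hunk confirms that the front-proxy client key pair exists under `cfg.CertificatesDir` before the manifest is written; if the certificate phase (outside this view) does not create it, for instance with a user-supplied certificates directory, kube-apiserver would presumably fail at startup. This key pair is the credential with which the apiserver asserts `X-Remote-User`/`X-Remote-Group` identities to aggregated API servers, so the comment should state what it has to match: `// client cert/key presented when proxying to aggregated API servers; must be signed by the front-proxy CA and carry a CN listed in requestheader-allowed-names`. Anyone able to read the key can present arbitrary identities to a server that trusts that CA, so the key file should be readable only by the apiserver. The body of getAPIServerCommand starts and ends outside the hunk.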


@@ -453,6 +453,8 @@ func TestGetAPIServerCommand(t *testing.T) {
"--storage-backend=etcd3", "--storage-backend=etcd3",
"--kubelet-preferred-address-types=InternalIP,ExternalIP,Hostname", "--kubelet-preferred-address-types=InternalIP,ExternalIP,Hostname",
"--experimental-bootstrap-token-auth=true", "--experimental-bootstrap-token-auth=true",
"--proxy-client-cert-file=/var/lib/certs/front-proxy-client.crt",
"--proxy-client-key-file=/var/lib/certs/front-proxy-client.key",
"--requestheader-username-headers=X-Remote-User", "--requestheader-username-headers=X-Remote-User",
"--requestheader-group-headers=X-Remote-Group", "--requestheader-group-headers=X-Remote-Group",
"--requestheader-extra-headers-prefix=X-Remote-Extra-", "--requestheader-extra-headers-prefix=X-Remote-Extra-",
@@ -485,6 +487,8 @@ func TestGetAPIServerCommand(t *testing.T) {
"--storage-backend=etcd3", "--storage-backend=etcd3",
"--kubelet-preferred-address-types=InternalIP,ExternalIP,Hostname", "--kubelet-preferred-address-types=InternalIP,ExternalIP,Hostname",
"--experimental-bootstrap-token-auth=true", "--experimental-bootstrap-token-auth=true",
"--proxy-client-cert-file=/var/lib/certs/front-proxy-client.crt",
"--proxy-client-key-file=/var/lib/certs/front-proxy-client.key",
"--requestheader-username-headers=X-Remote-User", "--requestheader-username-headers=X-Remote-User",
"--requestheader-group-headers=X-Remote-Group", "--requestheader-group-headers=X-Remote-Group",
"--requestheader-extra-headers-prefix=X-Remote-Extra-", "--requestheader-extra-headers-prefix=X-Remote-Extra-",
@@ -518,6 +522,8 @@ func TestGetAPIServerCommand(t *testing.T) {
"--storage-backend=etcd3", "--storage-backend=etcd3",
"--kubelet-preferred-address-types=InternalIP,ExternalIP,Hostname", "--kubelet-preferred-address-types=InternalIP,ExternalIP,Hostname",
"--experimental-bootstrap-token-auth=true", "--experimental-bootstrap-token-auth=true",
"--proxy-client-cert-file=/var/lib/certs/front-proxy-client.crt",
"--proxy-client-key-file=/var/lib/certs/front-proxy-client.key",
"--requestheader-username-headers=X-Remote-User", "--requestheader-username-headers=X-Remote-User",
"--requestheader-group-headers=X-Remote-Group", "--requestheader-group-headers=X-Remote-Group",
"--requestheader-extra-headers-prefix=X-Remote-Extra-", "--requestheader-extra-headers-prefix=X-Remote-Extra-",