Merge pull request #41667 from mikedanese/certs

Automatic merge from submit-queue (batch tested with PRs 41667, 41820, 40910, 41645, 41361) refactor certs in GCE to break up usages TODO: debian
2017-02-23 20:57:27 -08:00
parent 072e68f0a6 192392bddd
commit e70d23db2a
4 changed files with 119 additions and 45 deletions
--- a/cluster/saltbase/salt/kubelet/default
+++ b/cluster/saltbase/salt/kubelet/default
@@ -188,7 +188,7 @@
  {% set eviction_hard="--eviction-hard=" + pillar['eviction_hard'] %}
 {% endif -%}

-{% set kubelet_auth = "--anonymous-auth=false --authorization-mode=Webhook --client-ca-file=/var/lib/kubelet/ca.crt" %}
+{% set kubelet_auth = "--anonymous-auth=false --authorization-mode=Webhook --client-ca-file=" + pillar.get('ca_cert_bundle_path', '/var/lib/kubelet/ca.crt') %}

 # test_args has to be kept at the end, so they'll overwrite any prior configuration
 DAEMON_ARGS="{{daemon_args}} {{api_servers_with_port}} {{debugging_handlers}} {{hostname_override}} {{cloud_provider}} {{cloud_config}} {{config}} {{manifest_url}} --allow-privileged={{pillar['allow_privileged']}} {{log_level}} {{cluster_dns}} {{cluster_domain}} {{docker_root}} {{kubelet_root}}  {{non_masquerade_cidr}} {{cgroup_root}} {{system_container}} {{pod_cidr}} {{ master_kubelet_args }} {{cpu_cfs_quota}} {{network_plugin}} {{kubelet_port}} {{ hairpin_mode }} {{enable_custom_metrics}} {{runtime_container}} {{kubelet_container}} {{node_labels}} {{babysit_daemons}} {{eviction_hard}} {{kubelet_auth}} {{feature_gates}} {{test_args}}"
--- a/cluster/saltbase/salt/kubelet/init.sls
+++ b/cluster/saltbase/salt/kubelet/init.sls
@@ -31,6 +31,7 @@
    - mode: 400
    - makedirs: true

+{% if grains.cloud != 'gce' %}
 /var/lib/kubelet/ca.crt:
  file.managed:
    - source: salt://kubelet/ca.crt
@@ -38,6 +39,7 @@
    - group: root
    - mode: 400
    - makedirs: true
+{% endif %}

 {% if pillar.get('is_systemd') %}

@@ -59,7 +61,9 @@ fix-service-kubelet:
      - file: {{ pillar.get('systemd_system_path') }}/kubelet.service
      - file: {{ environment_file }}
      - file: /var/lib/kubelet/kubeconfig
+{% if grains.cloud != 'gce' %}
      - file: /var/lib/kubelet/ca.crt
+{% endif %}

 {% else %}

@@ -87,7 +91,9 @@ kubelet:
 {% endif %}
      - file: {{ environment_file }}
      - file: /var/lib/kubelet/kubeconfig
+{% if grains.cloud != 'gce' %}
      - file: /var/lib/kubelet/ca.crt
+{% endif %}
 {% if pillar.get('is_systemd') %}
    - provider:
      - service: systemd