Disable anonymous-auth
- Turn off anonymous-auth. - Rework the haproxy helm test and update the test images. - Rework the kubernetes-apiserver readiness and liveness probes. Change-Id: Ifb39ebed0f9f6e430e97247fceebbd7816f092c7
This commit is contained in:
parent
0b0e0ee164
commit
6fa106fe2a
|
@ -64,11 +64,16 @@ spec:
|
||||||
- /tmp/bin/pre_stop
|
- /tmp/bin/pre_stop
|
||||||
|
|
||||||
readinessProbe:
|
readinessProbe:
|
||||||
httpGet:
|
exec:
|
||||||
host: 127.0.0.1
|
command:
|
||||||
path: /healthz
|
- /bin/bash
|
||||||
port: {{ .Values.network.kubernetes_apiserver.port }}
|
- -c
|
||||||
scheme: HTTPS
|
- |-
|
||||||
|
if [ ! -f /host{{ .Values.apiserver.host_etc_path }}/pki/apiserver-both.pem ]; then
|
||||||
|
cat /host{{ .Values.apiserver.host_etc_path }}/pki/apiserver-key.pem /host{{ .Values.apiserver.host_etc_path }}/pki/apiserver.pem > /etc/kubernetes/apiserver/pki/apiserver-both.pem
|
||||||
|
fi
|
||||||
|
echo -e 'GET /healthz HTTP/1.0\r\n' | socat - openssl:localhost:{{ .Values.network.kubernetes_apiserver.port }},cert=/host{{ .Values.apiserver.host_etc_path }}/pki/apiserver-both.pem,cafile=/host{{ .Values.apiserver.host_etc_path }}/pki/cluster-ca.pem | grep '200 OK'
|
||||||
|
exit $?
|
||||||
initialDelaySeconds: 10
|
initialDelaySeconds: 10
|
||||||
periodSeconds: 5
|
periodSeconds: 5
|
||||||
timeoutSeconds: 5
|
timeoutSeconds: 5
|
||||||
|
|
|
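Review bot: The combined certificate is written to a different path than the one the probe checks and uses: the guard tests `/host{{ .Values.apiserver.host_etc_path }}/pki/apiserver-both.pem` and socat reads that same file, but the `cat` redirect targets `/etc/kubernetes/apiserver/pki/apiserver-both.pem`. Unless that directory is a mount of the same host path (not visible here), the file is never created where it is looked for, so the probe fails on every run and rewrites the file each time; the redirect should be `> /host{{ .Values.apiserver.host_etc_path }}/pki/apiserver-both.pem`. The new file also carries the apiserver private key and is created with the container's default umask, so the block should start with `umask 077` (the same applies to the probes in the hunk at `@ -61,22 +61,32 @@`). The enclosing container spec continues outside the hunk.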
@ -39,7 +39,7 @@ spec:
|
||||||
- {{ . }}
|
- {{ . }}
|
||||||
{{- end }}
|
{{- end }}
|
||||||
- --advertise-address=$(POD_IP)
|
- --advertise-address=$(POD_IP)
|
||||||
- --anonymous-auth=true
|
- --anonymous-auth=false
|
||||||
- --bind-address=0.0.0.0
|
- --bind-address=0.0.0.0
|
||||||
- --secure-port={{ .Values.network.kubernetes_apiserver.port }}
|
- --secure-port={{ .Values.network.kubernetes_apiserver.port }}
|
||||||
- --insecure-port=0
|
- --insecure-port=0
|
||||||
|
@ -61,22 +61,32 @@ spec:
|
||||||
- containerPort: {{ .Values.network.kubernetes_apiserver.port }}
|
- containerPort: {{ .Values.network.kubernetes_apiserver.port }}
|
||||||
|
|
||||||
readinessProbe:
|
readinessProbe:
|
||||||
httpGet:
|
exec:
|
||||||
host: 127.0.0.1
|
command:
|
||||||
path: /healthz
|
- /bin/bash
|
||||||
port: {{ .Values.network.kubernetes_apiserver.port }}
|
- -c
|
||||||
scheme: HTTPS
|
- |-
|
||||||
|
if [ ! -f /etc/kubernetes/apiserver/pki/apiserver-both.pem ]; then
|
||||||
|
cat /etc/kubernetes/apiserver/pki/apiserver-key.pem /etc/kubernetes/apiserver/pki/apiserver.pem > /etc/kubernetes/apiserver/pki/apiserver-both.pem
|
||||||
|
fi
|
||||||
|
echo -e 'GET /healthz HTTP/1.0\r\n' | socat - openssl:localhost:{{ .Values.network.kubernetes_apiserver.port }},cert=/etc/kubernetes/apiserver/pki/apiserver-both.pem,cafile=/etc/kubernetes/apiserver/pki/cluster-ca.pem | grep '200 OK'
|
||||||
|
exit $?
|
||||||
initialDelaySeconds: 10
|
initialDelaySeconds: 10
|
||||||
periodSeconds: 5
|
periodSeconds: 5
|
||||||
timeoutSeconds: 5
|
timeoutSeconds: 5
|
||||||
|
|
||||||
livenessProbe:
|
livenessProbe:
|
||||||
|
exec:
|
||||||
|
command:
|
||||||
|
- /bin/bash
|
||||||
|
- -c
|
||||||
|
- |-
|
||||||
|
if [ ! -f /etc/kubernetes/apiserver/pki/apiserver-both.pem ]; then
|
||||||
|
cat /etc/kubernetes/apiserver/pki/apiserver-key.pem /etc/kubernetes/apiserver/pki/apiserver.pem > /etc/kubernetes/apiserver/pki/apiserver-both.pem
|
||||||
|
fi
|
||||||
|
echo -e 'GET /healthz HTTP/1.0\r\n' | socat - openssl:localhost:{{ .Values.network.kubernetes_apiserver.port }},cert=/etc/kubernetes/apiserver/pki/apiserver-both.pem,cafile=/etc/kubernetes/apiserver/pki/cluster-ca.pem | grep '200 OK'
|
||||||
|
exit $?
|
||||||
failureThreshold: 2
|
failureThreshold: 2
|
||||||
httpGet:
|
|
||||||
host: 127.0.0.1
|
|
||||||
path: /healthz
|
|
||||||
port: {{ .Values.network.kubernetes_apiserver.port }}
|
|
||||||
scheme: HTTPS
|
|
||||||
initialDelaySeconds: 15
|
initialDelaySeconds: 15
|
||||||
periodSeconds: 10
|
periodSeconds: 10
|
||||||
successThreshold: 1
|
successThreshold: 1
|
||||||
|
|
|
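Review bot: The readiness and liveness probes both perform the same check-then-write on `/etc/kubernetes/apiserver/pki/apiserver-both.pem`, and with periods of 5s and 10s they can run concurrently, so one probe may hand socat a partially written file while the other is still writing it. Writing to a temporary name and renaming makes the step atomic and lets the key-bearing file be created with restrictive permissions: `umask 077` followed by `cat /etc/kubernetes/apiserver/pki/apiserver-key.pem /etc/kubernetes/apiserver/pki/apiserver.pem > /etc/kubernetes/apiserver/pki/apiserver-both.pem.tmp && mv /etc/kubernetes/apiserver/pki/apiserver-both.pem.tmp /etc/kubernetes/apiserver/pki/apiserver-both.pem`. The `! -f` guard also means the combined file is never refreshed after the key or certificate is rotated, so a stale client credential would be presented until the file is removed by hand; a comment stating that assumption, or a comparison against the source files, would help. The liveness probe's `timeoutSeconds`, if any, is not visible in the hunk, so confirm that a socat hang on a wedged listener is bounded.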
@ -33,7 +33,7 @@ spec:
|
||||||
fieldRef:
|
fieldRef:
|
||||||
fieldPath: status.hostIP
|
fieldPath: status.hostIP
|
||||||
- name: 'HAPROXY_URL'
|
- name: 'HAPROXY_URL'
|
||||||
value: https://$(HOST_IP):{{ .Values.endpoints.health.port }}/{{ .Values.endpoints.health.path }}
|
value: https://$(HOST_IP):{{ .Values.endpoints.health.port }}
|
||||||
image: {{ .Values.images.tags.test }}
|
image: {{ .Values.images.tags.test }}
|
||||||
imagePullPolicy: {{ .Values.images.pull_policy }}
|
imagePullPolicy: {{ .Values.images.pull_policy }}
|
||||||
{{ tuple . .Values.pod.resources.test | include "helm-toolkit.snippets.kubernetes_resources" | indent 6 }}
|
{{ tuple . .Values.pod.resources.test | include "helm-toolkit.snippets.kubernetes_resources" | indent 6 }}
|
||||||
|
|
|
@ -70,7 +70,6 @@ manifests:
|
||||||
endpoints:
|
endpoints:
|
||||||
health:
|
health:
|
||||||
port: 6553
|
port: 6553
|
||||||
path: "healthz"
|
|
||||||
|
|
||||||
pod:
|
pod:
|
||||||
lifecycle:
|
lifecycle:
|
||||||
|
|
|
@ -613,7 +613,7 @@ data:
|
||||||
tags:
|
tags:
|
||||||
anchor: gcr.io/google_containers/hyperkube-amd64:v1.10.2
|
anchor: gcr.io/google_containers/hyperkube-amd64:v1.10.2
|
||||||
haproxy: haproxy:1.8.3
|
haproxy: haproxy:1.8.3
|
||||||
test: busybox:1.28.3
|
test: python:3.6
|
||||||
|
|
||||||
source:
|
source:
|
||||||
type: local
|
type: local
|
||||||
|
|
|
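Review bot: `test: python:3.6` is a floating minor-version tag, whereas the neighbouring `anchor` and `haproxy` tags are pinned to a specific release, so the test image can change underneath the chart without any values change. Pinning to a patch tag or an image digest keeps the helm test reproducible and auditable; the same applies to the hunk at `@ -647,7 +647,7 @@`.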
@ -647,7 +647,7 @@ data:
|
||||||
tags:
|
tags:
|
||||||
anchor: gcr.io/google_containers/hyperkube-amd64:v1.10.2
|
anchor: gcr.io/google_containers/hyperkube-amd64:v1.10.2
|
||||||
haproxy: haproxy:1.8.3
|
haproxy: haproxy:1.8.3
|
||||||
test: busybox:1.28.3
|
test: python:3.6
|
||||||
|
|
||||||
source:
|
source:
|
||||||
type: local
|
type: local
|
||||||
|
|
|
@ -124,7 +124,7 @@ spec:
|
||||||
- --advertise-address={{ config['Genesis:ip'] }}
|
- --advertise-address={{ config['Genesis:ip'] }}
|
||||||
- --authorization-mode=Node,RBAC
|
- --authorization-mode=Node,RBAC
|
||||||
- --admission-control=NamespaceLifecycle,LimitRanger,ServiceAccount,PersistentVolumeLabel,DefaultStorageClass,ResourceQuota,DefaultTolerationSeconds
|
- --admission-control=NamespaceLifecycle,LimitRanger,ServiceAccount,PersistentVolumeLabel,DefaultStorageClass,ResourceQuota,DefaultTolerationSeconds
|
||||||
- --anonymous-auth=true
|
- --anonymous-auth=false
|
||||||
- --client-ca-file=/etc/kubernetes/apiserver/pki/cluster-ca.pem
|
- --client-ca-file=/etc/kubernetes/apiserver/pki/cluster-ca.pem
|
||||||
- --kubelet-certificate-authority=/etc/kubernetes/apiserver/pki/cluster-ca.pem
|
- --kubelet-certificate-authority=/etc/kubernetes/apiserver/pki/cluster-ca.pem
|
||||||
- --kubelet-client-certificate=/etc/kubernetes/apiserver/pki/apiserver.pem
|
- --kubelet-client-certificate=/etc/kubernetes/apiserver/pki/apiserver.pem
|
||||||
|
|
|
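Review bot: Setting `--anonymous-auth=false` on this static-pod apiserver rejects any unauthenticated request to `/healthz`, and this manifest's own probes, if it has any, lie outside the hunk; the commit reworks the chart probes to present a client certificate, but nothing here shows the equivalent for this manifest or for the matching hunk at `@ -20,7 +20,7 @@`. Confirm that no kubelet `httpGet` probe or external health check still relies on anonymous access to this endpoint, or it will start failing after this change.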
@ -20,7 +20,7 @@ spec:
|
||||||
- --advertise-address={{ config['Genesis:ip'] }}
|
- --advertise-address={{ config['Genesis:ip'] }}
|
||||||
- --authorization-mode=Node,RBAC
|
- --authorization-mode=Node,RBAC
|
||||||
- --admission-control=NamespaceLifecycle,LimitRanger,ServiceAccount,PersistentVolumeLabel,DefaultStorageClass,ResourceQuota,DefaultTolerationSeconds
|
- --admission-control=NamespaceLifecycle,LimitRanger,ServiceAccount,PersistentVolumeLabel,DefaultStorageClass,ResourceQuota,DefaultTolerationSeconds
|
||||||
- --anonymous-auth=true
|
- --anonymous-auth=false
|
||||||
- --client-ca-file=/etc/kubernetes/apiserver/pki/cluster-ca.pem
|
- --client-ca-file=/etc/kubernetes/apiserver/pki/cluster-ca.pem
|
||||||
- --kubelet-certificate-authority=/etc/kubernetes/apiserver/pki/cluster-ca.pem
|
- --kubelet-certificate-authority=/etc/kubernetes/apiserver/pki/cluster-ca.pem
|
||||||
- --kubelet-client-certificate=/etc/kubernetes/apiserver/pki/apiserver.pem
|
- --kubelet-client-certificate=/etc/kubernetes/apiserver/pki/apiserver.pem
|
||||||
|
|