Disable anonymous-auth
- Turn off anonymous-auth. - Reworked haproxy helm test and updated test images. - Reworked kubernetes-apiserver readiness and liveness tests. Change-Id: Ifb39ebed0f9f6e430e97247fceebbd7816f092c7
parent
0b0e0ee164
commit
6fa106fe2a
|
@ -64,11 +64,16 @@ spec:
|
|||
- /tmp/bin/pre_stop
|
||||
|
||||
readinessProbe:
|
||||
httpGet:
|
||||
host: 127.0.0.1
|
||||
path: /healthz
|
||||
port: {{ .Values.network.kubernetes_apiserver.port }}
|
||||
scheme: HTTPS
|
||||
exec:
|
||||
command:
|
||||
- /bin/bash
|
||||
- -c
|
||||
- |-
|
||||
if [ ! -f /host{{ .Values.apiserver.host_etc_path }}/pki/apiserver-both.pem ]; then
|
||||
cat /host{{ .Values.apiserver.host_etc_path }}/pki/apiserver-key.pem /host{{ .Values.apiserver.host_etc_path }}/pki/apiserver.pem > /etc/kubernetes/apiserver/pki/apiserver-both.pem
|
||||
fi
|
||||
echo -e 'GET /healthz HTTP/1.0\r\n' | socat - openssl:localhost:{{ .Values.network.kubernetes_apiserver.port }},cert=/host{{ .Values.apiserver.host_etc_path }}/pki/apiserver-both.pem,cafile=/host{{ .Values.apiserver.host_etc_path }}/pki/cluster-ca.pem | grep '200 OK'
|
||||
exit $?
|
||||
initialDelaySeconds: 10
|
||||
periodSeconds: 5
|
||||
timeoutSeconds: 5
|
||||
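Review bot: The new readiness command tests for and reads `apiserver-both.pem` under `/host{{ .Values.apiserver.host_etc_path }}/pki/`, but the `cat` writes it to `/etc/kubernetes/apiserver/pki/apiserver-both.pem`. Unless both paths resolve to the same directory (not visible in this hunk), the bundle is never created where socat looks for it and the probe cannot pass. Writing the bundle also leaves a second copy of the API server private key on disk, with whatever mode the shell's umask gives it. socat's OpenSSL address accepts the key as a separate option, so the probe could skip the bundle entirely: `cert=<pki-dir>/apiserver.pem,key=<pki-dir>/apiserver-key.pem,cafile=<pki-dir>/cluster-ca.pem`, where `<pki-dir>` stands for the mounted PKI path. The key-copy concern applies equally to the readiness and liveness probes in the `@ -61,22 +61,32 @` hunk.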
|
|
|
@ -39,7 +39,7 @@ spec:
|
|||
- {{ . }}
|
||||
{{- end }}
|
||||
- --advertise-address=$(POD_IP)
|
||||
- --anonymous-auth=true
|
||||
- --anonymous-auth=false
|
||||
- --bind-address=0.0.0.0
|
||||
- --secure-port={{ .Values.network.kubernetes_apiserver.port }}
|
||||
- --insecure-port=0
|
||||
|
@ -61,22 +61,32 @@ spec:
|
|||
- containerPort: {{ .Values.network.kubernetes_apiserver.port }}
|
||||
|
||||
readinessProbe:
|
||||
httpGet:
|
||||
host: 127.0.0.1
|
||||
path: /healthz
|
||||
port: {{ .Values.network.kubernetes_apiserver.port }}
|
||||
scheme: HTTPS
|
||||
exec:
|
||||
command:
|
||||
- /bin/bash
|
||||
- -c
|
||||
- |-
|
||||
if [ ! -f /etc/kubernetes/apiserver/pki/apiserver-both.pem ]; then
|
||||
cat /etc/kubernetes/apiserver/pki/apiserver-key.pem /etc/kubernetes/apiserver/pki/apiserver.pem > /etc/kubernetes/apiserver/pki/apiserver-both.pem
|
||||
fi
|
||||
echo -e 'GET /healthz HTTP/1.0\r\n' | socat - openssl:localhost:{{ .Values.network.kubernetes_apiserver.port }},cert=/etc/kubernetes/apiserver/pki/apiserver-both.pem,cafile=/etc/kubernetes/apiserver/pki/cluster-ca.pem | grep '200 OK'
|
||||
exit $?
|
||||
initialDelaySeconds: 10
|
||||
periodSeconds: 5
|
||||
timeoutSeconds: 5
|
||||
|
||||
livenessProbe:
|
||||
exec:
|
||||
command:
|
||||
- /bin/bash
|
||||
- -c
|
||||
- |-
|
||||
if [ ! -f /etc/kubernetes/apiserver/pki/apiserver-both.pem ]; then
|
||||
cat /etc/kubernetes/apiserver/pki/apiserver-key.pem /etc/kubernetes/apiserver/pki/apiserver.pem > /etc/kubernetes/apiserver/pki/apiserver-both.pem
|
||||
fi
|
||||
echo -e 'GET /healthz HTTP/1.0\r\n' | socat - openssl:localhost:{{ .Values.network.kubernetes_apiserver.port }},cert=/etc/kubernetes/apiserver/pki/apiserver-both.pem,cafile=/etc/kubernetes/apiserver/pki/cluster-ca.pem | grep '200 OK'
|
||||
exit $?
|
||||
failureThreshold: 2
|
||||
httpGet:
|
||||
host: 127.0.0.1
|
||||
path: /healthz
|
||||
port: {{ .Values.network.kubernetes_apiserver.port }}
|
||||
scheme: HTTPS
|
||||
initialDelaySeconds: 15
|
||||
periodSeconds: 10
|
||||
successThreshold: 1
|
||||
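Review bot: The `[ ! -f … ]` guard in both probes builds `apiserver-both.pem` once and never refreshes it, so after `apiserver.pem` and `apiserver-key.pem` are rotated the probes keep presenting the old certificate. This matters most for the liveness probe: once the stale copy expires or no longer validates, two failed checks (`failureThreshold: 2`) make the kubelet restart an otherwise healthy API server. Rebuilding the bundle on every run, or passing the certificate and key to socat as separate `cert=`/`key=` options, removes that stale state. No `timeoutSeconds` is visible for the liveness probe within the hunk, unlike the readiness probe's `timeoutSeconds: 5`; setting the same value would keep the two exec checks consistent.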
|
|
|
@ -33,7 +33,7 @@ spec:
|
|||
fieldRef:
|
||||
fieldPath: status.hostIP
|
||||
- name: 'HAPROXY_URL'
|
||||
value: https://$(HOST_IP):{{ .Values.endpoints.health.port }}/{{ .Values.endpoints.health.path }}
|
||||
value: https://$(HOST_IP):{{ .Values.endpoints.health.port }}
|
||||
image: {{ .Values.images.tags.test }}
|
||||
imagePullPolicy: {{ .Values.images.pull_policy }}
|
||||
{{ tuple . .Values.pod.resources.test | include "helm-toolkit.snippets.kubernetes_resources" | indent 6 }}
|
||||
|
|
|
@ -70,7 +70,6 @@ manifests:
|
|||
endpoints:
|
||||
health:
|
||||
port: 6553
|
||||
path: "healthz"
|
||||
|
||||
pod:
|
||||
lifecycle:
|
||||
|
|
|
@ -613,7 +613,7 @@ data:
|
|||
tags:
|
||||
anchor: gcr.io/google_containers/hyperkube-amd64:v1.10.2
|
||||
haproxy: haproxy:1.8.3
|
||||
test: busybox:1.28.3
|
||||
test: python:3.6
|
||||
|
||||
source:
|
||||
type: local
|
||||
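Review bot: `test: python:3.6` is a floating tag, whereas the replaced `busybox:1.28.3` and the neighbouring `haproxy:1.8.3` and `hyperkube-amd64:v1.10.2` entries are pinned to a patch release. The test pod will run whatever image that tag points to at pull time, which makes the helm test non-reproducible and widens the supply-chain surface of a pod that talks to the HAProxy endpoint. Pinning to a full patch tag or a digest reference (`python:3.6.<patch>` or `python@sha256:<digest>`) would restore the previous level of pinning. The same applies to the identical change in the `@ -647,7 +647,7 @` hunk.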
|
|
|
@ -647,7 +647,7 @@ data:
|
|||
tags:
|
||||
anchor: gcr.io/google_containers/hyperkube-amd64:v1.10.2
|
||||
haproxy: haproxy:1.8.3
|
||||
test: busybox:1.28.3
|
||||
test: python:3.6
|
||||
|
||||
source:
|
||||
type: local
|
||||
|
|
|
@ -124,7 +124,7 @@ spec:
|
|||
- --advertise-address={{ config['Genesis:ip'] }}
|
||||
- --authorization-mode=Node,RBAC
|
||||
- --admission-control=NamespaceLifecycle,LimitRanger,ServiceAccount,PersistentVolumeLabel,DefaultStorageClass,ResourceQuota,DefaultTolerationSeconds
|
||||
- --anonymous-auth=true
|
||||
- --anonymous-auth=false
|
||||
- --client-ca-file=/etc/kubernetes/apiserver/pki/cluster-ca.pem
|
||||
- --kubelet-certificate-authority=/etc/kubernetes/apiserver/pki/cluster-ca.pem
|
||||
- --kubelet-client-certificate=/etc/kubernetes/apiserver/pki/apiserver.pem
|
||||
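Review bot: With `--anonymous-auth=false`, requests that present no credentials are rejected, so any health check against this API server that does not send a client certificate or token will start failing. The probe definitions for this manifest lie outside the hunk; if they still use `httpGet` on `/healthz`, as the chart templates did before this commit, they need the same authenticated check. A short comment next to the flag, such as `# anonymous requests are rejected; probes and health checks must authenticate`, would record that dependency. The same applies to the identical change in the `@ -20,7 +20,7 @` hunk.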
|
|
|
@ -20,7 +20,7 @@ spec:
|
|||
- --advertise-address={{ config['Genesis:ip'] }}
|
||||
- --authorization-mode=Node,RBAC
|
||||
- --admission-control=NamespaceLifecycle,LimitRanger,ServiceAccount,PersistentVolumeLabel,DefaultStorageClass,ResourceQuota,DefaultTolerationSeconds
|
||||
- --anonymous-auth=true
|
||||
- --anonymous-auth=false
|
||||
- --client-ca-file=/etc/kubernetes/apiserver/pki/cluster-ca.pem
|
||||
- --kubelet-certificate-authority=/etc/kubernetes/apiserver/pki/cluster-ca.pem
|
||||
- --kubelet-client-certificate=/etc/kubernetes/apiserver/pki/apiserver.pem
|
||||
|
|