Merge "Disable anonymous-auth"

charts/apiserver/templates/daemonset.yaml

@@ -64,11 +64,16 @@ spec:
                   - /tmp/bin/pre_stop
 
           readinessProbe:
-            httpGet:
-              host: 127.0.0.1
-              path: /healthz
-              port: {{ .Values.network.kubernetes_apiserver.port }}
-              scheme: HTTPS
+            exec:
+              command:
+              - /bin/bash
+              - -c
+              - |-
+                if [ ! -f /host{{ .Values.apiserver.host_etc_path }}/pki/apiserver-both.pem ]; then
+                  cat /host{{ .Values.apiserver.host_etc_path }}/pki/apiserver-key.pem /host{{ .Values.apiserver.host_etc_path }}/pki/apiserver.pem > /etc/kubernetes/apiserver/pki/apiserver-both.pem
+                fi
+                echo -e 'GET /healthz HTTP/1.0\r\n' | socat - openssl:localhost:{{ .Values.network.kubernetes_apiserver.port }},cert=/host{{ .Values.apiserver.host_etc_path }}/pki/apiserver-both.pem,cafile=/host{{ .Values.apiserver.host_etc_path }}/pki/cluster-ca.pem | grep '200 OK'
+                exit $?
             initialDelaySeconds: 10
             periodSeconds: 5
             timeoutSeconds: 5

charts/apiserver/templates/etc/_kubernetes-apiserver.yaml.tpl

@@ -39,7 +39,7 @@ spec:
         - {{ . }}
         {{- end }}
         - --advertise-address=$(POD_IP)
-        - --anonymous-auth=true
+        - --anonymous-auth=false
         - --bind-address=0.0.0.0
         - --secure-port={{ .Values.network.kubernetes_apiserver.port }}
         - --insecure-port=0
@@ -61,22 +61,32 @@ spec:
         - containerPort: {{ .Values.network.kubernetes_apiserver.port }}
 
       readinessProbe:
-        httpGet:
-          host: 127.0.0.1
-          path: /healthz
-          port: {{ .Values.network.kubernetes_apiserver.port }}
-          scheme: HTTPS
+        exec:
+          command:
+          - /bin/bash
+          - -c
+          - |-
+            if [ ! -f /etc/kubernetes/apiserver/pki/apiserver-both.pem ]; then
+              cat /etc/kubernetes/apiserver/pki/apiserver-key.pem /etc/kubernetes/apiserver/pki/apiserver.pem > /etc/kubernetes/apiserver/pki/apiserver-both.pem
+            fi
+            echo -e 'GET /healthz HTTP/1.0\r\n' | socat - openssl:localhost:{{ .Values.network.kubernetes_apiserver.port }},cert=/etc/kubernetes/apiserver/pki/apiserver-both.pem,cafile=/etc/kubernetes/apiserver/pki/cluster-ca.pem | grep '200 OK'
+            exit $?
         initialDelaySeconds: 10
         periodSeconds: 5
         timeoutSeconds: 5
 
       livenessProbe:
+        exec:
+          command:
+          - /bin/bash
+          - -c
+          - |-
+            if [ ! -f /etc/kubernetes/apiserver/pki/apiserver-both.pem ]; then
+              cat /etc/kubernetes/apiserver/pki/apiserver-key.pem /etc/kubernetes/apiserver/pki/apiserver.pem > /etc/kubernetes/apiserver/pki/apiserver-both.pem
+            fi
+            echo -e 'GET /healthz HTTP/1.0\r\n' | socat - openssl:localhost:{{ .Values.network.kubernetes_apiserver.port }},cert=/etc/kubernetes/apiserver/pki/apiserver-both.pem,cafile=/etc/kubernetes/apiserver/pki/cluster-ca.pem | grep '200 OK'
+            exit $?
         failureThreshold: 2
-        httpGet:
-          host: 127.0.0.1
-          path: /healthz
-          port: {{ .Values.network.kubernetes_apiserver.port }}
-          scheme: HTTPS
         initialDelaySeconds: 15
         periodSeconds: 10
         successThreshold: 1

charts/haproxy/templates/tests/test-haproxy-health.yaml

@@ -33,7 +33,7 @@ spec:
             fieldRef:
               fieldPath: status.hostIP
         - name: 'HAPROXY_URL'
-          value: https://$(HOST_IP):{{ .Values.endpoints.health.port }}/{{ .Values.endpoints.health.path }}
+          value: https://$(HOST_IP):{{ .Values.endpoints.health.port }}
       image: {{ .Values.images.tags.test }}
       imagePullPolicy: {{ .Values.images.pull_policy }}
 {{ tuple . .Values.pod.resources.test | include "helm-toolkit.snippets.kubernetes_resources" | indent 6 }}

charts/haproxy/values.yaml

@@ -70,7 +70,6 @@ manifests:
 endpoints:
   health:
     port: 6553
-    path: "healthz"
 
 pod:
   lifecycle:

examples/basic/armada-resources.yaml

@@ -613,7 +613,7 @@ data:
       tags:
         anchor: gcr.io/google_containers/hyperkube-amd64:v1.10.2
         haproxy: haproxy:1.8.3
-        test: busybox:1.28.3
+        test: python:3.6
 
   source:
     type: local

examples/complete/armada-resources.yaml

@@ -647,7 +647,7 @@ data:
       tags:
         anchor: gcr.io/google_containers/hyperkube-amd64:v1.10.2
         haproxy: haproxy:1.8.3
-        test: busybox:1.28.3
+        test: python:3.6
 
   source:
     type: local

promenade/templates/roles/genesis/etc/kubernetes/manifests/bootstrap-armada.yaml

@@ -124,7 +124,7 @@ spec:
       - --advertise-address={{ config['Genesis:ip'] }}
       - --authorization-mode=Node,RBAC
       - --admission-control=NamespaceLifecycle,LimitRanger,ServiceAccount,PersistentVolumeLabel,DefaultStorageClass,ResourceQuota,DefaultTolerationSeconds
-      - --anonymous-auth=true
+      - --anonymous-auth=false
       - --client-ca-file=/etc/kubernetes/apiserver/pki/cluster-ca.pem
       - --kubelet-certificate-authority=/etc/kubernetes/apiserver/pki/cluster-ca.pem
       - --kubelet-client-certificate=/etc/kubernetes/apiserver/pki/apiserver.pem

promenade/templates/roles/genesis/etc/kubernetes/manifests/kubernetes-apiserver.yaml

@@ -20,7 +20,7 @@ spec:
         - --advertise-address={{ config['Genesis:ip'] }}
         - --authorization-mode=Node,RBAC
         - --admission-control=NamespaceLifecycle,LimitRanger,ServiceAccount,PersistentVolumeLabel,DefaultStorageClass,ResourceQuota,DefaultTolerationSeconds
-        - --anonymous-auth=true
+        - --anonymous-auth=false
         - --client-ca-file=/etc/kubernetes/apiserver/pki/cluster-ca.pem
         - --kubelet-certificate-authority=/etc/kubernetes/apiserver/pki/cluster-ca.pem
         - --kubelet-client-certificate=/etc/kubernetes/apiserver/pki/apiserver.pem