WIP Kube 1.8.3 support (#21)

Kube 1.8.3 support

Author: scotty-c

CHANGELOG.md

@@ -1,7 +1,9 @@
+# Version 0.1.2
+Supports Kubernetes up to 1.8.x
+
 # Version 0.1.1
 Hotfix for kubeproxy
 
-
 # Version 0.1.0
 First release 
 Supports Kubernetes 1.6 - 1.7.5

manifests/cluster_roles.pp

@@ -3,7 +3,7 @@
 class kubernetes::cluster_roles (
 
   $bootstrap_controller = $kubernetes::bootstrap_controller,
-
+  $kubernetes_version = $kubernetes::kubernetes_version,
 ){
 
   if $bootstrap_controller {
@@ -31,5 +31,12 @@
     refreshonly => true,
     require     => File['/etc/kubernetes/manifests/clusterRoleBinding.yaml'],
     }
+
+  if $kubernetes_version =~ /1[.]8[.]\d/ {
+
+    exec { 'Create role biniding for system nodes':
+      command => 'kubectl set subject clusterrolebinding system:node --group=system:nodes',
+      }
+    }
   }
 }

manifests/config.pp

@@ -20,6 +20,7 @@
   $bootstrap_token_id = $kubernetes::bootstrap_token_id,
   $bootstrap_token_secret = $kubernetes::bootstrap_token_secret,
   $bootstrap_token_usage_bootstrap_authentication = $kubernetes::bootstrap_token_usage_bootstrap_authentication,
+  $bootstrap_token_expiration = $kubernetes::bootstrap_token_expiration,
   $bootstrap_token_usage_bootstrap_signing = $kubernetes::bootstrap_token_usage_bootstrap_signing,
   $certificate_authority_data = $kubernetes::certificate_authority_data,
   $client_certificate_data_controller = $kubernetes::client_certificate_data_controller,

manifests/init.pp

@@ -220,6 +220,7 @@
   $bootstrap_token_id =  $kubernetes::params::bootstrap_token_id,
   $bootstrap_token_secret =  $kubernetes::params::bootstrap_token_secret,
   $bootstrap_token_usage_bootstrap_authentication = $kubernetes::params::bootstrap_token_usage_bootstrap_authentication,
+  $bootstrap_token_expiration = $kubernetes::params::bootstrap_token_expiration,
   $bootstrap_token_usage_bootstrap_signing = $kubernetes::params::bootstrap_token_usage_bootstrap_signing,
   $certificate_authority_data = $kubernetes::params::certificate_authority_data,
   $client_certificate_data_controller = $kubernetes::params::client_certificate_data_controller,

manifests/kube_addons.pp

@@ -73,7 +73,7 @@
 
   if $install_dashboard {
     exec { 'Install Kubernetes dashboard':
-      command => 'kubectl create -f https://raw.githubusercontent.com/kubernetes/dashboard/v1.6.3/src/deploy/kubernetes-dashboard.yaml',
+      command => 'kubectl apply -f https://raw.githubusercontent.com/kubernetes/dashboard/master/src/deploy/recommended/kubernetes-dashboard.yaml',
       onlyif  => 'kubectl get nodes',
       unless  => 'kubectl -n kube-system get pods | grep kubernetes-dashboard',
       }

manifests/params.pp

@@ -31,6 +31,7 @@
 $bootstrap_token_id = undef
 $bootstrap_token_secret = undef
 $bootstrap_token_usage_bootstrap_authentication = undef
+$bootstrap_token_expiration = undef
 $bootstrap_token_usage_bootstrap_signing = undef
 $certificate_authority_data = undef
 $client_certificate_data_controller = undef

metadata.json

@@ -1,6 +1,6 @@
 {
   "name": "puppetlabs-kubernetes",
-  "version": "0.1.1",
+  "version": "0.1.2",
   "author": "Puppet",
   "summary": "The module installs and configures a Kubernetes cluster",
   "license": "Apache-2.0",

spec/classes/cluster_roles_spec.rb

@@ -2,9 +2,9 @@
 describe 'kubernetes::cluster_roles', :type => :class do
 
   context 'with bootstrap_controller => true' do
-    let(:params) { { 'bootstrap_controller' => true } }
+	  let(:params) { { 'bootstrap_controller' => true, 'kubernetes_version' => '1.7.3' } }
 
       it { should contain_exec('Create kube bootstrap token') }
       it { should contain_exec('Create kube proxy cluster bindings') }
   end
-end
+end

spec/classes/config_spec.rb

@@ -32,6 +32,7 @@
       'bootstrap_token_secret' => 'foo',
       'bootstrap_token_usage_bootstrap_authentication' => 'foo',
       'bootstrap_token_usage_bootstrap_signing' => 'foo',
+      'bootstrap_token_expiration' => 'foo',
       'certificate_authority_data' => 'foo',
       'client_certificate_data_controller' => 'foo',
       'client_certificate_data_controller_manager' => 'foo',
@@ -131,4 +132,4 @@
       it { should contain_file("/etc/kubernetes/pki/#{kube_pki_file}") }
     end
   end
-end
+end

templates/clusterRoleBinding.yaml.erb

@@ -1,7 +1,7 @@
 apiVersion: rbac.authorization.k8s.io/v1beta1
 kind: ClusterRoleBinding
 metadata:
-  name: kube-master:node-proxier
+  name: <%= @hostname %>:node-proxier
 roleRef:
   apiGroup: rbac.authorization.k8s.io
   kind: ClusterRole

templates/kube-apiserver.yaml.erb

@@ -30,7 +30,8 @@ spec:
     - --admission-control=NamespaceLifecycle,LimitRanger,ServiceAccount,PersistentVolumeLabel,DefaultStorageClass,ResourceQuota,DefaultTolerationSeconds
     - --requestheader-username-headers=X-Remote-User
     - --requestheader-allowed-names=front-proxy-client
-    - --authorization-mode=RBAC
+    <% if @kubernetes_version =~ /1[.]8[.]\d/ -%>- --authorization-mode=Node,RBAC<% end %> 
+    <% if @kubernetes_version =~ /1[.](6|7)[.]\d/ -%>- --authorization-mode=RBAC<% end %>
     - --advertise-address=<%= @kube_api_advertise_address  %>
     - --etcd-servers=http://127.0.0.1:2379
     image: gcr.io/google_containers/kube-apiserver-amd64:v<%= @kubernetes_version  %>

templates/kubelet.conf.erb

@@ -8,13 +8,13 @@ clusters:
 contexts:
 - context:
     cluster: kubernetes
-    user: system:node:kube-master
-  name: system:node:kube-master@kubernetes
-current-context: system:node:kube-master@kubernetes
+    user: system:node:<%= @hostname %>
+  name: system:node:<%= @hostname %>@kubernetes
+current-context: system:node:<%= @hostname %>@kubernetes
 kind: Config
 preferences: {}
 users:
-- name: system:node:kube-master
+- name: system:node:<%= @hostname %>
   user:
     client-certificate-data: <%= @client_certificate_data_controller  %>
     client-key-data: <%= @client_key_data_controller  %>

templates/secrets/bootstraptoken.yaml.erb

@@ -11,3 +11,4 @@ data:
   expiration: <%= @bootstrap_token_expiration %>
   usage-bootstrap-authentication: <%= @bootstrap_token_usage_bootstrap_authentication %>
   usage-bootstrap-signing: <%= @bootstrap_token_usage_bootstrap_signing %>
+  auth-extra-groups: c3lzdGVtOjpub2RlOjprdWJlLW1hc3Rlcg==