- add a new kops secret command to store encryption config
- add the experimential-encryption-provider-config flag to the kube-apiserver
- add functionality to nodeup to create the stored encryption config in the correct path
This enables external admission controller webhooks, api aggregation,
and anything else that relies on the
--proxy-client-cert-file/--proxy-client-key-file apiserver args.
The current implementation does not put any transport security on the etcd cluster. The PR provides and optional flag to enable TLS the etcd cluster
- cleaned up and fixed any formatting issues on the journey
- added two new certificates (server/client) for etcd peers and a client certificate for kubeapi and others perhaps (perhaps calico?)
- disabled the protokube service for nodes completely is not required; note this was first raised in https://github.com/kubernetes/kops/pull/3091, but figured it would be easier to place in here given the relation
- updated protokube codebase to reflect the changes, removing the master option as its no longer required
- added additional integretion tests for the protokube manifests;
- note, still need to add documentation, but opening the PR to get feedback
- one outstanding issue is the migration from http -> https for preexisting clusters, i'm gonna hit the coreos board to ask for the best options
This adds a well-known secret name `nodedockercfg` which will automatically
be used if present to create /root/.docker/config.json on all nodes. This will
allow private registries to be used for kops hooks as well as any k8s images
without the need to define `imagePullSecrets` in every namespace.
closes https://github.com/kubernetes/kops/issues/2505
As present a number of secrets are downloaded to the /src/kubernetes directory regardless of role (master, node). This limits the
the node role to only donwload the ca.crt. The rest are for master nodes only
- removes basic_auth.csv, ca.key, known_tokens.csv, server.cert and server.key leaving only the ca.crt
Ciprian Hacman
John Gardiner Myers
Justin SB
mikesplain
Rohith
k8s-ci-robot
Chris Phillips
Touch Ungboriboonpisal
Justin Santa Barbara
Kashif Saadat
georgebuckerfield
Torin Sandall
asifdxtreme
Blake