kube-apiserver doesn't expose the healthcheck via a dedicated
endpoint, instead relying on anonyomous-access being enabled. That
has previously forced us to enable the unauthenticated endpoint on
127.0.0.1:8080.
Instead we now run a small sidecar container, which
proxies /healthz and /readyz requests (only) adding appropriate
authentication using a client certificate.
This will also enable better load balancer checks in future, as these
have previously been hampered by the custom CA certificate.
Co-authored-by: John Gardiner Myers <jgmyers@proofpoint.com>
We had a port collision on 3997; change the default memberlist ports
to avoid the collision (we haven't shipped a release with this in it).
Also create a go file so that we can use constants to keep track of
our port numbers, rather than magic values.
Refactor to start to centralize the env-var configuration for system
components, also start to add test coverage so we can be sure we
haven't broken things!
Should prevent the scenario where etcd-manager can't come up because of a different version.
Can be bypassed with the SkipEtcdVersionCheck feature flag.
update template
Update notes for digital ocean
Update TTL to 60 seconds and version upgrade to 0.1.15 for DO Cloud Controller Manager
Update review comments
Format go code
Justin SB