WIP. Adding metrics-server support for K8s version 1.9

inventory/group_vars/k8s-cluster.yml

@@ -192,3 +192,14 @@ persistent_volumes_enabled: false
 ## See https://github.com/kubernetes-incubator/kubespray/issues/2141
 ## Set this variable to true to get rid of this issue
 volume_cross_zone_attachment: false
+
+## Add options for metrics-server
+#apiserver_custom_flags:
+#  - --requestheader-client-ca-file=/etc/kubernetes/ssl/ca.pem
+#  - --requestheader-allowed-names=aggregator
+#  - "--requestheader-extra-headers-prefix=X-Remote-Extra-"
+#  - --requestheader-group-headers=X-Remote-Group
+#  - --requestheader-username-headers=X-Remote-User
+#  - --enable-aggregator-routing=true
+#  - --proxy-client-cert-file=/etc/kubernetes/ssl/aggregator-proxy-client.pem
+#  - --proxy-client-key-file=/etc/kubernetes/ssl/aggregator-proxy-client-key.pem

roles/kubernetes/secrets/files/make-ssl.sh

@@ -93,6 +93,8 @@ if [ -n "$MASTERS" ]; then
     gen_key_and_cert "kube-scheduler" "/CN=system:kube-scheduler"
     # kube-controller-manager
     gen_key_and_cert "kube-controller-manager" "/CN=system:kube-controller-manager"
+    # metrics aggregator
+    gen_key_and_cert "aggregator-proxy-client" "/CN=system:aggregator-proxy-client"
 
     for host in $MASTERS; do
         cn="${host%%.*}"

roles/kubernetes/secrets/tasks/check-certs.yml

@@ -26,6 +26,8 @@
     - kube-scheduler-key.pem
     - kube-controller-manager.pem
     - kube-controller-manager-key.pem
+    - aggregator-proxy-client.pem
+    - aggregator-proxy-client-key.pem
     - admin-{{ inventory_hostname }}.pem
     - admin-{{ inventory_hostname }}-key.pem
     - node-{{ inventory_hostname }}.pem
@@ -46,6 +48,8 @@
        '{{ kube_cert_dir }}/kube-scheduler-key.pem',
        '{{ kube_cert_dir }}/kube-controller-manager.pem',
        '{{ kube_cert_dir }}/kube-controller-manager-key.pem',
+       '{{ kube_cert_dir }}/aggregator-proxy-client.pem',
+       '{{ kube_cert_dir }}/aggregator-proxy-client-key.pem',
        {% for host in groups['kube-master'] %}
        '{{ kube_cert_dir }}/admin-{{ host }}.pem'
        '{{ kube_cert_dir }}/admin-{{ host }}-key.pem'
@@ -66,7 +70,7 @@
       {% set existing_certs = kubecert_master.files|map(attribute='path')|list|sort %}
       {% for cert in ['apiserver.pem', 'apiserver-key.pem', 'kube-scheduler.pem',
                       'kube-scheduler-key.pem', 'kube-controller-manager.pem',
-                      'kube-controller-manager-key.pem'] -%}
+                      'kube-controller-manager-key.pem','aggregator-proxy-client.pem','aggregator-proxy-client-key.pem'] -%}
         {% set cert_file = "%s/%s.pem"|format(kube_cert_dir, cert) %}
         {% if not cert_file in existing_certs -%}
         {%- set gen = True -%}

roles/kubernetes/secrets/tasks/gen_certs_script.yml

@@ -73,6 +73,8 @@
                        'kube-scheduler-key.pem',
                        'kube-controller-manager.pem',
                        'kube-controller-manager-key.pem',
+                       'aggregator-proxy-client.pem',
+                       'aggregator-proxy-client-key.pem',
                        {% for node in groups['kube-master'] %}
                        'admin-{{ node }}.pem',
                        'admin-{{ node }}-key.pem',

roles/kubernetes/secrets/tasks/sync_kube_master_certs.yml

@@ -32,7 +32,7 @@
     sync_file_hosts: "{{ groups['kube-master'] }}"
     sync_file_is_cert: true
     sync_file_owner: kube
-  with_items: ["apiserver.pem", "kube-scheduler.pem", "kube-controller-manager.pem"]
+  with_items: ["apiserver.pem", "kube-scheduler.pem", "kube-controller-manager.pem", "aggregator-proxy-client.pem"]
 
 - name: sync_kube_master_certs | Set facts for kube master components sync_file results
   set_fact: