Generate external admin.conf with kubeadm (#4056)

* Generate external admin.conf with kubeadm

* Fix apiserver sans

roles/kubernetes/client/tasks/main.yml

@@ -1,11 +1,17 @@
 ---
 - name: Set external kube-apiserver endpoint
   set_fact:
-    external_apiserver_endpoint: >-
+    external_apiserver_address: >-
       {%- if loadbalancer_apiserver is defined and loadbalancer_apiserver.port is defined -%}
-      https://{{ apiserver_loadbalancer_domain_name }}:{{ loadbalancer_apiserver.port|default(kube_apiserver_port) }}
+      {{ apiserver_loadbalancer_domain_name }}
       {%- else -%}
-      https://{{ kube_apiserver_access_address }}:{{ kube_apiserver_port }}
+      {{ kube_apiserver_access_address }}
+      {%- endif -%}
+    external_apiserver_port: >-
+      {%- if loadbalancer_apiserver is defined and loadbalancer_apiserver.port is defined -%}
+      {{ loadbalancer_apiserver.port|default(kube_apiserver_port) }}
+      {%- else -%}
+      {{ kube_apiserver_port }}
       {%- endif -%}
   tags:
     - facts
@@ -24,12 +30,28 @@
     mode: "0600"
     backup: yes
 
-- name: Copy admin kubeconfig to ansible host
+- name: Generate admin kubeconfig with external api endpoint
-  fetch:
+  shell: >-
-    src: "{{ kube_config_dir }}/admin.conf"
+    {{ bin_dir }}/kubeadm alpha
+    {% if kubeadm_version is version('v1.13.0', '<') %}
+    phase
+    {% endif %}
+    kubeconfig user
+    --client-name kubernetes-admin
+    --org system:masters
+    --cert-dir {{ kube_config_dir }}/ssl
+    --apiserver-advertise-address {{ external_apiserver_address }}
+    --apiserver-bind-port {{ external_apiserver_port }}
+  run_once: yes
+  register: admin_kubeconfig
+
+- name: Write admin kubeconfig on ansible host
+  copy:
+    content: "{{ admin_kubeconfig.stdout }}"
     dest: "{{ artifacts_dir }}/admin.conf"
-    flat: yes
+    mode: 0640
-    validate_checksum: no
+  delegate_to: localhost
+  become: no
   run_once: yes
   when: kubeconfig_localhost|default(false)
 

roles/kubernetes/client/templates/admin.conf.j2

@@ -1,19 +0,0 @@
-apiVersion: v1
-kind: Config
-current-context: admin-{{ cluster_name }}
-preferences: {}
-clusters:
-- cluster:
-    certificate-authority-data: {{ admin_certs.results[0]['content'] }}
-    server: {{ external_apiserver_endpoint }}
-  name: {{ cluster_name }}
-contexts:
-- context:
-    cluster: {{ cluster_name }}
-    user: admin-{{ cluster_name }}
-  name: admin-{{ cluster_name }}
-users:
-- name: admin-{{ cluster_name }}
-  user:
-    client-certificate-data: {{ admin_certs.results[1]['content'] }}
-    client-key-data: {{ admin_certs.results[2]['content'] }}

roles/kubernetes/master/tasks/kubeadm-setup.yml

@@ -56,11 +56,11 @@
       {{ ' '.join(groups['kube-master']) }}
       {%- if loadbalancer_apiserver is defined %}
       {{ apiserver_loadbalancer_domain_name }}
-      {%- endif %}
+      {% endif %}
       {% for host in groups['kube-master'] -%}
       {%- if hostvars[host]['access_ip'] is defined -%}
       {{ hostvars[host]['access_ip'] }}
-      {%- endif %}
+      {% endif %}
       {{ hostvars[host]['ip'] | default(hostvars[host]['ansible_default_ipv4']['address']) }}
       {%- endfor %}
       {%- if supplementary_addresses_in_ssl_keys is defined -%}