authorChristian Pointner <equinox@spreadspace.org>2024-04-20 15:29:08 +0200
committerChristian Pointner <equinox@spreadspace.org>2024-04-20 15:29:08 +0200
commit0c587ebf966307446b3e7a9094cd6c44bbca89e2 (patch)
treeeee43ea586441ae00508d054bcae369b3e3c57b4
parentkubernetes: upgrade images for node-local-dns-cache (diff)
ch-apps: upgrade to kubernetes 1.30 and improve certificate handling for standalone kubelet
-rw-r--r--inventory/host_vars/ch-apps/vars.yml2
-rw-r--r--roles/kubernetes/standalone/base/tasks/tls.yml4
-rw-r--r--roles/monitoring/prometheus/exporter/standalone-kubelet/tasks/main.yml6
3 files changed, 10 insertions, 2 deletions
diff --git a/inventory/host_vars/ch-apps/vars.yml b/inventory/host_vars/ch-apps/vars.yml
index 1b30239a..2dc0877b 100644
--- a/inventory/host_vars/ch-apps/vars.yml
+++ b/inventory/host_vars/ch-apps/vars.yml
@@ -127,7 +127,7 @@ kubelet_storage:
quota: 10G
'syncoid:sync': 'false'
-kubernetes_version: 1.29.2
+kubernetes_version: 1.30.0
kubernetes_container_runtime: docker
kubernetes_standalone_max_pods: 42
kubernetes_standalone_cni_variant: with-portmap
diff --git a/roles/kubernetes/standalone/base/tasks/tls.yml b/roles/kubernetes/standalone/base/tasks/tls.yml
index 39952267..5603f8ec 100644
--- a/roles/kubernetes/standalone/base/tasks/tls.yml
+++ b/roles/kubernetes/standalone/base/tasks/tls.yml
@@ -68,7 +68,9 @@
openssl_csr:
path: /etc/ssl/standalone-kubelet/server/csr.pem
privatekey_path: /etc/ssl/standalone-kubelet/server/key.pem
- CN: "{{ inventory_hostname }}"
+ CN: "{{ kubernetes_standalone_address | default('127.0.0.1') }}"
+ subject_alt_name:
+ - "IP:{{ kubernetes_standalone_address | default('127.0.0.1') }}"
key_usage:
- digitalSignature
key_usage_critical: yes
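Review bot: The new `subject_alt_name` entry hard-wires the `IP:` SAN type, so the CSR is only valid while `kubernetes_standalone_address` holds an IP literal; if that variable is ever set to a DNS name the certificate will carry an `IP:` SAN that does not match and peer verification against it will fail. Nothing in the hunk records that constraint, so I would add a comment above the `CN:` line, e.g. `# CN/SAN must match the address nginx uses in proxy_pass (verified with proxy_ssl_verify on); must be an IP literal` — alternatively the SAN prefix could be chosen from the variable's form, though I cannot tell from here which filters are available to the role. The enclosing task (`- name:` / `openssl_csr:`) begins before line 68, so it is also worth confirming in that task that a changed CSR actually triggers re-issuing the server certificate rather than leaving the old CN-only cert on disk.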
diff --git a/roles/monitoring/prometheus/exporter/standalone-kubelet/tasks/main.yml b/roles/monitoring/prometheus/exporter/standalone-kubelet/tasks/main.yml
index ffeb974f..3335769a 100644
--- a/roles/monitoring/prometheus/exporter/standalone-kubelet/tasks/main.yml
+++ b/roles/monitoring/prometheus/exporter/standalone-kubelet/tasks/main.yml
@@ -4,16 +4,22 @@
content: |
location = /standalone-kubelet {
proxy_pass https://{{ kubernetes_standalone_address | default('127.0.0.1') }}:{{ kubernetes_standalone_port | default(10250) }}/metrics;
+ proxy_ssl_verify on;
+ proxy_ssl_trusted_certificate /etc/ssl/standalone-kubelet/ca-crt.pem;
proxy_ssl_certificate /etc/ssl/standalone-kubelet/client/crt.pem;
proxy_ssl_certificate_key /etc/ssl/standalone-kubelet/client/key.pem;
}
location = /standalone-kubelet/resource {
proxy_pass https://{{ kubernetes_standalone_address | default('127.0.0.1') }}:{{ kubernetes_standalone_port | default(10250) }}/metrics/resource;
+ proxy_ssl_verify on;
+ proxy_ssl_trusted_certificate /etc/ssl/standalone-kubelet/ca-crt.pem;
proxy_ssl_certificate /etc/ssl/standalone-kubelet/client/crt.pem;
proxy_ssl_certificate_key /etc/ssl/standalone-kubelet/client/key.pem;
}
location = /standalone-kubelet/probes {
proxy_pass https://{{ kubernetes_standalone_address | default('127.0.0.1') }}:{{ kubernetes_standalone_port | default(10250) }}/metrics/probes;
+ proxy_ssl_verify on;
+ proxy_ssl_trusted_certificate /etc/ssl/standalone-kubelet/ca-crt.pem;
proxy_ssl_certificate /etc/ssl/standalone-kubelet/client/crt.pem;
proxy_ssl_certificate_key /etc/ssl/standalone-kubelet/client/key.pem;
}
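Review bot: `proxy_ssl_verify on` makes nginx check the upstream certificate against the host part of `proxy_pass`, which is the IP literal from `kubernetes_standalone_address`; that only holds because the same commit adds an `IP:` SAN to the kubelet server cert, and the coupling is not recorded anywhere in this snippet. I would add a comment before the first `location` block, `# upstream cert is verified against the IP in proxy_pass; keep in sync with roles/kubernetes/standalone/base/tasks/tls.yml`, so the two files are not changed independently. The four `proxy_ssl_*` directives are now repeated verbatim in all three locations; they are valid at `server` level and could be set once if the include site of this `content:` allows it, which I cannot see from the hunk. The block is a Jinja-templated nginx snippet inside a task whose header lies above line 4, so I could not confirm that `/etc/ssl/standalone-kubelet/ca-crt.pem` is provisioned on the host running this exporter.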