authorChristian Pointner <equinox@spreadspace.org>2024-04-20 15:29:08 +0200
committerChristian Pointner <equinox@spreadspace.org>2024-04-20 15:29:08 +0200
commit0c587ebf966307446b3e7a9094cd6c44bbca89e2 (patch)
treeeee43ea586441ae00508d054bcae369b3e3c57b4 /roles
parentkubernetes: upgrade images for node-local-dns-cache (diff)
ch-apps: upgrade to kubernetes 1.30 and improve certificate handling for standalone kubelet
Diffstat (limited to 'roles')
-rw-r--r--roles/kubernetes/standalone/base/tasks/tls.yml4
-rw-r--r--roles/monitoring/prometheus/exporter/standalone-kubelet/tasks/main.yml6
2 files changed, 9 insertions, 1 deletions
diff --git a/roles/kubernetes/standalone/base/tasks/tls.yml b/roles/kubernetes/standalone/base/tasks/tls.yml
index 39952267..5603f8ec 100644
--- a/roles/kubernetes/standalone/base/tasks/tls.yml
+++ b/roles/kubernetes/standalone/base/tasks/tls.yml
@@ -68,7 +68,9 @@
openssl_csr:
path: /etc/ssl/standalone-kubelet/server/csr.pem
privatekey_path: /etc/ssl/standalone-kubelet/server/key.pem
- CN: "{{ inventory_hostname }}"
+ CN: "{{ kubernetes_standalone_address | default('127.0.0.1') }}"
+ subject_alt_name:
+ - "IP:{{ kubernetes_standalone_address | default('127.0.0.1') }}"
key_usage:
- digitalSignature
key_usage_critical: yes
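Review bot: The new `subject_alt_name` entry hard-codes the `IP:` prefix, so it is only valid while `kubernetes_standalone_address` is an IP literal; a DNS name there would produce an invalid SAN or a module error and, with the exporter now verifying the kubelet certificate, would break scraping. The address expression with its `default('127.0.0.1')` is written twice here and again in each `proxy_pass` line of the exporter role; a single role default for `kubernetes_standalone_address` would keep CN, SAN and the proxied address in step. At minimum add a comment above `CN:` such as `# must be an IP literal: the metrics proxy verifies the kubelet cert against this address`. The task starts above the hunk and continues below it, so whether a changed CSR forces the certificate to be re-signed is not visible here.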
diff --git a/roles/monitoring/prometheus/exporter/standalone-kubelet/tasks/main.yml b/roles/monitoring/prometheus/exporter/standalone-kubelet/tasks/main.yml
index ffeb974f..3335769a 100644
--- a/roles/monitoring/prometheus/exporter/standalone-kubelet/tasks/main.yml
+++ b/roles/monitoring/prometheus/exporter/standalone-kubelet/tasks/main.yml
@@ -4,16 +4,22 @@
content: |
location = /standalone-kubelet {
proxy_pass https://{{ kubernetes_standalone_address | default('127.0.0.1') }}:{{ kubernetes_standalone_port | default(10250) }}/metrics;
+ proxy_ssl_verify on;
+ proxy_ssl_trusted_certificate /etc/ssl/standalone-kubelet/ca-crt.pem;
proxy_ssl_certificate /etc/ssl/standalone-kubelet/client/crt.pem;
proxy_ssl_certificate_key /etc/ssl/standalone-kubelet/client/key.pem;
}
location = /standalone-kubelet/resource {
proxy_pass https://{{ kubernetes_standalone_address | default('127.0.0.1') }}:{{ kubernetes_standalone_port | default(10250) }}/metrics/resource;
+ proxy_ssl_verify on;
+ proxy_ssl_trusted_certificate /etc/ssl/standalone-kubelet/ca-crt.pem;
proxy_ssl_certificate /etc/ssl/standalone-kubelet/client/crt.pem;
proxy_ssl_certificate_key /etc/ssl/standalone-kubelet/client/key.pem;
}
location = /standalone-kubelet/probes {
proxy_pass https://{{ kubernetes_standalone_address | default('127.0.0.1') }}:{{ kubernetes_standalone_port | default(10250) }}/metrics/probes;
+ proxy_ssl_verify on;
+ proxy_ssl_trusted_certificate /etc/ssl/standalone-kubelet/ca-crt.pem;
proxy_ssl_certificate /etc/ssl/standalone-kubelet/client/crt.pem;
proxy_ssl_certificate_key /etc/ssl/standalone-kubelet/client/key.pem;
}
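Review bot: The two added directives are repeated verbatim in all three `location` blocks, next to the already-repeated client certificate pair, so a later change to the CA path has to be made in three places; if this snippet is included in a server block that proxies nowhere else, the `proxy_ssl_*` lines could be set once at that level instead. With `proxy_ssl_verify on`, nginx compares the upstream certificate with `proxy_ssl_name`, which defaults to the host part of `proxy_pass`, so kubelets still holding a certificate issued for the old CN will be refused until it is re-issued; whether the role forces that is not visible in this diff. A comment in the snippet such as `# upstream cert must be issued for kubernetes_standalone_address by this CA` would record the coupling. The task around `content:` starts outside the hunk.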