Merge pull request #7681 from jboyd01/secure-controller-port

service catalog: create service and ssl certs for controller manager

roles/openshift_prometheus/templates/prometheus.yml.j2

@@ -241,6 +241,24 @@ scrape_configs:
     action: keep
     regex: apiserver;https
 
+# Scrape config for Service Catalog controllers
+- job_name: 'catalog-controllers'
+  scheme: https
+  tls_config:
+    server_name: 'controller-manager.kube-service-catalog'
+    ca_file: /var/run/secrets/kubernetes.io/serviceaccount/service-ca.crt
+  bearer_token_file: /var/run/secrets/kubernetes.io/serviceaccount/token
+
+  kubernetes_sd_configs:
+  - role: endpoints
+    namespaces:
+      names:
+      - kube-service-catalog
+
+  relabel_configs:
+  - source_labels: [__meta_kubernetes_service_name]
+    action: keep
+    regex: controller-manager
 
 alerting:
   alertmanagers:

roles/openshift_service_catalog/tasks/generate_certs.yml

@@ -26,7 +26,17 @@
     path: "{{ generated_certs_dir }}/apiserver.key"
     state: absent
 
-- name: Generating server keys
+- name: Delete old controllermanager.crt
+  file:
+    path: "{{ generated_certs_dir }}/controllermanager.crt"
+    state: absent
+
+- name: Delete old controllermanager.key
+  file:
+    path: "{{ generated_certs_dir }}/controllermanager.key"
+    state: absent
+
+- name: Generating API Server keys
   oc_adm_ca_server_cert:
     cert: "{{ generated_certs_dir }}/apiserver.crt"
     key: "{{ generated_certs_dir }}/apiserver.key"
@@ -35,6 +45,15 @@
     signer_key: "{{ generated_certs_dir }}/ca.key"
     signer_serial: "{{ generated_certs_dir }}/apiserver.serial.txt"
 
+- name: Generating Controller Manager keys
+  oc_adm_ca_server_cert:
+    cert: "{{ generated_certs_dir }}/controllermanager.crt"
+    key: "{{ generated_certs_dir }}/controllermanager.key"
+    hostnames: "controller-manager.kube-service-catalog.svc,controller-manager.kube-service-catalog.svc.cluster.local,controller-manager.kube-service-catalog"
+    signer_cert: "{{ generated_certs_dir }}/ca.crt"
+    signer_key: "{{ generated_certs_dir }}/ca.key"
+    signer_serial: "{{ generated_certs_dir }}/apiserver.serial.txt"
+
 - name: Create apiserver-ssl secret
   oc_secret:
     state: present
@@ -46,14 +65,16 @@
     - name: tls.key
       path: "{{ generated_certs_dir }}/apiserver.key"
 
-- name: Create service-catalog-ssl secret
+- name: Create controllermanager-ssl secret
   oc_secret:
     state: present
-    name: service-catalog-ssl
+    name: controllermanager-ssl
     namespace: kube-service-catalog
     files:
     - name: tls.crt
-      path: "{{ generated_certs_dir }}/apiserver.crt"
+      path: "{{ generated_certs_dir }}/controllermanager.crt"
+    - name: tls.key
+      path: "{{ generated_certs_dir }}/controllermanager.key"
 
 - slurp:
     src: "{{ generated_certs_dir }}/ca.crt"

roles/openshift_service_catalog/tasks/install.yml

@@ -182,6 +182,21 @@
     - "{{ mktemp.stdout }}/controller_manager.yml"
     delete_after: yes
 
+- name: Set Controller Manager service
+  oc_service:
+    name: controller-manager
+    namespace: kube-service-catalog
+    state: present
+    ports:
+    - name: secure
+      port: 443
+      protocol: TCP
+      targetPort: 6443
+    selector:
+      app: controller-manager
+    session_affinity: None
+    service_type: ClusterIP
+
 - name: Delete temp directory
   file:
     name: "{{ mktemp.stdout }}"

roles/openshift_service_catalog/templates/api_server.j2

@@ -40,7 +40,7 @@ spec:
         - --etcd-keyfile
         - /etc/origin/master/master.etcd-client.key
         - -v
-        - "10"
+        - "3"
         - --cors-allowed-origins
         - {{ cors_allowed_origin }}
         - --admission-control

roles/openshift_service_catalog/templates/controller_manager.j2

@@ -30,10 +30,10 @@ spec:
               fieldPath: metadata.namespace
         args:
         - controller-manager
-        - --port
-        - "8080"
+        - --secure-port
+        - "6443"
         - -v
-        - "5"
+        - "3"
         - --leader-election-namespace
         - kube-service-catalog
         - --broker-relist-interval
@@ -49,7 +49,7 @@ spec:
         imagePullPolicy: IfNotPresent
         name: controller-manager
         ports:
-        - containerPort: 8080
+        - containerPort: 6443
           protocol: TCP
         resources: {}
         terminationMessagePath: /dev/termination-log
@@ -68,4 +68,6 @@ spec:
           items:
           - key: tls.crt
             path: apiserver.crt
-          secretName: apiserver-ssl
+          - key: tls.key
+            path: apiserver.key
+          secretName: controllermanager-ssl