Change kube-apiserver port from 443 to 6443

* Adjust firewall rules, security groups, cloud load balancers,
and generated kubeconfig's
* Facilitates some future simplifications and cost reductions
* Bare-Metal users who exposed kube-apiserver on a WAN via their
router or load balancer will need to adjust its configuration.
This is uncommon, most apiserver are on LAN and/or behind VPN
so no routing infrastructure is configured with the port number
This commit is contained in:
Dalton Hubble
2018-06-18 21:57:58 -07:00
parent 6e64634748
commit 6c5a1964aa
15 changed files with 47 additions and 19 deletions

View File

@ -28,7 +28,7 @@ resource "aws_lb" "apiserver" {
resource "aws_lb_listener" "apiserver-https" {
load_balancer_arn = "${aws_lb.apiserver.arn}"
protocol = "TCP"
port = "443"
port = "6443"
default_action {
type = "forward"
@ -43,12 +43,12 @@ resource "aws_lb_target_group" "controllers" {
target_type = "instance"
protocol = "TCP"
port = 443
port = 6443
# TCP health check for apiserver
health_check {
protocol = "TCP"
port = 443
port = 6443
# NLBs required to use same healthy and unhealthy thresholds
healthy_threshold = 3
@ -65,5 +65,5 @@ resource "aws_lb_target_group_attachment" "controllers" {
target_group_arn = "${aws_lb_target_group.controllers.arn}"
target_id = "${element(aws_instance.controllers.*.id, count.index)}"
port = 443
port = 6443
}

View File

@ -1,6 +1,6 @@
# Self-hosted Kubernetes assets (kubeconfig, manifests)
module "bootkube" {
source = "git::https://github.com/poseidon/terraform-render-bootkube.git?ref=0e98e89e14a074768db13c4e050ed0c13319a0c1"
source = "git::https://github.com/poseidon/terraform-render-bootkube.git?ref=2bcf61b2b5f6268fcf99e6b803165b08fd0b73c0"
cluster_name = "${var.cluster_name}"
api_servers = ["${format("%s.%s", var.cluster_name, var.dns_zone)}"]

View File

@ -36,8 +36,8 @@ resource "aws_security_group_rule" "controller-apiserver" {
type = "ingress"
protocol = "tcp"
from_port = 443
to_port = 443
from_port = 6443
to_port = 6443
cidr_blocks = ["0.0.0.0/0"]
}