Support https for kubernetes-dashboard #1947
Conversation
@@ -62,18 +62,20 @@ spec: | |||
spec: | |||
containers: | |||
- args: | |||
- --auto-generate-certificates |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
note: this option only available in 1.8.0+ Dashboard image
pkg/acsengine/k8s_versions.go
Outdated
common.KubernetesVersion1Dot6Dot6: true, | ||
} | ||
|
||
func kubernetesDashboardUsesHTTP(version string) bool { |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Shouldn't this be based on the dashboard spec instead of the Kubernetes version? The kubernetes versions will support the new dashboard, right?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
(Changes here will be updated since #1946 introduces new approach for locating addons manifest.)
Yes, actually it should be decided by dashboard image version.
One thing to note is in kubernetes/kubernetes#53046, it changes default redirect of kubectl proxy
'/ui' to use https. And this change now applies for v1.9.0+ .
That means if we're using v1.8 k8s with dashboard configured to HTTPS. Navigating to '/ui' would still redirect to the HTTP dashboard, which is not available. This break existing user experience who is using '/ui' for redirecting.
Thus I'd propose enabling it for v1.9 only. See also below versioning test comment.
One quick comment. I'd like to see us deploy the new dashboard even for older 1.7/1.8 clusters assuming that works... |
A detailed support versioning matrix could be found here: https://github.com/kubernetes/dashboard/wiki/Compatibility-matrix It mentions that 1.8 dashboard will only fully support 1.8+ cluster. I've tested with acs-engine generate cluster of following versions to use the 1.8 dashboard with HTTPS: v1.6.13
v1.8.4
v1.9.0
|
18093fa
to
b880749
Compare
@karataliu could you kindly rebase from master? We just merged in v1.9.0 support, so getting that change in your branch should make it easier to test the effects of this change in 1.9 |
b880749
to
9e2a397
Compare
@jackfrancis sure. done rebasing. |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
lgtm
I'm going to merge this as-is so we can get some bake time. @karataliu do you want submit a follow-up PR w/ this change for older k8s versions? @brendanburns FYI |
I would propose enabling https dashboard for 1.9+ only, see comment #1947 (comment) What do you think? |
What this PR does / why we need it:
For kubernetes v1.9, default dashboard was turn on with https: kubernetes/kubernetes#53046
Thus default dashboard location will turn to:
http://localhost:8001/api/v1/namespaces/kube-system/services/https:kubernetes-dashboard:/proxy/
This will fail with
tls: oversized record received with length 20527
if dashboard does not use httpsWhich issue this PR fixes
Related:
Special notes for your reviewer:
The old
kubernetesmasteraddons-kubernetes-dashboard-deployment.yaml
was copied tokubernetesmasteraddons-kubernetes-dashboard-http-deployment.yaml
.https related changes were applied to
kubernetesmasteraddons-kubernetes-dashboard-http-deployment.yaml
directly.Release note:
Support https kubernetes dashboard