salt: Generate custom kubeconfig for Salt Master

Instead of using the `/etc/kubernetes/admin.conf` file which points to a
specific master's `kube-apiserver` instance, we generate another one
dedicated to Salt Master, and configure it to point to the local
`apiserver-proxy` (which can then route to other masters if the local
one isn't available).

In addition, this kubeconfig generates its own certificate, which could
later map to another group (and thus, other (Cluster)Role(s) than the
current "system:masters").

Note that we remove the unneeded `/etc/kubernetes` mount in both Salt
Master and Salt API containers (SaltAPI didn't need it since 41ba749).

Fixes: #2533

salt/metalk8s/salt/master/configured.sls

@@ -13,7 +13,7 @@ Configure salt master:
     - template: jinja
     - defaults:
         salt_ip: "{{ salt_ip }}"
-        kubeconfig: "/etc/kubernetes/admin.conf"
+        kubeconfig: "/etc/salt/master-kubeconfig.conf"
 
 Configure salt master roots paths:
   file.serialize:

salt/metalk8s/salt/master/files/salt-master-manifest.yaml.j2

@@ -76,9 +76,6 @@ spec:
         - name: metalk8s-config
           mountPath: '/etc/metalk8s'
           readOnly: true
-        - name: kubernetes-config
-          mountPath: '/etc/kubernetes'
-          readOnly: true
     - name: salt-api
       image: {{ image }}
       command: ['salt-api']
@@ -105,9 +102,6 @@ spec:
           readOnly: true
         - name: run
           mountPath: '/var/run/salt'
-        - name: kubernetes-config
-          mountPath: '/etc/kubernetes'
-          readOnly: true
   volumes:
     - name: config
       hostPath:
@@ -141,7 +135,3 @@ spec:
       hostPath:
         path: '/etc/metalk8s'
         type: Directory
-    - name: kubernetes-config
-      hostPath:
-        path: '/etc/kubernetes'
-        type: Directory

salt/metalk8s/salt/master/init.sls

@@ -1,4 +1,5 @@
 include:
   - .certs.salt-api
+  - .kubeconfig
   - .configured
   - .installed

salt/metalk8s/salt/master/installed.sls

@@ -17,6 +17,7 @@
 {%- endfor %}
 
 include:
+  - .kubeconfig
   - .configured
 
 Create salt master directories:
@@ -35,6 +36,7 @@ Install and start salt master manifest:
     - name: /etc/kubernetes/manifests/salt-master.yaml
     - source: salt://metalk8s/salt/master/files/salt-master-manifest.yaml.j2
     - config_files:
+      - /etc/salt/master-kubeconfig.conf
       - /etc/salt/master.d/99-metalk8s.conf
       - /etc/salt/master.d/99-metalk8s-roots.conf
     - context:
@@ -45,6 +47,7 @@ Install and start salt master manifest:
         salt_ip: "{{ salt_ip }}"
     - require:
       - file: Create salt master directories
+      - metalk8s_kubeconfig: Create kubeconfig file for Salt Master
       - file: /etc/salt/master.d/99-metalk8s.conf
       - file: /etc/salt/master.d/99-metalk8s-roots.conf
 

salt/metalk8s/salt/master/kubeconfig.sls

@@ -0,0 +1,18 @@
+{%- from "metalk8s/map.jinja" import kube_api with context %}
+{%- from "metalk8s/map.jinja" import kubernetes with context %}
+
+include:
+  - metalk8s.internal.m2crypto
+
+Create kubeconfig file for Salt Master:
+  metalk8s_kubeconfig.managed:
+    - name: /etc/salt/master-kubeconfig.conf
+    - ca_server: {{ pillar['metalk8s']['ca']['minion'] }}
+    - signing_policy: {{ kube_api.cert.client_signing_policy }}
+    - client_cert_info:
+        CN: "salt-master-{{ grains.id }}"
+        O: "system:masters"
+    - apiserver: "https://127.0.0.1:7443"
+    - cluster: {{ kubernetes.cluster }}
+    - require:
+      - metalk8s_package_manager: Install m2crypto