Ensure insecure API endpoint is disabled for 1.11+

Signed-off-by: Christian Simon <[email protected]>

puppet/modules/kubernetes/manifests/apiserver.pp

@@ -108,11 +108,14 @@
     $_oidc_signing_algs = []
   }
 
-  # Do not set insecure_port variable of the API server on kubernetes 1.11+
+  # Do not set etcd_qorum_read
   if !$post_1_11 {
-    $insecure_port = $::kubernetes::_apiserver_insecure_port
     $etcd_quorum_read = true
   }
+
+  # insecure_port variable of the API server (needs to be set to 0 at least up to 1.13)
+  $insecure_port = $::kubernetes::_apiserver_insecure_port
+
   $secure_port = $::kubernetes::apiserver_secure_port
 
   # Default to etcd3 for versions bigger than 1.5

puppet/modules/kubernetes/spec/classes/apiserver_spec.rb

@@ -245,14 +245,14 @@
           it {should contain_file(service_file).with_content(/#{Regexp.escape('--insecure-port=')}/)}
         end
 
-        context 'should not exist after 1.11' do
+        context 'should exist after 1.11' do
           let(:pre_condition) {[
             """
             class{'kubernetes': version => '1.11.0'}
               """
           ]}
 
-          it {should_not contain_file(service_file).with_content(/#{Regexp.escape('--insecure-port=')}/)}
+          it {should contain_file(service_file).with_content(/#{Regexp.escape('--insecure-port=0')}/)}
         end
       end