Merge pull request #1363 from abhinavdahiya/etcd-ca

BUG 1684206: *: store etcd CA and client certs in cluster

data/data/manifests/bootkube/kube-system-configmap-etcd-ca-bundle.yaml.template

@@ -0,0 +1,8 @@
+apiVersion: v1
+kind: ConfigMap
+metadata:
+ name: etcd-ca-bundle
+ namespace: kube-system
+data:
+ ca-bundle.crt: |
+ {{.EtcdCaBundle | indent 4}}

data/data/manifests/bootkube/kube-system-secret-etcd-client-ca-deprecated.yaml.template

@@ -0,0 +1,9 @@
+apiVersion: v1
+kind: Secret
+metadata:
+ name: etcd-client-ca-deprecated
+ namespace: kube-system
+type: SecretTypeTLS
+data:
+ tls.crt: {{ .EtcdClientCaCert }}
+ tls.key: {{ .EtcdClientCaKey }}

data/data/manifests/bootkube/kube-system-secret-etcd-signer-client.yaml.template

@@ -0,0 +1,9 @@
+apiVersion: v1
+kind: Secret
+metadata:
+ name: etcd-signer-client
+ namespace: kube-system
+type: SecretTypeTLS
+data:
+ tls.crt: {{ .EtcdSignerClientCert }}
+ tls.key: {{ .EtcdSignerClientKey }}

data/data/manifests/bootkube/kube-system-secret-etcd-signer.yaml.template

@@ -0,0 +1,9 @@
+apiVersion: v1
+kind: Secret
+metadata:
+ name: etcd-signer
+ namespace: kube-system
+type: SecretTypeTLS
+data:
+ tls.crt: {{ .EtcdSignerCert }}
+ tls.key: {{ .EtcdSignerKey }}

pkg/asset/manifests/operators.go

@@ -60,25 +60,31 @@ func (m *Manifests) Dependencies() []asset.Asset {
  &Networking{},
  &tls.RootCA{},
  &tls.EtcdCA{},
+ &tls.EtcdSignerCertKey{},
+ &tls.EtcdCABundle{},
+ &tls.EtcdSignerClientCertKey{},
  &tls.EtcdClientCertKey{},
  &tls.EtcdMetricsCABundle{},
  &tls.EtcdMetricsSignerClientCertKey{},
  &tls.MCSCertKey{},
 
- &bootkube.KubeCloudConfig{},
- &bootkube.MachineConfigServerTLSSecret{},
- &bootkube.Pull{},
  &bootkube.CVOOverrides{},
+ &bootkube.EtcdServiceKubeSystem{},
  &bootkube.HostEtcdServiceEndpointsKubeSystem{},
+ &bootkube.HostEtcdServiceKubeSystem{},
+ &bootkube.KubeCloudConfig{},
+ &bootkube.KubeSystemConfigmapEtcdCA{},
  &bootkube.KubeSystemConfigmapEtcdServingCA{},
  &bootkube.KubeSystemConfigmapRootCA{},
  &bootkube.KubeSystemSecretEtcdClient{},
- &bootkube.OpenshiftConfigSecretEtcdMetricsClient{},
+ &bootkube.KubeSystemSecretEtcdClientCADeprecated{},
+ &bootkube.KubeSystemSecretEtcdSigner{},
+ &bootkube.KubeSystemSecretEtcdSignerClient{},
+ &bootkube.MachineConfigServerTLSSecret{},
  &bootkube.OpenshiftConfigConfigmapEtcdMetricsServingCA{},
-
+ &bootkube.OpenshiftConfigSecretEtcdMetricsClient{},
  &bootkube.OpenshiftMachineConfigOperator{},
- &bootkube.EtcdServiceKubeSystem{},
- &bootkube.HostEtcdServiceKubeSystem{},
+ &bootkube.Pull{},
  }
 }
 
@@ -132,10 +138,16 @@ func (m *Manifests) generateBootKubeManifests(dependencies asset.Parents) []*ass
  etcdMetricsCABundle := &tls.EtcdMetricsCABundle{}
  etcdMetricsSignerClientCertKey := &tls.EtcdMetricsSignerClientCertKey{}
  rootCA := &tls.RootCA{}
+ etcdSignerCertKey := &tls.EtcdSignerCertKey{}
+ etcdCABundle := &tls.EtcdCABundle{}
+ etcdSignerClientCertKey := &tls.EtcdSignerClientCertKey{}
  dependencies.Get(
  clusterID,
  installConfig,
  etcdCA,
+ etcdSignerCertKey,
+ etcdCABundle,
+ etcdSignerClientCertKey,
  etcdClientCertKey,
  etcdMetricsCABundle,
  etcdMetricsSignerClientCertKey,
@@ -150,75 +162,56 @@ func (m *Manifests) generateBootKubeManifests(dependencies asset.Parents) []*ass
 
  templateData := &bootkubeTemplateData{
  Base64encodeCloudProviderConfig: "", // FIXME
+ CVOClusterID: clusterID.UUID,
+ EtcdCaBundle: base64.StdEncoding.EncodeToString(etcdCABundle.Cert()),
  EtcdCaCert: string(etcdCA.Cert()),
+ EtcdClientCaCert: base64.StdEncoding.EncodeToString(etcdCA.Cert()),
+ EtcdClientCaKey: base64.StdEncoding.EncodeToString(etcdCA.Key()),
  EtcdClientCert: base64.StdEncoding.EncodeToString(etcdClientCertKey.Cert()),
  EtcdClientKey: base64.StdEncoding.EncodeToString(etcdClientCertKey.Key()),
+ EtcdEndpointDNSSuffix: installConfig.Config.ClusterDomain(),
+ EtcdEndpointHostnames: etcdEndpointHostnames,
  EtcdMetricsCaCert: string(etcdMetricsCABundle.Cert()),
  EtcdMetricsClientCert: base64.StdEncoding.EncodeToString(etcdMetricsSignerClientCertKey.Cert()),
  EtcdMetricsClientKey: base64.StdEncoding.EncodeToString(etcdMetricsSignerClientCertKey.Key()),
+ EtcdSignerCert: base64.StdEncoding.EncodeToString(etcdSignerCertKey.Cert()),
+ EtcdSignerClientCert: base64.StdEncoding.EncodeToString(etcdSignerClientCertKey.Cert()),
+ EtcdSignerClientKey: base64.StdEncoding.EncodeToString(etcdSignerClientCertKey.Key()),
+ EtcdSignerKey: base64.StdEncoding.EncodeToString(etcdSignerCertKey.Key()),
  McsTLSCert: base64.StdEncoding.EncodeToString(mcsCertKey.Cert()),
  McsTLSKey: base64.StdEncoding.EncodeToString(mcsCertKey.Key()),
  PullSecretBase64: base64.StdEncoding.EncodeToString([]byte(installConfig.Config.PullSecret)),
  RootCaCert: string(rootCA.Cert()),
- CVOClusterID: clusterID.UUID,
- EtcdEndpointHostnames: etcdEndpointHostnames,
- EtcdEndpointDNSSuffix: installConfig.Config.ClusterDomain(),
  }
 
- kubeCloudConfig := &bootkube.KubeCloudConfig{}
- machineConfigServerTLSSecret := &bootkube.MachineConfigServerTLSSecret{}
- pull := &bootkube.Pull{}
- cVOOverrides := &bootkube.CVOOverrides{}
- hostEtcdServiceEndpointsKubeSystem := &bootkube.HostEtcdServiceEndpointsKubeSystem{}
- kubeSystemConfigmapEtcdServingCA := &bootkube.KubeSystemConfigmapEtcdServingCA{}
- kubeSystemConfigmapRootCA := &bootkube.KubeSystemConfigmapRootCA{}
- kubeSystemSecretEtcdClient := &bootkube.KubeSystemSecretEtcdClient{}
- openshiftConfigSecretEtcdMetricsClient := &bootkube.OpenshiftConfigSecretEtcdMetricsClient{}
- openshiftConfigConfigmapEtcdMetricsServingCA := &bootkube.OpenshiftConfigConfigmapEtcdMetricsServingCA{}
-
- openshiftMachineConfigOperator := &bootkube.OpenshiftMachineConfigOperator{}
- etcdServiceKubeSystem := &bootkube.EtcdServiceKubeSystem{}
- hostEtcdServiceKubeSystem := &bootkube.HostEtcdServiceKubeSystem{}
- dependencies.Get(
- kubeCloudConfig,
- machineConfigServerTLSSecret,
- pull,
- cVOOverrides,
- hostEtcdServiceEndpointsKubeSystem,
- kubeSystemConfigmapEtcdServingCA,
- kubeSystemConfigmapRootCA,
- kubeSystemSecretEtcdClient,
- openshiftConfigSecretEtcdMetricsClient,
- openshiftConfigConfigmapEtcdMetricsServingCA,
- openshiftMachineConfigOperator,
- etcdServiceKubeSystem,
- hostEtcdServiceKubeSystem,
- )
- assetData := map[string][]byte{
- "kube-cloud-config.yaml": applyTemplateData(kubeCloudConfig.Files()[0].Data, templateData),
- "machine-config-server-tls-secret.yaml": applyTemplateData(machineConfigServerTLSSecret.Files()[0].Data, templateData),
- "pull.json": applyTemplateData(pull.Files()[0].Data, templateData),
- "cvo-overrides.yaml": applyTemplateData(cVOOverrides.Files()[0].Data, templateData),
- "host-etcd-service-endpoints.yaml": applyTemplateData(hostEtcdServiceEndpointsKubeSystem.Files()[0].Data, templateData),
- "kube-system-configmap-etcd-serving-ca.yaml": applyTemplateData(kubeSystemConfigmapEtcdServingCA.Files()[0].Data, templateData),
- "kube-system-configmap-root-ca.yaml": applyTemplateData(kubeSystemConfigmapRootCA.Files()[0].Data, templateData),
- "kube-system-secret-etcd-client.yaml": applyTemplateData(kubeSystemSecretEtcdClient.Files()[0].Data, templateData),
- "openshift-config-secret-etcd-metrics-client.yaml": applyTemplateData(openshiftConfigSecretEtcdMetricsClient.Files()[0].Data, templateData),
- "openshift-config-configmap-etcd-metrics-serving-ca.yaml": applyTemplateData(openshiftConfigConfigmapEtcdMetricsServingCA.Files()[0].Data, templateData),
-
- "04-openshift-machine-config-operator.yaml": []byte(openshiftMachineConfigOperator.Files()[0].Data),
- "etcd-service.yaml": []byte(etcdServiceKubeSystem.Files()[0].Data),
- "host-etcd-service.yaml": []byte(hostEtcdServiceKubeSystem.Files()[0].Data),
- }
-
- files := make([]*asset.File, 0, len(assetData))
- for name, data := range assetData {
- files = append(files, &asset.File{
- Filename: filepath.Join(manifestDir, name),
- Data: data,
- })
+ files := []*asset.File{}
+ for _, a := range []asset.WritableAsset{
+ &bootkube.CVOOverrides{},
+ &bootkube.EtcdServiceKubeSystem{},
+ &bootkube.HostEtcdServiceEndpointsKubeSystem{},
+ &bootkube.HostEtcdServiceKubeSystem{},
+ &bootkube.KubeCloudConfig{},
+ &bootkube.KubeSystemConfigmapEtcdCA{},
+ &bootkube.KubeSystemConfigmapEtcdServingCA{},
+ &bootkube.KubeSystemConfigmapRootCA{},
+ &bootkube.KubeSystemSecretEtcdClient{},
+ &bootkube.KubeSystemSecretEtcdClientCADeprecated{},
+ &bootkube.KubeSystemSecretEtcdSigner{},
+ &bootkube.KubeSystemSecretEtcdSignerClient{},
+ &bootkube.MachineConfigServerTLSSecret{},
+ &bootkube.OpenshiftConfigConfigmapEtcdMetricsServingCA{},
+ &bootkube.OpenshiftConfigSecretEtcdMetricsClient{},
+ &bootkube.OpenshiftMachineConfigOperator{},
+ &bootkube.Pull{},
+ } {
+ dependencies.Get(a)
+ for _, f := range a.Files() {
+ files = append(files, &asset.File{
+ Filename: filepath.Join(manifestDir, strings.TrimSuffix(filepath.Base(f.Filename), ".template")),
+ Data: applyTemplateData(f.Data, templateData),
+ })
+ }
  }
-
  return files
 }
 

pkg/asset/manifests/template.go

@@ -18,20 +18,27 @@ type cloudCredsSecretData struct {
 
 type bootkubeTemplateData struct {
  Base64encodeCloudProviderConfig string
+ CVOClusterID string
+ EtcdCaBundle string
  EtcdCaCert string
+ EtcdClientCaCert string
+ EtcdClientCaKey string
  EtcdClientCert string
  EtcdClientKey string
+ EtcdEndpointDNSSuffix string
+ EtcdEndpointHostnames []string
  EtcdMetricsCaCert string
  EtcdMetricsClientCert string
  EtcdMetricsClientKey string
+ EtcdSignerCert string
+ EtcdSignerClientCert string
+ EtcdSignerClientKey string
+ EtcdSignerKey string
  McsTLSCert string
  McsTLSKey string
  PullSecretBase64 string
  RootCaCert string
  WorkerIgnConfig string
- CVOClusterID string
- EtcdEndpointHostnames []string
- EtcdEndpointDNSSuffix string
 }
 
 type openshiftTemplateData struct {

pkg/asset/templates/content/bootkube/kube-system-configmap-etcd-ca-bundle.go

@@ -0,0 +1,64 @@
+package bootkube
+
+import (
+ "os"
+ "path/filepath"
+
+ "github.com/openshift/installer/pkg/asset"
+ "github.com/openshift/installer/pkg/asset/templates/content"
+)
+
+const (
+ kubeSystemConfigmapEtcdCAFileName = "kube-system-configmap-etcd-ca-bundle.yaml.template"
+)
+
+var _ asset.WritableAsset = (*KubeSystemConfigmapEtcdCA)(nil)
+
+// KubeSystemConfigmapEtcdCA is the constant to represent contents of kube-system-configmap-etcd-ca-bundle.yaml.template file.
+type KubeSystemConfigmapEtcdCA struct {
+ FileList []*asset.File
+}
+
+// Dependencies returns all of the dependencies directly needed by the asset
+func (t *KubeSystemConfigmapEtcdCA) Dependencies() []asset.Asset {
+ return []asset.Asset{}
+}
+
+// Name returns the human-friendly name of the asset.
+func (t *KubeSystemConfigmapEtcdCA) Name() string {
+ return "KubeSystemConfigmapEtcdCA"
+}
+
+// Generate generates the actual files by this asset
+func (t *KubeSystemConfigmapEtcdCA) Generate(parents asset.Parents) error {
+ fileName := kubeSystemConfigmapEtcdCAFileName
+ data, err := content.GetBootkubeTemplate(fileName)
+ if err != nil {
+ return err
+ }
+ t.FileList = []*asset.File{
+ {
+ Filename: filepath.Join(content.TemplateDir, fileName),
+ Data: []byte(data),
+ },
+ }
+ return nil
+}
+
+// Files returns the files generated by the asset.
+func (t *KubeSystemConfigmapEtcdCA) Files() []*asset.File {
+ return t.FileList
+}
+
+// Load returns the asset from disk.
+func (t *KubeSystemConfigmapEtcdCA) Load(f asset.FileFetcher) (bool, error) {
+ file, err := f.FetchByName(filepath.Join(content.TemplateDir, kubeSystemConfigmapEtcdCAFileName))
+ if err != nil {
+ if os.IsNotExist(err) {
+ return false, nil
+ }
+ return false, err
+ }
+ t.FileList = []*asset.File{file}
+ return true, nil
+}

pkg/asset/templates/content/bootkube/kube-system-secret-etcd-client-ca-deprecated.go

@@ -0,0 +1,64 @@
+package bootkube
+
+import (
+ "os"
+ "path/filepath"
+
+ "github.com/openshift/installer/pkg/asset"
+ "github.com/openshift/installer/pkg/asset/templates/content"
+)
+
+const (
+ kubeSystemSecretEtcdClientCADeprecatedFileName = "kube-system-secret-etcd-client-ca-deprecated.yaml.template"
+)
+
+var _ asset.WritableAsset = (*KubeSystemSecretEtcdClientCADeprecated)(nil)
+
+// KubeSystemSecretEtcdClientCADeprecated is the constant to represent contents of kube-system-secret-etcd-client-ca-deprecated.yaml.template file.
+type KubeSystemSecretEtcdClientCADeprecated struct {
+ FileList []*asset.File
+}
+
+// Dependencies returns all of the dependencies directly needed by the asset
+func (t *KubeSystemSecretEtcdClientCADeprecated) Dependencies() []asset.Asset {
+ return []asset.Asset{}
+}
+
+// Name returns the human-friendly name of the asset.
+func (t *KubeSystemSecretEtcdClientCADeprecated) Name() string {
+ return "KubeSystemSecretEtcdClientCADeprecated"
+}
+
+// Generate generates the actual files by this asset
+func (t *KubeSystemSecretEtcdClientCADeprecated) Generate(parents asset.Parents) error {
+ fileName := kubeSystemSecretEtcdClientCADeprecatedFileName
+ data, err := content.GetBootkubeTemplate(fileName)
+ if err != nil {
+ return err
+ }
+ t.FileList = []*asset.File{
+ {
+ Filename: filepath.Join(content.TemplateDir, fileName),
+ Data: []byte(data),
+ },
+ }
+ return nil
+}
+
+// Files returns the files generated by the asset.
+func (t *KubeSystemSecretEtcdClientCADeprecated) Files() []*asset.File {
+ return t.FileList
+}
+
+// Load returns the asset from disk.
+func (t *KubeSystemSecretEtcdClientCADeprecated) Load(f asset.FileFetcher) (bool, error) {
+ file, err := f.FetchByName(filepath.Join(content.TemplateDir, kubeSystemSecretEtcdClientCADeprecatedFileName))
+ if err != nil {
+ if os.IsNotExist(err) {
+ return false, nil
+ }
+ return false, err
+ }
+ t.FileList = []*asset.File{file}
+ return true, nil
+}