Merge pull request #1363 from abhinavdahiya/etcd-ca

BUG 1684206: *: store etcd CA and client certs in cluster

data/data/manifests/bootkube/kube-system-configmap-etcd-ca-bundle.yaml.template

@@ -0,0 +1,8 @@
+apiVersion: v1
+kind: ConfigMap
+metadata:
+  name: etcd-ca-bundle
+  namespace: kube-system
+data:
+  ca-bundle.crt: |
+    {{.EtcdCaBundle | indent 4}}

data/data/manifests/bootkube/kube-system-secret-etcd-client-ca-deprecated.yaml.template

@@ -0,0 +1,9 @@
+apiVersion: v1
+kind: Secret
+metadata:
+  name: etcd-client-ca-deprecated
+  namespace: kube-system
+type: SecretTypeTLS
+data:
+  tls.crt: {{ .EtcdClientCaCert }}
+  tls.key: {{ .EtcdClientCaKey }}

data/data/manifests/bootkube/kube-system-secret-etcd-signer-client.yaml.template

@@ -0,0 +1,9 @@
+apiVersion: v1
+kind: Secret
+metadata:
+  name: etcd-signer-client
+  namespace: kube-system
+type: SecretTypeTLS
+data:
+  tls.crt: {{ .EtcdSignerClientCert }}
+  tls.key: {{ .EtcdSignerClientKey }}

data/data/manifests/bootkube/kube-system-secret-etcd-signer.yaml.template

@@ -0,0 +1,9 @@
+apiVersion: v1
+kind: Secret
+metadata:
+  name: etcd-signer
+  namespace: kube-system
+type: SecretTypeTLS
+data:
+  tls.crt: {{ .EtcdSignerCert }}
+  tls.key: {{ .EtcdSignerKey }}

pkg/asset/manifests/operators.go

@@ -60,25 +60,31 @@ func (m *Manifests) Dependencies() []asset.Asset {
 		&Networking{},
 		&tls.RootCA{},
 		&tls.EtcdCA{},
+		&tls.EtcdSignerCertKey{},
+		&tls.EtcdCABundle{},
+		&tls.EtcdSignerClientCertKey{},
 		&tls.EtcdClientCertKey{},
 		&tls.EtcdMetricsCABundle{},
 		&tls.EtcdMetricsSignerClientCertKey{},
 		&tls.MCSCertKey{},
 
-		&bootkube.KubeCloudConfig{},
-		&bootkube.MachineConfigServerTLSSecret{},
-		&bootkube.Pull{},
 		&bootkube.CVOOverrides{},
+		&bootkube.EtcdServiceKubeSystem{},
 		&bootkube.HostEtcdServiceEndpointsKubeSystem{},
+		&bootkube.HostEtcdServiceKubeSystem{},
+		&bootkube.KubeCloudConfig{},
+		&bootkube.KubeSystemConfigmapEtcdCA{},
 		&bootkube.KubeSystemConfigmapEtcdServingCA{},
 		&bootkube.KubeSystemConfigmapRootCA{},
 		&bootkube.KubeSystemSecretEtcdClient{},
-		&bootkube.OpenshiftConfigSecretEtcdMetricsClient{},
+		&bootkube.KubeSystemSecretEtcdClientCADeprecated{},
+		&bootkube.KubeSystemSecretEtcdSigner{},
+		&bootkube.KubeSystemSecretEtcdSignerClient{},
+		&bootkube.MachineConfigServerTLSSecret{},
 		&bootkube.OpenshiftConfigConfigmapEtcdMetricsServingCA{},
-
+		&bootkube.OpenshiftConfigSecretEtcdMetricsClient{},
 		&bootkube.OpenshiftMachineConfigOperator{},
-		&bootkube.EtcdServiceKubeSystem{},
-		&bootkube.HostEtcdServiceKubeSystem{},
+		&bootkube.Pull{},
 	}
 }
 
@@ -132,10 +138,16 @@ func (m *Manifests) generateBootKubeManifests(dependencies asset.Parents) []*ass
 	etcdMetricsCABundle := &tls.EtcdMetricsCABundle{}
 	etcdMetricsSignerClientCertKey := &tls.EtcdMetricsSignerClientCertKey{}
 	rootCA := &tls.RootCA{}
+	etcdSignerCertKey := &tls.EtcdSignerCertKey{}
+	etcdCABundle := &tls.EtcdCABundle{}
+	etcdSignerClientCertKey := &tls.EtcdSignerClientCertKey{}
 	dependencies.Get(
 		clusterID,
 		installConfig,
 		etcdCA,
+		etcdSignerCertKey,
+		etcdCABundle,
+		etcdSignerClientCertKey,
 		etcdClientCertKey,
 		etcdMetricsCABundle,
 		etcdMetricsSignerClientCertKey,
@@ -150,75 +162,56 @@ func (m *Manifests) generateBootKubeManifests(dependencies asset.Parents) []*ass
 
 	templateData := &bootkubeTemplateData{
 		Base64encodeCloudProviderConfig: "", // FIXME
+		CVOClusterID:                    clusterID.UUID,
+		EtcdCaBundle:                    base64.StdEncoding.EncodeToString(etcdCABundle.Cert()),
 		EtcdCaCert:                      string(etcdCA.Cert()),
+		EtcdClientCaCert:                base64.StdEncoding.EncodeToString(etcdCA.Cert()),
+		EtcdClientCaKey:                 base64.StdEncoding.EncodeToString(etcdCA.Key()),
 		EtcdClientCert:                  base64.StdEncoding.EncodeToString(etcdClientCertKey.Cert()),
 		EtcdClientKey:                   base64.StdEncoding.EncodeToString(etcdClientCertKey.Key()),
+		EtcdEndpointDNSSuffix:           installConfig.Config.ClusterDomain(),
+		EtcdEndpointHostnames:           etcdEndpointHostnames,
 		EtcdMetricsCaCert:               string(etcdMetricsCABundle.Cert()),
 		EtcdMetricsClientCert:           base64.StdEncoding.EncodeToString(etcdMetricsSignerClientCertKey.Cert()),
 		EtcdMetricsClientKey:            base64.StdEncoding.EncodeToString(etcdMetricsSignerClientCertKey.Key()),
+		EtcdSignerCert:                  base64.StdEncoding.EncodeToString(etcdSignerCertKey.Cert()),
+		EtcdSignerClientCert:            base64.StdEncoding.EncodeToString(etcdSignerClientCertKey.Cert()),
+		EtcdSignerClientKey:             base64.StdEncoding.EncodeToString(etcdSignerClientCertKey.Key()),
+		EtcdSignerKey:                   base64.StdEncoding.EncodeToString(etcdSignerCertKey.Key()),
 		McsTLSCert:                      base64.StdEncoding.EncodeToString(mcsCertKey.Cert()),
 		McsTLSKey:                       base64.StdEncoding.EncodeToString(mcsCertKey.Key()),
 		PullSecretBase64:                base64.StdEncoding.EncodeToString([]byte(installConfig.Config.PullSecret)),
 		RootCaCert:                      string(rootCA.Cert()),
-		CVOClusterID:                    clusterID.UUID,
-		EtcdEndpointHostnames:           etcdEndpointHostnames,
-		EtcdEndpointDNSSuffix:           installConfig.Config.ClusterDomain(),
 	}
 
-	kubeCloudConfig := &bootkube.KubeCloudConfig{}
-	machineConfigServerTLSSecret := &bootkube.MachineConfigServerTLSSecret{}
-	pull := &bootkube.Pull{}
-	cVOOverrides := &bootkube.CVOOverrides{}
-	hostEtcdServiceEndpointsKubeSystem := &bootkube.HostEtcdServiceEndpointsKubeSystem{}
-	kubeSystemConfigmapEtcdServingCA := &bootkube.KubeSystemConfigmapEtcdServingCA{}
-	kubeSystemConfigmapRootCA := &bootkube.KubeSystemConfigmapRootCA{}
-	kubeSystemSecretEtcdClient := &bootkube.KubeSystemSecretEtcdClient{}
-	openshiftConfigSecretEtcdMetricsClient := &bootkube.OpenshiftConfigSecretEtcdMetricsClient{}
-	openshiftConfigConfigmapEtcdMetricsServingCA := &bootkube.OpenshiftConfigConfigmapEtcdMetricsServingCA{}
-
-	openshiftMachineConfigOperator := &bootkube.OpenshiftMachineConfigOperator{}
-	etcdServiceKubeSystem := &bootkube.EtcdServiceKubeSystem{}
-	hostEtcdServiceKubeSystem := &bootkube.HostEtcdServiceKubeSystem{}
-	dependencies.Get(
-		kubeCloudConfig,
-		machineConfigServerTLSSecret,
-		pull,
-		cVOOverrides,
-		hostEtcdServiceEndpointsKubeSystem,
-		kubeSystemConfigmapEtcdServingCA,
-		kubeSystemConfigmapRootCA,
-		kubeSystemSecretEtcdClient,
-		openshiftConfigSecretEtcdMetricsClient,
-		openshiftConfigConfigmapEtcdMetricsServingCA,
-		openshiftMachineConfigOperator,
-		etcdServiceKubeSystem,
-		hostEtcdServiceKubeSystem,
-	)
-	assetData := map[string][]byte{
-		"kube-cloud-config.yaml":                                  applyTemplateData(kubeCloudConfig.Files()[0].Data, templateData),
-		"machine-config-server-tls-secret.yaml":                   applyTemplateData(machineConfigServerTLSSecret.Files()[0].Data, templateData),
-		"pull.json":                                               applyTemplateData(pull.Files()[0].Data, templateData),
-		"cvo-overrides.yaml":                                      applyTemplateData(cVOOverrides.Files()[0].Data, templateData),
-		"host-etcd-service-endpoints.yaml":                        applyTemplateData(hostEtcdServiceEndpointsKubeSystem.Files()[0].Data, templateData),
-		"kube-system-configmap-etcd-serving-ca.yaml":              applyTemplateData(kubeSystemConfigmapEtcdServingCA.Files()[0].Data, templateData),
-		"kube-system-configmap-root-ca.yaml":                      applyTemplateData(kubeSystemConfigmapRootCA.Files()[0].Data, templateData),
-		"kube-system-secret-etcd-client.yaml":                     applyTemplateData(kubeSystemSecretEtcdClient.Files()[0].Data, templateData),
-		"openshift-config-secret-etcd-metrics-client.yaml":        applyTemplateData(openshiftConfigSecretEtcdMetricsClient.Files()[0].Data, templateData),
-		"openshift-config-configmap-etcd-metrics-serving-ca.yaml": applyTemplateData(openshiftConfigConfigmapEtcdMetricsServingCA.Files()[0].Data, templateData),
-
-		"04-openshift-machine-config-operator.yaml": []byte(openshiftMachineConfigOperator.Files()[0].Data),
-		"etcd-service.yaml":                         []byte(etcdServiceKubeSystem.Files()[0].Data),
-		"host-etcd-service.yaml":                    []byte(hostEtcdServiceKubeSystem.Files()[0].Data),
-	}
-
-	files := make([]*asset.File, 0, len(assetData))
-	for name, data := range assetData {
-		files = append(files, &asset.File{
-			Filename: filepath.Join(manifestDir, name),
-			Data:     data,
-		})
+	files := []*asset.File{}
+	for _, a := range []asset.WritableAsset{
+		&bootkube.CVOOverrides{},
+		&bootkube.EtcdServiceKubeSystem{},
+		&bootkube.HostEtcdServiceEndpointsKubeSystem{},
+		&bootkube.HostEtcdServiceKubeSystem{},
+		&bootkube.KubeCloudConfig{},
+		&bootkube.KubeSystemConfigmapEtcdCA{},
+		&bootkube.KubeSystemConfigmapEtcdServingCA{},
+		&bootkube.KubeSystemConfigmapRootCA{},
+		&bootkube.KubeSystemSecretEtcdClient{},
+		&bootkube.KubeSystemSecretEtcdClientCADeprecated{},
+		&bootkube.KubeSystemSecretEtcdSigner{},
+		&bootkube.KubeSystemSecretEtcdSignerClient{},
+		&bootkube.MachineConfigServerTLSSecret{},
+		&bootkube.OpenshiftConfigConfigmapEtcdMetricsServingCA{},
+		&bootkube.OpenshiftConfigSecretEtcdMetricsClient{},
+		&bootkube.OpenshiftMachineConfigOperator{},
+		&bootkube.Pull{},
+	} {
+		dependencies.Get(a)
+		for _, f := range a.Files() {
+			files = append(files, &asset.File{
+				Filename: filepath.Join(manifestDir, strings.TrimSuffix(filepath.Base(f.Filename), ".template")),
+				Data:     applyTemplateData(f.Data, templateData),
+			})
+		}
 	}
-
 	return files
 }
 

pkg/asset/manifests/template.go

@@ -18,20 +18,27 @@ type cloudCredsSecretData struct {
 
 type bootkubeTemplateData struct {
 	Base64encodeCloudProviderConfig string
+	CVOClusterID                    string
+	EtcdCaBundle                    string
 	EtcdCaCert                      string
+	EtcdClientCaCert                string
+	EtcdClientCaKey                 string
 	EtcdClientCert                  string
 	EtcdClientKey                   string
+	EtcdEndpointDNSSuffix           string
+	EtcdEndpointHostnames           []string
 	EtcdMetricsCaCert               string
 	EtcdMetricsClientCert           string
 	EtcdMetricsClientKey            string
+	EtcdSignerCert                  string
+	EtcdSignerClientCert            string
+	EtcdSignerClientKey             string
+	EtcdSignerKey                   string
 	McsTLSCert                      string
 	McsTLSKey                       string
 	PullSecretBase64                string
 	RootCaCert                      string
 	WorkerIgnConfig                 string
-	CVOClusterID                    string
-	EtcdEndpointHostnames           []string
-	EtcdEndpointDNSSuffix           string
 }
 
 type openshiftTemplateData struct {

pkg/asset/templates/content/bootkube/kube-system-configmap-etcd-ca-bundle.go

@@ -0,0 +1,64 @@
+package bootkube
+
+import (
+	"os"
+	"path/filepath"
+
+	"github.com/openshift/installer/pkg/asset"
+	"github.com/openshift/installer/pkg/asset/templates/content"
+)
+
+const (
+	kubeSystemConfigmapEtcdCAFileName = "kube-system-configmap-etcd-ca-bundle.yaml.template"
+)
+
+var _ asset.WritableAsset = (*KubeSystemConfigmapEtcdCA)(nil)
+
+// KubeSystemConfigmapEtcdCA is the constant to represent contents of kube-system-configmap-etcd-ca-bundle.yaml.template file.
+type KubeSystemConfigmapEtcdCA struct {
+	FileList []*asset.File
+}
+
+// Dependencies returns all of the dependencies directly needed by the asset
+func (t *KubeSystemConfigmapEtcdCA) Dependencies() []asset.Asset {
+	return []asset.Asset{}
+}
+
+// Name returns the human-friendly name of the asset.
+func (t *KubeSystemConfigmapEtcdCA) Name() string {
+	return "KubeSystemConfigmapEtcdCA"
+}
+
+// Generate generates the actual files by this asset
+func (t *KubeSystemConfigmapEtcdCA) Generate(parents asset.Parents) error {
+	fileName := kubeSystemConfigmapEtcdCAFileName
+	data, err := content.GetBootkubeTemplate(fileName)
+	if err != nil {
+		return err
+	}
+	t.FileList = []*asset.File{
+		{
+			Filename: filepath.Join(content.TemplateDir, fileName),
+			Data:     []byte(data),
+		},
+	}
+	return nil
+}
+
+// Files returns the files generated by the asset.
+func (t *KubeSystemConfigmapEtcdCA) Files() []*asset.File {
+	return t.FileList
+}
+
+// Load returns the asset from disk.
+func (t *KubeSystemConfigmapEtcdCA) Load(f asset.FileFetcher) (bool, error) {
+	file, err := f.FetchByName(filepath.Join(content.TemplateDir, kubeSystemConfigmapEtcdCAFileName))
+	if err != nil {
+		if os.IsNotExist(err) {
+			return false, nil
+		}
+		return false, err
+	}
+	t.FileList = []*asset.File{file}
+	return true, nil
+}

pkg/asset/templates/content/bootkube/kube-system-secret-etcd-client-ca-deprecated.go

@@ -0,0 +1,64 @@
+package bootkube
+
+import (
+	"os"
+	"path/filepath"
+
+	"github.com/openshift/installer/pkg/asset"
+	"github.com/openshift/installer/pkg/asset/templates/content"
+)
+
+const (
+	kubeSystemSecretEtcdClientCADeprecatedFileName = "kube-system-secret-etcd-client-ca-deprecated.yaml.template"
+)
+
+var _ asset.WritableAsset = (*KubeSystemSecretEtcdClientCADeprecated)(nil)
+
+// KubeSystemSecretEtcdClientCADeprecated is the constant to represent contents of kube-system-secret-etcd-client-ca-deprecated.yaml.template file.
+type KubeSystemSecretEtcdClientCADeprecated struct {
+	FileList []*asset.File
+}
+
+// Dependencies returns all of the dependencies directly needed by the asset
+func (t *KubeSystemSecretEtcdClientCADeprecated) Dependencies() []asset.Asset {
+	return []asset.Asset{}
+}
+
+// Name returns the human-friendly name of the asset.
+func (t *KubeSystemSecretEtcdClientCADeprecated) Name() string {
+	return "KubeSystemSecretEtcdClientCADeprecated"
+}
+
+// Generate generates the actual files by this asset
+func (t *KubeSystemSecretEtcdClientCADeprecated) Generate(parents asset.Parents) error {
+	fileName := kubeSystemSecretEtcdClientCADeprecatedFileName
+	data, err := content.GetBootkubeTemplate(fileName)
+	if err != nil {
+		return err
+	}
+	t.FileList = []*asset.File{
+		{
+			Filename: filepath.Join(content.TemplateDir, fileName),
+			Data:     []byte(data),
+		},
+	}
+	return nil
+}
+
+// Files returns the files generated by the asset.
+func (t *KubeSystemSecretEtcdClientCADeprecated) Files() []*asset.File {
+	return t.FileList
+}
+
+// Load returns the asset from disk.
+func (t *KubeSystemSecretEtcdClientCADeprecated) Load(f asset.FileFetcher) (bool, error) {
+	file, err := f.FetchByName(filepath.Join(content.TemplateDir, kubeSystemSecretEtcdClientCADeprecatedFileName))
+	if err != nil {
+		if os.IsNotExist(err) {
+			return false, nil
+		}
+		return false, err
+	}
+	t.FileList = []*asset.File{file}
+	return true, nil
+}