diff --git a/data/data/manifests/bootkube/kube-system-configmap-etcd-ca-bundle.yaml.template b/data/data/manifests/bootkube/kube-system-configmap-etcd-ca-bundle.yaml.template
new file mode 100644
index 00000000000..0729c216a7c
--- /dev/null
+++ b/data/data/manifests/bootkube/kube-system-configmap-etcd-ca-bundle.yaml.template
@@ -0,0 +1,8 @@
+apiVersion: v1
+kind: ConfigMap
+metadata:
+ name: etcd-ca-bundle
+ namespace: kube-system
+data:
+ ca-bundle.crt: |
+ {{.EtcdCaBundle | indent 4}}
diff --git a/data/data/manifests/bootkube/kube-system-secret-etcd-client-ca-deprecated.yaml.template b/data/data/manifests/bootkube/kube-system-secret-etcd-client-ca-deprecated.yaml.template
new file mode 100644
index 00000000000..b1d1b68bc2e
--- /dev/null
+++ b/data/data/manifests/bootkube/kube-system-secret-etcd-client-ca-deprecated.yaml.template
@@ -0,0 +1,9 @@
+apiVersion: v1
+kind: Secret
+metadata:
+ name: etcd-client-ca-deprecated
+ namespace: kube-system
+type: SecretTypeTLS
+data:
+ tls.crt: {{ .EtcdClientCaCert }}
+ tls.key: {{ .EtcdClientCaKey }}
diff --git a/data/data/manifests/bootkube/kube-system-secret-etcd-signer-client.yaml.template b/data/data/manifests/bootkube/kube-system-secret-etcd-signer-client.yaml.template
new file mode 100644
index 00000000000..9b99cc93782
--- /dev/null
+++ b/data/data/manifests/bootkube/kube-system-secret-etcd-signer-client.yaml.template
@@ -0,0 +1,9 @@
+apiVersion: v1
+kind: Secret
+metadata:
+ name: etcd-signer-client
+ namespace: kube-system
+type: SecretTypeTLS
+data:
+ tls.crt: {{ .EtcdSignerClientCert }}
+ tls.key: {{ .EtcdSignerClientKey }}
diff --git a/data/data/manifests/bootkube/kube-system-secret-etcd-signer.yaml.template b/data/data/manifests/bootkube/kube-system-secret-etcd-signer.yaml.template
new file mode 100644
index 00000000000..3355fd8e9de
--- /dev/null
+++ b/data/data/manifests/bootkube/kube-system-secret-etcd-signer.yaml.template
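Review bot: `type: SecretTypeTLS` in kube-system-secret-etcd-client-ca-deprecated.yaml.template is the identifier of the Go constant in the Kubernetes core API, not its value; the manifest should carry `type: kubernetes.io/tls`, and the same line appears in the etcd-signer-client and etcd-signer templates. The API server admits unknown type strings as custom secret types, so this is not rejected, but the built-in check that a TLS secret holds `tls.crt` and `tls.key` does not run and any tooling that selects on the TLS type will not see these secrets. Separately, this template places the etcd CA private key itself (`.EtcdClientCaKey`) into a kube-system Secret, so read access to Secrets in that namespace is equivalent to holding the CA; the `-deprecated` suffix suggests that is understood, but nothing records why the Secret exists or when it can be removed. If, as the name suggests, it is kept only for consumers that have not yet moved to the etcd-signer-client secret, a leading YAML comment such as `# Deprecated: carries the etcd CA signing key; remove once all consumers use etcd-signer-client.` would make that visible to whoever later owns the cleanup.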
@@ -0,0 +1,9 @@
+apiVersion: v1
+kind: Secret
+metadata:
+ name: etcd-signer
+ namespace: kube-system
+type: SecretTypeTLS
+data:
+ tls.crt: {{ .EtcdSignerCert }}
+ tls.key: {{ .EtcdSignerKey }}
diff --git a/data/data/manifests/bootkube/pull.yaml.template b/data/data/manifests/bootkube/pull.json.template
similarity index 100%
rename from data/data/manifests/bootkube/pull.yaml.template
rename to data/data/manifests/bootkube/pull.json.template
diff --git a/pkg/asset/manifests/operators.go b/pkg/asset/manifests/operators.go
index c3aadfe1155..76f4738740b 100644
--- a/pkg/asset/manifests/operators.go
+++ b/pkg/asset/manifests/operators.go
@@ -60,25 +60,31 @@ func (m *Manifests) Dependencies() []asset.Asset {
 &Networking{},
 &tls.RootCA{},
 &tls.EtcdCA{},
+ &tls.EtcdSignerCertKey{},
+ &tls.EtcdCABundle{},
+ &tls.EtcdSignerClientCertKey{},
 &tls.EtcdClientCertKey{},
 &tls.EtcdMetricsCABundle{},
 &tls.EtcdMetricsSignerClientCertKey{},
 &tls.MCSCertKey{},
- &bootkube.KubeCloudConfig{},
- &bootkube.MachineConfigServerTLSSecret{},
- &bootkube.Pull{},
 &bootkube.CVOOverrides{},
+ &bootkube.EtcdServiceKubeSystem{},
 &bootkube.HostEtcdServiceEndpointsKubeSystem{},
+ &bootkube.HostEtcdServiceKubeSystem{},
+ &bootkube.KubeCloudConfig{},
+ &bootkube.KubeSystemConfigmapEtcdCA{},
 &bootkube.KubeSystemConfigmapEtcdServingCA{},
 &bootkube.KubeSystemConfigmapRootCA{},
 &bootkube.KubeSystemSecretEtcdClient{},
- &bootkube.OpenshiftConfigSecretEtcdMetricsClient{},
+ &bootkube.KubeSystemSecretEtcdClientCADeprecated{},
+ &bootkube.KubeSystemSecretEtcdSigner{},
+ &bootkube.KubeSystemSecretEtcdSignerClient{},
+ &bootkube.MachineConfigServerTLSSecret{},
 &bootkube.OpenshiftConfigConfigmapEtcdMetricsServingCA{},
-
+ &bootkube.OpenshiftConfigSecretEtcdMetricsClient{},
 &bootkube.OpenshiftMachineConfigOperator{},
- &bootkube.EtcdServiceKubeSystem{},
- &bootkube.HostEtcdServiceKubeSystem{},
+ &bootkube.Pull{},
 }
 }
@@ -132,10 +138,16 @@ func (m *Manifests) generateBootKubeManifests(dependencies asset.Parents) []*ass
 etcdMetricsCABundle := &tls.EtcdMetricsCABundle{}
 etcdMetricsSignerClientCertKey := &tls.EtcdMetricsSignerClientCertKey{}
 rootCA := &tls.RootCA{}
+ etcdSignerCertKey := &tls.EtcdSignerCertKey{}
+ etcdCABundle := &tls.EtcdCABundle{}
+ etcdSignerClientCertKey := &tls.EtcdSignerClientCertKey{}
 dependencies.Get(
 clusterID,
 installConfig,
 etcdCA,
+ etcdSignerCertKey,
+ etcdCABundle,
+ etcdSignerClientCertKey,
 etcdClientCertKey,
 etcdMetricsCABundle,
 etcdMetricsSignerClientCertKey,
@@ -150,75 +162,56 @@ func (m *Manifests) generateBootKubeManifests(dependencies asset.Parents) []*ass
 templateData := &bootkubeTemplateData{
 Base64encodeCloudProviderConfig: "", // FIXME
+ CVOClusterID: clusterID.UUID,
+ EtcdCaBundle: base64.StdEncoding.EncodeToString(etcdCABundle.Cert()),
 EtcdCaCert: string(etcdCA.Cert()),
+ EtcdClientCaCert: base64.StdEncoding.EncodeToString(etcdCA.Cert()),
+ EtcdClientCaKey: base64.StdEncoding.EncodeToString(etcdCA.Key()),
 EtcdClientCert: base64.StdEncoding.EncodeToString(etcdClientCertKey.Cert()),
 EtcdClientKey: base64.StdEncoding.EncodeToString(etcdClientCertKey.Key()),
+ EtcdEndpointDNSSuffix: installConfig.Config.ClusterDomain(),
+ EtcdEndpointHostnames: etcdEndpointHostnames,
 EtcdMetricsCaCert: string(etcdMetricsCABundle.Cert()),
 EtcdMetricsClientCert: base64.StdEncoding.EncodeToString(etcdMetricsSignerClientCertKey.Cert()),
 EtcdMetricsClientKey: base64.StdEncoding.EncodeToString(etcdMetricsSignerClientCertKey.Key()),
+ EtcdSignerCert: base64.StdEncoding.EncodeToString(etcdSignerCertKey.Cert()),
+ EtcdSignerClientCert: base64.StdEncoding.EncodeToString(etcdSignerClientCertKey.Cert()),
+ EtcdSignerClientKey: base64.StdEncoding.EncodeToString(etcdSignerClientCertKey.Key()),
+ EtcdSignerKey: base64.StdEncoding.EncodeToString(etcdSignerCertKey.Key()),
 McsTLSCert: base64.StdEncoding.EncodeToString(mcsCertKey.Cert()),
 McsTLSKey: base64.StdEncoding.EncodeToString(mcsCertKey.Key()),
 PullSecretBase64: base64.StdEncoding.EncodeToString([]byte(installConfig.Config.PullSecret)),
 RootCaCert: string(rootCA.Cert()),
- CVOClusterID: clusterID.UUID,
- EtcdEndpointHostnames: etcdEndpointHostnames,
- EtcdEndpointDNSSuffix: installConfig.Config.ClusterDomain(),
 }
- kubeCloudConfig := &bootkube.KubeCloudConfig{}
- machineConfigServerTLSSecret := &bootkube.MachineConfigServerTLSSecret{}
- pull := &bootkube.Pull{}
- cVOOverrides := &bootkube.CVOOverrides{}
- hostEtcdServiceEndpointsKubeSystem := &bootkube.HostEtcdServiceEndpointsKubeSystem{}
- kubeSystemConfigmapEtcdServingCA := &bootkube.KubeSystemConfigmapEtcdServingCA{}
- kubeSystemConfigmapRootCA := &bootkube.KubeSystemConfigmapRootCA{}
- kubeSystemSecretEtcdClient := &bootkube.KubeSystemSecretEtcdClient{}
- openshiftConfigSecretEtcdMetricsClient := &bootkube.OpenshiftConfigSecretEtcdMetricsClient{}
- openshiftConfigConfigmapEtcdMetricsServingCA := &bootkube.OpenshiftConfigConfigmapEtcdMetricsServingCA{}
-
- openshiftMachineConfigOperator := &bootkube.OpenshiftMachineConfigOperator{}
- etcdServiceKubeSystem := &bootkube.EtcdServiceKubeSystem{}
- hostEtcdServiceKubeSystem := &bootkube.HostEtcdServiceKubeSystem{} dependencies.Get(
- kubeCloudConfig,
- machineConfigServerTLSSecret,
- pull,
- cVOOverrides,
- hostEtcdServiceEndpointsKubeSystem,
- kubeSystemConfigmapEtcdServingCA,
- kubeSystemConfigmapRootCA,
- kubeSystemSecretEtcdClient,
- openshiftConfigSecretEtcdMetricsClient,
- openshiftConfigConfigmapEtcdMetricsServingCA,
- openshiftMachineConfigOperator,
- etcdServiceKubeSystem,
- hostEtcdServiceKubeSystem,
- )
- assetData := map[string][]byte{
- "kube-cloud-config.yaml": applyTemplateData(kubeCloudConfig.Files()[0].Data, templateData),
- "machine-config-server-tls-secret.yaml": applyTemplateData(machineConfigServerTLSSecret.Files()[0].Data, templateData),
- "pull.json": applyTemplateData(pull.Files()[0].Data, templateData),
- "cvo-overrides.yaml": applyTemplateData(cVOOverrides.Files()[0].Data, templateData),
- "host-etcd-service-endpoints.yaml": applyTemplateData(hostEtcdServiceEndpointsKubeSystem.Files()[0].Data, templateData),
- "kube-system-configmap-etcd-serving-ca.yaml": applyTemplateData(kubeSystemConfigmapEtcdServingCA.Files()[0].Data, templateData),
- "kube-system-configmap-root-ca.yaml": applyTemplateData(kubeSystemConfigmapRootCA.Files()[0].Data, templateData),
- "kube-system-secret-etcd-client.yaml": applyTemplateData(kubeSystemSecretEtcdClient.Files()[0].Data, templateData),
- "openshift-config-secret-etcd-metrics-client.yaml": applyTemplateData(openshiftConfigSecretEtcdMetricsClient.Files()[0].Data, templateData),
- "openshift-config-configmap-etcd-metrics-serving-ca.yaml": applyTemplateData(openshiftConfigConfigmapEtcdMetricsServingCA.Files()[0].Data, templateData),
-
- "04-openshift-machine-config-operator.yaml": []byte(openshiftMachineConfigOperator.Files()[0].Data),
- "etcd-service.yaml": []byte(etcdServiceKubeSystem.Files()[0].Data),
- "host-etcd-service.yaml": []byte(hostEtcdServiceKubeSystem.Files()[0].Data),
- }
-
- files := make([]*asset.File, 0, len(assetData))
- for name, data := range assetData {
- files = append(files, &asset.File{
- Filename: filepath.Join(manifestDir, name),
- Data: data,
- })
+ files := []*asset.File{}
+ for _, a := range []asset.WritableAsset{
+ &bootkube.CVOOverrides{},
+ &bootkube.EtcdServiceKubeSystem{},
+ &bootkube.HostEtcdServiceEndpointsKubeSystem{},
+ &bootkube.HostEtcdServiceKubeSystem{},
+ &bootkube.KubeCloudConfig{},
+ &bootkube.KubeSystemConfigmapEtcdCA{},
+ &bootkube.KubeSystemConfigmapEtcdServingCA{},
+ &bootkube.KubeSystemConfigmapRootCA{},
+ &bootkube.KubeSystemSecretEtcdClient{},
+ &bootkube.KubeSystemSecretEtcdClientCADeprecated{},
+ &bootkube.KubeSystemSecretEtcdSigner{},
+ &bootkube.KubeSystemSecretEtcdSignerClient{},
+ &bootkube.MachineConfigServerTLSSecret{},
+ &bootkube.OpenshiftConfigConfigmapEtcdMetricsServingCA{},
+ &bootkube.OpenshiftConfigSecretEtcdMetricsClient{},
+ &bootkube.OpenshiftMachineConfigOperator{},
+ &bootkube.Pull{},
+ } {
+ dependencies.Get(a)
+ for _, f := range a.Files() {
+ files = append(files, &asset.File{
+ Filename: filepath.Join(manifestDir, strings.TrimSuffix(filepath.Base(f.Filename), ".template")),
+ Data: applyTemplateData(f.Data, templateData),
+ })
+ }
 }
-
 return files
 }
diff --git a/pkg/asset/manifests/template.go b/pkg/asset/manifests/template.go
index bbb4af2de20..c63e4d6bbfe 100644
--- a/pkg/asset/manifests/template.go
+++ b/pkg/asset/manifests/template.go
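Review bot: `EtcdCaBundle` is base64-encoded here, but the new kube-system-configmap-etcd-ca-bundle template writes it into a ConfigMap `data` entry (`ca-bundle.crt: |`, piped through `indent 4`), and ConfigMap `data` holds plain text, so a consumer mounting that key would read a base64 blob rather than a PEM bundle unless it decodes it first. The sibling ConfigMap values `EtcdCaCert` and `EtcdMetricsCaCert` use `string(...)`, and `indent 4` only has an effect on multi-line PEM, so the line should read `EtcdCaBundle: string(etcdCABundle.Cert()),`. The loop also runs `applyTemplateData` over the three files the old map copied raw (`04-openshift-machine-config-operator.yaml`, `etcd-service.yaml`, `host-etcd-service.yaml`); if any of those contains a literal `{{`, it is now interpreted, which is worth a one-line comment above the loop stating that every bootkube file is a template. The same seventeen bootkube assets are listed again in Dependencies earlier in this file; a single helper returning that slice, called from both places, would keep the two lists from drifting apart.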
@@ -18,20 +18,27 @@ type cloudCredsSecretData struct {
 type bootkubeTemplateData struct {
 Base64encodeCloudProviderConfig string
+ CVOClusterID string
+ EtcdCaBundle string
 EtcdCaCert string
+ EtcdClientCaCert string
+ EtcdClientCaKey string
 EtcdClientCert string
 EtcdClientKey string
+ EtcdEndpointDNSSuffix string
+ EtcdEndpointHostnames []string
 EtcdMetricsCaCert string
 EtcdMetricsClientCert string
 EtcdMetricsClientKey string
+ EtcdSignerCert string
+ EtcdSignerClientCert string
+ EtcdSignerClientKey string
+ EtcdSignerKey string
 McsTLSCert string
 McsTLSKey string
 PullSecretBase64 string
 RootCaCert string
 WorkerIgnConfig string
- CVOClusterID string
- EtcdEndpointHostnames []string
- EtcdEndpointDNSSuffix string
 }
 type openshiftTemplateData struct {
diff --git a/pkg/asset/templates/content/bootkube/kube-system-configmap-etcd-ca-bundle.go b/pkg/asset/templates/content/bootkube/kube-system-configmap-etcd-ca-bundle.go
new file mode 100644
index 00000000000..e261c07b05f
--- /dev/null
+++ b/pkg/asset/templates/content/bootkube/kube-system-configmap-etcd-ca-bundle.go
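Review bot: bootkubeTemplateData now carries six private keys (`EtcdClientCaKey`, `EtcdSignerKey` and `EtcdSignerClientKey` join `EtcdClientKey`, `EtcdMetricsClientKey` and `McsTLSKey`) plus `PullSecretBase64`, yet the type has no doc comment and nothing marks which fields are credentials. A comment such as `// bootkubeTemplateData holds the values rendered into the bootkube manifests. The *Key fields and PullSecretBase64 are secrets: never log or dump this struct.` would warn the next person who adds a debug print. The new fields also spell the acronym as `Ca` (`EtcdCaBundle`, `EtcdClientCaCert`) while the tls package spells it `CA` (`tls.EtcdCABundle`); the existing `EtcdCaCert` set the precedent, so this is consistent within the struct, but the mismatch between packages is worth noting in that same comment.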
@@ -0,0 +1,64 @@
+package bootkube
+
+import (
+ "os"
+ "path/filepath"
+
+ "github.com/openshift/installer/pkg/asset"
+ "github.com/openshift/installer/pkg/asset/templates/content"
+)
+
+const (
+ kubeSystemConfigmapEtcdCAFileName = "kube-system-configmap-etcd-ca-bundle.yaml.template"
+)
+
+var _ asset.WritableAsset = (*KubeSystemConfigmapEtcdCA)(nil)
+
+// KubeSystemConfigmapEtcdCA is the constant to represent contents of kube-system-configmap-etcd-ca-bundle.yaml.template file.
+type KubeSystemConfigmapEtcdCA struct {
+ FileList []*asset.File
+}
+
+// Dependencies returns all of the dependencies directly needed by the asset
+func (t *KubeSystemConfigmapEtcdCA) Dependencies() []asset.Asset {
+ return []asset.Asset{}
+}
+
+// Name returns the human-friendly name of the asset.
+func (t *KubeSystemConfigmapEtcdCA) Name() string {
+ return "KubeSystemConfigmapEtcdCA"
+}
+
+// Generate generates the actual files by this asset
+func (t *KubeSystemConfigmapEtcdCA) Generate(parents asset.Parents) error {
+ fileName := kubeSystemConfigmapEtcdCAFileName
+ data, err := content.GetBootkubeTemplate(fileName)
+ if err != nil {
+ return err
+ }
+ t.FileList = []*asset.File{
+ {
+ Filename: filepath.Join(content.TemplateDir, fileName),
+ Data: []byte(data),
+ },
+ }
+ return nil
+}
+
+// Files returns the files generated by the asset.
+func (t *KubeSystemConfigmapEtcdCA) Files() []*asset.File {
+ return t.FileList
+}
+
+// Load returns the asset from disk.
+func (t *KubeSystemConfigmapEtcdCA) Load(f asset.FileFetcher) (bool, error) {
+ file, err := f.FetchByName(filepath.Join(content.TemplateDir, kubeSystemConfigmapEtcdCAFileName))
+ if err != nil {
+ if os.IsNotExist(err) {
+ return false, nil
+ }
+ return false, err
+ }
+ t.FileList = []*asset.File{file}
+ return true, nil
+}
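Review bot: The doc comment on `KubeSystemConfigmapEtcdCA` calls the type "the constant to represent contents of" the template, wording repeated in the other three new asset files in this commit and in the edited pull.go comment; the type is an asset, so `// KubeSystemConfigmapEtcdCA is the asset that carries the kube-system-configmap-etcd-ca-bundle.yaml.template file.` describes it correctly. The type name also drops the `Bundle` that the template file, the `etcd-ca-bundle` ConfigMap it renders and the `tls.EtcdCABundle` asset all carry; `KubeSystemConfigmapEtcdCABundle`, with `kubeSystemConfigmapEtcdCAFileName` and the string returned by `Name()` renamed alike, would let a reader connect the three without opening the file.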
diff --git a/pkg/asset/templates/content/bootkube/kube-system-secret-etcd-client-ca-deprecated.go b/pkg/asset/templates/content/bootkube/kube-system-secret-etcd-client-ca-deprecated.go
new file mode 100644
index 00000000000..9ed575e2309
--- /dev/null
+++ b/pkg/asset/templates/content/bootkube/kube-system-secret-etcd-client-ca-deprecated.go
@@ -0,0 +1,64 @@
+package bootkube
+
+import (
+ "os"
+ "path/filepath"
+
+ "github.com/openshift/installer/pkg/asset"
+ "github.com/openshift/installer/pkg/asset/templates/content"
+)
+
+const (
+ kubeSystemSecretEtcdClientCADeprecatedFileName = "kube-system-secret-etcd-client-ca-deprecated.yaml.template"
+)
+
+var _ asset.WritableAsset = (*KubeSystemSecretEtcdClientCADeprecated)(nil)
+
+// KubeSystemSecretEtcdClientCADeprecated is the constant to represent contents of kube-system-secret-etcd-client-ca-deprecated.yaml.template file.
+type KubeSystemSecretEtcdClientCADeprecated struct {
+ FileList []*asset.File
+}
+
+// Dependencies returns all of the dependencies directly needed by the asset
+func (t *KubeSystemSecretEtcdClientCADeprecated) Dependencies() []asset.Asset {
+ return []asset.Asset{}
+}
+
+// Name returns the human-friendly name of the asset.
+func (t *KubeSystemSecretEtcdClientCADeprecated) Name() string {
+ return "KubeSystemSecretEtcdClientCADeprecated"
+}
+
+// Generate generates the actual files by this asset
+func (t *KubeSystemSecretEtcdClientCADeprecated) Generate(parents asset.Parents) error {
+ fileName := kubeSystemSecretEtcdClientCADeprecatedFileName
+ data, err := content.GetBootkubeTemplate(fileName)
+ if err != nil {
+ return err
+ }
+ t.FileList = []*asset.File{
+ {
+ Filename: filepath.Join(content.TemplateDir, fileName),
+ Data: []byte(data),
+ },
+ }
+ return nil
+}
+
+// Files returns the files generated by the asset.
+func (t *KubeSystemSecretEtcdClientCADeprecated) Files() []*asset.File {
+ return t.FileList
+}
+
+// Load returns the asset from disk.
+func (t *KubeSystemSecretEtcdClientCADeprecated) Load(f asset.FileFetcher) (bool, error) {
+ file, err := f.FetchByName(filepath.Join(content.TemplateDir, kubeSystemSecretEtcdClientCADeprecatedFileName))
+ if err != nil {
+ if os.IsNotExist(err) {
+ return false, nil
+ }
+ return false, err
+ }
+ t.FileList = []*asset.File{file}
+ return true, nil
+}
diff --git a/pkg/asset/templates/content/bootkube/kube-system-secret-etcd-signer-client.go b/pkg/asset/templates/content/bootkube/kube-system-secret-etcd-signer-client.go
new file mode 100644
index 00000000000..b166f1b4e3e
--- /dev/null
+++ b/pkg/asset/templates/content/bootkube/kube-system-secret-etcd-signer-client.go
@@ -0,0 +1,64 @@
+package bootkube
+
+import (
+ "os"
+ "path/filepath"
+
+ "github.com/openshift/installer/pkg/asset"
+ "github.com/openshift/installer/pkg/asset/templates/content"
+)
+
+const (
+ kubeSystemSecretEtcdSignerClientFileName = "kube-system-secret-etcd-signer-client.yaml.template"
+)
+
+var _ asset.WritableAsset = (*KubeSystemSecretEtcdSignerClient)(nil)
+
+// KubeSystemSecretEtcdSignerClient is the constant to represent contents of kube-system-secret-etcd-signer-client.yaml.template file.
+type KubeSystemSecretEtcdSignerClient struct {
+ FileList []*asset.File
+}
+
+// Dependencies returns all of the dependencies directly needed by the asset
+func (t *KubeSystemSecretEtcdSignerClient) Dependencies() []asset.Asset {
+ return []asset.Asset{}
+}
+
+// Name returns the human-friendly name of the asset.
+func (t *KubeSystemSecretEtcdSignerClient) Name() string {
+ return "KubeSystemSecretEtcdSignerClient"
+}
+
+// Generate generates the actual files by this asset
+func (t *KubeSystemSecretEtcdSignerClient) Generate(parents asset.Parents) error {
+ fileName := kubeSystemSecretEtcdSignerClientFileName
+ data, err := content.GetBootkubeTemplate(fileName)
+ if err != nil {
+ return err
+ }
+ t.FileList = []*asset.File{
+ {
+ Filename: filepath.Join(content.TemplateDir, fileName),
+ Data: []byte(data),
+ },
+ }
+ return nil
+}
+
+// Files returns the files generated by the asset.
+func (t *KubeSystemSecretEtcdSignerClient) Files() []*asset.File {
+ return t.FileList
+}
+
+// Load returns the asset from disk.
+func (t *KubeSystemSecretEtcdSignerClient) Load(f asset.FileFetcher) (bool, error) {
+ file, err := f.FetchByName(filepath.Join(content.TemplateDir, kubeSystemSecretEtcdSignerClientFileName))
+ if err != nil {
+ if os.IsNotExist(err) {
+ return false, nil
+ }
+ return false, err
+ }
+ t.FileList = []*asset.File{file}
+ return true, nil
+}
diff --git a/pkg/asset/templates/content/bootkube/kube-system-secret-etcd-signer.go b/pkg/asset/templates/content/bootkube/kube-system-secret-etcd-signer.go
new file mode 100644
index 00000000000..56a07a108bb
--- /dev/null
+++ b/pkg/asset/templates/content/bootkube/kube-system-secret-etcd-signer.go
@@ -0,0 +1,64 @@
+package bootkube
+
+import (
+ "os"
+ "path/filepath"
+
+ "github.com/openshift/installer/pkg/asset"
+ "github.com/openshift/installer/pkg/asset/templates/content"
+)
+
+const (
+ kubeSystemSecretEtcdSignerFileName = "kube-system-secret-etcd-signer.yaml.template"
+)
+
+var _ asset.WritableAsset = (*KubeSystemSecretEtcdSigner)(nil)
+
+// KubeSystemSecretEtcdSigner is the constant to represent contents of kube-system-secret-etcd-signer.yaml.template file.
+type KubeSystemSecretEtcdSigner struct {
+ FileList []*asset.File
+}
+
+// Dependencies returns all of the dependencies directly needed by the asset
+func (t *KubeSystemSecretEtcdSigner) Dependencies() []asset.Asset {
+ return []asset.Asset{}
+}
+
+// Name returns the human-friendly name of the asset.
+func (t *KubeSystemSecretEtcdSigner) Name() string {
+ return "KubeSystemSecretEtcdSigner"
+}
+
+// Generate generates the actual files by this asset
+func (t *KubeSystemSecretEtcdSigner) Generate(parents asset.Parents) error {
+ fileName := kubeSystemSecretEtcdSignerFileName
+ data, err := content.GetBootkubeTemplate(fileName)
+ if err != nil {
+ return err
+ }
+ t.FileList = []*asset.File{
+ {
+ Filename: filepath.Join(content.TemplateDir, fileName),
+ Data: []byte(data),
+ },
+ }
+ return nil
+}
+
+// Files returns the files generated by the asset.
+func (t *KubeSystemSecretEtcdSigner) Files() []*asset.File {
+ return t.FileList
+}
+
+// Load returns the asset from disk.
+func (t *KubeSystemSecretEtcdSigner) Load(f asset.FileFetcher) (bool, error) {
+ file, err := f.FetchByName(filepath.Join(content.TemplateDir, kubeSystemSecretEtcdSignerFileName))
+ if err != nil {
+ if os.IsNotExist(err) {
+ return false, nil
+ }
+ return false, err
+ }
+ t.FileList = []*asset.File{file}
+ return true, nil
+}
diff --git a/pkg/asset/templates/content/bootkube/pull.go b/pkg/asset/templates/content/bootkube/pull.go
index ba6627b032e..381a4de78ec 100644
--- a/pkg/asset/templates/content/bootkube/pull.go
+++ b/pkg/asset/templates/content/bootkube/pull.go
@@ -9,12 +9,12 @@ import (
 )
 const (
- pullFileName = "pull.yaml.template"
+ pullFileName = "pull.json.template"
 )
 var _ asset.WritableAsset = (*Pull)(nil)
-// Pull is the constant to represent contents of pull.yaml.template file
+// Pull is the constant to represent contents of pull.json.template file
 type Pull struct {
 FileList []*asset.File
 }