Merge pull request openshift#3293 from crawford/tnc-tls

modules/tectonic/resources: add TNC key/cert pair
wking · Jun 14, 2018 · 16a1bf8 · 16a1bf8
2 parents 0a559ce + 37f29a5
commit 16a1bf8
Show file tree

Hide file tree

Showing 17 changed files with 162 additions and 0 deletions.
diff --git a/modules/ignition/variables.tf b/modules/ignition/variables.tf
@@ -75,3 +75,13 @@ variable "etcd_ca_cert_pem" {
   type        = "string"
   description = "The etcd kube CA certificate in PEM format."
 }
+
+variable "tnc_cert_pem" {
+  type        = "string"
+  description = "The TNC certificate in PEM format."
+}
+
+variable "tnc_key_pem" {
+  type        = "string"
+  description = "The TNC key in PEM format."
+}
diff --git a/modules/tectonic/manifests.tf b/modules/tectonic/manifests.tf
@@ -13,6 +13,7 @@ variable "manifest_names" {
     "rbac/role-user.yaml",
     "secrets/ca-cert.yaml",
     "secrets/ingress-tls.yaml",
+    "secrets/tnc-tls.yaml",
     "secrets/license.json",
     "secrets/pull.json",
     "security/priviledged-scc-tectonic.yaml",
@@ -73,6 +74,9 @@ data "template_file" "manifest_file_list" {
     ingress_tls_key         = "${base64encode(var.ingress_key_pem)}"
     ingress_tls_bundle      = "${base64encode(var.ingress_bundle_pem)}"
 
+    tnc_tls_cert = "${base64encode(var.tnc_cert_pem)}"
+    tnc_tls_key  = "${base64encode(var.tnc_key_pem)}"
+
     platform = "${var.platform}"
   }
 }

diff --git a/modules/tectonic/resources/manifests/secrets/tnc-tls.yaml b/modules/tectonic/resources/manifests/secrets/tnc-tls.yaml
@@ -0,0 +1,9 @@
+apiVersion: v1
+kind: Secret
+metadata:
+  name: tectonic-node-controller-tls
+  namespace: kube-system
+type: Opaque
+data:
+  tls.crt: ${tnc_tls_cert}
+  tls.key: ${tnc_tls_key}
diff --git a/modules/tectonic/resources/tectonic.sh b/modules/tectonic/resources/tectonic.sh
@@ -144,6 +144,7 @@ echo "Creating Tectonic Secrets"
 kubectl create -f secrets/pull.json
 kubectl create -f secrets/license.json
 kubectl create -f secrets/ingress-tls.yaml
+kubectl create -f secrets/tnc-tls.yaml
 kubectl create -f secrets/ca-cert.yaml
 kubectl create -f ingress/pull.json
 

diff --git a/modules/tectonic/variables.tf b/modules/tectonic/variables.tf
@@ -70,3 +70,11 @@ variable "ingress_key_pem" {
 variable "ingress_bundle_pem" {
   type = "string"
 }
+
+variable "tnc_cert_pem" {
+  type = "string"
+}
+
+variable "tnc_key_pem" {
+  type = "string"
+}
diff --git a/modules/tls/ca/assets.tf b/modules/tls/ca/assets.tf
@@ -3,6 +3,11 @@ resource "local_file" "root_ca_cert" {
   filename = "./generated/tls/root-ca.crt"
 }
 
+resource "local_file" "root_ca_key" {
+  content  = "${var.root_ca_key_pem_path == "" ? join("", tls_private_key.root_ca.*.private_key_pem) : file(local._root_ca_key_pem_path )}"
+  filename = "./generated/tls/root-ca.key"
+}
+
 resource "local_file" "kube_ca_key" {
   content  = "${var.kube_ca_key_pem_path == "" ? join("", tls_private_key.kube_ca.*.private_key_pem) : file(local._kube_ca_key_pem_path)}"
   filename = "./generated/tls/kube-ca.key"

diff --git a/modules/tls/ca/outputs.tf b/modules/tls/ca/outputs.tf
@@ -2,6 +2,14 @@ output "root_ca_cert_pem" {
   value = "${var.root_ca_cert_pem_path == "" ? join("", tls_self_signed_cert.root_ca.*.cert_pem) : file(local._root_ca_cert_pem_path)}"
 }
 
+output "root_ca_key_alg" {
+  value = "${var.root_ca_key_alg == "" ? join("", tls_self_signed_cert.root_ca.*.key_algorithm) : var.root_ca_key_alg}"
+}
+
+output "root_ca_key_pem" {
+  value = "${var.root_ca_key_pem_path == "" ? join("", tls_private_key.root_ca.*.private_key_pem) : file(local._root_ca_key_pem_path)}"
+}
+
 output "kube_ca_cert_pem" {
   value = "${var.kube_ca_cert_pem_path == "" ? join("", tls_locally_signed_cert.kube_ca.*.cert_pem) : file(local._kube_ca_cert_pem_path)}"
 }
@@ -54,6 +62,7 @@ output "id" {
   value = "${sha1("
   ${join(" ",
     list(local_file.root_ca_cert.id,
+    local_file.root_ca_key.id,
     local_file.kube_ca_key.id,
     local_file.kube_ca_cert.id,
     local_file.aggregator_ca_key.id,

diff --git a/modules/tls/tnc/assets.tf b/modules/tls/tnc/assets.tf
@@ -0,0 +1,9 @@
+resource "local_file" "tnc_cert" {
+  content  = "${tls_locally_signed_cert.tnc.cert_pem}"
+  filename = "./generated/tls/tnc.crt"
+}
+
+resource "local_file" "tnc_key" {
+  content  = "${tls_private_key.tnc.private_key_pem}"
+  filename = "./generated/tls/tnc.key"
+}
diff --git a/modules/tls/tnc/main.tf b/modules/tls/tnc/main.tf
@@ -0,0 +1,31 @@
+# These are used for Ignition-to-TNC communication
+resource "tls_private_key" "tnc" {
+  algorithm = "RSA"
+  rsa_bits  = "2048"
+}
+
+resource "tls_cert_request" "tnc" {
+  key_algorithm   = "${tls_private_key.tnc.algorithm}"
+  private_key_pem = "${tls_private_key.tnc.private_key_pem}"
+
+  subject {
+    common_name = "${var.domain}"
+  }
+
+  dns_names = [
+    "${var.domain}",
+  ]
+}
+
+resource "tls_locally_signed_cert" "tnc" {
+  cert_request_pem = "${tls_cert_request.tnc.cert_request_pem}"
+
+  ca_key_algorithm      = "${var.ca_key_alg}"
+  ca_private_key_pem    = "${var.ca_key_pem}"
+  ca_cert_pem           = "${var.ca_cert_pem}"
+  validity_period_hours = "26280"
+
+  allowed_uses = [
+    "server_auth",
+  ]
+}
diff --git a/modules/tls/tnc/outputs.tf b/modules/tls/tnc/outputs.tf
@@ -0,0 +1,16 @@
+output "tnc_cert_pem" {
+  value = "${tls_locally_signed_cert.tnc.cert_pem}"
+}
+
+output "tnc_key_pem" {
+  value = "${tls_private_key.tnc.private_key_pem}"
+}
+
+output "id" {
+  value = "${sha1("
+  ${join(" ",
+    list(local_file.tnc_cert.id,
+    local_file.tnc_key.id)
+    )}
+  ")}"
+}
diff --git a/modules/tls/tnc/variables.tf b/modules/tls/tnc/variables.tf
@@ -0,0 +1,15 @@
+variable "domain" {
+  type = "string"
+}
+
+variable "ca_cert_pem" {
+  type = "string"
+}
+
+variable "ca_key_alg" {
+  type = "string"
+}
+
+variable "ca_key_pem" {
+  type = "string"
+}
diff --git a/steps/assets/base/ignition-bootstrap.tf b/steps/assets/base/ignition-bootstrap.tf
@@ -12,6 +12,8 @@ module "ignition_bootstrap" {
   kubelet_debug_config = "${var.tectonic_kubelet_debug_config}"
   kubelet_node_label   = "node-role.kubernetes.io/master"
   kubelet_node_taints  = "node-role.kubernetes.io/master=:NoSchedule"
+  tnc_cert_pem         = "${local.tnc_cert_pem}"
+  tnc_key_pem          = "${local.tnc_key_pem}"
 }
 
 # The cluster configs written by the install binary external to Terraform.

diff --git a/steps/assets/base/ignition-tls.tf b/steps/assets/base/ignition-tls.tf
@@ -231,6 +231,28 @@ data "ignition_file" "kubelet_cert" {
   path = "/opt/tectonic/tls/kubelet.crt"
 }
 
+data "ignition_file" "tnc_key" {
+  filesystem = "root"
+  mode       = "0644"
+
+  content {
+    content = "${local.tnc_key_pem}"
+  }
+
+  path = "/opt/tectonic/tls/tnc.key"
+}
+
+data "ignition_file" "tnc_cert" {
+  filesystem = "root"
+  mode       = "0644"
+
+  content {
+    content = "${local.tnc_cert_pem}"
+  }
+
+  path = "/opt/tectonic/tls/tnc.crt"
+}
+
 locals {
   ca_certs_ignition_file_id_list = [
     "${data.ignition_file.root_ca_cert.id}",
@@ -261,4 +283,9 @@ locals {
     "${data.ignition_file.kubelet_key.id}",
     "${data.ignition_file.kubelet_cert.id}",
   ]
+
+  tnc_certs_ignition_file_id_list = [
+    "${data.ignition_file.tnc_key.id}",
+    "${data.ignition_file.tnc_cert.id}",
+  ]
 }
diff --git a/steps/assets/base/inputs.tf b/steps/assets/base/inputs.tf
@@ -23,6 +23,8 @@ locals {
   kube_ca_key_pem              = "${file("${local.tls_path}/kube-ca.key")}"
   kubelet_cert_pem             = "${file("${local.tls_path}/kubelet.crt")}"
   kubelet_key_pem              = "${file("${local.tls_path}/kubelet.key")}"
+  tnc_cert_pem                 = "${file("${local.tls_path}/tnc.crt")}"
+  tnc_key_pem                  = "${file("${local.tls_path}/tnc.key")}"
   oidc_ca_cert                 = "${file("${local.tls_path}/ingress-ca.crt")}"
   root_ca_cert_pem             = "${file("${local.tls_path}/root-ca.crt")}"
 }
diff --git a/steps/assets/base/outputs.tf b/steps/assets/base/outputs.tf
@@ -20,6 +20,7 @@ output "ignition_bootstrap_files" {
     local.ca_certs_ignition_file_id_list,
     local.etcd_certs_ignition_file_id_list,
     local.kube_certs_ignition_file_id_list,
+    local.tnc_certs_ignition_file_id_list,
    )))}"]
 }
 

diff --git a/steps/assets/base/tectonic.tf b/steps/assets/base/tectonic.tf
@@ -68,6 +68,9 @@ module "tectonic" {
   ingress_key_pem     = "${local.ingress_key_pem}"
   ingress_bundle_pem  = "${join("", list(local.ingress_cert_pem, local.ingress_key_pem, local.ingress_ca_cert_pem))}"
 
+  tnc_cert_pem = "${local.tnc_cert_pem}"
+  tnc_key_pem  = "${local.tnc_key_pem}"
+
   platform     = "${var.tectonic_platform}"
   ingress_kind = "${var.ingress_kind}"
 }
diff --git a/steps/tls/main.tf b/steps/tls/main.tf
@@ -1,6 +1,7 @@
 locals {
   api_internal_fqdn     = "${var.tectonic_cluster_name}-api.${var.tectonic_base_domain}"
   ingress_internal_fqdn = "${var.tectonic_cluster_name}.${var.tectonic_base_domain}"
+  tnc_fqdn              = "${var.tectonic_cluster_name}-tnc.${var.tectonic_base_domain}"
 }
 
 module "ca_certs" {
@@ -43,3 +44,12 @@ module "ingress_certs" {
   ca_key_alg   = "${module.ca_certs.kube_ca_key_alg}"
   ca_key_pem   = "${module.ca_certs.kube_ca_key_pem}"
 }
+
+module "tnc_certs" {
+  source = "../../modules/tls/tnc"
+
+  domain      = "${local.tnc_fqdn}"
+  ca_cert_pem = "${module.ca_certs.root_ca_cert_pem}"
+  ca_key_alg  = "${module.ca_certs.root_ca_key_alg}"
+  ca_key_pem  = "${module.ca_certs.root_ca_key_pem}"
+}