data,asset/templates: create configmaps and secrets to store etcd CA …

…and certs in the cluster

The CA are stored as configmap for the purpose of establishing trust.

The CAs and client certs are stored as secrets for use inside the cluster.

data/data/manifests/bootkube/kube-system-configmap-etcd-ca-bundle.yaml.template

@@ -0,0 +1,8 @@
+apiVersion: v1
+kind: ConfigMap
+metadata:
+  name: etcd-ca-bundle
+  namespace: kube-system
+data:
+  ca-bundle.crt: |
+    {{.EtcdCaBundle | indent 4}}

data/data/manifests/bootkube/kube-system-secret-etcd-client-ca-deprecated.yaml.template

@@ -0,0 +1,9 @@
+apiVersion: v1
+kind: Secret
+metadata:
+  name: etcd-client-ca-deprecated
+  namespace: kube-system
+type: SecretTypeTLS
+data:
+  tls.crt: {{ .EtcdClientCaCert }}
+  tls.key: {{ .EtcdClientCaKey }}

data/data/manifests/bootkube/kube-system-secret-etcd-signer-client.yaml.template

@@ -0,0 +1,9 @@
+apiVersion: v1
+kind: Secret
+metadata:
+  name: etcd-signer-client
+  namespace: kube-system
+type: SecretTypeTLS
+data:
+  tls.crt: {{ .EtcdSignerClientCert }}
+  tls.key: {{ .EtcdSignerClientKey }}

data/data/manifests/bootkube/kube-system-secret-etcd-signer.yaml.template

@@ -0,0 +1,9 @@
+apiVersion: v1
+kind: Secret
+metadata:
+  name: etcd-signer
+  namespace: kube-system
+type: SecretTypeTLS
+data:
+  tls.crt: {{ .EtcdSignerCert }}
+  tls.key: {{ .EtcdSignerKey }}

pkg/asset/templates/content/bootkube/kube-system-configmap-etcd-ca-bundle.go

@@ -0,0 +1,64 @@
+package bootkube
+
+import (
+	"os"
+	"path/filepath"
+
+	"github.com/openshift/installer/pkg/asset"
+	"github.com/openshift/installer/pkg/asset/templates/content"
+)
+
+const (
+	kubeSystemConfigmapEtcdCAFileName = "kube-system-configmap-etcd-ca-bundle.yaml.template"
+)
+
+var _ asset.WritableAsset = (*KubeSystemConfigmapEtcdCA)(nil)
+
+// KubeSystemConfigmapEtcdCA is the constant to represent contents of kube-system-configmap-etcd-ca-bundle.yaml.template file.
+type KubeSystemConfigmapEtcdCA struct {
+	FileList []*asset.File
+}
+
+// Dependencies returns all of the dependencies directly needed by the asset
+func (t *KubeSystemConfigmapEtcdCA) Dependencies() []asset.Asset {
+	return []asset.Asset{}
+}
+
+// Name returns the human-friendly name of the asset.
+func (t *KubeSystemConfigmapEtcdCA) Name() string {
+	return "KubeSystemConfigmapEtcdCA"
+}
+
+// Generate generates the actual files by this asset
+func (t *KubeSystemConfigmapEtcdCA) Generate(parents asset.Parents) error {
+	fileName := kubeSystemConfigmapEtcdCAFileName
+	data, err := content.GetBootkubeTemplate(fileName)
+	if err != nil {
+		return err
+	}
+	t.FileList = []*asset.File{
+		{
+			Filename: filepath.Join(content.TemplateDir, fileName),
+			Data:     []byte(data),
+		},
+	}
+	return nil
+}
+
+// Files returns the files generated by the asset.
+func (t *KubeSystemConfigmapEtcdCA) Files() []*asset.File {
+	return t.FileList
+}
+
+// Load returns the asset from disk.
+func (t *KubeSystemConfigmapEtcdCA) Load(f asset.FileFetcher) (bool, error) {
+	file, err := f.FetchByName(filepath.Join(content.TemplateDir, kubeSystemConfigmapEtcdCAFileName))
+	if err != nil {
+		if os.IsNotExist(err) {
+			return false, nil
+		}
+		return false, err
+	}
+	t.FileList = []*asset.File{file}
+	return true, nil
+}

pkg/asset/templates/content/bootkube/kube-system-secret-etcd-client-ca-deprecated.go

@@ -0,0 +1,64 @@
+package bootkube
+
+import (
+	"os"
+	"path/filepath"
+
+	"github.com/openshift/installer/pkg/asset"
+	"github.com/openshift/installer/pkg/asset/templates/content"
+)
+
+const (
+	kubeSystemSecretEtcdClientCADeprecatedFileName = "kube-system-secret-etcd-client-ca-deprecated.yaml.template"
+)
+
+var _ asset.WritableAsset = (*KubeSystemSecretEtcdClientCADeprecated)(nil)
+
+// KubeSystemSecretEtcdClientCADeprecated is the constant to represent contents of kube-system-secret-etcd-client-ca-deprecated.yaml.template file.
+type KubeSystemSecretEtcdClientCADeprecated struct {
+	FileList []*asset.File
+}
+
+// Dependencies returns all of the dependencies directly needed by the asset
+func (t *KubeSystemSecretEtcdClientCADeprecated) Dependencies() []asset.Asset {
+	return []asset.Asset{}
+}
+
+// Name returns the human-friendly name of the asset.
+func (t *KubeSystemSecretEtcdClientCADeprecated) Name() string {
+	return "KubeSystemSecretEtcdClientCADeprecated"
+}
+
+// Generate generates the actual files by this asset
+func (t *KubeSystemSecretEtcdClientCADeprecated) Generate(parents asset.Parents) error {
+	fileName := kubeSystemSecretEtcdClientCADeprecatedFileName
+	data, err := content.GetBootkubeTemplate(fileName)
+	if err != nil {
+		return err
+	}
+	t.FileList = []*asset.File{
+		{
+			Filename: filepath.Join(content.TemplateDir, fileName),
+			Data:     []byte(data),
+		},
+	}
+	return nil
+}
+
+// Files returns the files generated by the asset.
+func (t *KubeSystemSecretEtcdClientCADeprecated) Files() []*asset.File {
+	return t.FileList
+}
+
+// Load returns the asset from disk.
+func (t *KubeSystemSecretEtcdClientCADeprecated) Load(f asset.FileFetcher) (bool, error) {
+	file, err := f.FetchByName(filepath.Join(content.TemplateDir, kubeSystemSecretEtcdClientCADeprecatedFileName))
+	if err != nil {
+		if os.IsNotExist(err) {
+			return false, nil
+		}
+		return false, err
+	}
+	t.FileList = []*asset.File{file}
+	return true, nil
+}

pkg/asset/templates/content/bootkube/kube-system-secret-etcd-signer-client.go

@@ -0,0 +1,64 @@
+package bootkube
+
+import (
+	"os"
+	"path/filepath"
+
+	"github.com/openshift/installer/pkg/asset"
+	"github.com/openshift/installer/pkg/asset/templates/content"
+)
+
+const (
+	kubeSystemSecretEtcdSignerClientFileName = "kube-system-secret-etcd-signer-client.yaml.template"
+)
+
+var _ asset.WritableAsset = (*KubeSystemSecretEtcdSignerClient)(nil)
+
+// KubeSystemSecretEtcdSignerClient is the constant to represent contents of kube-system-secret-etcd-signer-client.yaml.template file.
+type KubeSystemSecretEtcdSignerClient struct {
+	FileList []*asset.File
+}
+
+// Dependencies returns all of the dependencies directly needed by the asset
+func (t *KubeSystemSecretEtcdSignerClient) Dependencies() []asset.Asset {
+	return []asset.Asset{}
+}
+
+// Name returns the human-friendly name of the asset.
+func (t *KubeSystemSecretEtcdSignerClient) Name() string {
+	return "KubeSystemSecretEtcdSignerClient"
+}
+
+// Generate generates the actual files by this asset
+func (t *KubeSystemSecretEtcdSignerClient) Generate(parents asset.Parents) error {
+	fileName := kubeSystemSecretEtcdSignerClientFileName
+	data, err := content.GetBootkubeTemplate(fileName)
+	if err != nil {
+		return err
+	}
+	t.FileList = []*asset.File{
+		{
+			Filename: filepath.Join(content.TemplateDir, fileName),
+			Data:     []byte(data),
+		},
+	}
+	return nil
+}
+
+// Files returns the files generated by the asset.
+func (t *KubeSystemSecretEtcdSignerClient) Files() []*asset.File {
+	return t.FileList
+}
+
+// Load returns the asset from disk.
+func (t *KubeSystemSecretEtcdSignerClient) Load(f asset.FileFetcher) (bool, error) {
+	file, err := f.FetchByName(filepath.Join(content.TemplateDir, kubeSystemSecretEtcdSignerClientFileName))
+	if err != nil {
+		if os.IsNotExist(err) {
+			return false, nil
+		}
+		return false, err
+	}
+	t.FileList = []*asset.File{file}
+	return true, nil
+}

pkg/asset/templates/content/bootkube/kube-system-secret-etcd-signer.go

@@ -0,0 +1,64 @@
+package bootkube
+
+import (
+	"os"
+	"path/filepath"
+
+	"github.com/openshift/installer/pkg/asset"
+	"github.com/openshift/installer/pkg/asset/templates/content"
+)
+
+const (
+	kubeSystemSecretEtcdSignerFileName = "kube-system-secret-etcd-signer.yaml.template"
+)
+
+var _ asset.WritableAsset = (*KubeSystemSecretEtcdSigner)(nil)
+
+// KubeSystemSecretEtcdSigner is the constant to represent contents of kube-system-secret-etcd-signer.yaml.template file.
+type KubeSystemSecretEtcdSigner struct {
+	FileList []*asset.File
+}
+
+// Dependencies returns all of the dependencies directly needed by the asset
+func (t *KubeSystemSecretEtcdSigner) Dependencies() []asset.Asset {
+	return []asset.Asset{}
+}
+
+// Name returns the human-friendly name of the asset.
+func (t *KubeSystemSecretEtcdSigner) Name() string {
+	return "KubeSystemSecretEtcdSigner"
+}
+
+// Generate generates the actual files by this asset
+func (t *KubeSystemSecretEtcdSigner) Generate(parents asset.Parents) error {
+	fileName := kubeSystemSecretEtcdSignerFileName
+	data, err := content.GetBootkubeTemplate(fileName)
+	if err != nil {
+		return err
+	}
+	t.FileList = []*asset.File{
+		{
+			Filename: filepath.Join(content.TemplateDir, fileName),
+			Data:     []byte(data),
+		},
+	}
+	return nil
+}
+
+// Files returns the files generated by the asset.
+func (t *KubeSystemSecretEtcdSigner) Files() []*asset.File {
+	return t.FileList
+}
+
+// Load returns the asset from disk.
+func (t *KubeSystemSecretEtcdSigner) Load(f asset.FileFetcher) (bool, error) {
+	file, err := f.FetchByName(filepath.Join(content.TemplateDir, kubeSystemSecretEtcdSignerFileName))
+	if err != nil {
+		if os.IsNotExist(err) {
+			return false, nil
+		}
+		return false, err
+	}
+	t.FileList = []*asset.File{file}
+	return true, nil
+}