From c8c56ca64a9b6bb5a0ed7917b8dab82cb22797e6 Mon Sep 17 00:00:00 2001 From: Dalton Hubble Date: Wed, 12 Jul 2017 15:32:56 -0700 Subject: [PATCH] Update assets generation for bootkube v0.5.0 --- README.md | 2 +- assets-etcd.tf | 8 +- outputs.tf | 8 + .../bootstrap-apiserver.yaml | 2 +- resources/etcd/migrate-etcd-cluster.json | 6 +- .../bootstrap-manifests/bootstrap-etcd.yaml | 12 +- .../manifests/etcd-client-tls.yaml | 10 ++ .../manifests/etcd-member-client-tls.yaml | 10 -- .../manifests/etcd-member-peer-tls.yaml | 10 -- .../manifests/etcd-operator-client-tls.yaml | 10 -- .../experimental/manifests/etcd-operator.yaml | 2 +- .../experimental/manifests/etcd-peer-tls.yaml | 10 ++ .../manifests/etcd-server-tls.yaml | 10 ++ .../manifests/kube-apiserver-secret.yaml | 2 +- resources/manifests/kube-apiserver.yaml | 2 +- tls-etcd.tf | 150 ++++++++++-------- 16 files changed, 140 insertions(+), 114 deletions(-) create mode 100644 resources/experimental/manifests/etcd-client-tls.yaml delete mode 100644 resources/experimental/manifests/etcd-member-client-tls.yaml delete mode 100644 resources/experimental/manifests/etcd-member-peer-tls.yaml delete mode 100644 resources/experimental/manifests/etcd-operator-client-tls.yaml create mode 100644 resources/experimental/manifests/etcd-peer-tls.yaml create mode 100644 resources/experimental/manifests/etcd-server-tls.yaml diff --git a/README.md b/README.md index 598ad58..cfa0cb9 100644 --- a/README.md +++ b/README.md @@ -30,7 +30,7 @@ terraform apply ### Comparison -Render bootkube assets directly with bootkube v0.4.5. +Render bootkube assets directly with bootkube v0.5.0. #### On-host etcd diff --git a/assets-etcd.tf b/assets-etcd.tf index 29cb901..0397820 100644 --- a/assets-etcd.tf +++ b/assets-etcd.tf 
@@ -24,7 +24,7 @@ resource "template_dir" "etcd-subfolder" { } # etcd-operator deployment and etcd-service manifests -# etcd member peer, member client, and operator client secrets +# etcd client, server, and peer tls secrets resource "template_dir" "experimental-manifests" { count = "${var.experimental_self_hosted_etcd ? 1 : 0}" source_dir = "${path.module}/resources/experimental/manifests" @@ -35,9 +35,11 @@ resource "template_dir" "experimental-manifests" { # Self-hosted etcd TLS certs / keys etcd_ca_cert = "${base64encode(tls_self_signed_cert.etcd-ca.cert_pem)}" + etcd_client_cert = "${base64encode(tls_locally_signed_cert.client.cert_pem)}" + etcd_client_key = "${base64encode(tls_private_key.client.private_key_pem)}" + etcd_server_cert = "${base64encode(tls_locally_signed_cert.server.cert_pem)}" + etcd_server_key = "${base64encode(tls_private_key.server.private_key_pem)}" etcd_peer_cert = "${base64encode(tls_locally_signed_cert.peer.cert_pem)}" etcd_peer_key = "${base64encode(tls_private_key.peer.private_key_pem)}" - etcd_client_cert = "${base64encode(tls_locally_signed_cert.client.cert_pem)}" - etcd_client_key = "${base64encode(tls_private_key.client.private_key_pem)}" } } diff --git a/outputs.tf b/outputs.tf index ede18d3..0dca13e 100644 --- a/outputs.tf +++ b/outputs.tf @@ -36,6 +36,14 @@ output "etcd_client_key" { value = "${tls_private_key.client.private_key_pem}" } +output "etcd_server_cert" { + value = "${tls_locally_signed_cert.server.cert_pem}" +} + +output "etcd_server_key" { + value = "${tls_private_key.server.private_key_pem}" +} + output "etcd_peer_cert" { value = "${tls_locally_signed_cert.peer.cert_pem}" } diff --git a/resources/bootstrap-manifests/bootstrap-apiserver.yaml b/resources/bootstrap-manifests/bootstrap-apiserver.yaml index 59f2e02..ec904ce 100644 --- a/resources/bootstrap-manifests/bootstrap-apiserver.yaml +++ b/resources/bootstrap-manifests/bootstrap-apiserver.yaml 
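Review bot: The new `etcd_server_key` output in outputs.tf returns the server private key PEM without `sensitive = true`, so `terraform output` and apply logs print it in clear text; the neighbouring `etcd_peer_cert` block shows no such flag either, and whether `etcd_client_key` has one is outside the hunk. Adding `sensitive = true` inside the `etcd_server_key` block keeps the key out of console output while other modules can still read it. The key is still stored in the Terraform state either way, as with every `tls_private_key` resource, so state storage needs the same protection as the tls/ asset directory.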
@@ -18,7 +18,7 @@ spec: - --authorization-mode=RBAC - --bind-address=0.0.0.0 - --client-ca-file=/etc/kubernetes/secrets/ca.crt - - --etcd-cafile=/etc/kubernetes/secrets/etcd-ca.crt + - --etcd-cafile=/etc/kubernetes/secrets/etcd-client-ca.crt - --etcd-certfile=/etc/kubernetes/secrets/etcd-client.crt - --etcd-keyfile=/etc/kubernetes/secrets/etcd-client.key - --etcd-servers=${etcd_servers} diff --git a/resources/etcd/migrate-etcd-cluster.json b/resources/etcd/migrate-etcd-cluster.json index 7d4dae4..03577b2 100644 --- a/resources/etcd/migrate-etcd-cluster.json +++ b/resources/etcd/migrate-etcd-cluster.json @@ -26,10 +26,10 @@ "TLS": { "static": { "member": { - "peerSecret": "etcd-member-peer-tls", - "clientSecret": "etcd-member-client-tls" + "peerSecret": "etcd-peer-tls", + "serverSecret": "etcd-server-tls" }, - "operatorSecret": "etcd-operator-client-tls" + "operatorSecret": "etcd-client-tls" } } } diff --git a/resources/experimental/bootstrap-manifests/bootstrap-etcd.yaml b/resources/experimental/bootstrap-manifests/bootstrap-etcd.yaml index fc0d999..cfbd712 100644 --- a/resources/experimental/bootstrap-manifests/bootstrap-etcd.yaml +++ b/resources/experimental/bootstrap-manifests/bootstrap-etcd.yaml 
@@ -21,13 +21,13 @@ spec: - --initial-cluster-state=new - --data-dir=/var/etcd/data - --peer-client-cert-auth=true - - --peer-trusted-ca-file=/etc/kubernetes/secrets/etcdMember/peer-ca-crt.pem - - --peer-cert-file=/etc/kubernetes/secrets/etcdMember/peer-crt.pem - - --peer-key-file=/etc/kubernetes/secrets/etcdMember/peer-key.pem + - --peer-trusted-ca-file=/etc/kubernetes/secrets/etcd/peer-ca.crt + - --peer-cert-file=/etc/kubernetes/secrets/etcd/peer.crt + - --peer-key-file=/etc/kubernetes/secrets/etcd/peer.key - --client-cert-auth=true - - --trusted-ca-file=/etc/kubernetes/secrets/etcdMember/client-ca-crt.pem - - --cert-file=/etc/kubernetes/secrets/etcdMember/client-crt.pem - - --key-file=/etc/kubernetes/secrets/etcdMember/client-key.pem + - --trusted-ca-file=/etc/kubernetes/secrets/etcd/server-ca.crt + - --cert-file=/etc/kubernetes/secrets/etcd/server.crt + - --key-file=/etc/kubernetes/secrets/etcd/server.key volumeMounts: - mountPath: /etc/kubernetes/secrets name: secrets diff --git a/resources/experimental/manifests/etcd-client-tls.yaml b/resources/experimental/manifests/etcd-client-tls.yaml new file mode 100644 index 0000000..a1a421b --- /dev/null +++ b/resources/experimental/manifests/etcd-client-tls.yaml @@ -0,0 +1,10 @@ +apiVersion: v1 +kind: Secret +metadata: + name: etcd-client-tls + namespace: kube-system +type: Opaque +data: + etcd-client-ca.crt: ${etcd_ca_cert} + etcd-client.crt: ${etcd_client_cert} + etcd-client.key: ${etcd_client_key} diff --git a/resources/experimental/manifests/etcd-member-client-tls.yaml b/resources/experimental/manifests/etcd-member-client-tls.yaml deleted file mode 100644 index 4a5dcfe..0000000 --- a/resources/experimental/manifests/etcd-member-client-tls.yaml +++ /dev/null @@ -1,10 +0,0 @@ -apiVersion: v1 -kind: Secret -metadata: - name: etcd-member-client-tls - namespace: kube-system -type: Opaque -data: - client-ca-crt.pem: ${etcd_ca_cert} - client-crt.pem: ${etcd_client_cert} - client-key.pem: ${etcd_client_key} 
diff --git a/resources/experimental/manifests/etcd-member-peer-tls.yaml b/resources/experimental/manifests/etcd-member-peer-tls.yaml deleted file mode 100644 index 7de384b..0000000 --- a/resources/experimental/manifests/etcd-member-peer-tls.yaml +++ /dev/null @@ -1,10 +0,0 @@ -apiVersion: v1 -kind: Secret -metadata: - name: etcd-member-peer-tls - namespace: kube-system -type: Opaque -data: - peer-ca-crt.pem: ${etcd_ca_cert} - peer-crt.pem: ${etcd_peer_cert} - peer-key.pem: ${etcd_peer_key} diff --git a/resources/experimental/manifests/etcd-operator-client-tls.yaml b/resources/experimental/manifests/etcd-operator-client-tls.yaml deleted file mode 100644 index dcbb457..0000000 --- a/resources/experimental/manifests/etcd-operator-client-tls.yaml +++ /dev/null @@ -1,10 +0,0 @@ -apiVersion: v1 -kind: Secret -metadata: - name: etcd-operator-client-tls - namespace: kube-system -type: Opaque -data: - etcd-ca-crt.pem: ${etcd_ca_cert} - etcd-crt.pem: ${etcd_client_cert} - etcd-key.pem: ${etcd_client_key} diff --git a/resources/experimental/manifests/etcd-operator.yaml b/resources/experimental/manifests/etcd-operator.yaml index 0ac85c3..6187f5b 100644 --- a/resources/experimental/manifests/etcd-operator.yaml +++ b/resources/experimental/manifests/etcd-operator.yaml @@ -19,7 +19,7 @@ spec: spec: containers: - name: etcd-operator - image: quay.io/coreos/etcd-operator:v0.3.3 + image: quay.io/coreos/etcd-operator:v0.4.0 command: - /usr/local/bin/etcd-operator - --analytics=false diff --git a/resources/experimental/manifests/etcd-peer-tls.yaml b/resources/experimental/manifests/etcd-peer-tls.yaml new file mode 100644 index 0000000..4dcadc0 --- /dev/null +++ b/resources/experimental/manifests/etcd-peer-tls.yaml @@ -0,0 +1,10 @@ +apiVersion: v1 +kind: Secret +metadata: + name: etcd-peer-tls + namespace: kube-system +type: Opaque +data: + peer-ca.crt: ${etcd_ca_cert} + peer.crt: ${etcd_peer_cert} + peer.key: ${etcd_peer_key} 
diff --git a/resources/experimental/manifests/etcd-server-tls.yaml b/resources/experimental/manifests/etcd-server-tls.yaml new file mode 100644 index 0000000..b78391b --- /dev/null +++ b/resources/experimental/manifests/etcd-server-tls.yaml @@ -0,0 +1,10 @@ +apiVersion: v1 +kind: Secret +metadata: + name: etcd-server-tls + namespace: kube-system +type: Opaque +data: + server-ca.crt: ${etcd_ca_cert} + server.crt: ${etcd_server_cert} + server.key: ${etcd_server_key} diff --git a/resources/manifests/kube-apiserver-secret.yaml b/resources/manifests/kube-apiserver-secret.yaml index 7cce407..4ead60b 100644 --- a/resources/manifests/kube-apiserver-secret.yaml +++ b/resources/manifests/kube-apiserver-secret.yaml @@ -9,6 +9,6 @@ data: apiserver.crt: ${apiserver_cert} service-account.pub: ${serviceaccount_pub} ca.crt: ${ca_cert} - etcd-ca.crt: ${etcd_ca_cert} + etcd-client-ca.crt: ${etcd_ca_cert} etcd-client.crt: ${etcd_client_cert} etcd-client.key: ${etcd_client_key} diff --git a/resources/manifests/kube-apiserver.yaml b/resources/manifests/kube-apiserver.yaml index 10fe81c..3125381 100644 --- a/resources/manifests/kube-apiserver.yaml +++ b/resources/manifests/kube-apiserver.yaml @@ -32,7 +32,7 @@ spec: - --bind-address=0.0.0.0 - --client-ca-file=/etc/kubernetes/secrets/ca.crt - --cloud-provider=${cloud_provider} - - --etcd-cafile=/etc/kubernetes/secrets/etcd-ca.crt + - --etcd-cafile=/etc/kubernetes/secrets/etcd-client-ca.crt - --etcd-certfile=/etc/kubernetes/secrets/etcd-client.crt - --etcd-keyfile=/etc/kubernetes/secrets/etcd-client.key - --etcd-servers=${etcd_servers} diff --git a/tls-etcd.tf b/tls-etcd.tf index 6f1b8eb..e021be5 100644 --- a/tls-etcd.tf +++ b/tls-etcd.tf 
@@ -1,7 +1,7 @@
-# etcd-ca.crt
-resource "local_file" "etcd_ca_crt" {
+# etcd-client-ca.crt
+resource "local_file" "etcd_client_ca_crt" {
 content = "${tls_self_signed_cert.etcd-ca.cert_pem}"
- filename = "${var.asset_dir}/tls/etcd-ca.crt"
+ filename = "${var.asset_dir}/tls/etcd-client-ca.crt"
 }
 
 # etcd-client.crt
@@ -16,72 +16,40 @@ resource "local_file" "etcd_client_key" { filename = "${var.asset_dir}/tls/etcd-client.key" } -# etcd-peer.crt +# server-ca.crt +resource "local_file" "etcd_server_ca_crt" { + content = "${tls_self_signed_cert.etcd-ca.cert_pem}" + filename = "${var.asset_dir}/tls/etcd/server-ca.crt" +} + +# server.crt +resource "local_file" "etcd_server_crt" { + content = "${tls_locally_signed_cert.server.cert_pem}" + filename = "${var.asset_dir}/tls/etcd/server.crt" +} + +# server.key +resource "local_file" "etcd_server_key" { + content = "${tls_private_key.server.private_key_pem}" + filename = "${var.asset_dir}/tls/etcd/server.key" +} + +# peer-ca.crt +resource "local_file" "etcd_peer_ca_crt" { + content = "${tls_self_signed_cert.etcd-ca.cert_pem}" + filename = "${var.asset_dir}/tls/etcd/peer-ca.crt" +} + +# peer.crt resource "local_file" "etcd_peer_crt" { content = "${tls_locally_signed_cert.peer.cert_pem}" - filename = "${var.asset_dir}/tls/etcd-peer.crt" + filename = "${var.asset_dir}/tls/etcd/peer.crt" } -# etcd-peer.key +# peer.key resource "local_file" "etcd_peer_key" { content = "${tls_private_key.peer.private_key_pem}" - filename = "${var.asset_dir}/tls/etcd-peer.key" -} - -# add certs / keys for self-hosted etcd - -# operator/etcd-ca-crt.pem -resource "local_file" "etcd_operator_ca_crt" { - content = "${tls_self_signed_cert.etcd-ca.cert_pem}" - filename = "${var.asset_dir}/tls/operator/etcd-ca-crt.pem" -} - -# operator/etcd-crt.pem -resource "local_file" "etcd_operator_client_crt" { - content = "${tls_locally_signed_cert.client.cert_pem}" - filename = "${var.asset_dir}/tls/operator/etcd-crt.pem" -} - -# operator/etcd-key.pem -resource "local_file" "etcd_operator_client_key" { - content = "${tls_private_key.client.private_key_pem}" - filename = "${var.asset_dir}/tls/operator/etcd-key.pem" -} - -# etcdMember/client-ca-crt.pem -resource "local_file" "etcd_member_client_ca_crt" { - content = "${tls_self_signed_cert.etcd-ca.cert_pem}" - filename = 
"${var.asset_dir}/tls/etcdMember/client-ca-crt.pem" -} - -# etcdMember/client-crt.pem -resource "local_file" "etcd_member_client_crt" { - content = "${tls_locally_signed_cert.client.cert_pem}" - filename = "${var.asset_dir}/tls/etcdMember/client-crt.pem" -} - -# etcdMember/client-key.pem -resource "local_file" "etcd_member_client_key" { - content = "${tls_private_key.client.private_key_pem}" - filename = "${var.asset_dir}/tls/etcdMember/client-key.pem" -} - -# etcdMember/peer-ca-crt.pem -resource "local_file" "etcd_member_peer_ca_crt" { - content = "${tls_self_signed_cert.etcd-ca.cert_pem}" - filename = "${var.asset_dir}/tls/etcdMember/peer-ca-crt.pem" -} - -# etcdMember/peer-crt.pem -resource "local_file" "etcd_member_peer_crt" { - content = "${tls_locally_signed_cert.peer.cert_pem}" - filename = "${var.asset_dir}/tls/etcdMember/peer-crt.pem" -} - -# etcdMember/peer-key.pem -resource "local_file" "etcd_member_peer_key" { - content = "${tls_private_key.peer.private_key_pem}" - filename = "${var.asset_dir}/tls/etcdMember/peer-key.pem" + filename = "${var.asset_dir}/tls/etcd/peer.key" } # certificates and keys @@ -110,6 +78,8 @@ resource "tls_self_signed_cert" "etcd-ca" { ] } +# client certs are used for client (apiserver, locksmith, etcd-operator) +# to etcd communication resource "tls_private_key" "client" { algorithm = "RSA" rsa_bits = "2048" 
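Review bot: `etcd_server_ca_crt` and `etcd_peer_ca_crt` both write `tls_self_signed_cert.etcd-ca.cert_pem`, so `server-ca.crt`, `peer-ca.crt` and the `etcd-client-ca.crt` from the first hunk are one root under three names; bootstrap-etcd.yaml hands one to `--trusted-ca-file` and another to `--peer-trusted-ca-file`, so any certificate this CA issues, client, server or peer, satisfies both client and peer cert auth. That is a deliberate simplification, but it should be stated where the copies are written, e.g. above `etcd_server_ca_crt`: `# server-ca.crt and peer-ca.crt are copies of the single etcd CA: client, server and peer certs share one trust root, so a client cert also passes peer auth`. Separating the peer CA would be the change that actually isolates the roles and is beyond this commit. This hunk begins on the previous line, and its last removed `filename =` line is split across the two physical lines.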
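Review bot: The added comment documents that a single `client` key pair is the etcd identity of the apiserver, locksmith and etcd-operator, and the manifests confirm it (etcd-client-tls.yaml and kube-apiserver-secret.yaml both embed `${etcd_client_cert}` and `${etcd_client_key}`). With one identity etcd cannot tell these callers apart, and whichever component can read its Secret gets etcd access equal to the others'. The comment should say so, e.g. `# one shared identity: etcd cannot distinguish these callers; issue per-component client certs if that matters`, and a follow-up could issue a separate `tls_private_key`/`tls_locally_signed_cert` pair per consumer.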
@@ -156,6 +126,52 @@ resource "tls_locally_signed_cert" "client" { ] } +resource "tls_private_key" "server" { + algorithm = "RSA" + rsa_bits = "2048" +} + +resource "tls_cert_request" "server" { + key_algorithm = "${tls_private_key.server.algorithm}" + private_key_pem = "${tls_private_key.server.private_key_pem}" + + subject { + common_name = "etcd-server" + organization = "etcd" + } + + ip_addresses = [ + "127.0.0.1", + "${cidrhost(var.service_cidr, 15)}", + "${cidrhost(var.service_cidr, 20)}", + ] + + dns_names = "${concat( + var.etcd_servers, + list( + "localhost", + "*.kube-etcd.kube-system.svc.cluster.local", + "kube-etcd-client.kube-system.svc.cluster.local", + ))}" +} + +resource "tls_locally_signed_cert" "server" { + cert_request_pem = "${tls_cert_request.server.cert_request_pem}" + + ca_key_algorithm = "${join(" ", tls_self_signed_cert.etcd-ca.*.key_algorithm)}" + ca_private_key_pem = "${join(" ", tls_private_key.etcd-ca.*.private_key_pem)}" + ca_cert_pem = "${join(" ", tls_self_signed_cert.etcd-ca.*.cert_pem)}" + + validity_period_hours = 8760 + + allowed_uses = [ + "key_encipherment", + "digital_signature", + "server_auth", + "client_auth", + ] +} + resource "tls_private_key" "peer" { algorithm = "RSA" rsa_bits = "2048" @@ -170,16 +186,16 @@ resource "tls_cert_request" "peer" { organization = "etcd" } + ip_addresses = [ + "${cidrhost(var.service_cidr, 20)}" + ] + dns_names = "${concat( var.etcd_servers, list( "*.kube-etcd.kube-system.svc.cluster.local", "kube-etcd-client.kube-system.svc.cluster.local", ))}" - - ip_addresses = [ - "${cidrhost(var.service_cidr, 20)}" - ] } resource "tls_locally_signed_cert" "peer" {
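Review bot: `tls_locally_signed_cert.server` lists both `server_auth` and `client_auth` in `allowed_uses`, so the server key pair is also a valid client certificate toward any etcd that trusts this CA (bootstrap-etcd.yaml runs with `--client-cert-auth=true`). If no component presents `server.crt` as a client certificate, dropping `"client_auth"` keeps that key a server-only identity; if etcd-operator needs it for this secret, a one-line comment saying so will stop the next reader from removing it. The SAN list in `tls_cert_request.server` also hard-codes `cidrhost(var.service_cidr, 15)` and `cidrhost(var.service_cidr, 20)` without naming the services those addresses belong to; a comment or named variable per address would make the certificate's scope auditable. The `@@ -170` hunk only moves `ip_addresses` above `dns_names` in the peer request and needs no change.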