Enable hairpin mode on cbr0 in kube-flannel-cfg

Update assets generation for bootkube v0.5.0

LICENSE

@@ -0,0 +1,21 @@
+The MIT License (MIT)
+
+Copyright (c) 2017 Dalton Hubble
+
+Permission is hereby granted, free of charge, to any person obtaining a copy
+of this software and associated documentation files (the "Software"), to deal
+in the Software without restriction, including without limitation the rights
+to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+copies of the Software, and to permit persons to whom the Software is
+furnished to do so, subject to the following conditions:
+
+The above copyright notice and this permission notice shall be included in
+all copies or substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN
+THE SOFTWARE.

README.md

@@ -30,7 +30,7 @@ terraform apply
 
 ### Comparison
 
-Render bootkube assets directly with bootkube v0.4.5.
+Render bootkube assets directly with bootkube v0.6.1.
 
 #### On-host etcd
 

assets-etcd.tf

@@ -24,7 +24,7 @@ resource "template_dir" "etcd-subfolder" {
 }
 
 # etcd-operator deployment and etcd-service manifests
-# etcd member peer, member client, and operator client secrets
+# etcd client, server, and peer tls secrets
 resource "template_dir" "experimental-manifests" {
   count      = "${var.experimental_self_hosted_etcd ? 1 : 0}"
   source_dir      = "${path.module}/resources/experimental/manifests"
@@ -35,9 +35,11 @@ resource "template_dir" "experimental-manifests" {
 
     # Self-hosted etcd TLS certs / keys
     etcd_ca_cert = "${base64encode(tls_self_signed_cert.etcd-ca.cert_pem)}"
+    etcd_client_cert = "${base64encode(tls_locally_signed_cert.client.cert_pem)}"
+    etcd_client_key = "${base64encode(tls_private_key.client.private_key_pem)}"
+    etcd_server_cert = "${base64encode(tls_locally_signed_cert.server.cert_pem)}"
+    etcd_server_key = "${base64encode(tls_private_key.server.private_key_pem)}"
     etcd_peer_cert = "${base64encode(tls_locally_signed_cert.peer.cert_pem)}"
     etcd_peer_key = "${base64encode(tls_private_key.peer.private_key_pem)}"
-    etcd_client_cert = "${base64encode(tls_locally_signed_cert.client.cert_pem)}"
-    etcd_client_key = "${base64encode(tls_private_key.client.private_key_pem)}" 
   }
 }

outputs.tf

@@ -36,6 +36,14 @@ output "etcd_client_key" {
   value = "${tls_private_key.client.private_key_pem}"
 }
 
+output "etcd_server_cert" {
+  value = "${tls_locally_signed_cert.server.cert_pem}"
+}
+
+output "etcd_server_key" {
+  value = "${tls_private_key.server.private_key_pem}"
+}
+
 output "etcd_peer_cert" {
   value = "${tls_locally_signed_cert.peer.cert_pem}"
 }

resources/bootstrap-manifests/bootstrap-apiserver.yaml

@@ -18,9 +18,10 @@ spec:
     - --authorization-mode=RBAC
     - --bind-address=0.0.0.0
     - --client-ca-file=/etc/kubernetes/secrets/ca.crt
-    - --etcd-cafile=/etc/kubernetes/secrets/etcd-ca.crt 
+    - --etcd-cafile=/etc/kubernetes/secrets/etcd-client-ca.crt
     - --etcd-certfile=/etc/kubernetes/secrets/etcd-client.crt
     - --etcd-keyfile=/etc/kubernetes/secrets/etcd-client.key
+    - --etcd-quorum-read=true
     - --etcd-servers=${etcd_servers}
     - --insecure-port=0
     - --kubelet-client-certificate=/etc/kubernetes/secrets/apiserver.crt

resources/etcd/migrate-etcd-cluster.json

@@ -26,10 +26,10 @@
     "TLS": {
       "static": {
         "member": {
-          "peerSecret": "etcd-member-peer-tls",
-          "clientSecret": "etcd-member-client-tls"
+          "peerSecret": "etcd-peer-tls",
+          "serverSecret": "etcd-server-tls"
         },
-        "operatorSecret": "etcd-operator-client-tls"
+        "operatorSecret": "etcd-client-tls"
       }
     }
   }

resources/experimental/bootstrap-manifests/bootstrap-etcd.yaml

@@ -21,13 +21,13 @@ spec:
     - --initial-cluster-state=new
     - --data-dir=/var/etcd/data
     - --peer-client-cert-auth=true
-    - --peer-trusted-ca-file=/etc/kubernetes/secrets/etcdMember/peer-ca-crt.pem
-    - --peer-cert-file=/etc/kubernetes/secrets/etcdMember/peer-crt.pem
-    - --peer-key-file=/etc/kubernetes/secrets/etcdMember/peer-key.pem
+    - --peer-trusted-ca-file=/etc/kubernetes/secrets/etcd/peer-ca.crt
+    - --peer-cert-file=/etc/kubernetes/secrets/etcd/peer.crt
+    - --peer-key-file=/etc/kubernetes/secrets/etcd/peer.key
     - --client-cert-auth=true
-    - --trusted-ca-file=/etc/kubernetes/secrets/etcdMember/client-ca-crt.pem
-    - --cert-file=/etc/kubernetes/secrets/etcdMember/client-crt.pem
-    - --key-file=/etc/kubernetes/secrets/etcdMember/client-key.pem
+    - --trusted-ca-file=/etc/kubernetes/secrets/etcd/server-ca.crt
+    - --cert-file=/etc/kubernetes/secrets/etcd/server.crt
+    - --key-file=/etc/kubernetes/secrets/etcd/server.key
     volumeMounts:
       - mountPath: /etc/kubernetes/secrets
         name: secrets

resources/experimental/manifests/etcd-client-tls.yaml

@@ -0,0 +1,10 @@
+apiVersion: v1
+kind: Secret
+metadata:
+  name: etcd-client-tls
+  namespace: kube-system
+type: Opaque
+data:
+  etcd-client-ca.crt: ${etcd_ca_cert}
+  etcd-client.crt: ${etcd_client_cert}
+  etcd-client.key: ${etcd_client_key}

resources/experimental/manifests/etcd-member-client-tls.yaml

@@ -1,10 +0,0 @@
-apiVersion: v1
-kind: Secret
-metadata:
-  name: etcd-member-client-tls
-  namespace: kube-system
-type: Opaque
-data:
-  client-ca-crt.pem: ${etcd_ca_cert}
-  client-crt.pem: ${etcd_client_cert}
-  client-key.pem: ${etcd_client_key}

resources/experimental/manifests/etcd-member-peer-tls.yaml

@@ -1,10 +0,0 @@
-apiVersion: v1
-kind: Secret
-metadata:
-  name: etcd-member-peer-tls
-  namespace: kube-system
-type: Opaque
-data:
-  peer-ca-crt.pem: ${etcd_ca_cert}
-  peer-crt.pem: ${etcd_peer_cert}
-  peer-key.pem: ${etcd_peer_key}

resources/experimental/manifests/etcd-operator-client-tls.yaml

@@ -1,10 +0,0 @@
-apiVersion: v1
-kind: Secret
-metadata:
-  name: etcd-operator-client-tls
-  namespace: kube-system
-type: Opaque
-data:
-  etcd-ca-crt.pem: ${etcd_ca_cert}
-  etcd-crt.pem: ${etcd_client_cert}
-  etcd-key.pem: ${etcd_client_key}

resources/experimental/manifests/etcd-operator.yaml

@@ -19,7 +19,7 @@ spec:
     spec:
       containers:
       - name: etcd-operator
-        image: quay.io/coreos/etcd-operator:v0.3.3
+        image: quay.io/coreos/etcd-operator:v0.4.2
         command:
           - /usr/local/bin/etcd-operator
           - --analytics=false

resources/experimental/manifests/etcd-peer-tls.yaml

@@ -0,0 +1,10 @@
+apiVersion: v1
+kind: Secret
+metadata:
+  name: etcd-peer-tls
+  namespace: kube-system
+type: Opaque
+data:
+  peer-ca.crt: ${etcd_ca_cert}
+  peer.crt: ${etcd_peer_cert}
+  peer.key: ${etcd_peer_key}

resources/experimental/manifests/etcd-server-tls.yaml

@@ -0,0 +1,10 @@
+apiVersion: v1
+kind: Secret
+metadata:
+  name: etcd-server-tls
+  namespace: kube-system
+type: Opaque
+data:
+  server-ca.crt: ${etcd_ca_cert}
+  server.crt: ${etcd_server_cert}
+  server.key: ${etcd_server_key}

resources/experimental/manifests/etcd-service.yaml

@@ -3,6 +3,10 @@ kind: Service
 metadata:
   name: etcd-service
   namespace: kube-system
+  # This alpha annotation will retain the endpoints even if the etcd pod isn't ready.
+  # This feature is always enabled in endpoint controller in k8s even it is alpha.
+  annotations:
+    service.alpha.kubernetes.io/tolerate-unready-endpoints: "true"
 spec:
   selector:
     app: etcd

resources/manifests/kube-apiserver-secret.yaml

@@ -9,6 +9,6 @@ data:
   apiserver.crt: ${apiserver_cert}
   service-account.pub: ${serviceaccount_pub}
   ca.crt: ${ca_cert}
-  etcd-ca.crt: ${etcd_ca_cert}
+  etcd-client-ca.crt: ${etcd_ca_cert}
   etcd-client.crt: ${etcd_client_cert}
   etcd-client.key: ${etcd_client_key}

resources/manifests/kube-apiserver.yaml

@@ -32,9 +32,10 @@ spec:
         - --bind-address=0.0.0.0
         - --client-ca-file=/etc/kubernetes/secrets/ca.crt
         - --cloud-provider=${cloud_provider}
-        - --etcd-cafile=/etc/kubernetes/secrets/etcd-ca.crt 
+        - --etcd-cafile=/etc/kubernetes/secrets/etcd-client-ca.crt
         - --etcd-certfile=/etc/kubernetes/secrets/etcd-client.crt
         - --etcd-keyfile=/etc/kubernetes/secrets/etcd-client.key
+        - --etcd-quorum-read=true
         - --etcd-servers=${etcd_servers}
         - --insecure-port=0
         - --kubelet-client-certificate=/etc/kubernetes/secrets/apiserver.crt

resources/manifests/kube-controller-manager.yaml

@@ -30,7 +30,7 @@ spec:
                 - key: k8s-app
                   operator: In
                   values:
-                  - kube-contoller-manager
+                  - kube-controller-manager
               topologyKey: kubernetes.io/hostname
       containers:
       - name: kube-controller-manager

resources/manifests/kube-dns-deployment.yaml

@@ -6,6 +6,7 @@ metadata:
   labels:
     k8s-app: kube-dns
     kubernetes.io/cluster-service: "true"
+    addonmanager.kubernetes.io/mode: Reconcile
 spec:
   # replicas: not specified here:
   # 1. In order to make Addon Manager do not reconcile this replicas parameter.
@@ -25,9 +26,22 @@ spec:
       annotations:
         scheduler.alpha.kubernetes.io/critical-pod: ''
     spec:
+      nodeSelector:
+        node-role.kubernetes.io/master: ""
+      tolerations:
+      - key: "CriticalAddonsOnly"
+        operator: "Exists"
+      - key: node-role.kubernetes.io/master
+        operator: Exists
+        effect: NoSchedule
+      volumes:
+      - name: kube-dns-config
+        configMap:
+          name: kube-dns
+          optional: true
       containers:
       - name: kubedns
-        image: gcr.io/google_containers/k8s-dns-kube-dns-amd64:1.14.1
+        image: gcr.io/google_containers/k8s-dns-kube-dns-amd64:1.14.4
         resources:
           # TODO: Set memory limits when we've profiled the container for large
           # clusters, then set request = limit to keep this container in
@@ -78,7 +92,7 @@ spec:
         - name: kube-dns-config
           mountPath: /kube-dns-config
       - name: dnsmasq
-        image: gcr.io/google_containers/k8s-dns-dnsmasq-nanny-amd64:1.14.1
+        image: gcr.io/google_containers/k8s-dns-dnsmasq-nanny-amd64:1.14.4
         livenessProbe:
           httpGet:
             path: /healthcheck/dnsmasq
@@ -116,7 +130,7 @@ spec:
         - name: kube-dns-config
           mountPath: /etc/k8s/dns/dnsmasq-nanny
       - name: sidecar
-        image: gcr.io/google_containers/k8s-dns-sidecar-amd64:1.14.1
+        image: gcr.io/google_containers/k8s-dns-sidecar-amd64:1.14.4
         livenessProbe:
           httpGet:
             path: /metrics
@@ -140,16 +154,3 @@ spec:
             memory: 20Mi
             cpu: 10m
       dnsPolicy: Default  # Don't use cluster DNS.
-      nodeSelector:
-        node-role.kubernetes.io/master: ""
-      tolerations:
-      - key: CriticalAddonsOnly
-        operator: Exists
-      - key: node-role.kubernetes.io/master
-        operator: Exists
-        effect: NoSchedule
-      volumes:
-      - name: kube-dns-config
-        configMap:
-          name: kube-dns
-          optional: true

resources/manifests/kube-etcd-network-checkpointer.yaml

@@ -16,7 +16,7 @@ spec:
         checkpointer.alpha.coreos.com/checkpoint: "true"
     spec:
       containers:
-      - image: quay.io/coreos/kenc:8f6e2e885f790030fbbb0496ea2a2d8830e58b8f
+      - image: quay.io/coreos/kenc:0.0.2
         name: kube-etcd-network-checkpointer
         securityContext:
           privileged: true

resources/manifests/kube-flannel-cfg.yaml

@@ -12,7 +12,8 @@ data:
       "name": "cbr0",
       "type": "flannel",
       "delegate": {
-        "isDefaultGateway": true
+        "isDefaultGateway": true,
+        "hairpinMode": true
       }
     }
   net-conf.json: |

resources/manifests/kube-flannel.yaml

@@ -15,7 +15,7 @@ spec:
     spec:
       containers:
       - name: kube-flannel
-        image: quay.io/coreos/flannel:v0.7.1-amd64
+        image: quay.io/coreos/flannel:v0.8.0-amd64
         command: [ "/opt/bin/flanneld", "--ip-masq", "--kube-subnet-mgr", "--iface=$(POD_IP)"]
         securityContext:
           privileged: true

tls-etcd.tf

@@ -1,7 +1,7 @@
-# etcd-ca.crt
-resource "local_file" "etcd_ca_crt" {
+# etcd-client-ca.crt
+resource "local_file" "etcd_client_ca_crt" {
   content  = "${tls_self_signed_cert.etcd-ca.cert_pem}"
-  filename = "${var.asset_dir}/tls/etcd-ca.crt"
+  filename = "${var.asset_dir}/tls/etcd-client-ca.crt"
 }
 
 # etcd-client.crt
@@ -16,72 +16,40 @@ resource "local_file" "etcd_client_key" {
   filename = "${var.asset_dir}/tls/etcd-client.key"
 }
 
-# etcd-peer.crt
+# server-ca.crt
+resource "local_file" "etcd_server_ca_crt" {
+  content  = "${tls_self_signed_cert.etcd-ca.cert_pem}"
+  filename = "${var.asset_dir}/tls/etcd/server-ca.crt"
+}
+
+# server.crt
+resource "local_file" "etcd_server_crt" {
+  content  = "${tls_locally_signed_cert.server.cert_pem}"
+  filename = "${var.asset_dir}/tls/etcd/server.crt"
+}
+
+# server.key
+resource "local_file" "etcd_server_key" {
+  content  = "${tls_private_key.server.private_key_pem}"
+  filename = "${var.asset_dir}/tls/etcd/server.key"
+}
+
+# peer-ca.crt
+resource "local_file" "etcd_peer_ca_crt" {
+  content  = "${tls_self_signed_cert.etcd-ca.cert_pem}"
+  filename = "${var.asset_dir}/tls/etcd/peer-ca.crt"
+}
+
+# peer.crt
 resource "local_file" "etcd_peer_crt" {
   content  = "${tls_locally_signed_cert.peer.cert_pem}"
-  filename = "${var.asset_dir}/tls/etcd-peer.crt"
+  filename = "${var.asset_dir}/tls/etcd/peer.crt"
 }
 
-# etcd-peer.key
+# peer.key
 resource "local_file" "etcd_peer_key" {
   content  = "${tls_private_key.peer.private_key_pem}"
-  filename = "${var.asset_dir}/tls/etcd-peer.key"
-}
-
-# add certs / keys for self-hosted etcd
-
-# operator/etcd-ca-crt.pem
-resource "local_file" "etcd_operator_ca_crt" {
-  content  = "${tls_self_signed_cert.etcd-ca.cert_pem}"
-  filename = "${var.asset_dir}/tls/operator/etcd-ca-crt.pem"
-}
-
-# operator/etcd-crt.pem
-resource "local_file" "etcd_operator_client_crt" {
-  content  = "${tls_locally_signed_cert.client.cert_pem}"
-  filename = "${var.asset_dir}/tls/operator/etcd-crt.pem"
-}
-
-# operator/etcd-key.pem
-resource "local_file" "etcd_operator_client_key" {
-  content  = "${tls_private_key.client.private_key_pem}"
-  filename = "${var.asset_dir}/tls/operator/etcd-key.pem"
-}
-
-# etcdMember/client-ca-crt.pem
-resource "local_file" "etcd_member_client_ca_crt" {
-  content  = "${tls_self_signed_cert.etcd-ca.cert_pem}"
-  filename = "${var.asset_dir}/tls/etcdMember/client-ca-crt.pem"
-}
-
-# etcdMember/client-crt.pem
-resource "local_file" "etcd_member_client_crt" {
-  content  = "${tls_locally_signed_cert.client.cert_pem}"
-  filename = "${var.asset_dir}/tls/etcdMember/client-crt.pem"
-}
-
-# etcdMember/client-key.pem
-resource "local_file" "etcd_member_client_key" {
-  content  = "${tls_private_key.client.private_key_pem}"
-  filename = "${var.asset_dir}/tls/etcdMember/client-key.pem"
-}
-
-# etcdMember/peer-ca-crt.pem
-resource "local_file" "etcd_member_peer_ca_crt" {
-  content  = "${tls_self_signed_cert.etcd-ca.cert_pem}"
-  filename = "${var.asset_dir}/tls/etcdMember/peer-ca-crt.pem"
-}
-
-# etcdMember/peer-crt.pem
-resource "local_file" "etcd_member_peer_crt" {
-  content  = "${tls_locally_signed_cert.peer.cert_pem}"
-  filename = "${var.asset_dir}/tls/etcdMember/peer-crt.pem"
-}
-
-# etcdMember/peer-key.pem
-resource "local_file" "etcd_member_peer_key" {
-  content  = "${tls_private_key.peer.private_key_pem}"
-  filename = "${var.asset_dir}/tls/etcdMember/peer-key.pem"
+  filename = "${var.asset_dir}/tls/etcd/peer.key"
 }
 
 # certificates and keys
@@ -110,6 +78,8 @@ resource "tls_self_signed_cert" "etcd-ca" {
   ]
 }
 
+# client certs are used for client (apiserver, locksmith, etcd-operator)
+# to etcd communication
 resource "tls_private_key" "client" {
   algorithm = "RSA"
   rsa_bits  = "2048"
@@ -156,6 +126,52 @@ resource "tls_locally_signed_cert" "client" {
   ]
 }
 
+resource "tls_private_key" "server" {
+  algorithm = "RSA"
+  rsa_bits  = "2048"
+}
+
+resource "tls_cert_request" "server" {
+  key_algorithm   = "${tls_private_key.server.algorithm}"
+  private_key_pem = "${tls_private_key.server.private_key_pem}"
+
+  subject {
+    common_name  = "etcd-server"
+    organization = "etcd"
+  }
+  
+  ip_addresses = [
+    "127.0.0.1",
+    "${cidrhost(var.service_cidr, 15)}",
+    "${cidrhost(var.service_cidr, 20)}",
+  ]
+
+  dns_names = "${concat(
+    var.etcd_servers,
+    list(
+      "localhost",
+      "*.kube-etcd.kube-system.svc.cluster.local",
+      "kube-etcd-client.kube-system.svc.cluster.local",
+    ))}"
+}
+
+resource "tls_locally_signed_cert" "server" {
+  cert_request_pem = "${tls_cert_request.server.cert_request_pem}"
+
+  ca_key_algorithm   = "${join(" ", tls_self_signed_cert.etcd-ca.*.key_algorithm)}"
+  ca_private_key_pem = "${join(" ", tls_private_key.etcd-ca.*.private_key_pem)}"
+  ca_cert_pem        = "${join(" ", tls_self_signed_cert.etcd-ca.*.cert_pem)}"
+
+  validity_period_hours = 8760
+
+  allowed_uses = [
+    "key_encipherment",
+    "digital_signature",
+    "server_auth",
+    "client_auth",
+  ]
+}
+
 resource "tls_private_key" "peer" {
   algorithm = "RSA"
   rsa_bits  = "2048"
@@ -170,16 +186,16 @@ resource "tls_cert_request" "peer" {
     organization = "etcd"
   }
   
+  ip_addresses = [
+    "${cidrhost(var.service_cidr, 20)}"
+  ]
+  
   dns_names = "${concat(
     var.etcd_servers,
     list(
       "*.kube-etcd.kube-system.svc.cluster.local",
       "kube-etcd-client.kube-system.svc.cluster.local",
     ))}"
-
-  ip_addresses = [
-    "${cidrhost(var.service_cidr, 20)}"
-  ]
 }
 
 resource "tls_locally_signed_cert" "peer" {

variables.tf

@@ -50,7 +50,7 @@ variable "container_images" {
   type        = "map"
 
   default = {
-    hyperkube = "quay.io/coreos/hyperkube:v1.6.6_coreos.1"
+    hyperkube = "quay.io/coreos/hyperkube:v1.7.3_coreos.0"
     etcd      = "quay.io/coreos/etcd:v3.1.8"
   }
 }