Merge pull request #586 from hongchaodeng/f

SHE: autogen secrets containing etcd tls assets

Author: hongchaodeng

pkg/asset/asset.go

@@ -56,6 +56,9 @@ const (
 	AssetPathSystemNamespace                = "manifests/kube-system-ns.yaml"
 	AssetPathCheckpointer                   = "manifests/pod-checkpointer.yaml"
 	AssetPathEtcdOperator                   = "manifests/etcd-operator.yaml"
+	AssetPathSelfHostedEtcdOperatorSecret   = "manifests/etcd-operator-client-tls.yaml"
+	AssetPathSelfHostedEtcdMemberPeerSecret = "manifests/etcd-member-peer-tls.yaml"
+	AssetPathSelfHostedEtcdMemberCliSecret  = "manifests/etcd-member-client-tls.yaml"
 	AssetPathEtcdSvc                        = "manifests/etcd-service.yaml"
 	AssetPathKenc                           = "manifests/kube-etcd-network-checkpointer.yaml"
 	AssetPathKubeSystemSARoleBinding        = "manifests/kube-system-rbac-role-binding.yaml"
@@ -148,6 +151,12 @@ func NewDefaultAssets(conf Config) (Assets, error) {
 				return nil, err
 			}
 			as = append(as, tlsAssets...)
+
+			secretAssets, err := newSelfHostedEtcdSecretAssets(as)
+			if err != nil {
+				return nil, err
+			}
+			as = append(as, secretAssets...)
 		} else {
 			etcdTLSAssets, err := newEtcdTLSAssets(conf.EtcdCACert, conf.EtcdClientCert, conf.EtcdClientKey, conf.CACert, conf.CAPrivKey, conf.EtcdServers)
 			if err != nil {

pkg/asset/k8s.go

@@ -15,9 +15,12 @@ const (
 	// The name of the k8s service that selects self-hosted etcd pods
 	EtcdServiceName = "etcd-service"
 
-	secretNamespace     = "kube-system"
-	secretAPIServerName = "kube-apiserver"
-	secretCMName        = "kube-controller-manager"
+	secretNamespace      = "kube-system"
+	secretAPIServerName  = "kube-apiserver"
+	secretCMName         = "kube-controller-manager"
+	secretEtcdMemberPeer = "etcd-member-peer-tls"
+	secretEtcdMemberCli  = "etcd-member-client-tls"
+	secretEtcdOperator   = "etcd-operator-client-tls"
 )
 
 type staticConfig struct {
@@ -96,6 +99,42 @@ func newKubeConfigAsset(assets Assets, conf Config) (Asset, error) {
 	})
 }
 
+func newSelfHostedEtcdSecretAssets(assets Assets) (Assets, error) {
+	var res Assets
+
+	secretYAML, err := secretFromAssets(secretEtcdMemberPeer, secretNamespace, []string{
+		AssetPathSelfHostedEtcdMemberPeerCA,
+		AssetPathSelfHostedEtcdMemberPeerCert,
+		AssetPathSelfHostedEtcdMemberPeerKey,
+	}, assets)
+	if err != nil {
+		return nil, err
+	}
+	res = append(res, Asset{Name: AssetPathSelfHostedEtcdMemberPeerSecret, Data: secretYAML})
+
+	secretYAML, err = secretFromAssets(secretEtcdMemberCli, secretNamespace, []string{
+		AssetPathSelfHostedEtcdMemberClientCA,
+		AssetPathSelfHostedEtcdMemberClientCert,
+		AssetPathSelfHostedEtcdMemberClientKey,
+	}, assets)
+	if err != nil {
+		return nil, err
+	}
+	res = append(res, Asset{Name: AssetPathSelfHostedEtcdMemberCliSecret, Data: secretYAML})
+
+	secretYAML, err = secretFromAssets(secretEtcdOperator, secretNamespace, []string{
+		AssetPathSelfHostedOperatorEtcdCA,
+		AssetPathSelfHostedOperatorEtcdCert,
+		AssetPathSelfHostedOperatorEtcdKey,
+	}, assets)
+	if err != nil {
+		return nil, err
+	}
+	res = append(res, Asset{Name: AssetPathSelfHostedEtcdOperatorSecret, Data: secretYAML})
+
+	return res, nil
+}
+
 func newAPIServerSecretAsset(assets Assets, etcdUseTLS bool) (Asset, error) {
 	secretAssets := []string{
 		AssetPathAPIServerKey,