selfHostedEtcd: autogen certs from CA cert

Author: hongchaodeng

cmd/bootkube/render.go

@@ -99,9 +99,6 @@ func validateRenderOpts(cmd *cobra.Command, args []string) error {
 	if (renderOpts.etcdCAPath != "" || renderOpts.etcdCertificatePath != "" || renderOpts.etcdPrivateKeyPath != "") && (renderOpts.etcdCAPath == "" || renderOpts.etcdCertificatePath == "" || renderOpts.etcdPrivateKeyPath == "") {
 		return errors.New("You must specify either all or none of --etcd-ca-path, --etcd-certificate-path, and --etcd-private-key-path")
 	}
-	if renderOpts.etcdCertificatePath != "" && renderOpts.selfHostedEtcd {
-		return errors.New("Cannot specify --etcd-certificate-path with --experimental-self-hosted-etcd")
-	}
 	if renderOpts.assetDir == "" {
 		return errors.New("Missing required flag: --asset-dir")
 	}

pkg/asset/asset.go

@@ -15,48 +15,57 @@ import (
 )
 
 const (
-	AssetPathSecrets                     = "tls"
-	AssetPathCAKey                       = "tls/ca.key"
-	AssetPathCACert                      = "tls/ca.crt"
-	AssetPathAPIServerKey                = "tls/apiserver.key"
-	AssetPathAPIServerCert               = "tls/apiserver.crt"
-	AssetPathEtcdCA                      = "tls/etcd-ca.crt"
-	AssetPathEtcdClientCert              = "tls/etcd-client.crt"
-	AssetPathEtcdClientKey               = "tls/etcd-client.key"
-	AssetPathEtcdPeerCert                = "tls/etcd-peer.crt"
-	AssetPathEtcdPeerKey                 = "tls/etcd-peer.key"
-	AssetPathServiceAccountPrivKey       = "tls/service-account.key"
-	AssetPathServiceAccountPubKey        = "tls/service-account.pub"
-	AssetPathKubeletKey                  = "tls/kubelet.key"
-	AssetPathKubeletCert                 = "tls/kubelet.crt"
-	AssetPathKubeConfig                  = "auth/kubeconfig"
-	AssetPathManifests                   = "manifests"
-	AssetPathKubelet                     = "manifests/kubelet.yaml"
-	AssetPathProxy                       = "manifests/kube-proxy.yaml"
-	AssetPathKubeFlannel                 = "manifests/kube-flannel.yaml"
-	AssetPathKubeFlannelCfg              = "manifests/kube-flannel-cfg.yaml"
-	AssetPathAPIServerSecret             = "manifests/kube-apiserver-secret.yaml"
-	AssetPathAPIServer                   = "manifests/kube-apiserver.yaml"
-	AssetPathControllerManager           = "manifests/kube-controller-manager.yaml"
-	AssetPathControllerManagerSecret     = "manifests/kube-controller-manager-secret.yaml"
-	AssetPathControllerManagerDisruption = "manifests/kube-controller-manager-disruption.yaml"
-	AssetPathScheduler                   = "manifests/kube-scheduler.yaml"
-	AssetPathSchedulerDisruption         = "manifests/kube-scheduler-disruption.yaml"
-	AssetPathKubeDNSDeployment           = "manifests/kube-dns-deployment.yaml"
-	AssetPathKubeDNSSvc                  = "manifests/kube-dns-svc.yaml"
-	AssetPathSystemNamespace             = "manifests/kube-system-ns.yaml"
-	AssetPathCheckpointer                = "manifests/pod-checkpointer.yaml"
-	AssetPathEtcdOperator                = "manifests/etcd-operator.yaml"
-	AssetPathEtcdSvc                     = "manifests/etcd-service.yaml"
-	AssetPathKenc                        = "manifests/kube-etcd-network-checkpointer.yaml"
-	AssetPathKubeSystemSARoleBinding     = "manifests/kube-system-rbac-role-binding.yaml"
-	AssetPathBootstrapManifests          = "bootstrap-manifests"
-	AssetPathBootstrapAPIServer          = "bootstrap-manifests/bootstrap-apiserver.yaml"
-	AssetPathBootstrapControllerManager  = "bootstrap-manifests/bootstrap-controller-manager.yaml"
-	AssetPathBootstrapScheduler          = "bootstrap-manifests/bootstrap-scheduler.yaml"
-	AssetPathBootstrapEtcd               = "bootstrap-manifests/bootstrap-etcd.yaml"
-	AssetPathBootstrapEtcdService        = "etcd/bootstrap-etcd-service.json"
-	AssetPathMigrateEtcdCluster          = "etcd/migrate-etcd-cluster.json"
+	AssetPathSecrets                        = "tls"
+	AssetPathCAKey                          = "tls/ca.key"
+	AssetPathCACert                         = "tls/ca.crt"
+	AssetPathAPIServerKey                   = "tls/apiserver.key"
+	AssetPathAPIServerCert                  = "tls/apiserver.crt"
+	AssetPathEtcdCA                         = "tls/etcd-ca.crt"
+	AssetPathEtcdClientCert                 = "tls/etcd-client.crt"
+	AssetPathEtcdClientKey                  = "tls/etcd-client.key"
+	AssetPathEtcdPeerCert                   = "tls/etcd-peer.crt"
+	AssetPathEtcdPeerKey                    = "tls/etcd-peer.key"
+	AssetPathSelfHostedOperatorEtcdCA       = "tls/operator/etcd-ca-crt.pem"
+	AssetPathSelfHostedOperatorEtcdCert     = "tls/operator/etcd-crt.pem"
+	AssetPathSelfHostedOperatorEtcdKey      = "tls/operator/etcd-key.pem"
+	AssetPathSelfHostedEtcdMemberClientCA   = "tls/etcdMember/client-ca-crt.pem"
+	AssetPathSelfHostedEtcdMemberClientCert = "tls/etcdMember/client-crt.pem"
+	AssetPathSelfHostedEtcdMemberClientKey  = "tls/etcdMember/client-key.pem"
+	AssetPathSelfHostedEtcdMemberPeerCA     = "tls/etcdMember/peer-ca-crt.pem"
+	AssetPathSelfHostedEtcdMemberPeerCert   = "tls/etcdMember/peer-crt.pem"
+	AssetPathSelfHostedEtcdMemberPeerKey    = "tls/etcdMember/peer-key.pem"
+	AssetPathServiceAccountPrivKey          = "tls/service-account.key"
+	AssetPathServiceAccountPubKey           = "tls/service-account.pub"
+	AssetPathKubeletKey                     = "tls/kubelet.key"
+	AssetPathKubeletCert                    = "tls/kubelet.crt"
+	AssetPathKubeConfig                     = "auth/kubeconfig"
+	AssetPathManifests                      = "manifests"
+	AssetPathKubelet                        = "manifests/kubelet.yaml"
+	AssetPathProxy                          = "manifests/kube-proxy.yaml"
+	AssetPathKubeFlannel                    = "manifests/kube-flannel.yaml"
+	AssetPathKubeFlannelCfg                 = "manifests/kube-flannel-cfg.yaml"
+	AssetPathAPIServerSecret                = "manifests/kube-apiserver-secret.yaml"
+	AssetPathAPIServer                      = "manifests/kube-apiserver.yaml"
+	AssetPathControllerManager              = "manifests/kube-controller-manager.yaml"
+	AssetPathControllerManagerSecret        = "manifests/kube-controller-manager-secret.yaml"
+	AssetPathControllerManagerDisruption    = "manifests/kube-controller-manager-disruption.yaml"
+	AssetPathScheduler                      = "manifests/kube-scheduler.yaml"
+	AssetPathSchedulerDisruption            = "manifests/kube-scheduler-disruption.yaml"
+	AssetPathKubeDNSDeployment              = "manifests/kube-dns-deployment.yaml"
+	AssetPathKubeDNSSvc                     = "manifests/kube-dns-svc.yaml"
+	AssetPathSystemNamespace                = "manifests/kube-system-ns.yaml"
+	AssetPathCheckpointer                   = "manifests/pod-checkpointer.yaml"
+	AssetPathEtcdOperator                   = "manifests/etcd-operator.yaml"
+	AssetPathEtcdSvc                        = "manifests/etcd-service.yaml"
+	AssetPathKenc                           = "manifests/kube-etcd-network-checkpointer.yaml"
+	AssetPathKubeSystemSARoleBinding        = "manifests/kube-system-rbac-role-binding.yaml"
+	AssetPathBootstrapManifests             = "bootstrap-manifests"
+	AssetPathBootstrapAPIServer             = "bootstrap-manifests/bootstrap-apiserver.yaml"
+	AssetPathBootstrapControllerManager     = "bootstrap-manifests/bootstrap-controller-manager.yaml"
+	AssetPathBootstrapScheduler             = "bootstrap-manifests/bootstrap-scheduler.yaml"
+	AssetPathBootstrapEtcd                  = "bootstrap-manifests/bootstrap-etcd.yaml"
+	AssetPathBootstrapEtcdService           = "etcd/bootstrap-etcd-service.json"
+	AssetPathMigrateEtcdCluster             = "etcd/migrate-etcd-cluster.json"
 )
 
 var (
@@ -133,11 +142,19 @@ func NewDefaultAssets(conf Config) (Assets, error) {
 
 	// etcd TLS assets.
 	if conf.EtcdUseTLS {
-		etcdTLSAssets, err := newEtcdTLSAssets(conf.EtcdCACert, conf.EtcdClientCert, conf.EtcdClientKey, conf.CACert, conf.CAPrivKey, conf.EtcdServers)
-		if err != nil {
-			return Assets{}, err
+		if conf.SelfHostedEtcd {
+			tlsAssets, err := newSelfHostedEtcdTLSAssets(conf.EtcdServiceIP.String(), conf.BootEtcdServiceIP.String(), conf.CACert, conf.CAPrivKey)
+			if err != nil {
+				return nil, err
+			}
+			as = append(as, tlsAssets...)
+		} else {
+			etcdTLSAssets, err := newEtcdTLSAssets(conf.EtcdCACert, conf.EtcdClientCert, conf.EtcdClientKey, conf.CACert, conf.CAPrivKey, conf.EtcdServers)
+			if err != nil {
+				return Assets{}, err
+			}
+			as = append(as, etcdTLSAssets...)
 		}
-		as = append(as, etcdTLSAssets...)
 	}
 
 	// K8S kubeconfig

pkg/asset/tls.go

@@ -148,14 +148,78 @@ func newEtcdTLSAssets(etcdCACert, etcdClientCert *x509.Certificate, etcdClientKe
 	return assets, nil
 }
 
+func newSelfHostedEtcdTLSAssets(etcdSvcIP, bootEtcdSvcIP string, caCert *x509.Certificate, caPrivKey *rsa.PrivateKey) (Assets, error) {
+	// TODO: This method uses tlsutil.NewSignedCertificate() which will create certs for both client and server auth.
+	//       We can limit on finer granularity.
+
+	var assets []Asset
+
+	key, cert, err := newKeyAndCert(caCert, caPrivKey, "etcd member client", []string{
+		etcdSvcIP,
+		bootEtcdSvcIP,
+		"127.0.0.1",
+		"localhost",
+		"*.kube-etcd.kube-system.svc.cluster.local",
+		"kube-etcd-client.kube-system.svc.cluster.local",
+	})
+	if err != nil {
+		return nil, err
+	}
+	assets = append(assets, []Asset{
+		{Name: AssetPathSelfHostedEtcdMemberClientCA, Data: tlsutil.EncodeCertificatePEM(caCert)},
+		{Name: AssetPathSelfHostedEtcdMemberClientKey, Data: tlsutil.EncodePrivateKeyPEM(key)},
+		{Name: AssetPathSelfHostedEtcdMemberClientCert, Data: tlsutil.EncodeCertificatePEM(cert)},
+	}...)
+
+	key, cert, err = newKeyAndCert(caCert, caPrivKey, "etcd member peer", []string{
+		bootEtcdSvcIP,
+		"*.kube-etcd.kube-system.svc.cluster.local",
+		"kube-etcd-client.kube-system.svc.cluster.local",
+	})
+	if err != nil {
+		return nil, err
+	}
+	assets = append(assets, []Asset{
+		{Name: AssetPathSelfHostedEtcdMemberPeerCA, Data: tlsutil.EncodeCertificatePEM(caCert)},
+		{Name: AssetPathSelfHostedEtcdMemberPeerKey, Data: tlsutil.EncodePrivateKeyPEM(key)},
+		{Name: AssetPathSelfHostedEtcdMemberPeerCert, Data: tlsutil.EncodeCertificatePEM(cert)},
+	}...)
+
+	key, cert, err = newKeyAndCert(caCert, caPrivKey, "operator etcd client", nil)
+	if err != nil {
+		return nil, err
+	}
+	assets = append(assets, []Asset{
+		{Name: AssetPathSelfHostedOperatorEtcdCA, Data: tlsutil.EncodeCertificatePEM(caCert)},
+		{Name: AssetPathSelfHostedOperatorEtcdKey, Data: tlsutil.EncodePrivateKeyPEM(key)},
+		{Name: AssetPathSelfHostedOperatorEtcdCert, Data: tlsutil.EncodeCertificatePEM(cert)},
+	}...)
+	// for APIServer
+	assets = append(assets, []Asset{
+		{Name: AssetPathEtcdCA, Data: tlsutil.EncodeCertificatePEM(caCert)},
+		{Name: AssetPathEtcdClientKey, Data: tlsutil.EncodePrivateKeyPEM(key)},
+		{Name: AssetPathEtcdClientCert, Data: tlsutil.EncodeCertificatePEM(cert)},
+	}...)
+
+	return assets, nil
+}
+
 func newEtcdKeyAndCert(caCert *x509.Certificate, caPrivKey *rsa.PrivateKey, commonName string, etcdServers []*url.URL) (*rsa.PrivateKey, *x509.Certificate, error) {
+	addrs := make([]string, len(etcdServers))
+	for i := range etcdServers {
+		addrs[i] = etcdServers[i].Host
+	}
+	return newKeyAndCert(caCert, caPrivKey, commonName, addrs)
+}
+
+func newKeyAndCert(caCert *x509.Certificate, caPrivKey *rsa.PrivateKey, commonName string, addrs []string) (*rsa.PrivateKey, *x509.Certificate, error) {
 	key, err := tlsutil.NewPrivateKey()
 	if err != nil {
 		return nil, nil, err
 	}
 	var altNames tlsutil.AltNames
-	for _, etcdServer := range etcdServers {
-		hostname := stripPort(etcdServer.Host)
+	for _, addr := range addrs {
+		hostname := stripPort(addr)
 		if ip := net.ParseIP(hostname); ip != nil {
 			altNames.IPs = append(altNames.IPs, ip)
 		} else {