Merge pull request #592 from hongchaodeng/t

selfHostedEtcd: enable TLS

Author: xiang90

cmd/bootkube/render.go

@@ -18,13 +18,12 @@ import (
 )
 
 const (
-	apiOffset                    = 1
-	dnsOffset                    = 10
-	etcdOffset                   = 15
-	bootEtcdOffset               = 20
-	defaultServiceBaseIP         = "10.3.0.0"
-	defaultEtcdServers           = "https://127.0.0.1:2379"
-	defaultSelfHostedEtcdServers = "http://127.0.0.1:2379"
+	apiOffset            = 1
+	dnsOffset            = 10
+	etcdOffset           = 15
+	bootEtcdOffset       = 20
+	defaultServiceBaseIP = "10.3.0.0"
+	defaultEtcdServers   = "https://127.0.0.1:2379"
 )
 
 var (
@@ -176,13 +175,13 @@ func flagsToAssetConfig() (c *asset.Config, err error) {
 
 	var etcdServers []*url.URL
 	if renderOpts.selfHostedEtcd {
-		etcdServerUrl, err := url.Parse(fmt.Sprintf("http://%s:2379", etcdServiceIP))
+		etcdServerUrl, err := url.Parse(fmt.Sprintf("https://%s:2379", etcdServiceIP))
 		if err != nil {
 			return nil, err
 		}
 		etcdServers = append(etcdServers, etcdServerUrl)
-		if renderOpts.etcdServers != defaultSelfHostedEtcdServers {
-			bootkube.UserOutput("--experimental-self-hosted-etcd and --service-cidr set. Overriding --etcd-servers setting with %s\n", etcdServers)
+		if renderOpts.etcdServers != defaultEtcdServers {
+			bootkube.UserOutput("--experimental-self-hosted-etcd and --service-cidr set. Overriding --etcd-servers setting (%s) with (%s) \n", etcdServers, defaultEtcdServers)
 		}
 	} else {
 		etcdServers, err = parseURLs(renderOpts.etcdServers)

pkg/asset/internal/templates.go

@@ -250,7 +250,7 @@ spec:
     - --etcd-certfile=/etc/kubernetes/secrets/etcd-client.crt
     - --etcd-keyfile=/etc/kubernetes/secrets/etcd-client.key
 {{- end }}
-    - --etcd-servers={{ range $i, $e := .EtcdServers }}{{ if $i }},{{end}}{{ $e }}{{end}}{{ if .SelfHostedEtcd }},http://127.0.0.1:12379{{end}}
+    - --etcd-servers={{ range $i, $e := .EtcdServers }}{{ if $i }},{{end}}{{ $e }}{{end}}{{ if .SelfHostedEtcd }},https://127.0.0.1:12379{{end}}
     - --insecure-port=0
     - --kubelet-client-certificate=/etc/kubernetes/secrets/apiserver.crt
     - --kubelet-client-key=/etc/kubernetes/secrets/apiserver.key
@@ -955,14 +955,30 @@ spec:
     command:
     - /usr/local/bin/etcd
     - --name=boot-etcd
-    - --listen-client-urls=http://0.0.0.0:12379
-    - --listen-peer-urls=http://0.0.0.0:12380
-    - --advertise-client-urls=http://{{ .BootEtcdServiceIP }}:12379
-    - --initial-advertise-peer-urls=http://{{ .BootEtcdServiceIP }}:12380
-    - --initial-cluster=boot-etcd=http://{{ .BootEtcdServiceIP }}:12380
+    - --listen-client-urls=https://0.0.0.0:12379
+    - --listen-peer-urls=https://0.0.0.0:12380
+    - --advertise-client-urls=https://{{ .BootEtcdServiceIP }}:12379
+    - --initial-advertise-peer-urls=https://{{ .BootEtcdServiceIP }}:12380
+    - --initial-cluster=boot-etcd=https://{{ .BootEtcdServiceIP }}:12380
     - --initial-cluster-token=bootkube
     - --initial-cluster-state=new
     - --data-dir=/var/etcd/data
+    - --peer-client-cert-auth=true
+    - --peer-trusted-ca-file=/etc/kubernetes/secrets/etcdMember/peer-ca-crt.pem
+    - --peer-cert-file=/etc/kubernetes/secrets/etcdMember/peer-crt.pem
+    - --peer-key-file=/etc/kubernetes/secrets/etcdMember/peer-key.pem
+    - --client-cert-auth=true
+    - --trusted-ca-file=/etc/kubernetes/secrets/etcdMember/client-ca-crt.pem
+    - --cert-file=/etc/kubernetes/secrets/etcdMember/client-crt.pem
+    - --key-file=/etc/kubernetes/secrets/etcdMember/client-key.pem
+    volumeMounts:
+    - mountPath: /etc/kubernetes/secrets
+      name: secrets
+      readOnly: true
+  volumes:
+  - name: secrets
+    hostPath:
+      path: /etc/kubernetes/{{ .BootstrapSecretsSubdir }}
   hostNetwork: true
   restartPolicy: Never
   dnsPolicy: ClusterFirstWithHostNet
@@ -1018,7 +1034,16 @@ var EtcdTPRTemplate = []byte(`{
       ]
     },
     "selfHosted": {
-      "bootMemberClientEndpoint": "http://{{ .BootEtcdServiceIP }}:12379"
+      "bootMemberClientEndpoint": "https://{{ .BootEtcdServiceIP }}:12379"
+    },
+    "TLS": {
+      "static": {
+        "member": {
+          "peerSecret": "etcd-member-peer-tls",
+          "clientSecret": "etcd-member-client-tls"
+        },
+        "operatorSecret": "etcd-operator-client-tls"
+      }
     }
   }
 }`)

pkg/asset/k8s.go

@@ -15,12 +15,13 @@ const (
 	// The name of the k8s service that selects self-hosted etcd pods
 	EtcdServiceName = "etcd-service"
 
-	secretNamespace      = "kube-system"
-	secretAPIServerName  = "kube-apiserver"
-	secretCMName         = "kube-controller-manager"
-	secretEtcdMemberPeer = "etcd-member-peer-tls"
-	secretEtcdMemberCli  = "etcd-member-client-tls"
-	secretEtcdOperator   = "etcd-operator-client-tls"
+	SecretEtcdMemberPeer = "etcd-member-peer-tls"
+	SecretEtcdMemberCli  = "etcd-member-client-tls"
+	SecretEtcdOperator   = "etcd-operator-client-tls"
+
+	secretNamespace     = "kube-system"
+	secretAPIServerName = "kube-apiserver"
+	secretCMName        = "kube-controller-manager"
 )
 
 type staticConfig struct {
@@ -110,7 +111,7 @@ func newKubeConfigAsset(assets Assets, conf Config) (Asset, error) {
 func newSelfHostedEtcdSecretAssets(assets Assets) (Assets, error) {
 	var res Assets
 
-	secretYAML, err := secretFromAssets(secretEtcdMemberPeer, secretNamespace, []string{
+	secretYAML, err := secretFromAssets(SecretEtcdMemberPeer, secretNamespace, []string{
 		AssetPathSelfHostedEtcdMemberPeerCA,
 		AssetPathSelfHostedEtcdMemberPeerCert,
 		AssetPathSelfHostedEtcdMemberPeerKey,
@@ -120,7 +121,7 @@ func newSelfHostedEtcdSecretAssets(assets Assets) (Assets, error) {
 	}
 	res = append(res, Asset{Name: AssetPathSelfHostedEtcdMemberPeerSecret, Data: secretYAML})
 
-	secretYAML, err = secretFromAssets(secretEtcdMemberCli, secretNamespace, []string{
+	secretYAML, err = secretFromAssets(SecretEtcdMemberCli, secretNamespace, []string{
 		AssetPathSelfHostedEtcdMemberClientCA,
 		AssetPathSelfHostedEtcdMemberClientCert,
 		AssetPathSelfHostedEtcdMemberClientKey,
@@ -130,7 +131,7 @@ func newSelfHostedEtcdSecretAssets(assets Assets) (Assets, error) {
 	}
 	res = append(res, Asset{Name: AssetPathSelfHostedEtcdMemberCliSecret, Data: secretYAML})
 
-	secretYAML, err = secretFromAssets(secretEtcdOperator, secretNamespace, []string{
+	secretYAML, err = secretFromAssets(SecretEtcdOperator, secretNamespace, []string{
 		AssetPathSelfHostedOperatorEtcdCA,
 		AssetPathSelfHostedOperatorEtcdCert,
 		AssetPathSelfHostedOperatorEtcdKey,

pkg/recovery/etcd_template.go

@@ -75,9 +75,9 @@ spec:
       /var/etcd-backupdir/{{ .BackupFile }} \
       --data-dir=/var/etcd/data \
       --name=boot-etcd \
-      --initial-cluster=boot-etcd=http://{{ .BootEtcdServiceIP }}:12380 \
+      --initial-cluster=boot-etcd=https://{{ .BootEtcdServiceIP }}:12380 \
       --initial-cluster-token={{ .ClusterToken }} \
-      --initial-advertise-peer-urls=http://{{ .BootEtcdServiceIP }}:12380 \
+      --initial-advertise-peer-urls=https://{{ .BootEtcdServiceIP }}:12380 \
       --skip-hash-check=true 
     env:
       - name: ETCDCTL_API
@@ -119,14 +119,25 @@ spec:
     command:
     - /usr/local/bin/etcd
     - --name=boot-etcd
-    - --listen-client-urls=http://0.0.0.0:12379
-    - --listen-peer-urls=http://0.0.0.0:12380
-    - --advertise-client-urls=http://{{ .BootEtcdServiceIP }}:12379
+    - --listen-client-urls=https://0.0.0.0:12379
+    - --listen-peer-urls=https://0.0.0.0:12380
+    - --advertise-client-urls=https://{{ .BootEtcdServiceIP }}:12379
     - --data-dir=/var/etcd/data
+    - --peer-client-cert-auth=true
+    - --peer-trusted-ca-file=/etc/kubernetes/secrets/etcdMember/peer-ca-crt.pem
+    - --peer-cert-file=/etc/kubernetes/secrets/etcdMember/peer-crt.pem
+    - --peer-key-file=/etc/kubernetes/secrets/etcdMember/peer-key.pem
+    - --client-cert-auth=true
+    - --trusted-ca-file=/etc/kubernetes/secrets/etcdMember/client-ca-crt.pem
+    - --cert-file=/etc/kubernetes/secrets/etcdMember/client-crt.pem
+    - --key-file=/etc/kubernetes/secrets/etcdMember/client-key.pem
     volumeMounts:
-        - mountPath: /var/etcd
-          name: etcd
-          readOnly: false
+      - mountPath: /var/etcd
+        name: etcd
+        readOnly: false
+      - mountPath: /etc/kubernetes/secrets
+        name: secrets
+        readOnly: true
   hostNetwork: true
   dnsPolicy: ClusterFirstWithHostNet
   restartPolicy: Never
@@ -136,6 +147,9 @@ spec:
     - name: etcdbackup
       hostPath:
         path: {{ .BackupDir }}
+    - name: secrets
+      hostPath:
+        path: /etc/kubernetes/bootstrap-secrets
 `)
 
 var recoveryEtcdSvcTemplate = []byte(`{

pkg/recovery/recover.go

@@ -119,7 +119,8 @@ func (cp *controlPlane) renderBootstrap() (asset.Assets, error) {
 	if err != nil {
 		return nil, err
 	}
-	requiredConfigMaps, requiredSecrets := fixUpBootstrapPods(pods, cp.bootEtcd != nil)
+	isSelfHostedEtcd := cp.bootEtcd != nil
+	requiredConfigMaps, requiredSecrets := fixUpBootstrapPods(pods, isSelfHostedEtcd)
 	as, err := outputBootstrapPods(pods)
 	if err != nil {
 		return nil, err
@@ -129,6 +130,12 @@ func (cp *controlPlane) renderBootstrap() (asset.Assets, error) {
 		return nil, err
 	}
 	as = append(as, configMaps...)
+
+	if isSelfHostedEtcd {
+		requiredSecrets[asset.SecretEtcdMemberPeer] = filepath.Dir(asset.AssetPathSelfHostedEtcdMemberPeerCA)
+		requiredSecrets[asset.SecretEtcdMemberCli] = filepath.Dir(asset.AssetPathSelfHostedEtcdMemberClientCA)
+		requiredSecrets[asset.SecretEtcdOperator] = filepath.Dir(asset.AssetPathSelfHostedOperatorEtcdCA)
+	}
 	secrets, err := outputBootstrapSecrets(cp.secrets, requiredSecrets)
 	if err != nil {
 		return nil, err

pkg/util/etcdutil/migrate.go

@@ -237,7 +237,7 @@ func cleanupBootstrapEtcdService(kubecli kubernetes.Interface) {
 }
 
 func detectEtcdTLS(assetDir string) (bool, error) {
-	etcdCAAssetPath := filepath.Join(assetDir, asset.AssetPathEtcdCA)
+	etcdCAAssetPath := filepath.Join(assetDir, asset.AssetPathSelfHostedOperatorEtcdCA)
 	_, err := os.Stat(etcdCAAssetPath)
 	if err == nil {
 		return true, nil

pkg/util/etcdutil/util.go

@@ -40,9 +40,9 @@ func WaitClusterReady(endpoint string, etcdTLS *tls.Config) error {
 
 func makeTLSConfig(assetDir string) (*tls.Config, error) {
 	tlsInfo := transport.TLSInfo{
-		TrustedCAFile: filepath.Join(assetDir, asset.AssetPathEtcdCA),
-		CertFile:      filepath.Join(assetDir, asset.AssetPathEtcdClientCert),
-		KeyFile:       filepath.Join(assetDir, asset.AssetPathEtcdClientKey),
+		TrustedCAFile: filepath.Join(assetDir, asset.AssetPathSelfHostedOperatorEtcdCA),
+		CertFile:      filepath.Join(assetDir, asset.AssetPathSelfHostedOperatorEtcdCert),
+		KeyFile:       filepath.Join(assetDir, asset.AssetPathSelfHostedOperatorEtcdKey),
 	}
 	return tlsInfo.ClientConfig()
 }