Enable TLS for single-node and mult-node quickstart.

Author: Diego Pontoriero

hack/multi-node/Vagrantfile

@@ -22,6 +22,7 @@ CONTROLLER_USER_DATA_PATH = File.expand_path("./cluster/user-data-controller")
 WORKER_USER_DATA_PATH = File.expand_path("./cluster/user-data-worker")
 KUBECONFIG_PATH = File.expand_path("cluster/auth/kubeconfig")
 CA_CERT_PATH = File.expand_path("cluster/tls/ca.crt")
+ETCD_CERT_GLOB = File.expand_path("cluster/tls/etcd-*")
 
 def etcdIP(num)
   return "172.17.4.#{num+50}"
@@ -41,7 +42,7 @@ if !$self_host_etcd
     $etcd_vm_memory = 512
     ETCD_CLOUD_CONFIG_PATH = File.expand_path("./etcd-cloud-config.yaml")
     etcdIPs = [*1..$etcd_count].map{ |i| etcdIP(i) }
-    initial_etcd_cluster = etcdIPs.map.with_index{ |ip, i| "e#{i+1}=http://#{ip}:2380" }.join(",")
+    initial_etcd_cluster = etcdIPs.map.with_index{ |ip, i| "e#{i+1}=https://#{ip}:2380" }.join(",")
 end
 
 Vagrant.configure("2") do |config|
@@ -109,6 +110,14 @@ Vagrant.configure("2") do |config|
 
         etcd.vm.provision :file, source: etcd_config_file.path, destination: "/tmp/vagrantfile-user-data"
         etcd.vm.provision :shell, inline: "mv /tmp/vagrantfile-user-data /var/lib/coreos-vagrant/", privileged: true
+
+        etcd.vm.provision :shell, :inline => "mkdir -p /etc/etcd/tls", :privileged => true
+        Dir.glob(ETCD_CERT_GLOB) do |etcd_cert_file|
+          etcd.vm.provision :file, :source => etcd_cert_file, :destination => "/tmp/#{File.basename(etcd_cert_file)}"
+          etcd.vm.provision :shell, :inline => "mv /tmp/#{File.basename(etcd_cert_file)} /etc/etcd/tls/", :privileged => true
+        end
+        etcd.vm.provision :shell, :inline => "chown -R etcd:etcd /etc/etcd", :privileged => true
+        etcd.vm.provision :shell, :inline => "chmod -R u=rX,g=,o= /etc/etcd", :privileged => true
       end
     end
   end

hack/multi-node/bootkube-up

@@ -14,7 +14,8 @@ if [ ${SELF_HOST_ETCD} = "true" ]; then
     echo "WARNING: THIS IS NOT YET FULLY WORKING - merely here to make ongoing testing easier"
     etcd_render_flags="--experimental-self-hosted-etcd"
 else
-    etcd_render_flags="--etcd-servers=http://172.17.4.51:2379"
+    # Note: if you increase the number of etcd servers in the Vagrantfile you must also add them here.
+    etcd_render_flags="--etcd-servers=https://172.17.4.51:2379"
 fi
 
 # Render assets

hack/multi-node/etcd-cloud-config.yaml

@@ -15,8 +15,16 @@ coreos:
           [Service]
           Environment="ETCD_IMAGE_TAG=v3.1.0"
           Environment="ETCD_NAME={{ETCD_NODE_NAME}}"
-          Environment="ETCD_ADVERTISE_CLIENT_URLS=http://$private_ipv4:2379"
-          Environment="ETCD_INITIAL_ADVERTISE_PEER_URLS=http://$private_ipv4:2380"
-          Environment="ETCD_LISTEN_CLIENT_URLS=http://0.0.0.0:2379"
-          Environment="ETCD_LISTEN_PEER_URLS=http://$private_ipv4:2380"
+          Environment="ETCD_ADVERTISE_CLIENT_URLS=https://$private_ipv4:2379"
+          Environment="ETCD_INITIAL_ADVERTISE_PEER_URLS=https://$private_ipv4:2380"
+          Environment="ETCD_LISTEN_CLIENT_URLS=https://0.0.0.0:2379"
+          Environment="ETCD_LISTEN_PEER_URLS=https://$private_ipv4:2380"
           Environment="ETCD_INITIAL_CLUSTER={{ETCD_INITIAL_CLUSTER}}"
+          Environment="ETCD_SSL_DIR=/etc/etcd/tls"
+          Environment="ETCD_TRUSTED_CA_FILE=/etc/ssl/certs/etcd-ca.crt"
+          Environment="ETCD_CERT_FILE=/etc/ssl/certs/etcd-client.crt"
+          Environment="ETCD_KEY_FILE=/etc/ssl/certs/etcd-client.key"
+          Environment="ETCD_CLIENT_CERT_AUTH=true"
+          Environment="ETCD_PEER_TRUSTED_CA_FILE=/etc/ssl/certs/etcd-ca.crt"
+          Environment="ETCD_PEER_CERT_FILE=/etc/ssl/certs/etcd-peer.crt"
+          Environment="ETCD_PEER_KEY_FILE=/etc/ssl/certs/etcd-peer.key"

hack/single-node/Vagrantfile

@@ -14,6 +14,7 @@ NODE_IP = "172.17.4.100"
 USER_DATA_PATH = File.expand_path("cluster/user-data")
 KUBECONFIG_PATH = File.expand_path("cluster/auth/kubeconfig")
 CA_CERT_PATH = File.expand_path("cluster/tls/ca.crt")
+ETCD_CERT_GLOB = File.expand_path("cluster/tls/etcd-*")
 
 Vagrant.configure("2") do |config|
   # always use Vagrant's insecure key
@@ -61,4 +62,12 @@ Vagrant.configure("2") do |config|
 
   config.vm.provision :file, :source => CA_CERT_PATH, :destination => "/tmp/ca.crt"
   config.vm.provision :shell, :inline => "mv /tmp/ca.crt /etc/kubernetes/ca.crt", :privileged => true
+
+  config.vm.provision :shell, :inline => "mkdir -p /etc/etcd/tls", :privileged => true
+  Dir.glob(ETCD_CERT_GLOB) do |etcd_cert_file|
+    config.vm.provision :file, :source => etcd_cert_file, :destination => "/tmp/#{File.basename(etcd_cert_file)}"
+    config.vm.provision :shell, :inline => "mv /tmp/#{File.basename(etcd_cert_file)} /etc/etcd/tls/", :privileged => true
+  end
+  config.vm.provision :shell, :inline => "chown -R etcd:etcd /etc/etcd", :privileged => true
+  config.vm.provision :shell, :inline => "chmod -R u=rX,g=,o= /etc/etcd", :privileged => true
 end

hack/single-node/user-data-etcd.sample

@@ -5,4 +5,18 @@
           content: |
             [Service]
             Environment="ETCD_IMAGE_TAG=v3.1.0"
+            Environment="ETCD_NAME=default"
+            Environment="ETCD_INITIAL_CLUSTER=default=https://127.0.0.1:2380"
+            Environment="ETCD_INITIAL_ADVERTISE_PEER_URLS=https://127.0.0.1:2380"
+            Environment="ETCD_ADVERTISE_CLIENT_URLS=https://127.0.0.1:2379"
+            Environment="ETCD_LISTEN_CLIENT_URLS=https://0.0.0.0:2379"
+            Environment="ETCD_LISTEN_PEER_URLS=https://0.0.0.0:2380"
+            Environment="ETCD_SSL_DIR=/etc/etcd/tls"
+            Environment="ETCD_TRUSTED_CA_FILE=/etc/ssl/certs/etcd-ca.crt"
+            Environment="ETCD_CERT_FILE=/etc/ssl/certs/etcd-client.crt"
+            Environment="ETCD_KEY_FILE=/etc/ssl/certs/etcd-client.key"
+            Environment="ETCD_CLIENT_CERT_AUTH=true"
+            Environment="ETCD_PEER_TRUSTED_CA_FILE=/etc/ssl/certs/etcd-ca.crt"
+            Environment="ETCD_PEER_CERT_FILE=/etc/ssl/certs/etcd-peer.crt"
+            Environment="ETCD_PEER_KEY_FILE=/etc/ssl/certs/etcd-peer.key"
       command: start