Merge pull request #621 from hongchaodeng/up2

TLS: converge asset naming of SH and non-SH etcd

Author: hongchaodeng

hack/multi-node/Vagrantfile

@@ -22,7 +22,8 @@ CONTROLLER_USER_DATA_PATH = File.expand_path("./cluster/user-data-controller")
 WORKER_USER_DATA_PATH = File.expand_path("./cluster/user-data-worker")
 KUBECONFIG_PATH = File.expand_path("cluster/auth/kubeconfig")
 CA_CERT_PATH = File.expand_path("cluster/tls/ca.crt")
-ETCD_CERT_GLOB = File.expand_path("cluster/tls/etcd-*")
+ETCD_CLI_CERT_GLOB = File.expand_path("cluster/tls/etcd-*")
+ETCD_CERT_GLOB = File.expand_path("cluster/tls/etcd/*")
 
 def etcdIP(num)
   return "172.17.4.#{num+50}"
@@ -112,10 +113,15 @@ Vagrant.configure("2") do |config|
         etcd.vm.provision :shell, inline: "mv /tmp/vagrantfile-user-data /var/lib/coreos-vagrant/", privileged: true
 
         etcd.vm.provision :shell, :inline => "mkdir -p /etc/etcd/tls", :privileged => true
-        Dir.glob(ETCD_CERT_GLOB) do |etcd_cert_file|
+        Dir.glob(ETCD_CLI_CERT_GLOB) do |etcd_cert_file|
           etcd.vm.provision :file, :source => etcd_cert_file, :destination => "/tmp/#{File.basename(etcd_cert_file)}"
           etcd.vm.provision :shell, :inline => "mv /tmp/#{File.basename(etcd_cert_file)} /etc/etcd/tls/", :privileged => true
         end
+        etcd.vm.provision :shell, :inline => "mkdir -p /etc/etcd/tls/etcd", :privileged => true
+        Dir.glob(ETCD_CERT_GLOB) do |etcd_cert_file|
+          etcd.vm.provision :file, :source => etcd_cert_file, :destination => "/tmp/#{File.basename(etcd_cert_file)}"
+          etcd.vm.provision :shell, :inline => "mv /tmp/#{File.basename(etcd_cert_file)} /etc/etcd/tls/etcd/", :privileged => true
+        end
         etcd.vm.provision :shell, :inline => "chown -R etcd:etcd /etc/etcd", :privileged => true
         etcd.vm.provision :shell, :inline => "chmod -R u=rX,g=,o= /etc/etcd", :privileged => true
       end

hack/multi-node/bootkube-test-recovery

@@ -36,7 +36,7 @@ echo
 scp -q -F ssh_config ../../_output/bin/linux/bootkube cluster/auth/kubeconfig cluster/tls/etcd-* core@$HOST:/home/core
 ssh -q -F ssh_config core@$HOST "GLOG_v=${GLOG_v} /home/core/bootkube recover \
   --recovery-dir=/home/core/recovered \
-  --etcd-ca-path=/home/core/etcd-ca.crt \
+  --etcd-ca-path=/home/core/etcd-client-ca.crt \
   --etcd-certificate-path=/home/core/etcd-client.crt \
   --etcd-private-key-path=/home/core/etcd-client.key \
   --etcd-servers=https://172.17.4.51:2379 \

hack/multi-node/etcd-cloud-config.yaml

@@ -21,10 +21,10 @@ coreos:
           Environment="ETCD_LISTEN_PEER_URLS=https://$private_ipv4:2380"
           Environment="ETCD_INITIAL_CLUSTER={{ETCD_INITIAL_CLUSTER}}"
           Environment="ETCD_SSL_DIR=/etc/etcd/tls"
-          Environment="ETCD_TRUSTED_CA_FILE=/etc/ssl/certs/etcd-ca.crt"
-          Environment="ETCD_CERT_FILE=/etc/ssl/certs/etcd-client.crt"
-          Environment="ETCD_KEY_FILE=/etc/ssl/certs/etcd-client.key"
+          Environment="ETCD_TRUSTED_CA_FILE=/etc/ssl/certs/etcd/server-ca.crt"
+          Environment="ETCD_CERT_FILE=/etc/ssl/certs/etcd/server.crt"
+          Environment="ETCD_KEY_FILE=/etc/ssl/certs/etcd/server.key"
           Environment="ETCD_CLIENT_CERT_AUTH=true"
-          Environment="ETCD_PEER_TRUSTED_CA_FILE=/etc/ssl/certs/etcd-ca.crt"
-          Environment="ETCD_PEER_CERT_FILE=/etc/ssl/certs/etcd-peer.crt"
-          Environment="ETCD_PEER_KEY_FILE=/etc/ssl/certs/etcd-peer.key"
+          Environment="ETCD_PEER_TRUSTED_CA_FILE=/etc/ssl/certs/etcd/peer-ca.crt"
+          Environment="ETCD_PEER_CERT_FILE=/etc/ssl/certs/etcd/peer.crt"
+          Environment="ETCD_PEER_KEY_FILE=/etc/ssl/certs/etcd/peer.key"

hack/quickstart/init-master.sh

@@ -20,7 +20,9 @@ function usage() {
 function configure_etcd() {
     [ -f "/etc/systemd/system/etcd-member.service.d/10-etcd-member.conf" ] || {
         mkdir -p /etc/etcd/tls
-        cp /home/${REMOTE_USER}/assets/tls/etcd* /etc/etcd/tls
+        cp /home/${REMOTE_USER}/assets/tls/etcd-* /etc/etcd/tls
+        mkdir -p /etc/etcd/tls/etcd
+        cp /home/${REMOTE_USER}/assets/tls/etcd/* /etc/etcd/tls/etcd
         chown -R etcd:etcd /etc/etcd
         chmod -R u=rX,g=,o= /etc/etcd
         mkdir -p /etc/systemd/system/etcd-member.service.d
@@ -34,13 +36,13 @@ Environment="ETCD_ADVERTISE_CLIENT_URLS=https://${COREOS_PRIVATE_IPV4}:2379"
 Environment="ETCD_LISTEN_CLIENT_URLS=https://0.0.0.0:2379"
 Environment="ETCD_LISTEN_PEER_URLS=https://0.0.0.0:2380"
 Environment="ETCD_SSL_DIR=/etc/etcd/tls"
-Environment="ETCD_TRUSTED_CA_FILE=/etc/ssl/certs/etcd-ca.crt"
-Environment="ETCD_CERT_FILE=/etc/ssl/certs/etcd-client.crt"
-Environment="ETCD_KEY_FILE=/etc/ssl/certs/etcd-client.key"
+Environment="ETCD_TRUSTED_CA_FILE=/etc/ssl/certs/etcd/server-ca.crt"
+Environment="ETCD_CERT_FILE=/etc/ssl/certs/etcd/server.crt"
+Environment="ETCD_KEY_FILE=/etc/ssl/certs/etcd/server.key"
 Environment="ETCD_CLIENT_CERT_AUTH=true"
-Environment="ETCD_PEER_TRUSTED_CA_FILE=/etc/ssl/certs/etcd-ca.crt"
-Environment="ETCD_PEER_CERT_FILE=/etc/ssl/certs/etcd-peer.crt"
-Environment="ETCD_PEER_KEY_FILE=/etc/ssl/certs/etcd-peer.key"
+Environment="ETCD_PEER_TRUSTED_CA_FILE=/etc/ssl/certs/etcd/peer-ca.crt"
+Environment="ETCD_PEER_CERT_FILE=/etc/ssl/certs/etcd/peer.crt"
+Environment="ETCD_PEER_KEY_FILE=/etc/ssl/certs/etcd/peer.key"
 EOF
     }
 }

hack/single-node/Vagrantfile

@@ -14,7 +14,8 @@ NODE_IP = "172.17.4.100"
 USER_DATA_PATH = File.expand_path("cluster/user-data")
 KUBECONFIG_PATH = File.expand_path("cluster/auth/kubeconfig")
 CA_CERT_PATH = File.expand_path("cluster/tls/ca.crt")
-ETCD_CERT_GLOB = File.expand_path("cluster/tls/etcd-*")
+ETCD_CLI_CERT_GLOB = File.expand_path("cluster/tls/etcd-*")
+ETCD_CERT_GLOB = File.expand_path("cluster/tls/etcd/*")
 
 Vagrant.configure("2") do |config|
   # always use Vagrant's insecure key
@@ -64,10 +65,15 @@ Vagrant.configure("2") do |config|
   config.vm.provision :shell, :inline => "mv /tmp/ca.crt /etc/kubernetes/ca.crt", :privileged => true
 
   config.vm.provision :shell, :inline => "mkdir -p /etc/etcd/tls", :privileged => true
-  Dir.glob(ETCD_CERT_GLOB) do |etcd_cert_file|
+  Dir.glob(ETCD_CLI_CERT_GLOB) do |etcd_cert_file|
     config.vm.provision :file, :source => etcd_cert_file, :destination => "/tmp/#{File.basename(etcd_cert_file)}"
     config.vm.provision :shell, :inline => "mv /tmp/#{File.basename(etcd_cert_file)} /etc/etcd/tls/", :privileged => true
   end
+  config.vm.provision :shell, :inline => "mkdir -p /etc/etcd/tls/etcd", :privileged => true
+  Dir.glob(ETCD_CERT_GLOB) do |etcd_cert_file|
+    config.vm.provision :file, :source => etcd_cert_file, :destination => "/tmp/#{File.basename(etcd_cert_file)}"
+    config.vm.provision :shell, :inline => "mv /tmp/#{File.basename(etcd_cert_file)} /etc/etcd/tls/etcd/", :privileged => true
+  end
   config.vm.provision :shell, :inline => "chown -R etcd:etcd /etc/etcd", :privileged => true
   config.vm.provision :shell, :inline => "chmod -R u=rX,g=,o= /etc/etcd", :privileged => true
 end

hack/single-node/user-data-etcd.sample

@@ -12,11 +12,11 @@
             Environment="ETCD_LISTEN_CLIENT_URLS=https://0.0.0.0:2379"
             Environment="ETCD_LISTEN_PEER_URLS=https://0.0.0.0:2380"
             Environment="ETCD_SSL_DIR=/etc/etcd/tls"
-            Environment="ETCD_TRUSTED_CA_FILE=/etc/ssl/certs/etcd-ca.crt"
-            Environment="ETCD_CERT_FILE=/etc/ssl/certs/etcd-client.crt"
-            Environment="ETCD_KEY_FILE=/etc/ssl/certs/etcd-client.key"
+            Environment="ETCD_TRUSTED_CA_FILE=/etc/ssl/certs/etcd/server-ca.crt"
+            Environment="ETCD_CERT_FILE=/etc/ssl/certs/etcd/server.crt"
+            Environment="ETCD_KEY_FILE=/etc/ssl/certs/etcd/server.key"
             Environment="ETCD_CLIENT_CERT_AUTH=true"
-            Environment="ETCD_PEER_TRUSTED_CA_FILE=/etc/ssl/certs/etcd-ca.crt"
-            Environment="ETCD_PEER_CERT_FILE=/etc/ssl/certs/etcd-peer.crt"
-            Environment="ETCD_PEER_KEY_FILE=/etc/ssl/certs/etcd-peer.key"
+            Environment="ETCD_PEER_TRUSTED_CA_FILE=/etc/ssl/certs/etcd/peer-ca.crt"
+            Environment="ETCD_PEER_CERT_FILE=/etc/ssl/certs/etcd/peer.crt"
+            Environment="ETCD_PEER_KEY_FILE=/etc/ssl/certs/etcd/peer.key"
       command: start

pkg/asset/asset.go

@@ -15,65 +15,60 @@ import (
 )
 
 const (
-	AssetPathSecrets                        = "tls"
-	AssetPathCAKey                          = "tls/ca.key"
-	AssetPathCACert                         = "tls/ca.crt"
-	AssetPathAPIServerKey                   = "tls/apiserver.key"
-	AssetPathAPIServerCert                  = "tls/apiserver.crt"
-	AssetPathEtcdCA                         = "tls/etcd-ca.crt"
-	AssetPathEtcdClientCert                 = "tls/etcd-client.crt"
-	AssetPathEtcdClientKey                  = "tls/etcd-client.key"
-	AssetPathEtcdPeerCert                   = "tls/etcd-peer.crt"
-	AssetPathEtcdPeerKey                    = "tls/etcd-peer.key"
-	AssetPathSelfHostedOperatorEtcdCA       = "tls/operator/etcd-client-ca.crt"
-	AssetPathSelfHostedOperatorEtcdCert     = "tls/operator/etcd-client.crt"
-	AssetPathSelfHostedOperatorEtcdKey      = "tls/operator/etcd-client.key"
-	AssetPathSelfHostedEtcdMemberClientCA   = "tls/etcdMember/server-ca.crt"
-	AssetPathSelfHostedEtcdMemberClientCert = "tls/etcdMember/server.crt"
-	AssetPathSelfHostedEtcdMemberClientKey  = "tls/etcdMember/server.key"
-	AssetPathSelfHostedEtcdMemberPeerCA     = "tls/etcdMember/peer-ca.crt"
-	AssetPathSelfHostedEtcdMemberPeerCert   = "tls/etcdMember/peer.crt"
-	AssetPathSelfHostedEtcdMemberPeerKey    = "tls/etcdMember/peer.key"
-	AssetPathServiceAccountPrivKey          = "tls/service-account.key"
-	AssetPathServiceAccountPubKey           = "tls/service-account.pub"
-	AssetPathKubeletKey                     = "tls/kubelet.key"
-	AssetPathKubeletCert                    = "tls/kubelet.crt"
-	AssetPathKubeConfig                     = "auth/kubeconfig"
-	AssetPathManifests                      = "manifests"
-	AssetPathKubelet                        = "manifests/kubelet.yaml"
-	AssetPathProxy                          = "manifests/kube-proxy.yaml"
-	AssetPathKubeFlannel                    = "manifests/kube-flannel.yaml"
-	AssetPathKubeFlannelCfg                 = "manifests/kube-flannel-cfg.yaml"
-	AssetPathKubeCalico                     = "manifests/kube-calico.yaml"
-	AssetPathKubeCalicoCfg                  = "manifests/kube-calico-cfg.yaml"
-	AssetPathKubeCalcioSA                   = "manifests/kube-calico-sa.yaml"
-	AssetPathKubeCalcioRole                 = "manifests/kube-calico-role.yaml"
-	AssetPathKubeCalcioRoleBinding          = "manifests/kube-calico-role-binding.yaml"
-	AssetPathAPIServerSecret                = "manifests/kube-apiserver-secret.yaml"
-	AssetPathAPIServer                      = "manifests/kube-apiserver.yaml"
-	AssetPathControllerManager              = "manifests/kube-controller-manager.yaml"
-	AssetPathControllerManagerSecret        = "manifests/kube-controller-manager-secret.yaml"
-	AssetPathControllerManagerDisruption    = "manifests/kube-controller-manager-disruption.yaml"
-	AssetPathScheduler                      = "manifests/kube-scheduler.yaml"
-	AssetPathSchedulerDisruption            = "manifests/kube-scheduler-disruption.yaml"
-	AssetPathKubeDNSDeployment              = "manifests/kube-dns-deployment.yaml"
-	AssetPathKubeDNSSvc                     = "manifests/kube-dns-svc.yaml"
-	AssetPathSystemNamespace                = "manifests/kube-system-ns.yaml"
-	AssetPathCheckpointer                   = "manifests/pod-checkpointer.yaml"
-	AssetPathEtcdOperator                   = "manifests/etcd-operator.yaml"
-	AssetPathSelfHostedEtcdOperatorSecret   = "manifests/etcd-operator-client-tls.yaml"
-	AssetPathSelfHostedEtcdMemberPeerSecret = "manifests/etcd-member-peer-tls.yaml"
-	AssetPathSelfHostedEtcdMemberCliSecret  = "manifests/etcd-member-client-tls.yaml"
-	AssetPathEtcdSvc                        = "manifests/etcd-service.yaml"
-	AssetPathKenc                           = "manifests/kube-etcd-network-checkpointer.yaml"
-	AssetPathKubeSystemSARoleBinding        = "manifests/kube-system-rbac-role-binding.yaml"
-	AssetPathBootstrapManifests             = "bootstrap-manifests"
-	AssetPathBootstrapAPIServer             = "bootstrap-manifests/bootstrap-apiserver.yaml"
-	AssetPathBootstrapControllerManager     = "bootstrap-manifests/bootstrap-controller-manager.yaml"
-	AssetPathBootstrapScheduler             = "bootstrap-manifests/bootstrap-scheduler.yaml"
-	AssetPathBootstrapEtcd                  = "bootstrap-manifests/bootstrap-etcd.yaml"
-	AssetPathBootstrapEtcdService           = "etcd/bootstrap-etcd-service.json"
-	AssetPathMigrateEtcdCluster             = "etcd/migrate-etcd-cluster.json"
+	AssetPathSecrets                     = "tls"
+	AssetPathCAKey                       = "tls/ca.key"
+	AssetPathCACert                      = "tls/ca.crt"
+	AssetPathAPIServerKey                = "tls/apiserver.key"
+	AssetPathAPIServerCert               = "tls/apiserver.crt"
+	AssetPathEtcdClientCA                = "tls/etcd-client-ca.crt"
+	AssetPathEtcdClientCert              = "tls/etcd-client.crt"
+	AssetPathEtcdClientKey               = "tls/etcd-client.key"
+	AssetPathEtcdServerCA                = "tls/etcd/server-ca.crt"
+	AssetPathEtcdServerCert              = "tls/etcd/server.crt"
+	AssetPathEtcdServerKey               = "tls/etcd/server.key"
+	AssetPathEtcdPeerCA                  = "tls/etcd/peer-ca.crt"
+	AssetPathEtcdPeerCert                = "tls/etcd/peer.crt"
+	AssetPathEtcdPeerKey                 = "tls/etcd/peer.key"
+	AssetPathServiceAccountPrivKey       = "tls/service-account.key"
+	AssetPathServiceAccountPubKey        = "tls/service-account.pub"
+	AssetPathKubeletKey                  = "tls/kubelet.key"
+	AssetPathKubeletCert                 = "tls/kubelet.crt"
+	AssetPathKubeConfig                  = "auth/kubeconfig"
+	AssetPathManifests                   = "manifests"
+	AssetPathKubelet                     = "manifests/kubelet.yaml"
+	AssetPathProxy                       = "manifests/kube-proxy.yaml"
+	AssetPathKubeFlannel                 = "manifests/kube-flannel.yaml"
+	AssetPathKubeFlannelCfg              = "manifests/kube-flannel-cfg.yaml"
+	AssetPathKubeCalico                  = "manifests/kube-calico.yaml"
+	AssetPathKubeCalicoCfg               = "manifests/kube-calico-cfg.yaml"
+	AssetPathKubeCalcioSA                = "manifests/kube-calico-sa.yaml"
+	AssetPathKubeCalcioRole              = "manifests/kube-calico-role.yaml"
+	AssetPathKubeCalcioRoleBinding       = "manifests/kube-calico-role-binding.yaml"
+	AssetPathAPIServerSecret             = "manifests/kube-apiserver-secret.yaml"
+	AssetPathAPIServer                   = "manifests/kube-apiserver.yaml"
+	AssetPathControllerManager           = "manifests/kube-controller-manager.yaml"
+	AssetPathControllerManagerSecret     = "manifests/kube-controller-manager-secret.yaml"
+	AssetPathControllerManagerDisruption = "manifests/kube-controller-manager-disruption.yaml"
+	AssetPathScheduler                   = "manifests/kube-scheduler.yaml"
+	AssetPathSchedulerDisruption         = "manifests/kube-scheduler-disruption.yaml"
+	AssetPathKubeDNSDeployment           = "manifests/kube-dns-deployment.yaml"
+	AssetPathKubeDNSSvc                  = "manifests/kube-dns-svc.yaml"
+	AssetPathSystemNamespace             = "manifests/kube-system-ns.yaml"
+	AssetPathCheckpointer                = "manifests/pod-checkpointer.yaml"
+	AssetPathEtcdOperator                = "manifests/etcd-operator.yaml"
+	AssetPathEtcdSvc                     = "manifests/etcd-service.yaml"
+	AssetPathEtcdClientSecret            = "manifests/etcd-client-tls.yaml"
+	AssetPathEtcdPeerSecret              = "manifests/etcd-peer-tls.yaml"
+	AssetPathEtcdServerSecret            = "manifests/etcd-server-tls.yaml"
+	AssetPathKenc                        = "manifests/kube-etcd-network-checkpointer.yaml"
+	AssetPathKubeSystemSARoleBinding     = "manifests/kube-system-rbac-role-binding.yaml"
+	AssetPathBootstrapManifests          = "bootstrap-manifests"
+	AssetPathBootstrapAPIServer          = "bootstrap-manifests/bootstrap-apiserver.yaml"
+	AssetPathBootstrapControllerManager  = "bootstrap-manifests/bootstrap-controller-manager.yaml"
+	AssetPathBootstrapScheduler          = "bootstrap-manifests/bootstrap-scheduler.yaml"
+	AssetPathBootstrapEtcd               = "bootstrap-manifests/bootstrap-etcd.yaml"
+	AssetPathBootstrapEtcdService        = "etcd/bootstrap-etcd-service.json"
+	AssetPathMigrateEtcdCluster          = "etcd/migrate-etcd-cluster.json"
 )
 
 var (

pkg/asset/internal/templates.go

@@ -170,7 +170,7 @@ spec:
         - --client-ca-file=/etc/kubernetes/secrets/ca.crt
         - --cloud-provider={{ .CloudProvider }}
 {{- if .EtcdUseTLS }}
-        - --etcd-cafile=/etc/kubernetes/secrets/etcd-ca.crt
+        - --etcd-cafile=/etc/kubernetes/secrets/etcd-client-ca.crt
         - --etcd-certfile=/etc/kubernetes/secrets/etcd-client.crt
         - --etcd-keyfile=/etc/kubernetes/secrets/etcd-client.key
 {{- end }}
@@ -246,7 +246,7 @@ spec:
     - --bind-address=0.0.0.0
     - --client-ca-file=/etc/kubernetes/secrets/ca.crt
 {{- if .EtcdUseTLS }}
-    - --etcd-cafile=/etc/kubernetes/secrets/etcd-ca.crt
+    - --etcd-cafile=/etc/kubernetes/secrets/etcd-client-ca.crt
     - --etcd-certfile=/etc/kubernetes/secrets/etcd-client.crt
     - --etcd-keyfile=/etc/kubernetes/secrets/etcd-client.key
 {{- end }}
@@ -964,13 +964,13 @@ spec:
     - --initial-cluster-state=new
     - --data-dir=/var/etcd/data
     - --peer-client-cert-auth=true
-    - --peer-trusted-ca-file=/etc/kubernetes/secrets/etcdMember/peer-ca.crt
-    - --peer-cert-file=/etc/kubernetes/secrets/etcdMember/peer.crt
-    - --peer-key-file=/etc/kubernetes/secrets/etcdMember/peer.key
+    - --peer-trusted-ca-file=/etc/kubernetes/secrets/etcd/peer-ca.crt
+    - --peer-cert-file=/etc/kubernetes/secrets/etcd/peer.crt
+    - --peer-key-file=/etc/kubernetes/secrets/etcd/peer.key
     - --client-cert-auth=true
-    - --trusted-ca-file=/etc/kubernetes/secrets/etcdMember/server-ca.crt
-    - --cert-file=/etc/kubernetes/secrets/etcdMember/server.crt
-    - --key-file=/etc/kubernetes/secrets/etcdMember/server.key
+    - --trusted-ca-file=/etc/kubernetes/secrets/etcd/server-ca.crt
+    - --cert-file=/etc/kubernetes/secrets/etcd/server.crt
+    - --key-file=/etc/kubernetes/secrets/etcd/server.key
     volumeMounts:
     - mountPath: /etc/kubernetes/secrets
       name: secrets
@@ -1039,10 +1039,10 @@ var EtcdTPRTemplate = []byte(`{
     "TLS": {
       "static": {
         "member": {
-          "peerSecret": "etcd-member-peer-tls",
-          "serverSecret": "etcd-member-client-tls"
+          "peerSecret": "etcd-peer-tls",
+          "serverSecret": "etcd-server-tls"
         },
-        "operatorSecret": "etcd-operator-client-tls"
+        "operatorSecret": "etcd-client-tls"
       }
     }
   }