TLS: converge asset naming of SH and non-SH etcd
hongchaodeng committed Jul 5, 2017
1 parent e833c28 commit 4a87785
Showing 14 changed files with 153 additions and 141 deletions.
10 changes: 8 additions & 2 deletions hack/multi-node/Vagrantfile
Expand Up @@ -22,7 +22,8 @@ CONTROLLER_USER_DATA_PATH = File.expand_path("./cluster/user-data-controller")
WORKER_USER_DATA_PATH = File.expand_path("./cluster/user-data-worker")
KUBECONFIG_PATH = File.expand_path("cluster/auth/kubeconfig")
CA_CERT_PATH = File.expand_path("cluster/tls/ca.crt")
ETCD_CERT_GLOB = File.expand_path("cluster/tls/etcd-*")
ETCD_CLI_CERT_GLOB = File.expand_path("cluster/tls/etcd-*")
ETCD_CERT_GLOB = File.expand_path("cluster/tls/etcd/*")

def etcdIP(num)
return "172.17.4.#{num+50}"
Expand Down Expand Up @@ -112,10 +113,15 @@ Vagrant.configure("2") do |config|
etcd.vm.provision :shell, inline: "mv /tmp/vagrantfile-user-data /var/lib/coreos-vagrant/", privileged: true

etcd.vm.provision :shell, :inline => "mkdir -p /etc/etcd/tls", :privileged => true
Dir.glob(ETCD_CERT_GLOB) do |etcd_cert_file|
Dir.glob(ETCD_CLI_CERT_GLOB) do |etcd_cert_file|
etcd.vm.provision :file, :source => etcd_cert_file, :destination => "/tmp/#{File.basename(etcd_cert_file)}"
etcd.vm.provision :shell, :inline => "mv /tmp/#{File.basename(etcd_cert_file)} /etc/etcd/tls/", :privileged => true
end
etcd.vm.provision :shell, :inline => "mkdir -p /etc/etcd/tls/etcd", :privileged => true
Dir.glob(ETCD_CERT_GLOB) do |etcd_cert_file|
etcd.vm.provision :file, :source => etcd_cert_file, :destination => "/tmp/#{File.basename(etcd_cert_file)}"
etcd.vm.provision :shell, :inline => "mv /tmp/#{File.basename(etcd_cert_file)} /etc/etcd/tls/etcd/", :privileged => true
end
etcd.vm.provision :shell, :inline => "chown -R etcd:etcd /etc/etcd", :privileged => true
etcd.vm.provision :shell, :inline => "chmod -R u=rX,g=,o= /etc/etcd", :privileged => true
end
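Review bot: The added `Dir.glob(ETCD_CERT_GLOB)` loop repeats the three-line stage-through-/tmp-then-mv pattern of the `ETCD_CLI_CERT_GLOB` loop just above it, and hack/single-node/Vagrantfile carries the same two copies; a helper taking the glob and the destination directory would keep `/etc/etcd/tls/` and `/etc/etcd/tls/etcd/` from drifting apart and leaves one place to fix. The staged file under `/tmp/#{File.basename(...)}` presumably keeps the file provisioner's default mode until the `chmod -R u=rX,g=,o=` on the last added line, and `mv` preserves that mode, so `peer.key` and `server.key` are likely readable to other guest users for the rest of the provisioning run; doing the chmod per file right after each `mv` closes that window. The enclosing `Vagrant.configure` block starts before and ends after this hunk.
```ruby
# Stage every file matching `glob` through /tmp and move it into `dest` as root.
# The per-file chmod keeps a key from sitting under the provisioner's default
# mode until the final chmod -R runs.
def provision_etcd_certs(vm, glob, dest)
  vm.provision :shell, :inline => "mkdir -p #{dest}", :privileged => true
  Dir.glob(glob) do |cert_file|
    name = File.basename(cert_file)
    vm.provision :file, :source => cert_file, :destination => "/tmp/#{name}"
    vm.provision :shell, :inline => "mv /tmp/#{name} #{dest}/ && chmod u=r,g=,o= #{dest}/#{name}", :privileged => true
  end
end

    # … unchanged: user-data provisioning …
    provision_etcd_certs(etcd.vm, ETCD_CLI_CERT_GLOB, "/etc/etcd/tls")
    provision_etcd_certs(etcd.vm, ETCD_CERT_GLOB, "/etc/etcd/tls/etcd")
    # … unchanged: chown -R / chmod -R provisioning …
```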
2 changes: 1 addition & 1 deletion hack/multi-node/bootkube-test-recovery
Expand Up @@ -36,7 +36,7 @@ echo
scp -q -F ssh_config ../../_output/bin/linux/bootkube cluster/auth/kubeconfig cluster/tls/etcd-* core@$HOST:/home/core
ssh -q -F ssh_config core@$HOST "GLOG_v=${GLOG_v} /home/core/bootkube recover \
--recovery-dir=/home/core/recovered \
--etcd-ca-path=/home/core/etcd-ca.crt \
--etcd-ca-path=/home/core/etcd-client-ca.crt \
--etcd-certificate-path=/home/core/etcd-client.crt \
--etcd-private-key-path=/home/core/etcd-client.key \
--etcd-servers=https://172.17.4.51:2379 \
12 changes: 6 additions & 6 deletions hack/multi-node/etcd-cloud-config.yaml
Expand Up @@ -21,10 +21,10 @@ coreos:
Environment="ETCD_LISTEN_PEER_URLS=https://$private_ipv4:2380"
Environment="ETCD_INITIAL_CLUSTER={{ETCD_INITIAL_CLUSTER}}"
Environment="ETCD_SSL_DIR=/etc/etcd/tls"
Environment="ETCD_TRUSTED_CA_FILE=/etc/ssl/certs/etcd-ca.crt"
Environment="ETCD_CERT_FILE=/etc/ssl/certs/etcd-client.crt"
Environment="ETCD_KEY_FILE=/etc/ssl/certs/etcd-client.key"
Environment="ETCD_TRUSTED_CA_FILE=/etc/ssl/certs/etcd/server-ca.crt"
Environment="ETCD_CERT_FILE=/etc/ssl/certs/etcd/server.crt"
Environment="ETCD_KEY_FILE=/etc/ssl/certs/etcd/server.key"
Environment="ETCD_CLIENT_CERT_AUTH=true"
Environment="ETCD_PEER_TRUSTED_CA_FILE=/etc/ssl/certs/etcd-ca.crt"
Environment="ETCD_PEER_CERT_FILE=/etc/ssl/certs/etcd-peer.crt"
Environment="ETCD_PEER_KEY_FILE=/etc/ssl/certs/etcd-peer.key"
Environment="ETCD_PEER_TRUSTED_CA_FILE=/etc/ssl/certs/etcd/peer-ca.crt"
Environment="ETCD_PEER_CERT_FILE=/etc/ssl/certs/etcd/peer.crt"
Environment="ETCD_PEER_KEY_FILE=/etc/ssl/certs/etcd/peer.key"
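Review bot: With `ETCD_CLIENT_CERT_AUTH=true` kept, the `ETCD_TRUSTED_CA_FILE` now set to `etcd/server-ca.crt` is the CA etcd uses to verify the `etcd-client.crt` that the apiserver presents, while the apiserver side now trusts `etcd-client-ca.crt`; after this rename the two file names no longer read as one CA, and nothing in the drop-in says whether the asset generator issues the client certificates from `server-ca.crt`. A one-line comment in the unit text would pin that contract, e.g. `# server-ca.crt must be the issuer of the tls/etcd-client.* assets; the apiserver's trust file is etcd-client-ca.crt`. The same drop-in is repeated in hack/quickstart/init-master.sh and hack/single-node/user-data-etcd.sample and would take the same comment.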
16 changes: 9 additions & 7 deletions hack/quickstart/init-master.sh
Expand Up @@ -20,7 +20,9 @@ function usage() {
function configure_etcd() {
[ -f "/etc/systemd/system/etcd-member.service.d/10-etcd-member.conf" ] || {
mkdir -p /etc/etcd/tls
cp /home/${REMOTE_USER}/assets/tls/etcd* /etc/etcd/tls
cp /home/${REMOTE_USER}/assets/tls/etcd-* /etc/etcd/tls
mkdir -p /etc/etcd/tls/etcd
cp /home/${REMOTE_USER}/assets/tls/etcd/* /etc/etcd/tls/etcd
chown -R etcd:etcd /etc/etcd
chmod -R u=rX,g=,o= /etc/etcd
mkdir -p /etc/systemd/system/etcd-member.service.d
Expand All @@ -34,13 +36,13 @@ Environment="ETCD_ADVERTISE_CLIENT_URLS=https://${COREOS_PRIVATE_IPV4}:2379"
Environment="ETCD_LISTEN_CLIENT_URLS=https://0.0.0.0:2379"
Environment="ETCD_LISTEN_PEER_URLS=https://0.0.0.0:2380"
Environment="ETCD_SSL_DIR=/etc/etcd/tls"
Environment="ETCD_TRUSTED_CA_FILE=/etc/ssl/certs/etcd-ca.crt"
Environment="ETCD_CERT_FILE=/etc/ssl/certs/etcd-client.crt"
Environment="ETCD_KEY_FILE=/etc/ssl/certs/etcd-client.key"
Environment="ETCD_TRUSTED_CA_FILE=/etc/ssl/certs/etcd/server-ca.crt"
Environment="ETCD_CERT_FILE=/etc/ssl/certs/etcd/server.crt"
Environment="ETCD_KEY_FILE=/etc/ssl/certs/etcd/server.key"
Environment="ETCD_CLIENT_CERT_AUTH=true"
Environment="ETCD_PEER_TRUSTED_CA_FILE=/etc/ssl/certs/etcd-ca.crt"
Environment="ETCD_PEER_CERT_FILE=/etc/ssl/certs/etcd-peer.crt"
Environment="ETCD_PEER_KEY_FILE=/etc/ssl/certs/etcd-peer.key"
Environment="ETCD_PEER_TRUSTED_CA_FILE=/etc/ssl/certs/etcd/peer-ca.crt"
Environment="ETCD_PEER_CERT_FILE=/etc/ssl/certs/etcd/peer.crt"
Environment="ETCD_PEER_KEY_FILE=/etc/ssl/certs/etcd/peer.key"
EOF
}
}
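Review bot: Both `cp` lines in the first hunk expand `${REMOTE_USER}` unquoted, so a value containing whitespace or glob characters splits the source path; quoting the fixed prefix and leaving only the wildcard bare keeps the glob working: `cp "/home/${REMOTE_USER}/assets/tls/etcd-"* /etc/etcd/tls` and `cp "/home/${REMOTE_USER}/assets/tls/etcd/"* /etc/etcd/tls/etcd`. Between those copies and the `chmod -R u=rX,g=,o=` two lines later the new key files carry the source mode masked only by the current umask, so a `umask 077` as the first statement of the `{ … }` group would make them private from creation. `configure_etcd` begins in the first hunk and the lines between the two hunks are not shown.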
10 changes: 8 additions & 2 deletions hack/single-node/Vagrantfile
Expand Up @@ -14,7 +14,8 @@ NODE_IP = "172.17.4.100"
USER_DATA_PATH = File.expand_path("cluster/user-data")
KUBECONFIG_PATH = File.expand_path("cluster/auth/kubeconfig")
CA_CERT_PATH = File.expand_path("cluster/tls/ca.crt")
ETCD_CERT_GLOB = File.expand_path("cluster/tls/etcd-*")
ETCD_CLI_CERT_GLOB = File.expand_path("cluster/tls/etcd-*")
ETCD_CERT_GLOB = File.expand_path("cluster/tls/etcd/*")

Vagrant.configure("2") do |config|
# always use Vagrant's insecure key
Expand Down Expand Up @@ -64,10 +65,15 @@ Vagrant.configure("2") do |config|
config.vm.provision :shell, :inline => "mv /tmp/ca.crt /etc/kubernetes/ca.crt", :privileged => true

config.vm.provision :shell, :inline => "mkdir -p /etc/etcd/tls", :privileged => true
Dir.glob(ETCD_CERT_GLOB) do |etcd_cert_file|
Dir.glob(ETCD_CLI_CERT_GLOB) do |etcd_cert_file|
config.vm.provision :file, :source => etcd_cert_file, :destination => "/tmp/#{File.basename(etcd_cert_file)}"
config.vm.provision :shell, :inline => "mv /tmp/#{File.basename(etcd_cert_file)} /etc/etcd/tls/", :privileged => true
end
config.vm.provision :shell, :inline => "mkdir -p /etc/etcd/tls/etcd", :privileged => true
Dir.glob(ETCD_CERT_GLOB) do |etcd_cert_file|
config.vm.provision :file, :source => etcd_cert_file, :destination => "/tmp/#{File.basename(etcd_cert_file)}"
config.vm.provision :shell, :inline => "mv /tmp/#{File.basename(etcd_cert_file)} /etc/etcd/tls/etcd/", :privileged => true
end
config.vm.provision :shell, :inline => "chown -R etcd:etcd /etc/etcd", :privileged => true
config.vm.provision :shell, :inline => "chmod -R u=rX,g=,o= /etc/etcd", :privileged => true
end
12 changes: 6 additions & 6 deletions hack/single-node/user-data-etcd.sample
Expand Up @@ -12,11 +12,11 @@
Environment="ETCD_LISTEN_CLIENT_URLS=https://0.0.0.0:2379"
Environment="ETCD_LISTEN_PEER_URLS=https://0.0.0.0:2380"
Environment="ETCD_SSL_DIR=/etc/etcd/tls"
Environment="ETCD_TRUSTED_CA_FILE=/etc/ssl/certs/etcd-ca.crt"
Environment="ETCD_CERT_FILE=/etc/ssl/certs/etcd-client.crt"
Environment="ETCD_KEY_FILE=/etc/ssl/certs/etcd-client.key"
Environment="ETCD_TRUSTED_CA_FILE=/etc/ssl/certs/etcd/server-ca.crt"
Environment="ETCD_CERT_FILE=/etc/ssl/certs/etcd/server.crt"
Environment="ETCD_KEY_FILE=/etc/ssl/certs/etcd/server.key"
Environment="ETCD_CLIENT_CERT_AUTH=true"
Environment="ETCD_PEER_TRUSTED_CA_FILE=/etc/ssl/certs/etcd-ca.crt"
Environment="ETCD_PEER_CERT_FILE=/etc/ssl/certs/etcd-peer.crt"
Environment="ETCD_PEER_KEY_FILE=/etc/ssl/certs/etcd-peer.key"
Environment="ETCD_PEER_TRUSTED_CA_FILE=/etc/ssl/certs/etcd/peer-ca.crt"
Environment="ETCD_PEER_CERT_FILE=/etc/ssl/certs/etcd/peer.crt"
Environment="ETCD_PEER_KEY_FILE=/etc/ssl/certs/etcd/peer.key"
command: start
113 changes: 54 additions & 59 deletions pkg/asset/asset.go
Expand Up @@ -15,65 +15,60 @@ import (
)

const (
AssetPathSecrets = "tls"
AssetPathCAKey = "tls/ca.key"
AssetPathCACert = "tls/ca.crt"
AssetPathAPIServerKey = "tls/apiserver.key"
AssetPathAPIServerCert = "tls/apiserver.crt"
AssetPathEtcdCA = "tls/etcd-ca.crt"
AssetPathEtcdClientCert = "tls/etcd-client.crt"
AssetPathEtcdClientKey = "tls/etcd-client.key"
AssetPathEtcdPeerCert = "tls/etcd-peer.crt"
AssetPathEtcdPeerKey = "tls/etcd-peer.key"
AssetPathSelfHostedOperatorEtcdCA = "tls/operator/etcd-client-ca.crt"
AssetPathSelfHostedOperatorEtcdCert = "tls/operator/etcd-client.crt"
AssetPathSelfHostedOperatorEtcdKey = "tls/operator/etcd-client.key"
AssetPathSelfHostedEtcdMemberClientCA = "tls/etcdMember/server-ca.crt"
AssetPathSelfHostedEtcdMemberClientCert = "tls/etcdMember/server.crt"
AssetPathSelfHostedEtcdMemberClientKey = "tls/etcdMember/server.key"
AssetPathSelfHostedEtcdMemberPeerCA = "tls/etcdMember/peer-ca.crt"
AssetPathSelfHostedEtcdMemberPeerCert = "tls/etcdMember/peer.crt"
AssetPathSelfHostedEtcdMemberPeerKey = "tls/etcdMember/peer.key"
AssetPathServiceAccountPrivKey = "tls/service-account.key"
AssetPathServiceAccountPubKey = "tls/service-account.pub"
AssetPathKubeletKey = "tls/kubelet.key"
AssetPathKubeletCert = "tls/kubelet.crt"
AssetPathKubeConfig = "auth/kubeconfig"
AssetPathManifests = "manifests"
AssetPathKubelet = "manifests/kubelet.yaml"
AssetPathProxy = "manifests/kube-proxy.yaml"
AssetPathKubeFlannel = "manifests/kube-flannel.yaml"
AssetPathKubeFlannelCfg = "manifests/kube-flannel-cfg.yaml"
AssetPathKubeCalico = "manifests/kube-calico.yaml"
AssetPathKubeCalicoCfg = "manifests/kube-calico-cfg.yaml"
AssetPathKubeCalcioSA = "manifests/kube-calico-sa.yaml"
AssetPathKubeCalcioRole = "manifests/kube-calico-role.yaml"
AssetPathKubeCalcioRoleBinding = "manifests/kube-calico-role-binding.yaml"
AssetPathAPIServerSecret = "manifests/kube-apiserver-secret.yaml"
AssetPathAPIServer = "manifests/kube-apiserver.yaml"
AssetPathControllerManager = "manifests/kube-controller-manager.yaml"
AssetPathControllerManagerSecret = "manifests/kube-controller-manager-secret.yaml"
AssetPathControllerManagerDisruption = "manifests/kube-controller-manager-disruption.yaml"
AssetPathScheduler = "manifests/kube-scheduler.yaml"
AssetPathSchedulerDisruption = "manifests/kube-scheduler-disruption.yaml"
AssetPathKubeDNSDeployment = "manifests/kube-dns-deployment.yaml"
AssetPathKubeDNSSvc = "manifests/kube-dns-svc.yaml"
AssetPathSystemNamespace = "manifests/kube-system-ns.yaml"
AssetPathCheckpointer = "manifests/pod-checkpointer.yaml"
AssetPathEtcdOperator = "manifests/etcd-operator.yaml"
AssetPathSelfHostedEtcdOperatorSecret = "manifests/etcd-operator-client-tls.yaml"
AssetPathSelfHostedEtcdMemberPeerSecret = "manifests/etcd-member-peer-tls.yaml"
AssetPathSelfHostedEtcdMemberCliSecret = "manifests/etcd-member-client-tls.yaml"
AssetPathEtcdSvc = "manifests/etcd-service.yaml"
AssetPathKenc = "manifests/kube-etcd-network-checkpointer.yaml"
AssetPathKubeSystemSARoleBinding = "manifests/kube-system-rbac-role-binding.yaml"
AssetPathBootstrapManifests = "bootstrap-manifests"
AssetPathBootstrapAPIServer = "bootstrap-manifests/bootstrap-apiserver.yaml"
AssetPathBootstrapControllerManager = "bootstrap-manifests/bootstrap-controller-manager.yaml"
AssetPathBootstrapScheduler = "bootstrap-manifests/bootstrap-scheduler.yaml"
AssetPathBootstrapEtcd = "bootstrap-manifests/bootstrap-etcd.yaml"
AssetPathBootstrapEtcdService = "etcd/bootstrap-etcd-service.json"
AssetPathMigrateEtcdCluster = "etcd/migrate-etcd-cluster.json"
AssetPathSecrets = "tls"
AssetPathCAKey = "tls/ca.key"
AssetPathCACert = "tls/ca.crt"
AssetPathAPIServerKey = "tls/apiserver.key"
AssetPathAPIServerCert = "tls/apiserver.crt"
AssetPathEtcdClientCA = "tls/etcd-client-ca.crt"
AssetPathEtcdClientCert = "tls/etcd-client.crt"
AssetPathEtcdClientKey = "tls/etcd-client.key"
AssetPathEtcdServerCA = "tls/etcd/server-ca.crt"
AssetPathEtcdServerCert = "tls/etcd/server.crt"
AssetPathEtcdServerKey = "tls/etcd/server.key"
AssetPathEtcdPeerCA = "tls/etcd/peer-ca.crt"
AssetPathEtcdPeerCert = "tls/etcd/peer.crt"
AssetPathEtcdPeerKey = "tls/etcd/peer.key"
AssetPathServiceAccountPrivKey = "tls/service-account.key"
AssetPathServiceAccountPubKey = "tls/service-account.pub"
AssetPathKubeletKey = "tls/kubelet.key"
AssetPathKubeletCert = "tls/kubelet.crt"
AssetPathKubeConfig = "auth/kubeconfig"
AssetPathManifests = "manifests"
AssetPathKubelet = "manifests/kubelet.yaml"
AssetPathProxy = "manifests/kube-proxy.yaml"
AssetPathKubeFlannel = "manifests/kube-flannel.yaml"
AssetPathKubeFlannelCfg = "manifests/kube-flannel-cfg.yaml"
AssetPathKubeCalico = "manifests/kube-calico.yaml"
AssetPathKubeCalicoCfg = "manifests/kube-calico-cfg.yaml"
AssetPathKubeCalcioSA = "manifests/kube-calico-sa.yaml"
AssetPathKubeCalcioRole = "manifests/kube-calico-role.yaml"
AssetPathKubeCalcioRoleBinding = "manifests/kube-calico-role-binding.yaml"
AssetPathAPIServerSecret = "manifests/kube-apiserver-secret.yaml"
AssetPathAPIServer = "manifests/kube-apiserver.yaml"
AssetPathControllerManager = "manifests/kube-controller-manager.yaml"
AssetPathControllerManagerSecret = "manifests/kube-controller-manager-secret.yaml"
AssetPathControllerManagerDisruption = "manifests/kube-controller-manager-disruption.yaml"
AssetPathScheduler = "manifests/kube-scheduler.yaml"
AssetPathSchedulerDisruption = "manifests/kube-scheduler-disruption.yaml"
AssetPathKubeDNSDeployment = "manifests/kube-dns-deployment.yaml"
AssetPathKubeDNSSvc = "manifests/kube-dns-svc.yaml"
AssetPathSystemNamespace = "manifests/kube-system-ns.yaml"
AssetPathCheckpointer = "manifests/pod-checkpointer.yaml"
AssetPathEtcdOperator = "manifests/etcd-operator.yaml"
AssetPathEtcdSvc = "manifests/etcd-service.yaml"
AssetPathEtcdClientSecret = "manifests/etcd-client-tls.yaml"
AssetPathEtcdPeerSecret = "manifests/etcd-peer-tls.yaml"
AssetPathEtcdServerSecret = "manifests/etcd-server-tls.yaml"
AssetPathKenc = "manifests/kube-etcd-network-checkpointer.yaml"
AssetPathKubeSystemSARoleBinding = "manifests/kube-system-rbac-role-binding.yaml"
AssetPathBootstrapManifests = "bootstrap-manifests"
AssetPathBootstrapAPIServer = "bootstrap-manifests/bootstrap-apiserver.yaml"
AssetPathBootstrapControllerManager = "bootstrap-manifests/bootstrap-controller-manager.yaml"
AssetPathBootstrapScheduler = "bootstrap-manifests/bootstrap-scheduler.yaml"
AssetPathBootstrapEtcd = "bootstrap-manifests/bootstrap-etcd.yaml"
AssetPathBootstrapEtcdService = "etcd/bootstrap-etcd-service.json"
AssetPathMigrateEtcdCluster = "etcd/migrate-etcd-cluster.json"
)

var (
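Review bot: The renamed constants `AssetPathEtcdClientCA` and `AssetPathEtcdServerCA` now differ by a single word, and the const block has no comment saying which side of the connection each CA verifies, something the old `EtcdCA`/`SelfHostedEtcdMemberClientCA` names at least hinted at. The static etcd manifest in pkg/asset/internal/templates.go pairs `--client-cert-auth=true` with `--trusted-ca-file=.../etcd/server-ca.crt`, so a comment on the `tls/etcd-client-*` group such as `// Credentials the apiserver presents when dialing etcd; etcd-client-ca.crt is what it trusts the server with` and on the `tls/etcd/*` group `// Server and peer credentials of the etcd members; server-ca.crt is the CA etcd verifies client certificates against` would stop the next reader from swapping them. None of the exported constants carry a doc comment, which golint will also flag.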
22 changes: 11 additions & 11 deletions pkg/asset/internal/templates.go
Expand Up @@ -170,7 +170,7 @@ spec:
- --client-ca-file=/etc/kubernetes/secrets/ca.crt
- --cloud-provider={{ .CloudProvider }}
{{- if .EtcdUseTLS }}
- --etcd-cafile=/etc/kubernetes/secrets/etcd-ca.crt
- --etcd-cafile=/etc/kubernetes/secrets/etcd-client-ca.crt
- --etcd-certfile=/etc/kubernetes/secrets/etcd-client.crt
- --etcd-keyfile=/etc/kubernetes/secrets/etcd-client.key
{{- end }}
Expand Down Expand Up @@ -246,7 +246,7 @@ spec:
- --bind-address=0.0.0.0
- --client-ca-file=/etc/kubernetes/secrets/ca.crt
{{- if .EtcdUseTLS }}
- --etcd-cafile=/etc/kubernetes/secrets/etcd-ca.crt
- --etcd-cafile=/etc/kubernetes/secrets/etcd-client-ca.crt
- --etcd-certfile=/etc/kubernetes/secrets/etcd-client.crt
- --etcd-keyfile=/etc/kubernetes/secrets/etcd-client.key
{{- end }}
Expand Down Expand Up @@ -964,13 +964,13 @@ spec:
- --initial-cluster-state=new
- --data-dir=/var/etcd/data
- --peer-client-cert-auth=true
- --peer-trusted-ca-file=/etc/kubernetes/secrets/etcdMember/peer-ca.crt
- --peer-cert-file=/etc/kubernetes/secrets/etcdMember/peer.crt
- --peer-key-file=/etc/kubernetes/secrets/etcdMember/peer.key
- --peer-trusted-ca-file=/etc/kubernetes/secrets/etcd/peer-ca.crt
- --peer-cert-file=/etc/kubernetes/secrets/etcd/peer.crt
- --peer-key-file=/etc/kubernetes/secrets/etcd/peer.key
- --client-cert-auth=true
- --trusted-ca-file=/etc/kubernetes/secrets/etcdMember/server-ca.crt
- --cert-file=/etc/kubernetes/secrets/etcdMember/server.crt
- --key-file=/etc/kubernetes/secrets/etcdMember/server.key
- --trusted-ca-file=/etc/kubernetes/secrets/etcd/server-ca.crt
- --cert-file=/etc/kubernetes/secrets/etcd/server.crt
- --key-file=/etc/kubernetes/secrets/etcd/server.key
volumeMounts:
- mountPath: /etc/kubernetes/secrets
name: secrets
Expand Down Expand Up @@ -1039,10 +1039,10 @@ var EtcdTPRTemplate = []byte(`{
"TLS": {
"static": {
"member": {
"peerSecret": "etcd-member-peer-tls",
"serverSecret": "etcd-member-client-tls"
"peerSecret": "etcd-peer-tls",
"serverSecret": "etcd-server-tls"
},
"operatorSecret": "etcd-operator-client-tls"
"operatorSecret": "etcd-client-tls"
}
}
}
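Review bot: The Secret names `etcd-client-tls`, `etcd-peer-tls` and `etcd-server-tls` in the last hunk are bare string literals inside `EtcdTPRTemplate`, while the manifests that presumably create those Secrets are only reachable through `AssetPathEtcdClientSecret`, `AssetPathEtcdPeerSecret` and `AssetPathEtcdServerSecret` in pkg/asset/asset.go; the two agree by convention alone, which is why this commit had to edit both. A rename on either side leaves the operator looking up a Secret that does not exist and only surfaces when the etcd cluster is created. One set of Secret-name constants rendered into the template through its data struct (a constructed field such as `{{ .EtcdClientSecretName }}`) would tie them together; failing that, a comment next to the literals, e.g. `// Secret names must match metadata.name in the etcd-*-tls.yaml manifests produced by pkg/asset`, records the coupling. The `EtcdTPRTemplate` literal starts in this hunk and ends past it.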