From 4a877855e63859264b4af3fa616582a554ba2b12 Mon Sep 17 00:00:00 2001
From: Hongchao Deng
Date: Fri, 30 Jun 2017 10:20:08 -0700
Subject: [PATCH] TLS: converge asset naming of SH and non-SH etcd
---
 hack/multi-node/Vagrantfile | 10 ++-
 hack/multi-node/bootkube-test-recovery | 2 +-
 hack/multi-node/etcd-cloud-config.yaml | 12 +-
 hack/quickstart/init-master.sh | 16 ++-
 hack/single-node/Vagrantfile | 10 ++-
 hack/single-node/user-data-etcd.sample | 12 +-
 pkg/asset/asset.go | 113 ++++++++++++-------
 pkg/asset/internal/templates.go | 22 ++--
 pkg/asset/k8s.go | 38 ++++-----
 pkg/asset/tls.go | 33 ++++---
 pkg/recovery/etcd_template.go | 12 +-
 pkg/recovery/recover.go | 6 +-
 pkg/util/etcdutil/migrate.go | 2 +-
 pkg/util/etcdutil/util.go | 6 +-
 14 files changed, 153 insertions(+), 141 deletions(-)
diff --git a/hack/multi-node/Vagrantfile b/hack/multi-node/Vagrantfile
index 6d75885a9..6344cbc26 100644
--- a/hack/multi-node/Vagrantfile
+++ b/hack/multi-node/Vagrantfile
@@ -22,7 +22,8 @@ CONTROLLER_USER_DATA_PATH = File.expand_path("./cluster/user-data-controller")
 WORKER_USER_DATA_PATH = File.expand_path("./cluster/user-data-worker")
 KUBECONFIG_PATH = File.expand_path("cluster/auth/kubeconfig")
 CA_CERT_PATH = File.expand_path("cluster/tls/ca.crt")
-ETCD_CERT_GLOB = File.expand_path("cluster/tls/etcd-*")
+ETCD_CLI_CERT_GLOB = File.expand_path("cluster/tls/etcd-*")
+ETCD_CERT_GLOB = File.expand_path("cluster/tls/etcd/*")
 def etcdIP(num)
 return "172.17.4.#{num+50}"
@@ -112,10 +113,15 @@ Vagrant.configure("2") do |config|
 etcd.vm.provision :shell, inline: "mv /tmp/vagrantfile-user-data /var/lib/coreos-vagrant/", privileged: true
 etcd.vm.provision :shell, :inline => "mkdir -p /etc/etcd/tls", :privileged => true
- Dir.glob(ETCD_CERT_GLOB) do |etcd_cert_file|
+ Dir.glob(ETCD_CLI_CERT_GLOB) do |etcd_cert_file|
 etcd.vm.provision :file, :source => etcd_cert_file, :destination => "/tmp/#{File.basename(etcd_cert_file)}"
 etcd.vm.provision :shell, :inline => "mv /tmp/#{File.basename(etcd_cert_file)} /etc/etcd/tls/", :privileged => true
 end
+ etcd.vm.provision :shell, :inline => "mkdir -p /etc/etcd/tls/etcd", :privileged => true
+ Dir.glob(ETCD_CERT_GLOB) do |etcd_cert_file|
+ etcd.vm.provision :file, :source => etcd_cert_file, :destination => "/tmp/#{File.basename(etcd_cert_file)}"
+ etcd.vm.provision :shell, :inline => "mv /tmp/#{File.basename(etcd_cert_file)} /etc/etcd/tls/etcd/", :privileged => true
+ end
 etcd.vm.provision :shell, :inline => "chown -R etcd:etcd /etc/etcd", :privileged => true
 etcd.vm.provision :shell, :inline => "chmod -R u=rX,g=,o= /etc/etcd", :privileged => true
 end
diff --git a/hack/multi-node/bootkube-test-recovery b/hack/multi-node/bootkube-test-recovery
index 429de2f78..086dcc69e 100755
--- a/hack/multi-node/bootkube-test-recovery
+++ b/hack/multi-node/bootkube-test-recovery
@@ -36,7 +36,7 @@ echo
 scp -q -F ssh_config ../../_output/bin/linux/bootkube cluster/auth/kubeconfig cluster/tls/etcd-* core@$HOST:/home/core
 ssh -q -F ssh_config core@$HOST "GLOG_v=${GLOG_v} /home/core/bootkube recover \
 --recovery-dir=/home/core/recovered \
- --etcd-ca-path=/home/core/etcd-ca.crt \
+ --etcd-ca-path=/home/core/etcd-client-ca.crt \
 --etcd-certificate-path=/home/core/etcd-client.crt \
 --etcd-private-key-path=/home/core/etcd-client.key \
 --etcd-servers=https://172.17.4.51:2379 \
diff --git a/hack/multi-node/etcd-cloud-config.yaml b/hack/multi-node/etcd-cloud-config.yaml
index 615fa45f6..b9e7d18cf 100644
--- a/hack/multi-node/etcd-cloud-config.yaml
+++ b/hack/multi-node/etcd-cloud-config.yaml
@@ -21,10 +21,10 @@ coreos:
 Environment="ETCD_LISTEN_PEER_URLS=https://$private_ipv4:2380"
 Environment="ETCD_INITIAL_CLUSTER={{ETCD_INITIAL_CLUSTER}}"
 Environment="ETCD_SSL_DIR=/etc/etcd/tls"
- Environment="ETCD_TRUSTED_CA_FILE=/etc/ssl/certs/etcd-ca.crt"
- Environment="ETCD_CERT_FILE=/etc/ssl/certs/etcd-client.crt"
- Environment="ETCD_KEY_FILE=/etc/ssl/certs/etcd-client.key"
+ Environment="ETCD_TRUSTED_CA_FILE=/etc/ssl/certs/etcd/server-ca.crt"
+ Environment="ETCD_CERT_FILE=/etc/ssl/certs/etcd/server.crt"
+ Environment="ETCD_KEY_FILE=/etc/ssl/certs/etcd/server.key"
 Environment="ETCD_CLIENT_CERT_AUTH=true"
- Environment="ETCD_PEER_TRUSTED_CA_FILE=/etc/ssl/certs/etcd-ca.crt"
- Environment="ETCD_PEER_CERT_FILE=/etc/ssl/certs/etcd-peer.crt"
- Environment="ETCD_PEER_KEY_FILE=/etc/ssl/certs/etcd-peer.key"
+ Environment="ETCD_PEER_TRUSTED_CA_FILE=/etc/ssl/certs/etcd/peer-ca.crt"
+ Environment="ETCD_PEER_CERT_FILE=/etc/ssl/certs/etcd/peer.crt"
+ Environment="ETCD_PEER_KEY_FILE=/etc/ssl/certs/etcd/peer.key"
diff --git a/hack/quickstart/init-master.sh b/hack/quickstart/init-master.sh
index 8ff384f0b..1bbe3633d 100755
--- a/hack/quickstart/init-master.sh
+++ b/hack/quickstart/init-master.sh
@@ -20,7 +20,9 @@ function usage() {
 function configure_etcd() {
 [ -f "/etc/systemd/system/etcd-member.service.d/10-etcd-member.conf" ] || {
 mkdir -p /etc/etcd/tls
- cp /home/${REMOTE_USER}/assets/tls/etcd* /etc/etcd/tls
+ cp /home/${REMOTE_USER}/assets/tls/etcd-* /etc/etcd/tls
+ mkdir -p /etc/etcd/tls/etcd
+ cp /home/${REMOTE_USER}/assets/tls/etcd/* /etc/etcd/tls/etcd
 chown -R etcd:etcd /etc/etcd
 chmod -R u=rX,g=,o= /etc/etcd
 mkdir -p /etc/systemd/system/etcd-member.service.d
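Review bot: The two `cp` lines that place the etcd server and peer private keys under `/etc/etcd/tls/etcd` run before the `chown -R`/`chmod -R u=rX,g=,o=` at the end of the block, so until those run the copies carry whatever mode the files under `/home/${REMOTE_USER}/assets/tls` have, masked only by the caller's umask. Creating them under a restrictive umask closes that window without changing the end result: wrap the lines from the first `cp` through the second in a subshell, `(umask 077; cp /home/${REMOTE_USER}/assets/tls/etcd-* /etc/etcd/tls; mkdir -p /etc/etcd/tls/etcd; cp /home/${REMOTE_USER}/assets/tls/etcd/* /etc/etcd/tls/etcd)`. The originals also stay in the remote user's home after the copy; if nothing later removes `assets/tls`, the etcd keys remain readable to that account, which deserves either a comment saying that is intended or a cleanup step once etcd-member is configured. `configure_etcd` and the heredoc it writes continue past this hunk.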
@@ -34,13 +36,13 @@ Environment="ETCD_ADVERTISE_CLIENT_URLS=https://${COREOS_PRIVATE_IPV4}:2379"
 Environment="ETCD_LISTEN_CLIENT_URLS=https://0.0.0.0:2379"
 Environment="ETCD_LISTEN_PEER_URLS=https://0.0.0.0:2380"
 Environment="ETCD_SSL_DIR=/etc/etcd/tls"
-Environment="ETCD_TRUSTED_CA_FILE=/etc/ssl/certs/etcd-ca.crt"
-Environment="ETCD_CERT_FILE=/etc/ssl/certs/etcd-client.crt"
-Environment="ETCD_KEY_FILE=/etc/ssl/certs/etcd-client.key"
+Environment="ETCD_TRUSTED_CA_FILE=/etc/ssl/certs/etcd/server-ca.crt"
+Environment="ETCD_CERT_FILE=/etc/ssl/certs/etcd/server.crt"
+Environment="ETCD_KEY_FILE=/etc/ssl/certs/etcd/server.key"
 Environment="ETCD_CLIENT_CERT_AUTH=true"
-Environment="ETCD_PEER_TRUSTED_CA_FILE=/etc/ssl/certs/etcd-ca.crt"
-Environment="ETCD_PEER_CERT_FILE=/etc/ssl/certs/etcd-peer.crt"
-Environment="ETCD_PEER_KEY_FILE=/etc/ssl/certs/etcd-peer.key"
+Environment="ETCD_PEER_TRUSTED_CA_FILE=/etc/ssl/certs/etcd/peer-ca.crt"
+Environment="ETCD_PEER_CERT_FILE=/etc/ssl/certs/etcd/peer.crt"
+Environment="ETCD_PEER_KEY_FILE=/etc/ssl/certs/etcd/peer.key"
 EOF
 }
 }
diff --git a/hack/single-node/Vagrantfile b/hack/single-node/Vagrantfile
index 478180ad9..936458b07 100644
--- a/hack/single-node/Vagrantfile
+++ b/hack/single-node/Vagrantfile
@@ -14,7 +14,8 @@ NODE_IP = "172.17.4.100"
 USER_DATA_PATH = File.expand_path("cluster/user-data")
 KUBECONFIG_PATH = File.expand_path("cluster/auth/kubeconfig")
 CA_CERT_PATH = File.expand_path("cluster/tls/ca.crt")
-ETCD_CERT_GLOB = File.expand_path("cluster/tls/etcd-*")
+ETCD_CLI_CERT_GLOB = File.expand_path("cluster/tls/etcd-*")
+ETCD_CERT_GLOB = File.expand_path("cluster/tls/etcd/*")
 Vagrant.configure("2") do |config|
 # always use Vagrant's insecure key
@@ -64,10 +65,15 @@ Vagrant.configure("2") do |config|
 config.vm.provision :shell, :inline => "mv /tmp/ca.crt /etc/kubernetes/ca.crt", :privileged => true
 config.vm.provision :shell, :inline => "mkdir -p /etc/etcd/tls", :privileged => true
- Dir.glob(ETCD_CERT_GLOB) do |etcd_cert_file|
+ Dir.glob(ETCD_CLI_CERT_GLOB) do |etcd_cert_file|
 config.vm.provision :file, :source => etcd_cert_file, :destination => "/tmp/#{File.basename(etcd_cert_file)}"
 config.vm.provision :shell, :inline => "mv /tmp/#{File.basename(etcd_cert_file)} /etc/etcd/tls/", :privileged => true
 end
+ config.vm.provision :shell, :inline => "mkdir -p /etc/etcd/tls/etcd", :privileged => true
+ Dir.glob(ETCD_CERT_GLOB) do |etcd_cert_file|
+ config.vm.provision :file, :source => etcd_cert_file, :destination => "/tmp/#{File.basename(etcd_cert_file)}"
+ config.vm.provision :shell, :inline => "mv /tmp/#{File.basename(etcd_cert_file)} /etc/etcd/tls/etcd/", :privileged => true
+ end
 config.vm.provision :shell, :inline => "chown -R etcd:etcd /etc/etcd", :privileged => true
 config.vm.provision :shell, :inline => "chmod -R u=rX,g=,o= /etc/etcd", :privileged => true
 end
diff --git a/hack/single-node/user-data-etcd.sample b/hack/single-node/user-data-etcd.sample
index 01bd88e54..ff1735018 100644
--- a/hack/single-node/user-data-etcd.sample
+++ b/hack/single-node/user-data-etcd.sample
@@ -12,11 +12,11 @@
 Environment="ETCD_LISTEN_CLIENT_URLS=https://0.0.0.0:2379"
 Environment="ETCD_LISTEN_PEER_URLS=https://0.0.0.0:2380"
 Environment="ETCD_SSL_DIR=/etc/etcd/tls"
- Environment="ETCD_TRUSTED_CA_FILE=/etc/ssl/certs/etcd-ca.crt"
- Environment="ETCD_CERT_FILE=/etc/ssl/certs/etcd-client.crt"
- Environment="ETCD_KEY_FILE=/etc/ssl/certs/etcd-client.key"
+ Environment="ETCD_TRUSTED_CA_FILE=/etc/ssl/certs/etcd/server-ca.crt"
+ Environment="ETCD_CERT_FILE=/etc/ssl/certs/etcd/server.crt"
+ Environment="ETCD_KEY_FILE=/etc/ssl/certs/etcd/server.key"
 Environment="ETCD_CLIENT_CERT_AUTH=true"
- Environment="ETCD_PEER_TRUSTED_CA_FILE=/etc/ssl/certs/etcd-ca.crt"
- Environment="ETCD_PEER_CERT_FILE=/etc/ssl/certs/etcd-peer.crt"
- Environment="ETCD_PEER_KEY_FILE=/etc/ssl/certs/etcd-peer.key"
+ Environment="ETCD_PEER_TRUSTED_CA_FILE=/etc/ssl/certs/etcd/peer-ca.crt"
+ Environment="ETCD_PEER_CERT_FILE=/etc/ssl/certs/etcd/peer.crt"
+ Environment="ETCD_PEER_KEY_FILE=/etc/ssl/certs/etcd/peer.key"
 command: start
diff --git a/pkg/asset/asset.go b/pkg/asset/asset.go
index 14c331c20..73abbbbe8 100644
--- a/pkg/asset/asset.go
+++ b/pkg/asset/asset.go
@@ -15,65 +15,60 @@ import (
 )
 const (
- AssetPathSecrets = "tls"
- AssetPathCAKey = "tls/ca.key"
- AssetPathCACert = "tls/ca.crt"
- AssetPathAPIServerKey = "tls/apiserver.key"
- AssetPathAPIServerCert = "tls/apiserver.crt"
- AssetPathEtcdCA = "tls/etcd-ca.crt"
- AssetPathEtcdClientCert = "tls/etcd-client.crt"
- AssetPathEtcdClientKey = "tls/etcd-client.key"
- AssetPathEtcdPeerCert = "tls/etcd-peer.crt"
- AssetPathEtcdPeerKey = "tls/etcd-peer.key"
- AssetPathSelfHostedOperatorEtcdCA = "tls/operator/etcd-client-ca.crt"
- AssetPathSelfHostedOperatorEtcdCert = "tls/operator/etcd-client.crt"
- AssetPathSelfHostedOperatorEtcdKey = "tls/operator/etcd-client.key"
- AssetPathSelfHostedEtcdMemberClientCA = "tls/etcdMember/server-ca.crt"
- AssetPathSelfHostedEtcdMemberClientCert = "tls/etcdMember/server.crt"
- AssetPathSelfHostedEtcdMemberClientKey = "tls/etcdMember/server.key"
- AssetPathSelfHostedEtcdMemberPeerCA = "tls/etcdMember/peer-ca.crt"
- AssetPathSelfHostedEtcdMemberPeerCert = "tls/etcdMember/peer.crt"
- AssetPathSelfHostedEtcdMemberPeerKey = "tls/etcdMember/peer.key"
- AssetPathServiceAccountPrivKey = "tls/service-account.key"
- AssetPathServiceAccountPubKey = "tls/service-account.pub"
- AssetPathKubeletKey = "tls/kubelet.key"
- AssetPathKubeletCert = "tls/kubelet.crt"
- AssetPathKubeConfig = "auth/kubeconfig"
- AssetPathManifests = "manifests"
- AssetPathKubelet = "manifests/kubelet.yaml"
- AssetPathProxy = "manifests/kube-proxy.yaml"
- AssetPathKubeFlannel = "manifests/kube-flannel.yaml"
- AssetPathKubeFlannelCfg = "manifests/kube-flannel-cfg.yaml"
- AssetPathKubeCalico = "manifests/kube-calico.yaml"
- AssetPathKubeCalicoCfg = "manifests/kube-calico-cfg.yaml"
- AssetPathKubeCalcioSA = "manifests/kube-calico-sa.yaml"
- AssetPathKubeCalcioRole = "manifests/kube-calico-role.yaml"
- AssetPathKubeCalcioRoleBinding = "manifests/kube-calico-role-binding.yaml"
- AssetPathAPIServerSecret = "manifests/kube-apiserver-secret.yaml"
- AssetPathAPIServer = "manifests/kube-apiserver.yaml"
- AssetPathControllerManager = "manifests/kube-controller-manager.yaml"
- AssetPathControllerManagerSecret = "manifests/kube-controller-manager-secret.yaml"
- AssetPathControllerManagerDisruption = "manifests/kube-controller-manager-disruption.yaml"
- AssetPathScheduler = "manifests/kube-scheduler.yaml"
- AssetPathSchedulerDisruption = "manifests/kube-scheduler-disruption.yaml"
- AssetPathKubeDNSDeployment = "manifests/kube-dns-deployment.yaml"
- AssetPathKubeDNSSvc = "manifests/kube-dns-svc.yaml"
- AssetPathSystemNamespace = "manifests/kube-system-ns.yaml"
- AssetPathCheckpointer = "manifests/pod-checkpointer.yaml"
- AssetPathEtcdOperator = "manifests/etcd-operator.yaml"
- AssetPathSelfHostedEtcdOperatorSecret = "manifests/etcd-operator-client-tls.yaml"
- AssetPathSelfHostedEtcdMemberPeerSecret = "manifests/etcd-member-peer-tls.yaml"
- AssetPathSelfHostedEtcdMemberCliSecret = "manifests/etcd-member-client-tls.yaml"
- AssetPathEtcdSvc = "manifests/etcd-service.yaml"
- AssetPathKenc = "manifests/kube-etcd-network-checkpointer.yaml"
- AssetPathKubeSystemSARoleBinding = "manifests/kube-system-rbac-role-binding.yaml"
- AssetPathBootstrapManifests = "bootstrap-manifests"
- AssetPathBootstrapAPIServer = "bootstrap-manifests/bootstrap-apiserver.yaml"
- AssetPathBootstrapControllerManager = "bootstrap-manifests/bootstrap-controller-manager.yaml"
- AssetPathBootstrapScheduler = "bootstrap-manifests/bootstrap-scheduler.yaml"
- AssetPathBootstrapEtcd = "bootstrap-manifests/bootstrap-etcd.yaml"
- AssetPathBootstrapEtcdService = "etcd/bootstrap-etcd-service.json"
- AssetPathMigrateEtcdCluster = "etcd/migrate-etcd-cluster.json"
+ AssetPathSecrets = "tls"
+ AssetPathCAKey = "tls/ca.key"
+ AssetPathCACert = "tls/ca.crt"
+ AssetPathAPIServerKey = "tls/apiserver.key"
+ AssetPathAPIServerCert = "tls/apiserver.crt"
+ AssetPathEtcdClientCA = "tls/etcd-client-ca.crt"
+ AssetPathEtcdClientCert = "tls/etcd-client.crt"
+ AssetPathEtcdClientKey = "tls/etcd-client.key"
+ AssetPathEtcdServerCA = "tls/etcd/server-ca.crt"
+ AssetPathEtcdServerCert = "tls/etcd/server.crt"
+ AssetPathEtcdServerKey = "tls/etcd/server.key"
+ AssetPathEtcdPeerCA = "tls/etcd/peer-ca.crt"
+ AssetPathEtcdPeerCert = "tls/etcd/peer.crt"
+ AssetPathEtcdPeerKey = "tls/etcd/peer.key"
+ AssetPathServiceAccountPrivKey = "tls/service-account.key"
+ AssetPathServiceAccountPubKey = "tls/service-account.pub"
+ AssetPathKubeletKey = "tls/kubelet.key"
+ AssetPathKubeletCert = "tls/kubelet.crt"
+ AssetPathKubeConfig = "auth/kubeconfig"
+ AssetPathManifests = "manifests"
+ AssetPathKubelet = "manifests/kubelet.yaml"
+ AssetPathProxy = "manifests/kube-proxy.yaml"
+ AssetPathKubeFlannel = "manifests/kube-flannel.yaml"
+ AssetPathKubeFlannelCfg = "manifests/kube-flannel-cfg.yaml"
+ AssetPathKubeCalico = "manifests/kube-calico.yaml"
+ AssetPathKubeCalicoCfg = "manifests/kube-calico-cfg.yaml"
+ AssetPathKubeCalcioSA = "manifests/kube-calico-sa.yaml"
+ AssetPathKubeCalcioRole = "manifests/kube-calico-role.yaml"
+ AssetPathKubeCalcioRoleBinding = "manifests/kube-calico-role-binding.yaml"
+ AssetPathAPIServerSecret = "manifests/kube-apiserver-secret.yaml"
+ AssetPathAPIServer = "manifests/kube-apiserver.yaml"
+ AssetPathControllerManager = "manifests/kube-controller-manager.yaml"
+ AssetPathControllerManagerSecret = "manifests/kube-controller-manager-secret.yaml"
+ AssetPathControllerManagerDisruption = "manifests/kube-controller-manager-disruption.yaml"
+ AssetPathScheduler = "manifests/kube-scheduler.yaml"
+ AssetPathSchedulerDisruption = "manifests/kube-scheduler-disruption.yaml"
+ AssetPathKubeDNSDeployment = "manifests/kube-dns-deployment.yaml"
+ AssetPathKubeDNSSvc = "manifests/kube-dns-svc.yaml"
+ AssetPathSystemNamespace = "manifests/kube-system-ns.yaml"
+ AssetPathCheckpointer = "manifests/pod-checkpointer.yaml"
+ AssetPathEtcdOperator = "manifests/etcd-operator.yaml"
+ AssetPathEtcdSvc = "manifests/etcd-service.yaml"
+ AssetPathEtcdClientSecret = "manifests/etcd-client-tls.yaml"
+ AssetPathEtcdPeerSecret = "manifests/etcd-peer-tls.yaml"
+ AssetPathEtcdServerSecret = "manifests/etcd-server-tls.yaml"
+ AssetPathKenc = "manifests/kube-etcd-network-checkpointer.yaml"
+ AssetPathKubeSystemSARoleBinding = "manifests/kube-system-rbac-role-binding.yaml"
+ AssetPathBootstrapManifests = "bootstrap-manifests"
+ AssetPathBootstrapAPIServer = "bootstrap-manifests/bootstrap-apiserver.yaml"
+ AssetPathBootstrapControllerManager = "bootstrap-manifests/bootstrap-controller-manager.yaml"
+ AssetPathBootstrapScheduler = "bootstrap-manifests/bootstrap-scheduler.yaml"
+ AssetPathBootstrapEtcd = "bootstrap-manifests/bootstrap-etcd.yaml"
+ AssetPathBootstrapEtcdService = "etcd/bootstrap-etcd-service.json"
+ AssetPathMigrateEtcdCluster = "etcd/migrate-etcd-cluster.json"
 )
 var (
diff --git a/pkg/asset/internal/templates.go b/pkg/asset/internal/templates.go
index 9a64bc221..08cb67e73 100644
--- a/pkg/asset/internal/templates.go
+++ b/pkg/asset/internal/templates.go
@@ -170,7 +170,7 @@ spec:
 - --client-ca-file=/etc/kubernetes/secrets/ca.crt
 - --cloud-provider={{ .CloudProvider }}
 {{- if .EtcdUseTLS }}
- - --etcd-cafile=/etc/kubernetes/secrets/etcd-ca.crt
+ - --etcd-cafile=/etc/kubernetes/secrets/etcd-client-ca.crt
 - --etcd-certfile=/etc/kubernetes/secrets/etcd-client.crt
 - --etcd-keyfile=/etc/kubernetes/secrets/etcd-client.key
 {{- end }}
@@ -246,7 +246,7 @@ spec:
 - --bind-address=0.0.0.0
 - --client-ca-file=/etc/kubernetes/secrets/ca.crt
 {{- if .EtcdUseTLS }}
- - --etcd-cafile=/etc/kubernetes/secrets/etcd-ca.crt
+ - --etcd-cafile=/etc/kubernetes/secrets/etcd-client-ca.crt
 - --etcd-certfile=/etc/kubernetes/secrets/etcd-client.crt
 - --etcd-keyfile=/etc/kubernetes/secrets/etcd-client.key
 {{- end }}
@@ -964,13 +964,13 @@ spec:
 - --initial-cluster-state=new
 - --data-dir=/var/etcd/data
 - --peer-client-cert-auth=true
- - --peer-trusted-ca-file=/etc/kubernetes/secrets/etcdMember/peer-ca.crt
- - --peer-cert-file=/etc/kubernetes/secrets/etcdMember/peer.crt
- - --peer-key-file=/etc/kubernetes/secrets/etcdMember/peer.key
+ - --peer-trusted-ca-file=/etc/kubernetes/secrets/etcd/peer-ca.crt
+ - --peer-cert-file=/etc/kubernetes/secrets/etcd/peer.crt
+ - --peer-key-file=/etc/kubernetes/secrets/etcd/peer.key
 - --client-cert-auth=true
- - --trusted-ca-file=/etc/kubernetes/secrets/etcdMember/server-ca.crt
- - --cert-file=/etc/kubernetes/secrets/etcdMember/server.crt
- - --key-file=/etc/kubernetes/secrets/etcdMember/server.key
+ - --trusted-ca-file=/etc/kubernetes/secrets/etcd/server-ca.crt
+ - --cert-file=/etc/kubernetes/secrets/etcd/server.crt
+ - --key-file=/etc/kubernetes/secrets/etcd/server.key
 volumeMounts:
 - mountPath: /etc/kubernetes/secrets
 name: secrets
@@ -1039,10 +1039,10 @@ var EtcdTPRTemplate = []byte(`{
 "TLS": {
 "static": {
 "member": {
- "peerSecret": "etcd-member-peer-tls",
- "serverSecret": "etcd-member-client-tls"
+ "peerSecret": "etcd-peer-tls",
+ "serverSecret": "etcd-server-tls"
 },
- "operatorSecret": "etcd-operator-client-tls"
+ "operatorSecret": "etcd-client-tls"
 }
 }
 }
diff --git a/pkg/asset/k8s.go b/pkg/asset/k8s.go
index a2cabcfe2..9f9ca31e0 100644
--- a/pkg/asset/k8s.go
+++ b/pkg/asset/k8s.go
@@ -15,9 +15,9 @@ const (
 // The name of the k8s service that selects self-hosted etcd pods
 EtcdServiceName = "etcd-service"
- SecretEtcdMemberPeer = "etcd-member-peer-tls"
- SecretEtcdMemberCli = "etcd-member-client-tls"
- SecretEtcdOperator = "etcd-operator-client-tls"
+ SecretEtcdPeer = "etcd-peer-tls"
+ SecretEtcdServer = "etcd-server-tls"
+ SecretEtcdClient = "etcd-client-tls"
 secretNamespace = "kube-system"
 secretAPIServerName = "kube-apiserver"
@@ -111,35 +111,35 @@ func newKubeConfigAsset(assets Assets, conf Config) (Asset, error) {
 func newSelfHostedEtcdSecretAssets(assets Assets) (Assets, error) {
 var res Assets
- secretYAML, err := secretFromAssets(SecretEtcdMemberPeer, secretNamespace, []string{
- AssetPathSelfHostedEtcdMemberPeerCA,
- AssetPathSelfHostedEtcdMemberPeerCert,
- AssetPathSelfHostedEtcdMemberPeerKey,
+ secretYAML, err := secretFromAssets(SecretEtcdPeer, secretNamespace, []string{
+ AssetPathEtcdPeerCA,
+ AssetPathEtcdPeerCert,
+ AssetPathEtcdPeerKey,
 }, assets)
 if err != nil {
 return nil, err
 }
- res = append(res, Asset{Name: AssetPathSelfHostedEtcdMemberPeerSecret, Data: secretYAML})
+ res = append(res, Asset{Name: AssetPathEtcdPeerSecret, Data: secretYAML})
- secretYAML, err = secretFromAssets(SecretEtcdMemberCli, secretNamespace, []string{
- AssetPathSelfHostedEtcdMemberClientCA,
- AssetPathSelfHostedEtcdMemberClientCert,
- AssetPathSelfHostedEtcdMemberClientKey,
+ secretYAML, err = secretFromAssets(SecretEtcdServer, secretNamespace, []string{
+ AssetPathEtcdServerCA,
+ AssetPathEtcdServerCert,
+ AssetPathEtcdServerKey,
 }, assets)
 if err != nil {
 return nil, err
 }
- res = append(res, Asset{Name: AssetPathSelfHostedEtcdMemberCliSecret, Data: secretYAML})
+ res = append(res, Asset{Name: AssetPathEtcdServerSecret, Data: secretYAML})
- secretYAML, err = secretFromAssets(SecretEtcdOperator, secretNamespace, []string{
- AssetPathSelfHostedOperatorEtcdCA,
- AssetPathSelfHostedOperatorEtcdCert,
- AssetPathSelfHostedOperatorEtcdKey,
+ secretYAML, err = secretFromAssets(SecretEtcdClient, secretNamespace, []string{
+ AssetPathEtcdClientCA,
+ AssetPathEtcdClientCert,
+ AssetPathEtcdClientKey,
 }, assets)
 if err != nil {
 return nil, err
 }
- res = append(res, Asset{Name: AssetPathSelfHostedEtcdOperatorSecret, Data: secretYAML})
+ res = append(res, Asset{Name: AssetPathEtcdClientSecret, Data: secretYAML})
 return res, nil
 }
@@ -153,7 +153,7 @@ func newAPIServerSecretAsset(assets Assets, etcdUseTLS bool) (Asset, error) {
 }
 if etcdUseTLS {
 secretAssets = append(secretAssets, []string{
- AssetPathEtcdCA,
+ AssetPathEtcdClientCA,
 AssetPathEtcdClientCert,
 AssetPathEtcdClientKey,
 }...)
diff --git a/pkg/asset/tls.go b/pkg/asset/tls.go
index b96024882..31fa0ca70 100644
--- a/pkg/asset/tls.go
+++ b/pkg/asset/tls.go
@@ -132,14 +132,23 @@ func newEtcdTLSAssets(etcdCACert, etcdClientCert *x509.Certificate, etcdClientKe
 if err != nil {
 return nil, err
 }
+ etcdServerKey, etcdServerCert, err := newEtcdKeyAndCert(caCert, caPrivKey, "etcd-server", etcdServers)
+ if err != nil {
+ return nil, err
+ }
+
 assets = append(assets, []Asset{
+ {Name: AssetPathEtcdPeerCA, Data: tlsutil.EncodeCertificatePEM(etcdCACert)},
 {Name: AssetPathEtcdPeerKey, Data: tlsutil.EncodePrivateKeyPEM(etcdPeerKey)},
 {Name: AssetPathEtcdPeerCert, Data: tlsutil.EncodeCertificatePEM(etcdPeerCert)},
+ {Name: AssetPathEtcdServerCA, Data: tlsutil.EncodeCertificatePEM(etcdCACert)},
+ {Name: AssetPathEtcdServerKey, Data: tlsutil.EncodePrivateKeyPEM(etcdServerKey)},
+ {Name: AssetPathEtcdServerCert, Data: tlsutil.EncodeCertificatePEM(etcdServerCert)},
 }...)
 }
 assets = append(assets, []Asset{
- {Name: AssetPathEtcdCA, Data: tlsutil.EncodeCertificatePEM(etcdCACert)},
+ {Name: AssetPathEtcdClientCA, Data: tlsutil.EncodeCertificatePEM(etcdCACert)},
 {Name: AssetPathEtcdClientKey, Data: tlsutil.EncodePrivateKeyPEM(etcdClientKey)},
 {Name: AssetPathEtcdClientCert, Data: tlsutil.EncodeCertificatePEM(etcdClientCert)},
 }...)
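Review bot: The new `server.crt` is issued with `caCert`/`caPrivKey`, but the trust anchor written next to it as `server-ca.crt`, and the one handed to clients as `etcd-client-ca.crt`, is `etcdCACert`; nothing in the hunk ties the two together, so a caller passing a `caCert` that is not `etcdCACert` (or does not chain to it) would produce an asset tree that looks consistent yet makes the apiserver reject the etcd server certificate at first connection. A comment at the new call makes the invariant visible — `// server.crt is signed by caCert; clients validate it against etcd-client-ca.crt (etcdCACert), so the two must be the same CA or chain to it` — and if the caller cannot guarantee that, a check such as `if err := etcdServerCert.CheckSignatureFrom(etcdCACert); err != nil { return nil, err }` before the append would surface the mismatch at asset-generation time. Because the generated configs set `ETCD_CLIENT_CERT_AUTH=true`, this same `server-ca.crt` is also what etcd uses to authenticate clients, so it must be the issuer of `etcdClientCert` as well. `newEtcdTLSAssets` begins before this hunk, so how `caCert` is derived from the parameters is not visible here.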
@@ -148,7 +157,7 @@ func newEtcdTLSAssets(etcdCACert, etcdClientCert *x509.Certificate, etcdClientKe
 }
 // newSelfHostedEtcdTLSAssets automatically generates three suites of x509 certificates (CA, key, cert)
-// for self-hosted etcd related components. Two suites are used by etcd members' client and peer ports;
+// for self-hosted etcd related components. Two suites are used by etcd members' server and peer ports;
 // one is used via etcd client to talk to etcd by operator, apiserver.
 // Self-hosted etcd doesn't allow user to specify etcd certs.
 func newSelfHostedEtcdTLSAssets(etcdSvcIP, bootEtcdSvcIP string, caCert *x509.Certificate, caPrivKey *rsa.PrivateKey) (Assets, error) {
@@ -169,9 +178,9 @@ func newSelfHostedEtcdTLSAssets(etcdSvcIP, bootEtcdSvcIP string, caCert *x509.Ce
 return nil, err
 }
 assets = append(assets, []Asset{
- {Name: AssetPathSelfHostedEtcdMemberClientCA, Data: tlsutil.EncodeCertificatePEM(caCert)},
- {Name: AssetPathSelfHostedEtcdMemberClientKey, Data: tlsutil.EncodePrivateKeyPEM(key)},
- {Name: AssetPathSelfHostedEtcdMemberClientCert, Data: tlsutil.EncodeCertificatePEM(cert)},
+ {Name: AssetPathEtcdServerCA, Data: tlsutil.EncodeCertificatePEM(caCert)},
+ {Name: AssetPathEtcdServerKey, Data: tlsutil.EncodePrivateKeyPEM(key)},
+ {Name: AssetPathEtcdServerCert, Data: tlsutil.EncodeCertificatePEM(cert)},
 }...)
 key, cert, err = newKeyAndCert(caCert, caPrivKey, "etcd member peer", []string{
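Review bot: The edited doc comment still speaks of "three suites of x509 certificates (CA, key, cert)", but every suite in this function is issued by the single `caCert`/`caPrivKey` it receives, and that same `caCert` is what is written out as `server-ca.crt`, `peer-ca.crt` and `etcd-client-ca.crt` in the hunks below. Since the etcd pod template runs with `--client-cert-auth=true` and `--peer-client-cert-auth=true`, any certificate chaining to that CA — not only the three generated here — is accepted on both the client and the peer port, and three differently named CA files invite a reader to assume three trust domains. Suggest stating it in the comment: `// All three suites are issued by the one CA passed in (caCert); the *-ca.crt assets are copies of it, so any certificate chaining to that CA can authenticate to etcd's client and peer ports.` If that `caCert` is the cluster CA behind tls/ca.crt that also issues kubelet and apiserver certificates (not visible here), a dedicated etcd CA would narrow that trust and is worth considering.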
@@ -183,9 +192,9 @@ func newSelfHostedEtcdTLSAssets(etcdSvcIP, bootEtcdSvcIP string, caCert *x509.Ce
 return nil, err
 }
 assets = append(assets, []Asset{
- {Name: AssetPathSelfHostedEtcdMemberPeerCA, Data: tlsutil.EncodeCertificatePEM(caCert)},
- {Name: AssetPathSelfHostedEtcdMemberPeerKey, Data: tlsutil.EncodePrivateKeyPEM(key)},
- {Name: AssetPathSelfHostedEtcdMemberPeerCert, Data: tlsutil.EncodeCertificatePEM(cert)},
+ {Name: AssetPathEtcdPeerCA, Data: tlsutil.EncodeCertificatePEM(caCert)},
+ {Name: AssetPathEtcdPeerKey, Data: tlsutil.EncodePrivateKeyPEM(key)},
+ {Name: AssetPathEtcdPeerCert, Data: tlsutil.EncodeCertificatePEM(cert)},
 }...)
 key, cert, err = newKeyAndCert(caCert, caPrivKey, "operator etcd client", nil)
@@ -193,13 +202,7 @@ func newSelfHostedEtcdTLSAssets(etcdSvcIP, bootEtcdSvcIP string, caCert *x509.Ce
 return nil, err
 }
 assets = append(assets, []Asset{
- {Name: AssetPathSelfHostedOperatorEtcdCA, Data: tlsutil.EncodeCertificatePEM(caCert)},
- {Name: AssetPathSelfHostedOperatorEtcdKey, Data: tlsutil.EncodePrivateKeyPEM(key)},
- {Name: AssetPathSelfHostedOperatorEtcdCert, Data: tlsutil.EncodeCertificatePEM(cert)},
- }...)
- // for APIServer
- assets = append(assets, []Asset{
- {Name: AssetPathEtcdCA, Data: tlsutil.EncodeCertificatePEM(caCert)},
+ {Name: AssetPathEtcdClientCA, Data: tlsutil.EncodeCertificatePEM(caCert)},
 {Name: AssetPathEtcdClientKey, Data: tlsutil.EncodePrivateKeyPEM(key)},
 {Name: AssetPathEtcdClientCert, Data: tlsutil.EncodeCertificatePEM(cert)},
 }...)
diff --git a/pkg/recovery/etcd_template.go b/pkg/recovery/etcd_template.go
index 0970c02c1..4c2cb49f6 100644
--- a/pkg/recovery/etcd_template.go
+++ b/pkg/recovery/etcd_template.go
@@ -124,13 +124,13 @@ spec:
 - --advertise-client-urls=https://{{ .BootEtcdServiceIP }}:12379
 - --data-dir=/var/etcd/data
 - --peer-client-cert-auth=true
- - --peer-trusted-ca-file=/etc/kubernetes/secrets/etcdMember/peer-ca.crt
- - --peer-cert-file=/etc/kubernetes/secrets/etcdMember/peer.crt
- - --peer-key-file=/etc/kubernetes/secrets/etcdMember/peer.key
+ - --peer-trusted-ca-file=/etc/kubernetes/secrets/etcd/peer-ca.crt
+ - --peer-cert-file=/etc/kubernetes/secrets/etcd/peer.crt
+ - --peer-key-file=/etc/kubernetes/secrets/etcd/peer.key
 - --client-cert-auth=true
- - --trusted-ca-file=/etc/kubernetes/secrets/etcdMember/server-ca.crt
- - --cert-file=/etc/kubernetes/secrets/etcdMember/server.crt
- - --key-file=/etc/kubernetes/secrets/etcdMember/server.key
+ - --trusted-ca-file=/etc/kubernetes/secrets/etcd/server-ca.crt
+ - --cert-file=/etc/kubernetes/secrets/etcd/server.crt
+ - --key-file=/etc/kubernetes/secrets/etcd/server.key
 volumeMounts:
 - mountPath: /var/etcd
 name: etcd
diff --git a/pkg/recovery/recover.go b/pkg/recovery/recover.go
index 05e469636..0397416d0 100644
--- a/pkg/recovery/recover.go
+++ b/pkg/recovery/recover.go
@@ -132,9 +132,9 @@ func (cp *controlPlane) renderBootstrap() (asset.Assets, error) {
 as = append(as, configMaps...)
 if isSelfHostedEtcd {
- requiredSecrets[asset.SecretEtcdMemberPeer] = filepath.Dir(asset.AssetPathSelfHostedEtcdMemberPeerCA)
- requiredSecrets[asset.SecretEtcdMemberCli] = filepath.Dir(asset.AssetPathSelfHostedEtcdMemberClientCA)
- requiredSecrets[asset.SecretEtcdOperator] = filepath.Dir(asset.AssetPathSelfHostedOperatorEtcdCA)
+ requiredSecrets[asset.SecretEtcdPeer] = filepath.Dir(asset.AssetPathEtcdPeerCA)
+ requiredSecrets[asset.SecretEtcdServer] = filepath.Dir(asset.AssetPathEtcdServerCA)
+ requiredSecrets[asset.SecretEtcdClient] = filepath.Dir(asset.AssetPathEtcdClientCA)
 }
 secrets, err := outputBootstrapSecrets(cp.secrets, requiredSecrets)
 if err != nil {
diff --git a/pkg/util/etcdutil/migrate.go b/pkg/util/etcdutil/migrate.go
index 8ea91917f..606b6ea1a 100644
--- a/pkg/util/etcdutil/migrate.go
+++ b/pkg/util/etcdutil/migrate.go
@@ -237,7 +237,7 @@ func cleanupBootstrapEtcdService(kubecli kubernetes.Interface) {
 }
 func detectEtcdTLS(assetDir string) (bool, error) {
- etcdCAAssetPath := filepath.Join(assetDir, asset.AssetPathSelfHostedOperatorEtcdCA)
+ etcdCAAssetPath := filepath.Join(assetDir, asset.AssetPathEtcdClientCA)
 _, err := os.Stat(etcdCAAssetPath)
 if err == nil {
 return true, nil
diff --git a/pkg/util/etcdutil/util.go b/pkg/util/etcdutil/util.go
index d0e8cea8f..7f22b664f 100644
--- a/pkg/util/etcdutil/util.go
+++ b/pkg/util/etcdutil/util.go
@@ -40,9 +40,9 @@ func WaitClusterReady(endpoint string, etcdTLS *tls.Config) error {
 func makeTLSConfig(assetDir string) (*tls.Config, error) {
 tlsInfo := transport.TLSInfo{
- TrustedCAFile: filepath.Join(assetDir, asset.AssetPathSelfHostedOperatorEtcdCA),
- CertFile: filepath.Join(assetDir, asset.AssetPathSelfHostedOperatorEtcdCert),
- KeyFile: filepath.Join(assetDir, asset.AssetPathSelfHostedOperatorEtcdKey),
+ TrustedCAFile: filepath.Join(assetDir, asset.AssetPathEtcdClientCA),
+ CertFile: filepath.Join(assetDir, asset.AssetPathEtcdClientCert),
+ KeyFile: filepath.Join(assetDir, asset.AssetPathEtcdClientKey),
 }
 return tlsInfo.ClientConfig()
 }
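Review bot: `detectEtcdTLS` now infers that etcd TLS is on from the presence of `etcd-client-ca.crt`, which after this change is written both by the self-hosted path and by `newEtcdTLSAssets` for externally managed etcd, whereas the old `tls/operator/etcd-client-ca.crt` existed only for self-hosted etcd. That is fine as long as this is only reached in the self-hosted flow, but the function no longer encodes that assumption itself, so a comment would stop the next reader from using it as a self-hosted check: `// etcd-client-ca.crt is emitted for both self-hosted and external etcd; this only says TLS client assets exist, not which mode is in use.` Note also that a successful `os.Stat` is taken as proof of TLS without reading the file, so an empty or truncated CA asset still reports true and only fails later in `makeTLSConfig`. The remainder of `detectEtcdTLS` is outside the hunk.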