airship/promenade
Code Issues Proposed changes

Merge "Use separate CA for kubelet authorization"

Browse Source
This commit is contained in:
Zuul 2018-09-19 19:40:35 +00:00 committed by Gerrit Code Review
commit f7b8f230f1
13 changed files with 58 additions and 19 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

2
charts/apiserver/templates/configmap-certs.yaml
View File

@ -28,4 +28,6 @@ data:
etcd-client-ca.pem: {{ .Values.secrets.etcd.tls.ca | quote }} etcd-client-ca.pem: {{ .Values.secrets.etcd.tls.ca | quote }}
etcd-client.pem: {{ .Values.secrets.etcd.tls.cert | quote }} etcd-client.pem: {{ .Values.secrets.etcd.tls.cert | quote }}
service-account.pub: {{ .Values.secrets.service_account.public_key | quote }} service-account.pub: {{ .Values.secrets.service_account.public_key | quote }}
kubelet-client-ca.pem: {{ .Values.secrets.kubelet.tls.ca | default .Values.secrets.tls.ca | quote }}
kubelet-client.pem: {{ .Values.secrets.kubelet.tls.cert | default .Values.secrets.tls.cert | quote }}
{{- end }} {{- end }}

4
charts/apiserver/templates/etc/_kubernetes-apiserver.yaml.tpl
View File

@ -54,8 +54,8 @@ spec:
- --tls-private-key-file=/etc/kubernetes/apiserver/pki/apiserver-key.pem - --tls-private-key-file=/etc/kubernetes/apiserver/pki/apiserver-key.pem
- --kubelet-preferred-address-types=InternalIP,ExternalIP,Hostname - --kubelet-preferred-address-types=InternalIP,ExternalIP,Hostname
- --kubelet-certificate-authority=/etc/kubernetes/apiserver/pki/cluster-ca.pem - --kubelet-certificate-authority=/etc/kubernetes/apiserver/pki/cluster-ca.pem
- --kubelet-client-certificate=/etc/kubernetes/apiserver/pki/apiserver.pem - --kubelet-client-certificate=/etc/kubernetes/apiserver/pki/kubelet-client.pem
- --kubelet-client-key=/etc/kubernetes/apiserver/pki/apiserver-key.pem - --kubelet-client-key=/etc/kubernetes/apiserver/pki/kubelet-client-key.pem
- --etcd-servers={{ .Values.apiserver.etcd.endpoints }} - --etcd-servers={{ .Values.apiserver.etcd.endpoints }}
- --etcd-cafile=/etc/kubernetes/apiserver/pki/etcd-client-ca.pem - --etcd-cafile=/etc/kubernetes/apiserver/pki/etcd-client-ca.pem
- --etcd-certfile=/etc/kubernetes/apiserver/pki/etcd-client.pem - --etcd-certfile=/etc/kubernetes/apiserver/pki/etcd-client.pem

1
charts/apiserver/templates/secret-apiserver.yaml
View File

@ -25,4 +25,5 @@ type: Opaque
data: data:
apiserver-key.pem: {{ .Values.secrets.tls.key | b64enc }} apiserver-key.pem: {{ .Values.secrets.tls.key | b64enc }}
etcd-client-key.pem: {{ .Values.secrets.etcd.tls.key | b64enc }} etcd-client-key.pem: {{ .Values.secrets.etcd.tls.key | b64enc }}
kubelet-client-key.pem: {{ .Values.secrets.kubelet.tls.key | default .Values.secrets.tls.key | b64enc }}
{{- end }} {{- end }}

12
charts/apiserver/values.yaml
View File

@ -33,6 +33,10 @@ anchor:
files_to_copy: files_to_copy:
- source: /certs/apiserver.pem - source: /certs/apiserver.pem
dest: /etc/kubernetes/apiserver/pki/apiserver.pem dest: /etc/kubernetes/apiserver/pki/apiserver.pem
- source: /certs/kubelet-client.pem
dest: /etc/kubernetes/apiserver/pki/kubelet-client.pem
- source: /certs/kubelet-client-ca.pem
dest: /etc/kubernetes/apiserver/pki/kubelet-client-ca.pem
- source: /certs/cluster-ca.pem - source: /certs/cluster-ca.pem
dest: /etc/kubernetes/apiserver/pki/cluster-ca.pem dest: /etc/kubernetes/apiserver/pki/cluster-ca.pem
- source: /certs/etcd-client-ca.pem - source: /certs/etcd-client-ca.pem
@ -43,6 +47,8 @@ anchor:
dest: /etc/kubernetes/apiserver/pki/service-account.pub dest: /etc/kubernetes/apiserver/pki/service-account.pub
- source: /keys/apiserver-key.pem - source: /keys/apiserver-key.pem
dest: /etc/kubernetes/apiserver/pki/apiserver-key.pem dest: /etc/kubernetes/apiserver/pki/apiserver-key.pem
- source: /keys/kubelet-client-key.pem
dest: /etc/kubernetes/apiserver/pki/kubelet-client-key.pem
- source: /keys/etcd-client-key.pem - source: /keys/etcd-client-key.pem
dest: /etc/kubernetes/apiserver/pki/etcd-client-key.pem dest: /etc/kubernetes/apiserver/pki/etcd-client-key.pem
- source: /tmp/etc/kubernetes-apiserver.yaml - source: /tmp/etc/kubernetes-apiserver.yaml
@ -97,6 +103,12 @@ secrets:
ca: placeholder ca: placeholder
cert: placeholder cert: placeholder
key: placeholder key: placeholder
kubelet:
tls:
ca: null
cert: null
key: null
# typically overriden by environmental # typically overriden by environmental
# values, but should include all endpoints # values, but should include all endpoints

5
examples/basic/PKICatalog.yaml
View File

@ -63,6 +63,11 @@ data:
common_name: armada common_name: armada
groups: groups:
- system:masters - system:masters
kubelet:
description: CA for Kubernetes node interactions
certificates:
- document_name: apiserver-kubelet-client
common_name: apiserver-kubelet-client
kubernetes-etcd: kubernetes-etcd:
description: Certificates for Kubernetes's etcd servers description: Certificates for Kubernetes's etcd servers
certificates: certificates:

36
examples/basic/armada-resources.yaml
View File

@ -664,7 +664,6 @@ metadata:
path: . path: .
dest: dest:
path: .values.secrets.tls.ca path: .values.secrets.tls.ca
- -
src: src:
schema: deckhand/Certificate/v1 schema: deckhand/Certificate/v1
@ -679,6 +678,29 @@ metadata:
path: . path: .
dest: dest:
path: .values.secrets.tls.key path: .values.secrets.tls.key
-
src:
schema: deckhand/CertificateAuthority/v1
name: kubelet
path: .
dest:
path: .values.secrets.kubelet.tls.ca
-
src:
schema: deckhand/Certificate/v1
name: apiserver-kubelet-client
path: .
dest:
path: .values.secrets.kubelet.tls.cert
-
src:
schema: deckhand/CertificateKey/v1
name: apiserver-kubelet-client
path: .
dest:
path: .values.secrets.kubelet.tls.key
- -
src: src:
schema: deckhand/CertificateAuthority/v1 schema: deckhand/CertificateAuthority/v1
@ -731,18 +753,6 @@ data:
tags: tags:
anchor: gcr.io/google_containers/hyperkube-amd64:v1.10.2 anchor: gcr.io/google_containers/hyperkube-amd64:v1.10.2
apiserver: gcr.io/google_containers/hyperkube-amd64:v1.10.2 apiserver: gcr.io/google_containers/hyperkube-amd64:v1.10.2
secrets:
service_account:
public_key: placeholder
tls:
ca: placeholder
cert: placeholder
key: placeholder
etcd:
tls:
ca: placeholder
cert: placeholder
key: placeholder
network: network:
kubernetes_service_ip: 10.96.0.1 kubernetes_service_ip: 10.96.0.1
pod_cidr: 10.97.0.0/16 pod_cidr: 10.97.0.0/16

5
examples/complete/PKICatalog.yaml
View File

@ -70,6 +70,11 @@ data:
common_name: armada common_name: armada
groups: groups:
- system:masters - system:masters
kubelet:
description: CA for Kubernetes node interactions
certificates:
- document_name: apiserver-kubelet-client
common_name: apiserver-kubelet-client
kubernetes-etcd: kubernetes-etcd:
description: Certificates for Kubernetes's etcd servers description: Certificates for Kubernetes's etcd servers
certificates: certificates:

1
promenade/templates/roles/common/etc/kubernetes/pki/kubelet-client-ca.pem Normal file
View File

@ -0,0 +1 @@
{{ config.get(schema='deckhand/CertificateAuthority/v1', name='kubelet', default=config.get(schema='deckhand/CertificateAuthority/v1', name='kubernetes')) }}

2
promenade/templates/roles/common/etc/systemd/system/kubelet.service
View File

@ -7,7 +7,7 @@ After=network-online.target
ExecStart=/opt/kubernetes/bin/kubelet \ ExecStart=/opt/kubernetes/bin/kubelet \
--allow-privileged=true \ --allow-privileged=true \
--anonymous-auth=false \ --anonymous-auth=false \
--client-ca-file=/etc/kubernetes/pki/cluster-ca.pem \ --client-ca-file=/etc/kubernetes/pki/kubelet-client-ca.pem \
--cluster-dns={{ config['KubernetesNetwork:dns.service_ip'] }} \ --cluster-dns={{ config['KubernetesNetwork:dns.service_ip'] }} \
--cluster-domain={{ config['KubernetesNetwork:dns.cluster_domain'] }} \ --cluster-domain={{ config['KubernetesNetwork:dns.cluster_domain'] }} \
--hostname-override={{ config.get_first('Genesis:hostname', 'KubernetesNode:hostname') }} \ --hostname-override={{ config.get_first('Genesis:hostname', 'KubernetesNode:hostname') }} \

1
promenade/templates/roles/genesis/etc/genesis/apiserver/pki/kubelet-client-ca.pem Normal file
View File

@ -0,0 +1 @@
{{ config.get(schema='deckhand/CertificateAuthority/v1', name='kubelet', default=config.get(schema='deckhand/CertificateAuthority/v1', name='kubernetes')) }}

1
promenade/templates/roles/genesis/etc/genesis/apiserver/pki/kubelet-client-key.pem Normal file
View File

@ -0,0 +1 @@
{{ config.get(schema='deckhand/CertificateKey/v1', name='apiserver-kubelet-client', default=config.get(schema='deckhand/CertificateKey/v1', name='apiserver')) }}

1
promenade/templates/roles/genesis/etc/genesis/apiserver/pki/kubelet-client.pem Normal file
View File

@ -0,0 +1 @@
{{ config.get(schema='deckhand/Certificate/v1', name='apiserver-kubelet-client', default=config.get(schema='deckhand/Certificate/v1', name='apiserver')) }}

6
promenade/templates/roles/genesis/etc/kubernetes/manifests/kubernetes-apiserver.yaml
View File

@ -24,9 +24,9 @@ spec:
- --admission-control=NamespaceLifecycle,LimitRanger,ServiceAccount,PersistentVolumeLabel,DefaultStorageClass,ResourceQuota,DefaultTolerationSeconds - --admission-control=NamespaceLifecycle,LimitRanger,ServiceAccount,PersistentVolumeLabel,DefaultStorageClass,ResourceQuota,DefaultTolerationSeconds
- --anonymous-auth=false - --anonymous-auth=false
- --client-ca-file=/etc/kubernetes/apiserver/pki/cluster-ca.pem - --client-ca-file=/etc/kubernetes/apiserver/pki/cluster-ca.pem
- --kubelet-certificate-authority=/etc/kubernetes/apiserver/pki/cluster-ca.pem - --kubelet-certificate-authority=/etc/kubernetes/apiserver/pki/kubelet-client-ca.pem
- --kubelet-client-certificate=/etc/kubernetes/apiserver/pki/apiserver.pem - --kubelet-client-certificate=/etc/kubernetes/apiserver/pki/kubelet-client.pem
- --kubelet-client-key=/etc/kubernetes/apiserver/pki/apiserver-key.pem - --kubelet-client-key=/etc/kubernetes/apiserver/pki/kubelet-client-key.pem
- --insecure-port=0 - --insecure-port=0
- --bind-address=0.0.0.0 - --bind-address=0.0.0.0
- --secure-port=6443 - --secure-port=6443