[k8s_coreos] Enable TLS in Etcd cluster

With this patch following are done:-
- Configure Etcd with TLS support

Configure Following to commuicate with TLS enabled Etcd:-
- Flannel

Etcd also listens at http://127.0.0.1:2379, so on master nodes
etcdctl can communicate without using certificates.

if TLS_DISABLED="True" then TLS is not enabled for etcd.

Change-Id: I7691ca328c4e1bc0738937b62cd813b5ad7df959
Implements: blueprint secure-etcd-cluster-coe

magnum/drivers/k8s_coreos_v1/templates/fragments/configure-etcd.yaml

@@ -26,18 +26,37 @@ write_files:
 
       DROP_IN_FILE=/etc/systemd/system/etcd2.service.d/20-configure-etcd.conf
       mkdir -p $(dirname $DROP_IN_FILE)
+      cert_dir="/etc/kubernetes/ssl"
+      protocol="https"
+
+      if [ "$TLS_DISABLED" = "True" ]; then
+          protocol="http"
+      fi
       cat > $DROP_IN_FILE <<EOF
       [Service]
       Environment=ETCD_NAME=$myip
       Environment=ETCD_DATA_DIR=/var/lib/etcd/default.etcd
-      Environment=ETCD_LISTEN_CLIENT_URLS=http://0.0.0.0:2379
-      Environment=ETCD_LISTEN_PEER_URLS=http://$myip:2380
+      Environment=ETCD_LISTEN_CLIENT_URLS=$protocol://$myip:2379,http://127.0.0.1:2379
+      Environment=ETCD_LISTEN_PEER_URLS=$protocol://$myip:2380
 
-      Environment=ETCD_ADVERTISE_CLIENT_URLS=http://$myip:2379
-      Environment=ETCD_INITIAL_ADVERTISE_PEER_URLS=http://$myip:2380
+      Environment=ETCD_ADVERTISE_CLIENT_URLS=$protocol://$myip:2379,http://127.0.0.1:2379
+      Environment=ETCD_INITIAL_ADVERTISE_PEER_URLS=$protocol://$myip:2380
       Environment=ETCD_DISCOVERY=$ETCD_DISCOVERY_URL
       EOF
 
+      if [ "$TLS_DISABLED" = "False" ]; then
+
+      cat >> $DROP_IN_FILE <<EOF
+      Environment=ETCD_CA_FILE=$cert_dir/ca.pem
+      Environment=ETCD_CERT_FILE=$cert_dir/apiserver.pem
+      Environment=ETCD_KEY_FILE=$cert_dir/apiserver-key.pem
+      Environment=ETCD_PEER_CA_FILE=$cert_dir/ca.pem
+      Environment=ETCD_PEER_CERT_FILE=$cert_dir/apiserver.pem
+      Environment=ETCD_PEER_KEY_FILE=$cert_dir/apiserver-key.pem
+      EOF
+
+      fi
+
       if [ -n "$HTTP_PROXY" ]; then
           echo "Environment=ETCD_DISCOVERY_PROXY=$HTTP_PROXY" >> $DROP_IN_FILE
       fi

magnum/drivers/k8s_coreos_v1/templates/fragments/enable-network-service-client.yaml

@@ -0,0 +1,71 @@
+#cloud-config
+write_files:
+  - path: /etc/systemd/system/enable-network-service.service
+    owner: "root:root"
+    permissions: "0644"
+    content: |
+      [Unit]
+      Description=Enable Network Service
+
+      [Service]
+      Type=oneshot
+      ExecStart=/etc/sysconfig/enable-network-service.sh
+
+      [Install]
+      WantedBy=multi-user.target
+
+  - path: /etc/sysconfig/enable-network-service.sh
+    owner: "root:root"
+    permissions: "0755"
+    content: |
+      #!/bin/sh
+
+      . /etc/sysconfig/heat-params
+      if [ "$NETWORK_DRIVER" != "flannel" ]; then
+          exit 0
+      fi
+
+      myip=$(ip addr show eth0 |
+             awk '$1 == "inet" {print $2}' | cut -f1 -d/)
+      ETCD_SERVER_IP=${ETCD_SERVER_IP:-127.0.0.1}
+
+      CERT_DIR=/etc/kubernetes/ssl
+      PROTOCOL=https
+
+      if [ "$TLS_DISABLED" = "True" ]; then
+        PROTOCOL=http
+      fi
+
+      ENV_FILE=/etc/flannel/options.env
+      mkdir -p $(dirname $ENV_FILE)
+      cat > $ENV_FILE <<EOF
+      FLANNELD_IFACE=$myip
+      FLANNELD_ETCD_ENDPOINTS=${PROTOCOL}://${ETCD_SERVER_IP}:2379
+      EOF
+
+      if [ "$TLS_DISABLED" = "False" ]; then
+        cat >> $ENV_FILE <<EOF
+      FLANNELD_ETCD_CAFILE=$CERT_DIR/ca.pem
+      FLANNELD_ETCD_CERTFILE=$CERT_DIR/worker.pem
+      FLANNELD_ETCD_KEYFILE=$CERT_DIR/worker-key.pem
+      EOF
+      fi
+
+      DROP_IN_FILE=/etc/systemd/system/flanneld.service.d/40-ExecStartPre-symlink.conf
+      mkdir -p $(dirname $DROP_IN_FILE)
+      cat > $DROP_IN_FILE <<EOF
+      [Service]
+      Environment="ETCD_SSL_DIR=$CERT_DIR"
+      ExecStartPre=/usr/bin/ln -sf /etc/flannel/options.env /run/flannel/options.env
+      EOF
+
+      DOCKER_FLANNEL_CONF=/etc/systemd/system/docker.service.d/40-flannel.conf
+      mkdir -p $(dirname $DOCKER_FLANNEL_CONF)
+      cat > $DOCKER_FLANNEL_CONF <<EOF
+      [Unit]
+      Requires=flanneld.service
+      After=flanneld.service
+      EOF
+
+      systemctl enable flanneld
+      systemctl --no-block start flanneld

magnum/drivers/k8s_coreos_v1/templates/fragments/enable-network-service.yaml

@@ -29,17 +29,33 @@ write_files:
              awk '$1 == "inet" {print $2}' | cut -f1 -d/)
       ETCD_SERVER_IP=${ETCD_SERVER_IP:-127.0.0.1}
 
+      CERT_DIR=/etc/kubernetes/ssl
+      PROTOCOL=https
+
+      if [ "$TLS_DISABLED" = "True" ]; then
+        PROTOCOL=http
+      fi
+
       ENV_FILE=/etc/flannel/options.env
       mkdir -p $(dirname $ENV_FILE)
       cat > $ENV_FILE <<EOF
       FLANNELD_IFACE=$myip
-      FLANNELD_ETCD_ENDPOINTS=http://${ETCD_SERVER_IP}:2379
+      FLANNELD_ETCD_ENDPOINTS=${PROTOCOL}://${ETCD_SERVER_IP}:2379
       EOF
 
+      if [ "$TLS_DISABLED" = "False" ]; then
+        cat >> $ENV_FILE <<EOF
+      FLANNELD_ETCD_CAFILE=$CERT_DIR/ca.pem
+      FLANNELD_ETCD_CERTFILE=$CERT_DIR/apiserver.pem
+      FLANNELD_ETCD_KEYFILE=$CERT_DIR/apiserver-key.pem
+      EOF
+      fi
+
       DROP_IN_FILE=/etc/systemd/system/flanneld.service.d/40-ExecStartPre-symlink.conf
       mkdir -p $(dirname $DROP_IN_FILE)
       cat > $DROP_IN_FILE <<EOF
       [Service]
+      Environment="ETCD_SSL_DIR=$CERT_DIR"
       ExecStartPre=/usr/bin/ln -sf /etc/flannel/options.env /run/flannel/options.env
       EOF
 

magnum/drivers/k8s_coreos_v1/templates/fragments/make-cert.yaml

@@ -146,4 +146,5 @@ write_files:
       parse_json_response "${server_cert_json}" > ${SERVER_CERT}
 
       chmod 600 ${cert_dir}/*-key.pem
-      chown root:root ${cert_dir}/*-key.pem
+      # Certs will also be used by etcd service
+      chown -R etcd:etcd ${cert_dir}

magnum/drivers/k8s_coreos_v1/templates/fragments/write-heat-params-master.yaml

@@ -11,6 +11,7 @@ write_files:
       KUBE_NODE_PUBLIC_IP="$KUBE_NODE_PUBLIC_IP"
       KUBE_NODE_IP="$KUBE_NODE_IP"
       KUBE_ALLOW_PRIV="$KUBE_ALLOW_PRIV"
+      ETCD_SERVER_IP="$ETCD_SERVER_IP"
       DOCKER_VOLUME="$DOCKER_VOLUME"
       DOCKER_STORAGE_DRIVER="$DOCKER_STORAGE_DRIVER"
       NETWORK_DRIVER="$NETWORK_DRIVER"

magnum/drivers/k8s_coreos_v1/templates/kubemaster.yaml

@@ -195,6 +195,7 @@ resources:
             "$KUBE_NODE_PUBLIC_IP": {get_attr: [kube_master_floating, floating_ip_address]}
             "$KUBE_NODE_IP": {get_attr: [kube_master_eth0, fixed_ips, 0, ip_address]}
             "$KUBE_ALLOW_PRIV": {get_param: kube_allow_priv}
+            "$ETCD_SERVER_IP": {get_attr: [kube_master_eth0, fixed_ips, 0, ip_address]}
             "$FLANNEL_NETWORK_CIDR": {get_param: flannel_network_cidr}
             "$FLANNEL_NETWORK_SUBNETLEN": {get_param: flannel_network_subnetlen}
             "$FLANNEL_BACKEND": {get_param: flannel_backend}

magnum/drivers/k8s_coreos_v1/templates/kubeminion.yaml

@@ -181,7 +181,7 @@ resources:
     type: OS::Heat::SoftwareConfig
     properties:
       group: ungrouped
-      config: {get_file: fragments/enable-network-service.yaml}
+      config: {get_file: fragments/enable-network-service-client.yaml}
 
   enable_kubelet:
     type: OS::Heat::SoftwareConfig