adjusting certificates for node authentication
alkar committed Oct 10, 2017
1 parent e1fb215 commit 1ddef03
Showing 11 changed files with 46 additions and 37 deletions.
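--- a/_data.tf
+++ b/_data.tf
@@ -0,0 +1,8 @@
+variable "node_name_command" {
+type = "map"
+
+default = {
+"" = "hostname -f"
+"aws" = "curl -s http://169.254.169.254/latest/meta-data/local-hostname"
+}
+}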
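Review bot: The `"aws"` entry has no failure handling: `curl -s` without `-f` or a timeout prints nothing (or an error body) when the metadata service is slow or unreachable, and because this value is spliced into `cn = "system:node:$(...)"` in master.tf and worker.tf the node would then request a certificate for an empty or garbage node name instead of failing. Prefer `"aws" = "curl -sf --max-time 5 http://169.254.169.254/latest/meta-data/local-hostname"` so an unreachable IMDS produces a non-zero exit and empty output that the calling script can reject. A comment above the map, e.g. `# run on the node at first boot by cfssl-new-cert.sh; output must equal the name the kubelet registers under, since the Node authorizer matches on the resulting CN`, would also make the contract explicit.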
12 changes: 7 additions & 5 deletions etcd.tf
@@ -1,27 +1,29 @@
data "template_file" "etcd-cfssl-new-cert" {
count = "${length(var.etcd_addresses)}"
template = "${file("${path.module}/resources/cfssl-new-cert.sh")}"

vars {
user = "etcd"
group = "etcd"
role = "k8s-etcd"
profile = "client-server"
path = "/etc/etcd/ssl"
cn = "${count.index}.etcd.${var.dns_domain}"
org = ""

hosts = "${join(",", list(
extra_names = "${join(",", list(
"etcd.${var.dns_domain}",
"*.etcd.${var.dns_domain}",
))}"
}
}

data "ignition_file" "etcd-cfssl-new-cert" {
count = "${length(var.etcd_addresses)}"
mode = 0755
filesystem = "root"
path = "/opt/bin/cfssl-new-cert"

content {
content = "${data.template_file.etcd-cfssl-new-cert.rendered}"
content = "${element(data.template_file.etcd-cfssl-new-cert.*.rendered, count.index)}"
}
}

Expand Down Expand Up @@ -157,7 +159,7 @@ data "ignition_config" "etcd" {
data.ignition_file.cfssl.id,
data.ignition_file.cfssljson.id,
data.ignition_file.cfssl-client-config.id,
data.ignition_file.etcd-cfssl-new-cert.id,
element(data.ignition_file.etcd-cfssl-new-cert.*.id, count.index),
data.ignition_file.etcd-prom-machine-role.id,
element(data.ignition_file.etcdctl-wrapper.*.id, count.index),
),
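Review bot: Every etcd member's certificate now carries the wildcard SAN `"*.etcd.${var.dns_domain}"` as well as `"etcd.${var.dns_domain}"` on the `extra_names` lines of the first hunk, so any member's `node.pem` is a valid server certificate for every other member's name. That may be a deliberate trade-off for peer TLS, but it is not stated anywhere; a comment such as `# wildcard SAN: any member cert is accepted as server for any member name; peer identity rests on CA membership, not the CN` would make the scope explicit. The `element(data.ignition_file.etcd-cfssl-new-cert.*.id, count.index)` line in the second hunk also assumes `data.ignition_config.etcd` has the same count as `var.etcd_addresses`; that block starts outside the hunk, so it cannot be confirmed here.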
5 changes: 3 additions & 2 deletions master.tf
Expand Up @@ -4,11 +4,12 @@ data "template_file" "master-cfssl-new-cert" {
vars {
user = "root"
group = "root"
role = "k8s-apiserver"
profile = "client-server"
path = "/etc/kubernetes/ssl"
cn = "system:node:$(${var.node_name_command[var.cloud_provider]})"
org = "system:nodes"

hosts = "${join(",", list(
extra_names = "${join(",", list(
"10.3.0.1",
"kubernetes",
"kubernetes.default",
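Review bot: The `cn = "system:node:$(${var.node_name_command[var.cloud_provider]})"` line is not evaluated by Terraform: the `$(...)` survives template rendering and is executed by the shell inside cfssl-new-cert.sh at boot, which is easy to misread as a plan-time value. The Node authorizer and NodeRestriction admission enabled in this commit only work if this CN equals the name the kubelet registers under; the kubelet configuration is not on this page, so that should be confirmed. A comment above the line, e.g. `# expanded on the node by cfssl-new-cert.sh, not by Terraform; must match the kubelet's registered node name for the Node authorizer`, would capture both points. The same construct appears in worker.tf and wants the same note; the enclosing template_file block starts outside this hunk.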
4 changes: 2 additions & 2 deletions resources/cfssl-new-cert.sh
Expand Up @@ -11,8 +11,8 @@ _hostname="$(hostname)"
/opt/bin/cfssl gencert \
-config=/etc/cfssl/config.json \
-profile=${profile} \
-hostname="$${_ip},$${_hostname},${hosts}" - << EOF | /opt/bin/cfssljson -bare "${role}"
{"CN":"${role}","key":{"algo":"ecdsa","size":384}}
-hostname="$${_ip},$${_hostname}${extra_names != "" ? ",${extra_names}" : "" }" - << EOF | /opt/bin/cfssljson -bare node
{"CN":"${cn}",${org != "" ? "\"names\":[{\"O\":\"${org}\"}]," : ""}"key":{"algo":"ecdsa","size":384}}
EOF

/opt/bin/cfssl info -config=/etc/cfssl/config.json | /opt/bin/cfssljson -bare ca
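Review bot: The new `{"CN":"${cn}",...}` heredoc line embeds the output of the node-name command directly, and nothing checks that it is non-empty or free of characters that alter the JSON (a quote or backslash in a hostname would break or change the CSR). Capturing and validating it first, for example `_cn="${cn}"` followed by `case "$${_cn}" in ""|*[!A-Za-z0-9.:_-]*) echo "unexpected CN: $${_cn}" >&2; exit 1;; esac` before the gencert call, and then using `"CN":"$${_cn}"` in the heredoc, turns a missing or malformed node name into a hard failure instead of a certificate with the wrong identity; the `$$` is needed because this file is a Terraform template. The charset check rather than a `system:node:` prefix check is deliberate, since etcd.tf renders this same script with a plain DNS-style CN. The script's preamble (including any `set -e`) is outside the hunk.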
8 changes: 4 additions & 4 deletions resources/etcd-member-dropin.conf
Expand Up @@ -12,12 +12,12 @@ Environment="ETCD_ADVERTISE_CLIENT_URLS=https://${private_ipv4}:2379"
Environment="ETCD_INITIAL_ADVERTISE_PEER_URLS=https://${private_ipv4}:2380"
Environment="ETCD_CLIENT_CERT_AUTH=true"
Environment="ETCD_TRUSTED_CA_FILE=/etc/etcd/ssl/ca.pem"
Environment="ETCD_CERT_FILE=/etc/etcd/ssl/k8s-etcd.pem"
Environment="ETCD_KEY_FILE=/etc/etcd/ssl/k8s-etcd-key.pem"
Environment="ETCD_CERT_FILE=/etc/etcd/ssl/node.pem"
Environment="ETCD_KEY_FILE=/etc/etcd/ssl/node-key.pem"
Environment="ETCD_PEER_CLIENT_CERT_AUTH=true"
Environment="ETCD_PEER_TRUSTED_CA_FILE=/etc/etcd/ssl/ca.pem"
Environment="ETCD_PEER_CERT_FILE=/etc/etcd/ssl/k8s-etcd.pem"
Environment="ETCD_PEER_KEY_FILE=/etc/etcd/ssl/k8s-etcd-key.pem"
Environment="ETCD_PEER_CERT_FILE=/etc/etcd/ssl/node.pem"
Environment="ETCD_PEER_KEY_FILE=/etc/etcd/ssl/node-key.pem"
Environment="RKT_RUN_ARGS=\
--uuid-file-save=/var/lib/coreos/etcd-member-wrapper.uuid \
--volume etc-etcd,kind=host,source=/etc/etcd,readOnly=true \
4 changes: 2 additions & 2 deletions resources/etcd-metrics-proxy.service
Expand Up @@ -12,8 +12,8 @@ ExecStart=/bin/sh -c "\
-v /etc/etcd/ssl:/etc/etcd/ssl \
quay.io/utilitywarehouse/etcd-metrics-proxy:v0.6.1 \
-etcd-ca /etc/etcd/ssl/ca.pem \
-etcd-cert /etc/etcd/ssl/k8s-etcd.pem \
-etcd-key /etc/etcd/ssl/k8s-etcd-key.pem \
-etcd-cert /etc/etcd/ssl/node.pem \
-etcd-key /etc/etcd/ssl/node-key.pem \
-upstream-host ${etcd_ip} \
-upstream-server-name ${etcd_ip}"
ExecStop=-/bin/sh -c 'docker stop -t 3 "$(docker ps -q --filter=name=%p_)"'
4 changes: 2 additions & 2 deletions resources/etcdctl-wrapper
Expand Up @@ -5,7 +5,7 @@ docker run --rm \
--entrypoint /usr/local/bin/etcdctl \
${etcd_image_url}:${etcd_image_tag} \
--ca-file /etc/etcd/ssl/ca.pem \
--cert-file /etc/etcd/ssl/k8s-etcd.pem \
--key-file /etc/etcd/ssl/k8s-etcd-key.pem \
--cert-file /etc/etcd/ssl/node.pem \
--key-file /etc/etcd/ssl/node-key.pem \
--endpoint https://${private_ipv4}:2379 \
"$@"
14 changes: 7 additions & 7 deletions resources/kube-apiserver.yaml
@@ -1,3 +1,4 @@
---
apiVersion: v1
kind: Pod
metadata:
Expand All @@ -13,14 +14,14 @@ spec:
- apiserver
- --etcd-servers=${etcd_endpoints}
- --etcd-cafile=/etc/kubernetes/ssl/ca.pem
- --etcd-certfile=/etc/kubernetes/ssl/k8s-apiserver.pem
- --etcd-keyfile=/etc/kubernetes/ssl/k8s-apiserver-key.pem
- --etcd-certfile=/etc/kubernetes/ssl/node.pem
- --etcd-keyfile=/etc/kubernetes/ssl/node-key.pem
- --allow-privileged=true
- --service-cluster-ip-range=${service_network}
- --secure-port=443
- --admission-control=NamespaceLifecycle,LimitRanger,ServiceAccount,ResourceQuota
- --tls-cert-file=/etc/kubernetes/ssl/k8s-apiserver.pem
- --tls-private-key-file=/etc/kubernetes/ssl/k8s-apiserver-key.pem
- --admission-control=NodeRestriction,NamespaceLifecycle,LimitRanger,ServiceAccount,ResourceQuota
- --tls-cert-file=/etc/kubernetes/ssl/node.pem
- --tls-private-key-file=/etc/kubernetes/ssl/node-key.pem
- --client-ca-file=/etc/kubernetes/ssl/ca.pem
- --service-account-key-file=/etc/kubernetes/ssl/signing-key.pem
- --service-account-lookup=true
Expand All @@ -29,8 +30,7 @@ spec:
- --oidc-issuer-url=${oidc_issuer_url}
- --oidc-username-claim=email
- --oidc-client-id=${oidc_client_id}
- --authorization-rbac-super-user=k8s-admin
- --authorization-mode=RBAC
- --authorization-mode=Node,RBAC
- --apiserver-count=${master_instance_count}
- --audit-log-path=/var/log/kube-api-server/audit
- --v=0
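Review bot: Dropping `--authorization-rbac-super-user=k8s-admin` while switching to `--authorization-mode=Node,RBAC` removes the implicit superuser, so whatever identity carries CN `k8s-admin` keeps access only if an explicit ClusterRoleBinding to cluster-admin exists; nothing on this page creates one, so confirm it before rolling out or the cluster can become unmanageable. `Node` as the first authorizer plus `NodeRestriction` admission require kubelet client certificates with `O=system:nodes` and `CN=system:node:<name>`, which master.tf and worker.tf now issue, but the same `node.pem` is also the API server's serving cert and its etcd client cert on the `--tls-cert-file` and `--etcd-certfile` lines, so one key now holds three roles; a comment there would be worthwhile if that is intentional. The Node authorizer and NodeRestriction plugin also need a Kubernetes release that ships them; the image tag is outside this hunk.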
4 changes: 2 additions & 2 deletions resources/master-kubeconfig
Expand Up @@ -8,8 +8,8 @@ clusters:
users:
- name: kubelet
user:
client-certificate: /etc/kubernetes/ssl/k8s-apiserver.pem
client-key: /etc/kubernetes/ssl/k8s-apiserver-key.pem
client-certificate: /etc/kubernetes/ssl/node.pem
client-key: /etc/kubernetes/ssl/node-key.pem
contexts:
- context:
cluster: local
4 changes: 2 additions & 2 deletions resources/worker-kubeconfig
Expand Up @@ -8,8 +8,8 @@ clusters:
users:
- name: kubelet
user:
client-certificate: /etc/kubernetes/ssl/k8s-worker.pem
client-key: /etc/kubernetes/ssl/k8s-worker-key.pem
client-certificate: /etc/kubernetes/ssl/node.pem
client-key: /etc/kubernetes/ssl/node-key.pem
contexts:
- context:
cluster: local
16 changes: 7 additions & 9 deletions worker.tf
Expand Up @@ -2,15 +2,13 @@ data "template_file" "worker-cfssl-new-cert" {
template = "${file("${path.module}/resources/cfssl-new-cert.sh")}"

vars {
user = "root"
group = "root"
role = "k8s-worker"
profile = "client"
path = "/etc/kubernetes/ssl"

hosts = "${join(",", list(
"*.worker.${var.dns_domain}",
))}"
user = "root"
group = "root"
profile = "client"
path = "/etc/kubernetes/ssl"
cn = "system:node:$(${var.node_name_command[var.cloud_provider]})"
org = "system:nodes"
extra_names = ""
}
}

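Review bot: With `profile = "client"` kept and the SAN list reduced to `extra_names = ""`, the worker's `node.pem` is a client-only identity and cannot serve the kubelet's own TLS endpoint; if the kubelet is started with this file as its serving certificate (its flags are not on this page), the API server's connections to the kubelet would reject it. A comment on the `profile` line, e.g. `# client-only: kubelet authentication to the apiserver as system:node:<name>, not the kubelet's serving cert`, would make the intended use clear. The enclosing template_file block starts outside this hunk.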
