Unverified Commit 5cff6c90 authored by Kubernetes Submit Queue's avatar Kubernetes Submit Queue Committed by GitHub

Merge pull request #60385 from stealthybox/feature/kubeadm_710-etcd-ca

Automatic merge from submit-queue. If you want to cherry-pick this change to another branch, please follow the instructions <a href="https://github.com/kubernetes/community/blob/master/contributors/devel/cherry-picks.md">here</a>. kubeadm 710 Switch to a dedicated CA for kubeadm etcd identities **What this PR does / why we need it**: On `kubeadm init`/`kubeadm upgrade`, this PR generates an etcd specific CA for signing the following certs: - etcd serving cert - etcd peer cert - apiserver etcd client cert These certs were previously signed by the kubernetes CA. The etcd static pod in `local.go` has also been updated to only mount the `/etcd` subdir of `cfg.CertificatesDir`. New phase command: ``` kubeadm alpha phase certs etcd-ca ``` See the linked issue for details on why this change is an important security feature. **Which issue(s) this PR fixes** Fixes https://github.com/kubernetes/kubeadm/issues/710 **Special notes for your reviewer**: #### on the master this should still fail: ```bash curl localhost:2379/v2/keys # no output curl --cacert /etc/kubernetes/pki/etcd/ca.crt https://localhost:2379/v2/keys # handshake error ``` this should now fail: (previously would succeed) ``` cd /etc/kubernetes/pki curl --cacert etcd/ca.crt --cert apiserver-kubelet-client.crt --key apiserver-kubelet-client.key https://localhost:2379/v2/keys # curl: (35) error:14094412:SSL routines:ssl3_read_bytes:sslv3 alert bad certificate ``` this should still succeed: ``` cd /etc/kubernetes/pki curl --cacert etcd/ca.crt --cert apiserver-etcd-client.crt --key apiserver-etcd-client.key https://localhost:2379/v2/keys ``` **Release note**: ```release-note On cluster provision or upgrade, kubeadm generates an etcd specific CA for all etcd related certificates. ```
parents 58731ae6 41974cb9
...@@ -44,7 +44,7 @@ var ( ...@@ -44,7 +44,7 @@ var (
allCertsExample = normalizer.Examples(` allCertsExample = normalizer.Examples(`
# Creates all PKI assets necessary to establish the control plane, # Creates all PKI assets necessary to establish the control plane,
# functionally equivalent to what generated by kubeadm init. # functionally equivalent to what generated by kubeadm init.
kubeadm alpha phase certs all kubeadm alpha phase certs all
# Creates all PKI assets using options read from a configuration file. # Creates all PKI assets using options read from a configuration file.
...@@ -52,7 +52,7 @@ var ( ...@@ -52,7 +52,7 @@ var (
`) `)
caCertLongDesc = fmt.Sprintf(normalizer.LongDesc(` caCertLongDesc = fmt.Sprintf(normalizer.LongDesc(`
Generates the self-signed certificate authority and related key, and saves them into %s and %s files. Generates the self-signed kubernetes certificate authority and related key, and saves them into %s and %s files.
If both files already exist, kubeadm skips the generation step and existing files will be used. If both files already exist, kubeadm skips the generation step and existing files will be used.
`+cmdutil.AlphaDisclaimer), kubeadmconstants.CACertName, kubeadmconstants.CAKeyName) `+cmdutil.AlphaDisclaimer), kubeadmconstants.CACertName, kubeadmconstants.CAKeyName)
...@@ -74,6 +74,12 @@ var ( ...@@ -74,6 +74,12 @@ var (
If both files already exist, kubeadm skips the generation step and existing files will be used. If both files already exist, kubeadm skips the generation step and existing files will be used.
`+cmdutil.AlphaDisclaimer), kubeadmconstants.APIServerKubeletClientCertName, kubeadmconstants.APIServerKubeletClientKeyName) `+cmdutil.AlphaDisclaimer), kubeadmconstants.APIServerKubeletClientCertName, kubeadmconstants.APIServerKubeletClientKeyName)
etcdCaCertLongDesc = fmt.Sprintf(normalizer.LongDesc(`
Generates the self-signed etcd certificate authority and related key and saves them into %s and %s files.
If both files already exist, kubeadm skips the generation step and existing files will be used.
`+cmdutil.AlphaDisclaimer), kubeadmconstants.EtcdCACertName, kubeadmconstants.EtcdCAKeyName)
etcdServerCertLongDesc = fmt.Sprintf(normalizer.LongDesc(` etcdServerCertLongDesc = fmt.Sprintf(normalizer.LongDesc(`
Generates the etcd serving certificate and key and saves them into %s and %s files. Generates the etcd serving certificate and key and saves them into %s and %s files.
...@@ -166,37 +172,43 @@ func getCertsSubCommands(defaultKubernetesVersion string) []*cobra.Command { ...@@ -166,37 +172,43 @@ func getCertsSubCommands(defaultKubernetesVersion string) []*cobra.Command {
}, },
{ {
use: "ca", use: "ca",
short: "Generates self-signed CA to provision identities for each component in the cluster", short: "Generates a self-signed kubernetes CA to provision identities for components of the cluster",
long: caCertLongDesc, long: caCertLongDesc,
cmdFunc: certsphase.CreateCACertAndKeyfiles, cmdFunc: certsphase.CreateCACertAndKeyFiles,
}, },
{ {
use: "apiserver", use: "apiserver",
short: "Generates API server serving certificate and key", short: "Generates an API server serving certificate and key",
long: apiServerCertLongDesc, long: apiServerCertLongDesc,
cmdFunc: certsphase.CreateAPIServerCertAndKeyFiles, cmdFunc: certsphase.CreateAPIServerCertAndKeyFiles,
}, },
{ {
use: "apiserver-kubelet-client", use: "apiserver-kubelet-client",
short: "Generates client certificate for the API server to connect to the kubelets securely", short: "Generates a client certificate for the API server to connect to the kubelets securely",
long: apiServerKubeletCertLongDesc, long: apiServerKubeletCertLongDesc,
cmdFunc: certsphase.CreateAPIServerKubeletClientCertAndKeyFiles, cmdFunc: certsphase.CreateAPIServerKubeletClientCertAndKeyFiles,
}, },
{ {
use: "etcd-ca",
short: "Generates a self-signed CA to provision identities for etcd",
long: etcdCaCertLongDesc,
cmdFunc: certsphase.CreateEtcdCACertAndKeyFiles,
},
{
use: "etcd-server", use: "etcd-server",
short: "Generates etcd serving certificate and key", short: "Generates an etcd serving certificate and key",
long: etcdServerCertLongDesc, long: etcdServerCertLongDesc,
cmdFunc: certsphase.CreateEtcdServerCertAndKeyFiles, cmdFunc: certsphase.CreateEtcdServerCertAndKeyFiles,
}, },
{ {
use: "etcd-peer", use: "etcd-peer",
short: "Generates etcd peer certificate and key", short: "Generates an etcd peer certificate and key",
long: etcdPeerCertLongDesc, long: etcdPeerCertLongDesc,
cmdFunc: certsphase.CreateEtcdPeerCertAndKeyFiles, cmdFunc: certsphase.CreateEtcdPeerCertAndKeyFiles,
}, },
{ {
use: "apiserver-etcd-client", use: "apiserver-etcd-client",
short: "Generates client certificate for the API server to connect to etcd securely", short: "Generates a client certificate for the API server to connect to etcd securely",
long: apiServerEtcdServerCertLongDesc, long: apiServerEtcdServerCertLongDesc,
cmdFunc: certsphase.CreateAPIServerEtcdClientCertAndKeyFiles, cmdFunc: certsphase.CreateAPIServerEtcdClientCertAndKeyFiles,
}, },
...@@ -208,13 +220,13 @@ func getCertsSubCommands(defaultKubernetesVersion string) []*cobra.Command { ...@@ -208,13 +220,13 @@ func getCertsSubCommands(defaultKubernetesVersion string) []*cobra.Command {
}, },
{ {
use: "front-proxy-ca", use: "front-proxy-ca",
short: "Generates front proxy CA certificate and key for a Kubernetes cluster", short: "Generates a front proxy CA certificate and key for a Kubernetes cluster",
long: frontProxyCaCertLongDesc, long: frontProxyCaCertLongDesc,
cmdFunc: certsphase.CreateFrontProxyCACertAndKeyFiles, cmdFunc: certsphase.CreateFrontProxyCACertAndKeyFiles,
}, },
{ {
use: "front-proxy-client", use: "front-proxy-client",
short: "Generates front proxy CA client certificate and key for a Kubernetes cluster", short: "Generates a front proxy CA client certificate and key for a Kubernetes cluster",
long: frontProxyClientCertLongDesc, long: frontProxyClientCertLongDesc,
cmdFunc: certsphase.CreateFrontProxyClientCertAndKeyFiles, cmdFunc: certsphase.CreateFrontProxyClientCertAndKeyFiles,
}, },
......
...@@ -65,6 +65,13 @@ const ( ...@@ -65,6 +65,13 @@ const (
// APIServerKubeletClientCertCommonName defines kubelet client certificate common name (CN) // APIServerKubeletClientCertCommonName defines kubelet client certificate common name (CN)
APIServerKubeletClientCertCommonName = "kube-apiserver-kubelet-client" APIServerKubeletClientCertCommonName = "kube-apiserver-kubelet-client"
// EtcdCACertAndKeyBaseName defines etcd's CA certificate and key base name
EtcdCACertAndKeyBaseName = "etcd/ca"
// EtcdCACertName defines etcd's CA certificate name
EtcdCACertName = "etcd/ca.crt"
// EtcdCAKeyName defines etcd's CA key name
EtcdCAKeyName = "etcd/ca.key"
// EtcdServerCertAndKeyBaseName defines etcd's server certificate and key base name // EtcdServerCertAndKeyBaseName defines etcd's server certificate and key base name
EtcdServerCertAndKeyBaseName = "etcd/server" EtcdServerCertAndKeyBaseName = "etcd/server"
// EtcdServerCertName defines etcd's server certificate name // EtcdServerCertName defines etcd's server certificate name
......
...@@ -310,6 +310,15 @@ func TestNewAPIServerKubeletClientCertAndKey(t *testing.T) { ...@@ -310,6 +310,15 @@ func TestNewAPIServerKubeletClientCertAndKey(t *testing.T) {
certstestutil.AssertCertificateHasOrganizations(t, apiKubeletClientCert, kubeadmconstants.MastersGroup) certstestutil.AssertCertificateHasOrganizations(t, apiKubeletClientCert, kubeadmconstants.MastersGroup)
} }
func TestNewEtcdCACertAndKey(t *testing.T) {
etcdCACert, _, err := NewEtcdCACertAndKey()
if err != nil {
t.Fatalf("failed creation of cert and key: %v", err)
}
certstestutil.AssertCertificateIsCa(t, etcdCACert)
}
func TestNewEtcdServerCertAndKey(t *testing.T) { func TestNewEtcdServerCertAndKey(t *testing.T) {
proxy := "user-etcd-proxy" proxy := "user-etcd-proxy"
proxyIP := "10.10.10.100" proxyIP := "10.10.10.100"
...@@ -481,7 +490,7 @@ func TestValidateMethods(t *testing.T) { ...@@ -481,7 +490,7 @@ func TestValidateMethods(t *testing.T) {
{ {
name: "validateCACert", name: "validateCACert",
setupFuncs: []func(cfg *kubeadmapi.MasterConfiguration) error{ setupFuncs: []func(cfg *kubeadmapi.MasterConfiguration) error{
CreateCACertAndKeyfiles, CreateCACertAndKeyFiles,
}, },
validateFunc: validateCACert, validateFunc: validateCACert,
loc: certKeyLocation{caBaseName: "ca", baseName: "", uxName: "CA"}, loc: certKeyLocation{caBaseName: "ca", baseName: "", uxName: "CA"},
...@@ -490,7 +499,7 @@ func TestValidateMethods(t *testing.T) { ...@@ -490,7 +499,7 @@ func TestValidateMethods(t *testing.T) {
{ {
name: "validateCACertAndKey (files present)", name: "validateCACertAndKey (files present)",
setupFuncs: []func(cfg *kubeadmapi.MasterConfiguration) error{ setupFuncs: []func(cfg *kubeadmapi.MasterConfiguration) error{
CreateCACertAndKeyfiles, CreateCACertAndKeyFiles,
}, },
validateFunc: validateCACertAndKey, validateFunc: validateCACertAndKey,
loc: certKeyLocation{caBaseName: "ca", baseName: "", uxName: "CA"}, loc: certKeyLocation{caBaseName: "ca", baseName: "", uxName: "CA"},
...@@ -509,7 +518,7 @@ func TestValidateMethods(t *testing.T) { ...@@ -509,7 +518,7 @@ func TestValidateMethods(t *testing.T) {
{ {
name: "validateSignedCert", name: "validateSignedCert",
setupFuncs: []func(cfg *kubeadmapi.MasterConfiguration) error{ setupFuncs: []func(cfg *kubeadmapi.MasterConfiguration) error{
CreateCACertAndKeyfiles, CreateCACertAndKeyFiles,
CreateAPIServerCertAndKeyFiles, CreateAPIServerCertAndKeyFiles,
}, },
validateFunc: validateSignedCert, validateFunc: validateSignedCert,
...@@ -583,6 +592,7 @@ func TestCreateCertificateFilesMethods(t *testing.T) { ...@@ -583,6 +592,7 @@ func TestCreateCertificateFilesMethods(t *testing.T) {
kubeadmconstants.CACertName, kubeadmconstants.CAKeyName, kubeadmconstants.CACertName, kubeadmconstants.CAKeyName,
kubeadmconstants.APIServerCertName, kubeadmconstants.APIServerKeyName, kubeadmconstants.APIServerCertName, kubeadmconstants.APIServerKeyName,
kubeadmconstants.APIServerKubeletClientCertName, kubeadmconstants.APIServerKubeletClientKeyName, kubeadmconstants.APIServerKubeletClientCertName, kubeadmconstants.APIServerKubeletClientKeyName,
kubeadmconstants.EtcdCACertName, kubeadmconstants.EtcdCAKeyName,
kubeadmconstants.EtcdServerCertName, kubeadmconstants.EtcdServerKeyName, kubeadmconstants.EtcdServerCertName, kubeadmconstants.EtcdServerKeyName,
kubeadmconstants.EtcdPeerCertName, kubeadmconstants.EtcdPeerKeyName, kubeadmconstants.EtcdPeerCertName, kubeadmconstants.EtcdPeerKeyName,
kubeadmconstants.APIServerEtcdClientCertName, kubeadmconstants.APIServerEtcdClientKeyName, kubeadmconstants.APIServerEtcdClientCertName, kubeadmconstants.APIServerEtcdClientKeyName,
...@@ -592,31 +602,35 @@ func TestCreateCertificateFilesMethods(t *testing.T) { ...@@ -592,31 +602,35 @@ func TestCreateCertificateFilesMethods(t *testing.T) {
}, },
}, },
{ {
createFunc: CreateCACertAndKeyfiles, createFunc: CreateCACertAndKeyFiles,
expectedFiles: []string{kubeadmconstants.CACertName, kubeadmconstants.CAKeyName}, expectedFiles: []string{kubeadmconstants.CACertName, kubeadmconstants.CAKeyName},
}, },
{ {
setupFunc: CreateCACertAndKeyfiles, setupFunc: CreateCACertAndKeyFiles,
createFunc: CreateAPIServerCertAndKeyFiles, createFunc: CreateAPIServerCertAndKeyFiles,
expectedFiles: []string{kubeadmconstants.APIServerCertName, kubeadmconstants.APIServerKeyName}, expectedFiles: []string{kubeadmconstants.APIServerCertName, kubeadmconstants.APIServerKeyName},
}, },
{ {
setupFunc: CreateCACertAndKeyfiles, setupFunc: CreateCACertAndKeyFiles,
createFunc: CreateAPIServerKubeletClientCertAndKeyFiles, createFunc: CreateAPIServerKubeletClientCertAndKeyFiles,
expectedFiles: []string{kubeadmconstants.APIServerKubeletClientCertName, kubeadmconstants.APIServerKubeletClientKeyName}, expectedFiles: []string{kubeadmconstants.APIServerKubeletClientCertName, kubeadmconstants.APIServerKubeletClientKeyName},
}, },
{ {
setupFunc: CreateCACertAndKeyfiles, createFunc: CreateEtcdCACertAndKeyFiles,
expectedFiles: []string{kubeadmconstants.EtcdCACertName, kubeadmconstants.EtcdCAKeyName},
},
{
setupFunc: CreateEtcdCACertAndKeyFiles,
createFunc: CreateEtcdServerCertAndKeyFiles, createFunc: CreateEtcdServerCertAndKeyFiles,
expectedFiles: []string{kubeadmconstants.EtcdServerCertName, kubeadmconstants.EtcdServerKeyName}, expectedFiles: []string{kubeadmconstants.EtcdServerCertName, kubeadmconstants.EtcdServerKeyName},
}, },
{ {
setupFunc: CreateCACertAndKeyfiles, setupFunc: CreateEtcdCACertAndKeyFiles,
createFunc: CreateEtcdPeerCertAndKeyFiles, createFunc: CreateEtcdPeerCertAndKeyFiles,
expectedFiles: []string{kubeadmconstants.EtcdPeerCertName, kubeadmconstants.EtcdPeerKeyName}, expectedFiles: []string{kubeadmconstants.EtcdPeerCertName, kubeadmconstants.EtcdPeerKeyName},
}, },
{ {
setupFunc: CreateCACertAndKeyfiles, setupFunc: CreateEtcdCACertAndKeyFiles,
createFunc: CreateAPIServerEtcdClientCertAndKeyFiles, createFunc: CreateAPIServerEtcdClientCertAndKeyFiles,
expectedFiles: []string{kubeadmconstants.APIServerEtcdClientCertName, kubeadmconstants.APIServerEtcdClientKeyName}, expectedFiles: []string{kubeadmconstants.APIServerEtcdClientCertName, kubeadmconstants.APIServerEtcdClientKeyName},
}, },
......
...@@ -40,6 +40,8 @@ package certs ...@@ -40,6 +40,8 @@ package certs
- apiserver-kubelet-client.key - apiserver-kubelet-client.key
- apiserver-etcd-client.crt - apiserver-etcd-client.crt
- apiserver-etcd-client.key - apiserver-etcd-client.key
- etcd/ca.crt
- etcd/ca.key
- etcd/server.crt - etcd/server.crt
- etcd/server.key - etcd/server.key
- etcd/peer.crt - etcd/peer.crt
......
...@@ -206,7 +206,7 @@ func getAPIServerCommand(cfg *kubeadmapi.MasterConfiguration, k8sVersion *versio ...@@ -206,7 +206,7 @@ func getAPIServerCommand(cfg *kubeadmapi.MasterConfiguration, k8sVersion *versio
} else { } else {
// Default to etcd static pod on localhost // Default to etcd static pod on localhost
etcdEndpointsArg := "--etcd-servers=https://127.0.0.1:2379" etcdEndpointsArg := "--etcd-servers=https://127.0.0.1:2379"
etcdCAFileArg := fmt.Sprintf("--etcd-cafile=%s", filepath.Join(cfg.CertificatesDir, kubeadmconstants.CACertName)) etcdCAFileArg := fmt.Sprintf("--etcd-cafile=%s", filepath.Join(cfg.CertificatesDir, kubeadmconstants.EtcdCACertName))
etcdClientFileArg := fmt.Sprintf("--etcd-certfile=%s", filepath.Join(cfg.CertificatesDir, kubeadmconstants.APIServerEtcdClientCertName)) etcdClientFileArg := fmt.Sprintf("--etcd-certfile=%s", filepath.Join(cfg.CertificatesDir, kubeadmconstants.APIServerEtcdClientCertName))
etcdKeyFileArg := fmt.Sprintf("--etcd-keyfile=%s", filepath.Join(cfg.CertificatesDir, kubeadmconstants.APIServerEtcdClientKeyName)) etcdKeyFileArg := fmt.Sprintf("--etcd-keyfile=%s", filepath.Join(cfg.CertificatesDir, kubeadmconstants.APIServerEtcdClientKeyName))
command = append(command, etcdEndpointsArg, etcdCAFileArg, etcdClientFileArg, etcdKeyFileArg) command = append(command, etcdEndpointsArg, etcdCAFileArg, etcdClientFileArg, etcdKeyFileArg)
......
...@@ -225,7 +225,7 @@ func TestGetAPIServerCommand(t *testing.T) { ...@@ -225,7 +225,7 @@ func TestGetAPIServerCommand(t *testing.T) {
"--authorization-mode=Node,RBAC", "--authorization-mode=Node,RBAC",
"--advertise-address=1.2.3.4", "--advertise-address=1.2.3.4",
"--etcd-servers=https://127.0.0.1:2379", "--etcd-servers=https://127.0.0.1:2379",
"--etcd-cafile=" + testCertsDir + "/ca.crt", "--etcd-cafile=" + testCertsDir + "/etcd/ca.crt",
"--etcd-certfile=" + testCertsDir + "/apiserver-etcd-client.crt", "--etcd-certfile=" + testCertsDir + "/apiserver-etcd-client.crt",
"--etcd-keyfile=" + testCertsDir + "/apiserver-etcd-client.key", "--etcd-keyfile=" + testCertsDir + "/apiserver-etcd-client.key",
}, },
...@@ -262,7 +262,7 @@ func TestGetAPIServerCommand(t *testing.T) { ...@@ -262,7 +262,7 @@ func TestGetAPIServerCommand(t *testing.T) {
"--authorization-mode=Node,RBAC", "--authorization-mode=Node,RBAC",
"--advertise-address=1.2.3.4", "--advertise-address=1.2.3.4",
"--etcd-servers=https://127.0.0.1:2379", "--etcd-servers=https://127.0.0.1:2379",
"--etcd-cafile=" + testCertsDir + "/ca.crt", "--etcd-cafile=" + testCertsDir + "/etcd/ca.crt",
"--etcd-certfile=" + testCertsDir + "/apiserver-etcd-client.crt", "--etcd-certfile=" + testCertsDir + "/apiserver-etcd-client.crt",
"--etcd-keyfile=" + testCertsDir + "/apiserver-etcd-client.key", "--etcd-keyfile=" + testCertsDir + "/apiserver-etcd-client.key",
}, },
...@@ -299,7 +299,7 @@ func TestGetAPIServerCommand(t *testing.T) { ...@@ -299,7 +299,7 @@ func TestGetAPIServerCommand(t *testing.T) {
"--authorization-mode=Node,RBAC", "--authorization-mode=Node,RBAC",
"--advertise-address=4.3.2.1", "--advertise-address=4.3.2.1",
"--etcd-servers=https://127.0.0.1:2379", "--etcd-servers=https://127.0.0.1:2379",
"--etcd-cafile=" + testCertsDir + "/ca.crt", "--etcd-cafile=" + testCertsDir + "/etcd/ca.crt",
"--etcd-certfile=" + testCertsDir + "/apiserver-etcd-client.crt", "--etcd-certfile=" + testCertsDir + "/apiserver-etcd-client.crt",
"--etcd-keyfile=" + testCertsDir + "/apiserver-etcd-client.key", "--etcd-keyfile=" + testCertsDir + "/apiserver-etcd-client.key",
}, },
...@@ -337,7 +337,7 @@ func TestGetAPIServerCommand(t *testing.T) { ...@@ -337,7 +337,7 @@ func TestGetAPIServerCommand(t *testing.T) {
"--authorization-mode=Node,RBAC", "--authorization-mode=Node,RBAC",
"--advertise-address=4.3.2.1", "--advertise-address=4.3.2.1",
"--etcd-servers=https://127.0.0.1:2379", "--etcd-servers=https://127.0.0.1:2379",
"--etcd-cafile=" + testCertsDir + "/ca.crt", "--etcd-cafile=" + testCertsDir + "/etcd/ca.crt",
"--etcd-certfile=" + testCertsDir + "/apiserver-etcd-client.crt", "--etcd-certfile=" + testCertsDir + "/apiserver-etcd-client.crt",
"--etcd-keyfile=" + testCertsDir + "/apiserver-etcd-client.key", "--etcd-keyfile=" + testCertsDir + "/apiserver-etcd-client.key",
}, },
...@@ -380,7 +380,7 @@ func TestGetAPIServerCommand(t *testing.T) { ...@@ -380,7 +380,7 @@ func TestGetAPIServerCommand(t *testing.T) {
"--authorization-mode=Node,RBAC", "--authorization-mode=Node,RBAC",
"--advertise-address=4.3.2.1", "--advertise-address=4.3.2.1",
"--etcd-servers=https://127.0.0.1:2379", "--etcd-servers=https://127.0.0.1:2379",
"--etcd-cafile=" + testCertsDir + "/ca.crt", "--etcd-cafile=" + testCertsDir + "/etcd/ca.crt",
"--etcd-certfile=" + testCertsDir + "/apiserver-etcd-client.crt", "--etcd-certfile=" + testCertsDir + "/apiserver-etcd-client.crt",
"--etcd-keyfile=" + testCertsDir + "/apiserver-etcd-client.key", "--etcd-keyfile=" + testCertsDir + "/apiserver-etcd-client.key",
}, },
...@@ -418,7 +418,7 @@ func TestGetAPIServerCommand(t *testing.T) { ...@@ -418,7 +418,7 @@ func TestGetAPIServerCommand(t *testing.T) {
"--authorization-mode=Node,RBAC", "--authorization-mode=Node,RBAC",
"--advertise-address=2001:db8::1", "--advertise-address=2001:db8::1",
"--etcd-servers=https://127.0.0.1:2379", "--etcd-servers=https://127.0.0.1:2379",
"--etcd-cafile=" + testCertsDir + "/ca.crt", "--etcd-cafile=" + testCertsDir + "/etcd/ca.crt",
"--etcd-certfile=" + testCertsDir + "/apiserver-etcd-client.crt", "--etcd-certfile=" + testCertsDir + "/apiserver-etcd-client.crt",
"--etcd-keyfile=" + testCertsDir + "/apiserver-etcd-client.key", "--etcd-keyfile=" + testCertsDir + "/apiserver-etcd-client.key",
}, },
...@@ -456,7 +456,7 @@ func TestGetAPIServerCommand(t *testing.T) { ...@@ -456,7 +456,7 @@ func TestGetAPIServerCommand(t *testing.T) {
"--authorization-mode=Node,RBAC", "--authorization-mode=Node,RBAC",
"--advertise-address=2001:db8::1", "--advertise-address=2001:db8::1",
"--etcd-servers=https://127.0.0.1:2379", "--etcd-servers=https://127.0.0.1:2379",
"--etcd-cafile=" + testCertsDir + "/ca.crt", "--etcd-cafile=" + testCertsDir + "/etcd/ca.crt",
"--etcd-certfile=" + testCertsDir + "/apiserver-etcd-client.crt", "--etcd-certfile=" + testCertsDir + "/apiserver-etcd-client.crt",
"--etcd-keyfile=" + testCertsDir + "/apiserver-etcd-client.key", "--etcd-keyfile=" + testCertsDir + "/apiserver-etcd-client.key",
}, },
...@@ -569,7 +569,7 @@ func TestGetAPIServerCommand(t *testing.T) { ...@@ -569,7 +569,7 @@ func TestGetAPIServerCommand(t *testing.T) {
"--authorization-mode=Node,RBAC", "--authorization-mode=Node,RBAC",
"--advertise-address=2001:db8::1", "--advertise-address=2001:db8::1",
"--etcd-servers=https://127.0.0.1:2379", "--etcd-servers=https://127.0.0.1:2379",
"--etcd-cafile=" + testCertsDir + "/ca.crt", "--etcd-cafile=" + testCertsDir + "/etcd/ca.crt",
"--etcd-certfile=" + testCertsDir + "/apiserver-etcd-client.crt", "--etcd-certfile=" + testCertsDir + "/apiserver-etcd-client.crt",
"--etcd-keyfile=" + testCertsDir + "/apiserver-etcd-client.key", "--etcd-keyfile=" + testCertsDir + "/apiserver-etcd-client.key",
}, },
...@@ -610,7 +610,7 @@ func TestGetAPIServerCommand(t *testing.T) { ...@@ -610,7 +610,7 @@ func TestGetAPIServerCommand(t *testing.T) {
"--authorization-mode=Node,RBAC", "--authorization-mode=Node,RBAC",
"--advertise-address=2001:db8::1", "--advertise-address=2001:db8::1",
"--etcd-servers=https://127.0.0.1:2379", "--etcd-servers=https://127.0.0.1:2379",
"--etcd-cafile=" + testCertsDir + "/ca.crt", "--etcd-cafile=" + testCertsDir + "/etcd/ca.crt",
"--etcd-certfile=" + testCertsDir + "/apiserver-etcd-client.crt", "--etcd-certfile=" + testCertsDir + "/apiserver-etcd-client.crt",
"--etcd-keyfile=" + testCertsDir + "/apiserver-etcd-client.key", "--etcd-keyfile=" + testCertsDir + "/apiserver-etcd-client.key",
fmt.Sprintf("--endpoint-reconciler-type=%s", reconcilers.LeaseEndpointReconcilerType), fmt.Sprintf("--endpoint-reconciler-type=%s", reconcilers.LeaseEndpointReconcilerType),
...@@ -652,7 +652,7 @@ func TestGetAPIServerCommand(t *testing.T) { ...@@ -652,7 +652,7 @@ func TestGetAPIServerCommand(t *testing.T) {
"--authorization-mode=Node,RBAC", "--authorization-mode=Node,RBAC",
"--advertise-address=1.2.3.4", "--advertise-address=1.2.3.4",
"--etcd-servers=https://127.0.0.1:2379", "--etcd-servers=https://127.0.0.1:2379",
"--etcd-cafile=" + testCertsDir + "/ca.crt", "--etcd-cafile=" + testCertsDir + "/etcd/ca.crt",
"--etcd-certfile=" + testCertsDir + "/apiserver-etcd-client.crt", "--etcd-certfile=" + testCertsDir + "/apiserver-etcd-client.crt",
"--etcd-keyfile=" + testCertsDir + "/apiserver-etcd-client.key", "--etcd-keyfile=" + testCertsDir + "/apiserver-etcd-client.key",
"--cloud-provider=gce", "--cloud-provider=gce",
...@@ -691,7 +691,7 @@ func TestGetAPIServerCommand(t *testing.T) { ...@@ -691,7 +691,7 @@ func TestGetAPIServerCommand(t *testing.T) {
"--authorization-mode=Node,RBAC", "--authorization-mode=Node,RBAC",
"--advertise-address=1.2.3.4", "--advertise-address=1.2.3.4",
"--etcd-servers=https://127.0.0.1:2379", "--etcd-servers=https://127.0.0.1:2379",
"--etcd-cafile=" + testCertsDir + "/ca.crt", "--etcd-cafile=" + testCertsDir + "/etcd/ca.crt",
"--etcd-certfile=" + testCertsDir + "/apiserver-etcd-client.crt", "--etcd-certfile=" + testCertsDir + "/apiserver-etcd-client.crt",
"--etcd-keyfile=" + testCertsDir + "/apiserver-etcd-client.key", "--etcd-keyfile=" + testCertsDir + "/apiserver-etcd-client.key",
"--cloud-provider=aws", "--cloud-provider=aws",
......
...@@ -30,7 +30,7 @@ import ( ...@@ -30,7 +30,7 @@ import (
const ( const (
etcdVolumeName = "etcd-data" etcdVolumeName = "etcd-data"
certsVolumeName = "k8s-certs" certsVolumeName = "etcd-certs"
) )
// CreateLocalEtcdStaticPodManifestFile will write local etcd static pod manifest file. // CreateLocalEtcdStaticPodManifestFile will write local etcd static pod manifest file.
...@@ -53,7 +53,7 @@ func GetEtcdPodSpec(cfg *kubeadmapi.MasterConfiguration) v1.Pod { ...@@ -53,7 +53,7 @@ func GetEtcdPodSpec(cfg *kubeadmapi.MasterConfiguration) v1.Pod {
pathType := v1.HostPathDirectoryOrCreate pathType := v1.HostPathDirectoryOrCreate
etcdMounts := map[string]v1.Volume{ etcdMounts := map[string]v1.Volume{
etcdVolumeName: staticpodutil.NewVolume(etcdVolumeName, cfg.Etcd.DataDir, &pathType), etcdVolumeName: staticpodutil.NewVolume(etcdVolumeName, cfg.Etcd.DataDir, &pathType),
certsVolumeName: staticpodutil.NewVolume(certsVolumeName, cfg.CertificatesDir, &pathType), certsVolumeName: staticpodutil.NewVolume(certsVolumeName, cfg.CertificatesDir+"/etcd", &pathType),
} }
return staticpodutil.ComponentPod(v1.Container{ return staticpodutil.ComponentPod(v1.Container{
Name: kubeadmconstants.Etcd, Name: kubeadmconstants.Etcd,
...@@ -63,7 +63,7 @@ func GetEtcdPodSpec(cfg *kubeadmapi.MasterConfiguration) v1.Pod { ...@@ -63,7 +63,7 @@ func GetEtcdPodSpec(cfg *kubeadmapi.MasterConfiguration) v1.Pod {
// Mount the etcd datadir path read-write so etcd can store data in a more persistent manner // Mount the etcd datadir path read-write so etcd can store data in a more persistent manner
VolumeMounts: []v1.VolumeMount{ VolumeMounts: []v1.VolumeMount{
staticpodutil.NewVolumeMount(etcdVolumeName, cfg.Etcd.DataDir, false), staticpodutil.NewVolumeMount(etcdVolumeName, cfg.Etcd.DataDir, false),
staticpodutil.NewVolumeMount(certsVolumeName, cfg.CertificatesDir, false), staticpodutil.NewVolumeMount(certsVolumeName, cfg.CertificatesDir+"/etcd", false),
}, },
LivenessProbe: staticpodutil.ComponentProbe(cfg, kubeadmconstants.Etcd, 2379, "/health", v1.URISchemeHTTP), LivenessProbe: staticpodutil.ComponentProbe(cfg, kubeadmconstants.Etcd, 2379, "/health", v1.URISchemeHTTP),
}, etcdMounts) }, etcdMounts)
...@@ -77,11 +77,11 @@ func getEtcdCommand(cfg *kubeadmapi.MasterConfiguration) []string { ...@@ -77,11 +77,11 @@ func getEtcdCommand(cfg *kubeadmapi.MasterConfiguration) []string {
"data-dir": cfg.Etcd.DataDir, "data-dir": cfg.Etcd.DataDir,
"cert-file": filepath.Join(cfg.CertificatesDir, kubeadmconstants.EtcdServerCertName), "cert-file": filepath.Join(cfg.CertificatesDir, kubeadmconstants.EtcdServerCertName),
"key-file": filepath.Join(cfg.CertificatesDir, kubeadmconstants.EtcdServerKeyName), "key-file": filepath.Join(cfg.CertificatesDir, kubeadmconstants.EtcdServerKeyName),
"trusted-ca-file": filepath.Join(cfg.CertificatesDir, kubeadmconstants.CACertName), "trusted-ca-file": filepath.Join(cfg.CertificatesDir, kubeadmconstants.EtcdCACertName),
"client-cert-auth": "true", "client-cert-auth": "true",
"peer-cert-file": filepath.Join(cfg.CertificatesDir, kubeadmconstants.EtcdPeerCertName), "peer-cert-file": filepath.Join(cfg.CertificatesDir, kubeadmconstants.EtcdPeerCertName),
"peer-key-file": filepath.Join(cfg.CertificatesDir, kubeadmconstants.EtcdPeerKeyName), "peer-key-file": filepath.Join(cfg.CertificatesDir, kubeadmconstants.EtcdPeerKeyName),
"peer-trusted-ca-file": filepath.Join(cfg.CertificatesDir, kubeadmconstants.CACertName), "peer-trusted-ca-file": filepath.Join(cfg.CertificatesDir, kubeadmconstants.EtcdCACertName),
"peer-client-cert-auth": "true", "peer-client-cert-auth": "true",
} }
......
...@@ -84,11 +84,11 @@ func TestGetEtcdCommand(t *testing.T) { ...@@ -84,11 +84,11 @@ func TestGetEtcdCommand(t *testing.T) {
"--data-dir=/var/lib/etcd", "--data-dir=/var/lib/etcd",
"--cert-file=" + kubeadmconstants.EtcdServerCertName, "--cert-file=" + kubeadmconstants.EtcdServerCertName,
"--key-file=" + kubeadmconstants.EtcdServerKeyName, "--key-file=" + kubeadmconstants.EtcdServerKeyName,
"--trusted-ca-file=" + kubeadmconstants.CACertName, "--trusted-ca-file=" + kubeadmconstants.EtcdCACertName,
"--client-cert-auth=true", "--client-cert-auth=true",
"--peer-cert-file=" + kubeadmconstants.EtcdPeerCertName, "--peer-cert-file=" + kubeadmconstants.EtcdPeerCertName,
"--peer-key-file=" + kubeadmconstants.EtcdPeerKeyName, "--peer-key-file=" + kubeadmconstants.EtcdPeerKeyName,
"--peer-trusted-ca-file=" + kubeadmconstants.CACertName, "--peer-trusted-ca-file=" + kubeadmconstants.EtcdCACertName,
"--peer-client-cert-auth=true", "--peer-client-cert-auth=true",
}, },
}, },
...@@ -109,11 +109,11 @@ func TestGetEtcdCommand(t *testing.T) { ...@@ -109,11 +109,11 @@ func TestGetEtcdCommand(t *testing.T) {
"--data-dir=/var/lib/etcd", "--data-dir=/var/lib/etcd",
"--cert-file=" + kubeadmconstants.EtcdServerCertName, "--cert-file=" + kubeadmconstants.EtcdServerCertName,
"--key-file=" + kubeadmconstants.EtcdServerKeyName, "--key-file=" + kubeadmconstants.EtcdServerKeyName,
"--trusted-ca-file=" + kubeadmconstants.CACertName, "--trusted-ca-file=" + kubeadmconstants.EtcdCACertName,
"--client-cert-auth=true", "--client-cert-auth=true",
"--peer-cert-file=" + kubeadmconstants.EtcdPeerCertName, "--peer-cert-file=" + kubeadmconstants.EtcdPeerCertName,
"--peer-key-file=" + kubeadmconstants.EtcdPeerKeyName, "--peer-key-file=" + kubeadmconstants.EtcdPeerKeyName,
"--peer-trusted-ca-file=" + kubeadmconstants.CACertName, "--peer-trusted-ca-file=" + kubeadmconstants.EtcdCACertName,
"--peer-client-cert-auth=true", "--peer-client-cert-auth=true",
}, },
}, },
...@@ -128,11 +128,11 @@ func TestGetEtcdCommand(t *testing.T) { ...@@ -128,11 +128,11 @@ func TestGetEtcdCommand(t *testing.T) {
"--data-dir=/etc/foo", "--data-dir=/etc/foo",
"--cert-file=" + kubeadmconstants.EtcdServerCertName, "--cert-file=" + kubeadmconstants.EtcdServerCertName,
"--key-file=" + kubeadmconstants.EtcdServerKeyName, "--key-file=" + kubeadmconstants.EtcdServerKeyName,
"--trusted-ca-file=" + kubeadmconstants.CACertName, "--trusted-ca-file=" + kubeadmconstants.EtcdCACertName,
"--client-cert-auth=true", "--client-cert-auth=true",
"--peer-cert-file=" + kubeadmconstants.EtcdPeerCertName, "--peer-cert-file=" + kubeadmconstants.EtcdPeerCertName,
"--peer-key-file=" + kubeadmconstants.EtcdPeerKeyName, "--peer-key-file=" + kubeadmconstants.EtcdPeerKeyName,
"--peer-trusted-ca-file=" + kubeadmconstants.CACertName, "--peer-trusted-ca-file=" + kubeadmconstants.EtcdCACertName,
"--peer-client-cert-auth=true", "--peer-client-cert-auth=true",
}, },
}, },
......
...@@ -136,17 +136,22 @@ func upgradeComponent(component string, waiter apiclient.Waiter, pathMgr StaticP ...@@ -136,17 +136,22 @@ func upgradeComponent(component string, waiter apiclient.Waiter, pathMgr StaticP
} }
// ensure etcd certs are generated for etcd and kube-apiserver // ensure etcd certs are generated for etcd and kube-apiserver
if component == constants.Etcd || component == constants.KubeAPIServer {
if err := certsphase.CreateEtcdCACertAndKeyFiles(cfg); err != nil {
return fmt.Errorf("failed to upgrade the %s CA certificate and key: %v", constants.Etcd, err)
}
}
if component == constants.Etcd { if component == constants.Etcd {
if err := certsphase.CreateEtcdServerCertAndKeyFiles(cfg); err != nil { if err := certsphase.CreateEtcdServerCertAndKeyFiles(cfg); err != nil {
return fmt.Errorf("failed to upgrade the %s certificate: %v", constants.Etcd, err) return fmt.Errorf("failed to upgrade the %s certificate and key: %v", constants.Etcd, err)
} }
if err := certsphase.CreateEtcdPeerCertAndKeyFiles(cfg); err != nil { if err := certsphase.CreateEtcdPeerCertAndKeyFiles(cfg); err != nil {
return fmt.Errorf("failed to upgrade the %s peer certificate: %v", constants.Etcd, err) return fmt.Errorf("failed to upgrade the %s peer certificate and key: %v", constants.Etcd, err)
} }
} }
if component == constants.KubeAPIServer { if component == constants.KubeAPIServer {
if err := certsphase.CreateAPIServerEtcdClientCertAndKeyFiles(cfg); err != nil { if err := certsphase.CreateAPIServerEtcdClientCertAndKeyFiles(cfg); err != nil {
return fmt.Errorf("failed to upgrade the %s %s-client certificate: %v", constants.KubeAPIServer, constants.Etcd, err) return fmt.Errorf("failed to upgrade the %s %s-client certificate and key: %v", constants.KubeAPIServer, constants.Etcd, err)
} }
} }
......
...@@ -321,9 +321,10 @@ func TestStaticPodControlPlane(t *testing.T) { ...@@ -321,9 +321,10 @@ func TestStaticPodControlPlane(t *testing.T) {
// Initialize PKI minus any etcd certificates to simulate etcd PKI upgrade // Initialize PKI minus any etcd certificates to simulate etcd PKI upgrade
certActions := []func(cfg *kubeadmapi.MasterConfiguration) error{ certActions := []func(cfg *kubeadmapi.MasterConfiguration) error{
certsphase.CreateCACertAndKeyfiles, certsphase.CreateCACertAndKeyFiles,
certsphase.CreateAPIServerCertAndKeyFiles, certsphase.CreateAPIServerCertAndKeyFiles,
certsphase.CreateAPIServerKubeletClientCertAndKeyFiles, certsphase.CreateAPIServerKubeletClientCertAndKeyFiles,
// certsphase.CreateEtcdCACertAndKeyFiles,
// certsphase.CreateEtcdServerCertAndKeyFiles, // certsphase.CreateEtcdServerCertAndKeyFiles,
// certsphase.CreateEtcdPeerCertAndKeyFiles, // certsphase.CreateEtcdPeerCertAndKeyFiles,
// certsphase.CreateAPIServerEtcdClientCertAndKeyFiles, // certsphase.CreateAPIServerEtcdClientCertAndKeyFiles,
......
...@@ -24,6 +24,7 @@ docs/admin/kubeadm_alpha_phase_certs_apiserver-etcd-client.md ...@@ -24,6 +24,7 @@ docs/admin/kubeadm_alpha_phase_certs_apiserver-etcd-client.md
docs/admin/kubeadm_alpha_phase_certs_apiserver-kubelet-client.md docs/admin/kubeadm_alpha_phase_certs_apiserver-kubelet-client.md
docs/admin/kubeadm_alpha_phase_certs_apiserver.md docs/admin/kubeadm_alpha_phase_certs_apiserver.md
docs/admin/kubeadm_alpha_phase_certs_ca.md docs/admin/kubeadm_alpha_phase_certs_ca.md
docs/admin/kubeadm_alpha_phase_certs_etcd-ca.md
docs/admin/kubeadm_alpha_phase_certs_etcd-peer.md docs/admin/kubeadm_alpha_phase_certs_etcd-peer.md
docs/admin/kubeadm_alpha_phase_certs_etcd-server.md docs/admin/kubeadm_alpha_phase_certs_etcd-server.md
docs/admin/kubeadm_alpha_phase_certs_front-proxy-ca.md docs/admin/kubeadm_alpha_phase_certs_front-proxy-ca.md
...@@ -90,6 +91,7 @@ docs/man/man1/kubeadm-alpha-phase-certs-apiserver-etcd-client.1 ...@@ -90,6 +91,7 @@ docs/man/man1/kubeadm-alpha-phase-certs-apiserver-etcd-client.1
docs/man/man1/kubeadm-alpha-phase-certs-apiserver-kubelet-client.1 docs/man/man1/kubeadm-alpha-phase-certs-apiserver-kubelet-client.1
docs/man/man1/kubeadm-alpha-phase-certs-apiserver.1 docs/man/man1/kubeadm-alpha-phase-certs-apiserver.1
docs/man/man1/kubeadm-alpha-phase-certs-ca.1 docs/man/man1/kubeadm-alpha-phase-certs-ca.1
docs/man/man1/kubeadm-alpha-phase-certs-etcd-ca.1
docs/man/man1/kubeadm-alpha-phase-certs-etcd-peer.1 docs/man/man1/kubeadm-alpha-phase-certs-etcd-peer.1
docs/man/man1/kubeadm-alpha-phase-certs-etcd-server.1 docs/man/man1/kubeadm-alpha-phase-certs-etcd-server.1
docs/man/man1/kubeadm-alpha-phase-certs-front-proxy-ca.1 docs/man/man1/kubeadm-alpha-phase-certs-front-proxy-ca.1
......
This file is autogenerated, but we've stopped checking such files into the
repository to reduce the need for rebases. Please run hack/generate-docs.sh to
populate this file.
This file is autogenerated, but we've stopped checking such files into the
repository to reduce the need for rebases. Please run hack/generate-docs.sh to
populate this file.
Markdown is supported
0% or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment