• Kubernetes Submit Queue's avatar
    Merge pull request #57415 from stealthybox/feature/kubeadm_594-etcd_tls · b32e9c45
    Kubernetes Submit Queue authored
    Automatic merge from submit-queue (batch tested with PRs 59159, 60318, 60079, 59371, 57415). If you want to cherry-pick this change to another branch, please follow the instructions <a href="https://github.com/kubernetes/community/blob/master/contributors/devel/cherry-picks.md">here</a>.
    
    Feature/kubeadm 594 etcd TLS on init/upgrade
    
    **What this PR does / why we need it**:
    On `kubeadm init`/`kubeadm upgrade`, this PR generates certificates for securing local etcd:
    - etcd serving cert
    - etcd peer cert
    - apiserver etcd client cert
    
    Flags and hostMounts are added to the etcd and apiserver static-pods to load these certs.
    For connections to etcd, `https` is now used in favor of `http` and tests have been added/updated.
    
    Etcd only listens on localhost, so the serving cert SAN defaults to `DNS:localhost,IP:127.0.0.1`.
    The etcd peer cert has SANs for `<hostname>,<api-advertise-address>`, but is unused.
    
    New kubeadm config options, `Etcd.ServerCertSANs` and `Etcd.PeerCertSANs`, are used for user additions to the default certificate SANs for the etcd server and peer certs.
    
    This feature continues to utilize the existence of `MasterConfiguration.Etcd.Endpoints` as a feature gate for external-etcd.
    If the user passes flags to configure `Etcd.{CAFile,CertFile,KeyFile}` but they omit `Endpoints`, these flags will be unused, and a warning is printed.
    
    New phase commands:
    ```
    kubeadm alpha phase certs etcd-server
    kubeadm alpha phase certs etcd-peer
    kubeadm alpha phase certs apiserver-etcd-client 
    ```
    
    **Which issue(s) this PR fixes**
    Fixes https://github.com/kubernetes/kubeadm/issues/594
    
    **Special notes for your reviewer**:
    
    #### on the master
    these should fail:
    ```bash
    curl localhost:2379/v2/keys  # no output
    curl --cacert /etc/kubernetes/pki/ca.crt https://localhost:2379/v2/keys  # handshake error
    ```
    these should succeed:
    ```
    cd /etc/kubernetes/pki
    curl --cacert ca.crt --cert apiserver-etcd-client.crt --key apiserver-etcd-client.key https://localhost:2379/v2/keys
    ```
    
    **Release note**:
    ```release-note
    On cluster provision or upgrade, kubeadm now generates certs and secures all connections to the etcd static-pod with mTLS.
    ```
    b32e9c45
Name
Last commit
Last update
..
admin Loading commit data...
api-reference Loading commit data...
man/man1 Loading commit data...
user-guide/kubectl Loading commit data...
yaml/kubectl Loading commit data...
.generated_docs Loading commit data...
BUILD Loading commit data...
OWNERS Loading commit data...