Allow talking to secure etcd (authentication through client certs)

cmd/bootkube/start.go

@@ -24,17 +24,21 @@ var (
 	}
 
 	startOpts struct {
-		assetDir       string
-		etcdServer     string
-		selfHostedEtcd bool
+		assetDir              string
+		etcdServer            string
+		etcdAuthEnabled       bool
+		selfHostedEtcd        bool
+		serviceClusterIPRange string
 	}
 )
 
 func init() {
 	cmdRoot.AddCommand(cmdStart)
 	cmdStart.Flags().StringVar(&startOpts.etcdServer, "etcd-server", "http://127.0.0.1:2379", "Single etcd node to use during bootkube bootstrap process.")
+	cmdStart.Flags().BoolVar(&startOpts.etcdAuthEnabled, "etcd-auth-enabled", false, "Etcd requires authentication through client certificates.")
 	cmdStart.Flags().StringVar(&startOpts.assetDir, "asset-dir", "", "Path to the cluster asset directory. Expected layout genereted by the `bootkube render` command.")
 	cmdStart.Flags().BoolVar(&startOpts.selfHostedEtcd, "experimental-self-hosted-etcd", false, "Self hosted etcd mode. Includes starting the initial etcd member by bootkube.")
+	cmdStart.Flags().StringVar(&startOpts.serviceClusterIPRange, "service-cluster-ip-range", "10.3.0.0/24", "A CIDR notation IP range from which to assign service cluster IPs.")
 }
 
 func runCmdStart(cmd *cobra.Command, args []string) error {
@@ -51,9 +55,11 @@ func runCmdStart(cmd *cobra.Command, args []string) error {
 	}
 
 	bk, err := bootkube.NewBootkube(bootkube.Config{
-		AssetDir:       startOpts.assetDir,
-		EtcdServer:     etcdServer,
-		SelfHostedEtcd: startOpts.selfHostedEtcd,
+		AssetDir:              startOpts.assetDir,
+		EtcdServer:            etcdServer,
+		EtcdAuthEnabled:       startOpts.etcdAuthEnabled,
+		SelfHostedEtcd:        startOpts.selfHostedEtcd,
+		ServiceClusterIPRange: startOpts.serviceClusterIPRange,
 	})
 
 	if err != nil {

pkg/asset/asset.go

@@ -21,6 +21,9 @@ const (
 	AssetPathServiceAccountPubKey    = "tls/service-account.pub"
 	AssetPathKubeletKey              = "tls/kubelet.key"
 	AssetPathKubeletCert             = "tls/kubelet.crt"
+	AssetPathEtcdCACert              = "tls/etcd-ca.crt"
+	AssetPathEtcdKey                 = "tls/etcd.key"
+	AssetPathEtcdCert                = "tls/etcd.crt"
 	AssetPathKubeConfig              = "auth/kubeconfig"
 	AssetPathManifests               = "manifests"
 	AssetPathKubelet                 = "manifests/kubelet.yaml"

pkg/bootkube/bootkube.go

@@ -30,9 +30,11 @@ var requiredPods = []string{
 }
 
 type Config struct {
-	AssetDir       string
-	EtcdServer     *url.URL
-	SelfHostedEtcd bool
+	AssetDir              string
+	EtcdServer            *url.URL
+	EtcdAuthEnabled       bool
+	SelfHostedEtcd        bool
+	ServiceClusterIPRange string
 }
 
 type bootkube struct {
@@ -86,14 +88,20 @@ func makeAPIServerFlags(config Config) []string {
 		"--tls-cert-file=" + filepath.Join(config.AssetDir, asset.AssetPathAPIServerCert),
 		"--client-ca-file=" + filepath.Join(config.AssetDir, asset.AssetPathCACert),
 		"--etcd-servers=" + config.EtcdServer.String(),
-		"--service-cluster-ip-range=10.3.0.0/24",
 		"--service-account-key-file=" + filepath.Join(config.AssetDir, asset.AssetPathServiceAccountPubKey),
 		"--admission-control=NamespaceLifecycle,ServiceAccount",
 		"--runtime-config=api/all=true",
+		"--service-cluster-ip-range=" + config.ServiceClusterIPRange,
 	}
 	if config.SelfHostedEtcd {
 		res = append(res, "--storage-backend=etcd3")
 	}
+	if config.EtcdAuthEnabled {
+		res = append(res, "--etcd-cafile="+filepath.Join(config.AssetDir, asset.AssetPathEtcdCACert))
+		res = append(res, "--etcd-keyfile="+filepath.Join(config.AssetDir, asset.AssetPathEtcdKey))
+		res = append(res, "--etcd-certfile="+filepath.Join(config.AssetDir, asset.AssetPathEtcdCert))
+	}
+
 	return res
 }