Add support for proxy client certs

This enables external admission controller webhooks, api aggregation,
and anything else that relies on the
--proxy-client-cert-file/--proxy-client-key-file apiserver args.

nodeup/pkg/model/kubeapiserver.go

@@ -163,6 +163,7 @@ func (b *KubeAPIServerBuilder) buildPod() (*v1.Pod, error) {
 		kubeAPIServer.EtcdServersOverrides = []string{"/events#https://127.0.0.1:4002"}
 	}
 
+<<<<<<< HEAD
 	// @check if we are using secure kubelet client certificates
 	if b.UseSecureKubelet() {
 		// @note we are making assumption were using the ones created by the pki model, not custom defined ones
@@ -171,6 +172,15 @@ func (b *KubeAPIServerBuilder) buildPod() (*v1.Pod, error) {
 	}
 
 	// build the kube-apiserver flags for the service
+=======
+	if b.IsKubernetesGTE("1.7") {
+		certPath := filepath.Join(b.PathSrvKubernetes(), "proxy-client.cert")
+		kubeAPIServer.ProxyClientCertFile = &certPath
+		keyPath := filepath.Join(b.PathSrvKubernetes(), "proxy-client.key")
+		kubeAPIServer.ProxyClientKeyFile = &keyPath
+	}
+
+>>>>>>> Add support for proxy client certs
 	flags, err := flagbuilder.BuildFlags(b.Cluster.Spec.KubeAPIServer)
 	if err != nil {
 		return nil, fmt.Errorf("error building kube-apiserver flags: %v", err)

nodeup/pkg/model/secrets.go

@@ -116,6 +116,43 @@ func (b *SecretBuilder) Build(c *fi.ModelBuilderContext) error {
 		c.AddTask(t)
 	}
 
+	if b.IsKubernetesGTE("1.7") {
+
+		cert, err := b.KeyStore.Cert("kube-proxy-client")
+		if err != nil {
+			return fmt.Errorf("proxy client cert lookup failed: %v", err.Error())
+		}
+
+		serialized, err := cert.AsString()
+		if err != nil {
+			return err
+		}
+
+		t := &nodetasks.File{
+			Path:     filepath.Join(b.PathSrvKubernetes(), "proxy-client.cert"),
+			Contents: fi.NewStringResource(serialized),
+			Type:     nodetasks.FileType_File,
+		}
+		c.AddTask(t)
+
+		key, err := b.KeyStore.PrivateKey("kube-proxy-client")
+		if err != nil {
+			return fmt.Errorf("proxy client private key lookup failed: %v", err.Error())
+		}
+
+		serialized, err = key.AsString()
+		if err != nil {
+			return err
+		}
+
+		t = &nodetasks.File{
+			Path:     filepath.Join(b.PathSrvKubernetes(), "proxy-client.key"),
+			Contents: fi.NewStringResource(serialized),
+			Type:     nodetasks.FileType_File,
+		}
+		c.AddTask(t)
+	}
+
 	if b.SecretStore != nil {
 		key := "kube"
 		token, err := b.SecretStore.FindSecret(key)

pkg/apis/kops/componentconfig.go

@@ -228,6 +228,10 @@ type KubeAPIServerConfig struct {
 	OIDCClientID *string `json:"oidcClientID,omitempty" flag:"oidc-client-id"`
 	// If set, the OpenID server's certificate will be verified by one of the authorities in the oidc-ca-file
 	OIDCCAFile *string `json:"oidcCAFile,omitempty" flag:"oidc-ca-file"`
+	// The apiserver's client certificate used for outbound requests.
+	ProxyClientCertFile *string `json:"proxyClientCertFile,omitempty" flag:"proxy-client-cert-file"`
+	// The apiserver's client key used for outbound requests.
+	ProxyClientKeyFile *string `json:"proxyClientKeyFile,omitempty" flag:"proxy-client-key-file"`
 	// If set, all requests coming to the apiserver will be logged to this file.
 	AuditLogPath *string `json:"auditLogPath,omitempty" flag:"audit-log-path"`
 	// The maximum number of days to retain old audit log files based on the timestamp encoded in their filename.

pkg/apis/kops/v1alpha1/componentconfig.go

@@ -228,6 +228,10 @@ type KubeAPIServerConfig struct {
 	OIDCClientID *string `json:"oidcClientID,omitempty" flag:"oidc-client-id"`
 	// If set, the OpenID server's certificate will be verified by one of the authorities in the oidc-ca-file
 	OIDCCAFile *string `json:"oidcCAFile,omitempty" flag:"oidc-ca-file"`
+	// The apiserver's client certificate used for outbound requests.
+	ProxyClientCertFile *string `json:"proxyClientCertFile,omitempty" flag:"proxy-client-cert-file"`
+	// The apiserver's client key used for outbound requests.
+	ProxyClientKeyFile *string `json:"proxyClientKeyFile,omitempty" flag:"proxy-client-key-file"`
 	// If set, all requests coming to the apiserver will be logged to this file.
 	AuditLogPath *string `json:"auditLogPath,omitempty" flag:"audit-log-path"`
 	// The maximum number of days to retain old audit log files based on the timestamp encoded in their filename.

pkg/apis/kops/v1alpha1/zz_generated.conversion.go

@@ -1518,6 +1518,8 @@ func autoConvert_v1alpha1_KubeAPIServerConfig_To_kops_KubeAPIServerConfig(in *Ku
 	out.OIDCIssuerURL = in.OIDCIssuerURL
 	out.OIDCClientID = in.OIDCClientID
 	out.OIDCCAFile = in.OIDCCAFile
+	out.ProxyClientCertFile = in.ProxyClientCertFile
+	out.ProxyClientKeyFile = in.ProxyClientKeyFile
 	out.AuditLogPath = in.AuditLogPath
 	out.AuditLogMaxAge = in.AuditLogMaxAge
 	out.AuditLogMaxBackups = in.AuditLogMaxBackups
@@ -1566,6 +1568,8 @@ func autoConvert_kops_KubeAPIServerConfig_To_v1alpha1_KubeAPIServerConfig(in *ko
 	out.OIDCIssuerURL = in.OIDCIssuerURL
 	out.OIDCClientID = in.OIDCClientID
 	out.OIDCCAFile = in.OIDCCAFile
+	out.ProxyClientCertFile = in.ProxyClientCertFile
+	out.ProxyClientKeyFile = in.ProxyClientKeyFile
 	out.AuditLogPath = in.AuditLogPath
 	out.AuditLogMaxAge = in.AuditLogMaxAge
 	out.AuditLogMaxBackups = in.AuditLogMaxBackups

pkg/apis/kops/v1alpha2/componentconfig.go

@@ -228,6 +228,10 @@ type KubeAPIServerConfig struct {
 	OIDCClientID *string `json:"oidcClientID,omitempty" flag:"oidc-client-id"`
 	// If set, the OpenID server's certificate will be verified by one of the authorities in the oidc-ca-file
 	OIDCCAFile *string `json:"oidcCAFile,omitempty" flag:"oidc-ca-file"`
+	// The apiserver's client certificate used for outbound requests.
+	ProxyClientCertFile *string `json:"proxyClientCertFile,omitempty" flag:"proxy-client-cert-file"`
+	// The apiserver's client key used for outbound requests.
+	ProxyClientKeyFile *string `json:"proxyClientKeyFile,omitempty" flag:"proxy-client-key-file"`
 	// If set, all requests coming to the apiserver will be logged to this file.
 	AuditLogPath *string `json:"auditLogPath,omitempty" flag:"audit-log-path"`
 	// The maximum number of days to retain old audit log files based on the timestamp encoded in their filename.

pkg/apis/kops/v1alpha2/zz_generated.conversion.go

@@ -1626,6 +1626,8 @@ func autoConvert_v1alpha2_KubeAPIServerConfig_To_kops_KubeAPIServerConfig(in *Ku
 	out.OIDCIssuerURL = in.OIDCIssuerURL
 	out.OIDCClientID = in.OIDCClientID
 	out.OIDCCAFile = in.OIDCCAFile
+	out.ProxyClientCertFile = in.ProxyClientCertFile
+	out.ProxyClientKeyFile = in.ProxyClientKeyFile
 	out.AuditLogPath = in.AuditLogPath
 	out.AuditLogMaxAge = in.AuditLogMaxAge
 	out.AuditLogMaxBackups = in.AuditLogMaxBackups
@@ -1674,6 +1676,8 @@ func autoConvert_kops_KubeAPIServerConfig_To_v1alpha2_KubeAPIServerConfig(in *ko
 	out.OIDCIssuerURL = in.OIDCIssuerURL
 	out.OIDCClientID = in.OIDCClientID
 	out.OIDCCAFile = in.OIDCCAFile
+	out.ProxyClientCertFile = in.ProxyClientCertFile
+	out.ProxyClientKeyFile = in.ProxyClientKeyFile
 	out.AuditLogPath = in.AuditLogPath
 	out.AuditLogMaxAge = in.AuditLogMaxAge
 	out.AuditLogMaxBackups = in.AuditLogMaxBackups

pkg/apis/kops/validation/validation.go

@@ -60,6 +60,10 @@ func validateClusterSpec(spec *kops.ClusterSpec, fieldPath *field.Path) field.Er
 		allErrs = append(allErrs, validateHook(&spec.Hooks[i], fieldPath.Child("hooks").Index(i))...)
 	}
 
+	if spec.KubeAPIServer != nil {
+		allErrs = append(allErrs, validateKubeAPIServer(spec.KubeAPIServer, fieldPath.Child("kubeAPIServer"))...)
+	}
+
 	return allErrs
 }
 
@@ -155,3 +159,18 @@ func validateExecContainerAction(v *kops.ExecContainerAction, fldPath *field.Pat
 
 	return allErrs
 }
+
+func validateKubeAPIServer(v *kops.KubeAPIServerConfig, fldPath *field.Path) field.ErrorList {
+
+	allErrs := field.ErrorList{}
+
+	proxyClientCertIsNil := v.ProxyClientCertFile == nil
+	proxyClientKeyIsNil := v.ProxyClientKeyFile == nil
+
+	if (proxyClientCertIsNil && !proxyClientKeyIsNil) || (!proxyClientCertIsNil && proxyClientKeyIsNil) {
+		flds := [2]*string{v.ProxyClientCertFile, v.ProxyClientKeyFile}
+		allErrs = append(allErrs, field.Invalid(fldPath, flds, "ProxyClientCertFile and ProxyClientKeyFile must both be specified (or not all)"))
+	}
+
+	return allErrs
+}

pkg/apis/kops/validation/validation_test.go

@@ -17,11 +17,12 @@ limitations under the License.
 package validation
 
 import (
+	"testing"
+
 	"k8s.io/apimachinery/pkg/util/sets"
 	"k8s.io/apimachinery/pkg/util/validation"
 	"k8s.io/apimachinery/pkg/util/validation/field"
 	"k8s.io/kops/pkg/apis/kops"
-	"testing"
 )
 
 func Test_Validate_DNS(t *testing.T) {
@@ -143,6 +144,37 @@ func TestValidateSubnets(t *testing.T) {
 	}
 }
 
+func TestValidateKubeAPIServer(t *testing.T) {
+	str := "foobar"
+
+	grid := []struct {
+		Input          kops.KubeAPIServerConfig
+		ExpectedErrors []string
+	}{
+		{
+			Input: kops.KubeAPIServerConfig{
+				ProxyClientCertFile: &str,
+			},
+			ExpectedErrors: []string{
+				"Invalid value::KubeAPIServer",
+			},
+		},
+		{
+			Input: kops.KubeAPIServerConfig{
+				ProxyClientKeyFile: &str,
+			},
+			ExpectedErrors: []string{
+				"Invalid value::KubeAPIServer",
+			},
+		},
+	}
+	for _, g := range grid {
+		errs := validateKubeAPIServer(&g.Input, field.NewPath("KubeAPIServer"))
+
+		testErrors(t, g.Input, errs, g.ExpectedErrors)
+	}
+}
+
 func Test_Validate_DockerConfig_Storage(t *testing.T) {
 	for _, name := range []string{"aufs", "zfs", "overlay"} {
 		config := &kops.DockerConfig{Storage: &name}

pkg/model/pki.go

@@ -131,6 +131,16 @@ func (b *PKIModelBuilder) Build(c *fi.ModelBuilderContext) error {
 		c.AddTask(t)
 	}
 
+	{
+		t := &fitasks.Keypair{
+			Name:      fi.String("kube-proxy-client"),
+			Lifecycle: b.Lifecycle,
+			Subject:   "cn=kube-proxy-client",
+			Type:      "client",
+		}
+		c.AddTask(t)
+	}
+
 	{
 		t := &fitasks.Keypair{
 			Name:      fi.String("kops"),