salt: Use certificates pillar for etcd role
This pillar entry will be consumed by the Salt
formulas configuring etcd, the beacon and the
reactor listening for certificate expiration
events.

If the path of an expired certificate matches one
in this list, the sls under `regen_sls` will be run.

Refs: #1887
alexandre-allard committed Dec 15, 2020
1 parent ee6e3ad commit 3668347
Showing 7 changed files with 53 additions and 12 deletions.
2 changes: 0 additions & 2 deletions pillar/metalk8s/roles/ca.sls
Expand Up @@ -44,14 +44,12 @@ x509_signing_policies:
- signing_cert: /etc/kubernetes/pki/etcd/ca.crt
- keyUsage: critical digitalSignature, keyEncipherment
- extendedKeyUsage: clientAuth
- days_valid: 365
etcd_server_client_policy:
- minions: '*'
- signing_private_key: /etc/kubernetes/pki/etcd/ca.key
- signing_cert: /etc/kubernetes/pki/etcd/ca.crt
- keyUsage: critical digitalSignature, keyEncipherment
- extendedKeyUsage: serverAuth, clientAuth
- days_valid: 365
front_proxy_client_policy:
- minions: '*'
- signing_private_key: /etc/kubernetes/pki/front-proxy-ca.key
17 changes: 17 additions & 0 deletions pillar/metalk8s/roles/etcd.sls
@@ -0,0 +1,17 @@
certificates:
client:
files:
etcd-healthcheck:
watched: True
kubeconfig:
files:
calico:
watched: True
kubelet:
watched: True
server:
files:
etcd-peer:
watched: True
etcd:
watched: True
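Review bot: Each of the five `watched: True` entries uses the capitalised YAML 1.1 boolean; Salt's loader accepts it, but yamllint's `truthy` rule and the usual convention want `watched: true`, so I would lower-case them before more pillar files copy the pattern. The file also starts without a `---` document marker, which is worth keeping consistent with the other role pillars. The commit message says an expired certificate's path is matched against this list and the sls under `regen_sls` is run, yet neither `path` nor `regen_sls` appears here, so presumably both come from defaults in `metalk8s/map.jinja`; a one-line header comment stating that, e.g. `# Per-file overrides only; path, regen_sls and validity defaults are supplied by map.jinja`, would save the next reader a search.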
9 changes: 8 additions & 1 deletion salt/metalk8s/kubernetes/etcd/certs/healthcheck-client.sls
@@ -1,3 +1,4 @@
{%- from "metalk8s/map.jinja" import certificates with context %}
{%- from "metalk8s/map.jinja" import etcd with context %}
{%- set private_key_path = "/etc/kubernetes/pki/etcd/healthcheck-client.key" %}
Expand All @@ -22,12 +23,18 @@ Create etcd healthcheck client private key:
Generate etcd healthcheck client certificate:
x509.certificate_managed:
- name: /etc/kubernetes/pki/etcd/healthcheck-client.crt
- name: {{ certificates.client.files['etcd-healthcheck'].path }}
- public_key: {{ private_key_path }}
- ca_server: {{ pillar['metalk8s']['ca']['minion'] }}
- signing_policy: {{ etcd.cert.healthcheck_client_signing_policy }}
- CN: kube-etcd-healthcheck-client
- O: "system:masters"
- days_valid: {{
certificates.client.files['etcd-healthcheck'].days_valid |
default(certificates.client.days_valid) }}
- days_remaining: {{
certificates.client.files['etcd-healthcheck'].days_remaining |
default(certificates.client.days_remaining) }}
- user: root
- group: root
- mode: 644
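Review bot: The new `days_valid` and `days_remaining` values fall back through Jinja's `default()` filter, which only fires when the attribute is undefined, not when the pillar sets the key to an empty or null value; a user writing `days_valid:` with no value under the `etcd-healthcheck` entry would hand `days_valid: None` to `x509.certificate_managed` instead of the client-level default. Using the boolean form, `default(certificates.client.days_valid, true)` and `default(certificates.client.days_remaining, true)`, covers both cases; the same two lines recur in peer.sls and server.sls in this commit. Whether map.jinja can actually yield a null here is not visible on this page, so treat this as hardening rather than a confirmed bug. The `Generate etcd healthcheck client certificate` state continues past the hunk after the `mode` line.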
9 changes: 8 additions & 1 deletion salt/metalk8s/kubernetes/etcd/certs/peer.sls
@@ -1,3 +1,4 @@
{%- from "metalk8s/map.jinja" import certificates with context %}
{%- from "metalk8s/map.jinja" import etcd with context %}
{%- set private_key_path = "/etc/kubernetes/pki/etcd/peer.key" %}
Expand All @@ -22,12 +23,18 @@ Create etcd peer private key:
Generate etcd peer certificate:
x509.certificate_managed:
- name: /etc/kubernetes/pki/etcd/peer.crt
- name: {{ certificates.server.files['etcd-peer'].path }}
- public_key: {{ private_key_path }}
- ca_server: {{ pillar['metalk8s']['ca']['minion'] }}
- signing_policy: {{ etcd.cert.peer_signing_policy }}
- CN: "{{ grains['fqdn'] }}"
- subjectAltName: "DNS:{{ grains['fqdn'] }}, DNS:localhost, IP:{{ grains['metalk8s']['control_plane_ip'] }}, IP:127.0.0.1"
- days_valid: {{
certificates.server.files['etcd-peer'].days_valid |
default(certificates.server.days_valid) }}
- days_remaining: {{
certificates.server.files['etcd-peer'].days_remaining |
default(certificates.server.days_remaining) }}
- user: root
- group: root
- mode: 644
9 changes: 8 additions & 1 deletion salt/metalk8s/kubernetes/etcd/certs/server.sls
@@ -1,3 +1,4 @@
{%- from "metalk8s/map.jinja" import certificates with context %}
{%- from "metalk8s/map.jinja" import etcd with context %}
{%- set private_key_path = "/etc/kubernetes/pki/etcd/server.key" %}
Expand All @@ -22,12 +23,18 @@ Create etcd server private key:
Generate etcd server certificate:
x509.certificate_managed:
- name: /etc/kubernetes/pki/etcd/server.crt
- name: {{ certificates.server.files.etcd.path }}
- public_key: {{ private_key_path }}
- ca_server: {{ pillar['metalk8s']['ca']['minion'] }}
- signing_policy: {{ etcd.cert.server_signing_policy }}
- CN: "{{ grains['fqdn'] }}"
- subjectAltName: "DNS:{{ grains['fqdn'] }}, DNS:localhost, IP:{{ grains['metalk8s']['control_plane_ip'] }}, IP:127.0.0.1"
- days_valid: {{
certificates.server.files.etcd.days_valid |
default(certificates.server.days_valid) }}
- days_remaining: {{
certificates.server.files.etcd.days_remaining |
default(certificates.server.days_remaining) }}
- user: root
- group: root
- mode: 644
7 changes: 5 additions & 2 deletions salt/metalk8s/kubernetes/etcd/files/manifest.yaml
Expand Up @@ -24,8 +24,11 @@ spec:
command:
- /bin/sh
- -ec
- ETCDCTL_API=3 etcdctl --endpoints=https://[127.0.0.1]:2379 --cacert=/etc/kubernetes/pki/etcd/ca.crt
--cert=/etc/kubernetes/pki/etcd/healthcheck-client.crt --key=/etc/kubernetes/pki/etcd/healthcheck-client.key
- ETCDCTL_API=3 etcdctl
--endpoints=https://[127.0.0.1]:2379
--cacert=/etc/kubernetes/pki/etcd/ca.crt
--cert={{ etcd_healthcheck_cert }}
--key=/etc/kubernetes/pki/etcd/healthcheck-client.key
get foo
failureThreshold: 8
initialDelaySeconds: 15
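Review bot: `--cert={{ etcd_healthcheck_cert }}` is now resolved from the certificates pillar, but the adjacent `--key=/etc/kubernetes/pki/etcd/healthcheck-client.key` and `--cacert=/etc/kubernetes/pki/etcd/ca.crt` stay hard-coded, so the certificate and its private key are now resolved in two different places (the key path is fixed by `private_key_path` in certs/healthcheck-client.sls); if the certificate `path` is ever overridden in pillar, the probe would presumably pair the moved certificate with the old key. installed.sls carries the same split, with peer.key and server.key hard-coded next to the templated peer and server certificate paths. Either pass the key path through the manifest context next to `etcd_healthcheck_cert`, or add a comment above the probe command such as `# key and CA paths are fixed in certs/*.sls; only the certificate path is pillar-driven` so the coupling is explicit. The probe command is also a multi-line plain scalar that YAML folds into one line; `>-` would state that intent rather than rely on the folding rule.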
12 changes: 7 additions & 5 deletions salt/metalk8s/kubernetes/etcd/installed.sls
@@ -1,3 +1,4 @@
{%- from "metalk8s/map.jinja" import certificates with context %}
{%- from "metalk8s/repo/macro.sls" import build_image_name with context %}
include:
Expand Down Expand Up @@ -50,17 +51,17 @@ Create local etcd Pod manifest:
- source: salt://{{ slspath }}/files/manifest.yaml
- config_files:
- /etc/kubernetes/pki/etcd/ca.crt
- /etc/kubernetes/pki/etcd/peer.crt
- {{ certificates.server.files['etcd-peer'].path }}
- /etc/kubernetes/pki/etcd/peer.key
- /etc/kubernetes/pki/etcd/server.crt
- {{ certificates.server.files.etcd.path }}
- /etc/kubernetes/pki/etcd/server.key
- context:
name: etcd
image_name: {{ build_image_name('etcd') }}
command:
- etcd
- --advertise-client-urls=https://{{ node_ip }}:2379
- --cert-file=/etc/kubernetes/pki/etcd/server.crt
- --cert-file={{ certificates.server.files.etcd.path }}
- --client-cert-auth=true
- --data-dir=/var/lib/etcd
- --initial-advertise-peer-urls=https://{{ node_ip }}:2380
Expand All @@ -71,7 +72,7 @@ Create local etcd Pod manifest:
- --listen-peer-urls=https://{{ node_ip }}:2380
- --listen-metrics-urls=http://127.0.0.1:2381,http://{{ node_ip }}:2381
- --name={{ node_name }}
- --peer-cert-file=/etc/kubernetes/pki/etcd/peer.crt
- --peer-cert-file={{ certificates.server.files['etcd-peer'].path }}
- --peer-client-cert-auth=true
- --peer-key-file=/etc/kubernetes/pki/etcd/peer.key
- --peer-trusted-ca-file=/etc/kubernetes/pki/etcd/ca.crt
Expand All @@ -83,6 +84,7 @@ Create local etcd Pod manifest:
- path: /etc/kubernetes/pki/etcd
name: etcd-certs
readOnly: true
etcd_healthcheck_cert: {{ certificates.client.files['etcd-healthcheck'].path }}
- require:
- file: Create etcd database directory
- file: Ensure etcd CA cert is present
Expand All @@ -105,7 +107,7 @@ Waiting for etcd running:
- verify_ssl: True
- ca_bundle: /etc/kubernetes/pki/etcd/ca.crt
- cert:
- /etc/kubernetes/pki/etcd/server.crt
- {{ certificates.server.files.etcd.path }}
- /etc/kubernetes/pki/etcd/server.key
- status: 200
- match: '{"health":"true"}'
