salt: Generate custom kubeconfig for Salt Master

Instead of using the `/etc/kubernetes/admin.conf` file which points to a specific master's `kube-apiserver` instance, we generate another one dedicated to Salt Master, and configure it to point to the local `apiserver-proxy` (which can then route to other masters if the local one isn't available). In addition, this kubeconfig generates its own certificate, which could later map to another group (and thus, other (Cluster)Role(s) than the current "system:masters"). Note that we reduce the unneeded `/etc/kubernetes` mount to `/etc/kubernetes/pki` (for SA signing key and etcd encryption key) in both Salt Master and Salt API containers (SaltAPI didn't need it since 41ba749). Fixes: #2533
scality · Jun 16, 2020 · 9480828 · 9480828
1 parent 9b0e169
commit 9480828
Show file tree

Hide file tree

Showing 6 changed files with 31 additions and 11 deletions.
diff --git a/buildchain/buildchain/salt_tree.py b/buildchain/buildchain/salt_tree.py
@@ -486,6 +486,7 @@ def _get_parts(self) -> Iterator[str]:
     Path('salt/metalk8s/salt/master/files/salt-master-manifest.yaml.j2'),
     Path('salt/metalk8s/salt/master/init.sls'),
     Path('salt/metalk8s/salt/master/installed.sls'),
+    Path('salt/metalk8s/salt/master/kubeconfig.sls'),
     Path('salt/metalk8s/salt/master/certs/etcd-client.sls'),
     Path('salt/metalk8s/salt/master/certs/init.sls'),
     Path('salt/metalk8s/salt/master/certs/salt-api.sls'),

diff --git a/salt/metalk8s/orchestrate/bootstrap/init.sls b/salt/metalk8s/orchestrate/bootstrap/init.sls
@@ -107,10 +107,11 @@ Wait for API server to be available:
   - require:
     - salt: Bring bootstrap minion to highstate
 
-Generate etcd client certs for salt master:
+Generate client certs for Salt master:
   salt.state:
   - sls:
     - metalk8s.salt.master.certs
+    - metalk8s.salt.master.kubeconfig
   - tgt: {{ pillar.bootstrap_id }}
   - pillar: {{ pillar_data | tojson }}
   - saltenv: {{ saltenv }}

diff --git a/salt/metalk8s/salt/master/configured.sls b/salt/metalk8s/salt/master/configured.sls
@@ -13,7 +13,7 @@ Configure salt master:
     - template: jinja
     - defaults:
         salt_ip: "{{ salt_ip }}"
-        kubeconfig: "/etc/kubernetes/admin.conf"
+        kubeconfig: "/etc/salt/master-kubeconfig.conf"
 
 Configure salt master roots paths:
   file.serialize:

diff --git a/salt/metalk8s/salt/master/files/master-99-metalk8s.conf.j2 b/salt/metalk8s/salt/master/files/master-99-metalk8s.conf.j2
@@ -12,8 +12,8 @@ grains_cache: True
 ext_pillar_first: true
 ext_pillar:
   - metalk8s: /etc/metalk8s/bootstrap.yaml
-  - metalk8s_endpoints: /etc/kubernetes/admin.conf
-  - metalk8s_nodes: /etc/kubernetes/admin.conf
+  - metalk8s_endpoints: {{ kubeconfig }}
+  - metalk8s_nodes: {{ kubeconfig }}
   - metalk8s_private: {}
   - metalk8s_solutions: {}
   - metalk8s_etcd: {}
@@ -35,7 +35,7 @@ rest_cherrypy:
 
 external_auth:
   kubernetes_rbac:
-    ^kubeconfig: /etc/kubernetes/admin.conf
+    ^kubeconfig: {{ kubeconfig }}
     node-admins%:
       - '*':
         - '.*'

diff --git a/salt/metalk8s/salt/master/files/salt-master-manifest.yaml.j2 b/salt/metalk8s/salt/master/files/salt-master-manifest.yaml.j2
@@ -76,8 +76,8 @@ spec:
         - name: metalk8s-config
           mountPath: '/etc/metalk8s'
           readOnly: true
-        - name: kubernetes-config
-          mountPath: '/etc/kubernetes'
+        - name: kubernetes-pki
+          mountPath: '/etc/kubernetes/pki'
           readOnly: true
     - name: salt-api
       image: {{ image }}
@@ -105,8 +105,8 @@ spec:
           readOnly: true
         - name: run
           mountPath: '/var/run/salt'
-        - name: kubernetes-config
-          mountPath: '/etc/kubernetes'
+        - name: kubernetes-pki
+          mountPath: '/etc/kubernetes/pki'
           readOnly: true
   volumes:
     - name: config
@@ -141,7 +141,7 @@ spec:
       hostPath:
         path: '/etc/metalk8s'
         type: Directory
-    - name: kubernetes-config
+    - name: kubernetes-pki
       hostPath:
-        path: '/etc/kubernetes'
+        path: '/etc/kubernetes/pki'
         type: Directory
diff --git a/salt/metalk8s/salt/master/kubeconfig.sls b/salt/metalk8s/salt/master/kubeconfig.sls
@@ -0,0 +1,18 @@
+{%- from "metalk8s/map.jinja" import kube_api with context %}
+{%- from "metalk8s/map.jinja" import kubernetes with context %}
+
+include:
+  - metalk8s.internal.m2crypto
+
+Create kubeconfig file for Salt Master:
+  metalk8s_kubeconfig.managed:
+    - name: /etc/salt/master-kubeconfig.conf
+    - ca_server: {{ pillar['metalk8s']['ca']['minion'] }}
+    - signing_policy: {{ kube_api.cert.client_signing_policy }}
+    - client_cert_info:
+        CN: "salt-master-{{ grains.id }}"
+        O: "system:masters"
+    - apiserver: "https://127.0.0.1:7443"
+    - cluster: {{ kubernetes.cluster }}
+    - require:
+      - metalk8s_package_manager: Install m2crypto