TLS Termination #3
Comments
Feedback from @Zempashi:
Feedback from @ballot-scality:
WIP at #26
I think we can consider this to be obsolete given the Metal 2 approach (Salt takes care of the certs of MetalK8s services, and we may deploy cert-manager in the future for workloads). |
(What's below is copied and slightly edited from an earlier e-mail thread)
In the Zenko requirements and delivery roadmap, there's some mention of TLS (among others for the Prometheus/Grafana dashboards).
In Kubernetes, TLS is often terminated by the ingress controller (in our deployments, likely Nginx). One can set annotations on an Ingress object to set up certificates, instruct the use of ACME/LetsEncrypt, ...
At the same time, there are solutions to manage certificates automatically, by declaring them as a resource, after which a controller will make sure keys are created and signed, certificates are deployed as namespace-local secrets, ... using ACME or some (potentially self-signed) CA.
I think it could be a cool plus for the demo, showing the versatility/flexibility and existing features added to K8s, to also show this off, e.g. using cert-manager (which can be deployed using Helm) and a self-signed CA, or ACME if we can get a floating IP and DNS set up somehow.
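The self-signed-CA variant sketched in the post, as an added example that is not from the issue or the MetalK8s project: a bootstrap Issuer, a CA Certificate, a CA-backed Issuer, and an Ingress whose annotation asks cert-manager for a leaf certificate that Nginx then terminates. It uses the current cert-manager.io/v1 API rather than the 0.2.x-era one the post would have used; the namespace, object names, hostname and ingress class are assumptions.

```yaml
# Added example, not from the MetalK8s issue or project. Uses the current
# cert-manager.io/v1 API; names, namespace, hostname and ingress class are assumptions.
# 1. Bootstrap issuer: signs its own certificate.
apiVersion: cert-manager.io/v1
kind: Issuer
metadata:
  name: selfsigned-bootstrap
  namespace: monitoring
spec:
  selfSigned: {}
---
# 2. The CA certificate; cert-manager stores key and cert in Secret "demo-ca-keypair".
apiVersion: cert-manager.io/v1
kind: Certificate
metadata:
  name: demo-ca
  namespace: monitoring
spec:
  isCA: true
  commonName: demo-ca
  secretName: demo-ca-keypair
  issuerRef:
    name: selfsigned-bootstrap
    kind: Issuer
---
# 3. CA issuer: signs leaf certificates with the key from that Secret.
apiVersion: cert-manager.io/v1
kind: Issuer
metadata:
  name: demo-ca-issuer
  namespace: monitoring
spec:
  ca:
    secretName: demo-ca-keypair
---
# 4. Ingress terminating TLS: the annotation makes cert-manager request a leaf
#    certificate for the .spec.tls hosts into grafana-tls, which Nginx then serves.
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: grafana
  namespace: monitoring
  annotations:
    cert-manager.io/issuer: demo-ca-issuer
spec:
  ingressClassName: nginx
  tls:
    - hosts: [grafana.example.internal]
      secretName: grafana-tls
  defaultBackend:
    service:
      name: grafana
      port:
        number: 3000
```

Clients must trust the CA in demo-ca-keypair's ca.crt, since nothing outside the cluster does; replacing the CA Issuer with an ACME Issuer is the LetsEncrypt variant the post mentions and needs the public DNS and floating IP it describes.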