From f5f1dbc5eb7c1cb7d27e1729396d77ae6e5ab663 Mon Sep 17 00:00:00 2001 
From: Cecile Robert-Michon Date: Thu, 21 Dec 2017 14:42:36 -0800 Subject: [PATCH] Only generate certs not provided by the user (#1958) * wip adding tls encryption to etcd communication * remove unwanted tab * fix etcd cert name * wip update args * rename etcd server cert * rename etcdServerPair * updated args * Use CSE to generate etcd certs * fix var replacement in apiserver.yaml * small fixes * WIP working for 1 master * add different certs per peer * fix peer cert and race condition * added certs for each peer and make peer certs arrays * peer array of certs and keys * remove duplicate line * only generate right number of peer certs * Use master_index to keep track of host * fix typo * Removing todo since CoreOS is broken * Prevent race condition in go routine * Make sure etcd certs generated before etcd restart * update etcd certs extended key usages * simplify array secret parameter encoding func * added etcdctl env variables * fix typo and wait for all go routines * typo fix * improve code readability * change client key access permissions * wip only generate certs not provided * add kubeconfig cert to verification * fix missing > 0 * fix logic with etcd certs * wip add tests * Simplified logic and added tests * wip only generate certs not provided * add kubeconfig cert to verification * fix missing > 0 * fix logic with etcd certs * wip add tests * Simplified logic and added tests * fix missed conflict --- pkg/acsengine/defaults.go | 109 ++++++++++-------- pkg/acsengine/defaults_test.go | 95 ++++++++++++--- pkg/acsengine/engine_test.go | 6 + .../disks-managed/kubernetes-vmas.json | 15 ++- .../disks-storageaccount/kubernetes.json | 13 ++- .../testdata/etcd-versions/kubernetes.json | 13 ++- .../testdata/extensions/kubernetes.json | 13 ++- .../testdata/key-vault-certs/kubernetes.json | 13 ++- .../testdata/key-vault-params/kubernetes.json | 13 ++- .../kubernetesversions/kubernetes1.7.9.json | 13 ++- .../kubernetesversions/kubernetes1.8.2.json | 13 ++- 
.../testdata/largeclusters/kubernetes.json | 13 ++- .../testdata/location/kubernetes.json | 13 ++- pkg/acsengine/testdata/simple/kubernetes.json | 13 ++- .../testdata/vnet/kubernetesvnet.json | 13 ++- .../testdata/windows/kubernetes-hybrid.json | 13 ++- .../testdata/windows/kubernetes.json | 13 ++- 17 files changed, 321 insertions(+), 73 deletions(-) diff --git a/pkg/acsengine/defaults.go b/pkg/acsengine/defaults.go index ab975bb839..16bcaf17b9 100644 --- a/pkg/acsengine/defaults.go +++ b/pkg/acsengine/defaults.go @@ -638,7 +638,14 @@ func setStorageDefaults(a *api.Properties) { } func setDefaultCerts(a *api.Properties) (bool, error) { - if !certGenerationRequired(a) { + + if a.MasterProfile == nil || a.OrchestratorProfile.OrchestratorType != api.Kubernetes { + return false, nil + } + + provided := certsAlreadyPresent(a.CertificateProfile, a.MasterProfile.Count) + + if areAllTrue(provided) { return false, nil } @@ -666,7 +673,7 @@ func setDefaultCerts(a *api.Properties) (bool, error) { // use the specified Certificate Authority pair, or generate a new pair var caPair *PkiKeyCertPair - if len(a.CertificateProfile.CaCertificate) != 0 && len(a.CertificateProfile.CaPrivateKey) != 0 { + if provided["ca"] { caPair = &PkiKeyCertPair{CertificatePem: a.CertificateProfile.CaCertificate, PrivateKeyPem: a.CertificateProfile.CaPrivateKey} } else { caCertificate, caPrivateKey, err := createCertificate("ca", nil, nil, false, false, nil, nil, nil) 
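Review bot: A CA supplied with only one half of the pair is silently discarded here, because `provided["ca"]` is true only when both `CaCertificate` and `CaPrivateKey` are non-empty, so a profile carrying just `caCertificate` falls into the `else` branch and a fresh CA is generated. The `|| !provided["ca"]` conditions in the next hunk then overwrite every leaf pair the user supplied, with no error or log line saying their key material was replaced. I would reject the half-supplied case up front, e.g. `if c := a.CertificateProfile; c != nil && (len(c.CaCertificate) > 0) != (len(c.CaPrivateKey) > 0) { return false, errors.New("caCertificate and caPrivateKey must be provided together") }`, or at least log it. The body of setDefaultCerts continues outside this hunk, so whether a later step already reports this cannot be seen from here.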
@@ -689,59 +696,71 @@ func setDefaultCerts(a *api.Properties) (bool, error) { return false, err } - a.CertificateProfile.APIServerCertificate = apiServerPair.CertificatePem - a.CertificateProfile.APIServerPrivateKey = apiServerPair.PrivateKeyPem - a.CertificateProfile.ClientCertificate = clientPair.CertificatePem - a.CertificateProfile.ClientPrivateKey = clientPair.PrivateKeyPem - a.CertificateProfile.KubeConfigCertificate = kubeConfigPair.CertificatePem - a.CertificateProfile.KubeConfigPrivateKey = kubeConfigPair.PrivateKeyPem - a.CertificateProfile.EtcdServerCertificate = etcdServerPair.CertificatePem - a.CertificateProfile.EtcdServerPrivateKey = etcdServerPair.PrivateKeyPem - a.CertificateProfile.EtcdClientCertificate = etcdClientPair.CertificatePem - a.CertificateProfile.EtcdClientPrivateKey = etcdClientPair.PrivateKeyPem - a.CertificateProfile.EtcdPeerCertificates = make([]string, a.MasterProfile.Count) - a.CertificateProfile.EtcdPeerPrivateKeys = make([]string, a.MasterProfile.Count) - for i, v := range etcdPeerPairs { - a.CertificateProfile.EtcdPeerCertificates[i] = v.CertificatePem - a.CertificateProfile.EtcdPeerPrivateKeys[i] = v.PrivateKeyPem + // If no Certificate Authority pair or no cert/key pair was provided, use generated cert/key pairs signed by provided Certificate Authority pair + if !provided["apiserver"] || !provided["ca"] { + a.CertificateProfile.APIServerCertificate = apiServerPair.CertificatePem + a.CertificateProfile.APIServerPrivateKey = apiServerPair.PrivateKeyPem } - return true, nil -} - -func certGenerationRequired(a *api.Properties) bool { - if certAlreadyPresent(a.CertificateProfile) { - return false + if !provided["client"] || !provided["ca"] { + a.CertificateProfile.ClientCertificate = clientPair.CertificatePem + a.CertificateProfile.ClientPrivateKey = clientPair.PrivateKeyPem } - if a.MasterProfile == nil { - return false + if !provided["kubeconfig"] || !provided["ca"] { + a.CertificateProfile.KubeConfigCertificate = 
kubeConfigPair.CertificatePem + a.CertificateProfile.KubeConfigPrivateKey = kubeConfigPair.PrivateKeyPem + } + if !provided["etcd"] || !provided["ca"] { + a.CertificateProfile.EtcdServerCertificate = etcdServerPair.CertificatePem + a.CertificateProfile.EtcdServerPrivateKey = etcdServerPair.PrivateKeyPem + a.CertificateProfile.EtcdClientCertificate = etcdClientPair.CertificatePem + a.CertificateProfile.EtcdClientPrivateKey = etcdClientPair.PrivateKeyPem + a.CertificateProfile.EtcdPeerCertificates = make([]string, a.MasterProfile.Count) + a.CertificateProfile.EtcdPeerPrivateKeys = make([]string, a.MasterProfile.Count) + for i, v := range etcdPeerPairs { + a.CertificateProfile.EtcdPeerCertificates[i] = v.CertificatePem + a.CertificateProfile.EtcdPeerPrivateKeys[i] = v.PrivateKeyPem + } } - switch a.OrchestratorProfile.OrchestratorType { - case api.Kubernetes: - return true - default: - return false + return true, nil +} + +func areAllTrue(m map[string]bool) bool { + for _, v := range m { + if !v { + return false + } } + return true } -// certAlreadyPresent determines if the passed in CertificateProfile includes certificate data -// TODO actually verify valid/useable certificate data -func certAlreadyPresent(c *api.CertificateProfile) bool { +// certsAlreadyPresent already present returns a map where each key is a type of cert and each value is true if that cert/key pair is user-provided +func certsAlreadyPresent(c *api.CertificateProfile, m int) map[string]bool { + g := map[string]bool{ + "ca": false, + "apiserver": false, + "kubeconfig": false, + "client": false, + "etcd": false, + } if c != nil { - switch { - case len(c.APIServerCertificate) > 0: - return true - case len(c.APIServerPrivateKey) > 0: - return true - case len(c.ClientCertificate) > 0: - return true - case len(c.ClientPrivateKey) > 0: - return true - default: - return false + etcdPeer := true + if len(c.EtcdPeerCertificates) != m || len(c.EtcdPeerPrivateKeys) != m { + etcdPeer = false + } else { + for 
i, p := range c.EtcdPeerCertificates { + if !(len(p) > 0) || !(len(c.EtcdPeerPrivateKeys[i]) > 0) { + etcdPeer = false + } + } } + g["ca"] = len(c.CaCertificate) > 0 && len(c.CaPrivateKey) > 0 + g["apiserver"] = len(c.APIServerCertificate) > 0 && len(c.APIServerPrivateKey) > 0 + g["kubeconfig"] = len(c.KubeConfigCertificate) > 0 && len(c.KubeConfigPrivateKey) > 0 + g["client"] = len(c.ClientCertificate) > 0 && len(c.ClientPrivateKey) > 0 + g["etcd"] = etcdPeer && len(c.EtcdClientCertificate) > 0 && len(c.EtcdClientPrivateKey) > 0 && len(c.EtcdServerCertificate) > 0 && len(c.EtcdServerPrivateKey) > 0 } - return false + return g } // getFirstConsecutiveStaticIPAddress returns the first static IP address of the given subnet. diff --git a/pkg/acsengine/defaults_test.go b/pkg/acsengine/defaults_test.go index 29131e37b7..07f09b1ac9 100644 --- a/pkg/acsengine/defaults_test.go +++ b/pkg/acsengine/defaults_test.go 
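Review bot: Presence is still decided by `len(...) > 0` alone in certsAlreadyPresent, yet the `// TODO actually verify valid/useable certificate data` marker is deleted together with the old function. That gap matters more after this change, because setDefaultCerts now keeps user-supplied pairs alongside freshly generated ones: nothing checks that a kept certificate parses, matches its private key, or chains to the CA in use, so a mismatch would presumably only surface as TLS failures between cluster components after deployment. I would keep the marker, e.g. `// TODO: verify provided pairs parse, match their keys and are signed by the CA`, and note that values given as Key Vault secret references (as in testdata/key-vault-params) cannot be checked locally. The doc comment also stutters; `// certsAlreadyPresent returns a map where each key is a type of cert and each value is true if that cert/key pair is user-provided` reads correctly. setDefaultCerts begins before this hunk.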
@@ -1,40 +1,109 @@ package acsengine import ( + "reflect" "testing" "github.com/Azure/acs-engine/pkg/api" - . "github.com/onsi/gomega" ) -func TestCertAlreadyPresent(t *testing.T) { - RegisterTestingT(t) +func TestCertsAlreadyPresent(t *testing.T) { var cert *api.CertificateProfile - Expect(certAlreadyPresent(nil)).To(BeFalse()) + result := certsAlreadyPresent(nil, 1) + expected := map[string]bool{ + "ca": false, + "apiserver": false, + "client": false, + "kubeconfig": false, + "etcd": false, + } + if !reflect.DeepEqual(result, expected) { + t.Fatalf("certsAlreadyPresent() did not return false for all certs for a non-existent CertificateProfile") + } cert = &api.CertificateProfile{} - Expect(certAlreadyPresent(cert)).To(BeFalse()) + result = certsAlreadyPresent(cert, 1) + expected = map[string]bool{ + "ca": false, + "apiserver": false, + "client": false, + "kubeconfig": false, + "etcd": false, + } + if !reflect.DeepEqual(result, expected) { + t.Fatalf("certsAlreadyPresent() did not return false for all certs for empty CertificateProfile") + } cert = &api.CertificateProfile{ APIServerCertificate: "a", } - Expect(certAlreadyPresent(cert)).To(BeTrue()) + result = certsAlreadyPresent(cert, 1) + expected = map[string]bool{ + "ca": false, + "apiserver": false, + "client": false, + "kubeconfig": false, + "etcd": false, + } - cert = &api.CertificateProfile{ - APIServerPrivateKey: "b", + if !reflect.DeepEqual(result, expected) { + t.Fatalf("certsAlreadyPresent() did not return false for all certs for 1 cert in CertificateProfile") } - Expect(certAlreadyPresent(cert)).To(BeTrue()) cert = &api.CertificateProfile{ - ClientCertificate: "c", + APIServerCertificate: "a", + CaCertificate: "c", + CaPrivateKey: "d", + ClientCertificate: "e", + ClientPrivateKey: "f", + KubeConfigCertificate: "g", + KubeConfigPrivateKey: "h", + EtcdClientCertificate: "i", + EtcdClientPrivateKey: "j", + EtcdServerCertificate: "k", + EtcdServerPrivateKey: "l", + } + result = certsAlreadyPresent(cert, 3) 
+ expected = map[string]bool{ + "ca": true, + "apiserver": false, + "client": true, + "kubeconfig": true, + "etcd": false, } - Expect(certAlreadyPresent(cert)).To(BeTrue()) + if !reflect.DeepEqual(result, expected) { + t.Fatalf("certsAlreadyPresent() did not return expected result for some certs in CertificateProfile") + } cert = &api.CertificateProfile{ - ClientPrivateKey: "d", + APIServerCertificate: "a", + APIServerPrivateKey: "b", + CaCertificate: "c", + CaPrivateKey: "d", + ClientCertificate: "e", + ClientPrivateKey: "f", + KubeConfigCertificate: "g", + KubeConfigPrivateKey: "h", + EtcdClientCertificate: "i", + EtcdClientPrivateKey: "j", + EtcdServerCertificate: "k", + EtcdServerPrivateKey: "l", + EtcdPeerCertificates: []string{"0", "1", "2"}, + EtcdPeerPrivateKeys: []string{"0", "1", "2"}, + } + result = certsAlreadyPresent(cert, 3) + expected = map[string]bool{ + "ca": true, + "apiserver": true, + "client": true, + "kubeconfig": true, + "etcd": true, + } + + if !reflect.DeepEqual(result, expected) { + t.Fatalf("certsAlreadyPresent() did not return expected result for all certs in CertificateProfile") } - Expect(certAlreadyPresent(cert)).To(BeTrue()) } func TestSetMissingKubeletValues(t *testing.T) { diff --git a/pkg/acsengine/engine_test.go b/pkg/acsengine/engine_test.go index fd5e92c6cf..d3d68e17d5 100644 --- a/pkg/acsengine/engine_test.go +++ b/pkg/acsengine/engine_test.go 
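Review bot: No case feeds certsAlreadyPresent populated peer slices that ought to be rejected: `etcd` is false in the "some certs" case only because both slices are nil, and the only populated slices are the fully valid ones in the last case. A case such as `EtcdPeerCertificates: []string{"0", "", "2"}` with three keys and a count of 3, and one with two entries for three masters, would pin the empty-entry loop and the length comparison to `"etcd": false`. The five near-identical blocks would also read more easily as a table-driven test with a single `reflect.DeepEqual` check inside the loop.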
@@ -211,6 +211,12 @@ func addTestCertificateProfile(api *api.CertificateProfile) { api.ClientPrivateKey = "clientPrivateKey" api.KubeConfigCertificate = "kubeConfigCertificate" api.KubeConfigPrivateKey = "kubeConfigPrivateKey" + api.EtcdClientCertificate = "etcdClientCertificate" + api.EtcdClientPrivateKey = "etcdClientPrivateKey" + api.EtcdServerCertificate = "etcdServerCertificate" + api.EtcdServerPrivateKey = "etcdServerPrivateKey" + api.EtcdPeerCertificates = []string{"etcdPeerCertificate0"} + api.EtcdPeerPrivateKeys = []string{"etcdPeerPrivateKey0"} } func TestGetStorageAccountType(t *testing.T) { diff --git a/pkg/acsengine/testdata/disks-managed/kubernetes-vmas.json b/pkg/acsengine/testdata/disks-managed/kubernetes-vmas.json index 6e8ec25cfe..4727a8cada 100644 --- a/pkg/acsengine/testdata/disks-managed/kubernetes-vmas.json +++ b/pkg/acsengine/testdata/disks-managed/kubernetes-vmas.json @@ -57,12 +57,23 @@ }, "certificateProfile": { "caCertificate": "caCertificate", + "caPrivateKey": "caPrivateKey", "apiServerCertificate": "apiServerCertificate", "apiServerPrivateKey": "apiServerPrivateKey", "clientCertificate": "clientCertificate", "clientPrivateKey": "clientPrivateKey", "kubeConfigCertificate": "kubeConfigCertificate", - "kubeConfigPrivateKey": "kubeConfigPrivateKey" + "kubeConfigPrivateKey": "kubeConfigPrivateKey", + "etcdClientCertificate": "etcdClientCertificate", + "etcdClientPrivateKey": "etcdClientPrivateKey", + "etcdServerCertificate": "etcdServerCertificate", + "etcdServerPrivateKey": "etcdServerPrivateKey", + "etcdPeerCertificates": [ + "etcdPeerCertificate0" + ], + "etcdPeerPrivateKeys": [ + "etcdPeerPrivateKey0" + ] } } -} +} \ No newline at end of file diff --git a/pkg/acsengine/testdata/disks-storageaccount/kubernetes.json b/pkg/acsengine/testdata/disks-storageaccount/kubernetes.json index dd383ed959..09b6c3bc69 100644 --- a/pkg/acsengine/testdata/disks-storageaccount/kubernetes.json 
+++ b/pkg/acsengine/testdata/disks-storageaccount/kubernetes.json @@ -43,12 +43,23 @@ }, "certificateProfile": { "caCertificate": "caCertificate", + "caPrivateKey": "caPrivateKey", "apiServerCertificate": "apiServerCertificate", "apiServerPrivateKey": "apiServerPrivateKey", "clientCertificate": "clientCertificate", "clientPrivateKey": "clientPrivateKey", "kubeConfigCertificate": "kubeConfigCertificate", - "kubeConfigPrivateKey": "kubeConfigPrivateKey" + "kubeConfigPrivateKey": "kubeConfigPrivateKey", + "etcdClientCertificate": "etcdClientCertificate", + "etcdClientPrivateKey": "etcdClientPrivateKey", + "etcdServerCertificate": "etcdServerCertificate", + "etcdServerPrivateKey": "etcdServerPrivateKey", + "etcdPeerCertificates": [ + "etcdPeerCertificate0" + ], + "etcdPeerPrivateKeys": [ + "etcdPeerPrivateKey0" + ] } } } \ No newline at end of file diff --git a/pkg/acsengine/testdata/etcd-versions/kubernetes.json b/pkg/acsengine/testdata/etcd-versions/kubernetes.json index bd04394ce2..08572ce531 100644 --- a/pkg/acsengine/testdata/etcd-versions/kubernetes.json +++ b/pkg/acsengine/testdata/etcd-versions/kubernetes.json @@ -42,12 +42,23 @@ }, "certificateProfile": { "caCertificate": "caCertificate", + "caPrivateKey": "caPrivateKey", "apiServerCertificate": "apiServerCertificate", "apiServerPrivateKey": "apiServerPrivateKey", "clientCertificate": "clientCertificate", "clientPrivateKey": "clientPrivateKey", "kubeConfigCertificate": "kubeConfigCertificate", - "kubeConfigPrivateKey": "kubeConfigPrivateKey" + "kubeConfigPrivateKey": "kubeConfigPrivateKey", + "etcdClientCertificate": "etcdClientCertificate", + "etcdClientPrivateKey": "etcdClientPrivateKey", + "etcdServerCertificate": "etcdServerCertificate", + "etcdServerPrivateKey": "etcdServerPrivateKey", + "etcdPeerCertificates": [ + "etcdPeerCertificate0" + ], + "etcdPeerPrivateKeys": [ + "etcdPeerPrivateKey0" + ] } } } 
diff --git a/pkg/acsengine/testdata/extensions/kubernetes.json b/pkg/acsengine/testdata/extensions/kubernetes.json index d81e7256d0..b8263a0759 100644 --- a/pkg/acsengine/testdata/extensions/kubernetes.json +++ b/pkg/acsengine/testdata/extensions/kubernetes.json @@ -58,12 +58,23 @@ }, "certificateProfile": { "caCertificate": "caCertificate", + "caPrivateKey": "caPrivateKey", "apiServerCertificate": "apiServerCertificate", "apiServerPrivateKey": "apiServerPrivateKey", "clientCertificate": "clientCertificate", "clientPrivateKey": "clientPrivateKey", "kubeConfigCertificate": "kubeConfigCertificate", - "kubeConfigPrivateKey": "kubeConfigPrivateKey" + "kubeConfigPrivateKey": "kubeConfigPrivateKey", + "etcdClientCertificate": "etcdClientCertificate", + "etcdClientPrivateKey": "etcdClientPrivateKey", + "etcdServerCertificate": "etcdServerCertificate", + "etcdServerPrivateKey": "etcdServerPrivateKey", + "etcdPeerCertificates": [ + "etcdPeerCertificate0" + ], + "etcdPeerPrivateKeys": [ + "etcdPeerPrivateKey0" + ] } } } \ No newline at end of file diff --git a/pkg/acsengine/testdata/key-vault-certs/kubernetes.json b/pkg/acsengine/testdata/key-vault-certs/kubernetes.json index 4ca40595bd..f0a16075f3 100644 --- a/pkg/acsengine/testdata/key-vault-certs/kubernetes.json +++ b/pkg/acsengine/testdata/key-vault-certs/kubernetes.json 
@@ -51,12 +51,23 @@ }, "certificateProfile": { "caCertificate": "caCertificate", + "caPrivateKey": "caPrivateKey", "apiServerCertificate": "apiServerCertificate", "apiServerPrivateKey": "apiServerPrivateKey", "clientCertificate": "clientCertificate", "clientPrivateKey": "clientPrivateKey", "kubeConfigCertificate": "kubeConfigCertificate", - "kubeConfigPrivateKey": "kubeConfigPrivateKey" + "kubeConfigPrivateKey": "kubeConfigPrivateKey", + "etcdClientCertificate": "etcdClientCertificate", + "etcdClientPrivateKey": "etcdClientPrivateKey", + "etcdServerCertificate": "etcdServerCertificate", + "etcdServerPrivateKey": "etcdServerPrivateKey", + "etcdPeerCertificates": [ + "etcdPeerCertificate0" + ], + "etcdPeerPrivateKeys": [ + "etcdPeerPrivateKey0" + ] } } } \ No newline at end of file diff --git a/pkg/acsengine/testdata/key-vault-params/kubernetes.json b/pkg/acsengine/testdata/key-vault-params/kubernetes.json index c78c455643..a5db65a7fa 100644 --- a/pkg/acsengine/testdata/key-vault-params/kubernetes.json +++ b/pkg/acsengine/testdata/key-vault-params/kubernetes.json @@ -47,12 +47,23 @@ }, "certificateProfile": { "caCertificate": "caCertificate", + "caPrivateKey": "caPrivateKey", "apiServerCertificate": "/subscriptions/my-sub/resourceGroups/my-rg/providers/Microsoft.KeyVault/vaults/my-kv/secrets/my-secret1/ver1", "apiServerPrivateKey": "apiServerPrivateKey", "clientCertificate": "clientCertificate", "clientPrivateKey": "clientPrivateKey", "kubeConfigCertificate": "kubeConfigCertificate", - "kubeConfigPrivateKey": "kubeConfigPrivateKey" + "kubeConfigPrivateKey": "kubeConfigPrivateKey", + "etcdClientCertificate": "etcdClientCertificate", + "etcdClientPrivateKey": "etcdClientPrivateKey", + "etcdServerCertificate": "etcdServerCertificate", + "etcdServerPrivateKey": "etcdServerPrivateKey", + "etcdPeerCertificates": [ + "etcdPeerCertificate0" + ], + "etcdPeerPrivateKeys": [ + "etcdPeerPrivateKey0" + ] } } } \ No newline at end of file 
diff --git a/pkg/acsengine/testdata/kubernetesversions/kubernetes1.7.9.json b/pkg/acsengine/testdata/kubernetesversions/kubernetes1.7.9.json index 8fdf9db1bd..f8b10309a5 100644 --- a/pkg/acsengine/testdata/kubernetesversions/kubernetes1.7.9.json +++ b/pkg/acsengine/testdata/kubernetesversions/kubernetes1.7.9.json @@ -39,12 +39,23 @@ }, "certificateProfile": { "caCertificate": "caCertificate", + "caPrivateKey": "caPrivateKey", "apiServerCertificate": "apiServerCertificate", "apiServerPrivateKey": "apiServerPrivateKey", "clientCertificate": "clientCertificate", "clientPrivateKey": "clientPrivateKey", "kubeConfigCertificate": "kubeConfigCertificate", - "kubeConfigPrivateKey": "kubeConfigPrivateKey" + "kubeConfigPrivateKey": "kubeConfigPrivateKey", + "etcdClientCertificate": "etcdClientCertificate", + "etcdClientPrivateKey": "etcdClientPrivateKey", + "etcdServerCertificate": "etcdServerCertificate", + "etcdServerPrivateKey": "etcdServerPrivateKey", + "etcdPeerCertificates": [ + "etcdPeerCertificate0" + ], + "etcdPeerPrivateKeys": [ + "etcdPeerPrivateKey0" + ] } } } \ No newline at end of file diff --git a/pkg/acsengine/testdata/kubernetesversions/kubernetes1.8.2.json b/pkg/acsengine/testdata/kubernetesversions/kubernetes1.8.2.json index 818bfe8b30..cdc6fad540 100644 --- a/pkg/acsengine/testdata/kubernetesversions/kubernetes1.8.2.json +++ b/pkg/acsengine/testdata/kubernetesversions/kubernetes1.8.2.json 
@@ -39,12 +39,23 @@ }, "certificateProfile": { "caCertificate": "caCertificate", + "caPrivateKey": "caPrivateKey", "apiServerCertificate": "apiServerCertificate", "apiServerPrivateKey": "apiServerPrivateKey", "clientCertificate": "clientCertificate", "clientPrivateKey": "clientPrivateKey", "kubeConfigCertificate": "kubeConfigCertificate", - "kubeConfigPrivateKey": "kubeConfigPrivateKey" + "kubeConfigPrivateKey": "kubeConfigPrivateKey", + "etcdClientCertificate": "etcdClientCertificate", + "etcdClientPrivateKey": "etcdClientPrivateKey", + "etcdServerCertificate": "etcdServerCertificate", + "etcdServerPrivateKey": "etcdServerPrivateKey", + "etcdPeerCertificates": [ + "etcdPeerCertificate0" + ], + "etcdPeerPrivateKeys": [ + "etcdPeerPrivateKey0" + ] } } } \ No newline at end of file diff --git a/pkg/acsengine/testdata/largeclusters/kubernetes.json b/pkg/acsengine/testdata/largeclusters/kubernetes.json index ea54df0117..236559c152 100644 --- a/pkg/acsengine/testdata/largeclusters/kubernetes.json +++ b/pkg/acsengine/testdata/largeclusters/kubernetes.json @@ -99,12 +99,23 @@ }, "certificateProfile": { "caCertificate": "caCertificate", + "caPrivateKey": "caPrivateKey", "apiServerCertificate": "apiServerCertificate", "apiServerPrivateKey": "apiServerPrivateKey", "clientCertificate": "clientCertificate", "clientPrivateKey": "clientPrivateKey", "kubeConfigCertificate": "kubeConfigCertificate", - "kubeConfigPrivateKey": "kubeConfigPrivateKey" + "kubeConfigPrivateKey": "kubeConfigPrivateKey", + "etcdClientCertificate": "etcdClientCertificate", + "etcdClientPrivateKey": "etcdClientPrivateKey", + "etcdServerCertificate": "etcdServerCertificate", + "etcdServerPrivateKey": "etcdServerPrivateKey", + "etcdPeerCertificates": [ + "etcdPeerCertificate0" + ], + "etcdPeerPrivateKeys": [ + "etcdPeerPrivateKey0" + ] } } } \ No newline at end of file 
diff --git a/pkg/acsengine/testdata/location/kubernetes.json b/pkg/acsengine/testdata/location/kubernetes.json index 76eeb08d0c..afa6190496 100644 --- a/pkg/acsengine/testdata/location/kubernetes.json +++ b/pkg/acsengine/testdata/location/kubernetes.json @@ -40,12 +40,23 @@ }, "certificateProfile": { "caCertificate": "caCertificate", + "caPrivateKey": "caPrivateKey", "apiServerCertificate": "apiServerCertificate", "apiServerPrivateKey": "apiServerPrivateKey", "clientCertificate": "clientCertificate", "clientPrivateKey": "clientPrivateKey", "kubeConfigCertificate": "kubeConfigCertificate", - "kubeConfigPrivateKey": "kubeConfigPrivateKey" + "kubeConfigPrivateKey": "kubeConfigPrivateKey", + "etcdClientCertificate": "etcdClientCertificate", + "etcdClientPrivateKey": "etcdClientPrivateKey", + "etcdServerCertificate": "etcdServerCertificate", + "etcdServerPrivateKey": "etcdServerPrivateKey", + "etcdPeerCertificates": [ + "etcdPeerCertificate0" + ], + "etcdPeerPrivateKeys": [ + "etcdPeerPrivateKey0" + ] } } } \ No newline at end of file diff --git a/pkg/acsengine/testdata/simple/kubernetes.json b/pkg/acsengine/testdata/simple/kubernetes.json index 5c6365fd5c..141ef98f3f 100644 --- a/pkg/acsengine/testdata/simple/kubernetes.json +++ b/pkg/acsengine/testdata/simple/kubernetes.json 
@@ -39,12 +39,23 @@ }, "certificateProfile": { "caCertificate": "caCertificate", + "caPrivateKey": "caPrivateKey", "apiServerCertificate": "apiServerCertificate", "apiServerPrivateKey": "apiServerPrivateKey", "clientCertificate": "clientCertificate", "clientPrivateKey": "clientPrivateKey", "kubeConfigCertificate": "kubeConfigCertificate", - "kubeConfigPrivateKey": "kubeConfigPrivateKey" + "kubeConfigPrivateKey": "kubeConfigPrivateKey", + "etcdClientCertificate": "etcdClientCertificate", + "etcdClientPrivateKey": "etcdClientPrivateKey", + "etcdServerCertificate": "etcdServerCertificate", + "etcdServerPrivateKey": "etcdServerPrivateKey", + "etcdPeerCertificates": [ + "etcdPeerCertificate0" + ], + "etcdPeerPrivateKeys": [ + "etcdPeerPrivateKey0" + ] } } } \ No newline at end of file diff --git a/pkg/acsengine/testdata/vnet/kubernetesvnet.json b/pkg/acsengine/testdata/vnet/kubernetesvnet.json index e898959ec4..8e690d356d 100644 --- a/pkg/acsengine/testdata/vnet/kubernetesvnet.json +++ b/pkg/acsengine/testdata/vnet/kubernetesvnet.json @@ -49,12 +49,23 @@ }, "certificateProfile": { "caCertificate": "caCertificate", + "caPrivateKey": "caPrivateKey", "apiServerCertificate": "apiServerCertificate", "apiServerPrivateKey": "apiServerPrivateKey", "clientCertificate": "clientCertificate", "clientPrivateKey": "clientPrivateKey", "kubeConfigCertificate": "kubeConfigCertificate", - "kubeConfigPrivateKey": "kubeConfigPrivateKey" + "kubeConfigPrivateKey": "kubeConfigPrivateKey", + "etcdClientCertificate": "etcdClientCertificate", + "etcdClientPrivateKey": "etcdClientPrivateKey", + "etcdServerCertificate": "etcdServerCertificate", + "etcdServerPrivateKey": "etcdServerPrivateKey", + "etcdPeerCertificates": [ + "etcdPeerCertificate0" + ], + "etcdPeerPrivateKeys": [ + "etcdPeerPrivateKey0" + ] } } } diff --git a/pkg/acsengine/testdata/windows/kubernetes-hybrid.json b/pkg/acsengine/testdata/windows/kubernetes-hybrid.json index 7970d07358..5fb4aa91f1 100644 
--- a/pkg/acsengine/testdata/windows/kubernetes-hybrid.json +++ b/pkg/acsengine/testdata/windows/kubernetes-hybrid.json @@ -44,12 +44,23 @@ }, "certificateProfile": { "caCertificate": "caCertificate", + "caPrivateKey": "caPrivateKey", "apiServerCertificate": "apiServerCertificate", "apiServerPrivateKey": "apiServerPrivateKey", "clientCertificate": "clientCertificate", "clientPrivateKey": "clientPrivateKey", "kubeConfigCertificate": "kubeConfigCertificate", - "kubeConfigPrivateKey": "kubeConfigPrivateKey" + "kubeConfigPrivateKey": "kubeConfigPrivateKey", + "etcdClientCertificate": "etcdClientCertificate", + "etcdClientPrivateKey": "etcdClientPrivateKey", + "etcdServerCertificate": "etcdServerCertificate", + "etcdServerPrivateKey": "etcdServerPrivateKey", + "etcdPeerCertificates": [ + "etcdPeerCertificate0" + ], + "etcdPeerPrivateKeys": [ + "etcdPeerPrivateKey0" + ] } } } \ No newline at end of file diff --git a/pkg/acsengine/testdata/windows/kubernetes.json b/pkg/acsengine/testdata/windows/kubernetes.json index 01da1803f6..c6c7aaa7ff 100644 --- a/pkg/acsengine/testdata/windows/kubernetes.json +++ b/pkg/acsengine/testdata/windows/kubernetes.json @@ -38,12 +38,23 @@ }, "certificateProfile": { "caCertificate": "caCertificate", + "caPrivateKey": "caPrivateKey", "apiServerCertificate": "apiServerCertificate", "apiServerPrivateKey": "apiServerPrivateKey", "clientCertificate": "clientCertificate", "clientPrivateKey": "clientPrivateKey", "kubeConfigCertificate": "kubeConfigCertificate", - "kubeConfigPrivateKey": "kubeConfigPrivateKey" + "kubeConfigPrivateKey": "kubeConfigPrivateKey", + "etcdClientCertificate": "etcdClientCertificate", + "etcdClientPrivateKey": "etcdClientPrivateKey", + "etcdServerCertificate": "etcdServerCertificate", + "etcdServerPrivateKey": "etcdServerPrivateKey", + "etcdPeerCertificates": [ + "etcdPeerCertificate0" + ], + "etcdPeerPrivateKeys": [ + "etcdPeerPrivateKey0" + ] } } } \ No newline at end of file