This repository has been archived by the owner on Sep 30, 2020. It is now read-only.

Dedicated worker CA and Etcd trusted CA bundle #885

Merged

Conversation

redbaron
Contributor

TLSBootstrap CA is now loaded from worker-ca.pem
Etcd trusted CA bundle is now loaded from etcd-trusted-ca.pem

Both files by default are symlinks to a well known ca.pem

This change enables advanced, more secure setup, where certificates
stored on worker nodes are trusted only by APIserver and NOT
Etcd server. This kind of setup is not yet supported by
"kube-aws render credentials" command out of the box, and
therefore currently requires users to be generating and
encrypting certs on their own to benefit from it.

Depends on #882

@k8s-ci-robot k8s-ci-robot added cncf-cla: yes Indicates the PR's author has signed the CNCF CLA. size/L Denotes a PR that changes 100-499 lines, ignoring generated files. labels Aug 28, 2017
…file available

 1. Certificates are not secrets, they can be kept unencrypted
 2. If only .enc file is provided and no unencrypted version is found
    then don't try to load fingerprint files. This change allows .enc files
    to be commited to Git and then used as-is
@codecov-io

Codecov Report

Merging #885 into master will increase coverage by 0.64%.
The diff coverage is 63.79%.


@@            Coverage Diff             @@
##           master     #885      +/-   ##
==========================================
+ Coverage   34.77%   35.41%   +0.64%     
==========================================
  Files          57       57              
  Lines        3919     3978      +59     
==========================================
+ Hits         1363     1409      +46     
- Misses       2396     2406      +10     
- Partials      160      163       +3
Impacted Files Coverage Δ
core/controlplane/config/credential.go 53.98% <37.93%> (+2.55%) ⬆️
core/controlplane/config/encrypted_assets.go 70.41% <72.41%> (+0.75%) ⬆️


@mumoshu
Contributor

mumoshu commented Aug 30, 2017

@redbaron Thanks for your efforts. I like the motivation behind this change 👍

/lgtm

@k8s-ci-robot k8s-ci-robot added the lgtm Indicates that a PR is ready to be merged. label Aug 30, 2017
@redbaron redbaron merged commit a4de36e into kubernetes-retired:master Aug 30, 2017
@redbaron redbaron deleted the separate-etcd-and-worker-ca branch August 30, 2017 09:46
name string
data []byte
overwrite bool
}{"ca-key.pem", r.CACert, true})
Contributor


r.CACert here should be r.CAKey

}
}

if err := os.Symlink(sl.from, to); err != nil {
Contributor

@mumoshu mumoshu Sep 1, 2017


to should be just sl.to while calling chdir before/after creating the symlink. Otherwise we get a mysterious error when trying to read it from somewhere other than the parent directory of credentials/:

# The file is there
$ ls assets/k8s88/credentials/worker-ca-key.pem
assets/k8s88/credentials/worker-ca-key.pem

# However, actually trying to read it results in a no-such-file error
$ cat assets/k8s88/credentials/worker-ca-key.pem
cat: assets/k8s88/credentials/worker-ca-key.pem: No such file or directory
$ ls -lah
total 136
drwxr-xr-x  20 mumoshu  staff   680B  9  1 15:29 .
drwxr-xr-x   7 mumoshu  staff   238B  9  1 15:29 ..
-rw-r--r--   1 mumoshu  staff     1B  9  1 15:29 .gitignore
-rw-------   1 mumoshu  staff   1.6K  9  1 15:29 admin-key.pem
-rw-------   1 mumoshu  staff   1.1K  9  1 15:29 admin.pem
-rw-------   1 mumoshu  staff   1.6K  9  1 15:29 apiserver-key.pem
-rw-------   1 mumoshu  staff   1.2K  9  1 15:29 apiserver.pem
-rw-------   1 mumoshu  staff   1.6K  9  1 15:29 ca-key.pem
-rw-------   1 mumoshu  staff   1.0K  9  1 15:29 ca.pem
-rw-------   1 mumoshu  staff   1.6K  9  1 15:29 etcd-client-key.pem
-rw-------   1 mumoshu  staff   1.1K  9  1 15:29 etcd-client.pem
-rw-------   1 mumoshu  staff   1.6K  9  1 15:29 etcd-key.pem
lrwxr-xr-x   1 mumoshu  staff    18B  9  1 15:29 etcd-trusted-ca.pem -> credentials/ca.pem
-rw-------   1 mumoshu  staff   1.1K  9  1 15:29 etcd.pem
-rw-------   1 mumoshu  staff   344B  9  1 15:29 kubelet-tls-bootstrap-token
-rw-------   1 mumoshu  staff     0B  9  1 15:29 tokens.csv
lrwxr-xr-x   1 mumoshu  staff    22B  9  1 15:29 worker-ca-key.pem -> credentials/ca-key.pem
lrwxr-xr-x   1 mumoshu  staff    18B  9  1 15:29 worker-ca.pem -> credentials/ca.pem
-rw-------   1 mumoshu  staff   1.6K  9  1 15:29 worker-key.pem
-rw-------   1 mumoshu  staff   1.1K  9  1 15:29 worker.pem

For example, etcd-trusted-ca.pem -> credentials/ca.pem should be etcd-trusted-ca.pem -> ca.pem

Contributor

@mumoshu mumoshu Sep 1, 2017


Here's my current work-around:

--- a/core/controlplane/config/encrypted_assets.go
+++ b/core/controlplane/config/encrypted_assets.go
@@ -509,8 +509,18 @@ func (r *RawAssetsOnMemory) WriteToDir(dirname string, includeCAKey bool) error
                {"ca-key.pem", "worker-ca-key.pem"},
        }

+       wd, err := os.Getwd()
+       if err != nil {
+               return err
+       }
+
+       if err := os.Chdir(dirname); err != nil {
+               return err
+       }
+
        for _, sl := range symlinks {
-               to := filepath.Join(dirname, sl.to)
+               from := sl.from
+               to := sl.to

                if _, err := os.Lstat(to); err == nil {
                        if err := os.Remove(to); err != nil {
@@ -518,10 +528,15 @@ func (r *RawAssetsOnMemory) WriteToDir(dirname string, includeCAKey bool) error
                        }
                }

-               if err := os.Symlink(sl.from, to); err != nil {
+               if err := os.Symlink(from, to); err != nil {
                        return err
                }
        }
+
+       if err := os.Chdir(wd); err != nil {
+               return err
+       }
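Review bot: the trailing `os.Chdir(wd)` only executes on the success path; an error from `os.Symlink(from, to)` a few lines above returns before it, so the caller's working directory is silently changed. Moving the restore into a `defer` right after the initial chdir covers both paths. Note also that `from` is exactly `sl.from`, so the `os.Symlink(from, to)` rewrite in this hunk is cosmetic; the behavioural change is the `to := sl.to` in the previous hunk.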

}{
{"ca.pem", "worker-ca.pem"},
{"ca.pem", "etcd-trusted-ca.pem"},
{"ca-key.pem", "worker-ca-key.pem"},
Contributor


worker-ca-key.pem becomes a symlink to a nonexistent file when ca-key.pem was not written because the user provided --ca-key-path while the TLS bootstrapping is disabled.
We should not create the worker-ca-key.pem symlink or try to read it afterwards when includeCAKey is false, the same as what we do for ca-key.pem in #877
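As an added example (not kube-aws code), a Go sketch of the approach from the two review comments above: the links are created with bare file names relative to the credentials directory, so no os.Chdir is needed and the link resolves from any cwd, the ca-key link is skipped when includeCAKey is false, and a follow-the-link os.Stat check catches a dangling link that `ls` alone would show as present. Function names and the scratch directory are assumptions.

```go
package main

import (
	"fmt"
	"os"
	"path/filepath"
)

// symlinkSpec mirrors the PR's {from, to} pairs, both relative to the credentials dir.
type symlinkSpec struct{ from, to string }

// credentialSymlinks skips the ca-key link when includeCAKey is false,
// so it never points at a key file that was not written.
func credentialSymlinks(includeCAKey bool) []symlinkSpec {
	links := []symlinkSpec{{"ca.pem", "worker-ca.pem"}, {"ca.pem", "etcd-trusted-ca.pem"}}
	if includeCAKey {
		links = append(links, symlinkSpec{"ca-key.pem", "worker-ca-key.pem"})
	}
	return links
}

// writeSymlinks creates the links inside dir without os.Chdir: a symlink target
// is resolved relative to the directory holding the link, so the bare file name
// ("ca.pem", not "credentials/ca.pem") is the correct target.
func writeSymlinks(dir string, includeCAKey bool) error {
	for _, sl := range credentialSymlinks(includeCAKey) {
		to := filepath.Join(dir, sl.to)
		_ = os.Remove(to) // drop a stale link; a not-exist error is harmless here
		if err := os.Symlink(sl.from, to); err != nil {
			return err
		}
	}
	return nil
}

// checkSymlink follows the link with os.Stat, which fails on a dangling link
// (os.Lstat, like `ls`, would still report the link itself as present).
func checkSymlink(path string) error {
	if _, err := os.Stat(path); err != nil {
		return fmt.Errorf("dangling or missing %s: %w", path, err)
	}
	return nil
}

func main() {
	dir, _ := os.MkdirTemp("", "credentials") // constructed scratch directory
	defer os.RemoveAll(dir)
	os.WriteFile(filepath.Join(dir, "ca.pem"), []byte("PLACEHOLDER\n"), 0o600) // not a real cert
	fmt.Println(writeSymlinks(dir, false), checkSymlink(filepath.Join(dir, "worker-ca.pem")))
}
```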

kylehodgetts pushed a commit to HotelsDotCom/kube-aws that referenced this pull request Mar 27, 2018
…etcd-and-worker-ca

Dedicated worker CA and Etcd trusted CA bundle
Labels
cncf-cla: yes Indicates the PR's author has signed the CNCF CLA. feature lgtm Indicates that a PR is ready to be merged. size/L Denotes a PR that changes 100-499 lines, ignoring generated files.