-
Notifications
You must be signed in to change notification settings - Fork 39.3k
Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
Merge pull request #57415 from stealthybox/feature/kubeadm_594-etcd_tls
Automatic merge from submit-queue (batch tested with PRs 59159, 60318, 60079, 59371, 57415). If you want to cherry-pick this change to another branch, please follow the instructions <a href="https://github.com/kubernetes/community/blob/master/contributors/devel/cherry-picks.md">here</a>. Feature/kubeadm 594 etcd TLS on init/upgrade **What this PR does / why we need it**: On `kubeadm init`/`kubeadm upgrade`, this PR generates certificates for securing local etcd: - etcd serving cert - etcd peer cert - apiserver etcd client cert Flags and hostMounts are added to the etcd and apiserver static-pods to load these certs. For connections to etcd, `https` is now used in favor of `http` and tests have been added/updated. Etcd only listens on localhost, so the serving cert SAN defaults to `DNS:localhost,IP:127.0.0.1`. The etcd peer cert has SANs for `<hostname>,<api-advertise-address>`, but is unused. New kubeadm config options, `Etcd.ServerCertSANs` and `Etcd.PeerCertSANs`, are used for user additions to the default certificate SANs for the etcd server and peer certs. This feature continues to utilize the existence of `MasterConfiguration.Etcd.Endpoints` as a feature gate for external-etcd. If the user passes flags to configure `Etcd.{CAFile,CertFile,KeyFile}` but they omit `Endpoints`, these flags will be unused, and a warning is printed. New phase commands: ``` kubeadm alpha phase certs etcd-server kubeadm alpha phase certs etcd-peer kubeadm alpha phase certs apiserver-etcd-client ``` **Which issue(s) this PR fixes** Fixes kubernetes/kubeadm#594 **Special notes for your reviewer**: #### on the master these should fail: ```bash curl localhost:2379/v2/keys # no output curl --cacert /etc/kubernetes/pki/ca.crt https://localhost:2379/v2/keys # handshake error ``` these should succeed: ``` cd /etc/kubernetes/pki curl --cacert ca.crt --cert apiserver-etcd-client.crt --key apiserver-etcd-client.key https://localhost:2379/v2/keys ``` **Release note**: ```release-note On cluster provision or upgrade, kubeadm now generates certs and secures all connections to the etcd static-pod with mTLS. ```
- Loading branch information
Showing
30 changed files
with
957 additions
and
184 deletions.
There are no files selected for viewing
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
4 changes: 4 additions & 0 deletions
4
cmd/kubeadm/app/apis/kubeadm/v1alpha1/zz_generated.conversion.go
Some generated files are not rendered by default. Learn more about how customized files appear on GitHub.
Oops, something went wrong.
10 changes: 10 additions & 0 deletions
10
cmd/kubeadm/app/apis/kubeadm/v1alpha1/zz_generated.deepcopy.go
Some generated files are not rendered by default. Learn more about how customized files appear on GitHub.
Oops, something went wrong.
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Some generated files are not rendered by default. Learn more about how customized files appear on GitHub.
Oops, something went wrong.
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Oops, something went wrong.