SSL certificates for etcd cluster. #35516
Conversation
Jenkins Kubemark GCE e2e failed for commit 28571bf. Full PR test history. The magic incantation to run this job again is
Jenkins GCI GCE e2e failed for commit 28571bf. Full PR test history. The magic incantation to run this job again is
Jenkins GCE e2e failed for commit 28571bf. Full PR test history. The magic incantation to run this job again is
Jenkins GCE etcd3 e2e failed for commit 28571bf. Full PR test history. The magic incantation to run this job again is
"usages": [ | ||
"signing", | ||
"key encipherment", | ||
"server auth", |
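Review bot: the CA CSR lists "server auth" (and "key encipherment") among its usages, which a CA certificate does not need; a CA should carry only certificate-signing usages so that the CA key can never double as a TLS server identity. Drop "server auth" from the CA profile and keep it in the peer certificate's profile, then confirm with `openssl x509 -in ca.pem -noout -text` that the CA shows only Certificate Sign/CRL Sign and no Extended Key Usage.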
I don't think you should ever add client or server auth to a CA cert.
done (removed)
./cfssl print-defaults csr > ca-csr.json | ||
./cfssl gencert -initca ca-csr.json | ./cfssljson -bare ca - | ||
|
||
if [[ ! -z "${ca_key}" && ! -z "${ca_cert}" ]]; then |
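Review bot: the guard `if [[ ! -z "${ca_key}" && ! -z "${ca_cert}" ]]` comes after `./cfssl gencert -initca ca-csr.json | ./cfssljson -bare ca -` has already run, so when the caller supplies a CA a second CA key pair is generated and then discarded, and `cfssljson -bare ca` has already written ca.pem and ca-key.pem to the working directory. Move the check above the generation so a caller-supplied CA is used as-is and no unneeded CA key is ever created. Also, `./cfssl print-defaults csr` emits a placeholder CSR, so the CA's CN should be set explicitly rather than taken from the default subject.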
what about wrapping the if around the whole first block, so that we don't generate the ca if it isn't needed?
done
@@ -375,6 +375,13 @@ current-context: service-account-context | |||
EOF | |||
} | |||
|
|||
function create-master-etcd-auth { | |||
local -r auth_dir="/etc/srv/kubernetes" | |||
echo "${ETCD_CA_CERT}" | base64 --decode > "${auth_dir}/etcd-ca.crt" |
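Review bot: `echo "${ETCD_CA_CERT}" | base64 --decode > "${auth_dir}/etcd-ca.crt"` runs unconditionally, and `base64 --decode` of an empty string exits 0, so a caller that does not set ETCD_CA_CERT ends up with an empty etcd-ca.crt instead of an error (or an unbound-variable abort under set -u). Guard the function with `if [[ -n "${ETCD_CA_CERT:-}" ]]`, check the decode's exit status, and for any private key written into ${auth_dir} set a restrictive mode (umask 077 or chmod 600) before the redirect creates the file.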
this doesn't appear to be optional, so anyone (like gke) who calls this script w/o setting the new fields will fail here.
done
@@ -609,7 +616,7 @@ function prepare-etcd-manifest { | |||
local etcd_cluster="" | |||
local cluster_state="new" | |||
for host in $(echo "${INITIAL_ETCD_CLUSTER:-${host_name}}" | tr "," "\n"); do | |||
etcd_host="etcd-${host}=http://${host}:$3" | |||
etcd_host="etcd-${host}=https://${host}:$3" |
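Review bot: `etcd_host="etcd-${host}=https://${host}:$3"` hard-codes the peer scheme to https regardless of whether peer certificates were provided; a master built without ETCD_PEER_CERT/ETCD_PEER_KEY would then advertise https peer URLs that its etcd cannot serve. Derive the scheme from the same condition that decides whether peer TLS is enabled, so the initial-cluster string and the etcd flags cannot disagree.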
this looks like it sets https for every setup, regardless of HA or non-HA. should we leave explicit non-HA using localhost http, so that we don't have to have the apiserver connect insecurely to etcd?
I think we should use https in every configuration: the user should always have the possibility to make his cluster HA in the future. In the case of a cluster with one master there will be only one etcd server, so the etcd server will not communicate with any peers (so there is no difference between http and https).
Force-pushed from 28571bf to 665c746.
Comments applied, PTAL
Force-pushed from 665c746 to 7b093b5.
Jenkins GCE Node e2e failed for commit 7b093b58259d5624f3b24a56735080bd2002012c. Full PR test history. The magic incantation to run this job again is
|
||
mkdir -p "${KUBE_TEMP}/cfssl" | ||
pushd "${KUBE_TEMP}/cfssl" | ||
curl -s -L -o cfssl https://pkg.cfssl.org/R1.2/cfssl_linux-amd64 |
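Review bot: `curl -s -L -o cfssl https://pkg.cfssl.org/R1.2/cfssl_linux-amd64` fetches the binary that will mint the cluster CA with no integrity check, and `-s` also hides HTTP errors, so an error page or a tampered download would be saved and executed as cfssl. Add `--fail`, pin the expected SHA-256 of the R1.2 release and verify it with `sha256sum -c` before `chmod +x`; and since this runs on the operator's host from kube-up.sh, the linux-amd64 artifact also fails on macOS, as already noted.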
This doesn't work on a mac (and from what I remember common.sh executes on the host system where you are running kube-up.sh).
Done (moved under gce directory).
{% if pillar.get('etcd_over_ssl', '').lower() == 'true' -%} | ||
{% set etcd_protocol = 'https' -%} | ||
{% set etcd_creds = '--peer-trusted-ca-file /etc/srv/kubernetes/etcd-ca.crt --peer-cert-file /etc/srv/kubernetes/etcd-peer.crt --peer-key-file /etc/srv/kubernetes/etcd-peer.key -peer-client-cert-auth' -%} | ||
{% else -%} |
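Review bot: `-peer-client-cert-auth` uses a single dash while the other etcd_creds flags use two; etcd's Go flag parser accepts both forms, but write `--peer-client-cert-auth` for consistency. Note that etcd_creds sets only --peer-* options, so client connections (the apiserver) still go in the clear, and the pillar test `pillar.get('etcd_over_ssl', '').lower() == 'true'` silently selects plain http for any value other than the literal string true, including a typo.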
The else seems unnecessary
removed
Force-pushed from 7b093b5 to 086bf17.
@@ -626,6 +635,8 @@ function prepare-etcd-manifest { | |||
sed -i -e "s@{{ *etcd_cluster *}}@$etcd_cluster@g" "${temp_file}" | |||
sed -i -e "s@{{ *storage_backend *}}@${STORAGE_BACKEND:-}@g" "${temp_file}" | |||
sed -i -e "s@{{ *cluster_state *}}@$cluster_state@g" "${temp_file}" | |||
sed -i -e "s@{{ *etcd_protocol *}}@https@g" "${temp_file}" |
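Review bot: `sed -i -e "s@{{ *etcd_protocol *}}@https@g"` substitutes https unconditionally on the GCI path, while the salt template only selects https when the etcd_over_ssl pillar is true, so the two code paths now disagree and a GCI master without peer certificates would get https peer URLs it cannot serve. Substitute the scheme from the same etcd_over_ssl decision, or fail early when the peer certificates are absent.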
It seems that with GCI we are always using https and it's not possible to use http. Is that what we want?
Do we have any performance results for this change?
We always want to secure peer communication inside the etcd cluster with SSL, to prevent malicious users from changing etcd state. It shouldn't have any performance impact in the case of single-node clusters, as SSL is used only for communication between peers (so it will only affect HA deployments).
So apiserver(s) will still talk to etcd using pure http, right?
Yes, we are not changing it.
Force-pushed from 086bf17 to 2a11d2f.
Force-pushed from 2a11d2f to 2f5a6a6.
Force-pushed from fcb894b to 1a713a3.
Added support for Darwin kernel. @roberthbailey
Force-pushed from 1a713a3 to 55d4a24.
Force-pushed from 4425ed1 to c5a5dfc.
Comments applied, PTAL
Applying do-not-merge until the post-code freeze merge exception for this feature for 1.5 has been approved. https://groups.google.com/forum/#!topic/kubernetes-milestone-burndown/DTZu98YNuUE
@@ -458,6 +458,7 @@ num_nodes: $(echo "${NUM_NODES:-}" | sed -e "s/'/''/g") | |||
e2e_storage_test_environment: '$(echo "$E2E_STORAGE_TEST_ENVIRONMENT" | sed -e "s/'/''/g")' | |||
kube_uid: '$(echo "${KUBE_UID}" | sed -e "s/'/''/g")' | |||
initial_etcd_cluster: '$(echo "${INITIAL_ETCD_CLUSTER:-}" | sed -e "s/'/''/g")' | |||
etcd_over_ssl: '$(if [[ -n "${ETCD_CA_KEY:-}" && -n "${ETCD_CA_CERT:-}" && -n "${ETCD_PEER_KEY:-}" && -n "${ETCD_PEER_CERT:-}" ]]; then echo "true"; else echo "false"; fi)' |
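Review bot: the inline `$(if [[ -n "${ETCD_CA_KEY:-}" && ... ]]; then echo "true"; else echo "false"; fi)` silently yields false when only some of the four variables are set, which turns peer TLS off without any message; a partial set is a misconfiguration and should abort rather than downgrade. Move the logic into an if/else block after the EOF, as with storage_backend and admission control, and fail when the four variables are neither all set nor all empty.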
This should be an if/else block below the EOF rather than inline (like the storage backend, admission control, etc below).
done
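The etcd_over_ssl derivation discussed in this thread, as an added example that is not part of the PR or of the kubernetes repository. It assumes the same four variables (ETCD_CA_KEY, ETCD_CA_CERT, ETCD_PEER_KEY, ETCD_PEER_CERT) and the /etc/srv/kubernetes file names used in the PR; the host names and port 2380 in the demo are constructed placeholders. Unlike the inline check, it refuses a partially set configuration instead of falling back to plain http, and it derives both the peer URL scheme and the peer flags from that single decision so the manifest and the salt template cannot disagree:

```shell
#!/bin/sh
# Added example (not from the kubernetes repo): derive the etcd peer-TLS
# decision from the four ETCD_* variables this PR introduces and build the
# settings that depend on it from that one decision.
set -eu

# Prints "true" when all four variables are non-empty, "false" when all are
# empty, and fails (exit 1) when only some are set: a partial set would
# otherwise silently disable peer TLS.
etcd_over_ssl() {
  set_count=0
  for var in ETCD_CA_KEY ETCD_CA_CERT ETCD_PEER_KEY ETCD_PEER_CERT; do
    eval "value=\${$var:-}"
    if [ -n "$value" ]; then
      set_count=$((set_count + 1))
    fi
  done
  case "$set_count" in
    4) echo "true" ;;
    0) echo "false" ;;
    *) echo "etcd_over_ssl: only $set_count of 4 ETCD_* variables are set" >&2
       return 1 ;;
  esac
}

# Peer-side etcd flags for a given decision. Only peer traffic is covered,
# matching the PR: client (apiserver) traffic is left unchanged.
# Second argument (optional) is the directory holding the decoded files.
etcd_peer_flags() {
  over_ssl="$1"
  auth_dir="${2:-/etc/srv/kubernetes}"
  if [ "$over_ssl" = "true" ]; then
    printf '%s' "--peer-trusted-ca-file $auth_dir/etcd-ca.crt --peer-cert-file $auth_dir/etcd-peer.crt --peer-key-file $auth_dir/etcd-peer.key --peer-client-cert-auth"
  fi
}

# Initial-cluster string whose scheme follows the same decision instead of
# being hard-coded to https. Arguments: decision, peer port, comma-separated hosts.
etcd_initial_cluster() {
  over_ssl="$1"; port="$2"; hosts="$3"
  scheme="http"
  if [ "$over_ssl" = "true" ]; then scheme="https"; fi
  result=""
  for host in $(printf '%s' "$hosts" | tr ',' ' '); do
    result="${result:+$result,}etcd-$host=$scheme://$host:$port"
  done
  printf '%s' "$result"
}

# Demonstration with constructed placeholder values (not real key material);
# the assignments live in a subshell so they do not leak into the caller.
demo() {
  mode="$(ETCD_CA_KEY=k; ETCD_CA_CERT=c; ETCD_PEER_KEY=pk; ETCD_PEER_CERT=pc; etcd_over_ssl)"
  echo "etcd_over_ssl=$mode"
  echo "initial_cluster=$(etcd_initial_cluster "$mode" 2380 'kubernetes-master,kubernetes-master-1')"
  echo "peer_flags=$(etcd_peer_flags "$mode")"
}

demo
```

Running the file prints the three derived values for a fully configured master; setting, say, only ETCD_CA_CERT makes etcd_over_ssl exit non-zero with a message on stderr instead of quietly producing "false".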
Force-pushed from c5a5dfc to cc7c11d.
I've applied the comments, run manual tests for debian OS and did some fixes for debian.
lgtm
The request for exception to 1.5 release code freeze for the "Simplify HA setup for master on GCE" feature has been approved. Adding 1.5 milestone and removing
Force-pushed from cc7c11d to 777cd95.
Jenkins unit/integration failed for commit 777cd95eb21b844891866e15e6b9b389841088ba. Full PR test history. The magic incantation to run this job again is
Added generation of SSL certificates for etcd cluster internal communication. Turned on on gci & trusty.
Force-pushed from 777cd95 to ab7266b.
@k8s-bot test this [submit-queue is verifying that this PR is safe to merge]
Automatic merge from submit-queue
Part of kubernetes/enhancements#48 |
Added generation of SSL certificates for etcd cluster's internal communication.
Turned on on GCE (gci, trusty and debian).