SSL certificates for etcd cluster. #35516
Conversation
jszczepkowski
added
release-note-none
k8s-github-robot
added
the
size/L
|
Jenkins Kubemark GCE e2e failed for commit 28571bf. Full PR test history. The magic incantation to run this job again is |
|
Jenkins GCI GCE e2e failed for commit 28571bf. Full PR test history. The magic incantation to run this job again is |
|
Jenkins GCE e2e failed for commit 28571bf. Full PR test history. The magic incantation to run this job again is |
|
Jenkins GCE etcd3 e2e failed for commit 28571bf. Full PR test history. The magic incantation to run this job again is |
| "usages": [ | ||
| "signing", | ||
| "key encipherment", | ||
| "server auth", |
There was a problem hiding this comment.
i don't think you should ever add client or server auth to a ca cert.
There was a problem hiding this comment.
done (removed)
| ./cfssl print-defaults csr > ca-csr.json | ||
| ./cfssl gencert -initca ca-csr.json | ./cfssljson -bare ca - | ||
|
|
||
| if [[ ! -z "${ca_key}" && ! -z "${ca_cert}" ]]; then |
There was a problem hiding this comment.
what about wrapping the if around the whole first block, so that we don't generate the ca if it isn't needed?
| @@ -375,6 +375,13 @@ current-context: service-account-context | |||
| EOF | |||
| } | |||
|
|
|||
| function create-master-etcd-auth { | |||
| local -r auth_dir="/etc/srv/kubernetes" | |||
| echo "${ETCD_CA_CERT}" | base64 --decode > "${auth_dir}/etcd-ca.crt" | |||
There was a problem hiding this comment.
this doesn't appear to be optional, so anyone (like gke) who calls this script w/o setting the new fields will fail here.
| @@ -609,7 +616,7 @@ function prepare-etcd-manifest { | |||
| local etcd_cluster="" | |||
| local cluster_state="new" | |||
| for host in $(echo "${INITIAL_ETCD_CLUSTER:-${host_name}}" | tr "," "\n"); do | |||
| etcd_host="etcd-${host}=http://${host}:$3" | |||
| etcd_host="etcd-${host}=https://${host}:$3" | |||
There was a problem hiding this comment.
this looks like it sets https for every setup, regardless of HA or non-HA. should we leave explicit non-HA using localhost http, so that we don't have to have the apiserver connect insecurely to etcd?
There was a problem hiding this comment.
I think we should use https in every configuration: user should always have a possibility to make his cluster HA in future. In case of cluster with one master, there will be only one etcd server, so etcd server will not communicate with its peers (so, there is no different between http and https).
jszczepkowski
force-pushed
the
ha-etcd-certs
branch
from
28571bf
to
665c746
Compare
|
Comments applied, PTAL |
k8s-github-robot
added
the
needs-rebase
jszczepkowski
force-pushed
the
ha-etcd-certs
branch
from
665c746
to
7b093b5
Compare
k8s-github-robot
removed
the
needs-rebase
|
Jenkins GCE Node e2e failed for commit 7b093b58259d5624f3b24a56735080bd2002012c. Full PR test history. The magic incantation to run this job again is |
|
|
||
| mkdir -p "${KUBE_TEMP}/cfssl" | ||
| pushd "${KUBE_TEMP}/cfssl" | ||
| curl -s -L -o cfssl https://pkg.cfssl.org/R1.2/cfssl_linux-amd64 |
There was a problem hiding this comment.
This doesn't work on a mac (and from what I remember common.sh executes on the host system where you are running kube-up.sh).
There was a problem hiding this comment.
Done (moved under gce directory).
| {% if pillar.get('etcd_over_ssl', '').lower() == 'true' -%} | ||
| {% set etcd_protocol = 'https' -%} | ||
| {% set etcd_creds = '--peer-trusted-ca-file /etc/srv/kubernetes/etcd-ca.crt --peer-cert-file /etc/srv/kubernetes/etcd-peer.crt --peer-key-file /etc/srv/kubernetes/etcd-peer.key -peer-client-cert-auth' -%} | ||
| {% else -%} |
There was a problem hiding this comment.
The else seems unnecessary
jszczepkowski
force-pushed
the
ha-etcd-certs
branch
from
7b093b5
to
086bf17
Compare
| @@ -626,6 +635,8 @@ function prepare-etcd-manifest { | |||
| sed -i -e "s@{{ *etcd_cluster *}}@$etcd_cluster@g" "${temp_file}" | |||
| sed -i -e "s@{{ *storage_backend *}}@${STORAGE_BACKEND:-}@g" "${temp_file}" | |||
| sed -i -e "s@{{ *cluster_state *}}@$cluster_state@g" "${temp_file}" | |||
| sed -i -e "s@{{ *etcd_protocol *}}@https@g" "${temp_file}" | |||
There was a problem hiding this comment.
It seems that with GCI we are always using https and it's not possible to use http. Is that what we want?
Do we have any performance results for this change?
There was a problem hiding this comment.
We want always to secure peer communication inside etcd cluster by SSL, to prevent malicious users from changing etcd state. It shouldn't have any performance impact in case of a single node clusters, as SSL is used only for communication between peers (so, it will only affect HA deployments).
There was a problem hiding this comment.
So apiserver(s) will still talk to etcd using pure http, right?
There was a problem hiding this comment.
Yes, we are not changing it.
jszczepkowski
force-pushed
the
ha-etcd-certs
branch
from
086bf17
to
2a11d2f
Compare
k8s-github-robot
added
the
needs-rebase
jszczepkowski
force-pushed
the
ha-etcd-certs
branch
from
2a11d2f
to
2f5a6a6
Compare
jszczepkowski
removed
the
needs-rebase
jszczepkowski
force-pushed
the
ha-etcd-certs
branch
2 times, most recently
from
fcb894b
to
1a713a3
Compare
|
Added support for Darwin kernel. @roberthbailey |
k8s-github-robot
added
the
needs-rebase
jszczepkowski
force-pushed
the
ha-etcd-certs
branch
from
1a713a3
to
55d4a24
Compare
jszczepkowski
force-pushed
the
ha-etcd-certs
branch
from
4425ed1
to
c5a5dfc
Compare
|
Comments applied, PTAL |
|
Applying do-not-merge until the post-code freeze merge exception for this feature for 1.5 has been approved. https://groups.google.com/forum/#!topic/kubernetes-milestone-burndown/DTZu98YNuUE |
saad-ali
added
the
do-not-merge
| @@ -458,6 +458,7 @@ num_nodes: $(echo "${NUM_NODES:-}" | sed -e "s/'/''/g") | |||
| e2e_storage_test_environment: '$(echo "$E2E_STORAGE_TEST_ENVIRONMENT" | sed -e "s/'/''/g")' | |||
| kube_uid: '$(echo "${KUBE_UID}" | sed -e "s/'/''/g")' | |||
| initial_etcd_cluster: '$(echo "${INITIAL_ETCD_CLUSTER:-}" | sed -e "s/'/''/g")' | |||
| etcd_over_ssl: '$(if [[ -n "${ETCD_CA_KEY:-}" && -n "${ETCD_CA_CERT:-}" && -n "${ETCD_PEER_KEY:-}" && -n "${ETCD_PEER_CERT:-}" ]]; then echo "true"; else echo "false"; fi)' | |||
There was a problem hiding this comment.
This should be an if/else block below the EOF rather than inline (like the storage backend, admission control, etc below).
jszczepkowski
force-pushed
the
ha-etcd-certs
branch
from
c5a5dfc
to
cc7c11d
Compare
|
I've applied the comments, run manual tests for debian OS and did some fixes for debian. |
roberthbailey
added
the
lgtm
|
lgtm |
The request for exception to 1.5 release code freeze for the "Simplify HA setup for master on GCE" feature has been approved. Adding 1.5 milestone and removing |
saad-ali
removed
the
do-not-merge
k8s-github-robot
added
the
needs-rebase
jszczepkowski
force-pushed
the
ha-etcd-certs
branch
from
cc7c11d
to
777cd95
Compare
jszczepkowski
removed
the
needs-rebase
k8s-github-robot
removed
the
lgtm
jszczepkowski
added
the
lgtm
|
Jenkins unit/integration failed for commit 777cd95eb21b844891866e15e6b9b389841088ba. Full PR test history. The magic incantation to run this job again is |
k8s-github-robot
added
the
needs-rebase
Added generation of SSL certificates for etcd cluster internal communication. Turned on on gci & trusty.
jszczepkowski
force-pushed
the
ha-etcd-certs
branch
from
777cd95
to
ab7266b
Compare
jszczepkowski
removed
the
needs-rebase
k8s-github-robot
removed
the
lgtm
jszczepkowski
added
the
lgtm
|
@k8s-bot test this [submit-queue is verifying that this PR is safe to merge] |
|
Automatic merge from submit-queue |
|
Part of kubernetes/enhancements#48 |
Added generation of SSL certificates for etcd cluster's internal communication.
Turned on on GCE (gci, trusty and debain).
This change is