Centos provider: generate SSL certificates for etcd cluster.

[Shawyeok]

What this PR does / why we need it:
Support secure etcd cluster for centos provider, generate SSL certificates for etcd in default. Running it w/o SSL is exposing cluster data to everyone and is not recommended. #39462

/cc @jszczepkowski @zmerlynn

Release note:

Support secure etcd cluster for centos provider.

[k8s-ci-robot]

Hi @Shawyeok. Thanks for your PR.

I'm waiting for a kubernetes member to verify that this patch is reasonable to test. If it is, they should reply with @k8s-bot ok to test on its own line. Until that is done, I will not automatically test new commits in this PR, but the usual testing commands by org members will still work. Regular contributors should join the org to skip this step.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository. I understand the commands that are listed here.

[k8s-reviewable]

This change is 

[eparis]

This seems a lot like https://github.com/kubernetes/kubernetes/blob/master/cluster/gce/util.sh#L740

I wonder if @jszczepkowski would be interest in you moving that stuff up higher in the tree and making it reusable by more providers.

[Shawyeok]

Yes, it's a good suggestion. Download the cfssl binaries is duplicate at least https://github.com/kubernetes/kubernetes/blob/master/cluster/common.sh#L908.

[jszczepkowski]

It sound reasonable to move this up.

[jszczepkowski]

Why do you need it on node? Etcd peers are only on masters.

[Shawyeok]

Well, it's not a peer certfile for etcd(A peer certfile just like peer-*.pem). Because flannel needs to access the etcd cluster, so...

[jszczepkowski]

Why do you need client & server certs? Aren't peer certs enough?

[Shawyeok]

Suppose a pod running in a k8s cluster(peer certs only), the pod still can access the etcd service, so I think it's necessary.

[Shawyeok]

I've extracted generate-etcd-cert method to the cluster/common.sh, feel free to review, thanks a lot. @jszczepkowski

[jszczepkowski]

Is this section needed? If so, shouldn't we fill it with some reasonable values?

[Shawyeok]

Yes, it is. cfssl docs
I've changed the O (Organization) to kubernetes.io and deleted another unnecessary fields.

[Shawyeok]

Support defined ADMISSION_CONTROL outside by user, DefaultTolerationSeconds is not exists before cd427fa4. /cc @kevin-wangzefeng

[jszczepkowski]

Who creates ${KUBE_TEMP}/cfssl directory?

[Shawyeok]

The directory ${KUBE_TEMP}/cfssl will create in download-cfssl function, but it's not exists before call download in generate-etcd-cert function. It maybe cause error: the file or directory not exists. I'll fix it.

[jszczepkowski]

This seems to be unnecessary: function generate-etcd-cert does pushd.

[Shawyeok]

Actually, I need to check client.pem or client-key.pem exists in the ${cert_dir} directory. Use generate-etcd-cert "${cert_dir}" instead of generate-etcd-cert . seem could be better.

[jszczepkowski]

Isn't better to create ${cert_dir} inside generate-etcd-cert function (if the dir does not exist). Currently, generate-etcd-cert function has undocumented assumption that the directory already exists.

[Shawyeok]

Yes, it is.

[Shawyeok]

Check the client.pem and client-key.pem in the directory exists without cd.

[Shawyeok]

Create ${cert_dir} directory inside generate-etcd-cert function.

[jszczepkowski]

Can you please add a local variable with a meaningful name for "$1" (like here)?

[jszczepkowski]

@k8s-bot ok to test

[Shawyeok]

Use ${cfssl_dir} instead of $1.

[Shawyeok]

Use ${master} instead of $1.

[Shawyeok]

Use ${node} instead of $1.

[jszczepkowski]

/lgtm

[jszczepkowski]

FYI: I did manual tests of this patch for GCE and it is passing.

[jszczepkowski]

@zmerlynn
Zach, can you approve it?

[eparis]

/approve

[Shawyeok]

@k8s-bot cvm gce e2e test this

[Shawyeok]

It's strange. Why tests pull-kubernetes-e2e-gce, pull-kubernetes-e2e-gce-etcd3, pull-kubernetes-e2e-gce-gci failed after I force push ca4ea4e8 to replace 92997ee5?

The diff between two commits are:

$ git diff 92997ee5616670533bd188f02a262e6d256b5ea9 ca4ea4e88eea97982a9176f474bc70803dcb0228

diff --git a/cluster/centos/util.sh b/cluster/centos/util.sh
index 88302a3..f817759 100755
--- a/cluster/centos/util.sh
+++ b/cluster/centos/util.sh
@@ -197,38 +197,40 @@ function troubleshoot-node() {

 # Clean up on master
 function tear-down-master() {
-echo "[INFO] tear-down-master on $1"
+  local master="${1}"
+  echo "[INFO] tear-down-master on ${master}"
   for service_name in etcd kube-apiserver kube-controller-manager kube-scheduler ; do
       service_file="/usr/lib/systemd/system/${service_name}.service"
-      kube-ssh "$1" " \
+      kube-ssh "${master}" " \
         if [[ -f $service_file ]]; then \
           sudo systemctl stop $service_name; \
           sudo systemctl disable $service_name; \
           sudo rm -f $service_file; \
         fi"
   done
-  kube-ssh "${1}" "sudo rm -rf /opt/kubernetes"
-  kube-ssh "${1}" "sudo rm -rf /srv/kubernetes"
-  kube-ssh "${1}" "sudo rm -rf ${KUBE_TEMP}"
-  kube-ssh "${1}" "sudo rm -rf /var/lib/etcd"
+  kube-ssh "${master}" "sudo rm -rf /opt/kubernetes"
+  kube-ssh "${master}" "sudo rm -rf /srv/kubernetes"
+  kube-ssh "${master}" "sudo rm -rf ${KUBE_TEMP}"
+  kube-ssh "${master}" "sudo rm -rf /var/lib/etcd"
 }

 # Clean up on node
 function tear-down-node() {
-echo "[INFO] tear-down-node on $1"
+  local node="${1}"
+  echo "[INFO] tear-down-node on ${node}"
   for service_name in kube-proxy kubelet docker flannel ; do
       service_file="/usr/lib/systemd/system/${service_name}.service"
-      kube-ssh "$1" " \
+      kube-ssh "${node}" " \
         if [[ -f $service_file ]]; then \
           sudo systemctl stop $service_name; \
           sudo systemctl disable $service_name; \
           sudo rm -f $service_file; \
         fi"
   done
-  kube-ssh "$1" "sudo rm -rf /run/flannel"
-  kube-ssh "$1" "sudo rm -rf /opt/kubernetes"
-  kube-ssh "$1" "sudo rm -rf /srv/kubernetes"
-  kube-ssh "$1" "sudo rm -rf ${KUBE_TEMP}"
+  kube-ssh "${node}" "sudo rm -rf /run/flannel"
+  kube-ssh "${node}" "sudo rm -rf /opt/kubernetes"
+  kube-ssh "${node}" "sudo rm -rf /srv/kubernetes"
+  kube-ssh "${node}" "sudo rm -rf ${KUBE_TEMP}"
 }

 # Generate the CA certificates for k8s components
diff --git a/cluster/common.sh b/cluster/common.sh
index 656bfd1..e9e7fd1 100755
--- a/cluster/common.sh
+++ b/cluster/common.sh
@@ -903,11 +903,13 @@ function sha1sum-file() {
 # Downloads cfssl into $1 directory
 #
 # Assumed vars:
-#   $1 (cfssl directory)
+#   $1 (the directory that cfssl to save)
 #
 function download-cfssl {
-  mkdir -p "$1"
-  pushd "$1"
+  local cfssl_dir="${1}"
+
+  mkdir -p "${cfssl_dir}"
+  pushd "${cfssl_dir}"

   kernel=$(uname -s)
   case "${kernel}" in

Full PR test history: #42994
There are some layout problems, all failed test are under commit ca4ea4e8.

/cc @k8s-oncall @kubernetes/test-infra-maintainers

[Shawyeok]

This PR needs LGTM again after rebase, please. @jszczepkowski @zmerlynn

[jszczepkowski]

/lgtm

[k8s-github-robot]

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: Shawyeok, eparis, jszczepkowski

Needs approval from an approver in each of these OWNERS Files:

• cluster/OWNERS [eparis]

You can indicate your approval by writing /approve in a comment
You can cancel your approval by writing /approve cancel in a comment

[k8s-github-robot]

Automatic merge from submit-queue