Feature/kubeadm 594 etcd TLS on init/upgrade #57415
@@ -60,8 +60,8 @@ var ( | |
apiServerCertLongDesc = fmt.Sprintf(normalizer.LongDesc(` | ||
Generates the API server serving certificate and key and saves them into %s and %s files. | ||
|
||
The certificate includes default subject alternative names and additional sans eventually provided by the user; | ||
default sans are: <node-name>, <apiserver-advertise-address>, kubernetes, kubernetes.default, kubernetes.default.svc, | ||
The certificate includes default subject alternative names and additional SANs provided by the user; | ||
default SANs are: <node-name>, <apiserver-advertise-address>, kubernetes, kubernetes.default, kubernetes.default.svc, | ||
kubernetes.default.svc.<service-dns-domain>, <internalAPIServerVirtualIP> (that is the .10 address in <service-cidr> address space). | ||
|
||
If both files already exist, kubeadm skips the generation step and existing files will be used. | ||
|
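Review bot: the sentence this hunk rewrites still ends with `<internalAPIServerVirtualIP> (that is the .10 address in <service-cidr> address space)`, which is wrong: the ClusterIP of the `kubernetes` service that the API server serving certificate must cover is the first address of the service CIDR (the .1 address), while .10 is where the cluster DNS service conventionally sits, so a user checking the generated SAN list against this text would expect the wrong IP. Since the hunk already touches the adjacent lines, change `.10` to `.1` here. Replacing "additional sans eventually provided by the user" with "additional SANs provided by the user" is right ("eventually" read as "possibly"); to introduce the abbreviation, spell the first mention as "Subject Alternative Names (SANs)" so the later "SANs" is defined.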
@@ -74,6 +74,31 @@ var ( | |
If both files already exist, kubeadm skips the generation step and existing files will be used. | ||
`+cmdutil.AlphaDisclaimer), kubeadmconstants.APIServerKubeletClientCertName, kubeadmconstants.APIServerKubeletClientKeyName) | ||
|
||
etcdServerCertLongDesc = fmt.Sprintf(normalizer.LongDesc(` | ||
Generates the etcd serving certificate and key and saves them into %s and %s files. | ||
|
||
The certificate includes default subject alternative names and additional SANs provided by the user; | ||
default SANs are: localhost, 127.0.0.1. | ||
|
||
If both files already exist, kubeadm skips the generation step and existing files will be used. | ||
`+cmdutil.AlphaDisclaimer), kubeadmconstants.EtcdServerCertName, kubeadmconstants.EtcdServerKeyName) | ||
|
||
etcdPeerCertLongDesc = fmt.Sprintf(normalizer.LongDesc(` | ||
Generates the etcd peer certificate and key and saves them into %s and %s files. | ||
|
||
The certificate includes default subject alternative names and additional SANs provided by the user; | ||
default SANs are: <node-name>, <apiserver-advertise-address>. | ||
|
||
If both files already exist, kubeadm skips the generation step and existing files will be used. | ||
`+cmdutil.AlphaDisclaimer), kubeadmconstants.EtcdPeerCertName, kubeadmconstants.EtcdPeerKeyName) | ||
|
||
apiServerEtcdServerCertLongDesc = fmt.Sprintf(normalizer.LongDesc(` | ||
Generates the client certificate for the API server to connect to etcd securely and the respective key, | ||
and saves them into %s and %s files. | ||
|
||
If both files already exist, kubeadm skips the generation step and existing files will be used. | ||
`+cmdutil.AlphaDisclaimer), kubeadmconstants.APIServerEtcdClientCertName, kubeadmconstants.APIServerEtcdClientKeyName) | ||
|
||
saKeyLongDesc = fmt.Sprintf(normalizer.LongDesc(` | ||
Generates the private key for signing service account tokens along with its public key, and saves them into | ||
%s and %s files. | ||
|
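Review bot: the etcd-server description (`default SANs are: localhost, 127.0.0.1.`) should state what that default implies, because it differs from the peer certificate on the same hunk, which gets `<node-name>, <apiserver-advertise-address>`. A serving certificate whose only SANs are loopback names fails hostname verification for any client that reaches etcd over the node's IP or hostname, so either say explicitly that the default assumes a local etcd reached via loopback and that any other endpoint needs additional SANs, or add `<node-name>` and `<apiserver-advertise-address>` to the server certificate's defaults as the peer certificate already does. Without that note the "If both files already exist, kubeadm skips the generation step" sentence also hides that a pre-existing loopback-only cert will be reused unchanged.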
@@ -157,6 +182,24 @@ func getCertsSubCommands(defaultKubernetesVersion string) []*cobra.Command { | |
long: apiServerKubeletCertLongDesc, | ||
cmdFunc: certsphase.CreateAPIServerKubeletClientCertAndKeyFiles, | ||
}, | ||
{ | ||
use: "etcd-server", | ||
short: "Generates etcd serving certificate and key", | ||
long: etcdServerCertLongDesc, | ||
cmdFunc: certsphase.CreateEtcdServerCertAndKeyFiles, | ||
}, | ||
{ | ||
use: "etcd-peer", | ||
short: "Generates etcd peer certificate and key", | ||
long: etcdPeerCertLongDesc, | ||
cmdFunc: certsphase.CreateEtcdPeerCertAndKeyFiles, | ||
}, | ||
{ | ||
use: "apiserver-etcd-client", | ||
There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more. etcd-client-cert? There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more. I made this match Do we want to flip this around? |
||
short: "Generates client certificate for the API server to connect to etcd securely", | ||
long: apiServerEtcdServerCertLongDesc, | ||
cmdFunc: certsphase.CreateAPIServerEtcdClientCertAndKeyFiles, | ||
}, | ||
{ | ||
use: "sa", | ||
short: "Generates a private key for signing service account tokens along with its public key", | ||
|
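Review bot: `long: apiServerEtcdServerCertLongDesc` is attached to the `apiserver-etcd-client` subcommand, whose `short` text and `cmdFunc` (`certsphase.CreateAPIServerEtcdClientCertAndKeyFiles`) both describe a client certificate; rename the variable to `apiServerEtcdClientCertLongDesc` so it matches `APIServerEtcdClientCertName` and does not read as an etcd server certificate. The naming question raised in the thread (`etcd-client-cert?` versus `apiserver-etcd-client`) also applies to the `short` string: "Generates client certificate for the API server to connect to etcd securely" can drop "securely" (it is a TLS client certificate either way) and say what the credential is for, e.g. "Generates the client certificate the API server uses to authenticate to etcd".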
@@ -65,6 +65,33 @@ const ( | |
// APIServerKubeletClientCertCommonName defines kubelet client certificate common name (CN) | ||
APIServerKubeletClientCertCommonName = "kube-apiserver-kubelet-client" | ||
|
||
// EtcdServerCertAndKeyBaseName defines etcd's server certificate and key base name | ||
EtcdServerCertAndKeyBaseName = "etcd/server" | ||
// EtcdServerCertName defines etcd's server certificate name | ||
EtcdServerCertName = "etcd/server.crt" | ||
// EtcdServerKeyName defines etcd's server key name | ||
EtcdServerKeyName = "etcd/server.key" | ||
// EtcdServerCertCommonName defines etcd's server certificate common name (CN) | ||
EtcdServerCertCommonName = "kube-etcd" | ||
|
||
// EtcdPeerCertAndKeyBaseName defines etcd's peer certificate and key base name | ||
EtcdPeerCertAndKeyBaseName = "etcd/peer" | ||
// EtcdPeerCertName defines etcd's peer certificate name | ||
EtcdPeerCertName = "etcd/peer.crt" | ||
// EtcdPeerKeyName defines etcd's peer key name | ||
EtcdPeerKeyName = "etcd/peer.key" | ||
// EtcdPeerCertCommonName defines etcd's peer certificate common name (CN) | ||
EtcdPeerCertCommonName = "kube-etcd-peer" | ||
|
||
// APIServerEtcdClientCertAndKeyBaseName defines etcd client certificate and key base name | ||
APIServerEtcdClientCertAndKeyBaseName = "apiserver-etcd-client" | ||
There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more. How about just There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more. I'm not positive we should generalize the usage of a cert that allows access to the cluster's data. There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more.
edit: I ended up not nesting this client cert under the new |
||
// APIServerEtcdClientCertName defines etcd client certificate name | ||
APIServerEtcdClientCertName = "apiserver-etcd-client.crt" | ||
// APIServerEtcdClientKeyName defines etcd client key name | ||
APIServerEtcdClientKeyName = "apiserver-etcd-client.key" | ||
// APIServerEtcdClientCertCommonName defines etcd client certificate common name (CN) | ||
APIServerEtcdClientCertCommonName = "kube-apiserver-etcd-client" | ||
|
||
// ServiceAccountKeyBaseName defines SA key base name | ||
ServiceAccountKeyBaseName = "sa" | ||
// ServiceAccountPublicKeyName defines SA public key base name | ||
|
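Review bot: the doc comments on the `APIServerEtcdClient*` constants ("defines etcd client certificate and key base name", "defines etcd client certificate name", "defines etcd client key name", "defines etcd client certificate common name (CN)") are the only ones in this hunk that do not say whose certificate it is, while the neighbouring comments say "etcd's server certificate" and "etcd's peer certificate". Write "defines the API server's etcd client certificate ..." on all four lines. That precision matters for exactly the reason the thread gives: this is a credential that allows access to the cluster's data, and the CN `kube-apiserver-etcd-client` is the identity etcd sees when client certificate authentication is enabled, so it should read as specific to the API server rather than as a generic etcd client that other components might be tempted to reuse.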
Maybe capitalize Subject Alternative Names so that it's more clear that SAN (used later) is abbreviating that (applies below too).