
Add mTLS encryption between etcd and kube-apiserver in GCE #70144

Merged: 1 commit merged into kubernetes:master from wenjiaswe:etcdKasTls on Jan 16, 2019

Conversation

@wenjiaswe (Contributor) commented Oct 23, 2018

What type of PR is this?

Uncomment only one, leave it on its own line:

/kind api-change
/kind bug
/kind cleanup
/kind design
/kind documentation
/kind failing-test

/kind feature

/kind flake

What this PR does / why we need it:
This PR adds mTLS to secure communication between the etcd client port and the apiserver.
It generates a CA cert and key, as well as the corresponding server and client cert/key pairs, then passes them on the corresponding flags when starting up the apiserver and etcd, as below.

Which issue(s) this PR fixes (optional, in fixes #<issue number>(, fixes #<issue_number>, ...) format, will close the issue(s) when PR gets merged):
Fixes #70143

Special notes for your reviewer:

Does this PR introduce a user-facing change?:

Enable mTLS encryption between etcd and kube-apiserver in GCE

/sig api-machinery
/sig GCP
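The procedure the PR description outlines (mint a CA, mint a server pair for etcd and a client pair for the apiserver, then wire them into both binaries' flags) as an added, stand-alone shell example. This is not the PR's own cluster/gce code: the output directory, hostnames, loopback listen address and certificate lifetimes are assumptions, and the helper names (gen_etcd_apiserver_certs, issue_leaf, check_cert, print_flags) are invented here. The etcd and kube-apiserver flag names are the real ones. Beyond what the description says, it also checks that each certificate verifies only for its own TLS role, which is the property that keeps a leaked etcd server cert from doubling as an apiserver client credential.

```shell
#!/bin/sh
# Added example, not code from kubernetes PR #70144 or cluster/gce/util.sh.
# Mints a CA plus an etcd server cert and a kube-apiserver client cert with
# openssl, checks that each cert is valid only for its own role, and prints
# the etcd / kube-apiserver flags that wire them together. Hostnames, file
# names, the listen address and the cert lifetimes are assumptions.
set -eu

# Issue one leaf cert signed by $1/ca.{crt,key}.
# $1 dir, $2 file stem, $3 CN, $4 extendedKeyUsage, $5 subjectAltName list
issue_leaf() {
  d=$1; stem=$2; cn=$3; eku=$4; san=$5
  openssl req -new -newkey rsa:2048 -nodes -sha256 -subj "/CN=$cn" \
    -keyout "$d/$stem.key" -out "$d/$stem.csr" 2>/dev/null
  # Leaf-only extensions. The EKU is what stops a server cert from being
  # presented as a client cert (and the other way round).
  printf 'basicConstraints=CA:FALSE\nkeyUsage=digitalSignature,keyEncipherment\nextendedKeyUsage=%s\nsubjectAltName=%s\n' \
    "$eku" "$san" > "$d/$stem.ext"
  openssl x509 -req -sha256 -days 365 -in "$d/$stem.csr" \
    -CA "$d/ca.crt" -CAkey "$d/ca.key" -CAcreateserial \
    -extfile "$d/$stem.ext" -out "$d/$stem.crt" 2>/dev/null
  chmod 600 "$d/$stem.key"   # keys are unencrypted on disk (-nodes)
}

# $1 output dir, $2 etcd host name, $3 apiserver host name.
# A fresh CA is generated only when $1/ca.crt or $1/ca.key is missing,
# mirroring the "CA cert/key empty" case described in the PR.
gen_etcd_apiserver_certs() {
  dir=$1; host_server=$2; host_client=$3
  mkdir -p "$dir"
  if [ ! -s "$dir/ca.crt" ] || [ ! -s "$dir/ca.key" ]; then
    openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 3650 \
      -subj "/CN=etcd-apiserver-ca" \
      -keyout "$dir/ca.key" -out "$dir/ca.crt" 2>/dev/null
    chmod 600 "$dir/ca.key"
  fi
  # etcd presents this on its client port; the SAN must match what the
  # apiserver dials (name and/or the loopback address used below).
  issue_leaf "$dir" server "$host_server" serverAuth "DNS:$host_server,IP:127.0.0.1"
  # kube-apiserver presents this to etcd; clientAuth only.
  issue_leaf "$dir" client "$host_client" clientAuth "DNS:$host_client"
}

# Exit 0 only if $1/$2.crt chains to $1/ca.crt AND is valid for purpose $3
# (sslserver or sslclient). A cert minted for the other role fails here.
check_cert() {
  openssl verify -CAfile "$1/ca.crt" -purpose "$3" "$1/$2.crt" >/dev/null 2>&1
}

# Flags each side is started with. --client-cert-auth on etcd is what makes
# the TLS mutual: without it etcd serves any client that trusts its cert.
print_flags() {
  cat <<EOF
etcd --listen-client-urls=https://127.0.0.1:2379 --client-cert-auth \\
  --trusted-ca-file=$1/ca.crt --cert-file=$1/server.crt --key-file=$1/server.key
kube-apiserver --etcd-servers=https://127.0.0.1:2379 \\
  --etcd-cafile=$1/ca.crt --etcd-certfile=$1/client.crt --etcd-keyfile=$1/client.key
EOF
}

# Stand-alone usage: sh this_file.sh demo
if [ "${1:-}" = "demo" ]; then
  out=$(mktemp -d)
  gen_etcd_apiserver_certs "$out" etcd.internal kube-apiserver
  check_cert "$out" server sslserver && check_cert "$out" client sslclient && echo "certs OK"
  print_flags "$out"
fi
```

The two negative checks matter as much as the positive ones: if the server cert verified for sslclient, anyone holding etcd's key could impersonate the apiserver to etcd, which is exactly the cross-use mTLS is supposed to rule out.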

@wenjiaswe (Contributor, Author) commented Oct 23, 2018

/cc @yguo0905 @cjcullen @jpbetz add in here early so I get the necessary tests going. I will let you know when it's ready for review. Thanks!

@yguo0905 (Contributor) commented Oct 23, 2018

/ok-to-test

@@ -39,7 +39,7 @@ function create-master-instance {
create-master-instance-internal "${MASTER_NAME}" "${address}"
}

function replicate-master-instance() {
function q() {
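Review bot: the last two lines of the hunk rename `function replicate-master-instance()` to `function q()`, which looks like a stray edit rather than part of the mTLS change and would break every caller of replicate-master-instance; restore the original name and keep this hunk out of the PR unless the rename is intended.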

@yguo0905 (Contributor) commented Oct 23, 2018

Changed by accident?

@wenjiaswe wenjiaswe force-pushed the wenjiaswe:etcdKasTls branch from 19f6060 to 3f3e7c3 Oct 23, 2018

@wenjiaswe wenjiaswe changed the title from "Add mTLS encryption between etcd and kube-apiserver in GCE" to "[WIP] Add mTLS encryption between etcd and kube-apiserver in GCE" Oct 23, 2018

@wenjiaswe wenjiaswe force-pushed the wenjiaswe:etcdKasTls branch 2 times, most recently from 0692783 to 53cb24a Oct 24, 2018

@wenjiaswe wenjiaswe changed the title from "[WIP] Add mTLS encryption between etcd and kube-apiserver in GCE" to "Add mTLS encryption between etcd and kube-apiserver in GCE" Oct 24, 2018

@wenjiaswe (Contributor, Author) commented Oct 24, 2018

/cc @yguo0905 @cjcullen @jpbetz PTAL, it's ready for review. Thanks!

Resolved review thread on cluster/gce/gci/configure-helper.sh (outdated):
# Args:
# $1: host name
# $2: CA certificate
# $3: CA key

@jpbetz (Contributor) commented Oct 29, 2018

$4 is expected below but not documented here.

@wenjiaswe (Contributor, Author) commented Nov 3, 2018

Added.

Resolved review thread on cluster/gce/util.sh (outdated)
Resolved review thread on cluster/gce/util.sh:
# If CA cert/key is empty, the function will also generate certs for CA.
#
# Vars set:
# ETCD_CA_KEY_BASE64
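Review bot: the "Vars set" list is incomplete for what the header above it promises: if the function generates the CA when cert/key are empty, the CA cert must be exported alongside ETCD_CA_KEY_BASE64, and the server and client cert/key pairs the PR description says are produced should be listed as well, so callers know exactly which variables to read. Since ETCD_CA_KEY_BASE64 carries a private key, also make sure no caller runs with `set -x` or dumps its environment, or the key ends up in build logs.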

@jpbetz (Contributor) commented Oct 29, 2018

This does not appear to match up with below list of vars actually set.

@wenjiaswe (Contributor, Author) commented Nov 3, 2018

Good catch! Thanks!

@wenjiaswe (Contributor, Author) commented Nov 30, 2018

/hold
check some setting

@wenjiaswe wenjiaswe force-pushed the wenjiaswe:etcdKasTls branch from 29063fd to 32df098 Dec 4, 2018

@wenjiaswe (Contributor, Author) commented Dec 5, 2018

/test pull-kubernetes-e2e-kops-aws

@wenjiaswe (Contributor, Author) commented Dec 5, 2018

/test pull-kubernetes-e2e-kops-aws

@wenjiaswe (Contributor, Author) commented Dec 6, 2018

/test pull-kubernetes-e2e-kops-aws

@wenjiaswe wenjiaswe force-pushed the wenjiaswe:etcdKasTls branch from 32df098 to 76dff6f Dec 29, 2018

@k8s-ci-robot k8s-ci-robot added size/L and removed size/M labels Dec 29, 2018

@wenjiaswe (Contributor, Author) commented Dec 29, 2018

/test pull-kubernetes-integration

@wenjiaswe (Contributor, Author) commented Dec 29, 2018

/hold cancel

@wenjiaswe (Contributor, Author) commented Jan 7, 2019

/test pull-kubernetes-e2e-gke

@caesarxuchao (Member) commented Jan 7, 2019

/hold cancel

@wenjiaswe wenjiaswe force-pushed the wenjiaswe:etcdKasTls branch from 76dff6f to 0c54378 Jan 7, 2019

@wenjiaswe wenjiaswe force-pushed the wenjiaswe:etcdKasTls branch from 0c54378 to c17233c Jan 7, 2019

@wenjiaswe (Contributor, Author) commented Jan 7, 2019

@gmarek @cjcullen would you please take another look and see if you could help lgtm and approve? I addressed all the comments and rebased the PR.

function create-etcd-apiserver-certs {
local hostServer=${1}
local hostClient=${2}
local etcd_apiserver_ca_cert=${3:-}
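Review bot: `local etcd_apiserver_ca_cert=${3:-}` makes the CA cert optional while `hostServer=${1}` and `hostClient=${2}` are required yet unquoted and unchecked; if an empty CA argument means "generate a new CA", state that in the function's header comment, and fail fast on a missing hostname, e.g. `local hostServer=${1:?hostServer required}`, so a bad caller cannot mint certs with an empty CN or SAN. The mix of camelCase (`hostServer`) and snake_case (`etcd_apiserver_ca_cert`) within one function should also be settled one way.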

@gmarek (Member) commented Jan 9, 2019

I don't think you want to allow those variables to be unset, as you're depending on them in a line below.

@wenjiaswe (Contributor, Author) commented Jan 9, 2019

@gmarek I think it would be fine, as in generate-etcd-cert, "If GEN_ETCD_CA_CERT or GEN_ETCD_CA_KEY is not specified, it will generate certs for CA." The existing create-etcd-certs is set up this way too. Is it OK?

@tpepper (Contributor) commented Jan 9, 2019

Can folks comment on whether issue #70143 is being viewed as a feature or a bug? And then whether this PR is going to be intended to be a cherry pick candidate to prior branches? I ask because this PR is labeled feature, the issue is not labeled but has textual description as both bug and feature, and patch release managers were brought in early on cherry picks which were later closed. It feels a bit up in the air right now...

@wenjiaswe (Contributor, Author) commented Jan 9, 2019

@tpepper I am sorry for the confusion. This is a feature. And #70143 was labeled as feature (uncommented /kind feature) but somehow the markdown didn't show up right. I corrected that one. I am not going to cherry pick this back to previous versions. Thanks!

@tpepper (Contributor) commented Jan 14, 2019

/uncc

@k8s-ci-robot k8s-ci-robot removed the request for review from tpepper Jan 14, 2019

@gmarek (Member) commented Jan 16, 2019

/lgtm

@k8s-ci-robot k8s-ci-robot added the lgtm label Jan 16, 2019

@gmarek (Member) commented Jan 16, 2019

/approve

@k8s-ci-robot (Contributor) commented Jan 16, 2019

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: gmarek, wenjiaswe

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

@k8s-ci-robot k8s-ci-robot merged commit d95b9f1 into kubernetes:master Jan 16, 2019

19 checks passed:

cla/linuxfoundation: wenjiaswe authorized
pull-kubernetes-bazel-build: Job succeeded.
pull-kubernetes-bazel-test: Job succeeded.
pull-kubernetes-cross: Skipped
pull-kubernetes-e2e-gce: Job succeeded.
pull-kubernetes-e2e-gce-100-performance: Job succeeded.
pull-kubernetes-e2e-gce-device-plugin-gpu: Job succeeded.
pull-kubernetes-e2e-gke: Job succeeded.
pull-kubernetes-e2e-kops-aws: Job succeeded.
pull-kubernetes-e2e-kubeadm-gce: Skipped
pull-kubernetes-godeps: Skipped
pull-kubernetes-integration: Job succeeded.
pull-kubernetes-kubemark-e2e-gce-big: Job succeeded.
pull-kubernetes-local-e2e: Skipped
pull-kubernetes-local-e2e-containerized: Skipped
pull-kubernetes-node-e2e: Job succeeded.
pull-kubernetes-typecheck: Job succeeded.
pull-kubernetes-verify: Job succeeded.
tide: In merge pool.