Add summary tables to tls asset docs #529

Merged
merged 2 commits into from
Jan 26, 2021
37 changes: 32 additions & 5 deletions docs/etcd-tls-assets.md
@@ -22,6 +22,33 @@ See also the [user-facing
documentation](https://docs.openshift.com/container-platform/4.5/security/certificate-types-descriptions.html#etcd-certificates_ocp-certificates)
for these certificates.

## etcd CA summary

All etcd CAs and their CA bundles are stored in the `openshift-config`
namespace.

| CA (secret) | CA bundle (configmap) | CA bundle also appearing in |
| ------------------ | -------------------------------- | -------------------------------------------- |
| etcd-signer | etcd-ca-bundle | openshift-etcd |
| | | openshift-etcd-operator |
| | | openshift-etcd/etcd-peer-client-ca |
| | etcd-serving-ca | openshift-etcd |
| etcd-metric-signer | etcd-metric-serving-ca | openshift-etcd/etcd-metrics-proxy-client-ca |
| | | openshift-etcd/etcd-metrics-proxy-serving-ca |

## etcd cert summary

All etcd certificates are stored in secrets.

| CA | Certificate | Purpose | Certifiate also appearing in |
| ------------------ | ----------------------------------------- | -------------------------------- | ------------------------------------------- |
| etcd-signer | openshift-config/etcd-client | authn kube api to etcd | openshift-etcd |
| | | | openshift-etcd-operator |
| | openshift-etcd/etcd-peer-$node | etcd peer communication | collected in etcd-all-peer |
| | openshift-etcd/etcd-serving-$node | etcd member serving | collected in etcd-all-serving |
| etcd-metric-signer | openshift-config/etcd-metric-client | authn prometheus to etcd metrics | openshift-monitoring/kube-etcd-client-certs |
| | openshift-etcd/etcd-serving-metrics-$node | etcd member metrics serving | collected in etcd-all-serving-metrics |

## etcd-signer and etcd-metric-signer CA certs

The cluster hosts two certificate authorities (CA) for etcd -
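Review bot: the header of the second table (the `| CA | Certificate | Purpose | Certifiate also appearing in |` row) misspells "Certificate" as "Certifiate"; fix it so the heading matches the column it describes. Two smaller consistency points in the same tables: the "collected in etcd-all-peer", "etcd-all-serving" and "etcd-all-serving-metrics" cells are the only ones with no namespace (the per-node secrets in the same rows are qualified as `openshift-etcd/...`), so state where those aggregate secrets live; and the purpose cells "authn kube api to etcd" and "authn prometheus to etcd metrics" would be clearer if they named the client and server sides explicitly, e.g. "client cert: kube-apiserver authenticating to etcd", which also makes it obvious why `etcd-client` is copied into `openshift-etcd` and `openshift-etcd-operator` while the serving certs are not.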
@@ -58,7 +85,7 @@ X509v3 Subject Key Identifier:
7E:88:6E:AB:ED:36:42:88:6D:99:BD:3F:C6:53:EB:7C:7B:FB:B6:14

$ oc get -n openshift-config configmap/etcd-serving-ca -o template='{{index .data "ca-bundle.crt"}}' | openssl x509 -noout -ext subjectKeyIdentifier
X509v3 Subject Key Identifier
X509v3 Subject Key Identifier
7E:88:6E:AB:ED:36:42:88:6D:99:BD:3F:C6:53:EB:7C:7B:FB:B6:14
```

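Review bot: the removed and added `X509v3 Subject Key Identifier` lines render identically here, so the change is presumably whitespace or trailing punctuation only; confirm the new line matches what `openssl x509 -noout -ext subjectKeyIdentifier` actually prints, so the sample output stays comparable with the `etcd-signer` output shown just above it. One caveat worth a sentence next to this command: `openssl x509` parses only the first PEM certificate on its input, so piping a `ca-bundle.crt` that holds more than one CA (as it will during a signer rotation) shows only the first SKI. To check every entry, split the bundle first, for example with `openssl crl2pkcs7 -nocrl -certfile bundle.pem | openssl pkcs7 -print_certs -text -noout`, or loop over the PEM blocks.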
@@ -488,7 +515,7 @@ use this list to iterate over all control plane nodes.

This controller watches a [set of config maps and
secrets](https://github.com/openshift/cluster-etcd-operator/blob/0ecd5d2b72df7648769b8625a35de5e792cf707d/pkg/operator/starter.go#L260-L277)
for changes. Any change to those resouces constitue a new numbered
for changes. Any change to those resources constitute a new numbered
"revision".

When a new revision is detected, copies of all these resources are
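Review bot: the spelling fix on the `for changes. Any change to those resources constitute a new numbered` line leaves a number-agreement error: the subject "Any change" is singular, so it should read "constitutes a new numbered". Since the line is being touched anyway, correct both in one go.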
@@ -499,7 +526,7 @@ treated as an error.
The new revision is then recorded in the
`status.latestAvailableRevision` field and a `revision-$suffix`
configmap is created to record the status (`In Progress`, `Succeeded`,
`Failed`) of the installation of this revision.
`Failed`, `Abandoned`) of the installation of this revision.

### Installer controller

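Review bot: `Abandoned` is added to the list of revision statuses on the `\`Failed\`, \`Abandoned\`) of the installation of this revision.` line without saying what distinguishes it from `Failed`; add a clause stating when a revision is marked Abandoned, because as written the reader cannot tell whether an abandoned revision is an error condition that needs attention or an expected outcome when a newer revision supersedes it before installation completes.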
@@ -526,14 +553,14 @@ kubelet to launch this new revision of the pod.
A separate controller - the backing resource controller - is
responsible for ensuring the existence of an `installer-sa` service
account with the `cluster-admin` role. This is the service account
under which the installer (and prunder) pods runs.
under which the installer (and pruner) pods runs.

The revisioned resources destined for
`/etc/kubernetes/static-pod-resources/etcd-pod-$revision` for etcd
are:

* Config maps
- `etc-pod` - the first element in the list has a special meaning
- `etcd-pod` - the first element in the list has a special meaning
it is the static pod itself, and is to be installed in
`/etc/kubernetes/manifests`.
- `config` - an `EtcdConfig` file