From 809aa936348558c6f34d3ca8d6047656b18a861f Mon Sep 17 00:00:00 2001
From: Ole Markus With
Date: Wed, 7 Oct 2020 22:35:36 +0200
Subject: [PATCH] Make use of kubelet service certificate
---
 cmd/kops-controller/pkg/server/server.go | 5 ++
 nodeup/pkg/model/kubelet.go | 57 +++++++++++++++++++
 upup/pkg/fi/cloudup/template_functions.go | 2 +-
 .../awsiamauthenticator/manifest.yaml | 2 +-
 ...ops-controller.addons.k8s.io-k8s-1.16.yaml | 2 +-
 .../simple/manifest.yaml | 2 +-
 6 files changed, 66 insertions(+), 4 deletions(-)
diff --git a/cmd/kops-controller/pkg/server/server.go b/cmd/kops-controller/pkg/server/server.go
index 1f1335cbfe..db6f91f336 100644
--- a/cmd/kops-controller/pkg/server/server.go
+++ b/cmd/kops-controller/pkg/server/server.go
@@ -175,6 +175,11 @@ func (s *Server) issueCert(name string, pubKey string, id *fi.VerifyResult, vali
 CommonName: fmt.Sprintf("system:node:%s", id.NodeName),
 Organization: []string{rbac.NodesGroup},
 }
+ case "kubelet-server":
+ issueReq.Subject = pkix.Name{
+ CommonName: id.NodeName,
+ }
+ issueReq.Type = "server"
 case "kube-proxy":
 issueReq.Subject = pkix.Name{
 CommonName: rbac.KubeProxy,
diff --git a/nodeup/pkg/model/kubelet.go b/nodeup/pkg/model/kubelet.go
index 06252cde9c..e9a3990fc3 100644
--- a/nodeup/pkg/model/kubelet.go
+++ b/nodeup/pkg/model/kubelet.go
@@ -56,6 +56,12 @@ var _ fi.ModelBuilder = &KubeletBuilder{}
 // Build is responsible for building the kubelet configuration
 func (b *KubeletBuilder) Build(c *fi.ModelBuilderContext) error {
+
+ err := b.buildKubeletServingCertificate(c)
+ if err != nil {
+ return fmt.Errorf("error building kubelet server cert: %v", err)
+ }
+
 kubeletConfig, err := b.buildKubeletConfig()
 if err != nil {
 return fmt.Errorf("error building kubelet config: %v", err)
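Review bot: The `case "kubelet-server":` branch puts the node identity only in `CommonName: id.NodeName` and sets no subject alternative names, so the serving certificate the kubelet will present carries the host name in the CN alone; Go TLS clients from 1.15 onward do not match the CN against the requested host, so a kube-apiserver configured to verify kubelet serving certificates would reject it. If the issue request type exposes alternate names (the apiserver's own serving certificate is built that way), the verified `id.NodeName` should be added there too, keeping the value bound to the authenticated node identity rather than anything the requester supplies. The same gap is in the `nodetasks.IssueCert` built for masters in `buildKubeletServingCertificate` (nodeup/pkg/model/kubelet.go), which also sets only `CommonName: nodeName`. issueCert's body continues outside the hunk.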
@@ -226,6 +232,11 @@ func (b *KubeletBuilder) buildSystemdEnvironmentFile(kubeletConfig *kops.Kubelet
 }
 }
+ if b.UseKopsControllerForNodeBootstrap() {
+ flags += " --tls-cert-file " + b.PathSrvKubernetes() + "/kubelet-server.crt"
+ flags += " --tls-private-key-file " + b.PathSrvKubernetes() + "/kubelet-server.key"
+ }
+
 sysconfig := "DAEMON_ARGS=\"" + flags + "\"\n"
 // Makes kubelet read /root/.docker/config.json properly
 sysconfig = sysconfig + "HOME=\"/root" + "\"\n"
@@ -538,3 +549,49 @@ func (b *KubeletBuilder) buildMasterKubeletKubeconfig(c *fi.ModelBuilderContext)
 return b.BuildIssuedKubeconfig("kubelet", certName, c), nil
 }
+
+func (b *KubeletBuilder) buildKubeletServingCertificate(c *fi.ModelBuilderContext) error {
+
+ if b.UseKopsControllerForNodeBootstrap() {
+ name := "kubelet-server"
+ dir := b.PathSrvKubernetes()
+ signer := fi.CertificateIDCA
+
+ nodeName, err := b.NodeName()
+ if err != nil {
+ return err
+ }
+
+ if !b.IsMaster {
+ cert, key := b.GetBootstrapCert(name)
+
+ c.AddTask(&nodetasks.File{
+ Path: filepath.Join(dir, name+".crt"),
+ Contents: cert,
+ Type: nodetasks.FileType_File,
+ Mode: fi.String("0644"),
+ })
+
+ c.AddTask(&nodetasks.File{
+ Path: filepath.Join(dir, name+".key"),
+ Contents: key,
+ Type: nodetasks.FileType_File,
+ Mode: fi.String("0400"),
+ })
+
+ } else {
+ issueCert := &nodetasks.IssueCert{
+ Name: name,
+ Signer: signer,
+ Type: "server",
+ Subject: nodetasks.PKIXName{
+ CommonName: nodeName,
+ },
+ }
+ c.AddTask(issueCert)
+ return issueCert.AddFileTasks(c, dir, name, "", nil)
+ }
+ }
+ return nil
+
+}
diff --git a/upup/pkg/fi/cloudup/template_functions.go b/upup/pkg/fi/cloudup/template_functions.go
index 12ca5e036c..cc0d7947b5 100644
--- a/upup/pkg/fi/cloudup/template_functions.go
+++ b/upup/pkg/fi/cloudup/template_functions.go
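Review bot: The new `--tls-cert-file`/`--tls-private-key-file` values are built by string concatenation (`b.PathSrvKubernetes() + "/kubelet-server.crt"`), while `buildKubeletServingCertificate` in the same commit writes those files via `filepath.Join(dir, name+".crt")` with `name := "kubelet-server"` — the file name is spelled twice with nothing tying the two together, so a later change to one leaves the kubelet pointing at a file that is never written. Lifting the name into a package-level constant (e.g. `const kubeletServerCertName = "kubelet-server"`) and using `filepath.Join(b.PathSrvKubernetes(), kubeletServerCertName+".crt")` in both places keeps them in step. A short comment on the `if`, such as `// these files are written by buildKubeletServingCertificate under the same condition`, would also tell readers where the files come from. buildSystemdEnvironmentFile's body starts and ends outside the hunk.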
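Review bot: `buildKubeletServingCertificate` wraps its whole body in `if b.UseKopsControllerForNodeBootstrap() {`, which pushes the real logic two levels deep and declares `signer` before the branch that is its only user; an early `if !b.UseKopsControllerForNodeBootstrap() { return nil }` with the body dedented keeps the happy path left-aligned, and `signer` can be inlined as `Signer: fi.CertificateIDCA` in the master branch. The function has no doc comment; something like `// buildKubeletServingCertificate installs the kubelet serving certificate and key under PathSrvKubernetes(): workers write the pre-issued bootstrap cert, masters issue one locally from the cluster CA.` states both paths in one line. The worker branch also writes whatever `GetBootstrapCert(name)` returns without checking for empty contents — whether that is reachable depends on GetBootstrapCert's contract, which is outside this hunk.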
@@ -392,7 +392,7 @@ func (tf *TemplateFunctions) KopsControllerConfig() (string, error) {
 }
 if tf.UseKopsControllerForNodeBootstrap() {
- certNames := []string{"kubelet"}
+ certNames := []string{"kubelet", "kubelet-server"}
 signingCAs := []string{fi.CertificateIDCA}
 if apiModel.UseCiliumEtcd(cluster) {
 certNames = append(certNames, "etcd-client-cilium")
diff --git a/upup/pkg/fi/cloudup/tests/bootstrapchannelbuilder/awsiamauthenticator/manifest.yaml b/upup/pkg/fi/cloudup/tests/bootstrapchannelbuilder/awsiamauthenticator/manifest.yaml
index 0c476831db..fd30a5c877 100644
--- a/upup/pkg/fi/cloudup/tests/bootstrapchannelbuilder/awsiamauthenticator/manifest.yaml
+++ b/upup/pkg/fi/cloudup/tests/bootstrapchannelbuilder/awsiamauthenticator/manifest.yaml
@@ -7,7 +7,7 @@ spec:
 - id: k8s-1.16
 kubernetesVersion: '>=1.16.0-alpha.0'
 manifest: kops-controller.addons.k8s.io/k8s-1.16.yaml
- manifestHash: 95b29a87c7e7204fd7f36716d7f9f3187985c2af
+ manifestHash: 70b6d9eaba39f1ead46355e682e747257eb52b49
 name: kops-controller.addons.k8s.io
 selector:
 k8s-addon: kops-controller.addons.k8s.io
diff --git a/upup/pkg/fi/cloudup/tests/bootstrapchannelbuilder/simple/kops-controller.addons.k8s.io-k8s-1.16.yaml b/upup/pkg/fi/cloudup/tests/bootstrapchannelbuilder/simple/kops-controller.addons.k8s.io-k8s-1.16.yaml
index 8497533d29..97301430c8 100644
--- a/upup/pkg/fi/cloudup/tests/bootstrapchannelbuilder/simple/kops-controller.addons.k8s.io-k8s-1.16.yaml
+++ b/upup/pkg/fi/cloudup/tests/bootstrapchannelbuilder/simple/kops-controller.addons.k8s.io-k8s-1.16.yaml
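Review bot: `certNames` now lists `"kubelet-server"`, and the only thing connecting that string to the `case "kubelet-server":` added in cmd/kops-controller/pkg/server/server.go is the literal itself; this list is effectively the set of certificate names the controller will issue to bootstrapping nodes, so the coupling deserves to be visible. A comment such as `// every name here needs a matching case in Server.issueCert, which binds the subject to the verified node identity` — or shared constants for the names — would make that explicit. KopsControllerConfig's body starts and ends outside the hunk.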
@@ -1,7 +1,7 @@
 apiVersion: v1
 data:
 config.yaml: |
- {"cloud":"aws","configBase":"memfs://clusters.example.com/minimal.example.com","server":{"Listen":":3988","provider":{"aws":{"nodesRoles":["kops-custom-node-role","nodes.minimal.example.com"],"Region":"us-east-1"}},"serverKeyPath":"/etc/kubernetes/kops-controller/pki/kops-controller.key","serverCertificatePath":"/etc/kubernetes/kops-controller/pki/kops-controller.crt","caBasePath":"/etc/kubernetes/kops-controller/pki","signingCAs":["ca"],"certNames":["kubelet","kube-proxy"]}}
+ {"cloud":"aws","configBase":"memfs://clusters.example.com/minimal.example.com","server":{"Listen":":3988","provider":{"aws":{"nodesRoles":["kops-custom-node-role","nodes.minimal.example.com"],"Region":"us-east-1"}},"serverKeyPath":"/etc/kubernetes/kops-controller/pki/kops-controller.key","serverCertificatePath":"/etc/kubernetes/kops-controller/pki/kops-controller.crt","caBasePath":"/etc/kubernetes/kops-controller/pki","signingCAs":["ca"],"certNames":["kubelet","kubelet-server","kube-proxy"]}}
 kind: ConfigMap
 metadata:
 labels:
diff --git a/upup/pkg/fi/cloudup/tests/bootstrapchannelbuilder/simple/manifest.yaml b/upup/pkg/fi/cloudup/tests/bootstrapchannelbuilder/simple/manifest.yaml
index 6e11aced5d..86e0b57368 100644
--- a/upup/pkg/fi/cloudup/tests/bootstrapchannelbuilder/simple/manifest.yaml
+++ b/upup/pkg/fi/cloudup/tests/bootstrapchannelbuilder/simple/manifest.yaml
@@ -7,7 +7,7 @@ spec:
 - id: k8s-1.16
 kubernetesVersion: '>=1.16.0-alpha.0'
 manifest: kops-controller.addons.k8s.io/k8s-1.16.yaml
- manifestHash: 95b29a87c7e7204fd7f36716d7f9f3187985c2af
+ manifestHash: 70b6d9eaba39f1ead46355e682e747257eb52b49
 name: kops-controller.addons.k8s.io
 selector:
 k8s-addon: kops-controller.addons.k8s.io