kubernetes
/
kops
mirror of https://github.com/kubernetes/kops.git
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity

Refactor kube-apiserver server certificate

This commit is contained in:
John Gardiner Myers 2021-07-16 22:42:23 -07:00
parent 9fa413d0dc
commit c8b1a586b8
2 changed files with 77 additions and 70 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

83
nodeup/pkg/model/kube_apiserver.go
View File

@ -26,6 +26,7 @@ import (
"k8s.io/kops/pkg/k8scodecs" "k8s.io/kops/pkg/k8scodecs"
"k8s.io/kops/pkg/kubeconfig" "k8s.io/kops/pkg/kubeconfig"
"k8s.io/kops/pkg/kubemanifest" "k8s.io/kops/pkg/kubemanifest"
"k8s.io/kops/pkg/model/components"
"k8s.io/kops/pkg/wellknownports" "k8s.io/kops/pkg/wellknownports"
"k8s.io/kops/pkg/wellknownusers" "k8s.io/kops/pkg/wellknownusers"
"k8s.io/kops/upup/pkg/fi" "k8s.io/kops/upup/pkg/fi"
@ -39,17 +40,17 @@ import (
"k8s.io/apimachinery/pkg/util/intstr" "k8s.io/apimachinery/pkg/util/intstr"
) )
// PathAuthnConfig is the path to the custom webhook authentication config // PathAuthnConfig is the path to the custom webhook authentication config.
const PathAuthnConfig = "/etc/kubernetes/authn.config" const PathAuthnConfig = "/etc/kubernetes/authn.config"
// KubeAPIServerBuilder install kube-apiserver (just the manifest at the moment) // KubeAPIServerBuilder installs kube-apiserver.
type KubeAPIServerBuilder struct { type KubeAPIServerBuilder struct {
*NodeupModelContext *NodeupModelContext
} }
var _ fi.ModelBuilder = &KubeAPIServerBuilder{} var _ fi.ModelBuilder = &KubeAPIServerBuilder{}
// Build is responsible for generating the configuration for the kube-apiserver // Build is responsible for generating the configuration for the kube-apiserver.
func (b *KubeAPIServerBuilder) Build(c *fi.ModelBuilderContext) error { func (b *KubeAPIServerBuilder) Build(c *fi.ModelBuilderContext) error {
if !b.HasAPIServer { if !b.HasAPIServer {
return nil return nil
@ -162,6 +163,10 @@ func (b *KubeAPIServerBuilder) Build(c *fi.ModelBuilderContext) error {
kubeAPIServer.ProxyClientKeyFile = fi.String(filepath.Join(pathSrvKAPI, "apiserver-aggregator.key")) kubeAPIServer.ProxyClientKeyFile = fi.String(filepath.Join(pathSrvKAPI, "apiserver-aggregator.key"))
} }
if err := b.writeServerCertificate(c, &kubeAPIServer); err != nil {
return err
}
{ {
pod, err := b.buildPod(&kubeAPIServer) pod, err := b.buildPod(&kubeAPIServer)
if err != nil { if err != nil {
@ -349,15 +354,79 @@ func (b *KubeAPIServerBuilder) writeAuthenticationConfig(c *fi.ModelBuilderConte
return fmt.Errorf("unrecognized authentication config %v", b.Cluster.Spec.Authentication) return fmt.Errorf("unrecognized authentication config %v", b.Cluster.Spec.Authentication)
} }
// buildPod is responsible for generating the kube-apiserver pod and thus manifest file func (b *KubeAPIServerBuilder) writeServerCertificate(c *fi.ModelBuilderContext, kubeAPIServer *kops.KubeAPIServerConfig) error {
func (b *KubeAPIServerBuilder) buildPod(kubeAPIServer *kops.KubeAPIServerConfig) (*v1.Pod, error) { pathSrvKAPI := filepath.Join(b.PathSrvKubernetes(), "kube-apiserver")
{
// A few names used from inside the cluster, which all resolve the same based on our default suffixes
alternateNames := []string{
"kubernetes",
"kubernetes.default",
"kubernetes.default.svc",
"kubernetes.default.svc." + b.Cluster.Spec.ClusterDNSDomain,
}
// Names specified in the cluster spec
alternateNames = append(alternateNames, b.Cluster.Spec.MasterPublicName)
alternateNames = append(alternateNames, b.Cluster.Spec.MasterInternalName)
alternateNames = append(alternateNames, b.Cluster.Spec.AdditionalSANs...)
// Load balancer IPs passed in through NodeupConfig
alternateNames = append(alternateNames, b.NodeupConfig.ApiserverAdditionalIPs...)
// Referencing it by internal IP should work also
{
ip, err := components.WellKnownServiceIP(&b.Cluster.Spec, 1)
if err != nil {
return err
}
alternateNames = append(alternateNames, ip.String())
}
// We also want to be able to reference it locally via https://127.0.0.1
alternateNames = append(alternateNames, "127.0.0.1")
if b.Cluster.Spec.CloudProvider == "openstack" {
if b.Cluster.Spec.Topology != nil && b.Cluster.Spec.Topology.Masters == kops.TopologyPrivate {
instanceAddress, err := getInstanceAddress()
if err != nil {
return err
}
alternateNames = append(alternateNames, instanceAddress)
}
}
issueCert := &nodetasks.IssueCert{
Name: "master",
Signer: fi.CertificateIDCA,
KeypairID: b.NodeupConfig.KeypairIDs[fi.CertificateIDCA],
Type: "server",
Subject: nodetasks.PKIXName{CommonName: "kubernetes-master"},
AlternateNames: alternateNames,
}
// Including the CA certificate is more correct, and is needed for e.g. AWS WebIdentity federation
issueCert.IncludeRootCertificate = true
c.AddTask(issueCert)
err := issueCert.AddFileTasks(c, pathSrvKAPI, "server", "", nil)
if err != nil {
return err
}
}
// If clientCAFile is not specified, set it to the default value ${PathSrvKubernetes}/ca.crt // If clientCAFile is not specified, set it to the default value ${PathSrvKubernetes}/ca.crt
if kubeAPIServer.ClientCAFile == "" { if kubeAPIServer.ClientCAFile == "" {
kubeAPIServer.ClientCAFile = filepath.Join(b.PathSrvKubernetes(), "ca.crt") kubeAPIServer.ClientCAFile = filepath.Join(b.PathSrvKubernetes(), "ca.crt")
} }
kubeAPIServer.TLSCertFile = filepath.Join(b.PathSrvKubernetes(), "server.crt") kubeAPIServer.TLSCertFile = filepath.Join(pathSrvKAPI, "server.crt")
kubeAPIServer.TLSPrivateKeyFile = filepath.Join(b.PathSrvKubernetes(), "server.key") kubeAPIServer.TLSPrivateKeyFile = filepath.Join(pathSrvKAPI, "server.key")
return nil
}
// buildPod is responsible for generating the kube-apiserver pod and thus manifest file
func (b *KubeAPIServerBuilder) buildPod(kubeAPIServer *kops.KubeAPIServerConfig) (*v1.Pod, error) {
// Support for basic auth was deprecated 1.16 and removed in 1.19 // Support for basic auth was deprecated 1.16 and removed in 1.19
// https://github.com/kubernetes/kubernetes/pull/89069 // https://github.com/kubernetes/kubernetes/pull/89069
if b.IsKubernetesLT("1.18") { if b.IsKubernetesLT("1.18") {

64
nodeup/pkg/model/secrets.go
View File

@ -21,14 +21,10 @@ import (
"path/filepath" "path/filepath"
"strings" "strings"
"k8s.io/kops/util/pkg/vfs"
"k8s.io/kops/pkg/apis/kops"
"k8s.io/kops/pkg/model/components"
"k8s.io/kops/pkg/tokens" "k8s.io/kops/pkg/tokens"
"k8s.io/kops/upup/pkg/fi" "k8s.io/kops/upup/pkg/fi"
"k8s.io/kops/upup/pkg/fi/nodeup/nodetasks" "k8s.io/kops/upup/pkg/fi/nodeup/nodetasks"
"k8s.io/kops/util/pkg/vfs"
) )
// SecretBuilder writes secrets // SecretBuilder writes secrets
@ -77,64 +73,6 @@ func (b *SecretBuilder) Build(c *fi.ModelBuilderContext) error {
return nil return nil
} }
{
// A few names used from inside the cluster, which all resolve the same based on our default suffixes
alternateNames := []string{
"kubernetes",
"kubernetes.default",
"kubernetes.default.svc",
"kubernetes.default.svc." + b.Cluster.Spec.ClusterDNSDomain,
}
// Names specified in the cluster spec
alternateNames = append(alternateNames, b.Cluster.Spec.MasterPublicName)
alternateNames = append(alternateNames, b.Cluster.Spec.MasterInternalName)
alternateNames = append(alternateNames, b.Cluster.Spec.AdditionalSANs...)
// Load balancer IPs passed in through NodeupConfig
alternateNames = append(alternateNames, b.NodeupConfig.ApiserverAdditionalIPs...)
// Referencing it by internal IP should work also
{
ip, err := components.WellKnownServiceIP(&b.Cluster.Spec, 1)
if err != nil {
return err
}
alternateNames = append(alternateNames, ip.String())
}
// We also want to be able to reference it locally via https://127.0.0.1
alternateNames = append(alternateNames, "127.0.0.1")
if b.Cluster.Spec.CloudProvider == "openstack" {
if b.Cluster.Spec.Topology != nil && b.Cluster.Spec.Topology.Masters == kops.TopologyPrivate {
instanceAddress, err := getInstanceAddress()
if err != nil {
return err
}
alternateNames = append(alternateNames, instanceAddress)
}
}
issueCert := &nodetasks.IssueCert{
Name: "master",
Signer: fi.CertificateIDCA,
KeypairID: b.NodeupConfig.KeypairIDs[fi.CertificateIDCA],
Type: "server",
Subject: nodetasks.PKIXName{CommonName: "kubernetes-master"},
AlternateNames: alternateNames,
}
// Including the CA certificate is more correct, and is needed for e.g. AWS WebIdentity federation
issueCert.IncludeRootCertificate = true
c.AddTask(issueCert)
err := issueCert.AddFileTasks(c, b.PathSrvKubernetes(), "server", "", nil)
if err != nil {
return err
}
}
// Support for basic auth was deprecated 1.16 and removed in 1.19 // Support for basic auth was deprecated 1.16 and removed in 1.19
// https://github.com/kubernetes/kubernetes/pull/89069 // https://github.com/kubernetes/kubernetes/pull/89069
if b.IsKubernetesLT("1.19") && b.SecretStore != nil { if b.IsKubernetesLT("1.19") && b.SecretStore != nil {