Merge pull request #5240 from nebril/etcd-tls

Add etcd TLS support for Cilium
This commit is contained in:
k8s-ci-robot 2018-06-21 09:23:37 -07:00 committed by GitHub
commit f346efd290
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
6 changed files with 24 additions and 44 deletions


@ -4,13 +4,13 @@ go_library(
name = "go_default_library",
srcs = [
"architecture.go",
"calico.go",
"cloudconfig.go",
"context.go",
"convenience.go",
"directories.go",
"docker.go",
"etcd.go",
"etcd_tls.go",
"file_assets.go",
"firewall.go",
"hooks.go",


@ -22,15 +22,15 @@ import (
"k8s.io/kops/upup/pkg/fi"
)
// CalicoBuilder configures the calico CNI provider
type CalicoBuilder struct {
// EtcdTLSBuilder configures the etcd TLS support
type EtcdTLSBuilder struct {
*NodeupModelContext
}
var _ fi.ModelBuilder = &CalicoBuilder{}
var _ fi.ModelBuilder = &EtcdTLSBuilder{}
// Build is responsible for performing any setup to the calico CNI provider
func (b *CalicoBuilder) Build(c *fi.ModelBuilderContext) error {
// Build is responsible for performing setup for CNIs that need etcd TLS support
func (b *EtcdTLSBuilder) Build(c *fi.ModelBuilderContext) error {
// @check if tls is enabled and if so, we need to download the client certificates
if b.UseEtcdTLS() {
name := "calico-client"


@ -377,7 +377,7 @@ func (b *PolicyBuilder) AddS3Permissions(p *Policy) (*Policy, error) {
}
// @check if calico is enabled as the CNI provider and permit access to the client TLS certificate by default
if b.Cluster.Spec.Networking.Calico != nil {
if b.Cluster.Spec.Networking.Calico != nil || b.Cluster.Spec.Networking.Cilium != nil {
p.Statement = append(p.Statement, &Statement{
Effect: StatementEffectAllow,
Action: stringorslice.Slice([]string{"s3:Get*"}),
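Review bot: The comment directly above the changed condition still names only calico, while the condition now also adds the `s3:Get*` statement when Cilium is the CNI; the PKI hunk in this commit updated its matching comment, this one did not. Suggest `// @check if calico or cilium is enabled as the CNI provider and permit access to the client TLS certificate by default`. The same `Calico != nil || Cilium != nil` predicate is now repeated here, in PKIModelBuilder.Build and in NodeUpCommand.Run; a single helper on the networking spec that answers whether the configured CNI needs the etcd client keypair would keep the three sites from drifting when the next CNI is added. AddS3Permissions starts and ends outside the hunk.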


@ -142,8 +142,8 @@ func (b *PKIModelBuilder) Build(c *fi.ModelBuilderContext) error {
Format: format,
})
// @check if calico is enabled as the CNI provider
if b.KopsModelContext.Cluster.Spec.Networking.Calico != nil {
// @check if calico or Cilium is enabled as the CNI provider
if b.KopsModelContext.Cluster.Spec.Networking.Calico != nil || b.KopsModelContext.Cluster.Spec.Networking.Cilium != nil {
c.AddTask(&fitasks.Keypair{
Name: fi.String("calico-client"),
Lifecycle: b.Lifecycle,
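Review bot: The keypair created inside the changed condition keeps the name `calico-client`, and with this change it is also the client identity Cilium presents to etcd (the cilium template in this commit reads calico-client.pem and calico-client-key.pem from /var/lib/etcd-secrets), so the name alone no longer tells a reader who holds that key. Renaming the keypair would likely invalidate existing clusters' stored secrets, so at minimum the comment should record the sharing: `// @check if calico or Cilium is enabled as the CNI provider; both reuse the calico-client keypair as their etcd client identity`. Build continues outside the hunk.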


@ -1,29 +1,22 @@
{{- $etcd_scheme := EtcdScheme }}
kind: ConfigMap
apiVersion: v1
metadata:
name: cilium-config
namespace: kube-system
data:
# This etcd-config contains the etcd endpoints of your cluster. If you use
# TLS please make sure you uncomment the ca-file line and add the respective
# certificate has a k8s secret, see explanation bellow in the comment labeled
# "ETCD-CERT"
etcd-config: |-
---
endpoints: [{{ $cluster := index .EtcdClusters 0 -}}
{{- range $j, $member := $cluster.Members -}}
{{- if $j }},{{ end -}}
"http://etcd-{{ $member.Name }}.internal.{{ ClusterName }}:4001"
"{{ $etcd_scheme }}://etcd-{{ $member.Name }}.internal.{{ ClusterName }}:4001"
{{- end }}]
#
# In case you want to use TLS in etcd, uncomment the following line
# and add the certificate as explained in the comment labeled "ETCD-CERT"
#ca-file: '/var/lib/etcd-secrets/etcd-ca'
#
# In case you want client to server authentication, uncomment the following
# lines and add the certificate and key in cilium-etcd-secrets bellow
#key-file: '/var/lib/etcd-secrets/etcd-client-key'
#cert-file: '/var/lib/etcd-secrets/etcd-client-crt'
{{- if eq $etcd_scheme "https" }}
ca-file: '/var/lib/etcd-secrets/ca.pem'
key-file: '/var/lib/etcd-secrets/calico-client-key.pem'
cert-file: '/var/lib/etcd-secrets/calico-client.pem'
{{- end }}
# If you want to run cilium in debug mode change this value to true
debug: "false"
@ -32,22 +25,6 @@ data:
# If you want to clean cilium state; change this value to true
clean-cilium-state: "false"
---
# The etcd secrets can be populated in kubernetes.
# For more information see: https://kubernetes.io/docs/concepts/configuration/secret
apiVersion: v1
kind: Secret
type: Opaque
metadata:
name: cilium-etcd-secrets
namespace: kube-system
data:
# ETCD-CERT: Each value should contain the whole certificate in base64, on a
# single line. You can generate the base64 with: $ base64 -w 0 ./ca.pem
# (the "-w 0" generates the output on a single line)
etcd-ca: ""
etcd-client-key: ""
etcd-client-crt: ""
---
apiVersion: v1
kind: ServiceAccount
metadata:
@ -365,9 +342,11 @@ spec:
- name: etcd-config-path
mountPath: /var/lib/etcd-config
readOnly: true
{{- if eq $etcd_scheme "https" }}
- name: etcd-secrets
mountPath: /var/lib/etcd-secrets
readOnly: true
{{- end }}
securityContext:
capabilities:
add:
@ -402,10 +381,11 @@ spec:
items:
- key: etcd-config
path: etcd.config
# To read the k8s etcd secrets in case the user might want to use TLS
{{- if eq $etcd_scheme "https" }}
- name: etcd-secrets
secret:
secretName: cilium-etcd-secrets
hostPath:
path: /srv/kubernetes/calico
{{- end }}
tolerations:
- effect: NoSchedule
key: node-role.kubernetes.io/master
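Review bot: The etcd-config block now renders ca-file, key-file and cert-file itself whenever EtcdScheme is https, but if the comment at the top of that block survives the change (its side is not recoverable from this rendering) it still tells the user to uncomment the ca-file line and to add the certificate as a k8s Secret explained under an "ETCD-CERT" comment, and both that Secret (cilium-etcd-secrets) and that comment are deleted by this commit. Suggest replacing it with `# ca-file/key-file/cert-file are rendered automatically when the cluster's etcd scheme is https; the files come from the host's /srv/kubernetes/calico, mounted read-only at /var/lib/etcd-secrets`. The volume is still called etcd-secrets although it is now a hostPath rather than a Secret; a name such as etcd-certs would stop suggesting a Kubernetes Secret is involved, at the cost of touching both the volume and its mount. The mount keeps `readOnly: true`, which is the right setting for a host directory holding a private key.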


@ -241,8 +241,8 @@ func (c *NodeUpCommand) Run(out io.Writer) error {
} else {
loader.Builders = append(loader.Builders, &model.KubeRouterBuilder{NodeupModelContext: modelContext})
}
if c.cluster.Spec.Networking.Calico != nil {
loader.Builders = append(loader.Builders, &model.CalicoBuilder{NodeupModelContext: modelContext})
if c.cluster.Spec.Networking.Calico != nil || c.cluster.Spec.Networking.Cilium != nil {
loader.Builders = append(loader.Builders, &model.EtcdTLSBuilder{NodeupModelContext: modelContext})
}
taskMap, err := loader.Build(c.ModelDir)