Merge pull request kubernetes#5240 from nebril/etcd-tls

Add etcd TLS support for Cilium

Author: k8s-ci-robot

nodeup/pkg/model/BUILD.bazel

@@ -4,13 +4,13 @@ go_library(
     name = "go_default_library",
     srcs = [
         "architecture.go",
-        "calico.go",
         "cloudconfig.go",
         "context.go",
         "convenience.go",
         "directories.go",
         "docker.go",
         "etcd.go",
+        "etcd_tls.go",
         "file_assets.go",
         "firewall.go",
         "hooks.go",

nodeup/pkg/model/calico.go nodeup/pkg/model/etcd_tls.go

@@ -22,15 +22,15 @@ import (
 	"k8s.io/kops/upup/pkg/fi"
 )
 
-// CalicoBuilder configures the calico CNI provider
-type CalicoBuilder struct {
+// EtcdTLSBuilder configures the etcd TLS support
+type EtcdTLSBuilder struct {
 	*NodeupModelContext
 }
 
-var _ fi.ModelBuilder = &CalicoBuilder{}
+var _ fi.ModelBuilder = &EtcdTLSBuilder{}
 
-// Build is responsible for performing any setup to the calico CNI provider
-func (b *CalicoBuilder) Build(c *fi.ModelBuilderContext) error {
+// Build is responsible for performing setup for CNIs that need etcd TLS support
+func (b *EtcdTLSBuilder) Build(c *fi.ModelBuilderContext) error {
 	// @check if tls is enabled and if so, we need to download the client certificates
 	if b.UseEtcdTLS() {
 		name := "calico-client"

pkg/model/iam/iam_builder.go

@@ -377,7 +377,7 @@ func (b *PolicyBuilder) AddS3Permissions(p *Policy) (*Policy, error) {
 						}
 
 						// @check if calico is enabled as the CNI provider and permit access to the client TLS certificate by default
-						if b.Cluster.Spec.Networking.Calico != nil {
+						if b.Cluster.Spec.Networking.Calico != nil || b.Cluster.Spec.Networking.Cilium != nil {
 							p.Statement = append(p.Statement, &Statement{
 								Effect: StatementEffectAllow,
 								Action: stringorslice.Slice([]string{"s3:Get*"}),

pkg/model/pki.go

@@ -142,8 +142,8 @@ func (b *PKIModelBuilder) Build(c *fi.ModelBuilderContext) error {
 			Format:    format,
 		})
 
-		// @check if calico is enabled as the CNI provider
-		if b.KopsModelContext.Cluster.Spec.Networking.Calico != nil {
+		// @check if calico or Cilium is enabled as the CNI provider
+		if b.KopsModelContext.Cluster.Spec.Networking.Calico != nil || b.KopsModelContext.Cluster.Spec.Networking.Cilium != nil {
 			c.AddTask(&fitasks.Keypair{
 				Name:      fi.String("calico-client"),
 				Lifecycle: b.Lifecycle,

upup/models/cloudup/resources/addons/networking.cilium.io/k8s-1.7.yaml.template

@@ -1,29 +1,22 @@
+{{- $etcd_scheme := EtcdScheme }}
 kind: ConfigMap
 apiVersion: v1
 metadata:
   name: cilium-config
   namespace: kube-system
 data:
-  # This etcd-config contains the etcd endpoints of your cluster. If you use
-  # TLS please make sure you uncomment the ca-file line and add the respective
-  # certificate has a k8s secret, see explanation bellow in the comment labeled
-  # "ETCD-CERT"
   etcd-config: |-
     ---
     endpoints: [{{ $cluster := index .EtcdClusters 0 -}}
                       {{- range $j, $member := $cluster.Members -}}
                           {{- if $j }},{{ end -}}
-                          "http://etcd-{{ $member.Name }}.internal.{{ ClusterName }}:4001"
+                          "{{ $etcd_scheme }}://etcd-{{ $member.Name }}.internal.{{ ClusterName }}:4001"
                       {{- end }}]
-    #
-    # In case you want to use TLS in etcd, uncomment the following line
-    # and add the certificate as explained in the comment labeled "ETCD-CERT"
-    #ca-file: '/var/lib/etcd-secrets/etcd-ca'
-    #
-    # In case you want client to server authentication, uncomment the following
-    # lines and add the certificate and key in cilium-etcd-secrets bellow
-    #key-file: '/var/lib/etcd-secrets/etcd-client-key'
-    #cert-file: '/var/lib/etcd-secrets/etcd-client-crt'
+    {{- if eq $etcd_scheme "https" }}
+    ca-file: '/var/lib/etcd-secrets/ca.pem'
+    key-file: '/var/lib/etcd-secrets/calico-client-key.pem'
+    cert-file: '/var/lib/etcd-secrets/calico-client.pem'
+    {{- end }}
 
   # If you want to run cilium in debug mode change this value to true
   debug: "false"
@@ -32,22 +25,6 @@ data:
   # If you want to clean cilium state; change this value to true
   clean-cilium-state: "false"
 ---
-# The etcd secrets can be populated in kubernetes.
-# For more information see: https://kubernetes.io/docs/concepts/configuration/secret
-apiVersion: v1
-kind: Secret
-type: Opaque
-metadata:
-  name: cilium-etcd-secrets
-  namespace: kube-system
-data:
-  # ETCD-CERT: Each value should contain the whole certificate in base64, on a
-  # single line. You can generate the base64 with: $ base64 -w 0 ./ca.pem
-  # (the "-w 0" generates the output on a single line)
-  etcd-ca: ""
-  etcd-client-key: ""
-  etcd-client-crt: ""
----
 apiVersion: v1
 kind: ServiceAccount
 metadata:
@@ -365,9 +342,11 @@ spec:
           - name: etcd-config-path
             mountPath: /var/lib/etcd-config
             readOnly: true
+        {{- if eq $etcd_scheme "https" }}
           - name: etcd-secrets
             mountPath: /var/lib/etcd-secrets
             readOnly: true
+        {{- end }}
         securityContext:
           capabilities:
             add:
@@ -402,10 +381,11 @@ spec:
             items:
             - key: etcd-config
               path: etcd.config
-          # To read the k8s etcd secrets in case the user might want to use TLS
+        {{- if eq $etcd_scheme "https" }}
         - name: etcd-secrets
-          secret:
-            secretName: cilium-etcd-secrets
+          hostPath:
+            path: /srv/kubernetes/calico
+        {{- end }}
       tolerations:
       - effect: NoSchedule
         key: node-role.kubernetes.io/master

upup/pkg/fi/nodeup/command.go

@@ -241,8 +241,8 @@ func (c *NodeUpCommand) Run(out io.Writer) error {
 	} else {
 		loader.Builders = append(loader.Builders, &model.KubeRouterBuilder{NodeupModelContext: modelContext})
 	}
-	if c.cluster.Spec.Networking.Calico != nil {
-		loader.Builders = append(loader.Builders, &model.CalicoBuilder{NodeupModelContext: modelContext})
+	if c.cluster.Spec.Networking.Calico != nil || c.cluster.Spec.Networking.Cilium != nil {
+		loader.Builders = append(loader.Builders, &model.EtcdTLSBuilder{NodeupModelContext: modelContext})
 	}
 
 	taskMap, err := loader.Build(c.ModelDir)