• Kubernetes Submit Queue's avatar
    Merge pull request #57415 from stealthybox/feature/kubeadm_594-etcd_tls · b32e9c45
    Kubernetes Submit Queue authored
    Automatic merge from submit-queue (batch tested with PRs 59159, 60318, 60079, 59371, 57415). If you want to cherry-pick this change to another branch, please follow the instructions <a href="https://github.com/kubernetes/community/blob/master/contributors/devel/cherry-picks.md">here</a>.
    
    Feature/kubeadm 594 etcd TLS on init/upgrade
    
    **What this PR does / why we need it**:
    On `kubeadm init`/`kubeadm upgrade`, this PR generates certificates for securing local etcd:
    - etcd serving cert
    - etcd peer cert
    - apiserver etcd client cert
    
    Flags and hostMounts are added to the etcd and apiserver static-pods to load these certs.
    For connections to etcd, `https` is now used in favor of `http` and tests have been added/updated.
    
    Etcd only listens on localhost, so the serving cert SAN defaults to `DNS:localhost,IP:127.0.0.1`.
    The etcd peer cert has SANs for `<hostname>,<api-advertise-address>`, but is unused.
    
    New kubeadm config options, `Etcd.ServerCertSANs` and `Etcd.PeerCertSANs`, are used for user additions to the default certificate SANs for the etcd server and peer certs.
    
    This feature continues to utilize the existence of `MasterConfiguration.Etcd.Endpoints` as a feature gate for external-etcd.
    If the user passes flags to configure `Etcd.{CAFile,CertFile,KeyFile}` but they omit `Endpoints`, these flags will be unused, and a warning is printed.
    
    New phase commands:
    ```
    kubeadm alpha phase certs etcd-server
    kubeadm alpha phase certs etcd-peer
    kubeadm alpha phase certs apiserver-etcd-client 
    ```
    
    **Which issue(s) this PR fixes**
    Fixes https://github.com/kubernetes/kubeadm/issues/594
    
    **Special notes for your reviewer**:
    
    #### on the master
    these should fail:
    ```bash
    curl localhost:2379/v2/keys  # no output
    curl --cacert /etc/kubernetes/pki/ca.crt https://localhost:2379/v2/keys  # handshake error
    ```
    these should succeed:
    ```
    cd /etc/kubernetes/pki
    curl --cacert ca.crt --cert apiserver-etcd-client.crt --key apiserver-etcd-client.key https://localhost:2379/v2/keys
    ```
    
    **Release note**:
    ```release-note
    On cluster provision or upgrade, kubeadm now generates certs and secures all connections to the etcd static-pod with mTLS.
    ```
    b32e9c45
Name
Last commit
Last update
.github Loading commit data...
Godeps Loading commit data...
api Loading commit data...
build Loading commit data...
cluster Loading commit data...
cmd Loading commit data...
docs Loading commit data...
examples Loading commit data...
hack Loading commit data...
logo Loading commit data...
pkg Loading commit data...
plugin Loading commit data...
staging Loading commit data...
test Loading commit data...
third_party Loading commit data...
translations Loading commit data...
vendor Loading commit data...
.bazelrc Loading commit data...
.generated_files Loading commit data...
.gitattributes Loading commit data...
.gitignore Loading commit data...
.kazelcfg.json Loading commit data...
BUILD.bazel Loading commit data...
CHANGELOG-1.10.md Loading commit data...
CHANGELOG-1.2.md Loading commit data...
CHANGELOG-1.3.md Loading commit data...
CHANGELOG-1.4.md Loading commit data...
CHANGELOG-1.5.md Loading commit data...
CHANGELOG-1.6.md Loading commit data...
CHANGELOG-1.7.md Loading commit data...
CHANGELOG-1.8.md Loading commit data...
CHANGELOG-1.9.md Loading commit data...
CHANGELOG.md Loading commit data...
CONTRIBUTING.md Loading commit data...
LICENSE Loading commit data...
Makefile Loading commit data...
Makefile.generated_files Loading commit data...
OWNERS Loading commit data...
OWNERS_ALIASES Loading commit data...
README.md Loading commit data...
SUPPORT.md Loading commit data...
WORKSPACE Loading commit data...
code-of-conduct.md Loading commit data...
labels.yaml Loading commit data...