add support for etcd over ssl
Change-Id: I3414147237b719831683b9afa9e56d873a504214
diff --git a/README.rst b/README.rst
index 7f38048..ab38671 100644
--- a/README.rst
+++ b/README.rst
@@ -311,6 +311,24 @@
- host: 10.0.175.103
port: 4001
+Running with secured etcd:
+
+.. code-block:: yaml
+
+ kubernetes:
+ pool:
+ network:
+ engine: calico
+ etcd:
+ ssl:
+ enabled: true
+ master:
+ network:
+ engine: calico
+ etcd:
+ ssl:
+ enabled: true
+
Post deployment configuration
.. code-block:: bash
diff --git a/kubernetes/files/calico/calico-node.service.master b/kubernetes/files/calico/calico-node.service.master
index 66acefd..afa34c5 100644
--- a/kubernetes/files/calico/calico-node.service.master
+++ b/kubernetes/files/calico/calico-node.service.master
@@ -1,6 +1,6 @@
{%- from "kubernetes/map.jinja" import master with context %}
[Unit]
-Description=calico-node
+Description=calico-node on master
After=docker.service
Requires=docker.service
@@ -15,16 +15,14 @@
-e CALICO_NETWORKING_BACKEND="{{ master.network.calico_network_backend }}"
{%- endif %}
-e AS={{ master.network.get('as', '64512') }} \
- -e NO_DEFAULT_masterS={{ master.network.get('no_default_masters', false ) }} \
+ -e NO_DEFAULT_MASTERS={{ master.network.get('no_default_masters') }} \
-e CALICO_LIBNETWORK_ENABLED={{ master.network.get('libnetwork_enabled', true ) }} \
- -e ETCD_ENDPOINTS={% for member in master.network.etcd.members %}http://{{ member.host }}:{{ member.port }}{% if not loop.last %},{% endif %}{% endfor %} \
- {%- if master.network.etcd.ssl is defined %}
- ##TO BE DONE
- -e ETCD_CA_CERT_FILE= \
- -e ETCD_CERT_FILE= \
- -e ETCD_KEY_FILE= \
- -v {{ calico_cert_dir }}:{{ calico_cert_dir }}:ro \
- {{ calico_node_image_repo }}:{{ calico_node_image_tag }}
+ -e ETCD_ENDPOINTS={% for member in master.network.etcd.members %}http{% if master.network.etcd.get('ssl', {}).get('enabled') %}s{% endif %}://{{ member.host }}:{{ member.port }}{% if not loop.last %},{% endif %}{% endfor %} \
+ {%- if master.network.etcd.get('ssl', {}).get('enabled') %}
+ -e ETCD_CA_CERT_FILE=/var/lib/etcd/ca.pem \
+ -e ETCD_CERT_FILE=/var/lib/etcd/etcd-client.crt \
+ -e ETCD_KEY_FILE=/var/lib/etcd/etcd-client.key \
+ -v /var/lib/etcd/:/var/lib/etcd/:ro \
{%- endif %}
-v /var/log/calico:/var/log/calico \
-v /run/docker/plugins:/run/docker/plugins \
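Review bot: The new `-v /var/lib/etcd/:/var/lib/etcd/:ro` bind gives the calico-node container the whole directory, not just the three client files the `ETCD_*_FILE` variables name; if `/var/lib/etcd` is also etcd's data directory on the master (the shared path suggests it may be), the container can read the entire keyspace and any server keys kept there, read-only but fully readable. Mount only what is needed, e.g. one `-v /var/lib/etcd/ca.pem:/var/lib/etcd/ca.pem:ro` line per file, or keep a dedicated certificate directory like the removed `calico_cert_dir`. Separately, `NO_DEFAULT_MASTERS={{ master.network.get('no_default_masters') }}` looks like a pool→master substitution artifact (the pool unit sets `NO_DEFAULT_POOLS`, and the removed line still read `NO_DEFAULT_masterS`) and it also dropped the `false` default, so an unset pillar renders the literal string `None`; `-e NO_DEFAULT_POOLS={{ master.network.get('no_default_pools', false) }} \` is the likely intent, to be confirmed against map.jinja. The ExecStart command continues past the hunk on both sides.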
@@ -35,7 +33,7 @@
-v {{ volume }} \
{%- endfor %}
{%- endif %}
- {{ master.network.get('image', 'calico/node') }}:{{ master.network.get('image', 'latest') }}
+ {{ master.network.get('image', 'calico/node') }}
Restart=always
RestartSec=10s
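Review bot: The new image reference `{{ master.network.get('image', 'calico/node') }}` carries no tag, so unless the pillar's `image` value embeds one, the node pulls `calico/node:latest`, which floats between deployments and makes upgrades of a component that now holds etcd client credentials unreviewable. The removed line tried to append a tag but read `image` twice; a separate pillar value for the tag with a pinned default, rendered as `{{ master.network.get('image', 'calico/node') }}:{{ <tag value> }}`, would restore reproducible pulls. Pinning by digest would be stronger still if the pillar can carry one.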
@@ -43,4 +41,4 @@
ExecStop=-/usr/bin/docker stop calico-node
[Install]
-WantedBy=multi-user.target
\ No newline at end of file
+WantedBy=multi-user.target
diff --git a/kubernetes/files/calico/calico-node.service.pool b/kubernetes/files/calico/calico-node.service.pool
index 08424a0..eed75d0 100644
--- a/kubernetes/files/calico/calico-node.service.pool
+++ b/kubernetes/files/calico/calico-node.service.pool
@@ -1,6 +1,6 @@
{%- from "kubernetes/map.jinja" import pool with context %}
[Unit]
-Description=calico-node
+Description=calico-node on pool
After=docker.service
Requires=docker.service
@@ -15,16 +15,14 @@
-e CALICO_NETWORKING_BACKEND="{{ pool.network.calico_network_backend }}"
{%- endif %}
-e AS={{ pool.network.get('as', '64512') }} \
- -e NO_DEFAULT_POOLS={{ pool.network.get('no_default_pools', false ) }} \
+ -e NO_DEFAULT_POOLS={{ pool.network.get('no_default_pools') }} \
-e CALICO_LIBNETWORK_ENABLED={{ pool.network.get('libnetwork_enabled', true ) }} \
- -e ETCD_ENDPOINTS={% for member in pool.network.etcd.members %}http://{{ member.host }}:{{ member.port }}{% if not loop.last %},{% endif %}{% endfor %} \
- {%- if pool.network.etcd.ssl is defined %}
- ##TO BE DONE
- -e ETCD_CA_CERT_FILE= \
- -e ETCD_CERT_FILE= \
- -e ETCD_KEY_FILE= \
- -v {{ calico_cert_dir }}:{{ calico_cert_dir }}:ro \
- {{ calico_node_image_repo }}:{{ calico_node_image_tag }}
+ -e ETCD_ENDPOINTS={% for member in pool.network.etcd.members %}http{% if pool.network.etcd.get('ssl', {}).get('enabled') %}s{% endif %}://{{ member.host }}:{{ member.port }}{% if not loop.last %},{% endif %}{% endfor %} \
+ {%- if pool.network.etcd.get('ssl', {}).get('enabled') %}
+ -e ETCD_CA_CERT_FILE=/var/lib/etcd/ca.pem \
+ -e ETCD_CERT_FILE=/var/lib/etcd/etcd-client.crt \
+ -e ETCD_KEY_FILE=/var/lib/etcd/etcd-client.key \
+ -v /var/lib/etcd/:/var/lib/etcd/:ro \
{%- endif %}
-v /var/log/calico:/var/log/calico \
-v /run/docker/plugins:/run/docker/plugins \
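Review bot: `NO_DEFAULT_POOLS={{ pool.network.get('no_default_pools') }}` dropped the `false` default that the removed line had, so an unset pillar now renders `NO_DEFAULT_POOLS=None`; whether calico-node treats that string as false or rejects it is not visible here, so restore `-e NO_DEFAULT_POOLS={{ pool.network.get('no_default_pools', false ) }} \` to keep the old behaviour. The `-v /var/lib/etcd/:/var/lib/etcd/:ro` bind also exposes the whole directory to the container when only `ca.pem`, `etcd-client.crt` and `etcd-client.key` are referenced; mounting the three files individually (one `-v path:path:ro` each) limits what the container can read if anything else is ever placed there. The ExecStart command continues past the hunk on both sides.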
diff --git a/kubernetes/files/calico/calico.conf b/kubernetes/files/calico/calico.conf
index 97810eb..119f638 100644
--- a/kubernetes/files/calico/calico.conf
+++ b/kubernetes/files/calico/calico.conf
@@ -2,7 +2,12 @@
{
"name": "calico-k8s-network",
"type": "calico",
- "etcd_endpoints": "{% for member in pool.network.etcd.members %}http://{{ member.host }}:{{ member.port }}{% if not loop.last %},{% endif %}{% endfor %}",
+ "etcd_endpoints": "{% for member in pool.network.etcd.members %}http{% if pool.network.etcd.get('ssl', {}).get('enabled') %}s{% endif %}://{{ member.host }}:{{ member.port }}{% if not loop.last %},{% endif %}{% endfor %}",
+{%- if pool.network.etcd.get('ssl', {}).get('enabled') %}
+ "etcd_key_file": "/var/lib/etcd/etcd-client.pem",
+ "etcd_cert_file": "/var/lib/etcd/etcd-client.pem",
+ "etcd_ca_cert_file": "/var/lib/etcd/ca.pem",
+{%- endif %}
"log_level": "info",
"ipam": {
"type": "calico-ipam"
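Review bot: `etcd_key_file` and `etcd_cert_file` both point at `/var/lib/etcd/etcd-client.pem`, while the calico-node unit in this same change expects `/var/lib/etcd/etcd-client.crt` and `/var/lib/etcd/etcd-client.key`; nothing visible provisions a combined PEM alongside the split files, so with SSL enabled the CNI plugin would fail at pod setup with a missing-file error rather than at deploy time. Either align these to `"etcd_key_file": "/var/lib/etcd/etcd-client.key"` and `"etcd_cert_file": "/var/lib/etcd/etcd-client.crt"`, or state in the README that a combined `etcd-client.pem` must be present as well. Whichever file ends up holding the private key, it is now read by the kubelet's CNI path on every node, so the state that distributes it should keep it root-only.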
@@ -10,4 +15,4 @@
"kubernetes": {
"kubeconfig": "/etc/kubernetes/kubelet.kubeconfig"
}
-}
\ No newline at end of file
+}
diff --git a/kubernetes/files/calico/calicoctl.cfg.master b/kubernetes/files/calico/calicoctl.cfg.master
index c500749..0a9fecd 100644
--- a/kubernetes/files/calico/calicoctl.cfg.master
+++ b/kubernetes/files/calico/calicoctl.cfg.master
@@ -4,4 +4,9 @@
metadata:
spec:
datastoreType: "etcdv2"
- etcdEndpoints: {% for member in master.network.etcd.members %}http://{{ member.host }}:{{ member.port }}{% if not loop.last %},{% endif %}{% endfor %}
+ etcdEndpoints: {% for member in master.network.etcd.members %}http{% if pool.network.etcd.get('ssl', {}).get('enabled') %}s{% endif %}://{{ member.host }}:{{ member.port }}{% if not loop.last %},{% endif %}{% endfor %}
+{%- if pool.network.etcd.get('ssl', {}).get('enabled') %}
+ etcdKeyFile: /var/lib/etcd/etcd-client.pem
+ etcdCertFile: /var/lib/etcd/etcd-client.pem
+ etcdCACertFile: /var/lib/etcd/ca.pem
+{%- endif %}
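Review bot: The master template decides SSL from `pool.network.etcd.get('ssl', {}).get('enabled')` while the endpoints come from `master.network.etcd.members`; the sibling master unit file imports only `master` from map.jinja, so if this template does the same, `pool` is undefined and rendering breaks, and if both are imported the master's endpoints get the pool's scheme. Both lines should read `master.network.etcd.get('ssl', {}).get('enabled')`. As in calico.conf, `etcdKeyFile` and `etcdCertFile` share `/var/lib/etcd/etcd-client.pem` whereas the calico-node unit expects `etcd-client.crt`/`etcd-client.key`; confirm a combined PEM is actually provisioned or align the names.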
diff --git a/kubernetes/files/calico/calicoctl.cfg.pool b/kubernetes/files/calico/calicoctl.cfg.pool
index 73c437d..4d3c786 100644
--- a/kubernetes/files/calico/calicoctl.cfg.pool
+++ b/kubernetes/files/calico/calicoctl.cfg.pool
@@ -4,4 +4,9 @@
metadata:
spec:
datastoreType: "etcdv2"
- etcdEndpoints: {% for member in pool.network.etcd.members %}http://{{ member.host }}:{{ member.port }}{% if not loop.last %},{% endif %}{% endfor %}
+ etcdEndpoints: {% for member in pool.network.etcd.members %}http{% if pool.network.etcd.get('ssl', {}).get('enabled') %}s{% endif %}://{{ member.host }}:{{ member.port }}{% if not loop.last %},{% endif %}{% endfor %}
+{%- if pool.network.etcd.get('ssl', {}).get('enabled') %}
+ etcdKeyFile: /var/lib/etcd/etcd-client.pem
+ etcdCertFile: /var/lib/etcd/etcd-client.pem
+ etcdCACertFile: /var/lib/etcd/ca.pem
+{%- endif %}
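Review bot: `etcdKeyFile` and `etcdCertFile` both reference `/var/lib/etcd/etcd-client.pem`, but the pool calico-node unit in this change mounts and names `/var/lib/etcd/etcd-client.crt` and `/var/lib/etcd/etcd-client.key`; unless a combined PEM is provisioned next to the split pair, `calicoctl` on pool nodes will fail to reach etcd only when SSL is enabled. Pointing these at `etcdKeyFile: /var/lib/etcd/etcd-client.key` and `etcdCertFile: /var/lib/etcd/etcd-client.crt` keeps one credential layout across all four consumers in this commit.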
diff --git a/kubernetes/master/controller.sls b/kubernetes/master/controller.sls
index a08cdcf..51737a9 100644
--- a/kubernetes/master/controller.sls
+++ b/kubernetes/master/controller.sls
@@ -76,7 +76,7 @@
- user: root
- group: root
- mode: 644
- - contents: DAEMON_ARGS=" --insecure-bind-address={{ master.apiserver.insecure_address }} --insecure-port={{ master.apiserver.get('insecure_port', '8080') }} --etcd-servers={% for member in master.etcd.members %}http://{{ member.host }}:4001{% if not loop.last %},{% endif %}{% endfor %} --admission-control=NamespaceLifecycle,LimitRanger,SecurityContextDeny,ServiceAccount,ResourceQuota --service-cluster-ip-range={{ master.service_addresses }} --client-ca-file=/etc/kubernetes/ssl/ca-{{ master.ca }}.crt --basic-auth-file=/srv/kubernetes/basic_auth.csv --tls-cert-file=/etc/kubernetes/ssl/kubernetes-server.crt --tls-private-key-file=/etc/kubernetes/ssl/kubernetes-server.key --secure-port={{ master.apiserver.get('secure_port', '443') }} --bind-address={{ master.apiserver.address }} --token-auth-file=/srv/kubernetes/known_tokens.csv --v=2 --allow-privileged=True --etcd-quorum-read=true {%- if master.apiserver.node_port_range is defined %} --service-node-port-range {{ master.apiserver.node_port_range }} {%- endif %}{% for key, value in master.get('apiserver', {}).get('daemon_opts', {}).iteritems() %} --{{ key }}={{ value }}{% endfor %}"
+ - contents: DAEMON_ARGS=" --insecure-bind-address={{ master.apiserver.insecure_address }} --insecure-port={{ master.apiserver.get('insecure_port', '8080') }} --etcd-servers={% for member in master.etcd.members %}http{% if master.etcd.get('ssl', {}).get('enabled') %}s{% endif %}://{{ member.host }}:4001{% if not loop.last %},{% endif %}{% endfor %}{% if master.etcd.get('ssl', {}).get('enabled') %} --etcd-cafile /var/lib/etcd/ca.pem --etcd-certfile /var/lib/etcd/etcd-client.crt --etcd-keyfile /var/lib/etcd/etcd-client.key {% endif %}--admission-control=NamespaceLifecycle,LimitRanger,SecurityContextDeny,ServiceAccount,ResourceQuota --service-cluster-ip-range={{ master.service_addresses }} --client-ca-file=/etc/kubernetes/ssl/ca-{{ master.ca }}.crt --basic-auth-file=/srv/kubernetes/basic_auth.csv --tls-cert-file=/etc/kubernetes/ssl/kubernetes-server.crt --tls-private-key-file=/etc/kubernetes/ssl/kubernetes-server.key --secure-port={{ master.apiserver.get('secure_port', '443') }} --bind-address={{ master.apiserver.address }} --token-auth-file=/srv/kubernetes/known_tokens.csv --v=2 --allow-privileged=True --etcd-quorum-read=true {%- if master.apiserver.node_port_range is defined %} --service-node-port-range {{ master.apiserver.node_port_range }} {%- endif %}{% for key, value in master.get('apiserver', {}).get('daemon_opts', {}).iteritems() %} --{{ key }}={{ value }}{% endfor %}"
{% for component in ['scheduler', 'controller-manager'] %}