Merge "Separate CA for k8s and etcd"

playbookconfig/src/playbooks/host_vars/bootstrap/default.yml

@@ -222,6 +222,8 @@ docker_registries:
 #   - ssl_ca_cert
 #   - k8s_root_ca_cert
 #   - k8s_root_ca_key
+#   - etcd_root_ca_cert
+#   - etcd_root_ca_key
 #
 # ssl_ca_cert: /path/to/ssl_ca_cert_file
 

playbookconfig/src/playbooks/roles/bootstrap/apply-manifest/tasks/apply_bootstrap_manifest.yml

@@ -146,7 +146,6 @@
     path: "{{ hieradata_workdir }}/static.yaml"
     line: "{{ item }}"
   with_items:
-    - "platform::etcd::params::security_enabled: true"
     - "platform::etcd::params::bind_address: {{ cluster_floating_address }}"
     - "platform::etcd::params::bind_address_version: {{ etcd_listen_address_version }}"
 

playbookconfig/src/playbooks/roles/bootstrap/bringup-bootstrap-applications/tasks/main.yml

@@ -120,6 +120,8 @@
     - "prev_k8s_root_ca_cert: {{ k8s_root_ca_cert }}"
     - "prev_k8s_root_ca_key: {{ k8s_root_ca_key }}"
     - "prev_apiserver_oidc: {{ apiserver_oidc | to_yaml }}"
+    - "prev_etcd_root_ca_cert: {{ etcd_root_ca_cert }}"
+    - "prev_etcd_root_ca_key: {{ etcd_root_ca_key }}"
     # Nested dictionaries are picky about having things on the same line
     - "prev_docker_registries: "
     - "{{ docker_registries | to_yaml }}"

playbookconfig/src/playbooks/roles/bootstrap/bringup-essential-services/tasks/bringup_kubemaster.yml

@@ -81,17 +81,47 @@
       - "apiserver-etcd-client.key"
   when: k8s_pki_files is defined
 
-- name: Copy ca, cert and key generated by etcd to kubeadm_pki_dir
+- block:
-  copy:
+  - name: Copy apiserver cert and key generated by etcd to kubeadm_pki_dir
-    src: "/etc/etcd/{{ item }}"
+    copy:
-    dest: "{{ kubeadm_pki_dir }}/{{ item }}"
+      src: "/etc/etcd/{{ item }}"
-    remote_src: yes
+      dest: "{{ kubeadm_pki_dir }}/{{ item }}"
-    force: yes
+      remote_src: yes
-  with_items:
+      force: yes
-    - "ca.crt"
+    with_items:
-    - "ca.key"
+      - "apiserver-etcd-client.crt"
-    - "apiserver-etcd-client.crt"
+      - "apiserver-etcd-client.key"
-    - "apiserver-etcd-client.key"
+
+  - name: Generate private key for kubernetes-ca
+    openssl_privatekey:
+      path: "{{ kubeadm_pki_dir }}/ca.key"
+      type: RSA
+      size: 4096
+      state: present
+      force: true
+
+  - name: Generate CSR for kubernetes-ca
+    openssl_csr:
+      path: "{{ kubeadm_pki_dir }}/ca.csr"
+      privatekey_path: "{{ kubeadm_pki_dir }}/ca.key"
+      common_name: kubernetes
+      basic_constraints:
+        - CA:true
+        - pathlen:1
+      basic_constraints_critical: True
+      key_usage:
+        - keyCertSign
+        - digitalSignature
+        - keyEncipherment
+      force: true
+
+  - name: Generate self-signed CA certificate for kubernetes-ca
+    openssl_certificate:
+      path: "{{ kubeadm_pki_dir }}/ca.crt"
+      privatekey_path: "{{ kubeadm_pki_dir }}/ca.key"
+      csr_path: "{{ kubeadm_pki_dir }}/ca.csr"
+      provider: selfsigned
+      force: true
   when: k8s_pki_files is undefined
 
 - name: Set kubelet node configuration

playbookconfig/src/playbooks/roles/bootstrap/prepare-env/tasks/main.yml

@@ -197,11 +197,13 @@
     docker_https_proxy: "{{ docker_https_proxy | default('undef') }}"
     docker_no_proxy: "{{ docker_no_proxy | default([]) }}"
 
-- name: Set default values for kubernetes certificate parameters if not defined
+- name: Define k8s/etcd certificate parameters if not defined
   set_fact:
     k8s_root_ca_cert: "{{ k8s_root_ca_cert | default('') }}"
     k8s_root_ca_key: "{{ k8s_root_ca_key | default('') }}"
     apiserver_cert_sans: "{{ apiserver_cert_sans | default([]) }}"
+    etcd_root_ca_cert: "{{ etcd_root_ca_cert | default('') }}"
+    etcd_root_ca_key: "{{ etcd_root_ca_key | default('') }}"
 
 # Give the bootstrap config output file on the host a generic name so the
 # same file is referenced if the host is bootstrapped locally and remotely
@@ -333,7 +335,9 @@
                 prev_docker_no_proxy != docker_no_proxy | sort)) or
               (prev_apiserver_cert_sans != apiserver_cert_sans) or
               (prev_k8s_root_ca_cert != k8s_root_ca_cert) or
-              (prev_k8s_root_ca_key != k8s_root_ca_key)
+              (prev_k8s_root_ca_key != k8s_root_ca_key) or
+              (prev_etcd_root_ca_cert != etcd_root_ca_cert) or
+              (prev_etcd_root_ca_key != etcd_root_ca_key)
 
       - name: Turn on service endpoints reconfiguration flag if management and/or oam network config is changed
         set_fact:

playbookconfig/src/playbooks/roles/bootstrap/validate-config/tasks/main.yml

@@ -730,6 +730,22 @@
   include: validate_address.yml input_address={{ item }}
   with_items: "{{ apiserver_cert_sans }}"
 
+- name: Verify that either both etcd root ca cert and key are defined or not at all
+  fail:
+    msg: "etcd_root_ca_cert and etcd_root_ca_key must be provided as a pair"
+  when: (etcd_root_ca_cert and not etcd_root_ca_key) or
+        (not etcd_root_ca_cert and etcd_root_ca_key)
+
+- name: Check for etcd_root_ca_cert file
+  fail:
+    msg: "etcd_root_ca_cert file not found. ({{ etcd_root_ca_cert }})"
+  when: etcd_root_ca_cert and (not etcd_root_ca_cert is file)
+
+- name: Check for etcd_root_ca_key file
+  fail:
+    msg: "etcd_root_ca_key file not found. ({{ etcd_root_ca_key }})"
+  when: etcd_root_ca_key and (not etcd_root_ca_key is file)
+
 - name: Verify that either both Kubernetes root ca cert and key are defined or not at all
   fail:
     msg: "k8s_root_ca_cert and k8s_root_ca_key must be provided as a pair"

playbookconfig/src/playbooks/roles/common/create-etcd-certs/tasks/main.yml

@@ -54,36 +54,27 @@
   with_items:
     - "etcd-client"
 
-- name: Check if CA exists
+- name: Define values for etcd certificate and key
-  stat:
+  set_fact:
-    path: /etc/kubernetes/pki/ca.crt
+    etcd_root_ca_cert: "{{ etcd_root_ca_cert | default('') }}"
-  register: ca_file
+    etcd_root_ca_key: "{{ etcd_root_ca_key | default('') }}"
 
-- name: Copy existed CA
+- name: Setup dictionary of etcd certificates to install
-  copy:
+  set_fact:
-    src: "/etc/kubernetes/pki/{{ item }}"
+    etcd_ca_files: { ca.crt: "{{etcd_root_ca_cert}}", ca.key: "{{etcd_root_ca_key}}" }
-    dest: "/etc/etcd/{{ item }}"
+  when:
-    remote_src: yes
+    - (etcd_root_ca_cert)
-    force: yes
+    - (etcd_root_ca_key)
-  with_items:
-    - "ca.crt"
-    - "ca.key"
-  when: ca_file.stat.exists
 
-- name: copy user specified CA
+- name: Copy etcd root ca certificates
   copy:
-    src: "{{ item.src }}"
+    src: "{{ item.value }}"
-    dest: "{{ item.dest }}"
+    dest: "/etc/etcd/{{item.key}}"
-    force: yes
+  with_dict: "{{ etcd_ca_files }}"
-  with_items:
+  when: etcd_ca_files is defined
-    - { src: "{{ k8s_root_ca_cert }}", dest: "/etc/etcd/ca.crt" }
-    - { src: "{{ k8s_root_ca_key }}", dest: "/etc/etcd/ca.key" }
-  when: (k8s_root_ca_cert)
 
 - block:
-  - name: Generate private key for kubernetes-ca
+  - name: Generate private key for etcd-ca
-    # Reuse this kubernetes-ca for the etcd-ca,
-    # will copy to /etc/kubernetes/pki later
     openssl_privatekey:
       path: "/etc/etcd/ca.key"
       type: RSA
@@ -91,11 +82,11 @@
       state: present
       force: true
 
-  - name: Generate CSR for kubernetes-ca
+  - name: Generate CSR for etcd-ca
     openssl_csr:
       path: "/etc/etcd/ca.csr"
       privatekey_path: "/etc/etcd/ca.key"
-      common_name: kubernetes
+      common_name: etcd
       basic_constraints:
         - CA:TRUE
         - pathlen:1
@@ -103,19 +94,19 @@
       key_usage:
         - keyCertSign
         - digitalSignature
+        - keyEncipherment
       force: true
 
-  - name: Generate self-signed CA certificate
+  - name: Generate self-signed CA certificate for etcd-ca
     openssl_certificate:
       path: "/etc/etcd/ca.crt"
       privatekey_path: "/etc/etcd/ca.key"
       csr_path: "/etc/etcd/ca.csr"
       provider: selfsigned
       force: true
+  when: etcd_root_ca_cert == ''
 
-  when: not ca_file.stat.exists and k8s_root_ca_cert == ''
+- name: Generate certs signed with etcd CA certificate
-
-- name: Generate certs signed with kubernetes CA certificate"
   openssl_certificate:
     path: "/etc/etcd/{{ item }}.crt"
     csr_path: "/etc/etcd/{{ item }}.csr"

playbookconfig/src/playbooks/separate_etcd_ca.yml

@@ -0,0 +1,63 @@
+---
+# Copyright (c) 2021 Intel Corporation
+#
+# SPDX-License-Identifier: Apache-2.0
+#
+# ROLE DESCRIPTION:
+# Create a separate CA cert for etcd, separating from kubernetes
+# This file can be removed in the release after STX6.0
+- hosts: all
+  become: yes
+  become_user: root
+  tasks:
+    - name: Create cert for etcd server and client
+      import_role:
+        name: common/create-etcd-certs
+
+    - name: Create etcd cert permdir
+      file:
+        path: "{{ config_permdir + '/etcd' }}"
+        state: directory
+        mode: 0700
+
+    - name: Copy etcd certificates to config_permdir
+      copy:
+        src: "/etc/etcd/{{ item }}"
+        dest: "{{ config_permdir + '/etcd' }}/{{ item }}"
+        remote_src: yes
+        force: yes
+      with_items:
+        - "apiserver-etcd-client.crt"
+        - "apiserver-etcd-client.key"
+        - "etcd-server.crt"
+        - "etcd-server.key"
+        - "ca.crt"
+        - "ca.key"
+        - "etcd-client.crt"
+        - "etcd-client.key"
+
+    - name: Copy apiserver-etcd-client cert
+      copy:
+        src: "/etc/etcd/{{ item }}"
+        dest: "/etc/kubernetes/pki/{{ item }}"
+        remote_src: yes
+        force: yes
+      with_items:
+        - "apiserver-etcd-client.crt"
+        - "apiserver-etcd-client.key"
+
+    - name: Create list of etcd classes to pass to puppet
+      copy:
+        dest: "/tmp/etcd.yml"
+        content: |
+          classes:
+          - platform::etcd::upgrade::runtime
+
+    - name: Applying puppet for enabling etcd security
+      command: >
+        /usr/local/bin/puppet-manifest-apply.sh
+        {{ puppet_permdir }}/hieradata/
+        {{ ipaddress }}
+        controller runtime /tmp/etcd.yml
+      environment:
+        LC_ALL: "en_US.UTF-8"