Merge "Separate CA for k8s and etcd"

2021-10-22 16:14:55 +00:00
parent d481ce9ffe d907a06eff
commit 2a0711872a
8 changed files with 152 additions and 45 deletions
--- a/playbookconfig/src/playbooks/host_vars/bootstrap/default.yml
+++ b/playbookconfig/src/playbooks/host_vars/bootstrap/default.yml
@@ -222,6 +222,8 @@ docker_registries:
 #   - ssl_ca_cert
 #   - k8s_root_ca_cert
 #   - k8s_root_ca_key
 #   - etcd_root_ca_cert
 #   - etcd_root_ca_key
 #
 # ssl_ca_cert: /path/to/ssl_ca_cert_file
--- a/playbookconfig/src/playbooks/roles/bootstrap/apply-manifest/tasks/apply_bootstrap_manifest.yml
+++ b/playbookconfig/src/playbooks/roles/bootstrap/apply-manifest/tasks/apply_bootstrap_manifest.yml
@@ -146,7 +146,6 @@
    path: "{{ hieradata_workdir }}/static.yaml"
    line: "{{ item }}"
  with_items:
    - "platform::etcd::params::security_enabled: true"
    - "platform::etcd::params::bind_address: {{ cluster_floating_address }}"
    - "platform::etcd::params::bind_address_version: {{ etcd_listen_address_version }}"
--- a/playbookconfig/src/playbooks/roles/bootstrap/bringup-bootstrap-applications/tasks/main.yml
+++ b/playbookconfig/src/playbooks/roles/bootstrap/bringup-bootstrap-applications/tasks/main.yml
@@ -120,6 +120,8 @@
    - "prev_k8s_root_ca_cert: {{ k8s_root_ca_cert }}"
    - "prev_k8s_root_ca_key: {{ k8s_root_ca_key }}"
    - "prev_apiserver_oidc: {{ apiserver_oidc | to_yaml }}"
    - "prev_etcd_root_ca_cert: {{ etcd_root_ca_cert }}"
    - "prev_etcd_root_ca_key: {{ etcd_root_ca_key }}"
    # Nested dictionaries are picky about having things on the same line
    - "prev_docker_registries: "
    - "{{ docker_registries | to_yaml }}"
--- a/playbookconfig/src/playbooks/roles/bootstrap/bringup-essential-services/tasks/bringup_kubemaster.yml
+++ b/playbookconfig/src/playbooks/roles/bootstrap/bringup-essential-services/tasks/bringup_kubemaster.yml
@@ -81,17 +81,47 @@
      - "apiserver-etcd-client.key"
  when: k8s_pki_files is defined
- name: Copy ca, cert and key generated by etcd to kubeadm_pki_dir
+- block:
-  copy:
+  - name: Copy apiserver cert and key generated by etcd to kubeadm_pki_dir
-    src: "/etc/etcd/{{ item }}"
+    copy:
-    dest: "{{ kubeadm_pki_dir }}/{{ item }}"
+      src: "/etc/etcd/{{ item }}"
-    remote_src: yes
+      dest: "{{ kubeadm_pki_dir }}/{{ item }}"
-    force: yes
+      remote_src: yes
-  with_items:
+      force: yes
-    - "ca.crt"
+    with_items:
-    - "ca.key"
+      - "apiserver-etcd-client.crt"
-    - "apiserver-etcd-client.crt"
+      - "apiserver-etcd-client.key"
-    - "apiserver-etcd-client.key"
+
  - name: Generate private key for kubernetes-ca
    openssl_privatekey:
      path: "{{ kubeadm_pki_dir }}/ca.key"
      type: RSA
      size: 4096
      state: present
      force: true
  - name: Generate CSR for kubernetes-ca
    openssl_csr:
      path: "{{ kubeadm_pki_dir }}/ca.csr"
      privatekey_path: "{{ kubeadm_pki_dir }}/ca.key"
      common_name: kubernetes
      basic_constraints:
        - CA:true
        - pathlen:1
      basic_constraints_critical: True
      key_usage:
        - keyCertSign
        - digitalSignature
        - keyEncipherment
      force: true
  - name: Generate self-signed CA certificate for kubernetes-ca
    openssl_certificate:
      path: "{{ kubeadm_pki_dir }}/ca.crt"
      privatekey_path: "{{ kubeadm_pki_dir }}/ca.key"
      csr_path: "{{ kubeadm_pki_dir }}/ca.csr"
      provider: selfsigned
      force: true
  when: k8s_pki_files is undefined
 - name: Set kubelet node configuration
--- a/playbookconfig/src/playbooks/roles/bootstrap/prepare-env/tasks/main.yml
+++ b/playbookconfig/src/playbooks/roles/bootstrap/prepare-env/tasks/main.yml
@@ -197,11 +197,13 @@
    docker_https_proxy: "{{ docker_https_proxy | default('undef') }}"
    docker_no_proxy: "{{ docker_no_proxy | default([]) }}"
- name: Set default values for kubernetes certificate parameters if not defined
+- name: Define k8s/etcd certificate parameters if not defined
  set_fact:
    k8s_root_ca_cert: "{{ k8s_root_ca_cert | default('') }}"
    k8s_root_ca_key: "{{ k8s_root_ca_key | default('') }}"
    apiserver_cert_sans: "{{ apiserver_cert_sans | default([]) }}"
    etcd_root_ca_cert: "{{ etcd_root_ca_cert | default('') }}"
    etcd_root_ca_key: "{{ etcd_root_ca_key | default('') }}"
 # Give the bootstrap config output file on the host a generic name so the
 # same file is referenced if the host is bootstrapped locally and remotely
@@ -333,7 +335,9 @@
                prev_docker_no_proxy != docker_no_proxy | sort)) or
              (prev_apiserver_cert_sans != apiserver_cert_sans) or
              (prev_k8s_root_ca_cert != k8s_root_ca_cert) or
-              (prev_k8s_root_ca_key != k8s_root_ca_key)
+              (prev_k8s_root_ca_key != k8s_root_ca_key) or
              (prev_etcd_root_ca_cert != etcd_root_ca_cert) or
              (prev_etcd_root_ca_key != etcd_root_ca_key)
      - name: Turn on service endpoints reconfiguration flag if management and/or oam network config is changed
        set_fact:
--- a/playbookconfig/src/playbooks/roles/bootstrap/validate-config/tasks/main.yml
+++ b/playbookconfig/src/playbooks/roles/bootstrap/validate-config/tasks/main.yml
@@ -730,6 +730,22 @@
  include: validate_address.yml input_address={{ item }}
  with_items: "{{ apiserver_cert_sans }}"
 - name: Verify that either both etcd root ca cert and key are defined or not at all
  fail:
    msg: "etcd_root_ca_cert and etcd_root_ca_key must be provided as a pair"
  when: (etcd_root_ca_cert and not etcd_root_ca_key) or
        (not etcd_root_ca_cert and etcd_root_ca_key)
 - name: Check for etcd_root_ca_cert file
  fail:
    msg: "etcd_root_ca_cert file not found. ({{ etcd_root_ca_cert }})"
  when: etcd_root_ca_cert and (not etcd_root_ca_cert is file)
 - name: Check for etcd_root_ca_key file
  fail:
    msg: "etcd_root_ca_key file not found. ({{ etcd_root_ca_key }})"
  when: etcd_root_ca_key and (not etcd_root_ca_key is file)
 - name: Verify that either both Kubernetes root ca cert and key are defined or not at all
  fail:
    msg: "k8s_root_ca_cert and k8s_root_ca_key must be provided as a pair"
--- a/playbookconfig/src/playbooks/roles/common/create-etcd-certs/tasks/main.yml
+++ b/playbookconfig/src/playbooks/roles/common/create-etcd-certs/tasks/main.yml
@@ -54,36 +54,27 @@
  with_items:
    - "etcd-client"
- name: Check if CA exists
+- name: Define values for etcd certificate and key
-  stat:
+  set_fact:
-    path: /etc/kubernetes/pki/ca.crt
+    etcd_root_ca_cert: "{{ etcd_root_ca_cert | default('') }}"
-  register: ca_file
+    etcd_root_ca_key: "{{ etcd_root_ca_key | default('') }}"
- name: Copy existed CA
+- name: Setup dictionary of etcd certificates to install
-  copy:
+  set_fact:
-    src: "/etc/kubernetes/pki/{{ item }}"
+    etcd_ca_files: { ca.crt: "{{etcd_root_ca_cert}}", ca.key: "{{etcd_root_ca_key}}" }
-    dest: "/etc/etcd/{{ item }}"
+  when:
-    remote_src: yes
+    - (etcd_root_ca_cert)
-    force: yes
+    - (etcd_root_ca_key)
  with_items:
    - "ca.crt"
    - "ca.key"
  when: ca_file.stat.exists
- name: copy user specified CA
+- name: Copy etcd root ca certificates
  copy:
-    src: "{{ item.src }}"
+    src: "{{ item.value }}"
-    dest: "{{ item.dest }}"
+    dest: "/etc/etcd/{{item.key}}"
-    force: yes
+  with_dict: "{{ etcd_ca_files }}"
-  with_items:
+  when: etcd_ca_files is defined
    - { src: "{{ k8s_root_ca_cert }}", dest: "/etc/etcd/ca.crt" }
    - { src: "{{ k8s_root_ca_key }}", dest: "/etc/etcd/ca.key" }
  when: (k8s_root_ca_cert)
 - block:
-  - name: Generate private key for kubernetes-ca
+  - name: Generate private key for etcd-ca
    # Reuse this kubernetes-ca for the etcd-ca,
    # will copy to /etc/kubernetes/pki later
    openssl_privatekey:
      path: "/etc/etcd/ca.key"
      type: RSA
@@ -91,11 +82,11 @@
      state: present
      force: true
-  - name: Generate CSR for kubernetes-ca
+  - name: Generate CSR for etcd-ca
    openssl_csr:
      path: "/etc/etcd/ca.csr"
      privatekey_path: "/etc/etcd/ca.key"
-      common_name: kubernetes
+      common_name: etcd
      basic_constraints:
        - CA:TRUE
        - pathlen:1
@@ -103,19 +94,19 @@
      key_usage:
        - keyCertSign
        - digitalSignature
        - keyEncipherment
      force: true
-  - name: Generate self-signed CA certificate
+  - name: Generate self-signed CA certificate for etcd-ca
    openssl_certificate:
      path: "/etc/etcd/ca.crt"
      privatekey_path: "/etc/etcd/ca.key"
      csr_path: "/etc/etcd/ca.csr"
      provider: selfsigned
      force: true
  when: etcd_root_ca_cert == ''
-  when: not ca_file.stat.exists and k8s_root_ca_cert == ''
+- name: Generate certs signed with etcd CA certificate
 - name: Generate certs signed with kubernetes CA certificate"
  openssl_certificate:
    path: "/etc/etcd/{{ item }}.crt"
    csr_path: "/etc/etcd/{{ item }}.csr"
--- a/playbookconfig/src/playbooks/separate_etcd_ca.yml
+++ b/playbookconfig/src/playbooks/separate_etcd_ca.yml
@@ -0,0 +1,63 @@
 ---
 # Copyright (c) 2021 Intel Corporation
 #
 # SPDX-License-Identifier: Apache-2.0
 #
 # ROLE DESCRIPTION:
 # Create a separate CA cert for etcd, separating from kubernetes
 # This file can be removed in the release after STX6.0
 - hosts: all
  become: yes
  become_user: root
  tasks:
    - name: Create cert for etcd server and client
      import_role:
        name: common/create-etcd-certs
    - name: Create etcd cert permdir
      file:
        path: "{{ config_permdir + '/etcd' }}"
        state: directory
        mode: 0700
    - name: Copy etcd certificates to config_permdir
      copy:
        src: "/etc/etcd/{{ item }}"
        dest: "{{ config_permdir + '/etcd' }}/{{ item }}"
        remote_src: yes
        force: yes
      with_items:
        - "apiserver-etcd-client.crt"
        - "apiserver-etcd-client.key"
        - "etcd-server.crt"
        - "etcd-server.key"
        - "ca.crt"
        - "ca.key"
        - "etcd-client.crt"
        - "etcd-client.key"
    - name: Copy apiserver-etcd-client cert
      copy:
        src: "/etc/etcd/{{ item }}"
        dest: "/etc/kubernetes/pki/{{ item }}"
        remote_src: yes
        force: yes
      with_items:
        - "apiserver-etcd-client.crt"
        - "apiserver-etcd-client.key"
    - name: Create list of etcd classes to pass to puppet
      copy:
        dest: "/tmp/etcd.yml"
        content: |
          classes:
          - platform::etcd::upgrade::runtime
    - name: Applying puppet for enabling etcd security
      command: >
        /usr/local/bin/puppet-manifest-apply.sh
        {{ puppet_permdir }}/hieradata/
        {{ ipaddress }}
        controller runtime /tmp/etcd.yml
      environment:
        LC_ALL: "en_US.UTF-8"