Merge "Use separate CA for kubelet authorization"

charts/apiserver/templates/configmap-certs.yaml

@@ -28,4 +28,6 @@ data:
   etcd-client-ca.pem: {{ .Values.secrets.etcd.tls.ca | quote }}
   etcd-client.pem: {{ .Values.secrets.etcd.tls.cert | quote }}
   service-account.pub: {{ .Values.secrets.service_account.public_key | quote }}
+  kubelet-client-ca.pem: {{ .Values.secrets.kubelet.tls.ca | default .Values.secrets.tls.ca | quote }}
+  kubelet-client.pem: {{ .Values.secrets.kubelet.tls.cert | default .Values.secrets.tls.cert | quote }}
 {{- end }}

charts/apiserver/templates/etc/_kubernetes-apiserver.yaml.tpl

@@ -54,8 +54,8 @@ spec:
         - --tls-private-key-file=/etc/kubernetes/apiserver/pki/apiserver-key.pem
         - --kubelet-preferred-address-types=InternalIP,ExternalIP,Hostname
         - --kubelet-certificate-authority=/etc/kubernetes/apiserver/pki/cluster-ca.pem
-        - --kubelet-client-certificate=/etc/kubernetes/apiserver/pki/apiserver.pem
-        - --kubelet-client-key=/etc/kubernetes/apiserver/pki/apiserver-key.pem
+        - --kubelet-client-certificate=/etc/kubernetes/apiserver/pki/kubelet-client.pem
+        - --kubelet-client-key=/etc/kubernetes/apiserver/pki/kubelet-client-key.pem
         - --etcd-servers={{ .Values.apiserver.etcd.endpoints }}
         - --etcd-cafile=/etc/kubernetes/apiserver/pki/etcd-client-ca.pem
         - --etcd-certfile=/etc/kubernetes/apiserver/pki/etcd-client.pem

charts/apiserver/templates/secret-apiserver.yaml

@@ -25,4 +25,5 @@ type: Opaque
 data:
   apiserver-key.pem: {{ .Values.secrets.tls.key | b64enc }}
   etcd-client-key.pem: {{ .Values.secrets.etcd.tls.key | b64enc }}
+  kubelet-client-key.pem: {{ .Values.secrets.kubelet.tls.key | default .Values.secrets.tls.key | b64enc }}
 {{- end }}

charts/apiserver/values.yaml

@@ -33,6 +33,10 @@ anchor:
   files_to_copy:
     - source: /certs/apiserver.pem
       dest: /etc/kubernetes/apiserver/pki/apiserver.pem
+    - source: /certs/kubelet-client.pem
+      dest: /etc/kubernetes/apiserver/pki/kubelet-client.pem
+    - source: /certs/kubelet-client-ca.pem
+      dest: /etc/kubernetes/apiserver/pki/kubelet-client-ca.pem
     - source: /certs/cluster-ca.pem
       dest: /etc/kubernetes/apiserver/pki/cluster-ca.pem
     - source: /certs/etcd-client-ca.pem
@@ -43,6 +47,8 @@ anchor:
       dest: /etc/kubernetes/apiserver/pki/service-account.pub
     - source: /keys/apiserver-key.pem
       dest: /etc/kubernetes/apiserver/pki/apiserver-key.pem
+    - source: /keys/kubelet-client-key.pem
+      dest: /etc/kubernetes/apiserver/pki/kubelet-client-key.pem
     - source: /keys/etcd-client-key.pem
       dest: /etc/kubernetes/apiserver/pki/etcd-client-key.pem
     - source: /tmp/etc/kubernetes-apiserver.yaml
@@ -97,6 +103,12 @@ secrets:
       ca: placeholder
       cert: placeholder
       key: placeholder
+  kubelet:
+    tls:
+      ca: null
+      cert: null
+      key: null
+
 
 # typically overriden by environmental
 # values, but should include all endpoints

examples/basic/PKICatalog.yaml

@@ -63,6 +63,11 @@ data:
           common_name: armada
           groups:
             - system:masters
+    kubelet:
+      description: CA for Kubernetes node interactions
+      certificates:
+        - document_name: apiserver-kubelet-client
+          common_name: apiserver-kubelet-client
     kubernetes-etcd:
       description: Certificates for Kubernetes's etcd servers
       certificates:

examples/basic/armada-resources.yaml

@@ -664,7 +664,6 @@ metadata:
         path: .
       dest:
         path: .values.secrets.tls.ca
-
     -
       src:
         schema: deckhand/Certificate/v1
@@ -679,6 +678,29 @@ metadata:
         path: .
       dest:
         path: .values.secrets.tls.key
+
+    -
+      src:
+        schema: deckhand/CertificateAuthority/v1
+        name: kubelet
+        path: .
+      dest:
+        path: .values.secrets.kubelet.tls.ca
+    -
+      src:
+        schema: deckhand/Certificate/v1
+        name: apiserver-kubelet-client
+        path: .
+      dest:
+        path: .values.secrets.kubelet.tls.cert
+    -
+      src:
+        schema: deckhand/CertificateKey/v1
+        name: apiserver-kubelet-client
+        path: .
+      dest:
+        path: .values.secrets.kubelet.tls.key
+
     -
       src:
         schema: deckhand/CertificateAuthority/v1
@@ -731,18 +753,6 @@ data:
       tags:
         anchor: gcr.io/google_containers/hyperkube-amd64:v1.10.2
         apiserver: gcr.io/google_containers/hyperkube-amd64:v1.10.2
-    secrets:
-      service_account:
-        public_key: placeholder
-      tls:
-        ca: placeholder
-        cert: placeholder
-        key: placeholder
-      etcd:
-        tls:
-          ca: placeholder
-          cert: placeholder
-          key: placeholder
     network:
       kubernetes_service_ip: 10.96.0.1
       pod_cidr: 10.97.0.0/16

examples/complete/PKICatalog.yaml

@@ -70,6 +70,11 @@ data:
           common_name: armada
           groups:
             - system:masters
+    kubelet:
+      description: CA for Kubernetes node interactions
+      certificates:
+        - document_name: apiserver-kubelet-client
+          common_name: apiserver-kubelet-client
     kubernetes-etcd:
       description: Certificates for Kubernetes's etcd servers
       certificates:

promenade/templates/roles/common/etc/kubernetes/pki/kubelet-client-ca.pem

@@ -0,0 +1 @@
+{{ config.get(schema='deckhand/CertificateAuthority/v1', name='kubelet', default=config.get(schema='deckhand/CertificateAuthority/v1', name='kubernetes')) }}

promenade/templates/roles/common/etc/systemd/system/kubelet.service

@@ -7,7 +7,7 @@ After=network-online.target
 ExecStart=/opt/kubernetes/bin/kubelet \
     --allow-privileged=true \
     --anonymous-auth=false \
-    --client-ca-file=/etc/kubernetes/pki/cluster-ca.pem \
+    --client-ca-file=/etc/kubernetes/pki/kubelet-client-ca.pem \
     --cluster-dns={{ config['KubernetesNetwork:dns.service_ip'] }} \
     --cluster-domain={{ config['KubernetesNetwork:dns.cluster_domain'] }} \
     --hostname-override={{ config.get_first('Genesis:hostname', 'KubernetesNode:hostname') }} \

promenade/templates/roles/genesis/etc/genesis/apiserver/pki/kubelet-client-ca.pem

@@ -0,0 +1 @@
+{{ config.get(schema='deckhand/CertificateAuthority/v1', name='kubelet', default=config.get(schema='deckhand/CertificateAuthority/v1', name='kubernetes')) }}

promenade/templates/roles/genesis/etc/genesis/apiserver/pki/kubelet-client-key.pem

@@ -0,0 +1 @@
+{{ config.get(schema='deckhand/CertificateKey/v1', name='apiserver-kubelet-client', default=config.get(schema='deckhand/CertificateKey/v1', name='apiserver')) }}

promenade/templates/roles/genesis/etc/genesis/apiserver/pki/kubelet-client.pem

@@ -0,0 +1 @@
+{{ config.get(schema='deckhand/Certificate/v1', name='apiserver-kubelet-client', default=config.get(schema='deckhand/Certificate/v1', name='apiserver')) }}

promenade/templates/roles/genesis/etc/kubernetes/manifests/kubernetes-apiserver.yaml

@@ -24,9 +24,9 @@ spec:
         - --admission-control=NamespaceLifecycle,LimitRanger,ServiceAccount,PersistentVolumeLabel,DefaultStorageClass,ResourceQuota,DefaultTolerationSeconds
         - --anonymous-auth=false
         - --client-ca-file=/etc/kubernetes/apiserver/pki/cluster-ca.pem
-        - --kubelet-certificate-authority=/etc/kubernetes/apiserver/pki/cluster-ca.pem
-        - --kubelet-client-certificate=/etc/kubernetes/apiserver/pki/apiserver.pem
-        - --kubelet-client-key=/etc/kubernetes/apiserver/pki/apiserver-key.pem
+        - --kubelet-certificate-authority=/etc/kubernetes/apiserver/pki/kubelet-client-ca.pem
+        - --kubelet-client-certificate=/etc/kubernetes/apiserver/pki/kubelet-client.pem
+        - --kubelet-client-key=/etc/kubernetes/apiserver/pki/kubelet-client-key.pem
         - --insecure-port=0
         - --bind-address=0.0.0.0
         - --secure-port=6443