Use dedicated front-proxy-ca for front-proxy-client

2026-05-07 09:27:38 -02:30 · 2018-04-05 14:32:12 -05:00
parent a6a47dbc96
commit d87b6fd9f3
12 changed files with 73 additions and 7 deletions
--- a/roles/kubernetes/master/tasks/kubeadm-migrate-certs.yml
+++ b/roles/kubernetes/master/tasks/kubeadm-migrate-certs.yml
@@ -9,6 +9,10 @@
    - {src: apiserver-key.pem, dest: apiserver.key}
    - {src: ca.pem, dest: ca.crt}
    - {src: ca-key.pem, dest: ca.key}
+    - {src: front-proxy-ca.pem, dest: front-proxy-ca.crt}
+    - {src: front-proxy-ca-key.pem, dest: front-proxy-ca.key}
+    - {src: front-proxy-client.pem, dest: front-proxy-client.crt}
+    - {src: front-proxy-client-key.pem, dest: front-proxy-client.key}
    - {src: service-account-key.pem, dest: sa.pub}
    - {src: service-account-key.pem, dest: sa.key}
  register: kubeadm_copy_old_certs
--- a/roles/kubernetes/master/templates/manifests/kube-apiserver.manifest.j2
+++ b/roles/kubernetes/master/templates/manifests/kube-apiserver.manifest.j2
@@ -111,7 +111,7 @@ spec:
    - --feature-gates={{ kube_feature_gates|join(',') }}
 {% endif %}
 {% if kube_version | version_compare('v1.9', '>=') %}
-    - --requestheader-client-ca-file={{ kube_cert_dir }}/ca.pem
+    - --requestheader-client-ca-file={{ kube_cert_dir }}/front-proxy-ca.pem
    - --requestheader-allowed-names=front-proxy-client
    - --requestheader-extra-headers-prefix=X-Remote-Extra-
    - --requestheader-group-headers=X-Remote-Group
--- a/roles/kubernetes/secrets/defaults/main.yml
+++ b/roles/kubernetes/secrets/defaults/main.yml
@@ -1,3 +1,4 @@
 ---
 kube_cert_group: kube-cert
 kube_vault_mount_path: kube
+front_proxy_vault_mount_path: front-proxy
--- a/roles/kubernetes/secrets/files/make-ssl.sh
+++ b/roles/kubernetes/secrets/files/make-ssl.sh
@@ -72,6 +72,15 @@ else
    openssl req -x509 -new -nodes -key ca-key.pem -days 36500 -out ca.pem -subj "/CN=kube-ca" > /dev/null 2>&1
 fi

+# Front proxy client CA
+if [ -e "$SSLDIR/front-proxy-ca-key.pem" ]; then
+    # Reuse existing front proxy CA
+    cp $SSLDIR/{front-proxy-ca.pem,front-proxy-ca-key.pem} .
+else
+    openssl genrsa -out front-proxy-ca-key.pem 2048 > /dev/null 2>&1
+    openssl req -x509 -new -nodes -key front-proxy-ca-key.pem -days 36500 -out front-proxy-ca.pem -subj "/CN=front-proxy-ca" > /dev/null 2>&1
+fi
+
 gen_key_and_cert() {
    local name=$1
    local subject=$2
@@ -80,6 +89,14 @@ gen_key_and_cert() {
    openssl x509 -req -in ${name}.csr -CA ca.pem -CAkey ca-key.pem -CAcreateserial -out ${name}.pem -days 36500 -extensions v3_req -extfile ${CONFIG} > /dev/null 2>&1
 }

+gen_key_and_cert_front_proxy() {
+    local name=$1
+    local subject=$2
+    openssl genrsa -out ${name}-key.pem 2048 > /dev/null 2>&1
+    openssl req -new -key ${name}-key.pem -out ${name}.csr -subj "${subject}" -config ${CONFIG} > /dev/null 2>&1
+    openssl x509 -req -in ${name}.csr -CA front-proxy-ca.pem -CAkey front-proxy-ca-key.pem -CAcreateserial -out ${name}.pem -days 36500 -extensions v3_req -extfile ${CONFIG} > /dev/null 2>&1
+}
+
 # Admins
 if [ -n "$MASTERS" ]; then

@@ -105,7 +122,7 @@ if [ -n "$MASTERS" ]; then
    # kube-controller-manager
    gen_key_and_cert "kube-controller-manager" "/CN=system:kube-controller-manager"
    # metrics aggregator
-    gen_key_and_cert "front-proxy-client" "/CN=front-proxy-client"
+    gen_key_and_cert_front_proxy "front-proxy-client" "/CN=front-proxy-client"

    for host in $MASTERS; do
        cn="${host%%.*}"
--- a/roles/kubernetes/secrets/tasks/check-certs.yml
+++ b/roles/kubernetes/secrets/tasks/check-certs.yml
@@ -48,6 +48,8 @@
       '{{ kube_cert_dir }}/kube-scheduler-key.pem',
       '{{ kube_cert_dir }}/kube-controller-manager.pem',
       '{{ kube_cert_dir }}/kube-controller-manager-key.pem',
+       '{{ kube_cert_dir }}/front-proxy-ca.pem',
+       '{{ kube_cert_dir }}/front-proxy-ca-key.pem',
       '{{ kube_cert_dir }}/front-proxy-client.pem',
       '{{ kube_cert_dir }}/front-proxy-client-key.pem',
       '{{ kube_cert_dir }}/service-account-key.pem',
@@ -72,6 +74,7 @@
      {% for cert in ['apiserver.pem', 'apiserver-key.pem',
                      'kube-scheduler.pem','kube-scheduler-key.pem',
                      'kube-controller-manager.pem','kube-controller-manager-key.pem',
+                      'front-proxy-ca.pem','front-proxy-ca-key.pem',
                      'front-proxy-client.pem','front-proxy-client-key.pem',
                      'service-account-key.pem'] -%}
        {% set cert_file = "%s/%s.pem"|format(kube_cert_dir, cert) %}
--- a/roles/kubernetes/secrets/tasks/gen_certs_script.yml
+++ b/roles/kubernetes/secrets/tasks/gen_certs_script.yml
@@ -73,6 +73,8 @@
                       'kube-scheduler-key.pem',
                       'kube-controller-manager.pem',
                       'kube-controller-manager-key.pem',
+                       'front-proxy-ca.pem',
+                       'front-proxy-ca-key.pem',
                       'front-proxy-client.pem',
                       'front-proxy-client-key.pem',
                       'service-account-key.pem',
@@ -85,6 +87,8 @@
                      'admin-{{ inventory_hostname }}-key.pem',
                      'apiserver.pem',
                      'apiserver-key.pem',
+                      'front-proxy-ca.pem',
+                      'front-proxy-ca-key.pem',
                      'front-proxy-client.pem',
                      'front-proxy-client-key.pem',
                      'service-account-key.pem',
--- a/roles/kubernetes/secrets/tasks/gen_certs_vault.yml
+++ b/roles/kubernetes/secrets/tasks/gen_certs_vault.yml
@@ -98,6 +98,8 @@
 - include_tasks: ../../../vault/tasks/shared/issue_cert.yml
  vars:
    issue_cert_common_name: "front-proxy-client"
+    issue_cert_copy_ca: "{{ item == kube_front_proxy_clients_certs_needed|first }}"
+    issue_cert_ca_filename: front-proxy-ca.pem
    issue_cert_alt_names: "{{ kube_cert_alt_names }}"
    issue_cert_file_group: "{{ kube_cert_group }}"
    issue_cert_file_owner: kube
@@ -115,7 +117,7 @@
    issue_cert_path: "{{ item }}"
    issue_cert_role: front-proxy-client
    issue_cert_url: "{{ hostvars[groups.vault|first]['vault_leader_url'] }}"
-    issue_cert_mount_path: "{{ kube_vault_mount_path }}"
+    issue_cert_mount_path: "{{ front_proxy_vault_mount_path }}"
  with_items: "{{ kube_front_proxy_clients_certs_needed|d([]) }}"
  when: inventory_hostname in groups['kube-master']
  notify: set secret_changed
--- a/roles/kubernetes/secrets/tasks/sync_kube_master_certs.yml
+++ b/roles/kubernetes/secrets/tasks/sync_kube_master_certs.yml
@@ -44,6 +44,18 @@
  set_fact:
    sync_file_results: []

+- include_tasks: ../../../vault/tasks/shared/sync_file.yml
+  vars:
+    sync_file: front-proxy-ca.pem
+    sync_file_dir: "{{ kube_cert_dir }}"
+    sync_file_group: "{{ kube_cert_group }}"
+    sync_file_hosts: "{{ groups['kube-master'] }}"
+    sync_file_owner: kube
+
+- name: sync_kube_master_certs | Unset sync_file_results after front-proxy-ca.pem
+  set_fact:
+    sync_file_results: []
+
 - include_tasks: ../../../vault/tasks/shared/sync_file.yml
  vars:
    sync_file: "{{ item }}"