Merge pull request #1948 from sgmitchell/secured-etcd
Enable etcd secure client to prevent etcdctl access without cert and key
This commit is contained in:
commit
c6e0fcea31
13 changed files with 39 additions and 0 deletions
|
@ -37,3 +37,6 @@ etcd_node_cert_hosts: "{{ groups['k8s-cluster'] | union(groups.get('calico-rr',
|
||||||
etcd_compaction_retention: "8"
|
etcd_compaction_retention: "8"
|
||||||
|
|
||||||
etcd_vault_mount_path: etcd
|
etcd_vault_mount_path: etcd
|
||||||
|
|
||||||
|
# Force clients like etcdctl to use TLS certs (different than peer security)
|
||||||
|
etcd_secure_client: true
|
||||||
|
|
|
@ -48,5 +48,7 @@
|
||||||
snapshot save {{ etcd_backup_directory }}/snapshot.db
|
snapshot save {{ etcd_backup_directory }}/snapshot.db
|
||||||
environment:
|
environment:
|
||||||
ETCDCTL_API: 3
|
ETCDCTL_API: 3
|
||||||
|
ETCDCTL_CERT: "{{ etcd_cert_dir }}/node-{{ inventory_hostname }}.pem"
|
||||||
|
ETCDCTL_KEY: "{{ etcd_cert_dir }}/node-{{ inventory_hostname }}-key.pem"
|
||||||
retries: 3
|
retries: 3
|
||||||
delay: "{{ retry_stagger | random + 3 }}"
|
delay: "{{ retry_stagger | random + 3 }}"
|
||||||
|
|
|
@ -22,6 +22,8 @@
|
||||||
uri:
|
uri:
|
||||||
url: "https://{% if is_etcd_master %}{{ etcd_address }}{% else %}127.0.0.1{% endif %}:2379/health"
|
url: "https://{% if is_etcd_master %}{{ etcd_address }}{% else %}127.0.0.1{% endif %}:2379/health"
|
||||||
validate_certs: no
|
validate_certs: no
|
||||||
|
client_cert: "{{ etcd_cert_dir }}/member-{{ inventory_hostname }}.pem"
|
||||||
|
client_key: "{{ etcd_cert_dir }}/member-{{ inventory_hostname }}-key.pem"
|
||||||
register: result
|
register: result
|
||||||
until: result.status is defined and result.status == 200
|
until: result.status is defined and result.status == 200
|
||||||
retries: 10
|
retries: 10
|
||||||
|
|
|
@ -8,6 +8,9 @@
|
||||||
when: is_etcd_master
|
when: is_etcd_master
|
||||||
tags:
|
tags:
|
||||||
- facts
|
- facts
|
||||||
|
environment:
|
||||||
|
ETCDCTL_CERT_FILE: "{{ etcd_cert_dir }}/node-{{ inventory_hostname }}.pem"
|
||||||
|
ETCDCTL_KEY_FILE: "{{ etcd_cert_dir }}/node-{{ inventory_hostname }}-key.pem"
|
||||||
|
|
||||||
- name: Install etcd launch script
|
- name: Install etcd launch script
|
||||||
template:
|
template:
|
||||||
|
|
|
@ -6,6 +6,9 @@
|
||||||
retries: 4
|
retries: 4
|
||||||
delay: "{{ retry_stagger | random + 3 }}"
|
delay: "{{ retry_stagger | random + 3 }}"
|
||||||
when: target_node == inventory_hostname
|
when: target_node == inventory_hostname
|
||||||
|
environment:
|
||||||
|
ETCDCTL_CERT_FILE: "{{ etcd_cert_dir }}/node-{{ inventory_hostname }}.pem"
|
||||||
|
ETCDCTL_KEY_FILE: "{{ etcd_cert_dir }}/node-{{ inventory_hostname }}-key.pem"
|
||||||
|
|
||||||
- include: refresh_config.yml
|
- include: refresh_config.yml
|
||||||
vars:
|
vars:
|
||||||
|
@ -39,3 +42,6 @@
|
||||||
tags:
|
tags:
|
||||||
- facts
|
- facts
|
||||||
when: target_node == inventory_hostname
|
when: target_node == inventory_hostname
|
||||||
|
environment:
|
||||||
|
ETCDCTL_CERT_FILE: "{{ etcd_cert_dir }}/node-{{ inventory_hostname }}.pem"
|
||||||
|
ETCDCTL_KEY_FILE: "{{ etcd_cert_dir }}/node-{{ inventory_hostname }}-key.pem"
|
||||||
|
|
|
@ -8,3 +8,6 @@
|
||||||
when: is_etcd_master
|
when: is_etcd_master
|
||||||
tags:
|
tags:
|
||||||
- facts
|
- facts
|
||||||
|
environment:
|
||||||
|
ETCDCTL_CERT_FILE: "{{ etcd_cert_dir }}/node-{{ inventory_hostname }}.pem"
|
||||||
|
ETCDCTL_KEY_FILE: "{{ etcd_cert_dir }}/node-{{ inventory_hostname }}-key.pem"
|
||||||
|
|
|
@ -18,6 +18,8 @@ ETCD_AUTO_COMPACTION_RETENTION={{ etcd_compaction_retention }}
|
||||||
ETCD_TRUSTED_CA_FILE={{ etcd_cert_dir }}/ca.pem
|
ETCD_TRUSTED_CA_FILE={{ etcd_cert_dir }}/ca.pem
|
||||||
ETCD_CERT_FILE={{ etcd_cert_dir }}/member-{{ inventory_hostname }}.pem
|
ETCD_CERT_FILE={{ etcd_cert_dir }}/member-{{ inventory_hostname }}.pem
|
||||||
ETCD_KEY_FILE={{ etcd_cert_dir }}/member-{{ inventory_hostname }}-key.pem
|
ETCD_KEY_FILE={{ etcd_cert_dir }}/member-{{ inventory_hostname }}-key.pem
|
||||||
|
ETCD_CLIENT_CERT_AUTH={{ etcd_secure_client | lower}}
|
||||||
|
|
||||||
ETCD_PEER_TRUSTED_CA_FILE={{ etcd_cert_dir }}/ca.pem
|
ETCD_PEER_TRUSTED_CA_FILE={{ etcd_cert_dir }}/ca.pem
|
||||||
ETCD_PEER_CERT_FILE={{ etcd_cert_dir }}/member-{{ inventory_hostname }}.pem
|
ETCD_PEER_CERT_FILE={{ etcd_cert_dir }}/member-{{ inventory_hostname }}.pem
|
||||||
ETCD_PEER_KEY_FILE={{ etcd_cert_dir }}/member-{{ inventory_hostname }}-key.pem
|
ETCD_PEER_KEY_FILE={{ etcd_cert_dir }}/member-{{ inventory_hostname }}-key.pem
|
||||||
|
|
|
@ -3,6 +3,8 @@
|
||||||
command: "{{ bin_dir }}/etcdctl --peers={{ etcd_access_addresses }} ls /registry/minions"
|
command: "{{ bin_dir }}/etcdctl --peers={{ etcd_access_addresses }} ls /registry/minions"
|
||||||
environment:
|
environment:
|
||||||
ETCDCTL_API: 2
|
ETCDCTL_API: 2
|
||||||
|
ETCDCTL_CERT_FILE: "{{ etcd_cert_dir }}/node-{{ inventory_hostname }}.pem"
|
||||||
|
ETCDCTL_KEY_FILE: "{{ etcd_cert_dir }}/node-{{ inventory_hostname }}-key.pem"
|
||||||
register: old_data_exists
|
register: old_data_exists
|
||||||
delegate_to: "{{groups['etcd'][0]}}"
|
delegate_to: "{{groups['etcd'][0]}}"
|
||||||
changed_when: false
|
changed_when: false
|
||||||
|
|
|
@ -57,6 +57,9 @@
|
||||||
retries: 4
|
retries: 4
|
||||||
delay: "{{ retry_stagger | random + 3 }}"
|
delay: "{{ retry_stagger | random + 3 }}"
|
||||||
delegate_to: "{{groups['etcd'][0]}}"
|
delegate_to: "{{groups['etcd'][0]}}"
|
||||||
|
environment:
|
||||||
|
ETCDCTL_CERT: "{{ etcd_cert_dir }}/node-{{ inventory_hostname }}.pem"
|
||||||
|
ETCDCTL_KEY: "{{ etcd_cert_dir }}/node-{{ inventory_hostname }}-key.pem"
|
||||||
|
|
||||||
- meta: flush_handlers
|
- meta: flush_handlers
|
||||||
|
|
||||||
|
|
|
@ -83,6 +83,8 @@
|
||||||
uri:
|
uri:
|
||||||
url: https://localhost:2379/health
|
url: https://localhost:2379/health
|
||||||
validate_certs: no
|
validate_certs: no
|
||||||
|
client_cert: "{{ etcd_cert_dir }}/node-{{ inventory_hostname }}.pem"
|
||||||
|
client_key: "{{ etcd_cert_dir }}/node-{{ inventory_hostname }}-key.pem"
|
||||||
register: result
|
register: result
|
||||||
until: result.status == 200 or result.status == 401
|
until: result.status == 200 or result.status == 401
|
||||||
retries: 10
|
retries: 10
|
||||||
|
|
|
@ -34,6 +34,9 @@
|
||||||
delegate_to: "{{groups['etcd'][0]}}"
|
delegate_to: "{{groups['etcd'][0]}}"
|
||||||
changed_when: false
|
changed_when: false
|
||||||
run_once: true
|
run_once: true
|
||||||
|
environment:
|
||||||
|
ETCDCTL_CERT_FILE: "{{ etcd_cert_dir }}/node-{{ inventory_hostname }}.pem"
|
||||||
|
ETCDCTL_KEY_FILE: "{{ etcd_cert_dir }}/node-{{ inventory_hostname }}-key.pem"
|
||||||
|
|
||||||
- name: Canal | Create canal node manifests
|
- name: Canal | Create canal node manifests
|
||||||
template:
|
template:
|
||||||
|
|
|
@ -7,6 +7,9 @@
|
||||||
"delegate": {
|
"delegate": {
|
||||||
"type": "calico",
|
"type": "calico",
|
||||||
"etcd_endpoints": "{{ etcd_access_addresses }}",
|
"etcd_endpoints": "{{ etcd_access_addresses }}",
|
||||||
|
"etcd_key_file": "{{ canal_cert_dir }}/key.pem",
|
||||||
|
"etcd_cert_file": "{{ canal_cert_dir }}/cert.crt",
|
||||||
|
"etcd_ca_cert_file": "{{ canal_cert_dir }}/ca_cert.crt",
|
||||||
"log_level": "info",
|
"log_level": "info",
|
||||||
"policy": {
|
"policy": {
|
||||||
"type": "k8s"
|
"type": "k8s"
|
||||||
|
|
|
@ -8,6 +8,7 @@
|
||||||
bin_dir: /usr/local/bin
|
bin_dir: /usr/local/bin
|
||||||
system_namespace: kube-system
|
system_namespace: kube-system
|
||||||
ansible_ssh_pipelining: true
|
ansible_ssh_pipelining: true
|
||||||
|
etcd_cert_dir: /etc/ssl/etcd/ssl
|
||||||
commands:
|
commands:
|
||||||
- name: timedate_info
|
- name: timedate_info
|
||||||
cmd: timedatectl status
|
cmd: timedatectl status
|
||||||
|
@ -85,6 +86,10 @@
|
||||||
- /var/log/calico/felix/current
|
- /var/log/calico/felix/current
|
||||||
- /var/log/calico/confd/current
|
- /var/log/calico/confd/current
|
||||||
|
|
||||||
|
environment:
|
||||||
|
ETCDCTL_CERT_FILE: "{{ etcd_cert_dir }}/node-{{ inventory_hostname }}.pem"
|
||||||
|
ETCDCTL_KEY_FILE: "{{ etcd_cert_dir }}/node-{{ inventory_hostname }}-key.pem"
|
||||||
|
|
||||||
tasks:
|
tasks:
|
||||||
- set_fact:
|
- set_fact:
|
||||||
etcd_access_addresses: |-
|
etcd_access_addresses: |-
|
||||||
|
|
Loading…
Reference in a new issue