Merge pull request #1948 from sgmitchell/secured-etcd

Enable etcd secure client to prevent etcdctl access without cert and key
This commit is contained in:
Chad Swenson 2018-01-25 09:35:51 -06:00 committed by GitHub
commit c6e0fcea31
No known key found for this signature in database
GPG key ID: 4AEE18F83AFDEB23
13 changed files with 39 additions and 0 deletions

View file

@ -37,3 +37,6 @@ etcd_node_cert_hosts: "{{ groups['k8s-cluster'] | union(groups.get('calico-rr',
etcd_compaction_retention: "8" etcd_compaction_retention: "8"
etcd_vault_mount_path: etcd etcd_vault_mount_path: etcd
# Force clients like etcdctl to use TLS certs (different than peer security)
etcd_secure_client: true

View file

@ -48,5 +48,7 @@
snapshot save {{ etcd_backup_directory }}/snapshot.db snapshot save {{ etcd_backup_directory }}/snapshot.db
environment: environment:
ETCDCTL_API: 3 ETCDCTL_API: 3
ETCDCTL_CERT: "{{ etcd_cert_dir }}/node-{{ inventory_hostname }}.pem"
ETCDCTL_KEY: "{{ etcd_cert_dir }}/node-{{ inventory_hostname }}-key.pem"
retries: 3 retries: 3
delay: "{{ retry_stagger | random + 3 }}" delay: "{{ retry_stagger | random + 3 }}"

View file

@ -22,6 +22,8 @@
uri: uri:
url: "https://{% if is_etcd_master %}{{ etcd_address }}{% else %}127.0.0.1{% endif %}:2379/health" url: "https://{% if is_etcd_master %}{{ etcd_address }}{% else %}127.0.0.1{% endif %}:2379/health"
validate_certs: no validate_certs: no
client_cert: "{{ etcd_cert_dir }}/member-{{ inventory_hostname }}.pem"
client_key: "{{ etcd_cert_dir }}/member-{{ inventory_hostname }}-key.pem"
register: result register: result
until: result.status is defined and result.status == 200 until: result.status is defined and result.status == 200
retries: 10 retries: 10

View file

@ -8,6 +8,9 @@
when: is_etcd_master when: is_etcd_master
tags: tags:
- facts - facts
environment:
ETCDCTL_CERT_FILE: "{{ etcd_cert_dir }}/node-{{ inventory_hostname }}.pem"
ETCDCTL_KEY_FILE: "{{ etcd_cert_dir }}/node-{{ inventory_hostname }}-key.pem"
- name: Install etcd launch script - name: Install etcd launch script
template: template:

View file

@ -6,6 +6,9 @@
retries: 4 retries: 4
delay: "{{ retry_stagger | random + 3 }}" delay: "{{ retry_stagger | random + 3 }}"
when: target_node == inventory_hostname when: target_node == inventory_hostname
environment:
ETCDCTL_CERT_FILE: "{{ etcd_cert_dir }}/node-{{ inventory_hostname }}.pem"
ETCDCTL_KEY_FILE: "{{ etcd_cert_dir }}/node-{{ inventory_hostname }}-key.pem"
- include: refresh_config.yml - include: refresh_config.yml
vars: vars:
@ -39,3 +42,6 @@
tags: tags:
- facts - facts
when: target_node == inventory_hostname when: target_node == inventory_hostname
environment:
ETCDCTL_CERT_FILE: "{{ etcd_cert_dir }}/node-{{ inventory_hostname }}.pem"
ETCDCTL_KEY_FILE: "{{ etcd_cert_dir }}/node-{{ inventory_hostname }}-key.pem"

View file

@ -8,3 +8,6 @@
when: is_etcd_master when: is_etcd_master
tags: tags:
- facts - facts
environment:
ETCDCTL_CERT_FILE: "{{ etcd_cert_dir }}/node-{{ inventory_hostname }}.pem"
ETCDCTL_KEY_FILE: "{{ etcd_cert_dir }}/node-{{ inventory_hostname }}-key.pem"

View file

@ -18,6 +18,8 @@ ETCD_AUTO_COMPACTION_RETENTION={{ etcd_compaction_retention }}
ETCD_TRUSTED_CA_FILE={{ etcd_cert_dir }}/ca.pem ETCD_TRUSTED_CA_FILE={{ etcd_cert_dir }}/ca.pem
ETCD_CERT_FILE={{ etcd_cert_dir }}/member-{{ inventory_hostname }}.pem ETCD_CERT_FILE={{ etcd_cert_dir }}/member-{{ inventory_hostname }}.pem
ETCD_KEY_FILE={{ etcd_cert_dir }}/member-{{ inventory_hostname }}-key.pem ETCD_KEY_FILE={{ etcd_cert_dir }}/member-{{ inventory_hostname }}-key.pem
ETCD_CLIENT_CERT_AUTH={{ etcd_secure_client | lower}}
ETCD_PEER_TRUSTED_CA_FILE={{ etcd_cert_dir }}/ca.pem ETCD_PEER_TRUSTED_CA_FILE={{ etcd_cert_dir }}/ca.pem
ETCD_PEER_CERT_FILE={{ etcd_cert_dir }}/member-{{ inventory_hostname }}.pem ETCD_PEER_CERT_FILE={{ etcd_cert_dir }}/member-{{ inventory_hostname }}.pem
ETCD_PEER_KEY_FILE={{ etcd_cert_dir }}/member-{{ inventory_hostname }}-key.pem ETCD_PEER_KEY_FILE={{ etcd_cert_dir }}/member-{{ inventory_hostname }}-key.pem

View file

@ -3,6 +3,8 @@
command: "{{ bin_dir }}/etcdctl --peers={{ etcd_access_addresses }} ls /registry/minions" command: "{{ bin_dir }}/etcdctl --peers={{ etcd_access_addresses }} ls /registry/minions"
environment: environment:
ETCDCTL_API: 2 ETCDCTL_API: 2
ETCDCTL_CERT_FILE: "{{ etcd_cert_dir }}/node-{{ inventory_hostname }}.pem"
ETCDCTL_KEY_FILE: "{{ etcd_cert_dir }}/node-{{ inventory_hostname }}-key.pem"
register: old_data_exists register: old_data_exists
delegate_to: "{{groups['etcd'][0]}}" delegate_to: "{{groups['etcd'][0]}}"
changed_when: false changed_when: false

View file

@ -57,6 +57,9 @@
retries: 4 retries: 4
delay: "{{ retry_stagger | random + 3 }}" delay: "{{ retry_stagger | random + 3 }}"
delegate_to: "{{groups['etcd'][0]}}" delegate_to: "{{groups['etcd'][0]}}"
environment:
ETCDCTL_CERT: "{{ etcd_cert_dir }}/node-{{ inventory_hostname }}.pem"
ETCDCTL_KEY: "{{ etcd_cert_dir }}/node-{{ inventory_hostname }}-key.pem"
- meta: flush_handlers - meta: flush_handlers

View file

@ -83,6 +83,8 @@
uri: uri:
url: https://localhost:2379/health url: https://localhost:2379/health
validate_certs: no validate_certs: no
client_cert: "{{ etcd_cert_dir }}/node-{{ inventory_hostname }}.pem"
client_key: "{{ etcd_cert_dir }}/node-{{ inventory_hostname }}-key.pem"
register: result register: result
until: result.status == 200 or result.status == 401 until: result.status == 200 or result.status == 401
retries: 10 retries: 10

View file

@ -34,6 +34,9 @@
delegate_to: "{{groups['etcd'][0]}}" delegate_to: "{{groups['etcd'][0]}}"
changed_when: false changed_when: false
run_once: true run_once: true
environment:
ETCDCTL_CERT_FILE: "{{ etcd_cert_dir }}/node-{{ inventory_hostname }}.pem"
ETCDCTL_KEY_FILE: "{{ etcd_cert_dir }}/node-{{ inventory_hostname }}-key.pem"
- name: Canal | Create canal node manifests - name: Canal | Create canal node manifests
template: template:

View file

@ -7,6 +7,9 @@
"delegate": { "delegate": {
"type": "calico", "type": "calico",
"etcd_endpoints": "{{ etcd_access_addresses }}", "etcd_endpoints": "{{ etcd_access_addresses }}",
"etcd_key_file": "{{ canal_cert_dir }}/key.pem",
"etcd_cert_file": "{{ canal_cert_dir }}/cert.crt",
"etcd_ca_cert_file": "{{ canal_cert_dir }}/ca_cert.crt",
"log_level": "info", "log_level": "info",
"policy": { "policy": {
"type": "k8s" "type": "k8s"

View file

@ -8,6 +8,7 @@
bin_dir: /usr/local/bin bin_dir: /usr/local/bin
system_namespace: kube-system system_namespace: kube-system
ansible_ssh_pipelining: true ansible_ssh_pipelining: true
etcd_cert_dir: /etc/ssl/etcd/ssl
commands: commands:
- name: timedate_info - name: timedate_info
cmd: timedatectl status cmd: timedatectl status
@ -85,6 +86,10 @@
- /var/log/calico/felix/current - /var/log/calico/felix/current
- /var/log/calico/confd/current - /var/log/calico/confd/current
environment:
ETCDCTL_CERT_FILE: "{{ etcd_cert_dir }}/node-{{ inventory_hostname }}.pem"
ETCDCTL_KEY_FILE: "{{ etcd_cert_dir }}/node-{{ inventory_hostname }}-key.pem"
tasks: tasks:
- set_fact: - set_fact:
etcd_access_addresses: |- etcd_access_addresses: |-