Fix support for ca-bundle (#399)

* Fix support for ca-bundle Signed-off-by: Waleed Malik <ahmedwaleedmalik@gmail.com> * Add support for custom ca-bundle in all the OSPs Signed-off-by: Waleed Malik <ahmedwaleedmalik@gmail.com> --------- Signed-off-by: Waleed Malik <ahmedwaleedmalik@gmail.com>
kubermatic · Jul 4, 2024 · 65ba1eb · 65ba1eb
1 parent 57e5476
commit 65ba1eb
Show file tree

Hide file tree

Showing 12 changed files with 140 additions and 52 deletions.
diff --git a/cmd/osm-controller/main.go b/cmd/osm-controller/main.go
@@ -89,6 +89,7 @@ type options struct {
 
 	overrideBootstrapKubeletAPIServer string
 	bootstrapTokenServiceAccountName  string
+	kubernetesCABundleFile            string
 	caBundleFile                      string
 }
 
@@ -142,7 +143,12 @@ func main() {
 	flag.BoolVar(&opt.enableLeaderElection, "leader-elect", true, "Enable leader election for controller manager.")
 	flag.StringVar(&opt.overrideBootstrapKubeletAPIServer, "override-bootstrap-kubelet-apiserver", "", "Override for the API server address used in worker nodes bootstrap-kubelet.conf")
 	flag.StringVar(&opt.bootstrapTokenServiceAccountName, "bootstrap-token-service-account-name", "", "When set use the service account token from this SA as bootstrap token instead of creating a temporary one. Passed in namespace/name format")
-	flag.StringVar(&opt.caBundleFile, "ca-bundle", "", "Path to a file containing all PEM-encoded CA certificates. Will be used for Kubernetes CA certificates.")
+
+	flag.StringVar(&opt.kubernetesCABundleFile, "kubernetes-ca-bundle", "", "Path to a file containing all PEM-encoded CA certificates. Will be used for Kubernetes CA certificates.")
+	flag.StringVar(&opt.caBundleFile, "host-ca-bundle", "", "Path to a file containing all PEM-encoded CA certificates. Will be propagated to the machine and used instead of the host's certificates if set.")
+
+	var noopFlag string
+	flag.StringVar(&noopFlag, "ca-bundle", "", "DEPRECATED: This flag is no-op and will have no effect. Use `host-ca-bundle` or `kubernetes-ca-bundle` instead.")
 
 	flag.Parse()
 
@@ -165,14 +171,22 @@ func main() {
 	}
 
 	var (
-		err          error
-		customCACert string
+		err                    error
+		kubernetesCustomCACert string
+		hostCACert             string
 	)
 
+	if len(opt.kubernetesCABundleFile) > 0 {
+		kubernetesCustomCACert, err = retrieveCustomCACertificate(opt.kubernetesCABundleFile)
+		if err != nil {
+			log.Fatalf("-kubernetes-ca-bundle is invalid: %s", err.Error())
+		}
+	}
+
 	if len(opt.caBundleFile) > 0 {
-		customCACert, err = retrieveCustomCACertificate(opt.caBundleFile)
+		hostCACert, err = retrieveCustomCACertificate(opt.caBundleFile)
 		if err != nil {
-			log.Fatalf("-ca-bundle is invalid: %s", err.Error())
+			log.Fatalf("-host-ca-bundle is invalid: %s", err.Error())
 		}
 	}
 
@@ -262,8 +276,8 @@ func main() {
 		}
 	}
 
-	caCert := customCACert
-	if opt.caBundleFile == "" {
+	caCert := kubernetesCustomCACert
+	if opt.kubernetesCABundleFile == "" {
 		caCert, err = certificate.GetCACert(opt.kubeconfig, mgr.GetConfig())
 		if err != nil {
 			log.Fatal("failed to load CA certificate", zap.Error(err))
@@ -289,6 +303,7 @@ func main() {
 		mgr.GetClient(),
 		bootstrappingManager,
 		caCert,
+		hostCACert,
 		opt.namespace,
 		opt.workerCount,
 		parsedClusterDNSIPs,

diff --git a/deploy/osps/default/osp-amzn2.yaml b/deploy/osps/default/osp-amzn2.yaml
@@ -46,6 +46,14 @@ spec:
 
         source /etc/environment
 
+      configureHostCABundle: |-
+        {{- if .HostCACert }}
+        cat <<EOF | tee /usr/local/share/ca-certificates/custom.crt
+        {{ .HostCACert }}
+        EOF
+        update-ca-certificates
+        {{- end }}
+
     files:
       - path: /opt/bin/supervise.sh
         permissions: 755
@@ -76,6 +84,7 @@ spec:
 
               {{- /* Configure proxy as the first step to ensure that all the phases of provisioning respect the proxy environment. */}}
               {{- template "configureProxyScript" }}
+              {{- template "configureHostCABundle" }}
 
               yum install -y curl jq
 

diff --git a/deploy/osps/default/osp-centos.yaml b/deploy/osps/default/osp-centos.yaml
@@ -55,6 +55,14 @@ spec:
 
         source /etc/environment
 
+      configureHostCABundle: |-
+        {{- if .HostCACert }}
+        cat <<EOF | tee /etc/pki/ca-trust/source/anchors/custom.crt
+        {{ .HostCACert }}
+        EOF
+        update-ca-trust
+        {{- end }}
+
     files:
       - path: /opt/bin/supervise.sh
         permissions: 755
@@ -85,6 +93,7 @@ spec:
 
               {{- /* Configure proxy as the first step to ensure that all the phases of provisioning respect the proxy environment. */}}
               {{- template "configureProxyScript" }}
+              {{- template "configureHostCABundle" }}
 
               source /etc/os-release
               if [ "$ID" == "centos" ] && [ "$VERSION_ID" == "8" ]; then

diff --git a/deploy/osps/default/osp-flatcar-cloud-init.yaml b/deploy/osps/default/osp-flatcar-cloud-init.yaml
@@ -47,6 +47,14 @@ spec:
 
         source /etc/environment
 
+      configureHostCABundle: |-
+        {{- if .HostCACert }}
+        cat <<EOF | tee /etc/ssl/certs/custom.pem
+        {{ .HostCACert }}
+        EOF
+        update-ca-certificates
+        {{- end }}
+
       safeDownloadBinariesScript: |-
         {{- /* setup some common directories */}}
         opt_bin=/opt/bin
@@ -225,6 +233,7 @@ spec:
 
               {{- /* Configure proxy as the first step to ensure that all the phases of provisioning respect the proxy environment. */}}
               {{- template "configureProxyScript" }}
+              {{- template "configureHostCABundle" }}
 
               {{- if not .FlatcarConfig.DisableAutoUpdate }}
               cat << EOF | tee /etc/polkit-1/rules.d/60-noreboot_norestart.rules

diff --git a/deploy/osps/default/osp-flatcar.yaml b/deploy/osps/default/osp-flatcar.yaml
@@ -53,6 +53,7 @@ spec:
         {{- end }}
 
         source /etc/environment
+
       configureVCloudNetworkStatic: |-
         function query_ovf () {
           PATH=$PATH:/usr/share/oem/bin/
@@ -103,6 +104,14 @@ spec:
 
         fi
 
+      configureHostCABundle: |-
+        {{- if .HostCACert }}
+        cat <<EOF | tee /etc/ssl/certs/custom.pem
+        {{ .HostCACert }}
+        EOF
+        update-ca-certificates
+        {{- end }}
+
     units:
       - name: bootstrap.service
         enable: true
@@ -149,6 +158,7 @@ spec:
 
               {{- /* Configure proxy as the first step to ensure that all the phases of provisioning respect the proxy environment. */}}
               {{- template "configureProxyScript" }}
+              {{- template "configureHostCABundle" }}
 
               curl -s -k -v --header 'Authorization: Bearer {{ .Token }}'	{{ .ServerURL }}/api/v1/namespaces/cloud-init-settings/secrets/{{ .SecretName }} | jq '.data["cloud-config"]' -r| base64 -d > /usr/share/oem/config.ign
 

diff --git a/deploy/osps/default/osp-rhel.yaml b/deploy/osps/default/osp-rhel.yaml
@@ -50,6 +50,14 @@ spec:
 
         source /etc/environment
 
+      configureHostCABundle: |-
+        {{- if .HostCACert }}
+        cat <<EOF | tee /etc/pki/ca-trust/source/whitelist/custom.crt
+        {{ .HostCACert }}
+        EOF
+        update-ca-trust
+        {{- end }}
+
     files:
       - path: /opt/bin/supervise.sh
         permissions: 755
@@ -80,6 +88,7 @@ spec:
 
               {{- /* Configure proxy as the first step to ensure that all the phases of provisioning respect the proxy environment. */}}
               {{- template "configureProxyScript" }}
+              {{- template "configureHostCABundle" }}
 
               yum install -y curl jq
 

diff --git a/deploy/osps/default/osp-rockylinux.yaml b/deploy/osps/default/osp-rockylinux.yaml
@@ -54,6 +54,14 @@ spec:
 
         source /etc/environment
 
+      configureHostCABundle: |-
+        {{- if .HostCACert }}
+        cat <<EOF | tee /etc/pki/ca-trust/source/anchors/custom.crt
+        {{ .HostCACert }}
+        EOF
+        update-ca-trust
+        {{- end }}
+
     files:
       - path: /opt/bin/supervise.sh
         permissions: 755
@@ -84,6 +92,7 @@ spec:
 
               {{- /* Configure proxy as the first step to ensure that all the phases of provisioning respect the proxy environment. */}}
               {{- template "configureProxyScript" }}
+              {{- template "configureHostCABundle" }}
 
               yum install -y curl jq
 

diff --git a/deploy/osps/default/osp-ubuntu.yaml b/deploy/osps/default/osp-ubuntu.yaml
@@ -67,6 +67,14 @@ spec:
 
         source /etc/environment
 
+      configureHostCABundle: |-
+        {{- if .HostCACert }}
+        cat <<EOF | sudo tee /usr/local/share/ca-certificates/custom.crt
+        {{ .HostCACert }}
+        EOF
+        sudo update-ca-certificates
+        {{- end }}
+
     files:
       - path: /opt/bin/supervise.sh
         permissions: 755
@@ -97,6 +105,7 @@ spec:
 
               {{- /* Configure proxy as the first step to ensure that all the phases of provisioning respect the proxy environment. */}}
               {{- template "configureProxyScript" }}
+              {{- template "configureHostCABundle" }}
 
               export DEBIAN_FRONTEND=noninteractive
               apt update && apt install -y curl jq

diff --git a/go.mod b/go.mod
@@ -10,8 +10,8 @@ require (
 	github.com/Masterminds/sprig/v3 v3.2.3
 	github.com/flatcar/container-linux-config-transpiler v0.9.4
 	github.com/go-logr/zapr v1.3.0
-	github.com/go-test/deep v1.1.0
-	github.com/kubermatic/machine-controller v1.59.1-0.20240606085204-d62ab03c71af
+	github.com/go-test/deep v1.1.1
+	github.com/kubermatic/machine-controller v1.59.1-0.20240627060120-8f3166ae03b0
 	github.com/onsi/ginkgo/v2 v2.19.0
 	github.com/pmezard/go-difflib v1.0.0
 	github.com/sethvargo/go-password v0.3.0
@@ -20,11 +20,11 @@ require (
 	gopkg.in/gcfg.v1 v1.2.3
 	gopkg.in/yaml.v3 v3.0.1
 	k8c.io/reconciler v0.5.0
-	k8s.io/api v0.30.1
-	k8s.io/apimachinery v0.30.1
-	k8s.io/client-go v0.30.1
-	k8s.io/code-generator v0.30.1
-	k8s.io/klog/v2 v2.120.1
+	k8s.io/api v0.30.2
+	k8s.io/apimachinery v0.30.2
+	k8s.io/client-go v0.30.2
+	k8s.io/code-generator v0.30.2
+	k8s.io/klog/v2 v2.130.1
 	k8s.io/utils v0.0.0-20240502163921-fe8a2dddb1d0
 	sigs.k8s.io/controller-runtime v0.18.4
 	sigs.k8s.io/controller-tools v0.14.0
@@ -34,7 +34,7 @@ require (
 require (
 	github.com/Masterminds/goutils v1.1.1 // indirect
 	github.com/ajeddeloh/go-json v0.0.0-20231102161613-e49c8866685a // indirect
-	github.com/alecthomas/units v0.0.0-20231202071711-9a357b53e9c9 // indirect
+	github.com/alecthomas/units v0.0.0-20240626203959-61d1e3462e30 // indirect
 	github.com/beorn7/perks v1.0.1 // indirect
 	github.com/cespare/xxhash/v2 v2.3.0 // indirect
 	github.com/coreos/go-semver v0.3.1 // indirect
@@ -58,7 +58,7 @@ require (
 	github.com/google/gnostic-models v0.6.8 // indirect
 	github.com/google/go-cmp v0.6.0 // indirect
 	github.com/google/gofuzz v1.2.1-0.20210504230335-f78f29fc09ea // indirect
-	github.com/google/pprof v0.0.0-20240528025155-186aa0362fba // indirect
+	github.com/google/pprof v0.0.0-20240625030939-27f56978b8b0 // indirect
 	github.com/google/uuid v1.6.0 // indirect
 	github.com/huandu/xstrings v1.5.0 // indirect
 	github.com/imdario/mergo v0.3.16 // indirect
@@ -77,7 +77,7 @@ require (
 	github.com/pkg/errors v0.9.1 // indirect
 	github.com/prometheus/client_golang v1.19.1 // indirect
 	github.com/prometheus/client_model v0.6.1 // indirect
-	github.com/prometheus/common v0.54.0 // indirect
+	github.com/prometheus/common v0.55.0 // indirect
 	github.com/prometheus/procfs v0.15.1 // indirect
 	github.com/shopspring/decimal v1.4.0 // indirect
 	github.com/spf13/cast v1.6.0 // indirect
@@ -86,7 +86,7 @@ require (
 	go.uber.org/multierr v1.11.0 // indirect
 	go4.org v0.0.0-20230225012048-214862532bf5 // indirect
 	golang.org/x/crypto v0.24.0 // indirect
-	golang.org/x/exp v0.0.0-20240604190554-fc45aab8b7f8 // indirect
+	golang.org/x/exp v0.0.0-20240613232115-7f521ea00fb8 // indirect
 	golang.org/x/mod v0.18.0 // indirect
 	golang.org/x/net v0.26.0 // indirect
 	golang.org/x/oauth2 v0.21.0 // indirect
@@ -97,16 +97,16 @@ require (
 	golang.org/x/time v0.5.0 // indirect
 	golang.org/x/tools v0.22.0 // indirect
 	gomodules.xyz/jsonpatch/v2 v2.4.0 // indirect
-	google.golang.org/protobuf v1.34.1 // indirect
+	google.golang.org/protobuf v1.34.2 // indirect
 	gopkg.in/inf.v0 v0.9.1 // indirect
 	gopkg.in/warnings.v0 v0.1.2 // indirect
 	gopkg.in/yaml.v2 v2.4.0 // indirect
-	k8s.io/apiextensions-apiserver v0.30.1 // indirect
+	k8s.io/apiextensions-apiserver v0.30.2 // indirect
 	k8s.io/gengo/v2 v2.0.0-20240228010128-51d4e06bde70 // indirect
 	k8s.io/klog v1.0.0 // indirect
-	k8s.io/kube-openapi v0.0.0-20240521193020-835d969ad83a // indirect
+	k8s.io/kube-openapi v0.0.0-20240620174524-b456828f718b // indirect
 	sigs.k8s.io/json v0.0.0-20221116044647-bc3834ca7abd // indirect
 	sigs.k8s.io/structured-merge-diff/v4 v4.4.1 // indirect
 )
 
-replace github.com/ajeddeloh/go-json => github.com/coreos/go-json v0.0.0-20230131223807-18775e0fb4fb
+replace github.com/ajeddeloh/go-json => github.com/coreos/go-json v0.0.0-20231102161613-e49c8866685a