This repository has been archived by the owner on Mar 2, 2022. It is now read-only.

Secure etcd deployment with TLS assets generated by kubeadm #112

Closed
wants to merge 4 commits into from

Conversation

alexbrand
Contributor

Fixes #40

The following PR deploys a secure etcd cluster (listening on HTTPS for clients and peers).

The etcd role now:

  1. Downloads the kubeadm binary directly from the kubernetes release "bucket". The kubeadm version is configurable via a variable.
  2. Uses kubeadm to generate the keys and certificates required for secure etcd on the first etcd node.
  3. Slurps and distributes the generated certs to the rest of the etcd nodes.

The kubernetes-masters role now:

  1. Slurps the etcd certificates from the first etcd node and copies them to the master nodes.
  2. The etcd client endpoints variable now uses HTTPS instead of HTTP.

Notes for reviewer:

  1. Not sure if there's a way to avoid defining the kubernetes version in multiple roles. With this PR, we are adding one more place where the kubernetes (really kubeadm) version must be specified.
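The flow listed above (download kubeadm, generate the etcd CA on the first etcd node, slurp it, distribute it, then issue per-node certs from the shared CA) as an added Ansible example; this is not the PR's own role. It assumes kubeadm 1.13 or later (which has `kubeadm init phase certs`), an inventory group named `etcd`, and the hypothetical variables `kubeadm_version` and `etcd_pki_dir`.

```yaml
# Added example, not the PR's own role. Assumes kubeadm >= 1.13 (which has
# "kubeadm init phase certs"), an inventory group named "etcd", and the
# hypothetical variables kubeadm_version and etcd_pki_dir.
- name: Generate and distribute etcd TLS assets with kubeadm
  hosts: etcd
  become: true
  vars:
    kubeadm_version: "1.13.4"   # constructed default; override per cluster
    etcd_pki_dir: /etc/kubernetes/pki/etcd
    etcd_leader: "{{ groups['etcd'] | first }}"
  tasks:
    - name: Download the kubeadm binary from the kubernetes release bucket
      get_url:
        url: "https://storage.googleapis.com/kubernetes-release/release/v{{ kubeadm_version }}/bin/linux/amd64/kubeadm"
        dest: /usr/local/bin/kubeadm
        mode: "0755"
    - name: Ensure the etcd pki directory exists on every node (root-only)
      file:
        path: "{{ etcd_pki_dir }}"
        state: directory
        mode: "0700"
    - name: Generate the etcd CA once, on the first etcd node only
      command: kubeadm init phase certs etcd-ca --cert-dir /etc/kubernetes/pki
      args:
        creates: "{{ etcd_pki_dir }}/ca.crt"
      delegate_to: "{{ etcd_leader }}"
      run_once: true
    - name: Slurp the CA pair from the first etcd node
      slurp:
        src: "{{ etcd_pki_dir }}/{{ item }}"
      loop: [ca.crt, ca.key]
      register: etcd_ca_pki
      delegate_to: "{{ etcd_leader }}"
      run_once: true
    - name: Install the shared CA on the remaining etcd nodes (key stays 0600)
      copy:
        content: "{{ item.content | b64decode }}"
        dest: "{{ etcd_pki_dir }}/{{ item.item }}"
        owner: root
        group: root
        mode: "{{ '0600' if item.item.endswith('.key') else '0644' }}"
      loop: "{{ etcd_ca_pki.results }}"
      when: inventory_hostname != etcd_leader
    - name: Issue this node's server, peer and healthcheck certs from the shared CA
      command: kubeadm init phase certs {{ item }} --cert-dir /etc/kubernetes/pki
      args:
        creates: "{{ etcd_pki_dir }}/{{ item | regex_replace('^etcd-', '') }}.crt"
      loop: [etcd-server, etcd-peer, etcd-healthcheck-client]
```

Because only the CA pair crosses the wire, each node's server and peer keys are generated locally and never leave that host.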

@scottslowe
Contributor

scottslowe commented Feb 25, 2019

@alexbrand Can you have a look at this PR and see if you can resolve any merge conflicts?

@detiber
Contributor

detiber commented Feb 25, 2019

@chuckha ptal

Created a secure-etcd role which uses kubeadm to generate all TLS assets
required to bootstrap a secure etcd cluster.

Signed-off-by: Alexander Brand <alexbrand09@gmail.com>
@alexbrand
Contributor Author

@scottslowe all set 👍

Contributor

@chuckha chuckha left a comment


One tiny nit, since I don't know much about Ansible's syntax.

from a kubeadm perspective this looks 💯! Super excited to have this change in wardroom. I think this unblocks standing up a multi-node control plane cluster with the Quickstart.

- ca.crt
- ca.key
register: etcd_ca_pki
delegate_to: "{{ groups['etcd'][0] }}"
Contributor


I see the [0] in a few places here and |first later on, should these be consistent?

Contributor Author


Good call. I've updated to |first.

Signed-off-by: Alexander Brand <alexbrand09@gmail.com>
Contributor

@chuckha chuckha left a comment


lgtm!

@alexbrand
Contributor Author

Closing, as this is superseded by #181.

@alexbrand alexbrand closed this May 2, 2019