From 0d77f62c02cbf2e88547cd3d114e948a1fdb3371 Mon Sep 17 00:00:00 2001
From: Wojciech Tyczynski
Date: Sat, 27 Apr 2019 06:50:20 +0200
Subject: [PATCH] Revert "override ETCD_SERVER with https instead http when mTLS is enabled"

---
 cluster/common.sh | 3 +--
 cluster/gce/gci/configure-helper.sh | 30 +++++++----------------------
 cluster/gce/manifests/etcd.manifest | 4 ++--
 3 files changed, 10 insertions(+), 27 deletions(-)

diff --git a/cluster/common.sh b/cluster/common.sh
index d7b19b01cf6..052f2e1fa02 100755
--- a/cluster/common.sh
+++ b/cluster/common.sh
@@ -376,8 +376,7 @@ function generate-etcd-cert() {
 "usages": [
 "signing",
 "key encipherment",
- "server auth",
- "client auth"
+ "server auth"
 ]
 },
 "client": {
diff --git a/cluster/gce/gci/configure-helper.sh b/cluster/gce/gci/configure-helper.sh
index 70ebda6e04e..f16d156f8b2 100644
--- a/cluster/gce/gci/configure-helper.sh
+++ b/cluster/gce/gci/configure-helper.sh
@@ -1400,12 +1400,9 @@ function prepare-etcd-manifest {
 local etcd_cluster=""
 local cluster_state="new"
 local etcd_protocol="http"
- local etcd_apiserver_protocol="http"
 local etcd_creds=""
 local etcd_apiserver_creds="${ETCD_APISERVER_CREDS:-}"
 local etcd_extra_args="${ETCD_EXTRA_ARGS:-}"
- local suffix="$1"
- local etcd_livenessprobe_port="$2"
 
 if [[ -n "${INITIAL_ETCD_CLUSTER_STATE:-}" ]]; then
 cluster_state="${INITIAL_ETCD_CLUSTER_STATE}"
@@ -1415,12 +1412,8 @@ function prepare-etcd-manifest {
 etcd_protocol="https"
 fi
 
- # mTLS should only be enabled for etcd server but not etcd-events. if $1 suffix is empty, it's etcd server.
- if [[ -z "${suffix}" && -n "${ETCD_APISERVER_CA_KEY:-}" && -n "${ETCD_APISERVER_CA_CERT:-}" && -n "${ETCD_APISERVER_SERVER_KEY:-}" && -n "${ETCD_APISERVER_SERVER_CERT:-}" && -n "${ETCD_APISERVER_CLIENT_KEY:-}" && -n "${ETCD_APISERVER_CLIENT_CERT:-}" ]]; then
+ if [[ -n "${ETCD_APISERVER_CA_KEY:-}" && -n "${ETCD_APISERVER_CA_CERT:-}" && -n "${ETCD_APISERVER_SERVER_KEY:-}" && -n "${ETCD_APISERVER_SERVER_CERT:-}" ]]; then
 etcd_apiserver_creds=" --client-cert-auth --trusted-ca-file ${ETCD_APISERVER_CA_CERT_PATH} --cert-file ${ETCD_APISERVER_SERVER_CERT_PATH} --key-file ${ETCD_APISERVER_SERVER_KEY_PATH} "
- etcd_apiserver_protocol="https"
- etcd_livenessprobe_port="2382"
- etcd_extra_args+=" --listen-metrics-urls=http://127.0.0.1:${etcd_livenessprobe_port} "
 fi
 
 for host in $(echo "${INITIAL_ETCD_CLUSTER:-${host_name}}" | tr "," "\n"); do
@@ -1467,11 +1460,9 @@ function prepare-etcd-manifest {
 sed -i -e "s@{{ *pillar\.get('etcd_docker_repository', '\(.*\)') *}}@\1@g" "${temp_file}"
 fi
 sed -i -e "s@{{ *etcd_protocol *}}@$etcd_protocol@g" "${temp_file}"
- sed -i -e "s@{{ *etcd_apiserver_protocol *}}@$etcd_apiserver_protocol@g" "${temp_file}"
 sed -i -e "s@{{ *etcd_creds *}}@$etcd_creds@g" "${temp_file}"
 sed -i -e "s@{{ *etcd_apiserver_creds *}}@$etcd_apiserver_creds@g" "${temp_file}"
 sed -i -e "s@{{ *etcd_extra_args *}}@$etcd_extra_args@g" "${temp_file}"
- sed -i -e "s@{{ *etcd_livenessprobe_port *}}@$etcd_livenessprobe_port@g" "${temp_file}"
 if [[ -n "${ETCD_VERSION:-}" ]]; then
 sed -i -e "s@{{ *pillar\.get('etcd_version', '\(.*\)') *}}@${ETCD_VERSION}@g" "${temp_file}"
 else
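Review bot: The new condition `+ if [[ -n "${ETCD_APISERVER_CA_KEY:-}" && ... -n "${ETCD_APISERVER_SERVER_CERT:-}" ]]` still fills `etcd_apiserver_creds` with `--client-cert-auth --trusted-ca-file ... --cert-file ... --key-file ...`, yet the etcd.manifest hunk in this same patch pins `--listen-client-urls` and `--advertise-client-urls` to `http://127.0.0.1:{{ port }}`, so the client listener stays plaintext and these flags have nothing to protect on it. Anyone setting ETCD_APISERVER_* will read the rendered manifest as mTLS-enabled when, as far as these hunks show, the kube-apiserver to etcd path is unencrypted. A comment at the assignment, e.g. `# NOTE: etcd.manifest keeps client URLs on http://, so these flags do not secure the apiserver<->etcd connection`, would record the effective state; the same caveat applies to the manifest hunk at `@@ -23,7`. Dropping the `-z "${suffix}"` guard also means the same creds are now rendered into the etcd-events manifest, which is presumably intended by the revert but worth confirming. prepare-etcd-manifest starts and ends outside this hunk.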
@@ -1574,24 +1565,17 @@ function start-kube-apiserver {
 params+=" --allow-privileged=true"
 params+=" --cloud-provider=gce"
 params+=" --client-ca-file=${CA_CERT_BUNDLE_PATH}"
-
- if [[ -n "${ETCD_APISERVER_CA_KEY:-}" && -n "${ETCD_APISERVER_CA_CERT:-}" && -n "${ETCD_APISERVER_SERVER_KEY:-}" && -n "${ETCD_APISERVER_SERVER_CERT:-}" && -n "${ETCD_APISERVER_CLIENT_KEY:-}" && -n "${ETCD_APISERVER_CLIENT_CERT:-}" ]]; then
- params+=" --etcd-servers=${ETCD_SERVERS:-https://127.0.0.1:2379}"
- params+=" --etcd-cafile=${ETCD_APISERVER_CA_CERT_PATH}"
- params+=" --etcd-certfile=${ETCD_APISERVER_CLIENT_CERT_PATH}"
- params+=" --etcd-keyfile=${ETCD_APISERVER_CLIENT_KEY_PATH}"
- elif [[ -z "${ETCD_APISERVER_CA_KEY:-}" && -z "${ETCD_APISERVER_CA_CERT:-}" && -z "${ETCD_APISERVER_SERVER_KEY:-}" && -z "${ETCD_APISERVER_SERVER_CERT:-}" && -z "${ETCD_APISERVER_CLIENT_KEY:-}" && -z "${ETCD_APISERVER_CLIENT_CERT:-}" ]]; then
- echo "WARNING: ALL of ETCD_APISERVER_CA_KEY, ETCD_APISERVER_CA_CERT, ETCD_APISERVER_SERVER_KEY, ETCD_APISERVER_SERVER_CERT, ETCD_APISERVER_CLIENT_KEY and ETCD_APISERVER_CLIENT_CERT are missing, mTLS between etcd server and kube-apiserver is not enabled."
- else
- echo "ERROR: Some of ETCD_APISERVER_CA_KEY, ETCD_APISERVER_CA_CERT, ETCD_APISERVER_SERVER_KEY, ETCD_APISERVER_SERVER_CERT, ETCD_APISERVER_CLIENT_KEY and ETCD_APISERVER_CLIENT_CERT are missing, mTLS between etcd server and kube-apiserver cannot be enabled. Please provide all mTLS credential."
- exit 1
- fi
-
+ params+=" --etcd-servers=${ETCD_SERVERS:-http://127.0.0.1:2379}"
 if [[ -z "${ETCD_SERVERS:-}" ]]; then
 params+=" --etcd-servers-overrides=${ETCD_SERVERS_OVERRIDES:-/events#http://127.0.0.1:4002}"
 elif [[ -n "${ETCD_SERVERS_OVERRIDES:-}" ]]; then
 params+=" --etcd-servers-overrides=${ETCD_SERVERS_OVERRIDES:-}"
 fi
+ if [[ -n "${ETCD_APISERVER_CA_KEY:-}" && -n "${ETCD_APISERVER_CA_CERT:-}" && -n "${ETCD_APISERVER_CLIENT_KEY:-}" && -n "${ETCD_APISERVER_CLIENT_CERT:-}" ]]; then
+ params+=" --etcd-cafile=${ETCD_APISERVER_CA_CERT_PATH}"
+ params+=" --etcd-certfile=${ETCD_APISERVER_CLIENT_CERT_PATH}"
+ params+=" --etcd-keyfile=${ETCD_APISERVER_CLIENT_KEY_PATH}"
+ fi
 params+=" --secure-port=443"
 if [[ "${ENABLE_APISERVER_INSECURE_PORT:-true}" != "true" ]]; then
 # Default is :8080
diff --git a/cluster/gce/manifests/etcd.manifest b/cluster/gce/manifests/etcd.manifest
index 9523d9e3199..0211aa1dbb2 100644
--- a/cluster/gce/manifests/etcd.manifest
+++ b/cluster/gce/manifests/etcd.manifest
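Review bot: With ETCD_SERVERS unset, the new code hands kube-apiserver client certificates for a plaintext endpoint: `--etcd-servers` defaults to `http://127.0.0.1:2379` at the top of the replaced block, while the `+ if [[ -n "${ETCD_APISERVER_CA_KEY:-}" ... ]]` block below appends `--etcd-cafile`, `--etcd-certfile` and `--etcd-keyfile` without checking the URL scheme, so the files are presumably never used on that connection. Nothing is logged either way, so a deployment that expected mTLS cannot tell from startup output that it is talking to etcd in the clear. A diagnostic beside the block, e.g. `echo "etcd client TLS files configured; they take effect only if ETCD_SERVERS uses https://" >&2`, or at least a comment stating the dependency on the ETCD_SERVERS scheme, would make that visible. The condition also tests only the *_KEY/*_CERT variables, not the *_PATH variables it actually passes to the apiserver. start-kube-apiserver continues outside the hunk on both sides.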
@@ -23,7 +23,7 @@
 "command": [
 "/bin/sh",
 "-c",
- "if [ -e /usr/local/bin/migrate-if-needed.sh ]; then /usr/local/bin/migrate-if-needed.sh 1>>/var/log/etcd{{ suffix }}.log 2>&1; fi; exec /usr/local/bin/etcd --name etcd-{{ hostname }} --listen-peer-urls {{ etcd_protocol }}://{{ host_ip }}:{{ server_port }} --initial-advertise-peer-urls {{ etcd_protocol }}://{{ hostname }}:{{ server_port }} --advertise-client-urls {{ etcd_apiserver_protocol }}://127.0.0.1:{{ port }} --listen-client-urls {{ etcd_apiserver_protocol }}://127.0.0.1:{{ port }} {{ quota_bytes }} --data-dir /var/etcd/data{{ suffix }} --initial-cluster-state {{ cluster_state }} --initial-cluster {{ etcd_cluster }} {{ etcd_creds }} {{ etcd_apiserver_creds }} {{ etcd_extra_args }} 1>>/var/log/etcd{{ suffix }}.log 2>&1"
+ "if [ -e /usr/local/bin/migrate-if-needed.sh ]; then /usr/local/bin/migrate-if-needed.sh 1>>/var/log/etcd{{ suffix }}.log 2>&1; fi; exec /usr/local/bin/etcd --name etcd-{{ hostname }} --listen-peer-urls {{ etcd_protocol }}://{{ host_ip }}:{{ server_port }} --initial-advertise-peer-urls {{ etcd_protocol }}://{{ hostname }}:{{ server_port }} --advertise-client-urls http://127.0.0.1:{{ port }} --listen-client-urls http://127.0.0.1:{{ port }} {{ quota_bytes }} --data-dir /var/etcd/data{{ suffix }} --initial-cluster-state {{ cluster_state }} --initial-cluster {{ etcd_cluster }} {{ etcd_creds }} {{ etcd_apiserver_creds }} {{ etcd_extra_args }} 1>>/var/log/etcd{{ suffix }}.log 2>&1"
 ],
 "env": [
 { "name": "TARGET_STORAGE",
@@ -57,7 +57,7 @@
 "livenessProbe": {
 "httpGet": {
 "host": "127.0.0.1",
- "port": {{ etcd_livenessprobe_port }},
+ "port": {{ port }},
 "path": "/health"
 },
 "initialDelaySeconds": {{ liveness_probe_initial_delay }},