diff --git a/cluster/gce/gci/configure-helper.sh b/cluster/gce/gci/configure-helper.sh index 8889ceb75ad..0bd7b201c8d 100644 --- a/cluster/gce/gci/configure-helper.sh +++ b/cluster/gce/gci/configure-helper.sh @@ -522,16 +522,6 @@ function create-node-pki { KUBELET_KEY_PATH="${pki_dir}/kubelet.key" write-pki-data "${KUBELET_KEY}" "${KUBELET_KEY_PATH}" fi - - if [[ "${ENABLE_EGRESS_VIA_KONNECTIVITY_SERVICE:-false}" == "true" ]]; then - mkdir -p "${pki_dir}/konnectivity-agent" - KONNECTIVITY_AGENT_CA_CERT_PATH="${pki_dir}/konnectivity-agent/ca.crt" - KONNECTIVITY_AGENT_CLIENT_KEY_PATH="${pki_dir}/konnectivity-agent/client.key" - KONNECTIVITY_AGENT_CLIENT_CERT_PATH="${pki_dir}/konnectivity-agent/client.crt" - write-pki-data "${KONNECTIVITY_AGENT_CA_CERT}" "${KONNECTIVITY_AGENT_CA_CERT_PATH}" - write-pki-data "${KONNECTIVITY_AGENT_CLIENT_KEY}" "${KONNECTIVITY_AGENT_CLIENT_KEY_PATH}" - write-pki-data "${KONNECTIVITY_AGENT_CLIENT_CERT}" "${KONNECTIVITY_AGENT_CLIENT_CERT_PATH}" - fi } function create-master-pki { @@ -599,42 +589,6 @@ function create-master-pki { PROXY_CLIENT_CERT_PATH="${pki_dir}/proxy_client.crt" write-pki-data "${PROXY_CLIENT_CERT}" "${PROXY_CLIENT_CERT_PATH}" fi - - if [[ ! -z "${KONNECTIVITY_SERVER_CA_CERT:-}" ]]; then - mkdir -p "${pki_dir}"/konnectivity-server - #KONNECTIVITY_SERVER_CA_KEY_PATH="${pki_dir}/konnectivity-server/ca.key" - #write-pki-data "${KONNECTIVITY_SERVER_CA_KEY}" "${KONNECTIVITY_SERVER_CA_KEY_PATH}" - - KONNECTIVITY_SERVER_CA_CERT_PATH="${pki_dir}/konnectivity-server/ca.crt" - write-pki-data "${KONNECTIVITY_SERVER_CA_CERT}" "${KONNECTIVITY_SERVER_CA_CERT_PATH}" - - KONNECTIVITY_SERVER_KEY_PATH="${pki_dir}/konnectivity-server/server.key" - write-pki-data "${KONNECTIVITY_SERVER_KEY}" "${KONNECTIVITY_SERVER_KEY_PATH}" - - KONNECTIVITY_SERVER_CERT_PATH="${pki_dir}/konnectivity-server/server.crt" - write-pki-data "${KONNECTIVITY_SERVER_CERT}" "${KONNECTIVITY_SERVER_CERT_PATH}" - - KONNECTIVITY_SERVER_CLIENT_KEY_PATH="${pki_dir}/konnectivity-server/client.key" - write-pki-data "${KONNECTIVITY_SERVER_CLIENT_KEY}" "${KONNECTIVITY_SERVER_CLIENT_KEY_PATH}" - - KONNECTIVITY_SERVER_CLIENT_CERT_PATH="${pki_dir}/konnectivity-server/client.crt" - write-pki-data "${KONNECTIVITY_SERVER_CLIENT_CERT}" "${KONNECTIVITY_SERVER_CLIENT_CERT_PATH}" - fi - - if [[ ! -z "${KONNECTIVITY_AGENT_CA_CERT:-}" ]]; then - mkdir -p "${pki_dir}"/konnectivity-agent - KONNECTIVITY_AGENT_CA_KEY_PATH="${pki_dir}/konnectivity-agent/ca.key" - write-pki-data "${KONNECTIVITY_AGENT_CA_KEY}" "${KONNECTIVITY_AGENT_CA_KEY_PATH}" - - KONNECTIVITY_AGENT_CA_CERT_PATH="${pki_dir}/konnectivity-agent/ca.crt" - write-pki-data "${KONNECTIVITY_AGENT_CA_CERT}" "${KONNECTIVITY_AGENT_CA_CERT_PATH}" - - KONNECTIVITY_AGENT_KEY_PATH="${pki_dir}/konnectivity-agent/server.key" - write-pki-data "${KONNECTIVITY_AGENT_KEY}" "${KONNECTIVITY_AGENT_KEY_PATH}" - - KONNECTIVITY_AGENT_CERT_PATH="${pki_dir}/konnectivity-agent/server.crt" - write-pki-data "${KONNECTIVITY_AGENT_CERT}" "${KONNECTIVITY_AGENT_CERT_PATH}" - fi } # After the first boot and on upgrade, these files exist on the master-pd @@ -1347,10 +1301,6 @@ function create-master-etcd-apiserver-auth { fi } -function create-master-konnectivity-server-apiserver-auth { - echo TODO: implement create-master-konnectivity-server-apiserver-auth -} - function assemble-docker-flags { echo "Assemble docker command line flags" local docker_opts="-p /var/run/docker.pid --iptables=false --ip-masq=false" @@ -2887,9 +2837,6 @@ function main() { create-master-pki create-master-auth ensure-master-bootstrap-kubectl-auth - if [[ "${ENABLE_EGRESS_VIA_KONNECTIVITY_SERVICE:-false}" == "true" ]]; then - create-master-konnectivity-server-apiserver-auth - fi create-master-kubelet-auth create-master-etcd-auth create-master-etcd-apiserver-auth diff --git a/cluster/gce/util.sh b/cluster/gce/util.sh index 14517c5da25..2c9fc2b8926 100755 --- a/cluster/gce/util.sh +++ b/cluster/gce/util.sh @@ -1093,18 +1093,6 @@ ETCD_APISERVER_SERVER_KEY: $(yaml-quote ${ETCD_APISERVER_SERVER_KEY_BASE64:-}) ETCD_APISERVER_SERVER_CERT: $(yaml-quote ${ETCD_APISERVER_SERVER_CERT_BASE64:-}) ETCD_APISERVER_CLIENT_KEY: $(yaml-quote ${ETCD_APISERVER_CLIENT_KEY_BASE64:-}) ETCD_APISERVER_CLIENT_CERT: $(yaml-quote ${ETCD_APISERVER_CLIENT_CERT_BASE64:-}) -KONNECTIVITY_SERVER_CA_KEY: $(yaml-quote ${KONNECTIVITY_SERVER_CA_KEY_BASE64:-}) -KONNECTIVITY_SERVER_CA_CERT: $(yaml-quote ${KONNECTIVITY_SERVER_CA_CERT_BASE64:-}) -KONNECTIVITY_SERVER_CERT: $(yaml-quote ${KONNECTIVITY_SERVER_CERT_BASE64:-}) -KONNECTIVITY_SERVER_KEY: $(yaml-quote ${KONNECTIVITY_SERVER_KEY_BASE64:-}) -KONNECTIVITY_SERVER_CLIENT_CERT: $(yaml-quote ${KONNECTIVITY_SERVER_CLIENT_CERT_BASE64:-}) -KONNECTIVITY_SERVER_CLIENT_KEY: $(yaml-quote ${KONNECTIVITY_SERVER_CLIENT_KEY_BASE64:-}) -KONNECTIVITY_AGENT_CA_KEY: $(yaml-quote ${KONNECTIVITY_AGENT_CA_KEY_BASE64:-}) -KONNECTIVITY_AGENT_CA_CERT: $(yaml-quote ${KONNECTIVITY_AGENT_CA_CERT_BASE64:-}) -KONNECTIVITY_AGENT_CERT: $(yaml-quote ${KONNECTIVITY_AGENT_CERT_BASE64:-}) -KONNECTIVITY_AGENT_KEY: $(yaml-quote ${KONNECTIVITY_AGENT_KEY_BASE64:-}) -KONNECTIVITY_AGENT_CLIENT_CERT: $(yaml-quote ${KONNECTIVITY_AGENT_CLIENT_CERT_BASE64:-}) -KONNECTIVITY_AGENT_CLIENT_KEY: $(yaml-quote ${KONNECTIVITY_AGENT_CLIENT_KEY_BASE64:-}) EOF } @@ -1254,9 +1242,6 @@ EOF fi if [[ "${master}" == "false" ]]; then cat >>$file <${cert_create_debug_output} || true + cp -r easy-rsa-master/easyrsa3/* easy-rsa-master/aggregator) &>${cert_create_debug_output} || true CERT_DIR="${KUBE_TEMP}/easy-rsa-master/easyrsa3" AGGREGATOR_CERT_DIR="${KUBE_TEMP}/easy-rsa-master/aggregator" - KONNECTIVITY_SERVER_CERT_DIR="${KUBE_TEMP}/easy-rsa-master/konnectivity-server" - KONNECTIVITY_AGENT_CERT_DIR="${KUBE_TEMP}/easy-rsa-master/konnectivity-agent" if [ ! -x "${CERT_DIR}/easyrsa" -o ! -x "${AGGREGATOR_CERT_DIR}/easyrsa" ]; then # TODO(roberthbailey,porridge): add better error handling here, # see https://github.com/kubernetes/kubernetes/issues/55229 @@ -1822,92 +1784,6 @@ function generate-aggregator-certs { fi } -# Runs the easy RSA commands to generate server side certificate files -# for the konnectivity server. This includes both server side to both -# konnectivity-server and konnectivity-agent. -# The generated files are in ${KONNECTIVITY_SERVER_CERT_DIR} and -# ${KONNECTIVITY_AGENT_CERT_DIR} -# -# Assumed vars -# KUBE_TEMP -# KONNECTIVITY_SERVER_CERT_DIR -# KONNECTIVITY_SERVER_PRIMARY_CN: Primary canonical name -# KONNECTIVITY_SERVER_SANS: Subject alternate names -# -function generate-konnectivity-server-certs { - local -r cert_create_debug_output=$(mktemp "${KUBE_TEMP}/cert_create_debug_output.XXX") - # Note: This was heavily cribbed from make-ca-cert.sh - (set -x - # Make the client <-> konnectivity server side certificates. - cd "${KUBE_TEMP}/easy-rsa-master/konnectivity-server" - ./easyrsa init-pki - # this puts the cert into pki/ca.crt and the key into pki/private/ca.key - ./easyrsa --batch "--req-cn=${KONNECTIVITY_SERVER_PRIMARY_CN}@$(date +%s)" build-ca nopass - ./easyrsa --subject-alt-name="IP:127.0.0.1,${KONNECTIVITY_SERVER_SANS}" build-server-full server nopass - ./easyrsa build-client-full client nopass - - kube::util::ensure-cfssl "${KUBE_TEMP}/cfssl" - - # make the config for the signer - echo '{"signing":{"default":{"expiry":"43800h","usages":["signing","key encipherment","client auth"]}}}' > "ca-config.json" - # create the konnectivity server cert with the correct groups - echo '{"CN":"konnectivity-server","hosts":[""],"key":{"algo":"rsa","size":2048}}' | "${CFSSL_BIN}" gencert -ca=pki/ca.crt -ca-key=pki/private/ca.key -config=ca-config.json - | "${CFSSLJSON_BIN}" -bare konnectivity-server - rm -f "konnectivity-server.csr" - - # Make the agent <-> konnectivity server side certificates. - cd "${KUBE_TEMP}/easy-rsa-master/konnectivity-agent" - ./easyrsa init-pki - # this puts the cert into pki/ca.crt and the key into pki/private/ca.key - ./easyrsa --batch "--req-cn=${KONNECTIVITY_SERVER_PRIMARY_CN}@$(date +%s)" build-ca nopass - ./easyrsa --subject-alt-name="${KONNECTIVITY_SERVER_SANS}" build-server-full server nopass - ./easyrsa build-client-full client nopass - - kube::util::ensure-cfssl "${KUBE_TEMP}/cfssl" - - # make the config for the signer - echo '{"signing":{"default":{"expiry":"43800h","usages":["signing","key encipherment","agent auth"]}}}' > "ca-config.json" - # create the konnectivity server cert with the correct groups - echo '{"CN":"koonectivity-server","hosts":[""],"key":{"algo":"rsa","size":2048}}' | "${CFSSL_BIN}" gencert -ca=pki/ca.crt -ca-key=pki/private/ca.key -config=ca-config.json - | "${CFSSLJSON_BIN}" -bare konnectivity-agent - rm -f "konnectivity-agent.csr" - - echo `ls ${KONNECTIVITY_SERVER_CERT_DIR}/pki/` - echo `ls ${KONNECTIVITY_SERVER_CERT_DIR}/pki/private/` - echo `ls ${KONNECTIVITY_SERVER_CERT_DIR}/pki/issued/` - echo `ls ${KONNECTIVITY_AGENT_CERT_DIR}/pki/` - echo `ls ${KONNECTIVITY_AGENT_CERT_DIR}/pki/private/` - echo `ls ${KONNECTIVITY_AGENT_CERT_DIR}/pki/issued/` - echo "completed main certificate section") &>${cert_create_debug_output} || true - - local output_file_missing=0 - local output_file - for output_file in \ - "${KONNECTIVITY_SERVER_CERT_DIR}/pki/private/ca.key" \ - "${KONNECTIVITY_SERVER_CERT_DIR}/pki/ca.crt" \ - "${KONNECTIVITY_SERVER_CERT_DIR}/pki/issued/server.crt" \ - "${KONNECTIVITY_SERVER_CERT_DIR}/pki/private/server.key" \ - "${KONNECTIVITY_SERVER_CERT_DIR}/pki/issued/client.crt" \ - "${KONNECTIVITY_SERVER_CERT_DIR}/pki/private/client.key" \ - "${KONNECTIVITY_AGENT_CERT_DIR}/pki/private/ca.key" \ - "${KONNECTIVITY_AGENT_CERT_DIR}/pki/ca.crt" \ - "${KONNECTIVITY_AGENT_CERT_DIR}/pki/issued/server.crt" \ - "${KONNECTIVITY_AGENT_CERT_DIR}/pki/private/server.key" \ - "${KONNECTIVITY_AGENT_CERT_DIR}/pki/issued/client.crt" \ - "${KONNECTIVITY_AGENT_CERT_DIR}/pki/private/client.key" - do - if [[ ! -s "${output_file}" ]]; then - echo "Expected file ${output_file} not created" >&2 - output_file_missing=1 - fi - done - if (( $output_file_missing )); then - # TODO(roberthbailey,porridge): add better error handling here, - # see https://github.com/kubernetes/kubernetes/issues/55229 - cat "${cert_create_debug_output}" >&2 - echo "=== Failed to generate konnectivity-server certificates: Aborting ===" >&2 - exit 2 - fi -} - # Using provided master env, extracts value from provided key. # # Args: @@ -1947,16 +1823,6 @@ function parse-master-env() { ETCD_APISERVER_SERVER_CERT_BASE64=$(get-env-val "${master_env}" "ETCD_APISERVER_SERVER_CERT") ETCD_APISERVER_CLIENT_KEY_BASE64=$(get-env-val "${master_env}" "ETCD_APISERVER_CLIENT_KEY") ETCD_APISERVER_CLIENT_CERT_BASE64=$(get-env-val "${master_env}" "ETCD_APISERVER_CLIENT_CERT") - KONNECTIVITY_SERVER_CA_KEY_BASE64=$(get-env-val "${master_env}" "KONNECTIVITY_SERVER_CA_KEY") - KONNECTIVITY_SERVER_CA_CERT_BASE64=$(get-env-val "${master_env}" "KONNECTIVITY_SERVER_CA_CERT") - KONNECTIVITY_SERVER_CERT_BASE64=$(get-env-val "${master_env}" "KONNECTIVITY_SERVER_CERT") - KONNECTIVITY_SERVER_KEY_BASE64=$(get-env-val "${master_env}" "KONNECTIVITY_SERVER_KEY") - KONNECTIVITY_SERVER_CLIENT_CERT_BASE64=$(get-env-val "${master_env}" "KONNECTIVITY_SERVER_CLIENT_CERT") - KONNECTIVITY_SERVER_CLIENT_KEY_BASE64=$(get-env-val "${master_env}" "KONNECTIVITY_SERVER_CLIENT_KEY") - KONNECTIVITY_AGENT_CA_KEY_BASE64=$(get-env-val "${master_env}" "KONNECTIVITY_AGENT_CA_KEY") - KONNECTIVITY_AGENT_CA_CERT_BASE64=$(get-env-val "${master_env}" "KONNECTIVITY_AGENT_CA_CERT") - KONNECTIVITY_AGENT_CERT_BASE64=$(get-env-val "${master_env}" "KONNECTIVITY_AGENT_CERT") - KONNECTIVITY_AGENT_KEY_BASE64=$(get-env-val "${master_env}" "KONNECTIVITY_AGENT_KEY") } # Update or verify required gcloud components are installed