Alexandros Kosiaris has submitted this change and it was merged. ( https://gerrit.wikimedia.org/r/352860 )
Change subject: Use a service cert for kubernetes masters ...................................................................... Use a service cert for kubernetes masters Populate and use a service certificate for kubemaster.svc.$site.wmnet Change-Id: Iaf4ddf2fa6933c9231c24856853fa0ffeb45469f --- A files/ssl/kubemaster.svc.codfw.wmnet.crt A files/ssl/kubemaster.svc.eqiad.wmnet.crt M hieradata/role/common/kubernetes/master.yaml M modules/profile/manifests/kubernetes/master.pp 4 files changed, 66 insertions(+), 7 deletions(-) Approvals: Alexandros Kosiaris: Verified; Looks good to me, approved
diff --git a/files/ssl/kubemaster.svc.codfw.wmnet.crt b/files/ssl/kubemaster.svc.codfw.wmnet.crt
new file mode 100644
index 0000000..62c3c2c
--- /dev/null
+++ b/files/ssl/kubemaster.svc.codfw.wmnet.crt
@@ -0,0 +1,26 @@ +-----BEGIN CERTIFICATE----- +MIIEXzCCAkegAwIBAgICCyowDQYJKoZIhvcNAQELBQAwKzEpMCcGA1UEAwwgUHVw +cGV0IENBOiBwYWxsYWRpdW0uZXFpYWQud21uZXQwHhcNMTcwNTA4MTUwMjMxWhcN +MjIwNTA4MTUwMjMxWjCBhDEjMCEGA1UEAwwaa3ViZW1hc3Rlci5zdmMuY29kZncu +d21uZXQxIzAhBgNVBAoMGldpa2ltZWRpYSBGb3VuZGF0aW9uLCBJbmMuMQswCQYD +VQQGEwJVUzETMBEGA1UECAwKQ2FsaWZvcm5pYTEWMBQGA1UEBwwNU2FuIEZyYW5j +aXNjbzBZMBMGByqGSM49AgEGCCqGSM49AwEHA0IABFFQlgvBQZB20xQTnmbZndr4 +SSgMmpfDaLEwyJ32KsJccbfh+ITE+dXlPmUd5X3+eXa5YoHkb/6gsM+d1eioNqCj +gf0wgfowNQYJYIZIAYb4QgENBChQdXBwZXQgUnVieS9PcGVuU1NMIEludGVybmFs +IENlcnRpZmljYXRlMEEGA1UdEQQ6MDiCGmt1YmVtYXN0ZXIuc3ZjLmNvZGZ3Lndt +bmV0ghprdWJlbWFzdGVyLnN2Yy5jb2Rmdy53bW5ldDAOBgNVHQ8BAf8EBAMCBaAw +IAYDVR0lAQH/BBYwFAYIKwYBBQUHAwEGCCsGAQUFBwMCMAwGA1UdEwEB/wQCMAAw +HQYDVR0OBBYEFIPb4LnJWsala8/4Cua/0nOiDIPMMB8GA1UdIwQYMBaAFFnkhjB+ +Aq8NAKZ07Zr2DheubK66MA0GCSqGSIb3DQEBCwUAA4ICAQAqwtjL2B/yBnN0rmxT +UtA+HGBJ/hOk4eWIIiSpeuDPlvx84e+E7F5GtxJSVd7l5Y1v2dEmi/Rw2dPkXTgI +COLC519Sg0b1cAkjn01A14FWqpx26ujl/CZEyImPHrSueRvTmjhGuoBMvrnEvZnV +YL9doO5Svga8+4rXf/zztP+wWzkOt8/HfGpbkA/fuA7aNGS+oSpu6jzsHV0nru9v +kGa9mMgbowh9P3KbqpRANXQtvFvzAUZLbIo17VJc30MLvcTgepakRhGqL3j3godJ +jIQduReus+jAFkLts3xD1Jfq8o0Ra6QUxqDnLRkEyntqvwcpcPIMYhhdstfyL1cy +3gAXbkK6m+gwMjTzKTn3ul4BcsmD2v+pW2/j7cPb0Io9LyoDtOJb0itVYMPqBD27 +BWifyjUuM/A/QCcffam6Mhkb94J+2W9Z+KAkhRD5dNzWLLOOK6LXv5Gza+5MjKpT +V1fyL+Nxb3AMGbSjmXLdlOIZatE4mmhhMzyBRHNeovstejZqA7xSkG9nQnjJnBR7 +csuWCIPIIpReKQlRj8K962xry7e7BYPs7oXYoZob7MjvkFliOL5hytEGbZ1P8Moo +aYpNBXYh1mPWc6uBoCnd2ziVKXRnQTm4qWHotVDttR7z71IcQ3BAawH4R0bQjy/o +a/Ki4Gdu8dOIwLKvdr60nbbYjg== +-----END CERTIFICATE----- diff --git a/files/ssl/kubemaster.svc.eqiad.wmnet.crt b/files/ssl/kubemaster.svc.eqiad.wmnet.crt new file mode 100644 index 0000000..9c01629 --- /dev/null +++ b/files/ssl/kubemaster.svc.eqiad.wmnet.crt 
@@ -0,0 +1,26 @@ +-----BEGIN CERTIFICATE----- +MIIEXzCCAkegAwIBAgICCykwDQYJKoZIhvcNAQELBQAwKzEpMCcGA1UEAwwgUHVw +cGV0IENBOiBwYWxsYWRpdW0uZXFpYWQud21uZXQwHhcNMTcwNTA4MTUwMjEwWhcN +MjIwNTA4MTUwMjEwWjCBhDEjMCEGA1UEAwwaa3ViZW1hc3Rlci5zdmMuZXFpYWQu +d21uZXQxIzAhBgNVBAoMGldpa2ltZWRpYSBGb3VuZGF0aW9uLCBJbmMuMQswCQYD +VQQGEwJVUzETMBEGA1UECAwKQ2FsaWZvcm5pYTEWMBQGA1UEBwwNU2FuIEZyYW5j +aXNjbzBZMBMGByqGSM49AgEGCCqGSM49AwEHA0IABK1gPQp9xahsCIOf+wgrs62+ ++qKasSl3LqHpXcu7tFO+Nsrcw/d0Vh9Evd30yvNb1np/V8zr2waHqN73b2dCHlej +gf0wgfowNQYJYIZIAYb4QgENBChQdXBwZXQgUnVieS9PcGVuU1NMIEludGVybmFs +IENlcnRpZmljYXRlMEEGA1UdEQQ6MDiCGmt1YmVtYXN0ZXIuc3ZjLmVxaWFkLndt +bmV0ghprdWJlbWFzdGVyLnN2Yy5lcWlhZC53bW5ldDAOBgNVHQ8BAf8EBAMCBaAw +IAYDVR0lAQH/BBYwFAYIKwYBBQUHAwEGCCsGAQUFBwMCMAwGA1UdEwEB/wQCMAAw +HQYDVR0OBBYEFCtxdvawz7kapyqA8QzyP8J5pfYZMB8GA1UdIwQYMBaAFFnkhjB+ +Aq8NAKZ07Zr2DheubK66MA0GCSqGSIb3DQEBCwUAA4ICAQAIsEBn0hl2j+dHmfH6 +kX3a1VwkQpgu/qk5T8F56Xz2I1P4oYYbrMbnVrVqH508y/ftGtdG/chwyHcXOq+M +5LRpkvS1GAxEyIs22RFEZSnWNiKjUbLZu6+B0uzOWnOqw/5X39tI7jTAH0YLgIxo +yNxgHztk/PgUyiEy5NB0uDm3bU8zVAkjTYuQ3/rROiMfmjhJkq2zpZ4LKAVQnwKF +Jm6KPZiJUMf8i5GPNmwy+db/gpUJBNi3b03uyFOTXf0X7qGqUd/BpRrqwhQjNyGU ++PSq7QmbYSHaM/P4xV8eKfjoeY2R2OvSay+zllBZBUUvp8RmDzonmmDAse0Q3iVe +HwrF7iCDHe7WwkzZ9uXNqriia18zJSGb11c2eajeltLJXw6LwK+b4yi8fxp9mYd3 +Uandq3y6/ScKJqJELespCJH6g6AIDt8I9hacj2fERpLVTM5sLnqOKiDg5sja2uYS +nZEiDYxvQfKcrogNO1KuyGsghWIfQQ1MiONkdAoRwfGzq2h6dvJQABfta6vgkqwz +yxuRkK5Oux43Wg5GRNTrVwp/9DLyEYJqy3cwLPnIwfaJwdNzOTpFCq7RSRUle6Yj +wq9yKCZXLJPJIGvMLU0RxrpCqhDgU+c2oqpf/1deBBQEAi6V9C6igOtdr3mlpEcr +E6P/vhntFrAMakTQ809JMMea3A== +-----END CERTIFICATE----- diff --git a/hieradata/role/common/kubernetes/master.yaml b/hieradata/role/common/kubernetes/master.yaml index 2b7a66c..f7cf51c 100644 --- a/hieradata/role/common/kubernetes/master.yaml +++ b/hieradata/role/common/kubernetes/master.yaml 
@@ -7,11 +7,7 @@
 - https://etcd1002.eqiad.wmnet:2379
 - https://etcd1003.eqiad.wmnet:2379
 profile::kubernetes::master::docker_registry: darmstadtium.eqiad.wmnet
-profile::kubernetes::master::accessible_to:
- - kubernetes1001.eqiad.wmnet
- - kubernetes1002.eqiad.wmnet
- - kubernetes1003.eqiad.wmnet
- - kubernetes1004.eqiad.wmnet
+profile::kubernetes::master::accessible_to: all
 profile::kubernetes::master::service_cluster_ip_range: 192.168.30.0/24
 profile::kubernetes::master::apiserver_count: 2
 profile::kubernetes::master::admission_controllers:
@@ -21,8 +17,9 @@
 - RegistryEnforcer
 - DefaultStorageClass
 profile::kubernetes::master::expose_puppet_certs: true
-profile::kubernetes::master::ssl_cert_path: /etc/kubernetes/ssl/cert.pem
-profile::kubernetes::master::ssl_key_path: /etc/kubernetes/ssl/server.key
+profile::kubernetes::master::service_cert: "kubemaster.svc.%{::site}.wmnet"
+profile::kubernetes::master::ssl_cert_path: "/etc/ssl/localcerts/kubemaster.svc.%{::site}.wmnet.crt"
+profile::kubernetes::master::ssl_key_path: "/etc/ssl/localcerts/kubemaster.svc.%{::site}.wmnet.key"
 profile::kubernetes::master::authz_mode: ''
 profile::kubernetes::master::host_automounts: []
 profile::kubernetes::master::host_path_prefixes_allowed: []
diff --git a/modules/profile/manifests/kubernetes/master.pp b/modules/profile/manifests/kubernetes/master.pp
index 1fa3071..a666a1d 100644
--- a/modules/profile/manifests/kubernetes/master.pp
+++ b/modules/profile/manifests/kubernetes/master.pp
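Review bot: `profile::kubernetes::master::accessible_to` changes from an explicit list of four kubernetes10xx hosts to `all` in the first hunk, which widens whatever this key gates (presumably a ferm/firewall rule on the API port) from four named nodes to every host, and neither the change subject nor the description mentions it. With `profile::kubernetes::master::authz_mode: ''` left unchanged a few lines below, that host ACL looks like the main control limiting who can reach an apiserver that, as far as this file shows, has no authorization mode configured, so the widening deserves at least its own sentence in the commit message and arguably a separate change. If `all` is intentional, a comment above the key such as `# API server reachable from all hosts; relies on apiserver authn/authz (see authz_mode below)` would record that decision for the next reader.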
@@ -8,6 +8,7 @@
 $apiserver_count=hiera('profile::kubernetes::master::apiserver_count'),
 $admission_controllers=hiera('profile::kubernetes::master::admission_controllers'),
 $expose_puppet_certs=hiera('profile::kubernetes::master::expose_puppet_certs'),
+ $service_cert=hiera('profile::kubernetes::master::service_cert', undef),
 $ssl_cert_path=hiera('profile::kubernetes::master::ssl_cert_path'),
 $ssl_key_path=hiera('profile::kubernetes::master::ssl_cert_path'),
 $authz_mode=hiera('profile::kubernetes::master::authz_mode'),
@@ -22,6 +23,15 @@
 }
 }
+ if $service_cert {
+ sslcert::certificate { $service_cert:
+ ensure => present,
+ group => 'kube',
+ skip_private => false,
+ before => Class['::k8s::apiserver'],
+ }
+ }
+
 $etcd_servers = join($etcd_urls, ',')
 class { '::k8s::apiserver':
 etcd_servers => $etcd_servers,
-- To view, visit https://gerrit.wikimedia.org/r/352860 To unsubscribe, visit https://gerrit.wikimedia.org/r/settings Gerrit-MessageType: merged Gerrit-Change-Id: Iaf4ddf2fa6933c9231c24856853fa0ffeb45469f Gerrit-PatchSet: 2 Gerrit-Project: operations/puppet Gerrit-Branch: production Gerrit-Owner: Alexandros Kosiaris <[email protected]> Gerrit-Reviewer: Alexandros Kosiaris <[email protected]> Gerrit-Reviewer: jenkins-bot <> _______________________________________________ MediaWiki-commits mailing list [email protected] https://lists.wikimedia.org/mailman/listinfo/mediawiki-commits
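Review bot: The unchanged line `$ssl_key_path=hiera('profile::kubernetes::master::ssl_cert_path'),` in the first hunk reads the cert hiera key for the key path, so the `profile::kubernetes::master::ssl_key_path` value this commit adds to hieradata is never consulted and the apiserver is handed the certificate path where a private-key path is expected; the typo predates this change, but since this commit is what starts populating those keys it should be corrected here: `$ssl_key_path=hiera('profile::kubernetes::master::ssl_key_path'),`. In the second hunk `sslcert::certificate` is declared with `skip_private => false` and `group => 'kube'` but no explicit mode, so the private key's permissions under /etc/ssl/localcerts depend entirely on that define's defaults — presumably owner plus group read only, but worth confirming the key does not land world-readable. The `class { '::k8s::apiserver':` declaration continues past the end of the hunk.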
