feature: Enable configuration of Kubelet TLS certs #2536
Conversation
stmcginnis
force-pushed
the
kubelet-certs
branch
from
9707c9f to
cdbab0e
Compare
sources/api/migration/migrations/v1.11.0/kubelet-tls-config/Cargo.toml
Outdated
Show resolved
Hide resolved
stmcginnis
force-pushed
the
kubelet-certs
branch
from
cdbab0e to
735bccb
Compare
sources/api/migration/migrations/v1.11.0/kubelet-tls-config-files/src/main.rs
Outdated
Show resolved
Hide resolved
| install -m 0644 %{S:11} %{buildroot}%{_cross_templatedir}/kubernetes-tls-crt | ||
| install -m 0644 %{S:12} %{buildroot}%{_cross_templatedir}/kubernetes-tls-private-crt |
There was a problem hiding this comment.
You might also consider rendering both the certificate and the key to a single templated file, e.g. /etc/kubernetes/pki/kubelet-server-current.pem, the way that the combined client / server files are today under /var/lib/kubelet/pki.
stmcginnis
force-pushed
the
kubelet-certs
branch
2 times, most recently
from
7d184a4 to
cbc16f3
Compare
| @@ -113,7 +113,12 @@ featureGates: | |||
| CSIMigration: false | |||
| protectKernelDefaults: true | |||
| serializeImagePulls: false | |||
| {{#if (and (default "" settings.kubernetes.tls-certificate) (default "" settings.kubernetes.tls-private-key))}} | |||
There was a problem hiding this comment.
I'm not too happy about this, but without the defaults in there the rendering of the file blows up with a handlebars error:
helper: Couldn't read parameter x
If anyone knows of a better way, please let me know.
There was a problem hiding this comment.
You could also do nested unless, e.g.
| {{#if (and (default "" settings.kubernetes.tls-certificate) (default "" settings.kubernetes.tls-private-key))}} | |
| {{#unless settings.kubernetes.tls-certificate}} | |
| {{#unless settings.kubernetes.tls-private-key}} | |
| serverTLSBootstrap: {{settings.kubernetes.server-tls-bootstrap}} | |
| {{/unless}} | |
| {{/unless}} |
I wouldn't call it "better", just "different" - and reminiscent of C ifdef nesting, which is probably why it comes to mind.
There was a problem hiding this comment.
We would still need the if conditional to determine whether to write out of the tlsCert and tlsPrivateKeyFile though, right? So the double unless would work to determine if we need to write out serverTLSBootstrap, but we also need to know when to do the inverse.
stmcginnis
force-pushed
the
kubelet-certs
branch
from
cbc16f3 to
67ce51f
Compare
|
Rebased on |
stmcginnis
force-pushed
the
kubelet-certs
branch
from
67ce51f to
f599289
Compare
This enables the ability to provide a TLS public and private key to be used by the kubelet process for HTTPS communication. This corresponds to the `--tls-cert-file` and `--tls-key-file` arguments (or the `tlsCertFile` and `tlsPrivateKeyFile` config settings). Signed-off-by: Sean McGinnis <stmcg@amazon.com>
stmcginnis
force-pushed
the
kubelet-certs
branch
from
f599289 to
e7b18d6
Compare
Issue number:
Closes #2481
Description of changes:
This enables the ability to provide a TLS public and private key to be used by the kubelet process for HTTPS communication.
It adds
settings.kubernetes.server-certificateandsettings.kubernetes.server-key.This corresponds to the
--tls-cert-fileand--tls-key-filearguments (or thetlsCertFileandtlsPrivateKeyFileconfig settings).Testing done:
Generated an x509 public and private pair.
Used sample eksctl yaml and added the two new settings with the base64 contents of the generated certs.
Deployed cluster and verified creation successful.
Checked contents of generated
/etc/kubernetes/kubelet/configfile were correct.cat'd contents of the two certificate files written out and made sure they matched my local copies of them.Checked
systemctl status kubeletand verified service was running and happy.Checked
journalctl -u kubeletto check if there were any errors.Checked output from
kubectl get pods -Aandkubectl get nodesto make sure cluster was functional.Terms of contribution:
By submitting this pull request, I agree that this contribution is dual-licensed under the terms of both the Apache License, version 2.0, and the MIT license.