This repository was archived by the owner on Feb 5, 2020. It is now read-only.

Conversation

@coresolve
Contributor

This adds support for specifying the scheme that will be used for the
external etcd cluster. It retains the default https.

I have tested bare metal, Azure and AWS. @squat @kyoto

@coreosbot

Can one of the admins verify this patch?

Contributor

@squat squat left a comment


This will suffice as a temporary fix. We really need to infer the scheme from the certs but we cannot do this until we allow certificates for external etcd clusters. Please also add configuration for openstack clusters.

config.tf Outdated
default = "https"

description = <<EOF
(optional) Can be either "http" or "https" When set this scheme will be used for all provided etcd endpoints.
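Review bot: the description line should also state what choosing "http" means in practice, namely that apiserver-to-etcd traffic travels unencrypted, since nothing in the visible block constrains the value beyond documenting the two strings; a mistyped value would only show up once the generated endpoints are used. Suggest extending the description to something like: (optional) Can be either "http" or "https". When set, this scheme is used for all provided etcd endpoints; "http" sends all apiserver traffic to etcd in clear text and should only be used on an isolated network.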
Contributor


Please add a “.” between the two sentences and add a “,” after “When set” so it reads better.

master_subnetwork_name = "${module.network.master_subnetwork_name}"
external_endpoints = ["${compact(var.tectonic_etcd_servers)}"]

etcd_scheme = "${var.tectonic_etcd_scheme}"
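Review bot: `etcd_scheme` is passed in separately from `external_endpoints`, which comes straight from `compact(var.tectonic_etcd_servers)`; it is worth documenting (and ideally checking in the module) whether an entry of `tectonic_etcd_servers` may already carry a `https://` prefix or a port, because prefixing the scheme onto an entry that already has one yields a malformed endpoint that only fails when the apiserver tries to connect.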
Contributor


We need to declare “etcd” in platforms/gcp/etcd otherwise GCP will fail to build.

Contributor Author


fixed

container_image = "${var.tectonic_container_images["etcd"]}"
base_domain = "${var.tectonic_base_domain}"
external_endpoints = ["${compact(var.tectonic_etcd_servers)}"]
etcd_scheme = "${var.tectonic_etcd_scheme}"
Contributor


Same here, let’s declare etcd in platforms/vmware/etcd so as to not break this platform.

Contributor Author


fixed

@mxinden
Contributor

mxinden commented Nov 1, 2017

We did some changes (#2082) to the testing process. Please rebase onto current master, so that the basic-tests PR status is reported correctly.

This adds support for specifying the scheme that will be used for the
external etcd cluster. It retains the default `https`.

I have tested bare metal, Azure and AWS.
@coresolve force-pushed the support_etcd_schema branch from 5c21492 to 970e463 on November 1, 2017 15:19
@coresolve
Contributor Author

We can't infer https only from certs. There are a few ways to configure etcd.

  1. etcd non-TLS.
  2. etcd TLS but no client certs and no CA cert.
     This means that the apiservers will be able to trust the etcd endpoints with the CA cert bundle they already have (/usr/share/ca-certificates).
  3. etcd TLS with etcd CA cert but not mTLS.
     This means the etcd cluster is signed by a CA that isn't represented in /usr/share/ca-certificates, for example a corporate CA.
  4. etcd with mTLS.
     This means that we provide client cert, key and optionally CA cert. In this case it's expected that the etcd servers are configured for mTLS (and will assert that the client is signed by a cert that it knows).
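The four configurations listed in the comment above, as an added example that is not part of this PR or of the tectonic-installer code: a small Python helper that classifies an external etcd configuration (scheme plus optional CA, client cert and key), rejects combinations that cannot work, normalises the endpoint list the way `compact(var.tectonic_etcd_servers)` plus a scheme prefix would, and derives the kube-apiserver etcd flags. The `EtcdConfig` type, the mode names, the default port 2379 and the rule that certificates combined with scheme `http` are an error are this example's own assumptions; the flag names `--etcd-servers`, `--etcd-cafile`, `--etcd-certfile` and `--etcd-keyfile` are kube-apiserver's real flags. It also shows the point the comment makes: with no certificates configured at all, modes 1 and 2 are indistinguishable, so the scheme has to be stated explicitly.

```python
"""Classify an external etcd configuration and derive kube-apiserver flags.

Added example, not tectonic-installer code. Mode names, EtcdConfig, the
default port and the validation rules are assumptions of this example.
"""
from dataclasses import dataclass
from typing import List, Optional
from urllib.parse import urlsplit

DEFAULT_ETCD_PORT = 2379                      # assumed etcd client port
SYSTEM_CA_BUNDLE = "/usr/share/ca-certificates"  # bundle named in the thread


@dataclass(frozen=True)
class EtcdConfig:
    scheme: str                  # tectonic_etcd_scheme: "http" or "https"
    endpoints: List[str]         # tectonic_etcd_servers: host, host:port or URL
    ca_cert: Optional[str] = None
    client_cert: Optional[str] = None
    client_key: Optional[str] = None


def classify(cfg: EtcdConfig) -> str:
    """Return plaintext, tls-system-ca, tls-custom-ca or mtls (modes 1-4).

    Raises ValueError for combinations that cannot work: an unknown scheme,
    a client cert without its key (or vice versa), or certificates given
    for an http endpoint. Note that plaintext and tls-system-ca both have
    no certificates at all, which is why the scheme cannot be inferred.
    """
    if cfg.scheme not in ("http", "https"):
        raise ValueError(f"etcd_scheme must be http or https, got {cfg.scheme!r}")
    if bool(cfg.client_cert) != bool(cfg.client_key):
        raise ValueError("client cert and client key must be provided together")
    if cfg.scheme == "http":
        if cfg.ca_cert or cfg.client_cert:
            raise ValueError("certificates were supplied but etcd_scheme is http")
        return "plaintext"
    if cfg.client_cert:
        return "mtls"                # mode 4: CA cert optional
    if cfg.ca_cert:
        return "tls-custom-ca"       # mode 3: CA not in SYSTEM_CA_BUNDLE
    return "tls-system-ca"           # mode 2: trust via SYSTEM_CA_BUNDLE


def normalise_endpoint(scheme: str, raw: str,
                       default_port: int = DEFAULT_ETCD_PORT) -> str:
    """Apply the configured scheme to one endpoint entry.

    Accepts host, host:port, [v6]:port or a full URL. A URL whose scheme
    disagrees with the configured one is rejected instead of rewritten.
    """
    if "://" in raw:
        parts = urlsplit(raw)
        if parts.scheme != scheme:
            raise ValueError(
                f"endpoint {raw!r} uses {parts.scheme!r} but etcd_scheme is {scheme!r}")
    else:
        parts = urlsplit("//" + raw)  # lets urlsplit parse host/port/brackets
    host = parts.hostname
    if not host:
        raise ValueError(f"endpoint {raw!r} has no host")
    port = parts.port or default_port  # .port raises ValueError if not numeric
    if ":" in host:                    # bare IPv6 literal needs brackets again
        host = f"[{host}]"
    return f"{scheme}://{host}:{port}"


def apiserver_flags(cfg: EtcdConfig) -> List[str]:
    """Build the kube-apiserver etcd flags for the classified mode."""
    mode = classify(cfg)
    # Mirror Terraform's compact(): empty entries are dropped, not errors.
    servers = ",".join(normalise_endpoint(cfg.scheme, e) for e in cfg.endpoints if e)
    if not servers:
        raise ValueError("no etcd endpoints configured")
    flags = [f"--etcd-servers={servers}"]
    if cfg.ca_cert:                    # modes 3 and 4 (CA is optional in 4)
        flags.append(f"--etcd-cafile={cfg.ca_cert}")
    if mode == "mtls":
        flags.append(f"--etcd-certfile={cfg.client_cert}")
        flags.append(f"--etcd-keyfile={cfg.client_key}")
    return flags


if __name__ == "__main__":
    # Constructed sample endpoint list, including the empty string that
    # compact() would strip from tectonic_etcd_servers.
    endpoints = ["etcd-0.example.internal", "10.0.0.5:2380", ""]
    for scheme in ("http", "https"):
        cfg = EtcdConfig(scheme, endpoints)
        print(f"{scheme:5s} -> {classify(cfg):14s} {apiserver_flags(cfg)}")
```

Run it directly to see that the same certificate-free input classifies as plaintext or tls-system-ca depending only on the scheme; a real installer would feed the returned flags into the apiserver manifest and treat any ValueError as a plan-time failure rather than letting a malformed endpoint reach the cluster.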

@coresolve
Contributor Author

closed in favor of #2288

@coresolve coresolve closed this Nov 1, 2017
4 participants