tls: add aggregated apiserver certs.

[diegs]

This adds a new CA and certificate pair to support running aggregated
api-servers in the cluster. This is required for deploying
metrics-server (heapster replacement) and other aggregated api-server
components that will start to appear in 1.9+.

In the self-signed scenario these are derived from the kube_ca, which
happens to also be the apiserver serving ca. In practice the kube_ca
should be the parent of both this CA and the one that is used by the
--tls-ca-file flag in the apiserver. I added a TODO to fix that when
we implement the "single CA is the parent of all generated certs" change
for track 2.

[diegs]

cc @brancz

[ericchiang]

I don't think this should be used as a serving cert, just a client cert.

[diegs]

So, remove the dns names and ip addresses?

[ericchiang]

Yes. Allowed usages bellow should also drop "server_auth"

[diegs]

Done

[ericchiang]

Common name has to match the value specified by:

--requestheader-allowed-names

[diegs]

Ah, I thought that was the CN in the CA. The docs are very unclear, and the metrics server appeared to be working. But I'll change the flag to this one in the operators-PR.

[diegs]

@cpanato @enxebre any hints on how to debug the failed custom_tls tests? Do I need to generate the new certs somehow? The user_provided_tls stuff in the smoke test directory doesn't have much documentation.

[diegs]

Ah, think I found the change I needed to make for smoke tests.

[diegs]

zomg ruby linter doesn't like methods with more than 30 lines?

[diegs]

I think azure flaked.

[diegs]

In azure it looks like some of the pods never came up, not sure if this is typical:

        	smoke_test.go:119: retrying in 3s
        	cluster_test.go:99: pod tectonic-system/alm-operator-56d954fc68-77b9q not running
        	cluster_test.go:99: pod tectonic-system/catalog-operator-78d4cdb8db-ksj4x not running
        	cluster_test.go:99: pod tectonic-system/prometheus-k8s-0 not running
        	cluster_test.go:99: pod tectonic-system/prometheus-operator-7445bc9f7f-gtml6 not running
        	cluster_test.go:99: pod tectonic-system/tectonic-monitoring-auth-prometheus-7746db47d8-qzt9j not running
        	smoke_test.go:118: failed with error: pods are not all ready
        	smoke_test.go:119: retrying in 3s
        	cluster_test.go:83: Timed out waiting for pods to be ready.

[brancz]

On a high level this looks good to me. I'm wondering how aggregated APIs are going to get their server certs, seems like we want something like the certificates API, but for multi CA (kubernetes components, etcd, aggregated APIs,...). Do we have a solid idea how to solve that?

[ericchiang]

On a high level this looks good to me. I'm wondering how aggregated APIs are going to get their server certs, seems like we want something like the certificates API, but for multi CA (kubernetes components, etcd, aggregated APIs,...). Do we have a solid idea how to solve that?

Aggregated API servers get to advertise their own CA, which the API server then trusts https://github.com/kubernetes/kubernetes/blob/v1.9.2/staging/src/k8s.io/kube-aggregator/pkg/apis/apiregistration/types.go#L56

So the metrics server can generate a self-signed one and that should be fine.

[brancz]

lgtm

[diegs]

@brancz @ericchiang plot twist: apparently we don't want the metrics server to generate self-signed certs?

kubernetes-sigs/metrics-server#37 (comment)

[diegs]

retest this please. azure and bare metal.

[diegs]

All tests passed!

[diegs]

May I please get a review on the installer side? @enxebre? @squat?

[ericchiang]

We probably want to provide the self-signed certs through a secret.

Mentioned this on JIRA, but I'm going to follow up on kubernetes/kubernetes#54960 to see if there are any specific concerns around this strategy. I'm not familiar with the subtitles.

[enxebre]

wouldn't this need to be module.kube_certs.apiserver_proxy_cert_pem and module.kube_certs.apiserver_proxy_key_pem? same question for all platforms

[diegs]

Great catch, thank you! Changed to the correct value.

[enxebre]

shall we add same todo in contrib module?

[diegs]

Done

[diegs]

retest this please. govcloud and azure.

[diegs]

govcloud:

Error: Error applying plan:

1 error(s) occurred:

* aws_vpn_gateway.vpg (destroy): 1 error(s) occurred:

* aws_vpn_gateway.vpg: IncorrectState: The VPN gateway is in use.
	status code: 400, request id: 1d88c56e-d27f-4c6f-a01e-7f6e83624ab8

azure:

some pods never came up.

[diegs]

retest this please.

[diegs]

I give up.

[cpanato]

all green now @diegs

[squat]

I'm curious: why does this module output an aggregator_ca_key but not the tls/kube/user-provided?

It seems like this output is not consumed anywhere either.

[diegs]

You're right, it's not a required output. Got copy-paste happy. Removed.

[squat]

Should this module also create local files for the aggregated ca key and crt just like modules/tls/kube/self-signed does? i.e.:

resource "local_file" "aggregator_ca_key" {
...
}
resource "local_file" "aggregator_ca_crt" {
...
}

[diegs]

Done

[diegs]

@squat thanks for catching those mistakes, should be fixed now.

[diegs]

You're right, it's not a required output. Got copy-paste happy. Removed.

[diegs]

Done

[squat]

dang, we have some merge conflicts. Conflicts are only on markdown files. All tests have passed for TF. I'm removing the labels and pushing an extra commit to fix the conflicts with the docs.

[cpanato]

ok

[squat]

@diegs: the tls module docs you wrote have been PRd to coreos/tectonic-docs#135 now that they no longer exist in this repo since #2678

[diegs]

@squat thanks!