diff --git a/data/data/bootstrap/files/usr/local/bin/bootkube.sh.template b/data/data/bootstrap/files/usr/local/bin/bootkube.sh.template
index 27770bff2ce..9346f4b5fe7 100755
--- a/data/data/bootstrap/files/usr/local/bin/bootkube.sh.template
+++ b/data/data/bootstrap/files/usr/local/bin/bootkube.sh.template
@@ -96,7 +96,7 @@ then
 --volume "$PWD:/assets:z" \
 "${KUBE_APISERVER_OPERATOR_IMAGE}" \
 /usr/bin/cluster-kube-apiserver-operator render \
- --manifest-etcd-serving-ca=etcd-client-ca.crt \
+ --manifest-etcd-serving-ca=etcd-ca-bundle.crt \
 --manifest-etcd-server-urls={{.EtcdCluster}} \
 --manifest-image=${OPENSHIFT_HYPERSHIFT_IMAGE} \
 --asset-input-dir=/assets/tls \
@@ -173,7 +173,7 @@ then
 --volume "$PWD:/assets:z" \
 "${MACHINE_CONFIG_OPERATOR_IMAGE}" \
 bootstrap \
- --etcd-ca=/assets/tls/etcd-client-ca.crt \
+ --etcd-ca=/assets/tls/etcd-ca-bundle.crt \
 --etcd-metric-ca=/assets/tls/etcd-metric-ca-bundle.crt \
 --root-ca=/assets/tls/root-ca.crt \
 --kube-ca=/assets/tls/kube-apiserver-complete-client-ca-bundle.crt \
@@ -228,8 +228,8 @@ podman run \
 --network host \
 "${KUBE_ETCD_SIGNER_SERVER_IMAGE}" \
 serve \
- --cacrt=/opt/openshift/tls/etcd-client-ca.crt \
- --cakey=/opt/openshift/tls/etcd-client-ca.key \
+ --cacrt=/opt/openshift/tls/etcd-signer.crt \
+ --cakey=/opt/openshift/tls/etcd-signer.key \
 --metric-cacrt=/opt/openshift/tls/etcd-metric-signer.crt \
 --metric-cakey=/opt/openshift/tls/etcd-metric-signer.key \
 --servcrt=/opt/openshift/tls/kube-apiserver-lb-server.crt \
@@ -256,7 +256,7 @@ until podman run \
 --entrypoint etcdctl \
 "${MACHINE_CONFIG_ETCD_IMAGE}" \
 --dial-timeout=10m \
- --cacert=/opt/openshift/tls/etcd-client-ca.crt \
+ --cacert=/opt/openshift/tls/etcd-ca-bundle.crt \
 --cert=/opt/openshift/tls/etcd-client.crt \
 --key=/opt/openshift/tls/etcd-client.key \
 --endpoints={{.EtcdCluster}} \
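Review bot: The signer container in the third hunk now serves from `etcd-signer.crt`/`etcd-signer.key`, while the render, MCO bootstrap and etcdctl invocations in the other three hunks verify against `etcd-ca-bundle.crt`, and nothing in the script records that the bundle is expected to carry the signer's certificate, which is presumably what lets the etcdctl `--cacert`/`--cert` pair in the last hunk validate. A comment above the `serve` line, e.g. `# etcd-signer is the CA that etcd-ca-bundle.crt must contain; keep the two in step`, would capture the coupling that the removed etcd-client-ca files used to leave implicit. Each of the four `podman run` commands starts and ends outside its hunk.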
diff --git a/data/data/manifests/bootkube/etcd-client-secret.yaml.template b/data/data/manifests/bootkube/etcd-client-secret.yaml.template
index 0159a49f6c6..6e7bfe7366f 100644
--- a/data/data/manifests/bootkube/etcd-client-secret.yaml.template
+++ b/data/data/manifests/bootkube/etcd-client-secret.yaml.template
@@ -5,5 +5,5 @@ metadata:
 namespace: openshift-config
 type: SecretTypeTLS
 data:
- tls.crt: {{ .EtcdClientCert }}
- tls.key: {{ .EtcdClientKey }}
+ tls.crt: {{ .EtcdSignerClientCert }}
+ tls.key: {{ .EtcdSignerClientKey }}
diff --git a/data/data/manifests/bootkube/etcd-serving-ca-configmap.yaml.template b/data/data/manifests/bootkube/etcd-serving-ca-configmap.yaml.template
index 1e7f3cf84a9..4d7f30bd048 100644
--- a/data/data/manifests/bootkube/etcd-serving-ca-configmap.yaml.template
+++ b/data/data/manifests/bootkube/etcd-serving-ca-configmap.yaml.template
@@ -5,4 +5,4 @@ metadata:
 namespace: openshift-config
 data:
 ca-bundle.crt: |
- {{.EtcdCaCert | indent 4}}
+ {{.EtcdCaBundle | indent 4}}
diff --git a/data/data/manifests/bootkube/etcd-signer-client-secret.yaml.template b/data/data/manifests/bootkube/etcd-signer-client-secret.yaml.template
deleted file mode 100644
index a1dac260085..00000000000
--- a/data/data/manifests/bootkube/etcd-signer-client-secret.yaml.template
+++ /dev/null
@@ -1,9 +0,0 @@
-apiVersion: v1
-kind: Secret
-metadata:
- name: etcd-signer-client
- namespace: openshift-config
-type: SecretTypeTLS
-data:
- tls.crt: {{ .EtcdSignerClientCert }}
- tls.key: {{ .EtcdSignerClientKey }}
diff --git a/pkg/asset/ignition/bootstrap/bootstrap.go b/pkg/asset/ignition/bootstrap/bootstrap.go
index 23d8041377b..ef55eb7d5dc 100644
--- a/pkg/asset/ignition/bootstrap/bootstrap.go
+++ b/pkg/asset/ignition/bootstrap/bootstrap.go
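Review bot: The first hunk places `{{ .EtcdSignerClientCert }}` and `{{ .EtcdSignerClientKey }}` under a Secret's `data:`, which Kubernetes requires to be base64-encoded, but the template field that feeds them is not populated anywhere in this diff, so its encoding cannot be confirmed from here. The removed `EtcdClientCert`/`EtcdClientKey` assignments in operators.go were explicitly `base64.StdEncoding`-encoded; confirm `EtcdSignerClientCert`/`EtcdSignerClientKey` are filled the same way, or move the keys under `stringData:` if they hold raw PEM. The configmap hunk is consistent as written, since ConfigMap `data` takes plain text and `EtcdCaBundle` becomes a PEM string in operators.go.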
@@ -66,9 +66,7 @@ func (a *Bootstrap) Dependencies() []asset.Asset {
 &tls.AggregatorClientCertKey{},
 &tls.AggregatorSignerCertKey{},
 &tls.APIServerProxyCertKey{},
- &tls.EtcdCA{},
 &tls.EtcdCABundle{},
- &tls.EtcdClientCertKey{},
 &tls.EtcdMetricCABundle{},
 &tls.EtcdMetricSignerCertKey{},
 &tls.EtcdMetricSignerClientCertKey{},
@@ -384,9 +382,7 @@ func (a *Bootstrap) addParentFiles(dependencies asset.Parents) {
 &tls.AggregatorClientCertKey{},
 &tls.AggregatorSignerCertKey{},
 &tls.APIServerProxyCertKey{},
- &tls.EtcdCA{},
 &tls.EtcdCABundle{},
- &tls.EtcdClientCertKey{},
 &tls.EtcdMetricCABundle{},
 &tls.EtcdMetricSignerCertKey{},
 &tls.EtcdMetricSignerClientCertKey{},
diff --git a/pkg/asset/manifests/operators.go b/pkg/asset/manifests/operators.go
index 104eefed790..5ebfb6d6174 100644
--- a/pkg/asset/manifests/operators.go
+++ b/pkg/asset/manifests/operators.go
@@ -60,11 +60,9 @@ func (m *Manifests) Dependencies() []asset.Asset {
 &Infrastructure{},
 &Networking{},
 &tls.RootCA{},
- &tls.EtcdCA{},
 &tls.EtcdSignerCertKey{},
 &tls.EtcdCABundle{},
 &tls.EtcdSignerClientCertKey{},
- &tls.EtcdClientCertKey{},
 &tls.EtcdMetricCABundle{},
 &tls.EtcdMetricSignerCertKey{},
 &tls.EtcdMetricSignerClientCertKey{},
@@ -80,7 +78,6 @@ func (m *Manifests) Dependencies() []asset.Asset {
 &bootkube.EtcdMetricSignerSecret{},
 &bootkube.EtcdNamespace{},
 &bootkube.EtcdService{},
- &bootkube.EtcdSignerClientSecret{},
 &bootkube.EtcdSignerSecret{},
 &bootkube.KubeCloudConfig{},
 &bootkube.EtcdServingCAConfigMap{},
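Review bot: After `&tls.EtcdClientCertKey{}` is dropped from `Dependencies` and `addParentFiles` in the two bootstrap.go hunks, the bootstrap ignition only carries `etcd-client.crt`/`etcd-client.key` if `&tls.EtcdSignerClientCertKey{}` (which this diff renames to emit `etcd-client`) is already present in both lists; neither hunk shows it, so that cannot be confirmed from here. The etcdctl wait loop in bootkube.sh.template reads `/opt/openshift/tls/etcd-client.crt` and `.key`, so a missing entry would only surface at bootstrap time. A comment beside the remaining etcd entries, e.g. `// etcd-client.{crt,key} are produced by EtcdSignerClientCertKey`, would make the file name traceable to its asset. Both enclosing functions continue outside the hunks.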
@@ -139,9 +136,7 @@ func (m *Manifests) Files() []*asset.File {
 func (m *Manifests) generateBootKubeManifests(dependencies asset.Parents) []*asset.File {
 clusterID := &installconfig.ClusterID{}
 installConfig := &installconfig.InstallConfig{}
- etcdCA := &tls.EtcdCA{}
 mcsCertKey := &tls.MCSCertKey{}
- etcdClientCertKey := &tls.EtcdClientCertKey{}
 etcdMetricCABundle := &tls.EtcdMetricCABundle{}
 etcdMetricSignerClientCertKey := &tls.EtcdMetricSignerClientCertKey{}
 etcdMetricSignerCertKey := &tls.EtcdMetricSignerCertKey{}
@@ -152,11 +147,9 @@ func (m *Manifests) generateBootKubeManifests(dependencies asset.Parents) []*ass
 dependencies.Get(
 clusterID,
 installConfig,
- etcdCA,
 etcdSignerCertKey,
 etcdCABundle,
 etcdSignerClientCertKey,
- etcdClientCertKey,
 etcdMetricCABundle,
 etcdMetricSignerClientCertKey,
 etcdMetricSignerCertKey,
@@ -171,12 +164,7 @@ func (m *Manifests) generateBootKubeManifests(dependencies asset.Parents) []*ass templateData := &bootkubeTemplateData{ CVOClusterID: clusterID.UUID, - EtcdCaBundle: base64.StdEncoding.EncodeToString(etcdCABundle.Cert()), - EtcdCaCert: string(etcdCA.Cert()), - EtcdClientCaCert: base64.StdEncoding.EncodeToString(etcdCA.Cert()), - EtcdClientCaKey: base64.StdEncoding.EncodeToString(etcdCA.Key()), - EtcdClientCert: base64.StdEncoding.EncodeToString(etcdClientCertKey.Cert()), - EtcdClientKey: base64.StdEncoding.EncodeToString(etcdClientCertKey.Key()), + EtcdCaBundle: string(etcdCABundle.Cert()), EtcdEndpointDNSSuffix: installConfig.Config.ClusterDomain(), EtcdEndpointHostnames: etcdEndpointHostnames, EtcdMetricCaCert: string(etcdMetricCABundle.Cert()),
@@ -208,7 +196,6 @@ func (m *Manifests) generateBootKubeManifests(dependencies asset.Parents) []*ass
 &bootkube.EtcdService{},
 &bootkube.EtcdServingCAConfigMap{},
 &bootkube.EtcdSignerSecret{},
- &bootkube.EtcdSignerClientSecret{},
 &bootkube.KubeCloudConfig{},
 &bootkube.KubeSystemConfigmapRootCA{},
 &bootkube.MachineConfigServerTLSSecret{},
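Review bot: In the third hunk `EtcdCaBundle` changes from a base64 string to raw PEM (`string(etcdCABundle.Cert())`) with no annotation, and the field it feeds, `EtcdCaBundle string` in the template.go hunk, carries no comment about which form it holds. Any template that still expected base64 here would now render an invalid Secret, so a field comment such as `// PEM text (not base64); consumed under ConfigMap data` on `bootkubeTemplateData.EtcdCaBundle`, or a short comment on this assignment, would pin the contract. The only consumer visible in this diff, etcd-serving-ca-configmap.yaml.template, takes plain text and is consistent with the new form. `generateBootKubeManifests` continues outside the hunk.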
diff --git a/pkg/asset/manifests/template.go b/pkg/asset/manifests/template.go
index 6aa908b97bb..68372bb698d 100644
--- a/pkg/asset/manifests/template.go
+++ b/pkg/asset/manifests/template.go
@@ -39,11 +39,6 @@ type cloudCredsSecretData struct {
 type bootkubeTemplateData struct {
 CVOClusterID string
 EtcdCaBundle string
- EtcdCaCert string
- EtcdClientCaCert string
- EtcdClientCaKey string
- EtcdClientCert string
- EtcdClientKey string
 EtcdEndpointDNSSuffix string
 EtcdEndpointHostnames []string
 EtcdMetricCaCert string
diff --git a/pkg/asset/templates/content/bootkube/etcd-client-secret.go b/pkg/asset/templates/content/bootkube/etcd-client-secret.go
index c20b745a1da..9b0f933f2e9 100644
--- a/pkg/asset/templates/content/bootkube/etcd-client-secret.go
+++ b/pkg/asset/templates/content/bootkube/etcd-client-secret.go
@@ -12,11 +12,9 @@ const ( etcdClientSecretFileName = "etcd-client-secret.yaml.template" ) -var etcdClientCertFiles = []string{etcdClientSecretFileName} - var _ asset.WritableAsset = (*EtcdClientSecret)(nil) -// EtcdClientSecret is an asset for the etcd client secret +// EtcdClientSecret is an asset for the etcd client signer type EtcdClientSecret struct { FileList []*asset.File }
@@ -33,18 +31,17 @@ func (t *EtcdClientSecret) Name() string { // Generate generates the actual files by this asset func (t *EtcdClientSecret) Generate(parents asset.Parents) error { - t.FileList = []*asset.File{} - for _, fileName := range etcdClientCertFiles { - data, err := content.GetBootkubeTemplate(fileName) - if err != nil { - return err - } - t.FileList = append(t.FileList, &asset.File{ + fileName := etcdClientSecretFileName + data, err := content.GetBootkubeTemplate(fileName) + if err != nil { + return err + } + t.FileList = []*asset.File{ + { Filename: filepath.Join(content.TemplateDir, fileName), Data: []byte(data), - }) + }, } - return nil }
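Review bot: The rewritten doc comment in the etcd-client-secret.go hunk, `// EtcdClientSecret is an asset for the etcd client signer`, is misleading: the asset still renders `etcd-client-secret.yaml.template`, a client cert/key Secret, not the signer, and the removed wording was the accurate one. Suggest `// EtcdClientSecret is an asset for the etcd client secret; its cert/key are issued by the etcd signer`. In the `Generate` hunk, `fileName := etcdClientSecretFileName` is a one-use alias carried over from the deleted etcd-signer-client-secret.go; using the constant directly, as the rewritten `Load` does, would keep the two methods in one style.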
@@ -55,17 +52,13 @@ func (t *EtcdClientSecret) Files() []*asset.File { // Load returns the asset from disk. func (t *EtcdClientSecret) Load(f asset.FileFetcher) (bool, error) { - t.FileList = []*asset.File{} - for _, fileName := range etcdClientCertFiles { - file, err := f.FetchByName(filepath.Join(content.TemplateDir, fileName)) - if err != nil { - if os.IsNotExist(err) { - return false, nil - } - return false, err + file, err := f.FetchByName(filepath.Join(content.TemplateDir, etcdClientSecretFileName)) + if err != nil { + if os.IsNotExist(err) { + return false, nil } - t.FileList = append(t.FileList, file) + return false, err } - + t.FileList = []*asset.File{file} return true, nil }
diff --git a/pkg/asset/templates/content/bootkube/etcd-signer-client-secret.go b/pkg/asset/templates/content/bootkube/etcd-signer-client-secret.go
deleted file mode 100644
index 1668956bc80..00000000000
--- a/pkg/asset/templates/content/bootkube/etcd-signer-client-secret.go
+++ /dev/null
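Review bot: The rewritten `Load` no longer resets `t.FileList` before fetching, so when the template is absent (`os.IsNotExist`) a list left by an earlier `Generate` survives, whereas the removed code cleared it first. That is probably harmless for a single-file asset, but it is a behavioural difference the hunk does not mention; either restore `t.FileList = nil` at the top of `Load` or record it in the doc comment, e.g. `// Load returns the asset from disk. FileList is left untouched when the template is not present.`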
@@ -1,64 +0,0 @@
-package bootkube
-
-import (
- "os"
- "path/filepath"
-
- "github.com/openshift/installer/pkg/asset"
- "github.com/openshift/installer/pkg/asset/templates/content"
-)
-
-const (
- etcdSignerClientSecretFileName = "etcd-signer-client-secret.yaml.template"
-)
-
-var _ asset.WritableAsset = (*EtcdSignerClientSecret)(nil)
-
-// EtcdSignerClientSecret is an asset for the etcd client signer
-type EtcdSignerClientSecret struct {
- FileList []*asset.File
-}
-
-// Dependencies returns all of the dependencies directly needed by the asset
-func (t *EtcdSignerClientSecret) Dependencies() []asset.Asset {
- return []asset.Asset{}
-}
-
-// Name returns the human-friendly name of the asset.
-func (t *EtcdSignerClientSecret) Name() string {
- return "EtcdSignerClientSecret"
-}
-
-// Generate generates the actual files by this asset
-func (t *EtcdSignerClientSecret) Generate(parents asset.Parents) error {
- fileName := etcdSignerClientSecretFileName
- data, err := content.GetBootkubeTemplate(fileName)
- if err != nil {
- return err
- }
- t.FileList = []*asset.File{
- {
- Filename: filepath.Join(content.TemplateDir, fileName),
- Data: []byte(data),
- },
- }
- return nil
-}
-
-// Files returns the files generated by the asset.
-func (t *EtcdSignerClientSecret) Files() []*asset.File {
- return t.FileList
-}
-
-// Load returns the asset from disk.
-func (t *EtcdSignerClientSecret) Load(f asset.FileFetcher) (bool, error) {
- file, err := f.FetchByName(filepath.Join(content.TemplateDir, etcdSignerClientSecretFileName))
- if err != nil {
- if os.IsNotExist(err) {
- return false, nil
- }
- return false, err
- }
- t.FileList = []*asset.File{file}
- return true, nil
-}
diff --git a/pkg/asset/tls/etcd.go b/pkg/asset/tls/etcd.go
index 3929d9ccd8f..b98270b624e 100644
--- a/pkg/asset/tls/etcd.go
+++ b/pkg/asset/tls/etcd.go
@@ -7,75 +7,6 @@ import ( "github.com/openshift/installer/pkg/asset" ) -// EtcdCA is the asset that generates the etcd-ca key/cert pair. -// [DEPRECATED] -type EtcdCA struct { - SelfSignedCertKey -} - -var _ asset.Asset = (*EtcdCA)(nil) - -// Dependencies returns the dependency of the the cert/key pair, which includes -// the parent CA, and install config if it depends on the install config for -// DNS names, etc. -func (a *EtcdCA) Dependencies() []asset.Asset { - return []asset.Asset{} -} - -// Generate generates the cert/key pair based on its dependencies. -func (a *EtcdCA) Generate(dependencies asset.Parents) error { - cfg := &CertCfg{ - Subject: pkix.Name{CommonName: "etcd", OrganizationalUnit: []string{"etcd"}}, - KeyUsages: x509.KeyUsageKeyEncipherment | x509.KeyUsageDigitalSignature | x509.KeyUsageCertSign, - Validity: ValidityTenYears, - IsCA: true, - } - - return a.SelfSignedCertKey.Generate(cfg, "etcd-client-ca") -} - -// Name returns the human-friendly name of the asset. -func (a *EtcdCA) Name() string { - return "Certificate (etcd)" -} - -// EtcdClientCertKey is the asset that generates the etcd client key/cert pair. -// [DEPRECATED] -type EtcdClientCertKey struct { - SignedCertKey -} - -var _ asset.Asset = (*EtcdClientCertKey)(nil) - -// Dependencies returns the dependency of the the cert/key pair, which includes -// the parent CA, and install config if it depends on the install config for -// DNS names, etc. -func (a *EtcdClientCertKey) Dependencies() []asset.Asset { - return []asset.Asset{ - &EtcdCA{}, - } -} - -// Generate generates the cert/key pair based on its dependencies. 
-func (a *EtcdClientCertKey) Generate(dependencies asset.Parents) error {
- etcdCA := &EtcdCA{}
- dependencies.Get(etcdCA)
-
- cfg := &CertCfg{
- Subject: pkix.Name{CommonName: "etcd", OrganizationalUnit: []string{"etcd"}},
- KeyUsages: x509.KeyUsageKeyEncipherment,
- ExtKeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth},
- Validity: ValidityTenYears,
- }
-
- return a.SignedCertKey.Generate(cfg, etcdCA, "etcd-client", DoNotAppendParent)
-}
-
-// Name returns the human-friendly name of the asset.
-func (a *EtcdClientCertKey) Name() string {
- return "Certificate (etcd)"
-}
-
 // EtcdSignerCertKey is a key/cert pair that signs the etcd client and peer certs.
 type EtcdSignerCertKey struct {
 SelfSignedCertKey
@@ -163,10 +94,10 @@ func (a *EtcdSignerClientCertKey) Generate(dependencies asset.Parents) error { Validity: ValidityTenYears, } - return a.SignedCertKey.Generate(cfg, ca, "etcd-signer-client", DoNotAppendParent) + return a.SignedCertKey.Generate(cfg, ca, "etcd-client", DoNotAppendParent) } // Name returns the human-friendly name of the asset. func (a *EtcdSignerClientCertKey) Name() string { - return "Certificate (etcd-signer-client)" + return "Certificate (etcd-client)" }
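Review bot: The second hunk makes `EtcdSignerClientCertKey` write its pair under the file name `etcd-client`, the same name the `EtcdClientCertKey` asset deleted in the first hunk used for a pair signed by the removed `etcd-client-ca`. If an asset directory written by an earlier installer build is reused, a `Load` keyed on that name (not shown here, so this is inferred) could pick up the stale pair, which would not chain to `etcd-ca-bundle.crt` and would fail the etcdctl check in bootkube.sh.template in a non-obvious way. A comment on `Generate` would make the hazard visible, e.g. `// Emits etcd-client.{crt,key}; the deprecated EtcdClientCertKey used the same name for a pair signed by etcd-client-ca, so old asset directories must be regenerated.` `Generate` begins outside the hunk; the `Name()` change is fine as is.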