diff --git a/installer/cmd/tectonic/main.go b/installer/cmd/tectonic/main.go
index fc37d53bb43..1e00390eaa1 100644
--- a/installer/cmd/tectonic/main.go
+++ b/installer/cmd/tectonic/main.go
@@ -14,8 +14,7 @@ var (
 clusterInitConfigFlag = clusterInitCommand.Flag("config", "Cluster specification file").Required().ExistingFile()
 clusterInstallCommand = kingpin.Command("install", "Create a new Tectonic cluster")
- clusterInstallTLSCommand = clusterInstallCommand.Command("tls", "Generate TLS Certificates.")
- clusterInstallTLSNewCommand = clusterInstallCommand.Command("newtls", "Generate TLS Certificates, using a new engine (experimental)")
+ clusterInstallTLSNewCommand = clusterInstallCommand.Command("tls", "Generate TLS Certificates.")
 clusterInstallAssetsCommand = clusterInstallCommand.Command("assets", "Generate Tectonic assets.")
 clusterInstallBootstrapCommand = clusterInstallCommand.Command("bootstrap", "Create a single bootstrap node Tectonic cluster.")
 clusterInstallFullCommand = clusterInstallCommand.Command("full", "Create a new Tectonic cluster").Default()
@@ -39,8 +38,6 @@ func main() {
 w = workflow.InitWorkflow(*clusterInitConfigFlag)
 case clusterInstallFullCommand.FullCommand():
 w = workflow.InstallFullWorkflow(*clusterInstallDirFlag)
- case clusterInstallTLSCommand.FullCommand():
- w = workflow.InstallTLSWorkflow(*clusterInstallDirFlag)
 case clusterInstallTLSNewCommand.FullCommand():
 w = workflow.InstallTLSNewWorkflow(*clusterInstallDirFlag)
 case clusterInstallAssetsCommand.FullCommand():
diff --git a/installer/pkg/config-generator/generator_test.go b/installer/pkg/config-generator/generator_test.go
index c244ec49974..3e41dd244aa 100644
--- a/installer/pkg/config-generator/generator_test.go
+++ b/installer/pkg/config-generator/generator_test.go
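Review bot: The surviving command variable is still named `clusterInstallTLSNewCommand` although it now registers the plain `tls` subcommand, so the "New" suffix no longer describes anything; the same stale naming survives in `InstallTLSNewWorkflow` (install.go) and in `newTLSStep = "tls"` (utils.go). Renaming these to `clusterInstallTLSCommand`, `InstallTLSWorkflow` and `tlsStep` would reuse the identifiers the removed lines already had and keep the step constant aligned with the directory it names. The `var (` block and the `switch` in `main` both continue outside these hunks.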
@@ -131,7 +131,7 @@ func TestGenerateCert(t *testing.T) {
 CommonName: "test-self-signed-ca",
 OrganizationalUnit: []string{"openshift"},
 },
- Validity: validityThreeYears,
+ Validity: validityTenYears,
 }
 caCert, err := tls.SelfSignedCACert(caCfg, caKey)
 if err != nil {
@@ -151,7 +151,7 @@ func TestGenerateCert(t *testing.T) {
 KeyUsages: x509.KeyUsageKeyEncipherment,
 DNSNames: []string{"test-api.kubernetes.default"},
 ExtKeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth},
- Validity: validityThreeYears,
+ Validity: validityTenYears,
 IsCA: false,
 },
 clusterDir: "./",
@@ -159,7 +159,7 @@ func TestGenerateCert(t *testing.T) {
 },
 }
 for i, c := range cases {
- _, _, err := generateCert(c.clusterDir, caKey, caCert, keyPath, certPath, c.cfg)
+ _, _, err := generateCert(c.clusterDir, caKey, caCert, keyPath, certPath, c.cfg, false)
 if err != nil {
 no := "no"
 if c.err {
diff --git a/installer/pkg/config-generator/tls.go b/installer/pkg/config-generator/tls.go
index 03e0cee245a..3147ca8d842 100644
--- a/installer/pkg/config-generator/tls.go
+++ b/installer/pkg/config-generator/tls.go
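Review bot: Every `generateCert` call in the test loop now passes `appendCA` as `false`, so the new branch in `generateSignedCert` that writes the signer's certificate after the leaf has no coverage. A case that sets `appendCA` to `true`, reads back `certPath` and checks that the second PEM block decodes to `caCert` would cover it. The cases also only reference `validityTenYears` by name, so asserting that the generated certificate's `NotAfter` is roughly ten years after `NotBefore` would catch a future slip in the constant. `TestGenerateCert` continues outside these hunks.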
@@ -17,35 +17,36 @@ import (
 )
 const (
- adminCertPath = "generated/newTLS/admin.crt"
- adminKeyPath = "generated/newTLS/admin.key"
- aggregatorCACertPath = "generated/newTLS/aggregator-ca.crt"
- aggregatorCAKeyPath = "generated/newTLS/aggregator-ca.key"
- apiServerCertPath = "generated/newTLS/apiserver.crt"
- apiServerKeyPath = "generated/newTLS/apiserver.key"
- apiServerProxyCertPath = "generated/newTLS/apiserver-proxy.crt"
- apiServerProxyKeyPath = "generated/newTLS/apiserver-proxy.key"
- etcdCACertPath = "generated/newTLS/etcd-ca.crt"
- etcdCAKeyPath = "generated/newTLS/etcd-ca.key"
- etcdClientCertPath = "generated/newTLS/etcd-client.crt"
- etcdClientKeyPath = "generated/newTLS/etcd-client.key"
- ingressCACertPath = "generated/newTLS/ingress-ca.crt"
- ingressCertPath = "generated/newTLS/ingress.crt"
- ingressKeyPath = "generated/newTLS/ingress.key"
- kubeCACertPath = "generated/newTLS/kube-ca.crt"
- kubeCAKeyPath = "generated/newTLS/kube-ca.key"
- kubeletCertPath = "generated/newTLS/kubelet.crt"
- kubeletKeyPath = "generated/newTLS/kubelet.key"
- osAPIServerCertPath = "generated/newTLS/openshift-apiserver.crt"
- osAPIServerKeyPath = "generated/newTLS/openshift-apiserver.key"
- rootCACertPath = "generated/newTLS/root-ca.crt"
- rootCAKeyPath = "generated/newTLS/root-ca.key"
- serviceServingCACertPath = "generated/newTLS/service-serving-ca.crt"
- serviceServingCAKeyPath = "generated/newTLS/service-serving-ca.key"
- tncCertPath = "generated/newTLS/tnc.crt"
- tncKeyPath = "generated/newTLS/tnc.key"
-
- validityThreeYears = time.Hour * 24 * 365 * 3
+ adminCertPath = "generated/tls/admin.crt"
+ adminKeyPath = "generated/tls/admin.key"
+ aggregatorCACertPath = "generated/tls/aggregator-ca.crt"
+ aggregatorCAKeyPath = "generated/tls/aggregator-ca.key"
+ apiServerCertPath = "generated/tls/apiserver.crt"
+ apiServerKeyPath = "generated/tls/apiserver.key"
+ apiServerProxyCertPath = "generated/tls/apiserver-proxy.crt"
+ apiServerProxyKeyPath = "generated/tls/apiserver-proxy.key"
+ etcdCACertPath = "generated/tls/etcd-ca.crt"
+ etcdCAKeyPath = "generated/tls/etcd-ca.key"
+ etcdClientCertPath = "generated/tls/etcd-client.crt"
+ etcdClientKeyPath = "generated/tls/etcd-client.key"
+ ingressCACertPath = "generated/tls/ingress-ca.crt"
+ ingressCertPath = "generated/tls/ingress.crt"
+ ingressKeyPath = "generated/tls/ingress.key"
+ kubeCACertPath = "generated/tls/kube-ca.crt"
+ kubeCAKeyPath = "generated/tls/kube-ca.key"
+ kubeletCertPath = "generated/tls/kubelet.crt"
+ kubeletKeyPath = "generated/tls/kubelet.key"
+ osAPIServerCertPath = "generated/tls/openshift-apiserver.crt"
+ osAPIServerKeyPath = "generated/tls/openshift-apiserver.key"
+ rootCACertPath = "generated/tls/root-ca.crt"
+ rootCAKeyPath = "generated/tls/root-ca.key"
+ serviceServingCACertPath = "generated/tls/service-serving-ca.crt"
+ serviceServingCAKeyPath = "generated/tls/service-serving-ca.key"
+ tncCertPath = "generated/tls/tnc.crt"
+ tncKeyPath = "generated/tls/tnc.key"
+
+ validityTenYears = time.Hour * 24 * 365 * 10
+ validityThirtyMinutes = time.Minute * 30
 )
 // GenerateTLSConfig fetches and validates the TLS cert files
@@ -72,10 +73,10 @@ func (c *ConfigGenerator) GenerateTLSConfig(clusterDir string) error {
 cfg := &tls.CertCfg{
 Subject: pkix.Name{CommonName: "kube-ca", OrganizationalUnit: []string{"bootkube"}},
 KeyUsages: x509.KeyUsageKeyEncipherment | x509.KeyUsageDigitalSignature | x509.KeyUsageCertSign,
- Validity: validityThreeYears,
+ Validity: validityTenYears,
 IsCA: true,
 }
- kubeCAKey, kubeCACert, err := generateCert(clusterDir, caKey, caCert, kubeCAKeyPath, kubeCACertPath, cfg)
+ kubeCAKey, kubeCACert, err := generateCert(clusterDir, caKey, caCert, kubeCAKeyPath, kubeCACertPath, cfg, false)
 if err != nil {
 return fmt.Errorf("failed to generate kubernetes CA: %v", err)
 }
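Review bot: `validityTenYears` now replaces `validityThreeYears` everywhere it was used, which in the following hunks covers the root CA, every intermediate CA and every leaf certificate (admin, api server, etcd client, ingress, tnc) alike, whereas the deleted Terraform module kept a 10-year root with 3-year intermediates. A ten-year lifetime on an installer-issued client credential such as `system:admin` means nothing expires it short of re-issuing the CA, so the choice deserves a comment next to the constant, e.g. `// validityTenYears applies to CAs and installer-issued leaf certs alike; the installer performs no rotation, so a leaked leaf key stays valid until the issuing CA is replaced`, or a separate shorter constant for the leaf certificates. The `const` block is complete in this hunk; `GenerateTLSConfig` continues past the second one.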
@@ -85,19 +86,28 @@ func (c *ConfigGenerator) GenerateTLSConfig(clusterDir string) error {
 Subject: pkix.Name{CommonName: "etcd", OrganizationalUnit: []string{"etcd"}},
 KeyUsages: x509.KeyUsageKeyEncipherment | x509.KeyUsageDigitalSignature | x509.KeyUsageCertSign,
 IsCA: true,
+ Validity: validityTenYears,
 }
- etcdCAKey, etcdCACert, err := generateCert(clusterDir, caKey, caCert, etcdCAKeyPath, etcdCACertPath, cfg)
+ etcdCAKey, etcdCACert, err := generateCert(clusterDir, caKey, caCert, etcdCAKeyPath, etcdCACertPath, cfg, false)
 if err != nil {
 return fmt.Errorf("failed to generate etcd CA: %v", err)
 }
+ if err := copy.Copy(filepath.Join(clusterDir, etcdCAKeyPath), filepath.Join(clusterDir, "generated/tls/etcd-client-ca.key")); err != nil {
+ return fmt.Errorf("failed to import kube CA cert into ingress-ca.crt: %v", err)
+ }
+ if err := copy.Copy(filepath.Join(clusterDir, etcdCACertPath), filepath.Join(clusterDir, "generated/tls/etcd-client-ca.crt")); err != nil {
+ return fmt.Errorf("failed to import kube CA cert into ingress-ca.crt: %v", err)
+ }
+
 // generate etcd client certificate
 cfg = &tls.CertCfg{
 Subject: pkix.Name{CommonName: "etcd", OrganizationalUnit: []string{"etcd"}},
 KeyUsages: x509.KeyUsageKeyEncipherment,
 ExtKeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth},
+ Validity: validityTenYears,
 }
- if _, _, err := generateCert(clusterDir, etcdCAKey, etcdCACert, etcdClientKeyPath, etcdClientCertPath, cfg); err != nil {
+ if _, _, err := generateCert(clusterDir, etcdCAKey, etcdCACert, etcdClientKeyPath, etcdClientCertPath, cfg, false); err != nil {
 return fmt.Errorf("failed to generate etcd client certificate: %v", err)
 }
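Review bot: Both new error messages in the etcd CA copy block read `failed to import kube CA cert into ingress-ca.crt`, copied from the ingress block further down, so a failure here would be reported against the wrong file. Use messages naming the real source and destination, e.g. `return fmt.Errorf("failed to copy etcd CA key to etcd-client-ca.key: %v", err)` and the matching one for the cert, and move the two literal destinations `"generated/tls/etcd-client-ca.key"` and `"generated/tls/etcd-client-ca.crt"` into the `const` block next to the other paths. The first copy also writes the etcd CA private key to disk a second time under a new name, so whatever file mode protects `etcdCAKeyPath` should be confirmed to carry over to the copy (the mode handling of `copy.Copy` is not visible here). `GenerateTLSConfig` continues outside the hunk.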
@@ -105,10 +115,11 @@ func (c *ConfigGenerator) GenerateTLSConfig(clusterDir string) error {
 cfg = &tls.CertCfg{
 Subject: pkix.Name{CommonName: "aggregator", OrganizationalUnit: []string{"bootkube"}},
 KeyUsages: x509.KeyUsageKeyEncipherment | x509.KeyUsageDigitalSignature | x509.KeyUsageCertSign,
- Validity: validityThreeYears,
+ Validity: validityTenYears,
 IsCA: true,
 }
- if _, _, err := generateCert(clusterDir, caKey, caCert, aggregatorCAKeyPath, aggregatorCACertPath, cfg); err != nil {
+ aggregatorCAKey, aggregatorCACert, err := generateCert(clusterDir, caKey, caCert, aggregatorCAKeyPath, aggregatorCACertPath, cfg, false)
+ if err != nil {
 return fmt.Errorf("failed to generate aggregator CA: %v", err)
 }
@@ -116,15 +127,15 @@ func (c *ConfigGenerator) GenerateTLSConfig(clusterDir string) error {
 cfg = &tls.CertCfg{
 Subject: pkix.Name{CommonName: "service-serving", OrganizationalUnit: []string{"bootkube"}},
 KeyUsages: x509.KeyUsageKeyEncipherment | x509.KeyUsageDigitalSignature | x509.KeyUsageCertSign,
- Validity: validityThreeYears,
+ Validity: validityTenYears,
 IsCA: true,
 }
- if _, _, err := generateCert(clusterDir, caKey, caCert, serviceServingCAKeyPath, serviceServingCACertPath, cfg); err != nil {
+ if _, _, err := generateCert(clusterDir, caKey, caCert, serviceServingCAKeyPath, serviceServingCACertPath, cfg, false); err != nil {
 return fmt.Errorf("failed to generate service-serving CA: %v", err)
 }
 // Ingress certs
- if copy.Copy(kubeCACertPath, ingressCACertPath); err != nil {
+ if err := copy.Copy(filepath.Join(clusterDir, kubeCACertPath), filepath.Join(clusterDir, ingressCACertPath)); err != nil {
 return fmt.Errorf("failed to import kube CA cert into ingress-ca.crt: %v", err)
 }
@@ -137,11 +148,11 @@ func (c *ConfigGenerator) GenerateTLSConfig(clusterDir string) error {
 fmt.Sprintf("%s.%s", "*", baseAddress),
 },
 Subject: pkix.Name{CommonName: baseAddress, Organization: []string{"ingress"}},
- Validity: validityThreeYears,
+ Validity: validityTenYears,
 IsCA: false,
 }
- if _, _, err := generateCert(clusterDir, kubeCAKey, kubeCACert, ingressKeyPath, ingressCertPath, cfg); err != nil {
+ if _, _, err := generateCert(clusterDir, kubeCAKey, kubeCACert, ingressKeyPath, ingressCertPath, cfg, true); err != nil {
 return fmt.Errorf("failed to generate ingress CA: %v", err)
 }
@@ -150,11 +161,11 @@ func (c *ConfigGenerator) GenerateTLSConfig(clusterDir string) error {
 KeyUsages: x509.KeyUsageKeyEncipherment | x509.KeyUsageDigitalSignature,
 ExtKeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth, x509.ExtKeyUsageClientAuth},
 Subject: pkix.Name{CommonName: "system:admin", Organization: []string{"system:masters"}},
- Validity: validityThreeYears,
+ Validity: validityTenYears,
 IsCA: false,
 }
- if _, _, err = generateCert(clusterDir, kubeCAKey, kubeCACert, adminKeyPath, adminCertPath, cfg); err != nil {
+ if _, _, err = generateCert(clusterDir, kubeCAKey, kubeCACert, adminKeyPath, adminCertPath, cfg, false); err != nil {
 return fmt.Errorf("failed to generate kube admin certificate: %v", err)
 }
@@ -173,12 +184,12 @@ func (c *ConfigGenerator) GenerateTLSConfig(clusterDir string) error {
 "kubernetes.default.svc",
 "kubernetes.default.svc.cluster.local",
 },
- Validity: validityThreeYears,
+ Validity: validityTenYears,
 IPAddresses: []net.IP{net.ParseIP(apiServerAddress)},
 IsCA: false,
 }
- if _, _, err := generateCert(clusterDir, kubeCAKey, kubeCACert, apiServerKeyPath, apiServerCertPath, cfg); err != nil {
+ if _, _, err := generateCert(clusterDir, kubeCAKey, kubeCACert, apiServerKeyPath, apiServerCertPath, cfg, true); err != nil {
 return fmt.Errorf("failed to generate kube api server certificate: %v", err)
 }
@@ -194,12 +205,12 @@ func (c *ConfigGenerator) GenerateTLSConfig(clusterDir string) error {
 "openshift-apiserver.kube-system.svc",
 "openshift-apiserver.kube-system.svc.cluster.local",
 "localhost", "127.0.0.1"},
- Validity: validityThreeYears,
+ Validity: validityTenYears,
 IPAddresses: []net.IP{net.ParseIP(apiServerAddress)},
 IsCA: false,
 }
- if _, _, err := generateCert(clusterDir, kubeCAKey, kubeCACert, osAPIServerKeyPath, osAPIServerCertPath, cfg); err != nil {
+ if _, _, err := generateCert(clusterDir, aggregatorCAKey, aggregatorCACert, osAPIServerKeyPath, osAPIServerCertPath, cfg, true); err != nil {
 return fmt.Errorf("failed to generate openshift api server certificate: %v", err)
 }
@@ -208,11 +219,11 @@ func (c *ConfigGenerator) GenerateTLSConfig(clusterDir string) error {
 KeyUsages: x509.KeyUsageKeyEncipherment | x509.KeyUsageDigitalSignature,
 ExtKeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth},
 Subject: pkix.Name{CommonName: "kube-apiserver-proxy", Organization: []string{"kube-master"}},
- Validity: validityThreeYears,
+ Validity: validityTenYears,
 IsCA: false,
 }
- if _, _, err := generateCert(clusterDir, kubeCAKey, kubeCACert, apiServerProxyKeyPath, apiServerProxyCertPath, cfg); err != nil {
+ if _, _, err := generateCert(clusterDir, aggregatorCAKey, aggregatorCACert, apiServerProxyKeyPath, apiServerProxyCertPath, cfg, false); err != nil {
 return fmt.Errorf("failed to generate kube api proxy certificate: %v", err)
 }
@@ -221,11 +232,11 @@ func (c *ConfigGenerator) GenerateTLSConfig(clusterDir string) error {
 KeyUsages: x509.KeyUsageKeyEncipherment | x509.KeyUsageDigitalSignature,
 ExtKeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth},
 Subject: pkix.Name{CommonName: "system:serviceaccount:kube-system:default", Organization: []string{"system:serviceaccounts:kube-system"}},
- Validity: validityThreeYears,
+ Validity: validityThirtyMinutes,
 IsCA: false,
 }
- if _, _, err := generateCert(clusterDir, kubeCAKey, kubeCACert, kubeletKeyPath, kubeletCertPath, cfg); err != nil {
+ if _, _, err := generateCert(clusterDir, kubeCAKey, kubeCACert, kubeletKeyPath, kubeletCertPath, cfg, false); err != nil {
 return fmt.Errorf("failed to generate kubelet certificate: %v", err)
 }
@@ -235,11 +246,11 @@ func (c *ConfigGenerator) GenerateTLSConfig(clusterDir string) error {
 ExtKeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
 DNSNames: []string{tncDomain},
 Subject: pkix.Name{CommonName: tncDomain},
- Validity: validityThreeYears,
+ Validity: validityTenYears,
 IsCA: false,
 }
- if _, _, err := generateCert(clusterDir, caKey, caCert, tncKeyPath, tncCertPath, cfg); err != nil {
+ if _, _, err := generateCert(clusterDir, caKey, caCert, tncKeyPath, tncCertPath, cfg, false); err != nil {
 return fmt.Errorf("failed to generate tnc certificate: %v", err)
 }
 return nil
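Review bot: `validityThirtyMinutes` on the kubelet client certificate is the one short lifetime in the file and nothing in the hunk says why; if the intent is that this is a bootstrap credential that the kubelet replaces through certificate rotation, that needs stating, because an install where the kubelet first connects more than thirty minutes after the file is generated will fail on an expired client certificate. Suggested comment above the `cfg` literal: `// Deliberately short-lived: this credential only bootstraps the kubelet, which is expected to obtain a rotated certificate through the CSR API — confirm rotation is enabled in the kubelet config`. `GenerateTLSConfig` continues outside the hunk.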
@@ -308,12 +319,16 @@ func getCertFiles(clusterDir string, certPath string, keyPath string) (*x509.Cer
 }
 // generateCert creates a key, csr & a signed cert
+// If appendCA is true, then also append the CA cert into the result cert.
+// This is useful for apiserver and openshift-apiser cert which will be
+// authenticated by the kubeconfig using root-ca.
 func generateCert(clusterDir string,
 caKey *rsa.PrivateKey,
 caCert *x509.Certificate,
 keyPath string,
 certPath string,
- cfg *tls.CertCfg) (*rsa.PrivateKey, *x509.Certificate, error) {
+ cfg *tls.CertCfg,
+ appendCA bool) (*rsa.PrivateKey, *x509.Certificate, error) {
 // create a private key
 key, err := generatePrivateKey(clusterDir, keyPath)
@@ -333,7 +348,7 @@ func generateCert(clusterDir string,
 }
 // create a cert
- cert, err := generateSignedCert(cfg, csr, key, caKey, caCert, clusterDir, certPath)
+ cert, err := generateSignedCert(cfg, csr, key, caKey, caCert, clusterDir, certPath, appendCA)
 if err != nil {
 return nil, nil, fmt.Errorf("failed to create a certificate: %v", err)
 }
@@ -349,7 +364,7 @@ func generateRootCA(path string, key *rsa.PrivateKey) (*x509.Certificate, error)
 OrganizationalUnit: []string{"openshift"},
 },
 KeyUsages: x509.KeyUsageKeyEncipherment | x509.KeyUsageDigitalSignature | x509.KeyUsageCertSign,
- Validity: validityThreeYears,
+ Validity: validityTenYears,
 IsCA: true,
 }
 cert, err := tls.SelfSignedCACert(cfg, key)
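Review bot: The added doc comment misspells `openshift-apiser` and is already out of date: the ingress certificate in an earlier hunk is also generated with `appendCA` set to `true`, and what gets appended is the immediate signer passed as `caCert` (the aggregator CA for the openshift api server), not root-ca itself. Suggested wording: `// If appendCA is true, the PEM of the signing CA (caCert) is written after the leaf certificate so that clients that trust only root-ca receive the intermediate they need to build the chain (used for the ingress, apiserver and openshift-apiserver certs).` generateCert's body continues outside the hunk.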
@@ -368,13 +383,20 @@ func generateSignedCert(cfg *tls.CertCfg,
 caKey *rsa.PrivateKey,
 caCert *x509.Certificate,
 clusterDir string,
- path string) (*x509.Certificate, error) {
+ path string,
+ appendCA bool) (*x509.Certificate, error) {
 cert, err := tls.SignedCertificate(cfg, csr, key, caCert, caKey)
 if err != nil {
 return nil, fmt.Errorf("error signing certificate: %v", err)
 }
 fileTargetPath := filepath.Join(clusterDir, path)
- if err := ioutil.WriteFile(fileTargetPath, []byte(tls.CertToPem(cert)), 0666); err != nil {
+
+ content := []byte(tls.CertToPem(cert))
+ if appendCA {
+ content = append(content, '\n')
+ content = append(content, []byte(tls.CertToPem(caCert))...)
+ }
+ if err := ioutil.WriteFile(fileTargetPath, content, 0666); err != nil {
 return nil, err
 }
 return cert, nil
diff --git a/installer/pkg/workflow/destroy.go b/installer/pkg/workflow/destroy.go
index dbaa9b46409..a3d78b8770a 100644
--- a/installer/pkg/workflow/destroy.go
+++ b/installer/pkg/workflow/destroy.go
@@ -15,15 +15,10 @@ func DestroyWorkflow(clusterDir string) Workflow {
 destroyTNCDNSStep,
 destroyTopologyStep,
 destroyAssetsStep,
- destroyTLSAssetsStep,
 },
 }
 }
-func destroyTLSAssetsStep(m *metadata) error {
- return runDestroyStep(m, tlsStep)
-}
-
 func destroyAssetsStep(m *metadata) error {
 return runDestroyStep(m, assetsStep)
 }
diff --git a/installer/pkg/workflow/init.go b/installer/pkg/workflow/init.go
index 35603f2f3a2..fe0a5c0571a 100644
--- a/installer/pkg/workflow/init.go
+++ b/installer/pkg/workflow/init.go
@@ -21,7 +21,7 @@ const (
 kubeSystemPath = "generated/manifests"
 kubeSystemFileName = "cluster-config.yaml"
 tectonicSystemPath = "generated/tectonic"
- newTLSPath = "generated/newTLS"
+ tlsPath = "generated/tls"
 tectonicSystemFileName = "cluster-config.yaml"
 terraformVariablesFileName = "terraform.tfvars"
 )
diff --git a/installer/pkg/workflow/install.go b/installer/pkg/workflow/install.go
index 5d3f9903c98..10dad1438ca 100644
--- a/installer/pkg/workflow/install.go
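Review bot: The `'\n'` inserted between the two PEM blocks assumes `tls.CertToPem` returns text without a trailing newline; if it wraps `pem.EncodeToMemory`, whose output already ends in one, the file gets an empty line between the blocks, which Go's `pem.Decode` tolerates but stricter consumers may not. A guard such as `if len(content) == 0 || content[len(content)-1] != '\n' { content = append(content, '\n') }` makes the written bundle independent of that detail. The `0666` mode on the certificate file is unchanged by this commit and is acceptable only because the file holds public certificates; the key file write is not in view. generateSignedCert's signature starts above the hunk.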
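Review bot: With `destroyTLSAssetsStep` removed, nothing left in `DestroyWorkflow` visibly removes `generated/tls`, which now holds the root, intermediate and leaf private keys written by `GenerateTLSConfig` rather than Terraform-managed files. If `destroyAssetsStep` (or the Terraform step behind it) does not delete that directory, destroyed clusters leave their CA keys on the operator's disk; confirm which step cleans it up, or add an explicit `os.RemoveAll(filepath.Join(m.clusterDir, tlsPath))` step and document it in the `steps` list. The `steps` slice starts above the hunk.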
+++ b/installer/pkg/workflow/install.go
@@ -17,7 +17,7 @@ func InstallFullWorkflow(clusterDir string) Workflow {
 refreshConfigStep,
 generateClusterConfigMaps,
 readClusterConfigStep,
- installTLSAssetsStep,
+ generateTLSConfigStep,
 generateClusterConfigMaps,
 installAssetsStep,
 generateIgnConfigStep,
@@ -44,18 +44,6 @@ func InstallTLSNewWorkflow(clusterDir string) Workflow {
 }
 }
-// InstallTLSWorkflow creates the TLS assets, previously created by the
-// "assets" step
-func InstallTLSWorkflow(clusterDir string) Workflow {
- return Workflow{
- metadata: metadata{clusterDir: clusterDir},
- steps: []Step{
- refreshConfigStep,
- installTLSAssetsStep,
- },
- }
-}
-
 // InstallAssetsWorkflow creates new instances of the 'assets' workflow,
 // responsible for running the actions necessary to generate cluster assets.
 func InstallAssetsWorkflow(clusterDir string) Workflow {
@@ -106,11 +94,6 @@ func refreshConfigStep(m *metadata) error {
 return generateTerraformVariablesStep(m)
 }
-func installTLSAssetsStep(m *metadata) error {
- return runInstallStep(m, tlsStep)
-
-}
-
 func installAssetsStep(m *metadata) error {
 return runInstallStep(m, assetsStep)
 }
@@ -166,8 +149,8 @@ func generateIgnConfigStep(m *metadata) error {
 }
 func generateTLSConfigStep(m *metadata) error {
- if err := os.MkdirAll(filepath.Join(m.clusterDir, newTLSPath), os.ModeDir|0755); err != nil {
- return fmt.Errorf("failed to create TLS directory at %s", newTLSPath)
+ if err := os.MkdirAll(filepath.Join(m.clusterDir, tlsPath), os.ModeDir|0755); err != nil {
+ return fmt.Errorf("failed to create TLS directory at %s", tlsPath)
 }
 c := configgenerator.New(m.cluster)
diff --git a/installer/pkg/workflow/utils.go b/installer/pkg/workflow/utils.go
index ec4b7d739f6..b52a32d0124 100644
--- a/installer/pkg/workflow/utils.go
+++ b/installer/pkg/workflow/utils.go
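Review bot: The rewritten `MkdirAll` error path still discards the underlying error, so a permission or read-only-filesystem failure is reported only as `failed to create TLS directory at generated/tls`; change it to `return fmt.Errorf("failed to create TLS directory at %s: %v", tlsPath, err)`. Separately, `generated/tls` receives every CA and leaf private key that `GenerateTLSConfig` writes, so `os.ModeDir|0755` makes the directory traversable by every local user and leaves protection entirely to the per-file modes, which are set outside this hunk; `0700` is the safer default unless another process needs to traverse it. `generateTLSConfigStep` continues outside the hunk.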
@@ -22,9 +22,8 @@ const (
 internalFileName = "internal.yaml"
 joinWorkersStep = "joining_workers"
 mastersStep = "masters"
- newTLSStep = "newtls"
+ newTLSStep = "tls"
 stepsBaseDir = "steps"
- tlsStep = "tls"
 tncDNSStep = "tnc_dns"
 topologyStep = "topology"
 )
diff --git a/modules/tls/ca/assets.tf b/modules/tls/ca/assets.tf
deleted file mode 100644
index 8ff5c6c9781..00000000000
--- a/modules/tls/ca/assets.tf
+++ /dev/null
@@ -1,49 +0,0 @@
-resource "local_file" "root_ca_cert" {
- content = "${var.root_ca_cert_pem_path == "" ? join("", tls_self_signed_cert.root_ca.*.cert_pem) : file(local._root_ca_cert_pem_path )}"
- filename = "./generated/tls/root-ca.crt"
-}
-
-resource "local_file" "root_ca_key" {
- content = "${var.root_ca_key_pem_path == "" ? join("", tls_private_key.root_ca.*.private_key_pem) : file(local._root_ca_key_pem_path )}"
- filename = "./generated/tls/root-ca.key"
-}
-
-resource "local_file" "kube_ca_key" {
- content = "${var.kube_ca_key_pem_path == "" ? join("", tls_private_key.kube_ca.*.private_key_pem) : file(local._kube_ca_key_pem_path)}"
- filename = "./generated/tls/kube-ca.key"
-}
-
-resource "local_file" "kube_ca_cert" {
- content = "${var.kube_ca_cert_pem_path == "" ? join("", tls_locally_signed_cert.kube_ca.*.cert_pem) : file(local._kube_ca_cert_pem_path )}"
- filename = "./generated/tls/kube-ca.crt"
-}
-
-resource "local_file" "aggregator_ca_key" {
- content = "${var.aggregator_ca_key_pem_path == "" ? join("", tls_private_key.aggregator_ca.*.private_key_pem) : file(local._aggregator_ca_key_pem_path)}"
- filename = "./generated/tls/aggregator-ca.key"
-}
-
-resource "local_file" "aggregator_ca_cert" {
- content = "${var.aggregator_ca_cert_pem_path == "" ? join("", tls_locally_signed_cert.aggregator_ca.*.cert_pem) : file(local._aggregator_ca_cert_pem_path)}"
- filename = "./generated/tls/aggregator-ca.crt"
-}
-
-resource "local_file" "service_serving_ca_key" {
- content = "${var.service_serving_ca_key_pem_path == "" ? join("", tls_private_key.service_serving_ca.*.private_key_pem) : file(local._service_serving_ca_key_pem_path)}"
- filename = "./generated/tls/service-serving-ca.key"
-}
-
-resource "local_file" "service_serving_ca_cert" {
- content = "${var.service_serving_ca_cert_pem_path == "" ? join("", tls_locally_signed_cert.service_serving_ca.*.cert_pem) : file(local._service_serving_ca_cert_pem_path)}"
- filename = "./generated/tls/service-serving-ca.crt"
-}
-
-resource "local_file" "etcd_ca_key" {
- content = "${var.etcd_ca_key_pem_path == "" ? join("", tls_private_key.etcd_ca.*.private_key_pem) : file(local._etcd_ca_key_pem_path)}"
- filename = "./generated/tls/etcd-client-ca.key"
-}
-
-resource "local_file" "etcd_ca_cert" {
- content = "${var.etcd_ca_cert_pem_path == "" ? join("", tls_locally_signed_cert.etcd_ca.*.cert_pem) : file(local._etcd_ca_cert_pem_path)}"
- filename = "./generated/tls/etcd-client-ca.crt"
-}
diff --git a/modules/tls/ca/main.tf b/modules/tls/ca/main.tf
deleted file mode 100644
index 326f6be3786..00000000000
--- a/modules/tls/ca/main.tf
+++ /dev/null
@@ -1,220 +0,0 @@
-# Root CA (resources/generated/tls/{root-ca.crt})
-locals {
- _root_ca_cert_pem_path = "${var.root_ca_cert_pem_path == "" ? "/dev/null" : var.root_ca_cert_pem_path}"
- _root_ca_key_pem_path = "${var.root_ca_key_pem_path == "" ? "/dev/null" : var.root_ca_key_pem_path}"
- _etcd_ca_cert_pem_path = "${var.etcd_ca_cert_pem_path == "" ? "/dev/null" : var.etcd_ca_cert_pem_path}"
- _etcd_ca_key_pem_path = "${var.etcd_ca_key_pem_path == "" ? "/dev/null" : var.etcd_ca_key_pem_path}"
- _kube_ca_cert_pem_path = "${var.kube_ca_cert_pem_path == "" ? "/dev/null" : var.kube_ca_cert_pem_path}"
- _kube_ca_key_pem_path = "${var.kube_ca_key_pem_path == "" ? "/dev/null" : var.kube_ca_key_pem_path}"
- _aggregator_ca_cert_pem_path = "${var.aggregator_ca_cert_pem_path == "" ? "/dev/null" : var.aggregator_ca_cert_pem_path}"
- _aggregator_ca_key_pem_path = "${var.aggregator_ca_key_pem_path == "" ? "/dev/null" : var.aggregator_ca_key_pem_path}"
- _service_serving_ca_cert_pem_path = "${var.service_serving_ca_cert_pem_path == "" ? "/dev/null" : var.service_serving_ca_cert_pem_path}"
- _service_serving_ca_key_pem_path = "${var.service_serving_ca_key_pem_path == "" ? "/dev/null" : var.service_serving_ca_key_pem_path}"
-}
-
-resource "tls_private_key" "root_ca" {
- count = "${var.root_ca_key_pem_path == "" ? 1 : 0}"
-
- algorithm = "RSA"
- rsa_bits = "2048"
-}
-
-resource "tls_self_signed_cert" "root_ca" {
- count = "${var.root_ca_cert_pem_path == "" ? 1 : 0}"
-
- key_algorithm = "${tls_private_key.root_ca.algorithm}"
- private_key_pem = "${tls_private_key.root_ca.private_key_pem}"
-
- subject {
- common_name = "root-ca"
- organization = "${uuid()}"
- organizational_unit = "tectonic"
- }
-
- is_ca_certificate = true
-
- # root ca defaults to being valid for 10 years.
- validity_period_hours = "87600"
-
- allowed_uses = [
- "key_encipherment",
- "digital_signature",
- "cert_signing",
- ]
-
- lifecycle {
- ignore_changes = ["subject"]
- }
-}
-
-# Intermediate etcd CA (resources/generated/tls/{etcd-ca.crt})
-resource "tls_private_key" "etcd_ca" {
- count = "${var.etcd_ca_key_pem_path == "" ? 1 : 0}"
-
- algorithm = "RSA"
- rsa_bits = "2048"
-}
-
-resource "tls_cert_request" "etcd_ca" {
- count = "${var.etcd_ca_cert_pem_path == "" ? 1 : 0}"
-
- key_algorithm = "${tls_private_key.etcd_ca.algorithm}"
- private_key_pem = "${tls_private_key.etcd_ca.private_key_pem}"
-
- subject {
- common_name = "etcd-ca"
- organization = "${uuid()}"
- organizational_unit = "etcd"
- }
-
- lifecycle {
- ignore_changes = ["subject"]
- }
-}
-
-resource "tls_locally_signed_cert" "etcd_ca" {
- count = "${var.etcd_ca_cert_pem_path == "" ? 1 : 0}"
-
- cert_request_pem = "${tls_cert_request.etcd_ca.cert_request_pem}"
- ca_key_algorithm = "${var.root_ca_cert_pem_path == "" ? join("", tls_self_signed_cert.root_ca.*.key_algorithm) : var.root_ca_key_alg}"
- ca_private_key_pem = "${var.root_ca_cert_pem_path == "" ? join("", tls_private_key.root_ca.*.private_key_pem) : var.root_ca_key_pem_path}"
- ca_cert_pem = "${var.root_ca_cert_pem_path == "" ? join("", tls_self_signed_cert.root_ca.*.cert_pem) : var.root_ca_cert_pem_path}"
- is_ca_certificate = true
-
- # intermediate certs are valid for 3 years.
- validity_period_hours = "26280"
-
- allowed_uses = [
- "key_encipherment",
- "digital_signature",
- "cert_signing",
- ]
-}
-
-# Intermediate kube CA (resources/generated/tls/{kube-ca.crt,kube-ca.key})
-resource "tls_private_key" "kube_ca" {
- count = "${var.kube_ca_key_pem_path == "" ? 1 : 0}"
-
- algorithm = "RSA"
- rsa_bits = "2048"
-}
-
-resource "tls_cert_request" "kube_ca" {
- count = "${var.kube_ca_cert_pem_path == "" ? 1 : 0}"
-
- key_algorithm = "${tls_private_key.kube_ca.algorithm}"
- private_key_pem = "${tls_private_key.kube_ca.private_key_pem}"
-
- subject {
- common_name = "kube-ca"
- organization = "${uuid()}"
- organizational_unit = "bootkube"
- }
-
- lifecycle {
- ignore_changes = ["subject"]
- }
-}
-
-resource "tls_locally_signed_cert" "kube_ca" {
- count = "${var.kube_ca_cert_pem_path == "" ? 1 : 0}"
-
- cert_request_pem = "${tls_cert_request.kube_ca.cert_request_pem}"
-
- ca_key_algorithm = "${var.root_ca_cert_pem_path == "" ? join("", tls_self_signed_cert.root_ca.*.key_algorithm) : var.root_ca_key_alg}"
- ca_private_key_pem = "${var.root_ca_cert_pem_path == "" ? join("", tls_private_key.root_ca.*.private_key_pem) : var.root_ca_key_pem_path}"
- ca_cert_pem = "${var.root_ca_cert_pem_path == "" ? join("", tls_self_signed_cert.root_ca.*.cert_pem) : var.root_ca_cert_pem_path}"
- is_ca_certificate = true
-
- # intermediate certs are valid for 3 years.
- validity_period_hours = "26280"
-
- allowed_uses = [
- "key_encipherment",
- "digital_signature",
- "cert_signing",
- ]
-}
-
-# Intermediate aggregator CA (resources/generated/tls/{aggregator-ca.crt,aggregator-ca.key})
-resource "tls_private_key" "aggregator_ca" {
- count = "${var.aggregator_ca_key_pem_path == "" ? 1 : 0}"
-
- algorithm = "RSA"
- rsa_bits = "2048"
-}
-
-resource "tls_cert_request" "aggregator_ca" {
- count = "${var.aggregator_ca_cert_pem_path == "" ? 1 : 0}"
-
- key_algorithm = "${tls_private_key.aggregator_ca.algorithm}"
- private_key_pem = "${tls_private_key.aggregator_ca.private_key_pem}"
-
- subject {
- common_name = "aggregator"
- organization = "${uuid()}"
- organizational_unit = "bootkube"
- }
-
- lifecycle {
- ignore_changes = ["subject"]
- }
-}
-
-resource "tls_locally_signed_cert" "aggregator_ca" {
- count = "${var.aggregator_ca_cert_pem_path == "" ? 1 : 0}"
-
- cert_request_pem = "${tls_cert_request.aggregator_ca.cert_request_pem}"
- ca_key_algorithm = "${var.root_ca_cert_pem_path == "" ? join("", tls_self_signed_cert.root_ca.*.key_algorithm) : var.root_ca_key_alg}"
- ca_private_key_pem = "${var.root_ca_cert_pem_path == "" ? join("", tls_private_key.root_ca.*.private_key_pem) : var.root_ca_key_pem_path}"
- ca_cert_pem = "${var.root_ca_cert_pem_path == "" ? join("", tls_self_signed_cert.root_ca.*.cert_pem) : var.root_ca_cert_pem_path}"
- is_ca_certificate = true
-
- # intermediate certs are valid for 3 years.
- validity_period_hours = "26280"
-
- allowed_uses = [
- "key_encipherment",
- "digital_signature",
- "cert_signing",
- ]
-}
-
-# Intermediate service serving CA (resources/generated/tls/{service-serving-ca.crt,service-serving-ca.key})
-resource "tls_private_key" "service_serving_ca" {
- algorithm = "RSA"
- rsa_bits = "2048"
-}
-
-resource "tls_cert_request" "service_serving_ca" {
- key_algorithm = "${tls_private_key.service_serving_ca.algorithm}"
- private_key_pem = "${tls_private_key.service_serving_ca.private_key_pem}"
-
- subject {
- common_name = "service-serving"
- organization = "${uuid()}"
- organizational_unit = "bootkube"
- }
-
- lifecycle {
- ignore_changes = ["subject"]
- }
-}
-
-resource "tls_locally_signed_cert" "service_serving_ca" {
- cert_request_pem = "${tls_cert_request.service_serving_ca.cert_request_pem}"
-
- ca_key_algorithm = "${var.root_ca_cert_pem_path == "" ? join("", tls_self_signed_cert.root_ca.*.key_algorithm) : var.root_ca_key_alg}"
- ca_private_key_pem = "${var.root_ca_cert_pem_path == "" ? join("", tls_private_key.root_ca.*.private_key_pem) : var.root_ca_key_pem_path}"
- ca_cert_pem = "${var.root_ca_cert_pem_path == "" ? join("", tls_self_signed_cert.root_ca.*.cert_pem) : var.root_ca_cert_pem_path}"
- is_ca_certificate = true
-
- # intermediate certs are valid for 3 years.
- validity_period_hours = "26280"
-
- allowed_uses = [
- "key_encipherment",
- "digital_signature",
- "cert_signing",
- ]
-}
diff --git a/modules/tls/ca/outputs.tf b/modules/tls/ca/outputs.tf
deleted file mode 100644
index c63bc7f64f1..00000000000
--- a/modules/tls/ca/outputs.tf
+++ /dev/null
@@ -1,74 +0,0 @@
-output "root_ca_cert_pem" {
- value = "${var.root_ca_cert_pem_path == "" ? join("", tls_self_signed_cert.root_ca.*.cert_pem) : file(local._root_ca_cert_pem_path)}"
-}
-
-output "root_ca_key_alg" {
- value = "${var.root_ca_key_alg == "" ? join("", tls_self_signed_cert.root_ca.*.key_algorithm) : var.root_ca_key_alg}"
-}
-
-output "root_ca_key_pem" {
- value = "${var.root_ca_key_pem_path == "" ? join("", tls_private_key.root_ca.*.private_key_pem) : file(local._root_ca_key_pem_path)}"
-}
-
-output "kube_ca_cert_pem" {
- value = "${var.kube_ca_cert_pem_path == "" ? join("", tls_locally_signed_cert.kube_ca.*.cert_pem) : file(local._kube_ca_cert_pem_path)}"
-}
-
-output "kube_ca_key_alg" {
- value = "${var.kube_ca_key_alg == "" ? join("", tls_locally_signed_cert.kube_ca.*.ca_key_algorithm) : var.kube_ca_key_alg}"
-}
-
-output "kube_ca_key_pem" {
- value = "${var.kube_ca_key_pem_path == "" ? join("", tls_private_key.kube_ca.*.private_key_pem) : file(local._kube_ca_key_pem_path)}"
-}
-
-output "aggregator_ca_cert_pem" {
- value = "${var.aggregator_ca_cert_pem_path == "" ? join("", tls_locally_signed_cert.aggregator_ca.*.cert_pem) : file(local._aggregator_ca_cert_pem_path)}"
-}
-
-output "aggregator_ca_key_alg" {
- value = "${var.aggregator_ca_key_alg == "" ? join("", tls_locally_signed_cert.aggregator_ca.*.ca_key_algorithm) : var.aggregator_ca_key_alg}"
-}
-
-output "aggregator_ca_key_pem" {
- value = "${var.aggregator_ca_key_pem_path == "" ? join("", tls_private_key.aggregator_ca.*.private_key_pem) : file(local._aggregator_ca_key_pem_path)}"
-}
-
-output "service_serving_ca_cert_pem" {
- value = "${var.service_serving_ca_cert_pem_path == "" ? join("", tls_locally_signed_cert.service_serving_ca.*.cert_pem) : file(local._service_serving_ca_cert_pem_path)}"
-}
-
-output "service_serving_ca_key_alg" {
- value = "${var.service_serving_ca_key_alg == "" ? join("", tls_locally_signed_cert.service_serving_ca.*.ca_key_algorithm) : var.service_serving_ca_key_alg}"
-}
-
-output "service_serving_ca_key_pem" {
- value = "${var.service_serving_ca_key_pem_path == "" ? join("", tls_private_key.service_serving_ca.*.private_key_pem) : file(local._service_serving_ca_key_pem_path)}"
-}
-
-output "etcd_ca_cert_pem" {
- value = "${var.etcd_ca_cert_pem_path == "" ? join("", tls_locally_signed_cert.etcd_ca.*.cert_pem) : file(local._etcd_ca_cert_pem_path)}"
-}
-
-output "etcd_ca_key_alg" {
- value = "${var.etcd_ca_key_alg == "" ? join("", tls_locally_signed_cert.etcd_ca.*.ca_key_algorithm) : var.etcd_ca_key_alg}"
-}
-
-output "etcd_ca_key_pem" {
- value = "${var.etcd_ca_key_pem_path == "" ? join("", tls_private_key.etcd_ca.*.private_key_pem) : file(local._etcd_ca_key_pem_path)}"
-}
-
-output "id" {
- value = "${sha1("
- ${join(" ",
- list(local_file.root_ca_cert.id,
- local_file.root_ca_key.id,
- local_file.kube_ca_key.id,
- local_file.kube_ca_cert.id,
- local_file.aggregator_ca_key.id,
- local_file.aggregator_ca_cert.id,
- local_file.etcd_ca_key.id,
- local_file.etcd_ca_cert.id)
- )}
- ")}"
-}
diff --git a/modules/tls/ca/variables.tf b/modules/tls/ca/variables.tf
deleted file mode 100644
index e98fcf1c103..00000000000
--- a/modules/tls/ca/variables.tf
+++ /dev/null
@@ -1,79 +0,0 @@
-variable "root_ca_key_alg" {
- description = "Algorithm used to generate root_ca_key (required if root_ca_cert is specified)"
- type = "string"
- default = "RSA"
-}
-
-variable "kube_ca_key_alg" {
- description = "Algorithm used to generate kube_ca_key (required if root_ca_cert is specified)"
- type = "string"
- default = "RSA"
-}
-
-variable "aggregator_ca_key_alg" {
- description = "Algorithm used to generate aggregator_ca_key (required if root_ca_cert is specified)"
- type = "string"
- default = "RSA"
-}
-
-variable "service_serving_ca_key_alg" {
- description = "Algorithm used to generate service_serving_ca_key (required if root_ca_cert is specified)"
- type = "string"
- default = "RSA"
-}
-
-variable "etcd_ca_key_alg" {
- description = "Algorithm used to generate etcd_ca_key (required if root_ca_cert is specified)"
- type = "string"
- default = "RSA"
-}
-
-variable "root_ca_cert_pem_path" {
- type = "string"
- default = ""
-}
-
-variable "root_ca_key_pem_path" {
- type = "string"
- default = ""
-}
-
-variable "etcd_ca_cert_pem_path" {
- type = "string"
- default = ""
-}
-
-variable "etcd_ca_key_pem_path" {
- type = "string"
- default = ""
-}
-
-variable "kube_ca_cert_pem_path" {
- type = "string"
- default = ""
-}
-
-variable "kube_ca_key_pem_path" {
- type = "string"
- default = ""
-}
-
-variable "aggregator_ca_cert_pem_path" {
- type = "string"
- default = ""
-}
-
-variable "aggregator_ca_key_pem_path" {
- type = "string"
- default = ""
-}
-
-variable "service_serving_ca_cert_pem_path" {
- type = "string"
- default = ""
-}
-
-variable "service_serving_ca_key_pem_path" {
- type = "string"
- default = ""
-}
diff --git a/modules/tls/etcd/assets.tf b/modules/tls/etcd/assets.tf
deleted file mode 100644
index 921da25c587..00000000000
--- a/modules/tls/etcd/assets.tf
+++ /dev/null
@@ -1,9 +0,0 @@
-resource "local_file" "etcd_client_cert" {
- content = "${tls_locally_signed_cert.etcd_client.cert_pem}"
- filename = "./generated/tls/etcd-client.crt"
-}
-
-resource "local_file" "etcd_client_key" {
- content = "${tls_private_key.etcd_client.private_key_pem}"
- filename = "./generated/tls/etcd-client.key"
-}
diff --git a/modules/tls/etcd/main.tf b/modules/tls/etcd/main.tf
deleted file mode 100644
index d4f9a1a1fbf..00000000000
--- a/modules/tls/etcd/main.tf
+++ /dev/null
@@ -1,30 +0,0 @@
-# client keys
-# These are used for "api server"-to-etcd and "etcd operator"-to-etcd client communication
-resource "tls_private_key" "etcd_client" {
- algorithm = "RSA"
- rsa_bits = "2048"
-}
-
-resource "tls_cert_request" "etcd_client" {
- key_algorithm = "${tls_private_key.etcd_client.algorithm}"
- private_key_pem = "${tls_private_key.etcd_client.private_key_pem}"
-
- subject {
- common_name = "etcd"
- organization = "etcd"
- }
-}
-
-resource "tls_locally_signed_cert" "etcd_client" {
- cert_request_pem = "${tls_cert_request.etcd_client.cert_request_pem}"
-
- ca_key_algorithm = "${var.etcd_ca_key_alg}"
- ca_private_key_pem = "${var.etcd_ca_key_pem}"
- ca_cert_pem = "${var.etcd_ca_cert_pem}"
- validity_period_hours = "26280"
-
- allowed_uses = [
- "key_encipherment",
- "client_auth",
- ]
-}
diff --git a/modules/tls/etcd/outputs.tf b/modules/tls/etcd/outputs.tf
deleted file mode 100644
index 41b2abcf541..00000000000
--- a/modules/tls/etcd/outputs.tf
+++ /dev/null
@@ -1,16 +0,0 @@
-output "etcd_client_cert_pem" {
- value = "${tls_locally_signed_cert.etcd_client.cert_pem}"
-}
-
-output "etcd_client_key_pem" {
- value = "${tls_private_key.etcd_client.private_key_pem}"
-}
-
-output "id" {
- value = "${sha1("
- ${join(" ",
- list(local_file.etcd_client_cert.id,
- local_file.etcd_client_key.id)
- )}
- ")}"
-}
diff --git a/modules/tls/etcd/variables.tf b/modules/tls/etcd/variables.tf
deleted file mode 100644
index a5aef97464c..00000000000
--- a/modules/tls/etcd/variables.tf
+++ /dev/null
@@ -1,11 +0,0 @@
-variable "etcd_ca_cert_pem" {
- type = "string"
-}
-
-variable "etcd_ca_key_alg" {
- type = "string"
-}
-
-variable "etcd_ca_key_pem" {
- type = "string"
-}
diff --git a/modules/tls/ingress/assets.tf b/modules/tls/ingress/assets.tf
deleted file mode 100644
index 709c4dc119b..00000000000
--- a/modules/tls/ingress/assets.tf
+++ /dev/null
@@ -1,14 +0,0 @@
-resource "local_file" "ca_cert" {
- content = "${var.ca_cert_pem_path == "" ? var.ca_cert_pem : file(local._ca_cert_pem_path)}"
- filename = "./generated/tls/ingress-ca.crt"
-}
-
-resource "local_file" "cert" {
- content = "${var.cert_pem_path == "" ? join("", tls_locally_signed_cert.ingress.*.cert_pem) : file(local._cert_pem_path)}"
- filename = "./generated/tls/ingress.crt"
-}
-
-resource "local_file" "key" {
- content = "${var.key_pem_path == "" ? join("", tls_private_key.ingress.*.private_key_pem) : file(local._key_pem_path)}"
- filename = "./generated/tls/ingress.key"
-}
diff --git a/modules/tls/ingress/main.tf b/modules/tls/ingress/main.tf
deleted file mode 100644
index d74f9a80eff..00000000000
--- a/modules/tls/ingress/main.tf
+++ /dev/null
@@ -1,48 +0,0 @@
-# Workaround for https://github.com/hashicorp/hil/issues/50
-locals {
- _ca_cert_pem_path = "${var.ca_cert_pem_path == "" ? "/dev/null" : var.ca_cert_pem_path}"
- _key_pem_path = "${var.key_pem_path == "" ? "/dev/null" : var.key_pem_path}"
- _cert_pem_path = "${var.cert_pem_path == "" ? "/dev/null" : var.cert_pem_path}"
-}
-
-resource "tls_private_key" "ingress" {
- count = "${var.key_pem_path == "" ? 1 : 0}"
-
- algorithm = "RSA"
- rsa_bits = "2048"
-}
-
-resource "tls_cert_request" "ingress" {
- count = "${var.key_pem_path == "" ? 1 : 0}"
- key_algorithm = "${tls_private_key.ingress.algorithm}"
- private_key_pem = "${tls_private_key.ingress.private_key_pem}"
-
- subject {
- common_name = "${element(split(":", var.base_address), 0)}"
- organization = "ingress"
- }
-
- # subject commonName is deprecated per RFC2818 in favor of
- # subjectAltName
- dns_names = [
- "${element(split(":", var.base_address), 0)}",
- "*.${element(split(":", var.base_address), 0)}",
- ]
-}
-
-resource "tls_locally_signed_cert" "ingress" {
- count = "${var.cert_pem_path == "" ? 1 : 0}"
- cert_request_pem = "${tls_cert_request.ingress.cert_request_pem}"
-
- ca_key_algorithm = "${var.ca_key_alg}"
- ca_private_key_pem = "${var.ca_key_pem}"
- ca_cert_pem = "${var.ca_cert_pem}"
- validity_period_hours = "26280"
-
- allowed_uses = [
- "key_encipherment",
- "digital_signature",
- "server_auth",
- "client_auth",
- ]
-}
diff --git a/modules/tls/ingress/output.tf b/modules/tls/ingress/output.tf
deleted file mode 100644
index e83f20037e1..00000000000
--- a/modules/tls/ingress/output.tf
+++ /dev/null
@@ -1,11 +0,0 @@
-output "ca_cert_pem" {
- value = "${var.ca_cert_pem_path == "" ? var.ca_cert_pem : file(local._ca_cert_pem_path)}"
-}
-
-output "key_pem" {
- value = "${var.key_pem_path == "" ? join("", tls_private_key.ingress.*.private_key_pem) : file(local._key_pem_path)}"
-}
-
-output "cert_pem" {
- value = "${var.cert_pem_path == "" ? join("", tls_locally_signed_cert.ingress.*.cert_pem) : file(local._cert_pem_path)}"
-}
diff --git a/modules/tls/ingress/variables.tf b/modules/tls/ingress/variables.tf
deleted file mode 100644
index 883c5b890ec..00000000000
--- a/modules/tls/ingress/variables.tf
+++ /dev/null
@@ -1,33 +0,0 @@
-variable "base_address" {
- type = "string"
-}
-
-variable "ca_cert_pem" {
- type = "string"
-}
-
-variable "ca_key_pem" {
- type = "string"
-}
-
-variable "ca_key_alg" {
- type = "string"
-}
-
-variable "ca_cert_pem_path" {
- type = "string"
- default = ""
- description = "The path to the public CA certificate used to sign the ingress certificates below."
-}
-
-variable "key_pem_path" {
- type = "string"
- default = ""
- description = "The path to the private ingress key."
-}
-
-variable "cert_pem_path" {
- type = "string"
- default = ""
- description = "The path to the signed public ingress certificate."
-}
diff --git a/modules/tls/kube/admin.tf b/modules/tls/kube/admin.tf
deleted file mode 100644
index 3f333d65a4d..00000000000
--- a/modules/tls/kube/admin.tf
+++ /dev/null
@@ -1,32 +0,0 @@
-# Admin (generated/tls/{admin.key,admin.crt})
-# Used to create kubeconfig (generated/auth/kubeconfig) with admin level privileges.
-resource "tls_private_key" "admin" {
- algorithm = "RSA"
- rsa_bits = "2048"
-}
-
-resource "tls_cert_request" "admin" {
- key_algorithm = "${tls_private_key.admin.algorithm}"
- private_key_pem = "${tls_private_key.admin.private_key_pem}"
-
- subject {
- common_name = "system:admin"
- organization = "system:masters"
- }
-}
-
-resource "tls_locally_signed_cert" "admin" {
- cert_request_pem = "${tls_cert_request.admin.cert_request_pem}"
-
- ca_key_algorithm = "${var.kube_ca_key_alg}"
- ca_private_key_pem = "${var.kube_ca_key_pem}"
- ca_cert_pem = "${var.kube_ca_cert_pem}"
- validity_period_hours = "26280"
-
- allowed_uses = [
- "key_encipherment",
- "digital_signature",
- "server_auth",
- "client_auth",
- ]
-}
diff --git a/modules/tls/kube/api.tf b/modules/tls/kube/api.tf
deleted file mode 100644
index 6103111b0cf..00000000000
--- a/modules/tls/kube/api.tf
+++ /dev/null
@@ -1,89 +0,0 @@
-# Kubernetes API Server (resources/generated/tls/{apiserver.key,apiserver.crt})
-resource "tls_private_key" "apiserver" {
- algorithm = "RSA"
- rsa_bits = "2048"
-}
-
-resource "tls_cert_request" "apiserver" {
- key_algorithm = "${tls_private_key.apiserver.algorithm}"
- private_key_pem = "${tls_private_key.apiserver.private_key_pem}"
-
- subject {
- common_name = "kube-apiserver"
- organization = "kube-master"
- }
-
- dns_names = [
- "${replace(element(split(":", var.kube_apiserver_url), 1), "/", "")}",
- "kubernetes",
- "kubernetes.default",
- "kubernetes.default.svc",
- "kubernetes.default.svc.cluster.local",
- ]
-
- ip_addresses = [
- "${cidrhost(var.service_cidr, 1)}",
- ]
-}
-
-resource "tls_locally_signed_cert" "apiserver" {
- cert_request_pem = "${tls_cert_request.apiserver.cert_request_pem}"
-
- ca_key_algorithm = "${var.kube_ca_key_alg}"
- ca_private_key_pem = "${var.kube_ca_key_pem}"
- ca_cert_pem = "${var.kube_ca_cert_pem}"
- validity_period_hours = "26280"
-
- allowed_uses = [
- "key_encipherment",
- "digital_signature",
- "server_auth",
- "client_auth",
- ]
-}
-
-# Openshift API Server (resources/generated/tls/{openshift-apiserver.key,openshift-apiserver.crt})
-resource "tls_private_key" "openshift_apiserver" {
- algorithm = "RSA"
- rsa_bits = "2048"
-}
-
-resource "tls_cert_request" "openshift_apiserver" {
- key_algorithm = "${tls_private_key.openshift_apiserver.algorithm}"
- private_key_pem = "${tls_private_key.openshift_apiserver.private_key_pem}"
-
- subject {
- common_name = "openshift-apiserver"
- organization = "kube-master"
- }
-
- dns_names = [
- "${replace(element(split(":", var.kube_apiserver_url), 1), "/", "")}",
- "openshift-apiserver",
- "openshift-apiserver.kube-system",
- "openshift-apiserver.kube-system.svc",
- "openshift-apiserver.kube-system.svc.cluster.local",
- "localhost",
- "127.0.0.1",
- ]
-
- ip_addresses = [
- "${cidrhost(var.service_cidr, 1)}",
- ]
-}
-
-resource "tls_locally_signed_cert" "openshift_apiserver" {
- cert_request_pem = "${tls_cert_request.openshift_apiserver.cert_request_pem}"
-
- ca_key_algorithm = "${var.aggregator_ca_key_alg}"
- ca_private_key_pem = "${var.aggregator_ca_key_pem}"
- ca_cert_pem = "${var.aggregator_ca_cert_pem}"
- validity_period_hours = "26280"
-
- allowed_uses = [
- "key_encipherment",
- "digital_signature",
- "server_auth",
- "client_auth",
- ]
-}
diff --git a/modules/tls/kube/api_proxy.tf b/modules/tls/kube/api_proxy.tf
deleted file mode 100644
index 3ad5c2e7ea2..00000000000
--- a/modules/tls/kube/api_proxy.tf
+++ /dev/null
@@ -1,30 +0,0 @@
-# Kubernetes API Server Proxy (resources/generated/tls/{apiserver-proxy.key,apiserver-proxy.crt})
-resource "tls_private_key" "apiserver_proxy" {
- algorithm = "RSA"
- rsa_bits = "2048"
-}
-
-resource "tls_cert_request" "apiserver_proxy" {
- key_algorithm = "${tls_private_key.apiserver_proxy.algorithm}"
- private_key_pem = "${tls_private_key.apiserver_proxy.private_key_pem}"
-
- subject {
- common_name = "kube-apiserver-proxy"
- organization = "kube-master"
- }
-}
-
-resource "tls_locally_signed_cert" "apiserver_proxy" {
- cert_request_pem = "${tls_cert_request.apiserver_proxy.cert_request_pem}"
-
- ca_key_algorithm = "${var.aggregator_ca_key_alg}"
- ca_private_key_pem = "${var.aggregator_ca_key_pem}"
- ca_cert_pem = "${var.aggregator_ca_cert_pem}"
- validity_period_hours = "26280"
-
- allowed_uses = [
- "key_encipherment",
- "digital_signature",
- "client_auth",
- ]
-}
diff --git a/modules/tls/kube/assets.tf b/modules/tls/kube/assets.tf
deleted file mode 100644
index 583b491dd30..00000000000
--- a/modules/tls/kube/assets.tf
+++ /dev/null
@@ -1,57 +0,0 @@
-resource "local_file" "apiserver_key" {
- content = "${tls_private_key.apiserver.private_key_pem}"
- filename = "./generated/tls/apiserver.key"
-}
-
-data "template_file" "apiserver_cert" {
- template = "${join("", list(tls_locally_signed_cert.apiserver.cert_pem, var.kube_ca_cert_pem))}"
-}
-
-resource "local_file" "apiserver_cert" {
- content = "${data.template_file.apiserver_cert.rendered}"
- filename = "./generated/tls/apiserver.crt"
-}
-
-resource "local_file" "openshift_apiserver_key" {
- content = "${tls_private_key.openshift_apiserver.private_key_pem}"
- filename = "./generated/tls/openshift-apiserver.key"
-}
-
-data "template_file" "openshift_apiserver_cert" {
- template = "${join("", list(tls_locally_signed_cert.openshift_apiserver.cert_pem, var.aggregator_ca_cert_pem))}"
-}
-
-resource "local_file" "openshift_apiserver_cert" {
- content = "${data.template_file.openshift_apiserver_cert.rendered}"
- filename = "./generated/tls/openshift-apiserver.crt"
-}
-
-resource "local_file" "apiserver_proxy_key" {
- content = "${tls_private_key.apiserver_proxy.private_key_pem}"
- filename = "./generated/tls/apiserver-proxy.key"
-}
-
-resource "local_file" "apiserver_proxy_cert" {
- content = "${tls_locally_signed_cert.apiserver_proxy.cert_pem}"
- filename = "./generated/tls/apiserver-proxy.crt"
-}
-
-resource "local_file" "admin_key" {
- content = "${tls_private_key.admin.private_key_pem}"
- filename = "./generated/tls/admin.key"
-}
-
-resource "local_file" "admin_cert" {
- content = "${tls_locally_signed_cert.admin.cert_pem}"
- filename = "./generated/tls/admin.crt"
-}
-
-resource "local_file" "kubelet_key" {
- content = "${tls_private_key.kubelet.private_key_pem}"
- filename = "./generated/tls/kubelet.key"
-}
-
-resource "local_file" "kubelet_cert" {
- content = "${tls_locally_signed_cert.kubelet.cert_pem}"
- filename = "./generated/tls/kubelet.crt"
-}
diff --git a/modules/tls/kube/kubelet.tf b/modules/tls/kube/kubelet.tf
deleted file mode 100644
index 64d645292cf..00000000000
--- a/modules/tls/kube/kubelet.tf
+++ /dev/null
@@ -1,33 +0,0 @@
-# kubelet (generated/tls/{kubelet.key,kubelet.crt})
-# Used to create kubeconfig (generated/auth/kubeconfig-kubelet) with CSR only privileges.
-resource "tls_private_key" "kubelet" {
- algorithm = "RSA"
- rsa_bits = "2048"
-}
-
-resource "tls_cert_request" "kubelet" {
- key_algorithm = "${tls_private_key.kubelet.algorithm}"
- private_key_pem = "${tls_private_key.kubelet.private_key_pem}"
-
- subject {
- common_name = "system:serviceaccount:kube-system:default"
- organization = "system:serviceaccounts:kube-system"
- }
-}
-
-resource "tls_locally_signed_cert" "kubelet" {
- cert_request_pem = "${tls_cert_request.kubelet.cert_request_pem}"
-
- ca_key_algorithm = "${var.kube_ca_key_alg}"
- ca_private_key_pem = "${var.kube_ca_key_pem}"
- ca_cert_pem = "${var.kube_ca_cert_pem}"
-
- # want bootstrap node to rotate certificate as soon as possible for the first time
- validity_period_hours = "1"
-
- allowed_uses = [
- "key_encipherment",
- "digital_signature",
- "client_auth",
- ]
-}
diff --git a/modules/tls/kube/outputs.tf b/modules/tls/kube/outputs.tf
deleted file mode 100644
index 3104fca5875..00000000000
--- a/modules/tls/kube/outputs.tf
+++ /dev/null
@@ -1,56 +0,0 @@
-output "admin_cert_pem" {
- value = "${tls_locally_signed_cert.admin.cert_pem}"
-}
-
-output "admin_key_pem" {
- value = "${tls_private_key.admin.private_key_pem}"
-}
-
-output "kubelet_cert_pem" {
- value = "${tls_locally_signed_cert.kubelet.cert_pem}"
-}
-
-output "kubelet_key_pem" {
- value = "${tls_private_key.kubelet.private_key_pem}"
-}
-
-output "apiserver_cert_pem" {
- value = "${data.template_file.apiserver_cert.rendered}"
-}
-
-output "apiserver_key_pem" {
- value = "${tls_private_key.apiserver.private_key_pem}"
-}
-
-output "openshift_apiserver_cert_pem" {
- value = "${data.template_file.openshift_apiserver_cert.rendered}"
-}
-
-output "openshift_apiserver_key_pem" {
- value = "${tls_private_key.openshift_apiserver.private_key_pem}"
-}
-
-output "apiserver_proxy_cert_pem" {
- value = "${tls_locally_signed_cert.apiserver_proxy.cert_pem}"
-}
-
-output "apiserver_proxy_key_pem" {
- value = "${tls_private_key.apiserver_proxy.private_key_pem}"
-}
-
-output "id" {
- value = "${sha1("
- ${join(" ",
- list(local_file.apiserver_key.id,
- local_file.apiserver_cert.id,
- local_file.openshift_apiserver_key.id,
- local_file.openshift_apiserver_cert.id,
- local_file.apiserver_proxy_key.id,
- local_file.apiserver_proxy_cert.id,
- local_file.admin_key.id,
- local_file.admin_cert.id,
- local_file.kubelet_key.id,
- local_file.kubelet_cert.id,)
- )}
- ")}"
-}
diff --git a/modules/tls/kube/variables.tf b/modules/tls/kube/variables.tf
deleted file mode 100644
index fac0b1451c9..00000000000
--- a/modules/tls/kube/variables.tf
+++ /dev/null
@@ -1,52 +0,0 @@
-variable "kube_ca_cert_pem" {
- description = "PEM-encoded CA certificate"
- type = "string"
-}
-
-variable "kube_ca_key_alg" {
- description = "Algorithm used to generate kube_ca_key"
- type = "string"
-}
-
-variable "kube_ca_key_pem" {
- description = "PEM-encoded CA key"
- type = "string"
-}
-
-variable "aggregator_ca_cert_pem" {
- description = "PEM-encoded CA certificate"
- type = "string"
-}
-
-variable "aggregator_ca_key_alg" {
- description = "Algorithm used to generate aggregator_ca_key"
- type = "string"
-}
-
-variable "aggregator_ca_key_pem" {
- description = "PEM-encoded CA key"
- type = "string"
-}
-
-variable "service_serving_ca_cert_pem" {
- description = "PEM-encoded CA certificate"
- type = "string"
-}
-
-variable "service_serving_ca_key_alg" {
- description = "Algorithm used to generate service_serving_ca_key"
- type = "string"
-}
-
-variable "service_serving_ca_key_pem" {
- description = "PEM-encoded CA key"
- type = "string"
-}
-
-variable "kube_apiserver_url" {
- type = "string"
-}
-
-variable "service_cidr" {
- type = "string"
-}
diff --git a/modules/tls/tnc/assets.tf b/modules/tls/tnc/assets.tf
deleted file mode 100644
index 69a871a5030..00000000000
--- a/modules/tls/tnc/assets.tf
+++ /dev/null
@@ -1,9 +0,0 @@
-resource "local_file" "tnc_cert" {
- content = "${tls_locally_signed_cert.tnc.cert_pem}"
- filename = "./generated/tls/tnc.crt"
-}
-
-resource "local_file" "tnc_key" {
- content = "${tls_private_key.tnc.private_key_pem}"
- filename = "./generated/tls/tnc.key"
-}
diff --git a/modules/tls/tnc/main.tf b/modules/tls/tnc/main.tf
deleted file mode 100644
index e464eac152b..00000000000
--- a/modules/tls/tnc/main.tf
+++ /dev/null
@@ -1,31 +0,0 @@
-# These are used for Ignition-to-TNC communication
-resource "tls_private_key" "tnc" {
- algorithm = "RSA"
- rsa_bits = "2048"
-}
-
-resource "tls_cert_request" "tnc" {
- key_algorithm = "${tls_private_key.tnc.algorithm}"
- private_key_pem = "${tls_private_key.tnc.private_key_pem}"
-
- subject {
- common_name = "${var.domain}"
- }
-
- dns_names = [
- "${var.domain}",
- ]
-}
-
-resource "tls_locally_signed_cert" "tnc" {
- cert_request_pem = "${tls_cert_request.tnc.cert_request_pem}"
-
- ca_key_algorithm = "${var.ca_key_alg}"
- ca_private_key_pem = "${var.ca_key_pem}"
- ca_cert_pem = "${var.ca_cert_pem}"
- validity_period_hours = "26280"
-
- allowed_uses = [
- "server_auth",
- ]
-}
diff --git a/modules/tls/tnc/outputs.tf b/modules/tls/tnc/outputs.tf
deleted file mode 100644
index 10b413c86fb..00000000000
--- a/modules/tls/tnc/outputs.tf
+++ /dev/null
@@ -1,16 +0,0 @@
-output "tnc_cert_pem" {
- value = "${tls_locally_signed_cert.tnc.cert_pem}"
-}
-
-output "tnc_key_pem" {
- value = "${tls_private_key.tnc.private_key_pem}"
-}
-
-output "id" {
- value = "${sha1("
- ${join(" ",
- list(local_file.tnc_cert.id,
- local_file.tnc_key.id)
- )}
- ")}"
-}
diff --git a/modules/tls/tnc/variables.tf b/modules/tls/tnc/variables.tf
deleted file mode 100644
index 3de918997b0..00000000000
--- a/modules/tls/tnc/variables.tf
+++ /dev/null
@@ -1,15 +0,0 @@
-variable "domain" {
- type = "string"
-}
-
-variable "ca_cert_pem" {
- type = "string"
-}
-
-variable "ca_key_alg" {
- type = "string"
-}
-
-variable "ca_key_pem" {
- type = "string"
-}
diff --git a/steps/tls/config.tf b/steps/tls/config.tf
deleted file mode 120000
index a040ec375dc..00000000000
--- a/steps/tls/config.tf
+++ /dev/null
@@ -1 +0,0 @@
-../../config.tf
\ No newline at end of file
diff --git a/steps/tls/main.tf b/steps/tls/main.tf
deleted file mode 100644
index 65c97bf4ec5..00000000000
--- a/steps/tls/main.tf
+++ /dev/null
@@ -1,55 +0,0 @@
-locals {
- api_internal_fqdn = "${var.tectonic_cluster_name}-api.${var.tectonic_base_domain}"
- ingress_internal_fqdn = "${var.tectonic_cluster_name}.${var.tectonic_base_domain}"
- tnc_fqdn = "${var.tectonic_cluster_name}-tnc.${var.tectonic_base_domain}"
-}
-
-module "ca_certs" {
- source = "../../modules/tls/ca"
-
- root_ca_cert_pem_path = "${var.tectonic_ca_cert}"
- root_ca_key_alg = "${var.tectonic_ca_key_alg}"
- root_ca_key_pem_path = "${var.tectonic_ca_key}"
-}
-
-module "kube_certs" {
- source = "../../modules/tls/kube"
-
- kube_ca_cert_pem = "${module.ca_certs.kube_ca_cert_pem}"
- kube_ca_key_alg = "${module.ca_certs.kube_ca_key_alg}"
- kube_ca_key_pem = "${module.ca_certs.kube_ca_key_pem}"
- aggregator_ca_cert_pem = "${module.ca_certs.aggregator_ca_cert_pem}"
- aggregator_ca_key_alg = "${module.ca_certs.aggregator_ca_key_alg}"
- aggregator_ca_key_pem = "${module.ca_certs.aggregator_ca_key_pem}"
- service_serving_ca_cert_pem = "${module.ca_certs.service_serving_ca_cert_pem}"
- service_serving_ca_key_alg = "${module.ca_certs.service_serving_ca_key_alg}"
- service_serving_ca_key_pem = "${module.ca_certs.service_serving_ca_key_pem}"
- kube_apiserver_url = "https://${local.api_internal_fqdn}:6443"
- service_cidr = "${var.tectonic_service_cidr}"
-}
-
-module "etcd_certs" {
- source = "../../modules/tls/etcd"
-
- etcd_ca_cert_pem = "${module.ca_certs.etcd_ca_cert_pem}"
- etcd_ca_key_alg = "${module.ca_certs.etcd_ca_key_alg}"
- etcd_ca_key_pem = "${module.ca_certs.etcd_ca_key_pem}"
-}
-
-module "ingress_certs" {
- source = "../../modules/tls/ingress"
-
- base_address = "${local.ingress_internal_fqdn}"
- ca_cert_pem = "${module.ca_certs.kube_ca_cert_pem}"
- ca_key_alg = "${module.ca_certs.kube_ca_key_alg}"
- ca_key_pem = "${module.ca_certs.kube_ca_key_pem}"
-}
-
-module "tnc_certs" {
- source = "../../modules/tls/tnc"
-
- domain = "${local.tnc_fqdn}"
- ca_cert_pem = "${module.ca_certs.root_ca_cert_pem}"
- ca_key_alg = "${module.ca_certs.root_ca_key_alg}"
- ca_key_pem = "${module.ca_certs.root_ca_key_pem}"
-}