Add TLS support for backup-restore server

Signed-off-by: Shreyas Rao <[email protected]>
gardener · Oct 16, 2019 · 1255967 · 1255967
1 parent d183b99
commit 1255967
Show file tree

Hide file tree

Showing 12 changed files with 495 additions and 68 deletions.
diff --git a/README.md b/README.md
@@ -13,6 +13,7 @@ Etcd-backup-restore is collection of components to backup and restore the [etcd]
 * [Getting started](doc/usage/getting_started.md)
 * [Manual restoration](doc/usage/manual_restoration.md)
 * [Monitoring](doc/usage/metrics.md)
+* [Generating SSL certificates](doc/usage/generating_ssl_certificates.md)
 
 ### Design and Proposals
 

diff --git a/chart/etcd-backup-restore/templates/etcd-bootstrap-configmap.yaml b/chart/etcd-backup-restore/templates/etcd-bootstrap-configmap.yaml
@@ -13,6 +13,13 @@ data:
     #!/bin/sh
     VALIDATION_MARKER=/var/etcd/data/validation_marker
 
+{{- if .Values.backupRestoreTLS }}
+    # install wget from apk in order to pass --ca-certificate flag because
+    # busybox wget only has bare minimum features, without --ca-certificate option
+    apk update
+    apk add wget
+{{- end }}
+
     trap_and_propagate() {
         PID=$1
         shift
@@ -35,11 +42,11 @@ data:
     check_and_start_etcd(){
           while true;
           do
-            wget "http://localhost:{{ .Values.servicePorts.backupRestore }}/initialization/status" -S -O status;
+            wget {{ if .Values.backupRestoreTLS }}--ca-certificate=/var/etcdbr/ssl/ca/ca.crt "https{{ else }}"http{{ end }}://localhost:{{ .Values.servicePorts.backupRestore }}/initialization/status" -S -O status;
             STATUS=`cat status`;
             case $STATUS in
             "New")
-                  wget "http://localhost:{{ .Values.servicePorts.backupRestore }}/initialization/start?mode=$1{{- if .Values.backup.failBelowRevision }}&failbelowrevision={{ int $.Values.backup.failBelowRevision }}{{- end }}" -S -O - ;;
+                  wget {{ if .Values.backupRestoreTLS }}--ca-certificate=/var/etcdbr/ssl/ca/ca.crt "https{{ else }}"http{{ end }}://localhost:{{ .Values.servicePorts.backupRestore }}/initialization/start?mode=$1{{- if .Values.backup.failBelowRevision }}&failbelowrevision={{ int $.Values.backup.failBelowRevision }}{{- end }}" -S -O - ;;
             "Progress")
                   sleep 1;
                   continue;;
@@ -95,19 +102,19 @@ data:
     {{- end }}
 
     # List of comma separated URLs to listen on for client traffic.
-    listen-client-urls: {{ if .Values.tls }}https{{ else }}http{{ end }}://0.0.0.0:{{ .Values.servicePorts.client }}
+    listen-client-urls: {{ if .Values.etcdTLS }}https{{ else }}http{{ end }}://0.0.0.0:{{ .Values.servicePorts.client }}
 
     # List of this member's client URLs to advertise to the public.
     # The URLs needed to be a comma-separated list.
-    advertise-client-urls: {{ if .Values.tls }}https{{ else }}http{{ end }}://0.0.0.0:{{ .Values.servicePorts.client }}
+    advertise-client-urls: {{ if .Values.etcdTLS }}https{{ else }}http{{ end }}://0.0.0.0:{{ .Values.servicePorts.client }}
 
     # Initial cluster token for the etcd cluster during bootstrap.
     initial-cluster-token: 'new'
 
     # Initial cluster state ('new' or 'existing').
     initial-cluster-state: 'new'
 
-{{- if .Values.tls }}
+{{- if .Values.etcdTLS }}
     client-transport-security:
       # Path to the client server TLS cert file.
       cert-file: /var/etcd/ssl/tls/tls.crt

diff --git a/chart/etcd-backup-restore/templates/etcd-ca-secret.yaml b/chart/etcd-backup-restore/templates/etcd-ca-secret.yaml
@@ -1,5 +1,6 @@
-{{- if .Values.tls }}
+{{- if .Values.etcdTLS }}
 apiVersion: v1
+kind: Secret
 metadata:
   name: {{ .Release.Name }}-etcd-ca
   namespace: {{ .Release.Namespace }}
@@ -9,6 +10,5 @@ metadata:
     app.kubernetes.io/instance: {{ .Release.Name }}
 type: Opaque
 data:
-  ca.crt: {{ .Values.tls.caBundle | b64enc }}
-kind: Secret
+  ca.crt: {{ .Values.etcdTLS.caBundle | b64enc }}
 {{- end }}
diff --git a/chart/etcd-backup-restore/templates/etcd-statefulset.yaml b/chart/etcd-backup-restore/templates/etcd-statefulset.yaml
@@ -35,6 +35,9 @@ spec:
         - /var/etcd/bin/bootstrap.sh
         readinessProbe:
           httpGet:
+{{- if .Values.backupRestoreTLS }}
+            scheme: HTTPS
+{{- end }}
             path: /healthz
             port: {{ .Values.servicePorts.backupRestore }}
           initialDelaySeconds: 5
@@ -46,10 +49,12 @@ spec:
             - -ec
             - ETCDCTL_API=3
             - etcdctl
+{{ if .Values.etcdTLS }}
             - --cert=/var/etcd/ssl/tls/tls.crt
             - --key=/var/etcd/ssl/tls/tls.key
             - --cacert=/var/etcd/ssl/ca/ca.crt
-            - --endpoints={{ if .Values.tls }}https{{ else }}http{{ end }}://{{ .Release.Name }}-etcd-0:{{ .Values.servicePorts.client }}
+{{ end }}
+            - --endpoints={{ if .Values.etcdTLS }}https{{ else }}http{{ end }}://{{ .Release.Name }}-etcd-0:{{ .Values.servicePorts.client }}
 {{- if and .Values.etcdAuth.username .Values.etcdAuth.password }}
             - --user={{ .Values.etcdAuth.username }}:{{ .Values.etcdAuth.password }}
 {{- end }}
@@ -73,11 +78,15 @@ spec:
           mountPath: /var/etcd/bin/
         - name: etcd-config-file
           mountPath: /var/etcd/config/
-{{- if .Values.tls }}
+{{- if .Values.etcdTLS }}
         - name: ca-etcd
           mountPath: /var/etcd/ssl/ca
         - name: etcd-tls
           mountPath: /var/etcd/ssl/tls
+{{- end }}
+{{- if .Values.backupRestoreTLS }}
+        - name: ca-etcdbr
+          mountPath: /var/etcdbr/ssl/ca
 {{- end }}
       - name: backup-restore
         command:
@@ -94,7 +103,7 @@ spec:
 {{- if .Values.backup.etcdQuotaBytes }}
         - --embedded-etcd-quota-bytes={{ int $.Values.backup.etcdQuotaBytes }}
 {{- end }}
-{{- if .Values.tls }}
+{{- if .Values.etcdTLS }}
         - --cert=/var/etcd/ssl/tls/tls.crt
         - --key=/var/etcd/ssl/tls/tls.key
         - --cacert=/var/etcd/ssl/ca/ca.crt
@@ -115,6 +124,10 @@ spec:
 {{- if and .Values.etcdAuth.username .Values.etcdAuth.password }}
         - --etcd-username={{ .Values.etcdAuth.username }}
         - --etcd-password={{ .Values.etcdAuth.password }}
+{{- end }}
+{{- if .Values.backupRestoreTLS }}
+        - --server-cert=/var/etcdbr/ssl/tls/tls.crt
+        - --server-key=/var/etcdbr/ssl/tls/tls.key
 {{- end }}
         image: {{ .Values.images.etcdBackupRestore.repository }}:{{ .Values.images.etcdBackupRestore.tag }}
         imagePullPolicy: {{ .Values.images.etcdBackupRestore.pullPolicy }}
@@ -205,12 +218,18 @@ spec:
           mountPath: /var/etcd/data/
         - name: etcd-config-file
           mountPath: /var/etcd/config/
-{{- if .Values.tls }}
+{{- if .Values.etcdTLS }}
         - name: ca-etcd
           mountPath: /var/etcd/ssl/ca
         - name: etcd-tls
           mountPath: /var/etcd/ssl/tls
 {{- end }}
+{{- if .Values.backupRestoreTLS }}
+        - name: ca-etcdbr
+          mountPath: /var/etcdbr/ssl/ca
+        - name: etcdbr-tls
+          mountPath: /var/etcdbr/ssl/tls
+{{- end }}
 {{- if eq .Values.backup.storageProvider "GCS" }}
         - name: etcd-backup
           mountPath: "/root/.gcp/"
@@ -230,13 +249,21 @@ spec:
           items:
           - key: etcd.conf.yaml
             path: etcd.conf.yaml
-{{- if .Values.tls }}
+{{- if .Values.etcdTLS }}
+      - name: ca-etcd
+        secret:
+          secretName: {{ .Release.Name }}-etcd-ca
       - name: etcd-tls
         secret:
           secretName: {{ .Release.Name }}-etcd-tls
-      - name: ca-etcd
+{{- end }}
+{{- if .Values.backupRestoreTLS }}
+      - name: ca-etcdbr
         secret:
-          secretName: {{ .Release.Name }}-etcd-ca
+          secretName: {{ .Release.Name }}-etcdbr-ca
+      - name: etcdbr-tls
+        secret:
+          secretName: {{ .Release.Name }}-etcdbr-tls
 {{- end }}
 {{- if and .Values.backup.storageProvider (not (eq .Values.backup.storageProvider "Local")) }}
       - name: etcd-backup

diff --git a/chart/etcd-backup-restore/templates/etcd-tls-secret.yaml b/chart/etcd-backup-restore/templates/etcd-tls-secret.yaml
@@ -1,4 +1,4 @@
-{{- if .Values.tls }}
+{{- if .Values.etcdTLS }}
 apiVersion: v1
 kind: Secret
 metadata:
@@ -10,6 +10,6 @@ metadata:
     app.kubernetes.io/instance: {{ .Release.Name }}
 type: kubernetes.io/tls
 data:
-  tls.crt: {{ .Values.tls.crt | b64enc }}
-  tls.key: {{ .Values.tls.key | b64enc }}
+  tls.crt: {{ .Values.etcdTLS.crt | b64enc }}
+  tls.key: {{ .Values.etcdTLS.key | b64enc }}
 {{- end }}
diff --git a/chart/etcd-backup-restore/templates/etcdbr-ca-secret.yaml b/chart/etcd-backup-restore/templates/etcdbr-ca-secret.yaml
@@ -0,0 +1,14 @@
+{{- if .Values.backupRestoreTLS }}
+apiVersion: v1
+kind: Secret
+metadata:
+  name: {{ .Release.Name }}-etcdbr-ca
+  namespace: {{ .Release.Namespace }}
+  labels:
+    app.kubernetes.io/name: etcd
+    app.kubernetes.io/managed-by: {{ .Release.Service }}
+    app.kubernetes.io/instance: {{ .Release.Name }}
+type: Opaque
+data:
+  ca.crt: {{ .Values.backupRestoreTLS.caBundle | b64enc }}
+{{- end }}
diff --git a/chart/etcd-backup-restore/templates/etcdbr-tls-secret.yaml b/chart/etcd-backup-restore/templates/etcdbr-tls-secret.yaml
@@ -0,0 +1,15 @@
+{{- if .Values.backupRestoreTLS }}
+apiVersion: v1
+kind: Secret
+metadata:
+  name: {{ .Release.Name }}-etcdbr-tls
+  namespace: {{ .Release.Namespace }}
+  labels:
+    app.kubernetes.io/name: etcd
+    app.kubernetes.io/managed-by: {{ .Release.Service }}
+    app.kubernetes.io/instance: {{ .Release.Name }}
+type: kubernetes.io/tls
+data:
+  tls.crt: {{ .Values.backupRestoreTLS.crt | b64enc }}
+  tls.key: {{ .Values.backupRestoreTLS.key | b64enc }}
+{{- end }}