Add TLS support for backup-restore server

Signed-off-by: Shreyas Rao <[email protected]>
gardener · Sep 3, 2019 · 63b25a7 · 63b25a7
1 parent 8639d21
commit 63b25a7
Show file tree

Hide file tree

Showing 10 changed files with 193 additions and 64 deletions.
diff --git a/chart/etcd-backup-restore/templates/etcd-bootstrap-configmap.yaml b/chart/etcd-backup-restore/templates/etcd-bootstrap-configmap.yaml
@@ -13,6 +13,13 @@ data:
     #!/bin/sh
     VALIDATION_MARKER=/var/etcd/data/validation_marker
 
+{{- if .Values.backupRestoreTls }}
+    # install wget from apk to pass backup-restore server CA cert via --ca-certificate flag
+    # because busybox wget only has bare minimum features, without --ca-certificate option
+    apk update
+    apk add wget
+{{- end }}
+
     trap_and_propagate() {
         PID=$1
         shift
@@ -35,11 +42,11 @@ data:
     check_and_start_etcd(){
           while true;
           do
-            wget "http://localhost:{{ .Values.servicePorts.backupRestore }}/initialization/status" -S -O status;
+            wget {{ if .Values.backupRestoreTls }}--ca-certificate /var/etcdbr/tls/ca/ca.crt "https{{ else }}"http{{ end }}://localhost:{{ .Values.servicePorts.backupRestore }}/initialization/status" -S -O status;
             STATUS=`cat status`;
             case $STATUS in
             "New")
-                  wget "http://localhost:{{ .Values.servicePorts.backupRestore }}/initialization/start?mode=$1{{- if .Values.backup.failBelowRevision }}&failbelowrevision={{ int $.Values.backup.failBelowRevision }}{{- end }}" -S -O - ;;
+                  wget {{ if .Values.backupRestoreTls }}--ca-certificate /var/etcdbr/tls/ca/ca.crt "https{{ else }}"http{{ end }}://localhost:{{ .Values.servicePorts.backupRestore }}/initialization/start?mode=$1{{- if .Values.backup.failBelowRevision }}&failbelowrevision={{ int $.Values.backup.failBelowRevision }}{{- end }}" -S -O - ;;
             "Progress")
                   sleep 1;
                   continue;;
@@ -91,19 +98,19 @@ data:
     {{- end }}
 
     # List of comma separated URLs to listen on for client traffic.
-    listen-client-urls: {{ if .Values.tls }}https{{ else }}http{{ end }}://0.0.0.0:{{ .Values.servicePorts.client }}
+    listen-client-urls: {{ if .Values.etcdTls }}https{{ else }}http{{ end }}://0.0.0.0:{{ .Values.servicePorts.client }}
 
     # List of this member's client URLs to advertise to the public.
     # The URLs needed to be a comma-separated list.
-    advertise-client-urls: {{ if .Values.tls }}https{{ else }}http{{ end }}://0.0.0.0:{{ .Values.servicePorts.client }}
+    advertise-client-urls: {{ if .Values.etcdTls }}https{{ else }}http{{ end }}://0.0.0.0:{{ .Values.servicePorts.client }}
 
     # Initial cluster token for the etcd cluster during bootstrap.
     initial-cluster-token: 'new'
 
     # Initial cluster state ('new' or 'existing').
     initial-cluster-state: 'new'
 
-{{- if .Values.tls }}
+{{- if .Values.etcdTls }}
     client-transport-security:
       # Path to the client server TLS cert file.
       cert-file: /var/etcd/ssl/tls/tls.crt

diff --git a/chart/etcd-backup-restore/templates/etcd-ca-secret.yaml b/chart/etcd-backup-restore/templates/etcd-ca-secret.yaml
@@ -1,5 +1,6 @@
-{{- if .Values.tls }}
+{{- if .Values.etcdTls }}
 apiVersion: v1
+kind: Secret
 metadata:
   name: {{ .Release.Name }}-etcd-ca
   namespace: {{ .Release.Namespace }}
@@ -9,6 +10,5 @@ metadata:
     app.kubernetes.io/instance: {{ .Release.Name }}
 type: Opaque
 data:
-  ca.crt: {{ .Values.tls.caBundle | b64enc }}
-kind: Secret
+  ca.crt: {{ .Values.etcdTls.caBundle | b64enc }}
 {{- end }}
diff --git a/chart/etcd-backup-restore/templates/etcd-statefulset.yaml b/chart/etcd-backup-restore/templates/etcd-statefulset.yaml
@@ -35,6 +35,9 @@ spec:
         - /var/etcd/bin/bootstrap.sh
         readinessProbe:
           httpGet:
+{{- if .Values.backupRestoreTls }}
+            scheme: HTTPS
+{{- end }}
             path: /healthz
             port: {{ .Values.servicePorts.backupRestore }}
           initialDelaySeconds: 5
@@ -46,10 +49,12 @@ spec:
             - -ec
             - ETCDCTL_API=3
             - etcdctl
+{{ if .Values.etcdTls }}
             - --cert=/var/etcd/ssl/tls/tls.crt
             - --key=/var/etcd/ssl/tls/tls.key
             - --cacert=/var/etcd/ssl/ca/ca.crt
-            - --endpoints={{ if .Values.tls }}https{{ else }}http{{ end }}://{{ .Release.Name }}-etcd-0:{{ .Values.servicePorts.client }}
+{{ end }}
+            - --endpoints={{ if .Values.etcdTls }}https{{ else }}http{{ end }}://{{ .Release.Name }}-etcd-0:{{ .Values.servicePorts.client }}
 {{- if and .Values.etcdAuth.username .Values.etcdAuth.password }}
             - --user={{ .Values.etcdAuth.username }}:{{ .Values.etcdAuth.password }}
 {{- end }}            
@@ -73,11 +78,15 @@ spec:
           mountPath: /var/etcd/bin/
         - name: etcd-config-file
           mountPath: /var/etcd/config/
-{{- if .Values.tls }}
+{{- if .Values.etcdTls }}
         - name: ca-etcd
           mountPath: /var/etcd/ssl/ca
         - name: etcd-tls
           mountPath: /var/etcd/ssl/tls
+{{- end }}
+{{- if .Values.backupRestoreTls }}
+        - name: ca-etcdbr-server
+          mountPath: /var/etcdbr/tls/ca
 {{- end }}
       - name: backup-restore
         command:
@@ -94,7 +103,7 @@ spec:
 {{- if .Values.backup.etcdQuotaBytes }}
         - --embedded-etcd-quota-bytes={{ int $.Values.backup.etcdQuotaBytes }}
 {{- end }}
-{{- if .Values.tls }}
+{{- if .Values.etcdTls }}
         - --cert=/var/etcd/ssl/tls/tls.crt
         - --key=/var/etcd/ssl/tls/tls.key
         - --cacert=/var/etcd/ssl/ca/ca.crt
@@ -112,7 +121,12 @@ spec:
 {{- if and .Values.etcdAuth.username .Values.etcdAuth.password }}
         - --etcd-username={{ .Values.etcdAuth.username }}
         - --etcd-password={{ .Values.etcdAuth.password }}
-{{- end }}           
+{{- end }}
+{{- if .Values.backupRestoreTls }}
+        - --enable-tls
+        - --server-tls-cert=/var/etcdbr/tls/server/tls.crt
+        - --server-tls-key=/var/etcdbr/tls/server/tls.key
+{{- end }}
         image: {{ .Values.images.etcdBackupRestore.repository }}:{{ .Values.images.etcdBackupRestore.tag }}
         imagePullPolicy: {{ .Values.images.etcdBackupRestore.pullPolicy }}
         ports:
@@ -202,12 +216,18 @@ spec:
           mountPath: /var/etcd/data/
         - name: etcd-config-file
           mountPath: /var/etcd/config/
-{{- if .Values.tls }}
+{{- if .Values.etcdTls }}
         - name: ca-etcd
           mountPath: /var/etcd/ssl/ca
         - name: etcd-tls
           mountPath: /var/etcd/ssl/tls
 {{- end }}
+{{- if .Values.backupRestoreTls }}
+        - name: ca-etcdbr-server
+          mountPath: /var/etcdbr/tls/ca
+        - name: etcdbr-server-tls
+          mountPath: /var/etcdbr/tls/server
+{{- end }}
 {{- if eq .Values.backup.storageProvider "GCS" }}
         - name: etcd-backup
           mountPath: "/root/.gcp/"
@@ -227,14 +247,22 @@ spec:
           items:
           - key: etcd.conf.yaml
             path: etcd.conf.yaml
-{{- if .Values.tls }}
+{{- if .Values.etcdTls }}
       - name: etcd-tls
         secret:
           secretName: {{ .Release.Name }}-etcd-tls
       - name: ca-etcd
         secret:
           secretName: {{ .Release.Name }}-etcd-ca
 {{- end }}
+{{- if .Values.backupRestoreTls }}
+      - name: etcdbr-server-tls
+        secret:
+          secretName: {{ .Release.Name }}-etcdbr-server-tls
+      - name: ca-etcdbr-server
+        secret:
+          secretName: {{ .Release.Name }}-etcdbr-server-ca
+{{- end }}
 {{- if and .Values.backup.storageProvider (not (eq .Values.backup.storageProvider "Local")) }}
       - name: etcd-backup
         secret:

diff --git a/chart/etcd-backup-restore/templates/etcd-tls-secret.yaml b/chart/etcd-backup-restore/templates/etcd-tls-secret.yaml
@@ -1,4 +1,4 @@
-{{- if .Values.tls }}
+{{- if .Values.etcdTls }}
 apiVersion: v1
 kind: Secret
 metadata:
@@ -10,6 +10,6 @@ metadata:
     app.kubernetes.io/instance: {{ .Release.Name }}
 type: kubernetes.io/tls
 data:
-  tls.crt: {{ .Values.tls.crt | b64enc }}
-  tls.key: {{ .Values.tls.key | b64enc }}
+  tls.crt: {{ .Values.etcdTls.crt | b64enc }}
+  tls.key: {{ .Values.etcdTls.key | b64enc }}
 {{- end }}
diff --git a/chart/etcd-backup-restore/templates/etcdbr-server-ca-secret.yaml b/chart/etcd-backup-restore/templates/etcdbr-server-ca-secret.yaml
@@ -0,0 +1,14 @@
+{{- if .Values.backupRestoreTls }}
+apiVersion: v1
+kind: Secret
+metadata:
+  name: {{ .Release.Name }}-etcdbr-server-ca
+  namespace: {{ .Release.Namespace }}
+  labels:
+    app.kubernetes.io/name: etcd
+    app.kubernetes.io/managed-by: {{ .Release.Service }}
+    app.kubernetes.io/instance: {{ .Release.Name }}
+type: Opaque
+data:
+  ca.crt: {{ .Values.backupRestoreTls.caBundle | b64enc }}
+{{- end }}
diff --git a/chart/etcd-backup-restore/templates/etcdbr-server-tls-secret.yaml b/chart/etcd-backup-restore/templates/etcdbr-server-tls-secret.yaml
@@ -0,0 +1,15 @@
+{{- if .Values.backupRestoreTls }}
+apiVersion: v1
+kind: Secret
+metadata:
+  name: {{ .Release.Name }}-etcdbr-server-tls
+  namespace: {{ .Release.Namespace }}
+  labels:
+    app.kubernetes.io/name: etcd
+    app.kubernetes.io/managed-by: {{ .Release.Service }}
+    app.kubernetes.io/instance: {{ .Release.Name }}
+type: kubernetes.io/tls
+data:
+  tls.crt: {{ .Values.backupRestoreTls.serverCrt | b64enc }}
+  tls.key: {{ .Values.backupRestoreTls.serverKey | b64enc }}
+{{- end }}
diff --git a/chart/etcd-backup-restore/values.yaml b/chart/etcd-backup-restore/values.yaml
@@ -2,12 +2,12 @@ images:
   # etcd image to use
   etcd:
     repository: quay.io/coreos/etcd
-    tag: v3.3.12
+    tag: v3.3.13
     pullPolicy: IfNotPresent
   # etcd-backup-restore image to use
   etcdBackupRestore:
-    repository: eu.gcr.io/gardener-project/gardener/etcdbrctl
-    tag: 0.7.0
+    repository:  eu.gcr.io/gardener-project/gardener/etcdbrctl
+    tag: 0.7.2
     pullPolicy: IfNotPresent
 
 resources:
@@ -32,11 +32,10 @@ servicePorts:
   backupRestore: 8080
 
 etcdAuth: {}
-   #username: username
-   #password: password
+  # username: username
+  # password: password
 
 backup:
-
   # schedule is cron standard schedule to take full snapshots.
   schedule: "0 */1 * * *"
 
@@ -90,23 +89,37 @@ backup:
   #   accessKeySecret: secret-access-key-with-object-storage-privileges
   #   accessKeyID: access-key-id-with-object-storage-privileges
 
-metrics: basic
-
-# tls field contains the pre-created secrets for etcd. Uncomment the
-# whole tls section if you dont want to use tls for the etcd.
-tls: {}
+# etcdTls field contains the pre-created secrets for etcd. Comment this
+# whole section if you dont want to use tls for the etcd.
+etcdTls: {}
   # caBundle: |
-      #   -----BEGIN CERTIFICATE-----
-      #   ...
-      #   -----END CERTIFICATE-----
+  #       -----BEGIN CERTIFICATE-----
+  #       ...
+  #       -----END CERTIFICATE-----
   # crt: |
-      #     -----BEGIN CERTIFICATE-----
-      #     ...
-      #     -----END CERTIFICATE-----
+  #       -----BEGIN CERTIFICATE-----
+  #       ...
+  #       -----END CERTIFICATE-----
   # key: |
-      #     -----BEGIN RSA PRIVATE KEY-----
-      #     ...
-      #     -----END RSA PRIVATE KEY-----
+  #       -----BEGIN RSA PRIVATE KEY-----
+  #       ...
+  #       -----END RSA PRIVATE KEY-----
 
-# podAnnotations will be placed to the resulting etcd pod
+# backupRestoreTls field contains the pre-created secrets for backup-restore sidecar.
+# Comment this whole section if you dont want to use tls for the backup-restore sidecar.
+backupRestoreTls: {}
+  # caBundle: |
+  #       -----BEGIN CERTIFICATE-----
+  #       ...
+  #       -----END CERTIFICATE-----
+  # serverCrt: |
+  #       -----BEGIN CERTIFICATE-----
+  #       ...
+  #       -----END CERTIFICATE-----
+  # serverKey: |
+  #       -----BEGIN RSA PRIVATE KEY-----
+  #       ...
+  #       -----END RSA PRIVATE KEY-----
+
+# podAnnotations that will be passed to the resulting etcd pod
 podAnnotations: {}