

Merge pull request #196 from shreyas-s-rao/add-tls-support
Add TLS support for backup-restore server
Swapnil Mhamane authored Oct 22, 2019
2 parents d183b99 + 9df523c commit dd26b65
Showing 12 changed files with 361 additions and 71 deletions.
1 change: 1 addition & 0 deletions README.md
Expand Up @@ -13,6 +13,7 @@ Etcd-backup-restore is collection of components to backup and restore the [etcd]
* [Getting started](doc/usage/getting_started.md)
* [Manual restoration](doc/usage/manual_restoration.md)
* [Monitoring](doc/usage/metrics.md)
* [Generating SSL certificates](doc/usage/generating_ssl_certificates.md)

### Design and Proposals

19 changes: 13 additions & 6 deletions chart/etcd-backup-restore/templates/etcd-bootstrap-configmap.yaml
Expand Up @@ -13,6 +13,13 @@ data:
#!/bin/sh
VALIDATION_MARKER=/var/etcd/data/validation_marker
{{- if .Values.backupRestoreTLS }}
# install wget from apk in order to pass --ca-certificate flag because
# busybox wget only has bare minimum features, without --ca-certificate option
apk update
apk add wget
{{- end }}

trap_and_propagate() {
PID=$1
shift
Expand All @@ -35,11 +42,11 @@ data:
check_and_start_etcd(){
while true;
do
wget "http://localhost:{{ .Values.servicePorts.backupRestore }}/initialization/status" -S -O status;
wget {{ if .Values.backupRestoreTLS }}--ca-certificate=/var/etcdbr/ssl/ca/ca.crt "https{{ else }}"http{{ end }}://localhost:{{ .Values.servicePorts.backupRestore }}/initialization/status" -S -O status;
STATUS=`cat status`;
case $STATUS in
"New")
wget "http://localhost:{{ .Values.servicePorts.backupRestore }}/initialization/start?mode=$1{{- if .Values.backup.failBelowRevision }}&failbelowrevision={{ int $.Values.backup.failBelowRevision }}{{- end }}" -S -O - ;;
wget {{ if .Values.backupRestoreTLS }}--ca-certificate=/var/etcdbr/ssl/ca/ca.crt "https{{ else }}"http{{ end }}://localhost:{{ .Values.servicePorts.backupRestore }}/initialization/start?mode=$1{{- if .Values.backup.failBelowRevision }}&failbelowrevision={{ int $.Values.backup.failBelowRevision }}{{- end }}" -S -O - ;;
"Progress")
sleep 1;
continue;;
Expand Down Expand Up @@ -83,7 +90,7 @@ data:
data-dir: /var/etcd/data/new.etcd
# metrics configuration
metrics: {{ .Values.metrics }}
metrics: basic
# Number of committed transactions to trigger a snapshot to disk.
snapshot-count: 75000
Expand All @@ -95,19 +102,19 @@ data:
{{- end }}
# List of comma separated URLs to listen on for client traffic.
listen-client-urls: {{ if .Values.tls }}https{{ else }}http{{ end }}://0.0.0.0:{{ .Values.servicePorts.client }}
listen-client-urls: {{ if .Values.etcdTLS }}https{{ else }}http{{ end }}://0.0.0.0:{{ .Values.servicePorts.client }}
# List of this member's client URLs to advertise to the public.
# The URLs needed to be a comma-separated list.
advertise-client-urls: {{ if .Values.tls }}https{{ else }}http{{ end }}://0.0.0.0:{{ .Values.servicePorts.client }}
advertise-client-urls: {{ if .Values.etcdTLS }}https{{ else }}http{{ end }}://0.0.0.0:{{ .Values.servicePorts.client }}
# Initial cluster token for the etcd cluster during bootstrap.
initial-cluster-token: 'new'
# Initial cluster state ('new' or 'existing').
initial-cluster-state: 'new'
{{- if .Values.tls }}
{{- if .Values.etcdTLS }}
client-transport-security:
# Path to the client server TLS cert file.
cert-file: /var/etcd/ssl/tls/tls.crt
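Review bot: The `apk update` / `apk add wget` added at the top of bootstrap.sh is unchecked: with no `set -e` visible at the head of the script, a failed package install (no egress from the pod at start-up, registry unavailable) lets the script continue, the busybox `wget` at the two call sites in check_and_start_etcd then rejects `--ca-certificate` (the new comment itself says busybox lacks that option), and the `while true` loop spins on an empty status file with nothing in the log saying why. Fail fast instead, e.g. `apk add --no-cache wget || { echo "failed to install wget needed for TLS"; exit 1; }`, and consider shipping a full wget (or curl) in the etcd image so bootstrap does not depend on a package fetch from inside the pod. Because the fetched CA only verifies the server, the backup-restore certificate must carry `localhost` as a SAN for the `https://localhost:...` URLs to verify — presumably covered by the new generating_ssl_certificates doc, but worth a one-line comment next to the wget calls. Separately, the third hunk replaces `metrics: {{ .Values.metrics }}` with a hard-coded `metrics: basic`, dropping a values-level knob; if intentional, say so in a comment.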
6 changes: 3 additions & 3 deletions chart/etcd-backup-restore/templates/etcd-ca-secret.yaml
@@ -1,5 +1,6 @@
{{- if .Values.tls }}
{{- if .Values.etcdTLS }}
apiVersion: v1
kind: Secret
metadata:
name: {{ .Release.Name }}-etcd-ca
namespace: {{ .Release.Namespace }}
Expand All @@ -9,6 +10,5 @@ metadata:
app.kubernetes.io/instance: {{ .Release.Name }}
type: Opaque
data:
ca.crt: {{ .Values.tls.caBundle | b64enc }}
kind: Secret
ca.crt: {{ .Values.etcdTLS.caBundle | b64enc }}
{{- end }}
41 changes: 34 additions & 7 deletions chart/etcd-backup-restore/templates/etcd-statefulset.yaml
Expand Up @@ -35,6 +35,9 @@ spec:
- /var/etcd/bin/bootstrap.sh
readinessProbe:
httpGet:
{{- if .Values.backupRestoreTLS }}
scheme: HTTPS
{{- end }}
path: /healthz
port: {{ .Values.servicePorts.backupRestore }}
initialDelaySeconds: 5
Expand All @@ -46,10 +49,12 @@ spec:
- -ec
- ETCDCTL_API=3
- etcdctl
{{ if .Values.etcdTLS }}
- --cert=/var/etcd/ssl/tls/tls.crt
- --key=/var/etcd/ssl/tls/tls.key
- --cacert=/var/etcd/ssl/ca/ca.crt
- --endpoints={{ if .Values.tls }}https{{ else }}http{{ end }}://{{ .Release.Name }}-etcd-0:{{ .Values.servicePorts.client }}
{{ end }}
- --endpoints={{ if .Values.etcdTLS }}https{{ else }}http{{ end }}://{{ .Release.Name }}-etcd-0:{{ .Values.servicePorts.client }}
{{- if and .Values.etcdAuth.username .Values.etcdAuth.password }}
- --user={{ .Values.etcdAuth.username }}:{{ .Values.etcdAuth.password }}
{{- end }}
Expand All @@ -73,11 +78,15 @@ spec:
mountPath: /var/etcd/bin/
- name: etcd-config-file
mountPath: /var/etcd/config/
{{- if .Values.tls }}
{{- if .Values.etcdTLS }}
- name: ca-etcd
mountPath: /var/etcd/ssl/ca
- name: etcd-tls
mountPath: /var/etcd/ssl/tls
{{- end }}
{{- if .Values.backupRestoreTLS }}
- name: ca-etcdbr
mountPath: /var/etcdbr/ssl/ca
{{- end }}
- name: backup-restore
command:
Expand All @@ -94,7 +103,7 @@ spec:
{{- if .Values.backup.etcdQuotaBytes }}
- --embedded-etcd-quota-bytes={{ int $.Values.backup.etcdQuotaBytes }}
{{- end }}
{{- if .Values.tls }}
{{- if .Values.etcdTLS }}
- --cert=/var/etcd/ssl/tls/tls.crt
- --key=/var/etcd/ssl/tls/tls.key
- --cacert=/var/etcd/ssl/ca/ca.crt
Expand All @@ -115,6 +124,10 @@ spec:
{{- if and .Values.etcdAuth.username .Values.etcdAuth.password }}
- --etcd-username={{ .Values.etcdAuth.username }}
- --etcd-password={{ .Values.etcdAuth.password }}
{{- end }}
{{- if .Values.backupRestoreTLS }}
- --server-cert=/var/etcdbr/ssl/tls/tls.crt
- --server-key=/var/etcdbr/ssl/tls/tls.key
{{- end }}
image: {{ .Values.images.etcdBackupRestore.repository }}:{{ .Values.images.etcdBackupRestore.tag }}
imagePullPolicy: {{ .Values.images.etcdBackupRestore.pullPolicy }}
Expand Down Expand Up @@ -205,12 +218,18 @@ spec:
mountPath: /var/etcd/data/
- name: etcd-config-file
mountPath: /var/etcd/config/
{{- if .Values.tls }}
{{- if .Values.etcdTLS }}
- name: ca-etcd
mountPath: /var/etcd/ssl/ca
- name: etcd-tls
mountPath: /var/etcd/ssl/tls
{{- end }}
{{- if .Values.backupRestoreTLS }}
- name: ca-etcdbr
mountPath: /var/etcdbr/ssl/ca
- name: etcdbr-tls
mountPath: /var/etcdbr/ssl/tls
{{- end }}
{{- if eq .Values.backup.storageProvider "GCS" }}
- name: etcd-backup
mountPath: "/root/.gcp/"
Expand All @@ -230,13 +249,21 @@ spec:
items:
- key: etcd.conf.yaml
path: etcd.conf.yaml
{{- if .Values.tls }}
{{- if .Values.etcdTLS }}
- name: ca-etcd
secret:
secretName: {{ .Release.Name }}-etcd-ca
- name: etcd-tls
secret:
secretName: {{ .Release.Name }}-etcd-tls
- name: ca-etcd
{{- end }}
{{- if .Values.backupRestoreTLS }}
- name: ca-etcdbr
secret:
secretName: {{ .Release.Name }}-etcd-ca
secretName: {{ .Release.Name }}-etcdbr-ca
- name: etcdbr-tls
secret:
secretName: {{ .Release.Name }}-etcdbr-tls
{{- end }}
{{- if and .Values.backup.storageProvider (not (eq .Values.backup.storageProvider "Local")) }}
- name: etcd-backup
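Review bot: The new `{{ if .Values.etcdTLS }}` / `{{ end }}` wrapping the etcdctl `--cert`/`--key`/`--cacert` args in the second hunk omit the `-` whitespace trim that every other conditional in this file uses (`{{- if ... }}` / `{{- end }}`), so the rendered args list carries stray blank lines and the block reads as a different style; make them `{{- if .Values.etcdTLS }}` and `{{- end }}` for consistency. The `--server-cert`/`--server-key` flags added to the backup-restore container enable server-side TLS only: the bootstrap script verifies the server against the CA, but nothing in this hunk authenticates callers of the initialization endpoints, so a comment above those two flags stating that TLS here provides confidentiality and server identity, not client authorization, would set expectations for operators. The enclosing `spec` starts and ends outside every hunk.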
6 changes: 3 additions & 3 deletions chart/etcd-backup-restore/templates/etcd-tls-secret.yaml
@@ -1,4 +1,4 @@
{{- if .Values.tls }}
{{- if .Values.etcdTLS }}
apiVersion: v1
kind: Secret
metadata:
Expand All @@ -10,6 +10,6 @@ metadata:
app.kubernetes.io/instance: {{ .Release.Name }}
type: kubernetes.io/tls
data:
tls.crt: {{ .Values.tls.crt | b64enc }}
tls.key: {{ .Values.tls.key | b64enc }}
tls.crt: {{ .Values.etcdTLS.crt | b64enc }}
tls.key: {{ .Values.etcdTLS.key | b64enc }}
{{- end }}
14 changes: 14 additions & 0 deletions chart/etcd-backup-restore/templates/etcdbr-ca-secret.yaml
@@ -0,0 +1,14 @@
{{- if .Values.backupRestoreTLS }}
apiVersion: v1
kind: Secret
metadata:
name: {{ .Release.Name }}-etcdbr-ca
namespace: {{ .Release.Namespace }}
labels:
app.kubernetes.io/name: etcd
app.kubernetes.io/managed-by: {{ .Release.Service }}
app.kubernetes.io/instance: {{ .Release.Name }}
type: Opaque
data:
ca.crt: {{ .Values.backupRestoreTLS.caBundle | b64enc }}
{{- end }}
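Review bot: `ca.crt: {{ .Values.backupRestoreTLS.caBundle | b64enc }}` renders an empty value when `backupRestoreTLS` is set but `caBundle` is left out, because `b64enc` of a missing key yields `""`; the Secret is then created with an empty `ca.crt`, the bootstrap wget's `--ca-certificate` points at an empty file, and verification fails at pod start instead of at install time. Guard it with `required`, e.g. `ca.crt: {{ required "backupRestoreTLS.caBundle is required when backupRestoreTLS is set" .Values.backupRestoreTLS.caBundle | b64enc }}`. The same applies to `crt`/`key` in etcdbr-tls-secret.yaml and to `etcdTLS.caBundle` in etcd-ca-secret.yaml.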
15 changes: 15 additions & 0 deletions chart/etcd-backup-restore/templates/etcdbr-tls-secret.yaml
@@ -0,0 +1,15 @@
{{- if .Values.backupRestoreTLS }}
apiVersion: v1
kind: Secret
metadata:
name: {{ .Release.Name }}-etcdbr-tls
namespace: {{ .Release.Namespace }}
labels:
app.kubernetes.io/name: etcd
app.kubernetes.io/managed-by: {{ .Release.Service }}
app.kubernetes.io/instance: {{ .Release.Name }}
type: kubernetes.io/tls
data:
tls.crt: {{ .Values.backupRestoreTLS.crt | b64enc }}
tls.key: {{ .Values.backupRestoreTLS.key | b64enc }}
{{- end }}
66 changes: 40 additions & 26 deletions chart/etcd-backup-restore/values.yaml
Expand Up @@ -2,12 +2,12 @@ images:
# etcd image to use
etcd:
repository: quay.io/coreos/etcd
tag: v3.3.12
tag: v3.3.13
pullPolicy: IfNotPresent
# etcd-backup-restore image to use
etcdBackupRestore:
repository: eu.gcr.io/gardener-project/gardener/etcdbrctl
tag: 0.7.0
tag: 0.8.0
pullPolicy: IfNotPresent

resources:
Expand All @@ -31,12 +31,7 @@ servicePorts:
server: 2380
backupRestore: 8080

etcdAuth: {}
#username: username
#password: password

backup:

# schedule is cron standard schedule to take full snapshots.
schedule: "0 */1 * * *"

Expand Down Expand Up @@ -90,23 +85,42 @@ backup:
# accessKeySecret: secret-access-key-with-object-storage-privileges
# accessKeyID: access-key-id-with-object-storage-privileges

metrics: basic

# tls field contains the pre-created secrets for etcd. Uncomment the
# whole tls section if you dont want to use tls for the etcd.
tls: {}
# caBundle: |
# -----BEGIN CERTIFICATE-----
# ...
# -----END CERTIFICATE-----
# crt: |
# -----BEGIN CERTIFICATE-----
# ...
# -----END CERTIFICATE-----
# key: |
# -----BEGIN RSA PRIVATE KEY-----
# ...
# -----END RSA PRIVATE KEY-----

# podAnnotations will be placed to the resulting etcd pod
# etcdAuth field contains the pre-created username-password pair
# for etcd. Comment this whole section if you dont want to use
# password-based authentication for the etcd.
etcdAuth: {}
# username: username
# password: password

etcdTLS: {}
# caBundle: |
# -----BEGIN CERTIFICATE-----
# ...
# -----END CERTIFICATE-----
# crt: |
# -----BEGIN CERTIFICATE-----
# ...
# -----END CERTIFICATE-----
# key: |
# -----BEGIN RSA PRIVATE KEY-----
# ...
# -----END RSA PRIVATE KEY-----

# backupRestoreTLS field contains the pre-created secrets for backup-restore server.
# Comment this whole section if you dont want to use tls for the backup-restore server.
backupRestoreTLS: {}
# caBundle: |
# -----BEGIN CERTIFICATE-----
# ...
# -----END CERTIFICATE-----
# crt: |
# -----BEGIN CERTIFICATE-----
# ...
# -----END CERTIFICATE-----
# key: |
# -----BEGIN RSA PRIVATE KEY-----
# ...
# -----END RSA PRIVATE KEY-----

# podAnnotations that will be passed to the resulting etcd pod
podAnnotations: {}
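Review bot: The comment on `backupRestoreTLS` says to "Comment this whole section" to disable TLS, but the templates gate on `{{- if .Values.backupRestoreTLS }}` and an empty map is falsy in Go templates, so TLS is already off with the default `backupRestoreTLS: {}` and is turned on by supplying `caBundle`, `crt` and `key`; the wording carries over from the old `tls` comment, which was equally misleading. Suggested replacement: `# backupRestoreTLS holds the CA bundle, server certificate and key for the backup-restore server. Leave it as {} to serve plain HTTP; set all three fields to enable TLS.` The renamed `etcdTLS` block has no comment at all; the same sentence adapted for etcd would do. Key material placed in this file is stored with the Helm release values in the cluster, which merits a one-line note next to the `key:` example.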
