
Commit be3d8d2

Cecile Robert-Michonjackfrancis
Cecile Robert-Michon
authored and committed
Keyvault etcd certs (#2155)
* Use single values for etcdpeer key params * fixed param logic and added logic to vars * remove unused code * only add master certs/keys to params and vars if master is not hosted * move apiserver cert * add master profile != nil check * undo move api server key
1 parent 52d568a commit be3d8d2


3 files changed

+129
-48
lines changed


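--- a/parts/k8s/kubernetesmastervars.t
+++ b/parts/k8s/kubernetesmastervars.t
@@ -5,13 +5,46 @@
 "apiServerCertificate": "[parameters('apiServerCertificate')]",
 {{ if not IsHostedMaster }}
 "apiServerPrivateKey": "[parameters('apiServerPrivateKey')]",
-{{end}}
 "etcdServerCertificate": "[parameters('etcdServerCertificate')]",
 "etcdServerPrivateKey": "[parameters('etcdServerPrivateKey')]",
 "etcdClientPrivateKey": "[parameters('etcdClientPrivateKey')]",
 "etcdClientCertificate": "[parameters('etcdClientCertificate')]",
-"etcdPeerPrivateKeys": "[parameters('etcdPeerPrivateKeys')]",
-"etcdPeerCertificates": "[parameters('etcdPeerCertificates')]",
+{{if eq .MasterProfile.Count 1}}
+"etcdPeerPrivateKeys": [
+"[parameters('etcdPeerPrivateKey0')]"
+],
+"etcdPeerCertificates": [
+"[parameters('etcdPeerCertificate0')]"
+],
+{{end}}
+{{if eq .MasterProfile.Count 3}}
+"etcdPeerPrivateKeys": [
+"[parameters('etcdPeerPrivateKey0')]",
+"[parameters('etcdPeerPrivateKey1')]",
+"[parameters('etcdPeerPrivateKey2')]"
+],
+"etcdPeerCertificates": [
+"[parameters('etcdPeerCertificate0')]",
+"[parameters('etcdPeerCertificate1')]",
+"[parameters('etcdPeerCertificate2')]"
+],
+{{end}}
+{{if eq .MasterProfile.Count 5}}
+"etcdPeerPrivateKeys": [
+"[parameters('etcdPeerPrivateKey0')]",
+"[parameters('etcdPeerPrivateKey1')]",
+"[parameters('etcdPeerPrivateKey2')]",
+"[parameters('etcdPeerPrivateKey3')]",
+"[parameters('etcdPeerPrivateKey4')]"
+],
+"etcdPeerCertificates": [
+"[parameters('etcdPeerCertificate0')]",
+"[parameters('etcdPeerCertificate1')]",
+"[parameters('etcdPeerCertificate2')]",
+"[parameters('etcdPeerCertificate3')]",
+"[parameters('etcdPeerCertificate4')]"
+],
+{{end}}
 "etcdPeerCertFilepath":[
 "/etc/kubernetes/certs/etcdpeer0.crt",
 "/etc/kubernetes/certs/etcdpeer1.crt",
@@ -31,6 +64,7 @@
 "etcdClientKeyFilepath": "/etc/kubernetes/certs/etcdclient.key",
 "etcdServerCertFilepath": "/etc/kubernetes/certs/etcdserver.crt",
 "etcdServerKeyFilepath": "/etc/kubernetes/certs/etcdserver.key",
+{{end}}
 "caCertificate": "[parameters('caCertificate')]",
 "caPrivateKey": "[parameters('caPrivateKey')]",
 "clientCertificate": "[parameters('clientCertificate')]",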
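Review bot: The peer-key and peer-certificate arrays in the first hunk are emitted only when `.MasterProfile.Count` equals exactly 1, 3 or 5, while the matching parameter declarations in parts/k8s/kubernetesparams.t are gated with `ge` thresholds; for any other master count that reaches this template no `etcdPeerPrivateKeys`/`etcdPeerCertificates` variable is defined at all and the deployment fails at ARM validation rather than at generation. Whether other counts are rejected earlier is not visible in this commit; if they are, a template comment above the first branch would spare the next reader the search, e.g. `{{/* MasterProfile.Count is restricted to 1, 3 or 5; each branch lists exactly Count peer entries */}}`. A single branch whose array grows with `ge` thresholds, as the params file already does, would also remove the three near-duplicate blocks and keep the two templates from drifting apart.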
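--- a/parts/k8s/kubernetesparams.t
+++ b/parts/k8s/kubernetesparams.t
@@ -14,18 +14,14 @@
 "type": "string"
 },
 {{end}}
-"apiServerCertificate": {
+{{if IsHostedMaster}}
+"kubernetesEndpoint": {
 "metadata": {
-"description": "The base 64 server certificate used on the master"
+"description": "The Kubernetes API endpoint https://<kubernetesEndpoint>:443"
 },
 "type": "string"
 },
-"apiServerPrivateKey": {
-"metadata": {
-"description": "The base 64 server private key used on the master."
-},
-"type": "securestring"
-},
+{{else}}
 "etcdServerCertificate": {
 "metadata": {
 "description": "The base 64 server certificate used on the master"
@@ -50,17 +46,82 @@
 },
 "type": "securestring"
 },
-"etcdPeerCertificates": {
+"etcdPeerCertificate0": {
 "metadata": {
 "description": "The base 64 server certificates used on the master"
 },
-"type": "array"
-},
-"etcdPeerPrivateKeys": {
+"type": "string"
+},
+"etcdPeerPrivateKey0": {
 "metadata": {
 "description": "The base 64 server private keys used on the master."
 },
-"type": "array"
+"type": "securestring"
+},
+{{if ge .MasterProfile.Count 3}}
+"etcdPeerCertificate1": {
+"metadata": {
+"description": "The base 64 server certificates used on the master"
+},
+"type": "string"
+},
+"etcdPeerCertificate2": {
+"metadata": {
+"description": "The base 64 server certificates used on the master"
+},
+"type": "string"
+},
+"etcdPeerPrivateKey1": {
+"metadata": {
+"description": "The base 64 server private keys used on the master."
+},
+"type": "securestring"
+},
+"etcdPeerPrivateKey2": {
+"metadata": {
+"description": "The base 64 server private keys used on the master."
+},
+"type": "securestring"
+},
+{{if ge .MasterProfile.Count 5}}
+"etcdPeerCertificate3": {
+"metadata": {
+"description": "The base 64 server certificates used on the master"
+},
+"type": "string"
+},
+"etcdPeerCertificate4": {
+"metadata": {
+"description": "The base 64 server certificates used on the master"
+},
+"type": "string"
+},
+"etcdPeerPrivateKey3": {
+"metadata": {
+"description": "The base 64 server private keys used on the master."
+},
+"type": "securestring"
+},
+"etcdPeerPrivateKey4": {
+"metadata": {
+"description": "The base 64 server private keys used on the master."
+},
+"type": "securestring"
+},
+{{end}}
+{{end}}
+{{end}}
+"apiServerCertificate": {
+"metadata": {
+"description": "The base 64 server certificate used on the master"
+},
+"type": "string"
+},
+"apiServerPrivateKey": {
+"metadata": {
+"description": "The base 64 server private key used on the master."
+},
+"type": "securestring"
 },
 "caCertificate": {
 "metadata": {
@@ -75,14 +136,6 @@
 },
 "type": "securestring"
 },
-{{if IsHostedMaster}}
-"kubernetesEndpoint": {
-"metadata": {
-"description": "The Kubernetes API endpoint https://<kubernetesEndpoint>:443"
-},
-"type": "string"
-},
-{{end}}
 "clientCertificate": {
 "metadata": {
 "description": "The base 64 client certificate used to communicate with the master"
</@@ -75,14 +136,6 @@>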
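Review bot: In the second hunk the ten new per-index parameters `etcdPeerCertificate0`..`4` / `etcdPeerPrivateKey0`..`4` keep the plural descriptions copied from the removed array parameters ("server certificates", "server private keys"), so the metadata no longer describes the value; each entry should name its peer, e.g. `"description": "The base 64 etcd peer certificate for master 0"` and `"description": "The base 64 etcd peer private key for master 0."`. The same hunk also moves `apiServerPrivateKey` outside the `{{if IsHostedMaster}}`/`{{else}}` split, so it is declared, with no defaultValue, in hosted-master deployments where parts/k8s/kubernetesmastervars.t never references it; that is only safe if getParameters always supplies a value for it, which this commit does not show. The `securestring` type on every new private-key parameter is the right choice and is kept consistent with the old array declarations.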
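--- a/pkg/acsengine/engine.go
+++ b/pkg/acsengine/engine.go
@@ -114,6 +114,12 @@ var swarmModeTemplateFiles = []string{swarmBaseFile, swarmParams, swarmAgentReso
 - kubeConfigCertificate
 - kubeConfigPrivateKey
 - servicePrincipalClientSecret
+- etcdClientCertificate
+- etcdClientPrivateKey
+- etcdServerCertificate
+- etcdServerPrivateKey
+- etcdPeerCertificates
+- etcdPeerPrivateKeys
 
 To refer to a keyvault secret, the value of the parameter in the api model file should be formatted as:
 
@@ -502,12 +508,18 @@ func getParameters(cs *api.ContainerService, isClassicMode bool, generatorCode s
 addSecret(parametersMap, "clientPrivateKey", properties.CertificateProfile.ClientPrivateKey, true)
 addSecret(parametersMap, "kubeConfigCertificate", properties.CertificateProfile.KubeConfigCertificate, true)
 addSecret(parametersMap, "kubeConfigPrivateKey", properties.CertificateProfile.KubeConfigPrivateKey, true)
-addSecret(parametersMap, "etcdServerCertificate", properties.CertificateProfile.EtcdServerCertificate, true)
-addSecret(parametersMap, "etcdServerPrivateKey", properties.CertificateProfile.EtcdServerPrivateKey, true)
-addSecret(parametersMap, "etcdClientCertificate", properties.CertificateProfile.EtcdClientCertificate, true)
-addSecret(parametersMap, "etcdClientPrivateKey", properties.CertificateProfile.EtcdClientPrivateKey, true)
-addArraySecret(parametersMap, "etcdPeerCertificates", properties.CertificateProfile.EtcdPeerCertificates, true)
-addArraySecret(parametersMap, "etcdPeerPrivateKeys", properties.CertificateProfile.EtcdPeerPrivateKeys, true)
+if properties.MasterProfile != nil {
+addSecret(parametersMap, "etcdServerCertificate", properties.CertificateProfile.EtcdServerCertificate, true)
+addSecret(parametersMap, "etcdServerPrivateKey", properties.CertificateProfile.EtcdServerPrivateKey, true)
+addSecret(parametersMap, "etcdClientCertificate", properties.CertificateProfile.EtcdClientCertificate, true)
+addSecret(parametersMap, "etcdClientPrivateKey", properties.CertificateProfile.EtcdClientPrivateKey, true)
+for i, pc := range properties.CertificateProfile.EtcdPeerCertificates {
+addSecret(parametersMap, "etcdPeerCertificate"+strconv.Itoa(i), pc, true)
+}
+for i, pk := range properties.CertificateProfile.EtcdPeerPrivateKeys {
+addSecret(parametersMap, "etcdPeerPrivateKey"+strconv.Itoa(i), pk, true)
+}
+}
 }
 
 if properties.HostedMasterProfile != nil && properties.HostedMasterProfile.FQDN != "" {
@@ -773,24 +785,6 @@ func addSecret(m paramsMap, k string, v interface{}, encode bool) {
 addKeyvaultReference(m, k, parts[1], parts[2], parts[4])
 }
 
-func addArraySecret(m paramsMap, k string, v interface{}, encode bool) {
-arr, ok := v.([]string)
-if !ok {
-addValue(m, k, v)
-return
-}
-values := make([]string, len(arr))
-for i := 0; i < len(arr); i++ {
-if encode {
-values[i] = base64.StdEncoding.EncodeToString([]byte(arr[i]))
-} else {
-values[i] = arr[i]
-}
-
-}
-addValue(m, k, values)
-}
-
 // getStorageAccountType returns the support managed disk storage tier for a give VM size
 func getStorageAccountType(sizeName string) (string, error) {
 spl := strings.Split(sizeName, "_")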
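Review bot: The two new `for i, pc := range` / `for i, pk := range` loops in the getParameters hunk emit one `etcdPeerCertificate<i>` / `etcdPeerPrivateKey<i>` parameter per slice element, but the template only declares indices 0..4 and gates them on `MasterProfile.Count`; a CertificateProfile whose slices are longer than Count produces parameters the template does not declare, and shorter slices leave declared parameters unset, and both are only detected at ARM deployment time instead of at generation. Unless validation elsewhere (not visible in this commit) pins both slice lengths to `MasterProfile.Count`, a check that `len(properties.CertificateProfile.EtcdPeerCertificates)` and `len(properties.CertificateProfile.EtcdPeerPrivateKeys)` both equal `properties.MasterProfile.Count`, reported as a generation error before the loops, would surface the mismatch where it is cheap to fix. A one-line comment above the loops, `// one parameter per peer; indices must match the N gated on MasterProfile.Count in kubernetesparams.t`, would also document the coupling with the template. The enclosing getParameters function starts and ends outside this hunk.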