Create controller CA ConfigMap in the controller deployement Namespace
Stop using the fixed "kube-system" Namespace for the CA ConfigMap.
Also update the deployment YAML and docs/securing-control-plane.md
descriptions of the CA ConfigMap and TLS Secret Namespace.

Fixes: antrea-io#876
jianjuns committed Jun 28, 2020
1 parent 9d42485 commit 4c3df0e
Showing 14 changed files with 133 additions and 74 deletions.
10 changes: 6 additions & 4 deletions build/yamls/antrea-eks.yml
Expand Up @@ -428,17 +428,19 @@ data:
#enablePrometheusMetrics: false
# Indicates whether to use auto-generated self-signed TLS certificate.
# If false, A secret named "kube-system/antrea-controller-tls" must be provided with the following keys:
# If false, A Secret named "antrea-controller-tls" must be provided with the following keys:
# ca.crt: <CA certificate>
# tls.crt: <TLS certificate>
# tls.key: <TLS private key>
# And the Secret must be mounted to directory "/var/run/antrea/antrea-controller-tls" of the
# antrea-controller container.
#selfSignedCert: true
kind: ConfigMap
metadata:
annotations: {}
labels:
app: antrea
name: antrea-config-fktddbgbt9
name: antrea-config-6kd8dg2mdc
namespace: kube-system
---
apiVersion: v1
Expand Down Expand Up @@ -543,7 +545,7 @@ spec:
key: node-role.kubernetes.io/master
volumes:
- configMap:
name: antrea-config-fktddbgbt9
name: antrea-config-6kd8dg2mdc
name: antrea-config
- name: antrea-controller-tls
secret:
Expand Down Expand Up @@ -757,7 +759,7 @@ spec:
operator: Exists
volumes:
- configMap:
name: antrea-config-fktddbgbt9
name: antrea-config-6kd8dg2mdc
name: antrea-config
- hostPath:
path: /etc/cni/net.d
10 changes: 6 additions & 4 deletions build/yamls/antrea-gke.yml
Expand Up @@ -428,17 +428,19 @@ data:
#enablePrometheusMetrics: false
# Indicates whether to use auto-generated self-signed TLS certificate.
# If false, A secret named "kube-system/antrea-controller-tls" must be provided with the following keys:
# If false, A Secret named "antrea-controller-tls" must be provided with the following keys:
# ca.crt: <CA certificate>
# tls.crt: <TLS certificate>
# tls.key: <TLS private key>
# And the Secret must be mounted to directory "/var/run/antrea/antrea-controller-tls" of the
# antrea-controller container.
#selfSignedCert: true
kind: ConfigMap
metadata:
annotations: {}
labels:
app: antrea
name: antrea-config-9bkbtgd8tf
name: antrea-config-df75dft74m
namespace: kube-system
---
apiVersion: v1
Expand Down Expand Up @@ -543,7 +545,7 @@ spec:
key: node-role.kubernetes.io/master
volumes:
- configMap:
name: antrea-config-9bkbtgd8tf
name: antrea-config-df75dft74m
name: antrea-config
- name: antrea-controller-tls
secret:
Expand Down Expand Up @@ -755,7 +757,7 @@ spec:
operator: Exists
volumes:
- configMap:
name: antrea-config-9bkbtgd8tf
name: antrea-config-df75dft74m
name: antrea-config
- hostPath:
path: /etc/cni/net.d
10 changes: 6 additions & 4 deletions build/yamls/antrea-ipsec.yml
Expand Up @@ -428,17 +428,19 @@ data:
#enablePrometheusMetrics: false
# Indicates whether to use auto-generated self-signed TLS certificate.
# If false, A secret named "kube-system/antrea-controller-tls" must be provided with the following keys:
# If false, A Secret named "antrea-controller-tls" must be provided with the following keys:
# ca.crt: <CA certificate>
# tls.crt: <TLS certificate>
# tls.key: <TLS private key>
# And the Secret must be mounted to directory "/var/run/antrea/antrea-controller-tls" of the
# antrea-controller container.
#selfSignedCert: true
kind: ConfigMap
metadata:
annotations: {}
labels:
app: antrea
name: antrea-config-576575d7g8
name: antrea-config-6fg7ftb7c2
namespace: kube-system
---
apiVersion: v1
Expand Down Expand Up @@ -552,7 +554,7 @@ spec:
key: node-role.kubernetes.io/master
volumes:
- configMap:
name: antrea-config-576575d7g8
name: antrea-config-6fg7ftb7c2
name: antrea-config
- name: antrea-controller-tls
secret:
Expand Down Expand Up @@ -799,7 +801,7 @@ spec:
operator: Exists
volumes:
- configMap:
name: antrea-config-576575d7g8
name: antrea-config-6fg7ftb7c2
name: antrea-config
- hostPath:
path: /etc/cni/net.d
10 changes: 6 additions & 4 deletions build/yamls/antrea.yml
Expand Up @@ -428,17 +428,19 @@ data:
#enablePrometheusMetrics: false
# Indicates whether to use auto-generated self-signed TLS certificate.
# If false, A secret named "kube-system/antrea-controller-tls" must be provided with the following keys:
# If false, A Secret named "antrea-controller-tls" must be provided with the following keys:
# ca.crt: <CA certificate>
# tls.crt: <TLS certificate>
# tls.key: <TLS private key>
# And the Secret must be mounted to directory "/var/run/antrea/antrea-controller-tls" of the
# antrea-controller container.
#selfSignedCert: true
kind: ConfigMap
metadata:
annotations: {}
labels:
app: antrea
name: antrea-config-d4b44mm2k6
name: antrea-config-g9c588t985
namespace: kube-system
---
apiVersion: v1
Expand Down Expand Up @@ -543,7 +545,7 @@ spec:
key: node-role.kubernetes.io/master
volumes:
- configMap:
name: antrea-config-d4b44mm2k6
name: antrea-config-g9c588t985
name: antrea-config
- name: antrea-controller-tls
secret:
Expand Down Expand Up @@ -755,7 +757,7 @@ spec:
operator: Exists
volumes:
- configMap:
name: antrea-config-d4b44mm2k6
name: antrea-config-g9c588t985
name: antrea-config
- hostPath:
path: /etc/cni/net.d
4 changes: 3 additions & 1 deletion build/yamls/base/conf/antrea-controller.conf
Expand Up @@ -10,8 +10,10 @@
#enablePrometheusMetrics: false

# Indicates whether to use auto-generated self-signed TLS certificate.
# If false, A secret named "kube-system/antrea-controller-tls" must be provided with the following keys:
# If false, A Secret named "antrea-controller-tls" must be provided with the following keys:
# ca.crt: <CA certificate>
# tls.crt: <TLS certificate>
# tls.key: <TLS private key>
# And the Secret must be mounted to directory "/var/run/antrea/antrea-controller-tls" of the
# antrea-controller container.
#selfSignedCert: true
4 changes: 3 additions & 1 deletion cmd/antrea-controller/config.go
Expand Up @@ -31,10 +31,12 @@ type ControllerConfig struct {
// Defaults to false.
EnablePrometheusMetrics bool `yaml:"enablePrometheusMetrics,omitempty"`
// Indicates whether to use auto-generated self-signed TLS certificate.
// If false, A secret named "kube-system/antrea-controller-tls" must be provided with the following keys:
// If false, A Secret named "antrea-controller-tls" must be provided with the following keys:
// ca.crt: <CA certificate>
// tls.crt: <TLS certificate>
// tls.key: <TLS private key>
// Defaults to true.
// And the Secret must be mounted to directory "/var/run/antrea/antrea-controller-tls" of the
// antrea-controller container.
SelfSignedCert bool `yaml:"selfSignedCert,omitempty"`
}
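Review bot: The two added comment lines land after `// Defaults to true.`, so the SelfSignedCert doc now states the default and then continues with the mount requirement, which belongs with the preceding "If false" instructions. I would move the added lines above `// Defaults to true.` so the default closes the comment, i.e. `// tls.key: <TLS private key>` / `// And the Secret must be mounted to directory "/var/run/antrea/antrea-controller-tls" of the` / `// antrea-controller container.` followed by `// Defaults to true.`. The ControllerConfig struct begins outside the hunk.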
4 changes: 3 additions & 1 deletion docs/configuration.md
Expand Up @@ -92,11 +92,13 @@ clientConnection:
#apiPort: 10349

# Indicates whether to use auto-generated self-signed TLS certificate.
# If false, A secret named "kube-system/antrea-controller-tls" must be provided with the following keys:
# If false, A Secret named "antrea-controller-tls" must be provided with the following keys:
# ca.crt: <CA certificate>
# tls.crt: <TLS certificate>
# tls.key: <TLS private key>
#selfSignedCert: true
# And the Secret must be mounted to directory "/var/run/antrea/antrea-controller-tls" of the
# antrea-controller container.
```

## CNI configuration
19 changes: 11 additions & 8 deletions docs/securing-control-plane.md
Expand Up @@ -33,20 +33,23 @@ for client authentication.
By default, antrea-controller generates a self-signed certificate. You can
override the behavior by [providing your own certificates](#providing-your-own-certificates).
Either way, the antrea-controller will distribute the CA certificate as a
ConfigMap named `antrea-ca` in the `kube-system` Namespace and inject it into
the APIServices resources created by Antrea in order to allow its clients (i.e.
antrea-agent, kube-apiserver) to perform authentication.
ConfigMap named `antrea-ca` in the Antrea deployment Namespace and inject it
into the APIServices resources created by Antrea in order to allow its clients
(i.e. antrea-agent, kube-apiserver) to perform authentication.

Typically, clients that wish to access the antrea-controller API can
authenticate the server by validating against the CA certificate published in
the `kube-system/antrea-ca` ConfigMap.
the `antrea-ca` ConfigMap.

## Providing your own certificates

Since Antrea v0.7.0, you can provide your own certificates to Antrea. To do so,
you must set the `selfSignedCert` field of `antrea-controller.conf` to `false`,
so that the antrea-controller will read the certificate key pair from the
`kube-system/antrea-controller-tls` Secret.
`antrea-controller-tls` Secret. The example manifests and descriptions below
assume Antrea is deployed in the `kube-system` Namespace. If you deploy Antrea
in a different Namepace, please update the Namespace name in the manifests
accordingly.

```yaml
apiVersion: v1
Expand Down Expand Up @@ -77,8 +80,8 @@ DNS names:
**Note: It assumes you are using `cluster.local` as the cluster domain, you
should replace it with the actual one of your Kubernetes cluster.**

You can then create the `kube-system/antrea-controller-tls` Secret with the
certificate key pair and the CA certificate in the following form:
You can then create the `antrea-controller-tls` Secret with the certificate key
pair and the CA certificate in the following form:
```yaml
apiVersion: v1
kind: Secret
Expand Down Expand Up @@ -147,7 +150,7 @@ to the antrea-controller Pod if the Pod starts before the Secret is created.**
## Certificate rotation

Antrea v0.7.0 and higher supports certificate rotation. It can be achieved by
simply updating the `kube-system/antrea-controller-tls` Secret. The
simply updating the `antrea-controller-tls` Secret. The
antrea-controller will react to the change, updating its serving certificate and
re-distributing the latest CA certificate (if applicable).

9 changes: 7 additions & 2 deletions pkg/agent/client.go
Expand Up @@ -54,7 +54,12 @@ func NewAntreaClientProvider(config config.ClientConnectionConfiguration, kubeCl
// The key "ca.crt" may not exist at the beginning, no need to fail as the CA provider will watch the ConfigMap
// and notify antreaClientProvider of any update. The consumers of antreaClientProvider are supposed to always
// call GetAntreaClient() to get a client and not cache it.
antreaCAProvider, _ := dynamiccertificates.NewDynamicCAFromConfigMapController("antrea-ca", cert.CAConfigMapNamespace, cert.CAConfigMapName, cert.CAConfigMapKey, kubeClient)
antreaCAProvider, _ := dynamiccertificates.NewDynamicCAFromConfigMapController(
"antrea-ca",
cert.GetCAConfigMapNamespace(),
cert.CAConfigMapName,
cert.CAConfigMapKey,
kubeClient)
antreaClientProvider := &antreaClientProvider{
config: config,
caContentProvider: antreaCAProvider,
Expand Down Expand Up @@ -145,7 +150,7 @@ func inClusterConfig(caBundle []byte) (*rest.Config, error) {

tlsClientConfig := rest.TLSClientConfig{
CAData: caBundle,
ServerName: cert.AntreaServerNames[0],
ServerName: cert.GetAntreaServerNames()[0],
}

return &rest.Config{
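Review bot: The agent now locates the controller's CA ConfigMap through `cert.GetCAConfigMapNamespace()`, which (per the cacert_controller.go hunk in this commit) resolves the calling Pod's own Namespace from the environment; that only yields the controller's ConfigMap when antrea-agent and antrea-controller are deployed in the same Namespace, and nothing in the hunk records that assumption. I would add `// Assumes antrea-agent runs in the same Namespace as antrea-controller, which publishes the CA ConfigMap in its own Pod Namespace.` above the call. The error from NewDynamicCAFromConfigMapController is still discarded with `_`; the comment above justifies tolerating a missing key, but an error here presumably also covers invalid arguments, so logging it would at least make a wrong Namespace diagnosable. The enclosing function NewAntreaClientProvider continues outside the hunk.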
28 changes: 21 additions & 7 deletions pkg/apiserver/certificate/cacert_controller.go
Expand Up @@ -27,17 +27,21 @@ import (
"k8s.io/client-go/util/workqueue"
"k8s.io/klog"
"k8s.io/kube-aggregator/pkg/client/clientset_generated/clientset"

"github.com/vmware-tanzu/antrea/pkg/util/env"
)

const (
// The namespace and name of the ConfigMap that will hold the CA certificate
// that signs the TLS certificate of antrea-controller.
CAConfigMapNamespace = "kube-system"
CAConfigMapName = "antrea-ca"
CAConfigMapKey = "ca.crt"
// Name of the ConfigMap that will hold the CA certificate that signs the TLS
// certificate of antrea-controller.
CAConfigMapName = "antrea-ca"
CAConfigMapKey = "ca.crt"
)

var (
// Use the Antrea Pod Namespace for the CA cert ConfigMap.
caConfigMapNamespace = GetCAConfigMapNamespace()

// apiServiceNames contains all the APIServices backed by antrea-controller.
apiServiceNames = []string{
"v1beta1.networking.antrea.tanzu.vmware.com",
Expand All @@ -59,6 +63,16 @@ type CACertController struct {

var _ dynamiccertificates.Listener = &CACertController{}

func GetCAConfigMapNamespace() string {
namespace := env.GetPodNamespace()
if namespace != "" {
return namespace
}

klog.Warningf("Failed to get Pod Namespace from environment. Using \"%s\" as the CA ConfigMap Namespace", defaultAntreaNamespace)
return defaultAntreaNamespace
}

func newCACertController(caContentProvider dynamiccertificates.CAContentProvider,
client kubernetes.Interface,
aggregatorClient clientset.Interface,
Expand Down Expand Up @@ -116,7 +130,7 @@ func (c *CACertController) syncAPIServices(caCert []byte) error {
// syncConfigMap updates the ConfigMap that holds the CA bundle, which will be read by API clients, e.g. antrea-agent.
func (c *CACertController) syncConfigMap(caCert []byte) error {
klog.Info("Syncing CA certificate with ConfigMap")
caConfigMap, err := c.client.CoreV1().ConfigMaps(CAConfigMapNamespace).Get(context.TODO(), CAConfigMapName, v1.GetOptions{})
caConfigMap, err := c.client.CoreV1().ConfigMaps(caConfigMapNamespace).Get(context.TODO(), CAConfigMapName, v1.GetOptions{})
if err != nil {
return fmt.Errorf("error getting ConfigMap %s: %v", CAConfigMapName, err)
}
Expand All @@ -126,7 +140,7 @@ func (c *CACertController) syncConfigMap(caCert []byte) error {
caConfigMap.Data = map[string]string{
CAConfigMapKey: string(caCert),
}
if _, err := c.client.CoreV1().ConfigMaps(CAConfigMapNamespace).Update(context.TODO(), caConfigMap, v1.UpdateOptions{}); err != nil {
if _, err := c.client.CoreV1().ConfigMaps(caConfigMapNamespace).Update(context.TODO(), caConfigMap, v1.UpdateOptions{}); err != nil {
return fmt.Errorf("error updating ConfigMap %s: %v", CAConfigMapName, err)
}
return nil
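Review bot: `caConfigMapNamespace = GetCAConfigMapNamespace()` is a package-level var, so the Pod Namespace lookup and its klog warning run during package initialization, before main has parsed flags or configured logging, and the value cannot be overridden in tests without setting the environment before the package loads. Prefer resolving the Namespace in newCACertController (whose signature starts in the hunk but continues outside it) and storing it on CACertController, or at least computing it lazily on first use. GetCAConfigMapNamespace is exported but undocumented; I would add `// GetCAConfigMapNamespace returns the Namespace that holds the CA ConfigMap: the Pod's own Namespace from the environment, or defaultAntreaNamespace when that is unavailable.`. defaultAntreaNamespace is referenced but not defined in this hunk, so I assume it is declared elsewhere in the package. The RBAC rules granting get/update on this ConfigMap are not among the visible sections; if they are namespace-scoped to kube-system they need to move with the ConfigMap.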