
Merge pull request #712 from dbaker-rh/helm-certs

Enable TLS and cert-manager created certs for helm chart
This commit is contained in:
Kubernetes Prow Robot 2022-01-04 06:24:52 -08:00 committed by GitHub
commit ec15f4f24c
No known key found for this signature in database
GPG key ID: 4AEE18F83AFDEB23
7 changed files with 179 additions and 47 deletions


@ -0,0 +1,64 @@
{{- if .Values.tls.certManager }}
---
apiVersion: cert-manager.io/v1
kind: Certificate
metadata:
name: nfd-master-cert
spec:
secretName: nfd-master-cert
subject:
organizations:
- node-feature-discovery
commonName: nfd-master
dnsNames:
# must match the service name
- {{ include "node-feature-discovery.fullname" . }}-master
# first one is configured for use by the worker; below are for completeness
- {{ include "node-feature-discovery.fullname" . }}-master.{{ $.Release.Namespace }}.svc
- {{ include "node-feature-discovery.fullname" . }}-master.{{ $.Release.Namespace }}.svc.cluster.local
# localhost needed for grpc_health_probe
- localhost
issuerRef:
name: nfd-ca-issuer
kind: Issuer
group: cert-manager.io
---
apiVersion: cert-manager.io/v1
kind: Certificate
metadata:
name: nfd-worker-cert
spec:
secretName: nfd-worker-cert
subject:
organizations:
- node-feature-discovery
commonName: nfd-worker
dnsNames:
- {{ include "node-feature-discovery.fullname" . }}-worker.{{ $.Release.Namespace }}.svc.cluster.local
issuerRef:
name: nfd-ca-issuer
kind: Issuer
group: cert-manager.io
{{- if .Values.topologyUpdater.enable }}
---
apiVersion: cert-manager.io/v1
kind: Certificate
metadata:
name: nfd-topology-updater-cert
spec:
secretName: nfd-topology-updater-cert
subject:
organizations:
- node-feature-discovery
commonName: nfd-topology-updater
dnsNames:
- {{ include "node-feature-discovery.fullname" . }}-topology-updater.{{ $.Release.Namespace }}.svc.cluster.local
issuerRef:
name: nfd-ca-issuer
kind: Issuer
group: cert-manager.io
{{- end }}
{{- end }}
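Review bot: None of the three `Certificate` objects pins `duration`, `renewBefore`, `privateKey` or `usages`, so lifetime, key rotation and extended key usage all fall back to cert-manager defaults (presumably 90-day validity with the private key reused on renewal — confirm against the installed cert-manager version). Because the master deployment's `grpc_health_probe` presents the master's `tls.crt` as a client certificate while the worker and topology updater dial that same `tls.crt` as a server, the master cert has to be valid for both roles; declaring `usages: [server auth, client auth]` on `nfd-master-cert`, `usages: [client auth]` on the other two, and `privateKey: {rotationPolicy: Always}` on all three makes that explicit instead of relying on the default key-usage set. The `secretName` values are fixed strings rather than derived from `node-feature-discovery.fullname`, so two releases in one namespace would overwrite each other's Secrets.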


@ -0,0 +1,39 @@
{{- if .Values.tls.certManager }}
# See https://cert-manager.io/docs/configuration/selfsigned/#bootstrapping-ca-issuers
# - Create a self signed issuer
# - Use this to create a CA cert
# - Use this to now create a CA issuer
---
apiVersion: cert-manager.io/v1
kind: Issuer
metadata:
name: nfd-ca-bootstrap
spec:
selfSigned: {}
---
apiVersion: cert-manager.io/v1
kind: Certificate
metadata:
name: nfd-ca-cert
spec:
isCA: true
secretName: nfd-ca-cert
subject:
organizations:
- node-feature-discovery
commonName: nfd-ca-cert
issuerRef:
name: nfd-ca-bootstrap
kind: Issuer
group: cert-manager.io
---
apiVersion: cert-manager.io/v1
kind: Issuer
metadata:
name: nfd-ca-issuer
spec:
ca:
secretName: nfd-ca-cert
{{- end }}
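Review bot: The bootstrap chain leaves the CA's private key in the `nfd-ca-cert` Secret that the `ca` issuer reads from, so anyone able to read Secrets in the release namespace can mint a certificate the master will accept from any worker; that trust boundary should be stated in the chart docs, and the leaf Certificates would ideally be able to reference an operator-supplied issuer instead of this self-signed one (the `issuerRef` is hard-coded to `nfd-ca-issuer` in the certificate template). The CA `Certificate` also sets no `duration`, so it presumably gets the same default lifetime as the leaf certificates — confirm — and a CA re-issued on the same schedule as the leaves that embed its `ca.crt` is easy to get out of step. At minimum a comment such as `# CA lifetime is cert-manager's default; set duration/renewBefore explicitly for production` should flag it, with an explicit `duration` longer than the leaf certs being the real fix.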


@ -34,12 +34,28 @@ spec:
imagePullPolicy: {{ .Values.image.pullPolicy }} imagePullPolicy: {{ .Values.image.pullPolicy }}
livenessProbe: livenessProbe:
exec: exec:
command: ["/usr/bin/grpc_health_probe", "-addr=:8080"] command:
- "/usr/bin/grpc_health_probe"
- "-addr=:8080"
{{- if .Values.tls.enable }}
- "-tls"
- "-tls-ca-cert=/etc/kubernetes/node-feature-discovery/certs/ca.crt"
- "-tls-client-key=/etc/kubernetes/node-feature-discovery/certs/tls.key"
- "-tls-client-cert=/etc/kubernetes/node-feature-discovery/certs/tls.crt"
{{- end }}
initialDelaySeconds: 10 initialDelaySeconds: 10
periodSeconds: 10 periodSeconds: 10
readinessProbe: readinessProbe:
exec: exec:
command: ["/usr/bin/grpc_health_probe", "-addr=:8080"] command:
- "/usr/bin/grpc_health_probe"
- "-addr=:8080"
{{- if .Values.tls.enable }}
- "-tls"
- "-tls-ca-cert=/etc/kubernetes/node-feature-discovery/certs/ca.crt"
- "-tls-client-key=/etc/kubernetes/node-feature-discovery/certs/tls.key"
- "-tls-client-cert=/etc/kubernetes/node-feature-discovery/certs/tls.crt"
{{- end }}
initialDelaySeconds: 5 initialDelaySeconds: 5
periodSeconds: 10 periodSeconds: 10
failureThreshold: 10 failureThreshold: 10
@ -63,30 +79,20 @@ spec:
- "--extra-label-ns={{- join "," .Values.master.extraLabelNs }}" - "--extra-label-ns={{- join "," .Values.master.extraLabelNs }}"
{{- end }} {{- end }}
- "-featurerules-controller={{ .Values.master.featureRulesController }}" - "-featurerules-controller={{ .Values.master.featureRulesController }}"
## Enable TLS authentication {{- if .Values.tls.enable }}
## The example below assumes having the root certificate named ca.crt stored in - "--ca-file=/etc/kubernetes/node-feature-discovery/certs/ca.crt"
## a ConfigMap named nfd-ca-cert, and, the TLS authentication credentials stored - "--key-file=/etc/kubernetes/node-feature-discovery/certs/tls.key"
## in a TLS Secret named nfd-master-cert. - "--cert-file=/etc/kubernetes/node-feature-discovery/certs/tls.crt"
## Additional hardening can be enabled by specifying --verify-node-name in volumeMounts:
## args, in which case node name will be checked against the worker's - name: nfd-master-cert
## TLS certificate. mountPath: "/etc/kubernetes/node-feature-discovery/certs"
# - "--ca-file=/etc/kubernetes/node-feature-discovery/trust/ca.crt" readOnly: true
# - "--key-file=/etc/kubernetes/node-feature-discovery/certs/tls.key" volumes:
# - "--cert-file=/etc/kubernetes/node-feature-discovery/certs/tls.crt" - name: nfd-master-cert
# volumeMounts: secret:
# - name: nfd-ca-cert secretName: nfd-master-cert
# mountPath: "/etc/kubernetes/node-feature-discovery/trust" ## /TLS ##
# readOnly: true {{- end }}
# - name: nfd-master-cert
# mountPath: "/etc/kubernetes/node-feature-discovery/certs"
# readOnly: true
# volumes:
# - name: nfd-ca-cert
# configMap:
# name: nfd-ca-cert
# - name: nfd-master-cert
# secret:
# secretName: nfd-master-cert
{{- with .Values.master.nodeSelector }} {{- with .Values.master.nodeSelector }}
nodeSelector: nodeSelector:
{{- toYaml . | nindent 8 }} {{- toYaml . | nindent 8 }}
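Review bot: The liveness and readiness probes now authenticate with the master's own serving certificate (`-tls-client-cert=…/certs/tls.crt`), so a manually provisioned `nfd-master-cert` restricted to server authentication would presumably make every probe fail and keep the pod unready, with nothing in the chart saying so; a comment above the probe block such as `# the probe dials the master over mTLS using the serving cert as its client cert, so that cert must also permit client auth` would save operators that debugging session. The removed block also documented `--verify-node-name` as an additional hardening step, and that guidance disappears here without a replacement — consider keeping it as a comment or exposing it as a `master.verifyNodeName` value. The stray `## /TLS ##` marker after the `secretName` line has no opening counterpart and could go. The container spec both hunks belong to starts above the first hunk and continues below the second.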


@ -50,6 +50,11 @@ spec:
{{- else }} {{- else }}
- "--watch-namespace=*" - "--watch-namespace=*"
{{- end }} {{- end }}
{{- if .Values.tls.enable }}
- "--ca-file=/etc/kubernetes/node-feature-discovery/certs/ca.crt"
- "--key-file=/etc/kubernetes/node-feature-discovery/certs/tls.key"
- "--cert-file=/etc/kubernetes/node-feature-discovery/certs/tls.crt"
{{- end }}
volumeMounts: volumeMounts:
- name: kubelet-config - name: kubelet-config
mountPath: /host-var/lib/kubelet/config.yaml mountPath: /host-var/lib/kubelet/config.yaml
@ -57,6 +62,12 @@ spec:
mountPath: /host-var/lib/kubelet/pod-resources/kubelet.sock mountPath: /host-var/lib/kubelet/pod-resources/kubelet.sock
- name: host-sys - name: host-sys
mountPath: /host-sys mountPath: /host-sys
{{- if .Values.tls.enable }}
- name: nfd-topology-updater-cert
mountPath: "/etc/kubernetes/node-feature-discovery/certs"
readOnly: true
{{- end }}
resources: resources:
{{- toYaml .Values.topologyUpdater.resources | nindent 12 }} {{- toYaml .Values.topologyUpdater.resources | nindent 12 }}
securityContext: securityContext:
@ -79,6 +90,12 @@ spec:
{{- else }} {{- else }}
path: /var/lib/kubelet/pod-resources/kubelet.sock path: /var/lib/kubelet/pod-resources/kubelet.sock
{{- end }} {{- end }}
{{- if .Values.tls.enable }}
- name: nfd-topology-updater-cert
secret:
secretName: nfd-topology-updater-cert
{{- end }}
{{- with .Values.topologyUpdater.nodeSelector }} {{- with .Values.topologyUpdater.nodeSelector }}
nodeSelector: nodeSelector:
{{- toYaml . | nindent 8 }} {{- toYaml . | nindent 8 }}
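Review bot: This is the third verbatim copy of the `--ca-file`/`--key-file`/`--cert-file` argument trio and of the `/etc/kubernetes/node-feature-discovery/certs` mount, differing from the master and worker templates only in the Secret name; a named template in the helpers file that already defines `node-feature-discovery.fullname`, e.g. `{{- define "node-feature-discovery.tlsArgs" }}` emitting the three flags and included from all three pod specs, would keep the paths from drifting apart when one copy is changed later. Each hunk here sits inside a container or volume list that begins outside the hunk.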


@ -42,13 +42,11 @@ spec:
- "nfd-worker" - "nfd-worker"
args: args:
- "--server={{ include "node-feature-discovery.fullname" . }}-master:{{ .Values.master.service.port }}" - "--server={{ include "node-feature-discovery.fullname" . }}-master:{{ .Values.master.service.port }}"
## Enable TLS authentication (1/3) {{- if .Values.tls.enable }}
## The example below assumes having the root certificate named ca.crt stored in - "--ca-file=/etc/kubernetes/node-feature-discovery/certs/ca.crt"
## a ConfigMap named nfd-ca-cert, and, the TLS authentication credentials stored - "--key-file=/etc/kubernetes/node-feature-discovery/certs/tls.key"
## in a TLS Secret named nfd-worker-cert - "--cert-file=/etc/kubernetes/node-feature-discovery/certs/tls.crt"
# - "--ca-file=/etc/kubernetes/node-feature-discovery/trust/ca.crt" {{- end }}
# - "--key-file=/etc/kubernetes/node-feature-discovery/certs/tls.key"
# - "--cert-file=/etc/kubernetes/node-feature-discovery/certs/tls.crt"
volumeMounts: volumeMounts:
- name: host-boot - name: host-boot
mountPath: "/host-boot" mountPath: "/host-boot"
@ -76,13 +74,11 @@ spec:
- name: nfd-worker-conf - name: nfd-worker-conf
mountPath: "/etc/kubernetes/node-feature-discovery" mountPath: "/etc/kubernetes/node-feature-discovery"
readOnly: true readOnly: true
## Enable TLS authentication (2/3) {{- if .Values.tls.enable }}
# - name: nfd-ca-cert - name: nfd-worker-cert
# mountPath: "/etc/kubernetes/node-feature-discovery/trust" mountPath: "/etc/kubernetes/node-feature-discovery/certs"
# readOnly: true readOnly: true
# - name: nfd-worker-cert {{- end }}
# mountPath: "/etc/kubernetes/node-feature-discovery/certs"
# readOnly: true
volumes: volumes:
- name: host-boot - name: host-boot
hostPath: hostPath:
@ -113,13 +109,11 @@ spec:
items: items:
- key: nfd-worker.conf - key: nfd-worker.conf
path: nfd-worker.conf path: nfd-worker.conf
## Enable TLS authentication (3/3) {{- if .Values.tls.enable }}
# - name: nfd-ca-cert - name: nfd-worker-cert
# configMap: secret:
# name: nfd-ca-cert secretName: nfd-worker-cert
# - name: nfd-worker-cert {{- end }}
# secret:
# secretName: nfd-worker-cert
{{- with .Values.worker.nodeSelector }} {{- with .Values.worker.nodeSelector }}
nodeSelector: nodeSelector:
{{- toYaml . | nindent 8 }} {{- toYaml . | nindent 8 }}
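Review bot: Every worker pod in the DaemonSet mounts the same `nfd-worker-cert` Secret, so mTLS here proves only that a peer holds the one shared worker credential, not which node it runs on; a compromised worker pod could presumably still submit labels for any node, and the `--verify-node-name` hardening that the removed comment in the master template described cannot work with a single shared certificate (the values file's `TODO: verify hostname is not yet supported` appears to acknowledge this). That limitation is worth stating next to the mount, e.g. `# one client cert is shared by all workers; it authenticates "an NFD worker", not a specific node`, and in the README alongside the new `tls.*` parameters. The args, volumeMounts and volumes lists these hunks modify all start outside the hunks.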


@ -429,3 +429,13 @@ rbac:
## Annotations for the Service Account ## Annotations for the Service Account
## ##
serviceAccountAnnotations: {} serviceAccountAnnotations: {}
# Optionally use encryption for worker <--> master comms
# TODO: verify hostname is not yet supported
#
# If you do not enable certManager (and have it installed) you will
# need to manually, or otherwise, provision the TLS certs as secrets
tls:
enable: false
certManager: false
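Review bot: The comment tells users to provision certificates themselves when `certManager` is off, but not what the templates actually expect: Secrets named `nfd-master-cert`, `nfd-worker-cert` and `nfd-topology-updater-cert` in the release namespace, each carrying `ca.crt`, `tls.crt` and `tls.key`, with the master cert's SANs covering the `<fullname>-master` Service name and `localhost` for the probes. Spelling that out here in a short comment listing the Secret names and keys would replace the `TODO: verify hostname is not yet supported` line, which reads as a note-to-self rather than user documentation. `certManager: true` together with `enable: false` also renders the Certificate objects but never mounts them; a guard like `{{- if and .Values.tls.certManager (not .Values.tls.enable) }}{{ fail "tls.certManager requires tls.enable=true" }}{{- end }}` at the top of the certificate template would catch that misconfiguration at install time.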


@ -291,6 +291,8 @@ We have introduced the following Chart parameters.
| `nameOverride` | string | | Override the name of the chart | | `nameOverride` | string | | Override the name of the chart |
| `fullnameOverride` | string | | Override a default fully qualified app name | | `fullnameOverride` | string | | Override a default fully qualified app name |
| `nodeFeatureRule.createCRD` | bool | true | Specifies whether to create the NodeFeatureRule CRD | | `nodeFeatureRule.createCRD` | bool | true | Specifies whether to create the NodeFeatureRule CRD |
| `tls.enable` | bool | false | Specifies whether to use TLS for communications between components |
| `tls.certManager` | bool | false | If enabled, requires [cert-manager](https://cert-manager.io/docs/) to be installed and will automatically create the required TLS certificates |
##### Master pod parameters ##### Master pod parameters