
Merge pull request #712 from dbaker-rh/helm-certs

Enable TLS and cert-manager created certs for helm chart
This commit is contained in:
Kubernetes Prow Robot 2022-01-04 06:24:52 -08:00 committed by GitHub
commit ec15f4f24c
No known key found for this signature in database
GPG key ID: 4AEE18F83AFDEB23
7 changed files with 179 additions and 47 deletions


@ -0,0 +1,64 @@
{{- if .Values.tls.certManager }}
---
apiVersion: cert-manager.io/v1
kind: Certificate
metadata:
name: nfd-master-cert
spec:
secretName: nfd-master-cert
subject:
organizations:
- node-feature-discovery
commonName: nfd-master
dnsNames:
# must match the service name
- {{ include "node-feature-discovery.fullname" . }}-master
# first one is configured for use by the worker; below are for completeness
- {{ include "node-feature-discovery.fullname" . }}-master.{{ $.Release.Namespace }}.svc
- {{ include "node-feature-discovery.fullname" . }}-master.{{ $.Release.Namespace }}.svc.cluster.local
# localhost needed for grpc_health_probe
- localhost
issuerRef:
name: nfd-ca-issuer
kind: Issuer
group: cert-manager.io
---
apiVersion: cert-manager.io/v1
kind: Certificate
metadata:
name: nfd-worker-cert
spec:
secretName: nfd-worker-cert
subject:
organizations:
- node-feature-discovery
commonName: nfd-worker
dnsNames:
- {{ include "node-feature-discovery.fullname" . }}-worker.{{ $.Release.Namespace }}.svc.cluster.local
issuerRef:
name: nfd-ca-issuer
kind: Issuer
group: cert-manager.io
{{- if .Values.topologyUpdater.enable }}
---
apiVersion: cert-manager.io/v1
kind: Certificate
metadata:
name: nfd-topology-updater-cert
spec:
secretName: nfd-topology-updater-cert
subject:
organizations:
- node-feature-discovery
commonName: nfd-topology-updater
dnsNames:
- {{ include "node-feature-discovery.fullname" . }}-topology-updater.{{ $.Release.Namespace }}.svc.cluster.local
issuerRef:
name: nfd-ca-issuer
kind: Issuer
group: cert-manager.io
{{- end }}
{{- end }}
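Review bot: The worker Certificate (`nfd-worker-cert`) and the topology-updater one each issue a single key pair that every pod of the respective DaemonSet mounts, so the master can only distinguish "a worker" from "not a worker" — node identity is not bound to the TLS credential, which is also why the `--verify-node-name` hardening that the removed master comments described does not fit this setup. I would say so above the worker Certificate: `# One shared client cert for all workers: TLS proves cluster membership, not node identity (--verify-node-name is not wired up)`. None of the Certificates pin `usages`, `duration` or `renewBefore`, so extended key usage and lifetime come from cert-manager defaults; if you do add `usages`, the master needs both `server auth` and `client auth`, because the deployment's grpc_health_probe presents the master's own key pair as client credentials. Whether nfd-master and nfd-worker re-read the mounted key pair after a cert-manager renewal is not visible here — if they do not, a renewal needs a pod restart, which the chart should document.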


@ -0,0 +1,39 @@
{{- if .Values.tls.certManager }}
# See https://cert-manager.io/docs/configuration/selfsigned/#bootstrapping-ca-issuers
# - Create a self signed issuer
# - Use this to create a CA cert
# - Use this to now create a CA issuer
---
apiVersion: cert-manager.io/v1
kind: Issuer
metadata:
name: nfd-ca-bootstrap
spec:
selfSigned: {}
---
apiVersion: cert-manager.io/v1
kind: Certificate
metadata:
name: nfd-ca-cert
spec:
isCA: true
secretName: nfd-ca-cert
subject:
organizations:
- node-feature-discovery
commonName: nfd-ca-cert
issuerRef:
name: nfd-ca-bootstrap
kind: Issuer
group: cert-manager.io
---
apiVersion: cert-manager.io/v1
kind: Issuer
metadata:
name: nfd-ca-issuer
spec:
ca:
secretName: nfd-ca-cert
{{- end }}
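Review bot: The CA Certificate `nfd-ca-cert` sets no `duration`, so under cert-manager's defaults it lives only as long as the leaf certificates it signs; when it renews, the `ca.crt` already written into the leaf Secrets is, as far as I know, not refreshed until each leaf is reissued, so master and workers can trust different roots for a while. Giving the CA a clearly longer lifetime than the leaves (for example `duration: 87600h` with a matching `renewBefore`) and noting the rotation caveat in the header comment would close that window. The header could also state that the CA private key is stored in the `nfd-ca-cert` Secret in the release namespace, so read access to Secrets there is equivalent to being able to mint certificates the master accepts — relevant for anyone reviewing RBAC on that namespace.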


@ -34,12 +34,28 @@ spec:
imagePullPolicy: {{ .Values.image.pullPolicy }}
livenessProbe:
exec:
command: ["/usr/bin/grpc_health_probe", "-addr=:8080"]
command:
- "/usr/bin/grpc_health_probe"
- "-addr=:8080"
{{- if .Values.tls.enable }}
- "-tls"
- "-tls-ca-cert=/etc/kubernetes/node-feature-discovery/certs/ca.crt"
- "-tls-client-key=/etc/kubernetes/node-feature-discovery/certs/tls.key"
- "-tls-client-cert=/etc/kubernetes/node-feature-discovery/certs/tls.crt"
{{- end }}
initialDelaySeconds: 10
periodSeconds: 10
readinessProbe:
exec:
command: ["/usr/bin/grpc_health_probe", "-addr=:8080"]
command:
- "/usr/bin/grpc_health_probe"
- "-addr=:8080"
{{- if .Values.tls.enable }}
- "-tls"
- "-tls-ca-cert=/etc/kubernetes/node-feature-discovery/certs/ca.crt"
- "-tls-client-key=/etc/kubernetes/node-feature-discovery/certs/tls.key"
- "-tls-client-cert=/etc/kubernetes/node-feature-discovery/certs/tls.crt"
{{- end }}
initialDelaySeconds: 5
periodSeconds: 10
failureThreshold: 10
@ -63,30 +79,20 @@ spec:
- "--extra-label-ns={{- join "," .Values.master.extraLabelNs }}"
{{- end }}
- "-featurerules-controller={{ .Values.master.featureRulesController }}"
## Enable TLS authentication
## The example below assumes having the root certificate named ca.crt stored in
## a ConfigMap named nfd-ca-cert, and, the TLS authentication credentials stored
## in a TLS Secret named nfd-master-cert.
## Additional hardening can be enabled by specifying --verify-node-name in
## args, in which case node name will be checked against the worker's
## TLS certificate.
# - "--ca-file=/etc/kubernetes/node-feature-discovery/trust/ca.crt"
# - "--key-file=/etc/kubernetes/node-feature-discovery/certs/tls.key"
# - "--cert-file=/etc/kubernetes/node-feature-discovery/certs/tls.crt"
# volumeMounts:
# - name: nfd-ca-cert
# mountPath: "/etc/kubernetes/node-feature-discovery/trust"
# readOnly: true
# - name: nfd-master-cert
# mountPath: "/etc/kubernetes/node-feature-discovery/certs"
# readOnly: true
# volumes:
# - name: nfd-ca-cert
# configMap:
# name: nfd-ca-cert
# - name: nfd-master-cert
# secret:
# secretName: nfd-master-cert
{{- if .Values.tls.enable }}
- "--ca-file=/etc/kubernetes/node-feature-discovery/certs/ca.crt"
- "--key-file=/etc/kubernetes/node-feature-discovery/certs/tls.key"
- "--cert-file=/etc/kubernetes/node-feature-discovery/certs/tls.crt"
volumeMounts:
- name: nfd-master-cert
mountPath: "/etc/kubernetes/node-feature-discovery/certs"
readOnly: true
volumes:
- name: nfd-master-cert
secret:
secretName: nfd-master-cert
## /TLS ##
{{- end }}
{{- with .Values.master.nodeSelector }}
nodeSelector:
{{- toYaml . | nindent 8 }}
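Review bot: The trailing `## /TLS ##` line inside the `tls.enable` branch is a leftover from the commented-out example this hunk deletes, and with that example the chart's only mention of `--verify-node-name` disappears; I would drop the stray line and keep a one-line pointer such as `## Client certs signed by ca.crt are required when tls.enable is set; worker node identity is not verified (--verify-node-name is not wired up)`. `--ca-file` now reads `certs/ca.crt` out of the same `nfd-master-cert` Secret that provides `tls.crt`/`tls.key`, which cert-manager populates but a hand-made `kubectl create secret tls` does not — a comment on the volume entry saying the Secret must carry a `ca.crt` key would save operators a debugging round. The same three-flag block and the same `/etc/kubernetes/node-feature-discovery/certs` path are repeated near-verbatim in the topology-updater and worker templates of this commit; a named template (`define`) for the TLS args and mount path would keep them from drifting. The container spec that these `args`, `volumeMounts` and `volumes` belong to starts before the hunk.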


@ -50,6 +50,11 @@ spec:
{{- else }}
- "--watch-namespace=*"
{{- end }}
{{- if .Values.tls.enable }}
- "--ca-file=/etc/kubernetes/node-feature-discovery/certs/ca.crt"
- "--key-file=/etc/kubernetes/node-feature-discovery/certs/tls.key"
- "--cert-file=/etc/kubernetes/node-feature-discovery/certs/tls.crt"
{{- end }}
volumeMounts:
- name: kubelet-config
mountPath: /host-var/lib/kubelet/config.yaml
@ -57,6 +62,12 @@ spec:
mountPath: /host-var/lib/kubelet/pod-resources/kubelet.sock
- name: host-sys
mountPath: /host-sys
{{- if .Values.tls.enable }}
- name: nfd-topology-updater-cert
mountPath: "/etc/kubernetes/node-feature-discovery/certs"
readOnly: true
{{- end }}
resources:
{{- toYaml .Values.topologyUpdater.resources | nindent 12 }}
securityContext:
@ -79,6 +90,12 @@ spec:
{{- else }}
path: /var/lib/kubelet/pod-resources/kubelet.sock
{{- end }}
{{- if .Values.tls.enable }}
- name: nfd-topology-updater-cert
secret:
secretName: nfd-topology-updater-cert
{{- end }}
{{- with .Values.topologyUpdater.nodeSelector }}
nodeSelector:
{{- toYaml . | nindent 8 }}


@ -42,13 +42,11 @@ spec:
- "nfd-worker"
args:
- "--server={{ include "node-feature-discovery.fullname" . }}-master:{{ .Values.master.service.port }}"
## Enable TLS authentication (1/3)
## The example below assumes having the root certificate named ca.crt stored in
## a ConfigMap named nfd-ca-cert, and, the TLS authentication credentials stored
## in a TLS Secret named nfd-worker-cert
# - "--ca-file=/etc/kubernetes/node-feature-discovery/trust/ca.crt"
# - "--key-file=/etc/kubernetes/node-feature-discovery/certs/tls.key"
# - "--cert-file=/etc/kubernetes/node-feature-discovery/certs/tls.crt"
{{- if .Values.tls.enable }}
- "--ca-file=/etc/kubernetes/node-feature-discovery/certs/ca.crt"
- "--key-file=/etc/kubernetes/node-feature-discovery/certs/tls.key"
- "--cert-file=/etc/kubernetes/node-feature-discovery/certs/tls.crt"
{{- end }}
volumeMounts:
- name: host-boot
mountPath: "/host-boot"
@ -76,13 +74,11 @@ spec:
- name: nfd-worker-conf
mountPath: "/etc/kubernetes/node-feature-discovery"
readOnly: true
## Enable TLS authentication (2/3)
# - name: nfd-ca-cert
# mountPath: "/etc/kubernetes/node-feature-discovery/trust"
# readOnly: true
# - name: nfd-worker-cert
# mountPath: "/etc/kubernetes/node-feature-discovery/certs"
# readOnly: true
{{- if .Values.tls.enable }}
- name: nfd-worker-cert
mountPath: "/etc/kubernetes/node-feature-discovery/certs"
readOnly: true
{{- end }}
volumes:
- name: host-boot
hostPath:
@ -113,13 +109,11 @@ spec:
items:
- key: nfd-worker.conf
path: nfd-worker.conf
## Enable TLS authentication (3/3)
# - name: nfd-ca-cert
# configMap:
# name: nfd-ca-cert
# - name: nfd-worker-cert
# secret:
# secretName: nfd-worker-cert
{{- if .Values.tls.enable }}
- name: nfd-worker-cert
secret:
secretName: nfd-worker-cert
{{- end }}
{{- with .Values.worker.nodeSelector }}
nodeSelector:
{{- toYaml . | nindent 8 }}


@ -429,3 +429,13 @@ rbac:
## Annotations for the Service Account
##
serviceAccountAnnotations: {}
# Optionally use encryption for worker <--> master comms
# TODO: verify hostname is not yet supported
#
# If you do not enable certManager (and have it installed) you will
# need to manually, or otherwise, provision the TLS certs as secrets
tls:
enable: false
certManager: false
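Review bot: The comment says operators must provision the TLS certs "manually, or otherwise" when `certManager` is off, but it does not name what the templates will mount: Secrets `nfd-master-cert`, `nfd-worker-cert` and, when the topology updater is enabled, `nfd-topology-updater-cert`, each needing `tls.crt`, `tls.key` and a `ca.crt` key holding the CA that issued all three (the `--ca-file` flags read `certs/ca.crt` from the same Secret as the key pair). I would replace the comment with one that lists those Secret names and keys and says that `ca.crt` must be common to all of them. The `TODO: verify hostname is not yet supported` line would be clearer as `# TODO: per-node identity (--verify-node-name) is not supported; the worker cert is shared by all workers`. Setting `enable: true` with `certManager: false` and no Secrets leaves the pods waiting for a missing volume, which is a reasonable fail-closed behaviour but worth stating here.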


@ -291,6 +291,8 @@ We have introduced the following Chart parameters.
| `nameOverride` | string | | Override the name of the chart |
| `fullnameOverride` | string | | Override a default fully qualified app name |
| `nodeFeatureRule.createCRD` | bool | true | Specifies whether to create the NodeFeatureRule CRD |
| `tls.enable` | bool | false | Specifies whether to use TLS for communications between components |
| `tls.certManager` | bool | false | If enabled, requires [cert-manager](https://cert-manager.io/docs/) to be installed and will automatically create the required TLS certificates |
##### Master pod parameters