Make use of kubelet service certificate

Author: Ole Markus With

cmd/kops-controller/pkg/server/server.go

@@ -175,6 +175,11 @@ func (s *Server) issueCert(name string, pubKey string, id *fi.VerifyResult, vali
 			CommonName:   fmt.Sprintf("system:node:%s", id.NodeName),
 			Organization: []string{rbac.NodesGroup},
 		}
+	case "kubelet-server":
+		issueReq.Subject = pkix.Name{
+			CommonName: id.NodeName,
+		}
+		issueReq.Type = "server"
 	case "kube-proxy":
 		issueReq.Subject = pkix.Name{
 			CommonName: rbac.KubeProxy,

nodeup/pkg/model/kubelet.go

@@ -56,6 +56,12 @@ var _ fi.ModelBuilder = &KubeletBuilder{}
 
 // Build is responsible for building the kubelet configuration
 func (b *KubeletBuilder) Build(c *fi.ModelBuilderContext) error {
+
+	err := b.buildKubeletServingCertificate(c)
+	if err != nil {
+		return fmt.Errorf("error building kubelet server cert: %v", err)
+	}
+
 	kubeletConfig, err := b.buildKubeletConfig()
 	if err != nil {
 		return fmt.Errorf("error building kubelet config: %v", err)
@@ -226,6 +232,11 @@ func (b *KubeletBuilder) buildSystemdEnvironmentFile(kubeletConfig *kops.Kubelet
 		}
 	}
 
+	if b.UseKopsControllerForNodeBootstrap() {
+		flags += " --tls-cert-file " + b.PathSrvKubernetes() + "/kubelet-server.crt"
+		flags += " --tls-private-key-file " + b.PathSrvKubernetes() + "/kubelet-server.key"
+	}
+
 	sysconfig := "DAEMON_ARGS=\"" + flags + "\"\n"
 	// Makes kubelet read /root/.docker/config.json properly
 	sysconfig = sysconfig + "HOME=\"/root" + "\"\n"
@@ -538,3 +549,49 @@ func (b *KubeletBuilder) buildMasterKubeletKubeconfig(c *fi.ModelBuilderContext)
 
 	return b.BuildIssuedKubeconfig("kubelet", certName, c), nil
 }
+
+func (b *KubeletBuilder) buildKubeletServingCertificate(c *fi.ModelBuilderContext) error {
+
+	if b.UseKopsControllerForNodeBootstrap() {
+		name := "kubelet-server"
+		dir := b.PathSrvKubernetes()
+		signer := fi.CertificateIDCA
+
+		nodeName, err := b.NodeName()
+		if err != nil {
+			return err
+		}
+
+		if !b.IsMaster {
+			cert, key := b.GetBootstrapCert(name)
+
+			c.AddTask(&nodetasks.File{
+				Path:     filepath.Join(dir, name+".crt"),
+				Contents: cert,
+				Type:     nodetasks.FileType_File,
+				Mode:     fi.String("0644"),
+			})
+
+			c.AddTask(&nodetasks.File{
+				Path:     filepath.Join(dir, name+".key"),
+				Contents: key,
+				Type:     nodetasks.FileType_File,
+				Mode:     fi.String("0400"),
+			})
+
+		} else {
+			issueCert := &nodetasks.IssueCert{
+				Name:   name,
+				Signer: signer,
+				Type:   "server",
+				Subject: nodetasks.PKIXName{
+					CommonName: nodeName,
+				},
+			}
+			c.AddTask(issueCert)
+			return issueCert.AddFileTasks(c, dir, name, "", nil)
+		}
+	}
+	return nil
+
+}

upup/pkg/fi/cloudup/template_functions.go

@@ -392,7 +392,7 @@ func (tf *TemplateFunctions) KopsControllerConfig() (string, error) {
 	}
 
 	if tf.UseKopsControllerForNodeBootstrap() {
-		certNames := []string{"kubelet"}
+		certNames := []string{"kubelet", "kubelet-server"}
 		signingCAs := []string{fi.CertificateIDCA}
 		if apiModel.UseCiliumEtcd(cluster) {
 			certNames = append(certNames, "etcd-client-cilium")

upup/pkg/fi/cloudup/tests/bootstrapchannelbuilder/awsiamauthenticator/manifest.yaml

@@ -7,7 +7,7 @@ spec:
   - id: k8s-1.16
     kubernetesVersion: '>=1.16.0-alpha.0'
     manifest: kops-controller.addons.k8s.io/k8s-1.16.yaml
-    manifestHash: 95b29a87c7e7204fd7f36716d7f9f3187985c2af
+    manifestHash: 70b6d9eaba39f1ead46355e682e747257eb52b49
     name: kops-controller.addons.k8s.io
     selector:
       k8s-addon: kops-controller.addons.k8s.io

upup/pkg/fi/cloudup/tests/bootstrapchannelbuilder/simple/kops-controller.addons.k8s.io-k8s-1.16.yaml

@@ -1,7 +1,7 @@
 apiVersion: v1
 data:
   config.yaml: |
-    {"cloud":"aws","configBase":"memfs://clusters.example.com/minimal.example.com","server":{"Listen":":3988","provider":{"aws":{"nodesRoles":["kops-custom-node-role","nodes.minimal.example.com"],"Region":"us-east-1"}},"serverKeyPath":"/etc/kubernetes/kops-controller/pki/kops-controller.key","serverCertificatePath":"/etc/kubernetes/kops-controller/pki/kops-controller.crt","caBasePath":"/etc/kubernetes/kops-controller/pki","signingCAs":["ca"],"certNames":["kubelet","kube-proxy"]}}
+    {"cloud":"aws","configBase":"memfs://clusters.example.com/minimal.example.com","server":{"Listen":":3988","provider":{"aws":{"nodesRoles":["kops-custom-node-role","nodes.minimal.example.com"],"Region":"us-east-1"}},"serverKeyPath":"/etc/kubernetes/kops-controller/pki/kops-controller.key","serverCertificatePath":"/etc/kubernetes/kops-controller/pki/kops-controller.crt","caBasePath":"/etc/kubernetes/kops-controller/pki","signingCAs":["ca"],"certNames":["kubelet","kubelet-server","kube-proxy"]}}
 kind: ConfigMap
 metadata:
   labels:

upup/pkg/fi/cloudup/tests/bootstrapchannelbuilder/simple/manifest.yaml

@@ -7,7 +7,7 @@ spec:
   - id: k8s-1.16
     kubernetesVersion: '>=1.16.0-alpha.0'
     manifest: kops-controller.addons.k8s.io/k8s-1.16.yaml
-    manifestHash: 95b29a87c7e7204fd7f36716d7f9f3187985c2af
+    manifestHash: 70b6d9eaba39f1ead46355e682e747257eb52b49
     name: kops-controller.addons.k8s.io
     selector:
       k8s-addon: kops-controller.addons.k8s.io