/*
Copyright (c) Edgeless Systems GmbH

SPDX-License-Identifier: AGPL-3.0-only
*/
package resources
import (
"crypto/x509"
"crypto/x509/pkix"
"github.com/edgelesssys/constellation/v2/bootstrapper/internal/certificate"
"github.com/edgelesssys/constellation/v2/internal/kubernetes"
"github.com/edgelesssys/constellation/v2/internal/versions"
corev1 "k8s.io/api/core/v1"
metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
"k8s.io/apimachinery/pkg/util/intstr"
"k8s.io/apiserver/pkg/apis/apiserver"
)
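const (
	// KonnectivityCertificateFilename is the path at which the konnectivity
	// server's certificate is stored on the node.
	KonnectivityCertificateFilename = "/etc/kubernetes/konnectivity.crt"
	// KonnectivityKeyFilename is the path at which the konnectivity server's
	// private key is stored on the node.
	KonnectivityKeyFilename = "/etc/kubernetes/konnectivity.key"
)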
// KonnectivityServerStaticPod wraps the static Pod manifest of the konnectivity
// server. Build it with NewKonnectivityServerStaticPod and serialize it with
// Marshal.
type KonnectivityServerStaticPod struct {
	// StaticPod holds the Pod manifest.
	StaticPod corev1.Pod
}
// EgressSelectorConfiguration wraps the API server's EgressSelectorConfiguration
// that routes "cluster" egress through the konnectivity server's Unix domain
// socket. Build it with NewEgressSelectorConfiguration and serialize it with
// Marshal.
type EgressSelectorConfiguration struct {
	// EgressSelectorConfiguration holds the apiserver configuration object.
	EgressSelectorConfiguration apiserver.EgressSelectorConfiguration
}
// NewKonnectivityServerStaticPod builds the static Pod manifest for the
// konnectivity server, which is expected to run on the same machine as the
// API server.
//
// The pod uses HostNetwork and publishes the agent (8132), admin (8133) and
// health (8134) ports as host ports. The API server's certificate and key
// under /etc/kubernetes/pki and the server's kubeconfig are bind-mounted
// read-only from the host; the Unix domain socket the API server's egress
// selector dials lives under /run/konnectivity-server, so the --uds-name
// argument here and NewEgressSelectorConfiguration must agree.
func NewKonnectivityServerStaticPod() *KonnectivityServerStaticPod {
	// The UDS directory is created on the host if it does not exist yet.
	udsHostPathType := corev1.HostPathDirectoryOrCreate

	args := []string{
		"--logtostderr=true",
		// This needs to be consistent with the value set in egressSelectorConfiguration.
		"--uds-name=/run/konnectivity-server/konnectivity-server.socket",
		// Clean up existing UDS file before starting the server in case the server crashed at some point.
		"--delete-existing-uds-file=true",
		// The following two lines assume the Konnectivity server is
		// deployed on the same machine as the apiserver, and the certs and
		// key of the API Server are at the specified location.
		"--cluster-cert=/etc/kubernetes/pki/apiserver.crt",
		"--cluster-key=/etc/kubernetes/pki/apiserver.key",
		// This needs to be consistent with the value set in egressSelectorConfiguration.
		"--mode=grpc",
		"--server-port=0",
		"--agent-port=8132",
		"--admin-port=8133",
		"--health-port=8134",
		"--v=5",
		"--agent-namespace=kube-system",
		"--agent-service-account=konnectivity-agent",
		"--kubeconfig=/etc/kubernetes/konnectivity-server.conf",
		"--authentication-audience=system:konnectivity-server",
		"--proxy-strategies=default",
	}

	// Liveness is checked against the server's own health endpoint (--health-port).
	liveness := &corev1.Probe{
		ProbeHandler: corev1.ProbeHandler{
			HTTPGet: &corev1.HTTPGetAction{
				Path: "/healthz",
				Port: intstr.FromInt(8134),
			},
		},
		InitialDelaySeconds: 30,
		TimeoutSeconds:      60,
	}

	// NOTE(review): with HostNetwork these host ports are bound on the node's
	// interfaces; whether the admin port (8133) is reachable from off-node
	// depends on host firewalling outside this file — confirm.
	ports := []corev1.ContainerPort{
		{Name: "agent-port", ContainerPort: 8132, HostPort: 8132},
		{Name: "admin-port", ContainerPort: 8133, HostPort: 8133},
		{Name: "health-port", ContainerPort: 8134, HostPort: 8134},
	}

	mounts := []corev1.VolumeMount{
		{Name: "k8s-certs", MountPath: "/etc/kubernetes/pki", ReadOnly: true},
		{Name: "kubeconfig", MountPath: "/etc/kubernetes/konnectivity-server.conf", ReadOnly: true},
		// Writable on purpose: --uds-name points into this directory.
		{Name: "konnectivity-uds", MountPath: "/run/konnectivity-server", ReadOnly: false},
	}

	container := corev1.Container{
		Name:          "konnectivity-server-container",
		Image:         versions.KonnectivityServerImage,
		Command:       []string{"/proxy-server"},
		Args:          args,
		LivenessProbe: liveness,
		Ports:         ports,
		VolumeMounts:  mounts,
	}

	volumes := []corev1.Volume{
		{
			Name: "k8s-certs",
			VolumeSource: corev1.VolumeSource{
				HostPath: &corev1.HostPathVolumeSource{Path: "/etc/kubernetes/pki"},
			},
		},
		{
			Name: "kubeconfig",
			VolumeSource: corev1.VolumeSource{
				HostPath: &corev1.HostPathVolumeSource{Path: "/etc/kubernetes/konnectivity-server.conf"},
			},
		},
		{
			Name: "konnectivity-uds",
			VolumeSource: corev1.VolumeSource{
				HostPath: &corev1.HostPathVolumeSource{
					Path: "/run/konnectivity-server",
					Type: &udsHostPathType,
				},
			},
		},
	}

	pod := corev1.Pod{
		TypeMeta: metav1.TypeMeta{
			APIVersion: "v1",
			Kind:       "Pod",
		},
		ObjectMeta: metav1.ObjectMeta{
			Name:      "konnectivity-server",
			Namespace: "kube-system",
		},
		Spec: corev1.PodSpec{
			PriorityClassName: "system-cluster-critical",
			HostNetwork:       true,
			Containers:        []corev1.Container{container},
			Volumes:           volumes,
		},
	}

	return &KonnectivityServerStaticPod{StaticPod: pod}
}
// NewEgressSelectorConfiguration builds the EgressSelectorConfiguration that
// routes the API server's "cluster" egress over GRPC through the konnectivity
// server's Unix domain socket. The UDS path must match the --uds-name
// argument set in NewKonnectivityServerStaticPod.
func NewEgressSelectorConfiguration() *EgressSelectorConfiguration {
	// Must stay consistent with --uds-name of the konnectivity server pod.
	transport := &apiserver.Transport{
		UDS: &apiserver.UDSTransport{
			UDSName: "/run/konnectivity-server/konnectivity-server.socket",
		},
	}

	clusterSelection := apiserver.EgressSelection{
		Name: "cluster",
		Connection: apiserver.Connection{
			ProxyProtocol: "GRPC",
			Transport:     transport,
		},
	}

	cfg := apiserver.EgressSelectorConfiguration{
		TypeMeta: metav1.TypeMeta{
			APIVersion: "apiserver.k8s.io/v1beta1",
			Kind:       "EgressSelectorConfiguration",
		},
		EgressSelections: []apiserver.EgressSelection{clusterSelection},
	}

	return &EgressSelectorConfiguration{EgressSelectorConfiguration: cfg}
}
// Marshal serializes the wrapper to Kubernetes YAML using
// kubernetes.MarshalK8SResources and returns its result unchanged.
func (v *KonnectivityServerStaticPod) Marshal() ([]byte, error) {
	out, err := kubernetes.MarshalK8SResources(v)
	return out, err
}
// Marshal serializes the wrapper to Kubernetes YAML using
// kubernetes.MarshalK8SResources and returns its result unchanged.
func (v *EgressSelectorConfiguration) Marshal() ([]byte, error) {
	out, err := kubernetes.MarshalK8SResources(v)
	return out, err
}
// GetKonnectivityCertificateRequest returns a certificate request and the
// matching private key for the konnectivity server.
//
// The request is generated by certificate.GetCertificateRequest from a
// template whose subject CommonName is "system:konnectivity-server"; the
// encoding of both return values and the key type are decided there, not here.
// NOTE(review): the CommonName is presumably the Kubernetes identity the
// signed certificate will carry — confirm it matches the RBAC bound to the
// konnectivity server elsewhere.
func GetKonnectivityCertificateRequest() (certificateRequest []byte, privateKey []byte, err error) {
	subject := pkix.Name{CommonName: "system:konnectivity-server"}
	template := &x509.CertificateRequest{Subject: subject}
	return certificate.GetCertificateRequest(template)
}