Generate TLS certs for calico typha (#5258)

* Generate TLS certs for calico typha Change-Id: I3883f49c124c52d0fc5b900ca2b44e4e2ed0d707 * Add group vars note Change-Id: I63550dfef616e884efdbd42010a90b2c04c5eb69
2026-03-06 18:17:47 +03:00 · 2019-10-17 17:02:38 +03:00
parent 81d57fe658
commit a1fff30bd9
12 changed files with 249 additions and 5 deletions
--- a/roles/network_plugin/calico/templates/calico-node.yml.j2
+++ b/roles/network_plugin/calico/templates/calico-node.yml.j2
@@ -155,14 +155,24 @@ spec:
            # Use Kubernetes API as the backing datastore.
            - name: DATASTORE_TYPE
              value: "kubernetes"
-  {% if typha_enabled == "true" %}
+{% if typha_enabled %}
            # Typha support: controlled by the ConfigMap.
            - name: FELIX_TYPHAK8SSERVICENAME
              valueFrom:
                configMapKeyRef:
                  name: calico-config
                  key: typha_service_name
-  {% endif %}
+{% if typha_secure %}
+            - name: FELIX_TYPHACN
+              value: typha-server
+            - name: FELIX_TYPHACAFILE
+              value: /etc/typha-ca/ca.crt
+            - name: FELIX_TYPHACERTFILE
+              value: /etc/typha-client/typha-client.crt
+            - name: FELIX_TYPHAKEYFILE
+              value: /etc/typha-client/typha-client.key
+{% endif %}
+{% endif %}
            # Wait for the datastore.
            - name: WAIT_FOR_DATASTORE
              value: "true"
@@ -296,6 +306,16 @@ spec:
            - name: xtables-lock
              mountPath: /run/xtables.lock
              readOnly: false
+{% if typha_secure %}
+            - name: typha-client
+              mountPath: /etc/typha-client
+              readOnly: true
+            - name: typha-cacert
+              subPath: ca.crt
+              mountPath: /etc/typha-ca/ca.crt
+              readOnly: true
+{% endif %}
+
      volumes:
        # Used by calico/node.
        - name: lib-modules
@@ -332,6 +352,19 @@ spec:
        - name: host-local-net-dir
          hostPath:
            path: /var/lib/cni/networks
+{% endif %}
+{% if typha_enabled and typha_secure %}
+        - name: typha-client
+          secret:
+            secretName: typha-client
+            items:
+               - key: tls.crt
+                 path: typha-client.crt
+               - key: tls.key
+                 path: typha-client.key
+        - name: typha-cacert
+          hostPath:
+            path: "/etc/kubernetes/ssl/"
 {% endif %}
  updateStrategy:
    rollingUpdate: