feat: added proposal and code for vault PKI for cloudcore and edgecore

Hashicorp vault is used as PKI Cloudcore and Edgecore retrieve their certificates and perform rotation For cloudcore initial certificate retrieval is done via init container Rotation is done for both using sidecar Signed-off-by: Armin Schlegel <[email protected]> fix: edgetunnel re-reads certs on reconnect
edgefarm · Oct 19, 2022 · 3dacfaf · 3dacfaf
1 parent 6ccb68f
commit 3dacfaf
Showing 668 changed files with 88,400 additions and 654 deletions.
diff --git a/.dockerignore b/.dockerignore
@@ -0,0 +1,2 @@
+.vscode
+
diff --git a/.gitignore b/.gitignore
@@ -18,3 +18,6 @@ keadm/keadm
 _output
 _tmp
 build/edge/tmp
+.history
+
+patch
diff --git a/LICENSES/vendor/github.com/edgefarm/vault-integration/LICENSE b/LICENSES/vendor/github.com/edgefarm/vault-integration/LICENSE
diff --git a/build/cloud/kustomization.yaml b/build/cloud/kustomization.yaml
@@ -0,0 +1,4 @@
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+resources:
+- 07-deployment.yaml
diff --git a/build/overlays/vault/ca-configmap.yaml b/build/overlays/vault/ca-configmap.yaml
@@ -0,0 +1,31 @@
+apiVersion: v1
+kind: ConfigMap
+metadata:
+  name: cacert
+  namespace: kubeedge
+data:
+  ca.crt: |
+    -----BEGIN CERTIFICATE-----
+    MIID8zCCAtugAwIBAgIUOZfA+XxWW/zLqzjLgKRtMPgpLrowDQYJKoZIhvcNAQEL
+    BQAwHDEaMBgGA1UEAxMRY2Eucml2ZW5kZWxsLmhvbWUwHhcNMjIwMTI0MTYxNzE1
+    WhcNMzIwMTIyMTYxNzQ1WjAcMRowGAYDVQQDExFjYS5yaXZlbmRlbGwuaG9tZTCC
+    ASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAOxoCcOLaeCIP7+fxTNXt4nU
+    /Z6YQQVb76elqOjN+yP7mUpLsvWRrSzN3LNaQ/1ju4sJhXSHbTlYqprgElBIi5e0
+    aD0uY+0ZLX4dsUGmXmgLsNRm1WTncXogp8Z+mwUpZQP/oei8Vtp/Z4xxQsdFvijy
+    t4JbMAQDKswdkj8wEjT4y1YEt/iecw+WnFzOg0TKvRbEenvOllLdx8G+ZwGWedWx
+    IGyFPemz1F9sIO6CK5xMeCxBnrIalVRn2/5UlxVyXwFWIq6xLrP16vSzCR2v2HbX
+    JL77VJzKaU9w20njhrBajBnRrFNUiqQ2LpE4I75PuASIrimzqH+3nzA3CEPRpdMC
+    AwEAAaOCASswggEnMA4GA1UdDwEB/wQEAwIBBjAPBgNVHRMBAf8EBTADAQH/MB0G
+    A1UdDgQWBBQAGPXtl5KoPkWIBZe89MhVaQU3KDAfBgNVHSMEGDAWgBQAGPXtl5Ko
+    PkWIBZe89MhVaQU3KDBsBggrBgEFBQcBAQRgMF4wLQYIKwYBBQUHMAGGIWh0dHBz
+    Oi8vdmF1bHQucml2ZW5kZWxsLmhvbWUvb2NzcDAtBggrBgEFBQcwAoYhaHR0cHM6
+    Ly92YXVsdC5yaXZlbmRlbGwuaG9tZS9jZXJ0MBwGA1UdEQQVMBOCEWNhLnJpdmVu
+    ZGVsbC5ob21lMDgGA1UdHwQxMC8wLaAroCmGJ2h0dHBzOi8vdmF1bHQucml2ZW5k
+    ZWxsLmhvbWUvdjEvcGtpL2NybDANBgkqhkiG9w0BAQsFAAOCAQEAmhpWgI3iSnEI
+    5EjmXGe9fxKRX5eQ8fzMESptRmHI98pTBxVeaSp2PNYNHnE8xW/K+4mOm1OEX9pw
+    bChTH8syJGqMYMMRBZgF9rqDRhDH+LiSwic8PbhXSAWp67ioBb7DIraU3z9zSgPl
+    P6UpAls5f2aAK/E623JlV3xgfEWB2DZWZ03dezWtSP5f1qU5Ml7Hw3ByOkGHc9dP
+    NO4qpST9F5w0YVQgLlNhxyxhY6ZO/NS3GWSPw9GuRUBz2CL/8VK5GTaHcKzNOcsx
+    LnioYw089jdG63GjBS5DscOMxi4aDm/HniYIotMJi0Ak440FiTyebYD84DVrA8qS
+    1TK78QCsCQ==
+    -----END CERTIFICATE-----
diff --git a/build/overlays/vault/certretrieval.config b/build/overlays/vault/certretrieval.config
@@ -0,0 +1,10 @@
+authrole=cloudcore
+force=false
+name=cloudcore.ci4rail.com
+ca=/etc/kubeedge/certs/rootCA.crt
+cert=/etc/kubeedge/certs/edge.crt
+key=/etc/kubeedge/certs/edge.key
+role=server
+serverca=/opt/certretrieval/cert/ca.crt
+ttl=24h
+vault=https://vault.ci4rail.com
diff --git a/build/overlays/vault/cloudhub-configmap.yaml b/build/overlays/vault/cloudhub-configmap.yaml
@@ -0,0 +1,25 @@
+apiVersion: v1
+kind: ConfigMap
+metadata:
+  name: cloudcore
+  namespace: kubeedge
+data:
+  cloudcore.yaml: |
+    apiVersion: cloudcore.config.kubeedge.io/v1alpha2
+    kind: CloudCore
+    kubeAPIConfig:
+      kubeConfig: ""
+      master: ""
+    modules:
+      cloudHub:
+        nodeLimit: 10
+        tlsCAFile: /etc/kubeedge/certs/rootCA.crt
+        tlsCertFile: /etc/kubeedge/certs/edge.crt
+        tlsPrivateKeyFile: /etc/kubeedge/certs/edge.key
+        unixsocket:
+          address: unix:///var/lib/kubeedge/kubeedge.sock
+          enable: true
+        websocket:
+          address: 0.0.0.0
+          enable: true
+          port: 10000
diff --git a/build/overlays/vault/kustomization.yaml b/build/overlays/vault/kustomization.yaml
@@ -0,0 +1,26 @@
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+bases:
+  - ../../cloud
+
+resources:
+  - ca-configmap.yaml
+  - cloudhub-configmap.yaml
+
+patches:
+  - patch.yaml
+
+configMapGenerator:
+  - name: certretrieval.config
+    namespace: kubeedge
+    files:
+      - certretrieval.config
+
+patchesJson6902:
+  - path: patch-volumes.json
+    target:
+      kind: Deployment
+      name: cloudcore
+      version: v1
+      group: apps
+      namespace: kubeedge
diff --git a/build/overlays/vault/patch-volumes.json b/build/overlays/vault/patch-volumes.json
@@ -0,0 +1,18 @@
+[
+    {
+        "op": "replace",
+        "path": "/spec/template/spec/volumes/3",
+        "value": {
+            "name": "certs",
+            "emptyDir": {}
+        }
+    },
+    {
+        "op": "replace",
+        "path": "/spec/template/spec/containers/0/volumeMounts/1",
+        "value": {
+            "name": "certs",
+            "mountPath": "/etc/kubeedge/certs"
+        }
+    }
+]
-Original file line number
+Diff line change
@@ @@ -18,3 +18,6 @@ keadm/keadm @@
     _output
     _tmp
     build/edge/tmp
+    .history
+    patch