Initial Kubernetes Control Plane

This adds a minimum viable Kubernetes Control Plane consisting of a
kube-apiserver, kube-controller-manager and kube-scheduler. It contains
two small CAs for Kubernetes Identity management based on shared
certificates and contains changes for exposing etcd via UNIX socket
so that the apiserver can talk to it.

Test Plan:
Tested by manually calling Setup() and observing subsequent logs and
connecting to the API server.

Bug: T485

X-Origin-Diff: phab/D271
GitOrigin-RevId: e56f3e50eb9d33ea291289faa1aac3bebdeb3346
diff --git a/core/internal/consensus/consensus.go b/core/internal/consensus/consensus.go
index f5ee949..6fa6210 100644
--- a/core/internal/consensus/consensus.go
+++ b/core/internal/consensus/consensus.go
@@ -24,7 +24,6 @@
 	"encoding/hex"
 	"encoding/pem"
 	"fmt"
-	"git.monogon.dev/source/nexantic.git/core/internal/common/service"
 	"io/ioutil"
 	"math/rand"
 	"net/url"
@@ -34,7 +33,10 @@
 	"strings"
 	"time"
 
+	"git.monogon.dev/source/nexantic.git/core/internal/common/service"
+
 	"git.monogon.dev/source/nexantic.git/core/generated/api"
+
 	"git.monogon.dev/source/nexantic.git/core/internal/consensus/ca"
 	"github.com/pkg/errors"
 	"go.etcd.io/etcd/clientv3"
@@ -60,6 +62,10 @@
 	CRLSwapPath = "ca-crl.der.swp"
 )
 
+const (
+	LocalListenerURL = "unix:///consensus/listener.sock:0"
+)
+
 type (
 	Service struct {
 		*service.BaseService
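Review bot: `LocalListenerURL` is an exported constant without a doc comment, and neither the `:0` suffix on a `unix://` URL nor the security consequence of the scheme is self-explanatory to a reader. The `:0` appears to be there only so the value passes etcd's host:port URL validation (worth confirming against the etcd version in use), and `unix://` as opposed to `unixs://` means this listener carries no TLS and no client-certificate authentication, so any local process able to open the socket gets full access to the consensus store and the only gate is filesystem permission on `/consensus`. Suggested comment above the const: `// LocalListenerURL is the plaintext etcd client endpoint for local processes (the apiserver); the ":0" satisfies etcd's host:port URL check. It has no TLS, so access is controlled solely by the permissions of /consensus.`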
@@ -126,8 +132,15 @@
 	}
 	s.lastCRL = lastCRL
 
-	// Reset Listen Client URLs because we don't want to expose any client
-	cfg.LCUrls = nil
+	// Expose etcd to local processes
+	if err := os.MkdirAll("/consensus", 0700); err != nil {
+		return fmt.Errorf("Failed to create consensus runtime state directory: %w", err)
+	}
+	listenerURL, err := url.Parse(LocalListenerURL)
+	if err != nil {
+		panic(err)
+	}
+	cfg.LCUrls = []url.URL{*listenerURL}
 
 	// Advertise Peer URLs
 	apURL, err := url.Parse(fmt.Sprintf("https://%s:%d", s.config.ExternalHost, s.config.ListenPort))
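Review bot: `os.MkdirAll("/consensus", 0700)` does not guarantee a private directory: it leaves the mode of an already existing `/consensus` untouched, and the mode it applies on creation is still reduced by the process umask. Since the listener configured on the next lines is plaintext `unix://` with no TLS, the directory mode is the whole access control for etcd, so the intent should be enforced explicitly, e.g. `if err := os.Chmod("/consensus", 0700); err != nil { return fmt.Errorf("restricting consensus runtime state directory: %w", err) }` after the MkdirAll, and the comment `// Expose etcd to local processes` should say that the socket is unauthenticated and protected only by this directory's mode. Separately, the error string `"Failed to create consensus runtime state directory: %w"` should be lowercase per Go convention, e.g. `"creating consensus runtime state directory: %w"`. The enclosing function begins before and continues after this hunk.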
@@ -235,9 +248,9 @@
 }
 
 const (
-	caPathEtcd     = "/etcd-ca/ca.der"
-	caKeyPathEtcd  = "/etcd-ca/ca-key.der"
-	crlPathEtcd    = "/etcd-ca/crl.der"
+	caPathEtcd    = "/etcd-ca/ca.der"
+	caKeyPathEtcd = "/etcd-ca/ca-key.der"
+	crlPathEtcd   = "/etcd-ca/crl.der"
 
 	// This prefix stores the individual certs the etcd CA has issued.
 	certPrefixEtcd = "/etcd-ca/certs"