Merge pull request #40152 from liggitt/sign-cert-org
Automatic merge from submit-queue (batch tested with PRs 40187, 40231, 40152). Update client/server cert generation utilities: limit each generated certificate's extended key usage to either client authentication or server authentication, never both.
This commit is contained in:
commit
0efee9a67e
@ -51,6 +51,7 @@ func newServerKeyAndCert(caCert *x509.Certificate, caKey *rsa.PrivateKey, altNam
|
|||||||
config := certutil.Config{
|
config := certutil.Config{
|
||||||
CommonName: "kube-apiserver",
|
CommonName: "kube-apiserver",
|
||||||
AltNames: altNames,
|
AltNames: altNames,
|
||||||
|
Usages: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
|
||||||
}
|
}
|
||||||
cert, err := certutil.NewSignedCert(config, key, caCert, caKey)
|
cert, err := certutil.NewSignedCert(config, key, caCert, caKey)
|
||||||
if err != nil {
|
if err != nil {
|
||||||
@ -65,8 +66,10 @@ func NewClientKeyAndCert(config *certutil.Config, caCert *x509.Certificate, caKe
|
|||||||
if err != nil {
|
if err != nil {
|
||||||
return nil, nil, fmt.Errorf("unable to create private key [%v]", err)
|
return nil, nil, fmt.Errorf("unable to create private key [%v]", err)
|
||||||
}
|
}
|
||||||
|
// force usage to client usage
|
||||||
cert, err := certutil.NewSignedCert(*config, key, caCert, caKey)
|
configCopy := *config
|
||||||
|
configCopy.Usages = []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}
|
||||||
|
cert, err := certutil.NewSignedCert(configCopy, key, caCert, caKey)
|
||||||
if err != nil {
|
if err != nil {
|
||||||
return nil, nil, fmt.Errorf("unable to sign certificate [%v]", err)
|
return nil, nil, fmt.Errorf("unable to sign certificate [%v]", err)
|
||||||
}
|
}
|
||||||
|
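Review bot: `configCopy.Usages = []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}` silently discards whatever `Usages` the caller placed in `config`, with no error or log, so a caller that deliberately asked for a server-auth certificate gets a client-only one without noticing. Copying the struct first is the right call (the caller's `config` is not mutated), but the contract should be stated where callers see it: I would add a doc comment above the signature, which lies outside this hunk, such as `// NewClientKeyAndCert generates a private key and a certificate signed by caCert/caKey; config.Usages is ignored and the certificate is always restricted to x509.ExtKeyUsageClientAuth.` The inline comment could also say why rather than what, e.g. `// force client-auth usage regardless of what the caller put in config.Usages`. If a conflicting request should be a bug rather than a silent override, returning an error when `config.Usages` is non-empty and differs from client auth is the stricter alternative.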
@ -334,11 +334,11 @@ func genCerts(svcNamespace, name, svcName, localDNSZoneName string, ips, hostnam
|
|||||||
if err != nil {
|
if err != nil {
|
||||||
return nil, fmt.Errorf("failed to create federation API server key and certificate: %v", err)
|
return nil, fmt.Errorf("failed to create federation API server key and certificate: %v", err)
|
||||||
}
|
}
|
||||||
cm, err := triple.NewClientKeyPair(ca, ControllerManagerCN)
|
cm, err := triple.NewClientKeyPair(ca, ControllerManagerCN, nil)
|
||||||
if err != nil {
|
if err != nil {
|
||||||
return nil, fmt.Errorf("failed to create federation controller manager client key and certificate: %v", err)
|
return nil, fmt.Errorf("failed to create federation controller manager client key and certificate: %v", err)
|
||||||
}
|
}
|
||||||
admin, err := triple.NewClientKeyPair(ca, AdminCN)
|
admin, err := triple.NewClientKeyPair(ca, AdminCN, nil)
|
||||||
if err != nil {
|
if err != nil {
|
||||||
return nil, fmt.Errorf("failed to create client key and certificate for an admin: %v", err)
|
return nil, fmt.Errorf("failed to create client key and certificate for an admin: %v", err)
|
||||||
}
|
}
|
||||||
|
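Review bot: both updated call sites pass a bare `nil` for the new `organizations` argument of `triple.NewClientKeyPair`, which leaves a reader of genCerts guessing what the resulting certificates lack; naming the value makes the decision visible, e.g. `var noOrgs []string // these client certs carry no Subject Organization` used in both calls, or a short comment on each line. It is worth confirming that the admin credential is intended to carry no Organization at all: if the Organization field is what downstream authorization keys group membership on (I cannot tell from this hunk), `nil` means the admin identity is its CommonName alone. The enclosing genCerts starts and ends outside this hunk.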
@ -25,6 +25,7 @@ import (
|
|||||||
"crypto/x509"
|
"crypto/x509"
|
||||||
"crypto/x509/pkix"
|
"crypto/x509/pkix"
|
||||||
"encoding/pem"
|
"encoding/pem"
|
||||||
|
"errors"
|
||||||
"fmt"
|
"fmt"
|
||||||
"math"
|
"math"
|
||||||
"math/big"
|
"math/big"
|
||||||
@ -42,6 +43,7 @@ type Config struct {
|
|||||||
CommonName string
|
CommonName string
|
||||||
Organization []string
|
Organization []string
|
||||||
AltNames AltNames
|
AltNames AltNames
|
||||||
|
Usages []x509.ExtKeyUsage
|
||||||
}
|
}
|
||||||
|
|
||||||
// AltNames contains the domain names and IP addresses that will be added
|
// AltNames contains the domain names and IP addresses that will be added
|
||||||
@ -86,6 +88,12 @@ func NewSignedCert(cfg Config, key *rsa.PrivateKey, caCert *x509.Certificate, ca
|
|||||||
if err != nil {
|
if err != nil {
|
||||||
return nil, err
|
return nil, err
|
||||||
}
|
}
|
||||||
|
if len(cfg.CommonName) == 0 {
|
||||||
|
return nil, errors.New("must specify a CommonName")
|
||||||
|
}
|
||||||
|
if len(cfg.Usages) == 0 {
|
||||||
|
return nil, errors.New("must specify at least one ExtKeyUsage")
|
||||||
|
}
|
||||||
|
|
||||||
certTmpl := x509.Certificate{
|
certTmpl := x509.Certificate{
|
||||||
Subject: pkix.Name{
|
Subject: pkix.Name{
|
||||||
@ -98,7 +106,7 @@ func NewSignedCert(cfg Config, key *rsa.PrivateKey, caCert *x509.Certificate, ca
|
|||||||
NotBefore: caCert.NotBefore,
|
NotBefore: caCert.NotBefore,
|
||||||
NotAfter: time.Now().Add(duration365d).UTC(),
|
NotAfter: time.Now().Add(duration365d).UTC(),
|
||||||
KeyUsage: x509.KeyUsageKeyEncipherment | x509.KeyUsageDigitalSignature,
|
KeyUsage: x509.KeyUsageKeyEncipherment | x509.KeyUsageDigitalSignature,
|
||||||
ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth, x509.ExtKeyUsageClientAuth},
|
ExtKeyUsage: cfg.Usages,
|
||||||
}
|
}
|
||||||
certDERBytes, err := x509.CreateCertificate(cryptorand.Reader, &certTmpl, caCert, key.Public(), caKey)
|
certDERBytes, err := x509.CreateCertificate(cryptorand.Reader, &certTmpl, caCert, key.Public(), caKey)
|
||||||
if err != nil {
|
if err != nil {
|
||||||
|
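Review bot: `ExtKeyUsage: cfg.Usages` makes NewSignedCert the single point that constrains what a signed leaf may be used for, yet the template still leaves `BasicConstraintsValid` unset, so the issued certificate carries no basicConstraints extension and its non-CA status rests on verifier defaults rather than on the certificate itself. That is pre-existing rather than introduced by this change, but since this function now enforces usage for every caller, I would make the leaf's role explicit with `BasicConstraintsValid: true,` and `IsCA: false,` next to `ExtKeyUsage: cfg.Usages,`. The remaining template fields (`NotBefore`, `NotAfter`, `KeyUsage`) are unchanged here, and the function's opening and the `x509.CreateCertificate` error handling lie outside the hunk.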
@ -80,6 +80,7 @@ func NewServerKeyPair(ca *KeyPair, commonName, svcName, svcNamespace, dnsDomain
|
|||||||
config := certutil.Config{
|
config := certutil.Config{
|
||||||
CommonName: commonName,
|
CommonName: commonName,
|
||||||
AltNames: altNames,
|
AltNames: altNames,
|
||||||
|
Usages: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
|
||||||
}
|
}
|
||||||
cert, err := certutil.NewSignedCert(config, key, ca.Cert, ca.Key)
|
cert, err := certutil.NewSignedCert(config, key, ca.Cert, ca.Key)
|
||||||
if err != nil {
|
if err != nil {
|
||||||
@ -92,14 +93,16 @@ func NewServerKeyPair(ca *KeyPair, commonName, svcName, svcNamespace, dnsDomain
|
|||||||
}, nil
|
}, nil
|
||||||
}
|
}
|
||||||
|
|
||||||
func NewClientKeyPair(ca *KeyPair, commonName string) (*KeyPair, error) {
|
func NewClientKeyPair(ca *KeyPair, commonName string, organizations []string) (*KeyPair, error) {
|
||||||
key, err := certutil.NewPrivateKey()
|
key, err := certutil.NewPrivateKey()
|
||||||
if err != nil {
|
if err != nil {
|
||||||
return nil, fmt.Errorf("unable to create a client private key: %v", err)
|
return nil, fmt.Errorf("unable to create a client private key: %v", err)
|
||||||
}
|
}
|
||||||
|
|
||||||
config := certutil.Config{
|
config := certutil.Config{
|
||||||
CommonName: commonName,
|
CommonName: commonName,
|
||||||
|
Organization: organizations,
|
||||||
|
Usages: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth},
|
||||||
}
|
}
|
||||||
cert, err := certutil.NewSignedCert(config, key, ca.Cert, ca.Key)
|
cert, err := certutil.NewSignedCert(config, key, ca.Cert, ca.Key)
|
||||||
if err != nil {
|
if err != nil {
|
||||||
|
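Review bot: `NewClientKeyPair` is an exported function whose signature changes here (a new `organizations []string` parameter), and it still has no doc comment describing either argument; this is the place to say where `organizations` ends up and that the usage is fixed. I would add above the signature: `// NewClientKeyPair returns a key pair signed by ca for client authentication: commonName becomes the Subject CommonName, organizations the Subject Organization, and the extended key usage is always x509.ExtKeyUsageClientAuth.` Because the usage is hard-wired, callers cannot obtain a server certificate through this function, which is worth stating so nobody reaches for it by mistake. The function's body continues past the end of the hunk.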