From 494fbd7bf7056cf1fd785fcaf5f6568f11fa3b09 Mon Sep 17 00:00:00 2001
From: upodroid
Date: Tue, 20 Aug 2024 16:32:23 +0100
Subject: [PATCH 1/2] use easyrsa from Github and remove deprecated options
---
 cluster/gce/util.sh | 75 ++++++++++++++++++++++-----------------------
 1 file changed, 37 insertions(+), 38 deletions(-)
diff --git a/cluster/gce/util.sh b/cluster/gce/util.sh
index f6ecf40e679..1b663cdd4fa 100755
--- a/cluster/gce/util.sh
+++ b/cluster/gce/util.sh
@@ -1781,23 +1781,22 @@ function setup-easyrsa {
# Note: This was heavily cribbed from make-ca-cert.sh
(set -x
cd "${KUBE_TEMP}"
- curl -L -O --connect-timeout 20 --retry 6 --retry-delay 2 https://dl.k8s.io/easy-rsa/easy-rsa.tar.gz
- tar xzf easy-rsa.tar.gz
- mkdir easy-rsa-master/kubelet
- cp -r easy-rsa-master/easyrsa3/* easy-rsa-master/kubelet
- mkdir easy-rsa-master/aggregator
- cp -r easy-rsa-master/easyrsa3/* easy-rsa-master/aggregator
- mkdir easy-rsa-master/cloud-pvl-admission
- cp -r easy-rsa-master/easyrsa3/* easy-rsa-master/cloud-pvl-admission
- mkdir easy-rsa-master/konnectivity-server
- cp -r easy-rsa-master/easyrsa3/* easy-rsa-master/konnectivity-server
- mkdir easy-rsa-master/konnectivity-agent
- cp -r easy-rsa-master/easyrsa3/* easy-rsa-master/konnectivity-agent) &>"${cert_create_debug_output}" || true
- CERT_DIR="${KUBE_TEMP}/easy-rsa-master/easyrsa3"
- AGGREGATOR_CERT_DIR="${KUBE_TEMP}/easy-rsa-master/aggregator"
- CLOUD_PVL_ADMISSION_CERT_DIR="${KUBE_TEMP}/easy-rsa-master/cloud-pvl-admission"
- KONNECTIVITY_SERVER_CERT_DIR="${KUBE_TEMP}/easy-rsa-master/konnectivity-server"
- KONNECTIVITY_AGENT_CERT_DIR="${KUBE_TEMP}/easy-rsa-master/konnectivity-agent"
+ curl -L -o easy-rsa.tar.gz --connect-timeout 20 --retry 6 --retry-delay 2 https://github.com/OpenVPN/easy-rsa/releases/download/v3.1.7/EasyRSA-3.1.7.tgz
+ mkdir -p easy-rsa && tar xzf easy-rsa.tar.gz -C easy-rsa --strip-components 1
+ local -r files_to_copy=(easyrsa openssl-easyrsa.cnf x509-types vars.example)
+ mkdir easy-rsa/aggregator
+ cp -r easy-rsa/"${files_to_copy[@]}" easy-rsa/aggregator
+ mkdir easy-rsa/cloud-pvl-admission
+ cp -r easy-rsa/"${files_to_copy[@]}" easy-rsa/cloud-pvl-admission
+ mkdir easy-rsa/konnectivity-server
+ cp -r easy-rsa/"${files_to_copy[@]}" easy-rsa/konnectivity-server
+ mkdir easy-rsa/konnectivity-agent
+ cp -r easy-rsa/"${files_to_copy[@]}" easy-rsa/konnectivity-agent) &>"${cert_create_debug_output}" || true
+ CERT_DIR="${KUBE_TEMP}/easy-rsa"
+ AGGREGATOR_CERT_DIR="${KUBE_TEMP}/easy-rsa/aggregator"
+ CLOUD_PVL_ADMISSION_CERT_DIR="${KUBE_TEMP}/easy-rsa/cloud-pvl-admission"
+ KONNECTIVITY_SERVER_CERT_DIR="${KUBE_TEMP}/easy-rsa/konnectivity-server"
+ KONNECTIVITY_AGENT_CERT_DIR="${KUBE_TEMP}/easy-rsa/konnectivity-agent"
if [ ! -x "${CERT_DIR}/easyrsa" ] || [ ! -x "${AGGREGATOR_CERT_DIR}/easyrsa" ]; then
# TODO(roberthbailey,porridge): add better error handling here,
# see https://github.com/kubernetes/kubernetes/issues/55229
@@ -1830,8 +1829,8 @@ function generate-certs {
./easyrsa --batch "--req-cn=${PRIMARY_CN}@$(date +%s)" build-ca nopass
# SANS (expected to be) defined by caller
# shellcheck disable=SC2153
- ./easyrsa --subject-alt-name="${SANS}" build-server-full "${MASTER_NAME}" nopass
- ./easyrsa build-client-full kube-apiserver nopass
+ ./easyrsa --batch --subject-alt-name="${SANS}" build-server-full "${MASTER_NAME}" nopass
+ ./easyrsa --batch build-client-full kube-apiserver nopass
kube::util::ensure-cfssl "${KUBE_TEMP}/cfssl"
@@ -1844,8 +1843,8 @@ function generate-certs {
rm -f "kubelet.csr"
# Make a superuser client cert with subject "O=system:masters, CN=kubecfg"
- ./easyrsa --dn-mode=org \
- --req-cn=kubecfg --req-org=system:masters \
+ ./easyrsa --batch --dn-mode=org \
+ --req-org=system:masters \
--req-c= --req-st= --req-city= --req-email= --req-ou= \
build-client-full kubecfg nopass) &>"${cert_create_debug_output}" || true
local output_file_missing=0
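Review bot: The new curl line fetches the tool that goes on to mint the cluster CA and the system:masters superuser cert from a third-party GitHub release with no integrity check, and the only thing verified afterwards is that `${CERT_DIR}/easyrsa` and `${AGGREGATOR_CERT_DIR}/easyrsa` are executable, so a substituted archive would be run as-is. Pin the SHA-256 of EasyRSA-3.1.7.tgz next to the URL and verify it before `tar`, e.g. `local -r easy_rsa_sha256="<digest of EasyRSA-3.1.7.tgz, recorded when the version pin was chosen>"` followed by `echo "${easy_rsa_sha256}  easy-rsa.tar.gz" | sha256sum -c - || exit 1` (the `exit` matters because a failing check inside this `( ... ) || true` subshell would otherwise not stop the extraction; `shasum -a 256` is the fallback where coreutils is absent). Adding `--fail` to the curl would also keep an HTTP error body from being saved as the tarball. setup-easyrsa starts and ends outside this hunk.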
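Review bot: With `--req-cn=kubecfg` removed, the CN of the superuser cert is whatever easyrsa 3.1.7 derives from the `build-client-full kubecfg` name, and the `O=system:masters` that makes this cert a cluster admin rests on `--req-org` still being honored under `--batch --dn-mode=org`; nothing in the hunk checks the resulting subject, and with output going to the debug file and the subshell ending in `|| true`, a changed default would pass silently (the `output_file_missing` logic that follows is outside the hunk and presumably only tests for file presence). A one-line assertion after generation would pin this, e.g. `openssl x509 -in "${CERT_DIR}/pki/issued/kubecfg.crt" -noout -subject | grep -q 'system:masters'`, assuming easyrsa's usual `pki/issued/<name>.crt` layout. generate-certs starts and ends outside this hunk.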
@@ -1891,12 +1890,12 @@ function generate-aggregator-certs {
local -r cert_create_debug_output=$(mktemp "${KUBE_TEMP}/cert_create_debug_output.XXX")
# Note: This was heavily cribbed from make-ca-cert.sh
(set -x
- cd "${KUBE_TEMP}/easy-rsa-master/aggregator"
+ cd "${KUBE_TEMP}/easy-rsa/aggregator"
./easyrsa init-pki
# this puts the cert into pki/ca.crt and the key into pki/private/ca.key
./easyrsa --batch "--req-cn=${AGGREGATOR_PRIMARY_CN}@$(date +%s)" build-ca nopass
- ./easyrsa --subject-alt-name="${AGGREGATOR_SANS}" build-server-full "${AGGREGATOR_MASTER_NAME}" nopass
- ./easyrsa build-client-full aggregator-apiserver nopass
+ ./easyrsa --batch --subject-alt-name="${AGGREGATOR_SANS}" build-server-full "${AGGREGATOR_MASTER_NAME}" nopass
+ ./easyrsa --batch build-client-full aggregator-apiserver nopass
kube::util::ensure-cfssl "${KUBE_TEMP}/cfssl"
@@ -1909,8 +1908,8 @@ function generate-aggregator-certs {
rm -f "proxy-client.csr"
# Make a superuser client cert with subject "O=system:masters, CN=kubecfg"
- ./easyrsa --dn-mode=org \
- --req-cn=proxy-clientcfg --req-org=system:aggregator \
+ ./easyrsa --batch --dn-mode=org \
+ --req-org=system:aggregator \
--req-c= --req-st= --req-city= --req-email= --req-ou= \
build-client-full proxy-clientcfg nopass) &>"${cert_create_debug_output}" || true
local output_file_missing=0
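Review bot: The comment kept directly above the changed lines in the second hunk, `# Make a superuser client cert with subject "O=system:masters, CN=kubecfg"`, is copied from generate-certs and does not describe the cert built here, which requests `--req-org=system:aggregator` with the name `proxy-clientcfg`; a reader could take it to mean the aggregator proxy client is a cluster superuser. Suggest `# Make the aggregator proxy client cert with subject "O=system:aggregator, CN=proxy-clientcfg"`. Now that `--req-cn` is gone the CN is expected to come from the build-client-full name, which is worth stating in the same comment if that is confirmed. generate-aggregator-certs starts and ends outside this hunk.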
@@ -1952,12 +1951,12 @@ function generate-konnectivity-server-certs {
# Note: This was heavily cribbed from make-ca-cert.sh
(set -x
# Make the client <-> konnectivity server side certificates.
- cd "${KUBE_TEMP}/easy-rsa-master/konnectivity-server"
+ cd "${KUBE_TEMP}/easy-rsa/konnectivity-server"
./easyrsa init-pki
# this puts the cert into pki/ca.crt and the key into pki/private/ca.key
./easyrsa --batch "--req-cn=${KONNECTIVITY_SERVER_PRIMARY_CN}@$(date +%s)" build-ca nopass
- ./easyrsa --subject-alt-name="IP:127.0.0.1,${KONNECTIVITY_SERVER_SANS}" build-server-full server nopass
- ./easyrsa build-client-full client nopass
+ ./easyrsa --batch --subject-alt-name="IP:127.0.0.1,${KONNECTIVITY_SERVER_SANS}" build-server-full server nopass
+ ./easyrsa --batch build-client-full client nopass
kube::util::ensure-cfssl "${KUBE_TEMP}/cfssl"
@@ -1968,12 +1967,12 @@ function generate-konnectivity-server-certs {
rm -f "konnectivity-server.csr"
# Make the agent <-> konnectivity server side certificates.
- cd "${KUBE_TEMP}/easy-rsa-master/konnectivity-agent"
+ cd "${KUBE_TEMP}/easy-rsa/konnectivity-agent"
./easyrsa init-pki
# this puts the cert into pki/ca.crt and the key into pki/private/ca.key
./easyrsa --batch "--req-cn=${KONNECTIVITY_SERVER_PRIMARY_CN}@$(date +%s)" build-ca nopass
- ./easyrsa --subject-alt-name="${KONNECTIVITY_SERVER_SANS}" build-server-full server nopass
- ./easyrsa build-client-full client nopass
+ ./easyrsa --batch --subject-alt-name="${KONNECTIVITY_SERVER_SANS}" build-server-full server nopass
+ ./easyrsa --batch build-client-full client nopass
kube::util::ensure-cfssl "${KUBE_TEMP}/cfssl"
@@ -2030,12 +2029,12 @@ function generate-cloud-pvl-admission-certs {
# Note: This was heavily cribbed from make-ca-cert.sh
(set -x
# Make the client <-> cloud-pvl-admission server side certificates.
- cd "${KUBE_TEMP}/easy-rsa-master/cloud-pvl-admission"
+ cd "${KUBE_TEMP}/easy-rsa/cloud-pvl-admission"
./easyrsa init-pki
# this puts the cert into pki/ca.crt and the key into pki/private/ca.key
./easyrsa --batch "--req-cn=${CLOUD_PVL_ADMISSION_PRIMARY_CN}@$(date +%s)" build-ca nopass
- ./easyrsa --subject-alt-name="IP:127.0.0.1,${CLOUD_PVL_ADMISSION_SANS}" build-server-full server nopass
- ./easyrsa build-client-full client nopass
+ ./easyrsa --batch --subject-alt-name="IP:127.0.0.1,${CLOUD_PVL_ADMISSION_SANS}" build-server-full server nopass
+ ./easyrsa --batch build-client-full client nopass
kube::util::ensure-cfssl "${KUBE_TEMP}/cfssl"
@@ -2046,12 +2045,12 @@ function generate-cloud-pvl-admission-certs {
rm -f "cloud-pvl-admission.csr"
# Make the cloud-pvl-admission server side certificates.
- cd "${KUBE_TEMP}/easy-rsa-master/cloud-pvl-admission"
+ cd "${KUBE_TEMP}/easy-rsa/cloud-pvl-admission"
./easyrsa init-pki
# this puts the cert into pki/ca.crt and the key into pki/private/ca.key
./easyrsa --batch "--req-cn=${CLOUD_PVL_ADMISSION_PRIMARY_CN}@$(date +%s)" build-ca nopass
- ./easyrsa --subject-alt-name="${CLOUD_PVL_ADMISSION_SANS}" build-server-full server nopass
- ./easyrsa build-client-full client nopass
+ ./easyrsa --batch --subject-alt-name="${CLOUD_PVL_ADMISSION_SANS}" build-server-full server nopass
+ ./easyrsa --batch build-client-full client nopass
kube::util::ensure-cfssl "${KUBE_TEMP}/cfssl"
From 16b18c0eeb06daf0e83697af06cb0e39fa723f06 Mon Sep 17 00:00:00 2001
From: upodroid
Date: Tue, 20 Aug 2024 23:03:43 +0100
Subject: [PATCH 2/2] appease the linter
---
 cluster/gce/util.sh | 4 ++++
 1 file changed, 4 insertions(+)
diff --git a/cluster/gce/util.sh b/cluster/gce/util.sh
index 1b663cdd4fa..715648c4f08 100755
--- a/cluster/gce/util.sh
+++ b/cluster/gce/util.sh
@@ -1785,12 +1785,16 @@ function setup-easyrsa {
mkdir -p easy-rsa && tar xzf easy-rsa.tar.gz -C easy-rsa --strip-components 1
local -r files_to_copy=(easyrsa openssl-easyrsa.cnf x509-types vars.example)
mkdir easy-rsa/aggregator
+ # shellcheck disable=SC2145
cp -r easy-rsa/"${files_to_copy[@]}" easy-rsa/aggregator
mkdir easy-rsa/cloud-pvl-admission
+ # shellcheck disable=SC2145
cp -r easy-rsa/"${files_to_copy[@]}" easy-rsa/cloud-pvl-admission
mkdir easy-rsa/konnectivity-server
+ # shellcheck disable=SC2145
cp -r easy-rsa/"${files_to_copy[@]}" easy-rsa/konnectivity-server
mkdir easy-rsa/konnectivity-agent
+ # shellcheck disable=SC2145
cp -r easy-rsa/"${files_to_copy[@]}" easy-rsa/konnectivity-agent) &>"${cert_create_debug_output}" || true
CERT_DIR="${KUBE_TEMP}/easy-rsa"
AGGREGATOR_CERT_DIR="${KUBE_TEMP}/easy-rsa/aggregator"
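Review bot: The four added `# shellcheck disable=SC2145` lines silence a warning that points at a real bug rather than a false positive: in `cp -r easy-rsa/"${files_to_copy[@]}" easy-rsa/aggregator` only the first array element receives the `easy-rsa/` prefix, so the command expands to `easy-rsa/easyrsa openssl-easyrsa.cnf x509-types vars.example`, and the last three are resolved relative to `${KUBE_TEMP}` (the `cd` at the top of the subshell), where they were never extracted. cp reports them as missing but still copies the script, and because the subshell ends in `|| true` with all output sent to the debug file, each per-component directory silently ends up with only the `easyrsa` script; whether easyrsa 3.1.7 can issue certificates from a directory without its cnf and x509-types is not visible here and should be checked. Apply the prefix to every element instead, `cp -r "${files_to_copy[@]/#/easy-rsa/}" easy-rsa/aggregator` (and likewise for the other three), and drop the disables. setup-easyrsa starts and ends outside this hunk.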