From 12f8c979ba39e5c423bc339c44f919862f5ac991 Mon Sep 17 00:00:00 2001
From: Evgeny L
Date: Thu, 29 Sep 2016 18:33:04 +0000
Subject: [PATCH] kubeadm: user-friendly certificates formatting
---
 cmd/kubeadm/app/master/pki.go | 23 ++++++++++++++++-------
 cmd/kubeadm/app/node/csr.go | 11 ++++++-----
 pkg/util/cert/cert.go | 28 ++++++++++++++++++++++++++++
 3 files changed, 50 insertions(+), 12 deletions(-)
diff --git a/cmd/kubeadm/app/master/pki.go b/cmd/kubeadm/app/master/pki.go
index c65b0eb0598..d4c7f617350 100644
--- a/cmd/kubeadm/app/master/pki.go
+++ b/cmd/kubeadm/app/master/pki.go
@@ -96,11 +96,7 @@ func newClientKeyAndCert(caCert *x509.Certificate, caKey *rsa.PrivateKey) (*rsa.
 }
 
 func writeKeysAndCert(pkiPath string, name string, key *rsa.PrivateKey, cert *x509.Certificate) error {
- var (
- publicKeyPath = path.Join(pkiPath, fmt.Sprintf("%s-pub.pem", name))
- privateKeyPath = path.Join(pkiPath, fmt.Sprintf("%s-key.pem", name))
- certificatePath = path.Join(pkiPath, fmt.Sprintf("%s.pem", name))
- )
+ publicKeyPath, privateKeyPath, certificatePath := pathsKeysCerts(pkiPath, name)
 
 if key != nil {
 if err := certutil.WriteKey(privateKeyPath, certutil.EncodePrivateKeyPEM(key)); err != nil {
@@ -124,6 +120,12 @@ func writeKeysAndCert(pkiPath string, name string, key *rsa.PrivateKey, cert *x5
 return nil
 }
 
+func pathsKeysCerts(pkiPath, name string) (string, string, string) {
+ return path.Join(pkiPath, fmt.Sprintf("%s-pub.pem", name)),
+ path.Join(pkiPath, fmt.Sprintf("%s-key.pem", name)),
+ path.Join(pkiPath, fmt.Sprintf("%s.pem", name))
+}
+
 func newServiceAccountKey() (*rsa.PrivateKey, error) {
 key, err := certutil.NewPrivateKey()
 if err != nil {
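Review bot: pathsKeysCerts in the second hunk has no doc comment and returns three unnamed strings, so every caller has to remember the order by convention (CreatePKIAssets reads them as `pub, prv, cert :=`); naming the results documents it at the call site: `func pathsKeysCerts(pkiPath, name string) (publicKeyPath, privateKeyPath, certificatePath string) {` with the comment `// pathsKeysCerts returns the public key, private key and certificate file paths for name under pkiPath.` The helper keeps `path.Join` from the removed block; for filesystem paths `filepath.Join` is the conventional choice, though that is carried over rather than introduced here. writeKeysAndCert's body continues outside the first hunk, so whether the public key file is written for every name is not visible here.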
@@ -155,6 +157,9 @@ func CreatePKIAssets(s *kubeadmapi.KubeadmConfig) (*rsa.PrivateKey, *x509.Certif
 if err := writeKeysAndCert(pkiPath, "ca", caKey, caCert); err != nil {
 return nil, nil, fmt.Errorf(" failure while saving CA keys and certificate - %v", err)
 }
+ fmt.Printf(" generated Certificate Authority key and certificate:\n%s\n", certutil.FormatCert(caCert))
+ pub, prv, cert := pathsKeysCerts(pkiPath, "ca")
+ fmt.Printf("Public: %s\nPrivate: %s\nCert: %s\n", pub, prv, cert)
 
 apiKey, apiCert, err := newServerKeyAndCert(s, caCert, caKey, altNames)
 if err != nil {
@@ -164,17 +169,21 @@ func CreatePKIAssets(s *kubeadmapi.KubeadmConfig) (*rsa.PrivateKey, *x509.Certif
 if err := writeKeysAndCert(pkiPath, "apiserver", apiKey, apiCert); err != nil {
 return nil, nil, fmt.Errorf(" failure while saving API server keys and certificate - %v", err)
 }
+ fmt.Printf(" generated API Server key and certificate:\n%s\n", certutil.FormatCert(apiCert))
+ pub, prv, cert = pathsKeysCerts(pkiPath, "apiserver")
+ fmt.Printf("Public: %s\nPrivate: %s\nCert: %s\n", pub, prv, cert)
 
 saKey, err := newServiceAccountKey()
 if err != nil {
 return nil, nil, fmt.Errorf(" failure while creating service account signing keys [%v]", err)
 }
-
 if err := writeKeysAndCert(pkiPath, "sa", saKey, nil); err != nil {
 return nil, nil, fmt.Errorf(" failure while saving service account signing keys - %v", err)
 }
+ fmt.Printf(" generated Service Account Signing keys:\n")
+ pub, prv, _ = pathsKeysCerts(pkiPath, "sa")
+ fmt.Printf("Public: %s\nPrivate: %s\n", pub, prv)
 
- // TODO(phase1+) print a summary of SANs used and checksums (signatures) of each of the certificates
 fmt.Printf(" created keys and certificates in %q\n", pkiPath)
 return caKey, caCert, nil
 }
diff --git a/cmd/kubeadm/app/node/csr.go b/cmd/kubeadm/app/node/csr.go
index 843bc97d207..1da8aad0fb4 100644
--- a/cmd/kubeadm/app/node/csr.go
+++ b/cmd/kubeadm/app/node/csr.go
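Review bot: The three "generated … / Public: … Private: …" blocks added after each writeKeysAndCert call in both hunks repeat the same two lines and recompute the paths with pathsKeysCerts, so what is printed can drift from what writeKeysAndCert actually wrote (for "sa" the caller already has to drop the certificate path by hand because cert is nil). Since writeKeysAndCert already holds all three paths and knows which files it created, printing from there would remove the duplication and keep the output tied to the filesystem. The local in `pub, prv, cert := pathsKeysCerts(pkiPath, "ca")` holds a file path while caCert and apiCert next to it hold certificates; `certPath` would read less ambiguously. The removed TODO also asked for checksums of the certificates, which certutil.FormatCert does not print, so either keep that TODO or add a fingerprint line to FormatCert. CreatePKIAssets starts outside the hunk.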
@@ -74,15 +74,16 @@ func PerformTLSBootstrap(s *kubeadmapi.KubeadmConfig, apiEndpoint string, caCert
 if err != nil {
 return nil, fmt.Errorf(" failed to generating private key [%v]", err)
 }
-
 cert, err := csr.RequestNodeCertificate(csrClient, key, nodeName)
 if err != nil {
 return nil, fmt.Errorf(" failed to request signed certificate from the API server [%v]", err)
 }
-
- // TODO(phase1+) https://github.com/kubernetes/kubernetes/issues/33642
- fmt.Println(" received signed certificate from the API server, generating kubelet configuration")
-
+ fmtCert, err := certutil.FormatBytesCert(cert)
+ if err != nil {
+ return nil, fmt.Errorf(" failed to format certificate [%v]", err)
+ }
+ fmt.Printf(" received signed certificate from the API server:\n%s\n", fmtCert)
+ fmt.Println(" generating kubelet configuration")
 finalConfig := kubeadmutil.MakeClientConfigWithCerts(
 bareClientConfig, "kubernetes", fmt.Sprintf("kubelet-%s", nodeName),
 key, cert,
diff --git a/pkg/util/cert/cert.go b/pkg/util/cert/cert.go
index 8617744a732..32e968bb60e 100644
--- a/pkg/util/cert/cert.go
+++ b/pkg/util/cert/cert.go
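Review bot: The new `return nil, fmt.Errorf(" failed to format certificate [%v]", err)` aborts the bootstrap over what is presented as a display step, even though the API server has already issued the certificate; the return is still the right call, because a certificate that x509.ParseCertificate rejects would be written into the kubelet config built two lines below, but the message should say what was actually detected: `return nil, fmt.Errorf(" failed to parse the certificate returned by the API server [%v]", err)`. Note that FormatBytesCert as added in pkg/util/cert/cert.go dereferences the PEM block without a nil check, so a response that is not PEM at all would panic here rather than reach this error path. PerformTLSBootstrap continues outside the hunk.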
@@ -188,3 +188,31 @@ func GenerateSelfSignedCert(host, certPath, keyPath string, alternateIPs []net.I
 
 return nil
 }
+
+// FormatBytesCert receives byte array certificate and formats in human-readable format
+func FormatBytesCert(cert []byte) (string, error) {
+ block, _ := pem.Decode(cert)
+ c, err := x509.ParseCertificate(block.Bytes)
+ if err != nil {
+ return "", fmt.Errorf("failed to parse certificate [%v]", err)
+ }
+ return FormatCert(c), nil
+}
+
+// FormatCert receives certificate and formats in human-readable format
+func FormatCert(c *x509.Certificate) string {
+ var ips []string
+ for _, ip := range c.IPAddresses {
+ ips = append(ips, ip.String())
+ }
+ altNames := append(ips, c.DNSNames...)
+ res := fmt.Sprintf(
+ "Issuer: CN=%s | Subject: CN=%s | CA: %t\n",
+ c.Issuer.CommonName, c.Subject.CommonName, c.IsCA,
+ )
+ res += fmt.Sprintf("Not before: %s Not After: %s", c.NotBefore, c.NotAfter)
+ if len(altNames) > 0 {
+ res += fmt.Sprintf("\nAlternate Names: %v", altNames)
+ }
+ return res
+}
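Review bot: `block, _ := pem.Decode(cert)` is followed by `block.Bytes` with no nil check, so empty or non-PEM input makes FormatBytesCert panic with a nil pointer dereference instead of returning the error its signature promises; add `if block == nil || block.Type != "CERTIFICATE" { return "", fmt.Errorf("failed to decode certificate PEM") }` before the ParseCertificate call. Its only caller in this patch, PerformTLSBootstrap in csr.go, passes bytes received from the API server, so that panic is reachable from a malformed response. FormatCert prints only the CommonName of issuer and subject and no fingerprint, which is the one value a person comparing certificates across machines actually needs; appending a SHA-256 digest of `c.Raw` would also cover the "checksums" half of the TODO this patch removes from pki.go. The labels in `"Not before: %s Not After: %s"` are inconsistently capitalized.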