Remove invalid SAN certificate construction
committed by
Benjamin Elder
parent
ced2a40b9e
commit
39d37a1e92
@@ -481,13 +481,13 @@ EOF
|
||||
;;
|
||||
server)
|
||||
echo "Generate server certificates..."
|
||||
echo '{"CN":"'"${member_ip}"'","hosts":[""],"key":{"algo":"ecdsa","size":256}}' \
|
||||
echo '{"CN":"'"${member_ip}"'","hosts":[],"key":{"algo":"ecdsa","size":256}}' \
|
||||
| ${CFSSL_BIN} gencert -ca=ca.pem -ca-key=ca-key.pem -config=ca-config.json -profile=server -hostname="${member_ip},127.0.0.1" - \
|
||||
| ${CFSSLJSON_BIN} -bare "${prefix}"
|
||||
;;
|
||||
peer)
|
||||
echo "Generate peer certificates..."
|
||||
echo '{"CN":"'"${member_ip}"'","hosts":[""],"key":{"algo":"ecdsa","size":256}}' \
|
||||
echo '{"CN":"'"${member_ip}"'","hosts":[],"key":{"algo":"ecdsa","size":256}}' \
|
||||
| ${CFSSL_BIN} gencert -ca=ca.pem -ca-key=ca-key.pem -config=ca-config.json -profile=peer -hostname="${member_ip},127.0.0.1" - \
|
||||
| ${CFSSLJSON_BIN} -bare "${prefix}"
|
||||
;;
|
||||
|
||||
@@ -1817,7 +1817,7 @@ function generate-certs {
|
||||
# make the config for the signer
|
||||
echo '{"signing":{"default":{"expiry":"43800h","usages":["signing","key encipherment","client auth"]}}}' > "ca-config.json"
|
||||
# create the kubelet client cert with the correct groups
|
||||
echo '{"CN":"kubelet","names":[{"O":"system:nodes"}],"hosts":[""],"key":{"algo":"rsa","size":2048}}' | "${CFSSL_BIN}" gencert -ca=pki/ca.crt -ca-key=pki/private/ca.key -config=ca-config.json - | "${CFSSLJSON_BIN}" -bare kubelet
|
||||
echo '{"CN":"kubelet","names":[{"O":"system:nodes"}],"hosts":[],"key":{"algo":"rsa","size":2048}}' | "${CFSSL_BIN}" gencert -ca=pki/ca.crt -ca-key=pki/private/ca.key -config=ca-config.json - | "${CFSSLJSON_BIN}" -bare kubelet
|
||||
mv "kubelet-key.pem" "pki/private/kubelet.key"
|
||||
mv "kubelet.pem" "pki/issued/kubelet.crt"
|
||||
rm -f "kubelet.csr"
|
||||
@@ -1882,7 +1882,7 @@ function generate-aggregator-certs {
|
||||
# make the config for the signer
|
||||
echo '{"signing":{"default":{"expiry":"43800h","usages":["signing","key encipherment","client auth"]}}}' > "ca-config.json"
|
||||
# create the aggregator client cert with the correct groups
|
||||
echo '{"CN":"aggregator","hosts":[""],"key":{"algo":"rsa","size":2048}}' | "${CFSSL_BIN}" gencert -ca=pki/ca.crt -ca-key=pki/private/ca.key -config=ca-config.json - | "${CFSSLJSON_BIN}" -bare proxy-client
|
||||
echo '{"CN":"aggregator","hosts":[],"key":{"algo":"rsa","size":2048}}' | "${CFSSL_BIN}" gencert -ca=pki/ca.crt -ca-key=pki/private/ca.key -config=ca-config.json - | "${CFSSLJSON_BIN}" -bare proxy-client
|
||||
mv "proxy-client-key.pem" "pki/private/proxy-client.key"
|
||||
mv "proxy-client.pem" "pki/issued/proxy-client.crt"
|
||||
rm -f "proxy-client.csr"
|
||||
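Review bot: The comment `# create the aggregator client cert with the correct groups` directly above the changed request line does not match the request, which carries no `names` entry and therefore sets no organization (group) on the certificate; the same mismatch recurs in the konnectivity-server, konnectivity-agent, cloud-pvl-admission and cloud-pvl-admission-server hunks below, whose requests also omit `names`. Only the kubelet request in the `generate-certs` hunk actually sets `"names":[{"O":"system:nodes"}]`, which is presumably where the wording was copied from. Either drop the qualifier, e.g. `# create the aggregator client cert`, or add the intended `names` entry if the consumer of this certificate expects a group. generate-aggregator-certs continues outside the hunk.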
@@ -1943,7 +1943,7 @@ function generate-konnectivity-server-certs {
|
||||
# make the config for the signer
|
||||
echo '{"signing":{"default":{"expiry":"43800h","usages":["signing","key encipherment","client auth"]}}}' > "ca-config.json"
|
||||
# create the konnectivity server cert with the correct groups
|
||||
echo '{"CN":"konnectivity-server","hosts":[""],"key":{"algo":"rsa","size":2048}}' | "${CFSSL_BIN}" gencert -ca=pki/ca.crt -ca-key=pki/private/ca.key -config=ca-config.json - | "${CFSSLJSON_BIN}" -bare konnectivity-server
|
||||
echo '{"CN":"konnectivity-server","hosts":[],"key":{"algo":"rsa","size":2048}}' | "${CFSSL_BIN}" gencert -ca=pki/ca.crt -ca-key=pki/private/ca.key -config=ca-config.json - | "${CFSSLJSON_BIN}" -bare konnectivity-server
|
||||
rm -f "konnectivity-server.csr"
|
||||
|
||||
# Make the agent <-> konnectivity server side certificates.
|
||||
@@ -1959,7 +1959,7 @@ function generate-konnectivity-server-certs {
|
||||
# make the config for the signer
|
||||
echo '{"signing":{"default":{"expiry":"43800h","usages":["signing","key encipherment","agent auth"]}}}' > "ca-config.json"
|
||||
# create the konnectivity server cert with the correct groups
|
||||
echo '{"CN":"koonectivity-server","hosts":[""],"key":{"algo":"rsa","size":2048}}' | "${CFSSL_BIN}" gencert -ca=pki/ca.crt -ca-key=pki/private/ca.key -config=ca-config.json - | "${CFSSLJSON_BIN}" -bare konnectivity-agent
|
||||
echo '{"CN":"koonectivity-server","hosts":[],"key":{"algo":"rsa","size":2048}}' | "${CFSSL_BIN}" gencert -ca=pki/ca.crt -ca-key=pki/private/ca.key -config=ca-config.json - | "${CFSSLJSON_BIN}" -bare konnectivity-agent
|
||||
rm -f "konnectivity-agent.csr"
|
||||
|
||||
echo "completed main certificate section") &>"${cert_create_debug_output}" || true
|
||||
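Review bot: The CN in the changed request line reads `koonectivity-server`, which looks like a typo, and it labels a certificate that is written out as `konnectivity-agent` under the "agent <-> konnectivity server" section, so subject and file name disagree. If nothing on the server side matches on this CN (the konnectivity server's client-auth configuration would be the place to confirm), the line should become `echo '{"CN":"konnectivity-agent","hosts":[],"key":{"algo":"rsa","size":2048}}' | ...` with the rest unchanged; if something does match on it, the spelling has to change in both places together. The comment `# create the konnectivity server cert with the correct groups` above it should then say agent as well. generate-konnectivity-server-certs continues outside the hunk.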
@@ -2021,7 +2021,7 @@ function generate-cloud-pvl-admission-certs {
|
||||
# make the config for the signer
|
||||
echo '{"signing":{"default":{"expiry":"43800h","usages":["signing","key encipherment","client auth"]}}}' > "ca-config.json"
|
||||
# create the cloud-pvl-admission cert with the correct groups
|
||||
echo '{"CN":"cloud-pvl-admission","hosts":[""],"key":{"algo":"rsa","size":2048}}' | "${CFSSL_BIN}" gencert -ca=pki/ca.crt -ca-key=pki/private/ca.key -config=ca-config.json - | "${CFSSLJSON_BIN}" -bare cloud-pvl-admission
|
||||
echo '{"CN":"cloud-pvl-admission","hosts":[],"key":{"algo":"rsa","size":2048}}' | "${CFSSL_BIN}" gencert -ca=pki/ca.crt -ca-key=pki/private/ca.key -config=ca-config.json - | "${CFSSLJSON_BIN}" -bare cloud-pvl-admission
|
||||
rm -f "cloud-pvl-admission.csr"
|
||||
|
||||
# Make the cloud-pvl-admission server side certificates.
|
||||
@@ -2037,7 +2037,7 @@ function generate-cloud-pvl-admission-certs {
|
||||
# make the config for the signer
|
||||
echo '{"signing":{"default":{"expiry":"43800h","usages":["signing","key encipherment","agent auth"]}}}' > "ca-config.json"
|
||||
# create the cloud-pvl-admission server cert with the correct groups
|
||||
echo '{"CN":"cloud-pvl-admission","hosts":[""],"key":{"algo":"rsa","size":2048}}' | "${CFSSL_BIN}" gencert -ca=pki/ca.crt -ca-key=pki/private/ca.key -config=ca-config.json - | "${CFSSLJSON_BIN}" -bare konnectivity-agent
|
||||
echo '{"CN":"cloud-pvl-admission","hosts":[],"key":{"algo":"rsa","size":2048}}' | "${CFSSL_BIN}" gencert -ca=pki/ca.crt -ca-key=pki/private/ca.key -config=ca-config.json - | "${CFSSLJSON_BIN}" -bare konnectivity-agent
|
||||
rm -f "konnectivity-agent.csr"
|
||||
|
||||
echo "completed main certificate section") &>"${cert_create_debug_output}" || true
|
||||
|
||||
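Review bot: The cloud-pvl-admission server request on the changed line is emitted with `-bare konnectivity-agent`, and the following `rm -f "konnectivity-agent.csr"` matches, so the key and certificate files are named after a different component and, if this runs in the same directory as `generate-konnectivity-server-certs` above, overwrite the konnectivity agent's key and certificate. The output name should reflect the certificate it holds, for example `-bare cloud-pvl-admission-server` (constructed name; use whatever the consumer of this certificate expects), with the `rm -f` line updated to match. The copied comment `# create the cloud-pvl-admission server cert with the correct groups` also names groups the request does not set. generate-cloud-pvl-admission-certs continues outside the hunk.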
@@ -385,15 +385,18 @@ func GetAPIServerAltNames(cfg *kubeadmapi.InitConfiguration) (*certutil.AltNames
|
||||
return nil, errors.Wrapf(err, "unable to get first IP address from the given CIDR: %v", cfg.Networking.ServiceSubnet)
|
||||
}
|
||||
|
||||
var dnsNames []string
|
||||
if len(cfg.NodeRegistration.Name) > 0 {
|
||||
dnsNames = append(dnsNames, cfg.NodeRegistration.Name)
|
||||
}
|
||||
dnsNames = append(dnsNames, "kubernetes", "kubernetes.default", "kubernetes.default.svc")
|
||||
if len(cfg.Networking.DNSDomain) > 0 {
|
||||
dnsNames = append(dnsNames, fmt.Sprintf("kubernetes.default.svc.%s", cfg.Networking.DNSDomain))
|
||||
}
|
||||
|
||||
// create AltNames with defaults DNSNames/IPs
|
||||
altNames := &certutil.AltNames{
|
||||
DNSNames: []string{
|
||||
cfg.NodeRegistration.Name,
|
||||
"kubernetes",
|
||||
"kubernetes.default",
|
||||
"kubernetes.default.svc",
|
||||
fmt.Sprintf("kubernetes.default.svc.%s", cfg.Networking.DNSDomain),
|
||||
},
|
||||
DNSNames: dnsNames,
|
||||
IPs: []net.IP{
|
||||
internalAPIServerVirtualIP,
|
||||
advertiseAddress,
|
||||
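Review bot: The new `var dnsNames []string` block carries no comment saying why the node name and the `kubernetes.default.svc.<DNSDomain>` entry are now conditional, which is the whole point of the change and will not be obvious to the next reader; the same applies to the `dnsNames` block in the getAltNames hunk below. Suggest a comment above the declaration such as `// Only add non-empty names: an empty dNSName SAN is malformed and strict X.509 parsers reject the certificate.` The surviving `// create AltNames with defaults DNSNames/IPs` comment is now slightly stale, since the DNS names are computed above it rather than in the literal. GetAPIServerAltNames begins and ends outside the hunk.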
@@ -441,9 +444,16 @@ func getAltNames(cfg *kubeadmapi.InitConfiguration, certName string) (*certutil.
|
||||
cfg.LocalAPIEndpoint.AdvertiseAddress)
|
||||
}
|
||||
|
||||
var dnsNames []string
|
||||
if len(cfg.NodeRegistration.Name) > 0 {
|
||||
dnsNames = []string{cfg.NodeRegistration.Name, "localhost"}
|
||||
} else {
|
||||
dnsNames = []string{"localhost"}
|
||||
}
|
||||
|
||||
// create AltNames with defaults DNSNames/IPs
|
||||
altNames := &certutil.AltNames{
|
||||
DNSNames: []string{cfg.NodeRegistration.Name, "localhost"},
|
||||
DNSNames: dnsNames,
|
||||
IPs: []net.IP{advertiseAddress, net.IPv4(127, 0, 0, 1), net.IPv6loopback},
|
||||
}
|
||||
|
||||
@@ -665,13 +675,15 @@ func NewSelfSignedCACert(cfg *CertConfig, key crypto.Signer) (*x509.Certificate,
|
||||
CommonName: cfg.CommonName,
|
||||
Organization: cfg.Organization,
|
||||
},
|
||||
DNSNames: []string{cfg.CommonName},
|
||||
NotBefore: notBefore,
|
||||
NotAfter: notAfter,
|
||||
KeyUsage: keyUsage,
|
||||
BasicConstraintsValid: true,
|
||||
IsCA: true,
|
||||
}
|
||||
if len(cfg.CommonName) > 0 {
|
||||
tmpl.DNSNames = []string{cfg.CommonName}
|
||||
}
|
||||
|
||||
certDERBytes, err := x509.CreateCertificate(cryptorand.Reader, &tmpl, &tmpl, key.Public(), key)
|
||||
if err != nil {
|
||||
|
||||
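Review bot: The new guard patches `tmpl.DNSNames` after the struct literal has already been built, which separates the SAN decision from the rest of the template and leaves no comment on why an empty CommonName must not produce a DNS SAN; the client-go copy of NewSelfSignedCACert in the last hunk of this page has the identical shape and should be kept in step with whatever is done here. Preferable is the pattern the kubeadm pkiutil hunks use: compute `var dnsNames []string` before the literal and set `DNSNames: dnsNames,` inside it, with a comment like `// Never emit an empty dNSName SAN, it is malformed; the CN is kept as a SAN only when present.` Whether any caller relies on the CA carrying its CN as a SAN is not visible here, so dropping the SAN entirely is better left to a separate change. The function begins and ends outside the hunk.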
@@ -478,7 +478,7 @@ function kube::util::create_client_certkey {
|
||||
done
|
||||
${sudo} /usr/bin/env bash -e <<EOF
|
||||
cd ${dest_dir}
|
||||
echo '{"CN":"${cn}","names":[${groups}],"hosts":[""],"key":{"algo":"rsa","size":2048}}' | ${CFSSL_BIN} gencert -ca=${ca}.crt -ca-key=${ca}.key -config=${ca}-config.json - | ${CFSSLJSON_BIN} -bare client-${id}
|
||||
echo '{"CN":"${cn}","names":[${groups}],"hosts":[],"key":{"algo":"rsa","size":2048}}' | ${CFSSL_BIN} gencert -ca=${ca}.crt -ca-key=${ca}.key -config=${ca}-config.json - | ${CFSSLJSON_BIN} -bare client-${id}
|
||||
mv "client-${id}-key.pem" "client-${id}.key"
|
||||
mv "client-${id}.pem" "client-${id}.crt"
|
||||
rm -f "client-${id}.csr"
|
||||
|
||||
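Review bot: On the changed request line `${cn}` and `${groups}` are expanded straight into the JSON string of a `bash -e` heredoc, so a value containing a double quote or backslash yields invalid JSON for cfssl or, at worst, a subject other than the one intended for a certificate that is used for client authentication. Callers are presumably in-repo scripts with fixed values, but a cheap guard before the heredoc makes the failure explicit, e.g. `[[ "${cn}" == *[\"\\]* ]] && { echo "create_client_certkey: invalid cn ${cn}" >&2; return 1; }`, with the same check applied to `${groups}`. kube::util::create_client_certkey begins outside the hunk.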
@@ -86,7 +86,7 @@ func TestIsKubeletServingCSR(t *testing.T) {
|
||||
exp: false,
|
||||
},
|
||||
"does not default to kubelet-serving if it specifies an emailAddress SAN": {
|
||||
req: newCSR(kubeletServerPEMOptions, pemOptions{emailAddresses: []string{"something"}}),
|
||||
req: newCSR(kubeletServerPEMOptions, pemOptions{emailAddresses: []string{"something@example.com"}}),
|
||||
usages: kubeletServerUsages,
|
||||
exp: false,
|
||||
},
|
||||
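Review bot: The literal `"something@example.com"` is introduced three times, here and in the TestIsKubeletClientCSR and TestSetDefaults_CertificateSigningRequestSpec_KubeletServing hunks below, replacing a value that was not a syntactically valid address, and nothing in the hunk records why the old value stopped being acceptable, which is what the next reader of the test will ask. A named constant in the shared test helpers, e.g. `const testEmailSAN = "something@example.com"` used in all three tables, with a one-line comment stating that the CSR builder needs a well-formed address (presumably because the email SAN is now validated when the request is built), would keep the three tables from drifting. Each test table begins and ends outside its hunk.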
@@ -131,7 +131,7 @@ func TestIsKubeletClientCSR(t *testing.T) {
|
||||
exp: false,
|
||||
},
|
||||
"does not default to kube-apiserver-client-kubelet if an emailAddress is set": {
|
||||
req: newCSR(kubeletClientPEMOptions, pemOptions{emailAddresses: []string{"something"}}),
|
||||
req: newCSR(kubeletClientPEMOptions, pemOptions{emailAddresses: []string{"something@example.com"}}),
|
||||
usages: kubeletClientUsages,
|
||||
exp: false,
|
||||
},
|
||||
@@ -326,7 +326,7 @@ func TestSetDefaults_CertificateSigningRequestSpec_KubeletServing(t *testing.T)
|
||||
},
|
||||
"does not default to kubelet-serving if it specifies an emailAddress SAN": {
|
||||
csr: capi.CertificateSigningRequestSpec{
|
||||
Request: csrWithOpts(kubeletServerPEMOptions, pemOptions{emailAddresses: []string{"something"}}),
|
||||
Request: csrWithOpts(kubeletServerPEMOptions, pemOptions{emailAddresses: []string{"something@example.com"}}),
|
||||
Usages: kubeletServerUsages,
|
||||
Username: kubeletServerPEMOptions.cn,
|
||||
},
|
||||
|
||||
@@ -75,13 +75,15 @@ func NewSelfSignedCACert(cfg Config, key crypto.Signer) (*x509.Certificate, erro
|
||||
CommonName: cfg.CommonName,
|
||||
Organization: cfg.Organization,
|
||||
},
|
||||
DNSNames: []string{cfg.CommonName},
|
||||
NotBefore: notBefore,
|
||||
NotAfter: now.Add(duration365d * 10).UTC(),
|
||||
KeyUsage: x509.KeyUsageKeyEncipherment | x509.KeyUsageDigitalSignature | x509.KeyUsageCertSign,
|
||||
BasicConstraintsValid: true,
|
||||
IsCA: true,
|
||||
}
|
||||
if len(cfg.CommonName) > 0 {
|
||||
tmpl.DNSNames = []string{cfg.CommonName}
|
||||
}
|
||||
|
||||
certDERBytes, err := x509.CreateCertificate(cryptorand.Reader, &tmpl, &tmpl, key.Public(), key)
|
||||
if err != nil {
|
||||
|
||||