diff --git a/cmd/kubelet/app/BUILD b/cmd/kubelet/app/BUILD
index 8744422e8f8..85bcffab74e 100644
--- a/cmd/kubelet/app/BUILD
+++ b/cmd/kubelet/app/BUILD
@@ -107,7 +107,6 @@ go_library(
         "//vendor/github.com/spf13/cobra:go_default_library",
         "//vendor/github.com/spf13/pflag:go_default_library",
         "//vendor/golang.org/x/exp/inotify:go_default_library",
-        "//vendor/k8s.io/api/certificates/v1beta1:go_default_library",
         "//vendor/k8s.io/api/core/v1:go_default_library",
         "//vendor/k8s.io/apimachinery/pkg/api/resource:go_default_library",
         "//vendor/k8s.io/apimachinery/pkg/apis/meta/v1:go_default_library",
diff --git a/cmd/kubelet/app/server.go b/cmd/kubelet/app/server.go
index 82898919efc..07cfe30a497 100644
--- a/cmd/kubelet/app/server.go
+++ b/cmd/kubelet/app/server.go
@@ -19,8 +19,6 @@ package app
 
 import (
 	"crypto/tls"
-	"crypto/x509"
-	"crypto/x509/pkix"
 	"errors"
 	"fmt"
 	"math/rand"
@@ -37,7 +35,6 @@ import (
 
 	"github.com/spf13/cobra"
 	"github.com/spf13/pflag"
-	certificates "k8s.io/api/certificates/v1beta1"
 	"k8s.io/api/core/v1"
 	clientv1 "k8s.io/api/core/v1"
 	"k8s.io/apimachinery/pkg/api/resource"
@@ -457,7 +454,7 @@ func run(s *options.KubeletServer, kubeDeps *kubelet.KubeletDeps) (err error) {
 		if err != nil {
 			return err
 		}
-		clientCertificateManager, err = initializeClientCertificateManager(s.CertDirectory, nodeName, clientConfig.CertData, clientConfig.KeyData, clientConfig.CertFile, clientConfig.KeyFile)
+		clientCertificateManager, err = certificate.NewKubeletClientCertificateManager(s.CertDirectory, nodeName, clientConfig.CertData, clientConfig.KeyData, clientConfig.CertFile, clientConfig.KeyFile)
 		if err != nil {
 			return err
 		}
@@ -660,52 +657,6 @@ func updateTransport(clientConfig *restclient.Config, clientCertificateManager c
 	return nil
 }
 
-// initializeClientCertificateManager sets up a certificate manager without a
-// client that can be used to sign new certificates (or rotate). It answers with
-// whatever certificate it is initialized with. If a CSR client is set later, it
-// may begin rotating/renewing the client cert
-func initializeClientCertificateManager(certDirectory string, nodeName types.NodeName, certData []byte, keyData []byte, certFile string, keyFile string) (certificate.Manager, error) {
-	certificateStore, err := certificate.NewFileStore(
-		"kubelet-client",
-		certDirectory,
-		certDirectory,
-		certFile,
-		keyFile)
-	if err != nil {
-		return nil, fmt.Errorf("failed to initialize certificate store: %v", err)
-	}
-	clientCertificateManager, err := certificate.NewManager(&certificate.Config{
-		Template: &x509.CertificateRequest{
-			Subject: pkix.Name{
-				Organization: []string{"system:nodes"},
-				CommonName:   fmt.Sprintf("system:node:%s", nodeName),
-			},
-		},
-		Usages: []certificates.KeyUsage{
-			// https://tools.ietf.org/html/rfc5280#section-4.2.1.3
-			//
-			// DigitalSignature allows the certificate to be used to verify
-			// digital signatures including signatures used during TLS
-			// negotiation.
-			certificates.UsageDigitalSignature,
-			// KeyEncipherment allows the cert/key pair to be used to encrypt
-			// keys, including the symetric keys negotiated during TLS setup
-			// and used for data transfer..
-			certificates.UsageKeyEncipherment,
-			// ClientAuth allows the cert to be used by a TLS client to
-			// authenticate itself to the TLS server.
-			certificates.UsageClientAuth,
-		},
-		CertificateStore:        certificateStore,
-		BootstrapCertificatePEM: certData,
-		BootstrapKeyPEM:         keyData,
-	})
-	if err != nil {
-		return nil, fmt.Errorf("failed to initialize certificate manager: %v", err)
-	}
-	return clientCertificateManager, nil
-}
-
 // getNodeName returns the node name according to the cloud provider
 // if cloud provider is specified. Otherwise, returns the hostname of the node.
 func getNodeName(cloud cloudprovider.Interface, hostname string) (types.NodeName, error) {
diff --git a/pkg/kubelet/BUILD b/pkg/kubelet/BUILD
index 2f9d71700e0..09a34307520 100644
--- a/pkg/kubelet/BUILD
+++ b/pkg/kubelet/BUILD
@@ -46,7 +46,6 @@ go_library(
         "//pkg/apis/componentconfig/v1alpha1:go_default_library",
         "//pkg/capabilities:go_default_library",
         "//pkg/client/clientset_generated/clientset:go_default_library",
-        "//pkg/client/clientset_generated/clientset/typed/certificates/v1beta1:go_default_library",
         "//pkg/client/listers/core/v1:go_default_library",
         "//pkg/cloudprovider:go_default_library",
         "//pkg/features:go_default_library",
@@ -118,7 +117,6 @@ go_library(
         "//vendor/github.com/google/cadvisor/events:go_default_library",
         "//vendor/github.com/google/cadvisor/info/v1:go_default_library",
         "//vendor/github.com/google/cadvisor/info/v2:go_default_library",
-        "//vendor/k8s.io/api/certificates/v1beta1:go_default_library",
         "//vendor/k8s.io/api/core/v1:go_default_library",
         "//vendor/k8s.io/apimachinery/pkg/api/errors:go_default_library",
         "//vendor/k8s.io/apimachinery/pkg/api/resource:go_default_library",
diff --git a/pkg/kubelet/certificate/BUILD b/pkg/kubelet/certificate/BUILD
index c2d62856b98..48dc8fc8fb2 100644
--- a/pkg/kubelet/certificate/BUILD
+++ b/pkg/kubelet/certificate/BUILD
@@ -13,15 +13,19 @@ go_library(
     srcs = [
         "certificate_manager.go",
         "certificate_store.go",
+        "kubelet.go",
     ],
     tags = ["automanaged"],
     deps = [
+        "//pkg/apis/componentconfig:go_default_library",
+        "//pkg/client/clientset_generated/clientset:go_default_library",
         "//pkg/client/clientset_generated/clientset/typed/certificates/v1beta1:go_default_library",
         "//pkg/util:go_default_library",
         "//vendor/github.com/golang/glog:go_default_library",
         "//vendor/k8s.io/api/certificates/v1beta1:go_default_library",
         "//vendor/k8s.io/apimachinery/pkg/apis/meta/v1:go_default_library",
         "//vendor/k8s.io/apimachinery/pkg/fields:go_default_library",
+        "//vendor/k8s.io/apimachinery/pkg/types:go_default_library",
         "//vendor/k8s.io/apimachinery/pkg/util/wait:go_default_library",
         "//vendor/k8s.io/apimachinery/pkg/watch:go_default_library",
         "//vendor/k8s.io/client-go/util/cert:go_default_library",
diff --git a/pkg/kubelet/certificate/kubelet.go b/pkg/kubelet/certificate/kubelet.go
new file mode 100644
index 00000000000..a0a76b52df1
--- /dev/null
+++ b/pkg/kubelet/certificate/kubelet.go
@@ -0,0 +1,124 @@
+/*
+Copyright 2017 The Kubernetes Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package certificate
+
+import (
+	"crypto/x509"
+	"crypto/x509/pkix"
+	"fmt"
+	"net"
+
+	certificates "k8s.io/api/certificates/v1beta1"
+	"k8s.io/apimachinery/pkg/types"
+	"k8s.io/kubernetes/pkg/apis/componentconfig"
+	"k8s.io/kubernetes/pkg/client/clientset_generated/clientset"
+	clientcertificates "k8s.io/kubernetes/pkg/client/clientset_generated/clientset/typed/certificates/v1beta1"
+)
+
+// NewKubeletServerCertificateManager creates a certificate manager for the kubelet when retrieving a server certificate
+// or returns an error.
+func NewKubeletServerCertificateManager(kubeClient clientset.Interface, kubeCfg *componentconfig.KubeletConfiguration, nodeName types.NodeName, ips []net.IP, hostnames []string) (Manager, error) {
+	var certSigningRequestClient clientcertificates.CertificateSigningRequestInterface
+	if kubeClient != nil && kubeClient.Certificates() != nil {
+		certSigningRequestClient = kubeClient.Certificates().CertificateSigningRequests()
+	}
+	certificateStore, err := NewFileStore(
+		"kubelet-server",
+		kubeCfg.CertDirectory,
+		kubeCfg.CertDirectory,
+		kubeCfg.TLSCertFile,
+		kubeCfg.TLSPrivateKeyFile)
+	if err != nil {
+		return nil, fmt.Errorf("failed to initialize server certificate store: %v", err)
+	}
+	m, err := NewManager(&Config{
+		CertificateSigningRequestClient: certSigningRequestClient,
+		Template: &x509.CertificateRequest{
+			Subject: pkix.Name{
+				CommonName:   fmt.Sprintf("system:node:%s", nodeName),
+				Organization: []string{"system:nodes"},
+			},
+			DNSNames:    hostnames,
+			IPAddresses: ips,
+		},
+		Usages: []certificates.KeyUsage{
+			// https://tools.ietf.org/html/rfc5280#section-4.2.1.3
+			//
+			// Digital signature allows the certificate to be used to verify
+			// digital signatures used during TLS negotiation.
+			certificates.UsageDigitalSignature,
+			// KeyEncipherment allows the cert/key pair to be used to encrypt
+			// keys, including the symetric keys negotiated during TLS setup
+			// and used for data transfer.
+			certificates.UsageKeyEncipherment,
+			// ServerAuth allows the cert to be used by a TLS server to
+			// authenticate itself to a TLS client.
+			certificates.UsageServerAuth,
+		},
+		CertificateStore: certificateStore,
+	})
+	if err != nil {
+		return nil, fmt.Errorf("failed to initialize server certificate manager: %v", err)
+	}
+	return m, nil
+}
+
+// NewKubeletClientCertificateManager sets up a certificate manager without a
+// client that can be used to sign new certificates (or rotate). It answers with
+// whatever certificate it is initialized with. If a CSR client is set later, it
+// may begin rotating/renewing the client cert
+func NewKubeletClientCertificateManager(certDirectory string, nodeName types.NodeName, certData []byte, keyData []byte, certFile string, keyFile string) (Manager, error) {
+	certificateStore, err := NewFileStore(
+		"kubelet-client",
+		certDirectory,
+		certDirectory,
+		certFile,
+		keyFile)
+	if err != nil {
+		return nil, fmt.Errorf("failed to initialize client certificate store: %v", err)
+	}
+	m, err := NewManager(&Config{
+		Template: &x509.CertificateRequest{
+			Subject: pkix.Name{
+				CommonName:   fmt.Sprintf("system:node:%s", nodeName),
+				Organization: []string{"system:nodes"},
+			},
+		},
+		Usages: []certificates.KeyUsage{
+			// https://tools.ietf.org/html/rfc5280#section-4.2.1.3
+			//
+			// DigitalSignature allows the certificate to be used to verify
+			// digital signatures including signatures used during TLS
+			// negotiation.
+			certificates.UsageDigitalSignature,
+			// KeyEncipherment allows the cert/key pair to be used to encrypt
+			// keys, including the symetric keys negotiated during TLS setup
+			// and used for data transfer..
+			certificates.UsageKeyEncipherment,
+			// ClientAuth allows the cert to be used by a TLS client to
+			// authenticate itself to the TLS server.
+			certificates.UsageClientAuth,
+		},
+		CertificateStore:        certificateStore,
+		BootstrapCertificatePEM: certData,
+		BootstrapKeyPEM:         keyData,
+	})
+	if err != nil {
+		return nil, fmt.Errorf("failed to initialize client certificate manager: %v", err)
+	}
+	return m, nil
+}
diff --git a/pkg/kubelet/kubelet.go b/pkg/kubelet/kubelet.go
index b969f7830b9..766af05eb41 100644
--- a/pkg/kubelet/kubelet.go
+++ b/pkg/kubelet/kubelet.go
@@ -18,8 +18,6 @@ package kubelet
 
 import (
 	"crypto/tls"
-	"crypto/x509"
-	"crypto/x509/pkix"
 	"fmt"
 	"net"
 	"net/http"
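Review bot: NewKubeletServerCertificateManager copies `hostnames` and `ips` into the CSR template's `DNSNames`/`IPAddresses` without any filtering, so whatever the caller assembles is requested verbatim as the certificate's SAN list; the caller in NewMainKubelet (visible as context in the kubelet.go hunk) builds that list as `append([]string{klet.GetHostname(), hostnameOverride}, cloudNames...)`, which appears to produce an empty DNSName entry when hostnameOverride is unset and a duplicate when it equals the hostname. Since the SAN list is exactly what the CSR approver reviews and what the served certificate will later be valid for, dropping empty and duplicate entries before building the template keeps the request minimal and accurate, and avoids the signer rejecting a request with an empty SAN. Separately, both `Usages` comment blocks carry the typo `symetric` (should be `symmetric`), the client-manager block ends with `data transfer..` where a single period is meant, and the doc comment on NewKubeletClientCertificateManager lacks a terminating period.
```go
	// Request only SANs that are actually set: the approver and the served
	// certificate are bound to exactly this list.
	dnsNames := make([]string, 0, len(hostnames))
	seen := make(map[string]struct{}, len(hostnames))
	for _, h := range hostnames {
		if h == "" {
			continue
		}
		if _, dup := seen[h]; dup {
			continue
		}
		seen[h] = struct{}{}
		dnsNames = append(dnsNames, h)
	}
	// … unchanged: NewFileStore call and error check …
	m, err := NewManager(&Config{
		// … unchanged: CertificateSigningRequestClient, Subject …
			DNSNames:    dnsNames,
			IPAddresses: ips,
```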
@@ -38,7 +36,6 @@ import (
 
 	cadvisorapi "github.com/google/cadvisor/info/v1"
 	cadvisorapiv2 "github.com/google/cadvisor/info/v2"
-	certificates "k8s.io/api/certificates/v1beta1"
 	"k8s.io/api/core/v1"
 	clientv1 "k8s.io/api/core/v1"
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
@@ -60,7 +57,6 @@ import (
 	"k8s.io/kubernetes/pkg/apis/componentconfig"
 	componentconfigv1alpha1 "k8s.io/kubernetes/pkg/apis/componentconfig/v1alpha1"
 	"k8s.io/kubernetes/pkg/client/clientset_generated/clientset"
-	clientcertificates "k8s.io/kubernetes/pkg/client/clientset_generated/clientset/typed/certificates/v1beta1"
 	corelisters "k8s.io/kubernetes/pkg/client/listers/core/v1"
 	"k8s.io/kubernetes/pkg/cloudprovider"
 	"k8s.io/kubernetes/pkg/features"
@@ -710,7 +706,7 @@ func NewMainKubelet(kubeCfg *componentconfig.KubeletConfiguration, kubeDeps *Kub
 		}
 		ips = append(ips, cloudIPs...)
 		names := append([]string{klet.GetHostname(), hostnameOverride}, cloudNames...)
-		klet.serverCertificateManager, err = initializeServerCertificateManager(klet.kubeClient, kubeCfg, klet.nodeName, ips, names)
+		klet.serverCertificateManager, err = certificate.NewKubeletServerCertificateManager(klet.kubeClient, kubeCfg, klet.nodeName, ips, names)
 		if err != nil {
 			return nil, fmt.Errorf("failed to initialize certificate manager: %v", err)
 		}
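Review bot: The error returned two lines below the new `certificate.NewKubeletServerCertificateManager` call is now double-prefixed: the callee already returns `failed to initialize server certificate store: …` or `failed to initialize server certificate manager: …`, and the caller wraps that again as `failed to initialize certificate manager: %v`, so the logged message repeats itself. Either propagate `err` unchanged here or have the wrapper add context the callee does not, e.g. `return nil, fmt.Errorf("kubelet server certificate: %v", err)`. NewMainKubelet starts and ends outside the hunk, so the surrounding error-handling convention is not visible here.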
@@ -1111,48 +1107,6 @@ type Kubelet struct {
 	dockerLegacyService dockershim.DockerLegacyService
 }
 
-func initializeServerCertificateManager(kubeClient clientset.Interface, kubeCfg *componentconfig.KubeletConfiguration, nodeName types.NodeName, ips []net.IP, hostnames []string) (certificate.Manager, error) {
-	var certSigningRequestClient clientcertificates.CertificateSigningRequestInterface
-	if kubeClient != nil && kubeClient.Certificates() != nil {
-		certSigningRequestClient = kubeClient.Certificates().CertificateSigningRequests()
-	}
-	certificateStore, err := certificate.NewFileStore(
-		"kubelet-server",
-		kubeCfg.CertDirectory,
-		kubeCfg.CertDirectory,
-		kubeCfg.TLSCertFile,
-		kubeCfg.TLSPrivateKeyFile)
-	if err != nil {
-		return nil, fmt.Errorf("failed to initialize certificate store: %v", err)
-	}
-	return certificate.NewManager(&certificate.Config{
-		CertificateSigningRequestClient: certSigningRequestClient,
-		Template: &x509.CertificateRequest{
-			Subject: pkix.Name{
-				CommonName:   fmt.Sprintf("system:node:%s", nodeName),
-				Organization: []string{"system:nodes"},
-			},
-			DNSNames:    hostnames,
-			IPAddresses: ips,
-		},
-		Usages: []certificates.KeyUsage{
-			// https://tools.ietf.org/html/rfc5280#section-4.2.1.3
-			//
-			// Digital signature allows the certificate to be used to verify
-			// digital signatures used during TLS negotiation.
-			certificates.UsageDigitalSignature,
-			// KeyEncipherment allows the cert/key pair to be used to encrypt
-			// keys, including the symetric keys negotiated during TLS setup
-			// and used for data transfer.
-			certificates.UsageKeyEncipherment,
-			// ServerAuth allows the cert to be used by a TLS server to
-			// authenticate itself to a TLS client.
-			certificates.UsageServerAuth,
-		},
-		CertificateStore: certificateStore,
-	})
-}
-
 func allLocalIPsWithoutLoopback() ([]net.IP, error) {
 	interfaces, err := net.Interfaces()
 	if err != nil {