Merge pull request #48518 from smarterclayton/separate_cert_man

Automatic merge from submit-queue (batch tested with PRs 48518, 48525, 48269) Move the kubelet certificate management code into a single package Code is very similar and belongs together. Will allow future cert callers to potentially make this more generic, as well as to make it easier reuse code elsewhere.
2025-07-22 11:21:47 +00:00 · 2017-07-06 13:34:42 -07:00 · 2017-07-06 13:34:42 -07:00 · 50c6211850
commit 50c6211850
parent 4e276d49b9 b8e662fcea
6 changed files with 130 additions and 100 deletions
--- a/cmd/kubelet/app/BUILD
+++ b/cmd/kubelet/app/BUILD
@ -107,7 +107,6 @@ go_library(
        "//vendor/github.com/spf13/cobra:go_default_library",
        "//vendor/github.com/spf13/pflag:go_default_library",
        "//vendor/golang.org/x/exp/inotify:go_default_library",
        "//vendor/k8s.io/api/certificates/v1beta1:go_default_library",
        "//vendor/k8s.io/api/core/v1:go_default_library",
        "//vendor/k8s.io/apimachinery/pkg/api/resource:go_default_library",
        "//vendor/k8s.io/apimachinery/pkg/apis/meta/v1:go_default_library",
--- a/cmd/kubelet/app/server.go
+++ b/cmd/kubelet/app/server.go
@ -19,8 +19,6 @@ package app
 import (
 	"crypto/tls"
 	"crypto/x509"
 	"crypto/x509/pkix"
 	"errors"
 	"fmt"
 	"math/rand"
@ -37,7 +35,6 @@ import (
 	"github.com/spf13/cobra"
 	"github.com/spf13/pflag"
 	certificates "k8s.io/api/certificates/v1beta1"
 	"k8s.io/api/core/v1"
 	clientv1 "k8s.io/api/core/v1"
 	"k8s.io/apimachinery/pkg/api/resource"
@ -457,7 +454,7 @@ func run(s *options.KubeletServer, kubeDeps *kubelet.KubeletDeps) (err error) {
 				if err != nil {
 					return err
 				}
-				clientCertificateManager, err = initializeClientCertificateManager(s.CertDirectory, nodeName, clientConfig.CertData, clientConfig.KeyData, clientConfig.CertFile, clientConfig.KeyFile)
+				clientCertificateManager, err = certificate.NewKubeletClientCertificateManager(s.CertDirectory, nodeName, clientConfig.CertData, clientConfig.KeyData, clientConfig.CertFile, clientConfig.KeyFile)
 				if err != nil {
 					return err
 				}
@ -660,52 +657,6 @@ func updateTransport(clientConfig *restclient.Config, clientCertificateManager c
 	return nil
 }
 // initializeClientCertificateManager sets up a certificate manager without a
 // client that can be used to sign new certificates (or rotate). It answers with
 // whatever certificate it is initialized with. If a CSR client is set later, it
 // may begin rotating/renewing the client cert
 func initializeClientCertificateManager(certDirectory string, nodeName types.NodeName, certData []byte, keyData []byte, certFile string, keyFile string) (certificate.Manager, error) {
 	certificateStore, err := certificate.NewFileStore(
 		"kubelet-client",
 		certDirectory,
 		certDirectory,
 		certFile,
 		keyFile)
 	if err != nil {
 		return nil, fmt.Errorf("failed to initialize certificate store: %v", err)
 	}
 	clientCertificateManager, err := certificate.NewManager(&certificate.Config{
 		Template: &x509.CertificateRequest{
 			Subject: pkix.Name{
 				Organization: []string{"system:nodes"},
 				CommonName:   fmt.Sprintf("system:node:%s", nodeName),
 			},
 		},
 		Usages: []certificates.KeyUsage{
 			// https://tools.ietf.org/html/rfc5280#section-4.2.1.3
 			//
 			// DigitalSignature allows the certificate to be used to verify
 			// digital signatures including signatures used during TLS
 			// negotiation.
 			certificates.UsageDigitalSignature,
 			// KeyEncipherment allows the cert/key pair to be used to encrypt
 			// keys, including the symetric keys negotiated during TLS setup
 			// and used for data transfer..
 			certificates.UsageKeyEncipherment,
 			// ClientAuth allows the cert to be used by a TLS client to
 			// authenticate itself to the TLS server.
 			certificates.UsageClientAuth,
 		},
 		CertificateStore:        certificateStore,
 		BootstrapCertificatePEM: certData,
 		BootstrapKeyPEM:         keyData,
 	})
 	if err != nil {
 		return nil, fmt.Errorf("failed to initialize certificate manager: %v", err)
 	}
 	return clientCertificateManager, nil
 }
 // getNodeName returns the node name according to the cloud provider
 // if cloud provider is specified. Otherwise, returns the hostname of the node.
 func getNodeName(cloud cloudprovider.Interface, hostname string) (types.NodeName, error) {
--- a/pkg/kubelet/BUILD
+++ b/pkg/kubelet/BUILD
@ -46,7 +46,6 @@ go_library(
        "//pkg/apis/componentconfig/v1alpha1:go_default_library",
        "//pkg/capabilities:go_default_library",
        "//pkg/client/clientset_generated/clientset:go_default_library",
        "//pkg/client/clientset_generated/clientset/typed/certificates/v1beta1:go_default_library",
        "//pkg/client/listers/core/v1:go_default_library",
        "//pkg/cloudprovider:go_default_library",
        "//pkg/features:go_default_library",
@ -118,7 +117,6 @@ go_library(
        "//vendor/github.com/google/cadvisor/events:go_default_library",
        "//vendor/github.com/google/cadvisor/info/v1:go_default_library",
        "//vendor/github.com/google/cadvisor/info/v2:go_default_library",
        "//vendor/k8s.io/api/certificates/v1beta1:go_default_library",
        "//vendor/k8s.io/api/core/v1:go_default_library",
        "//vendor/k8s.io/apimachinery/pkg/api/errors:go_default_library",
        "//vendor/k8s.io/apimachinery/pkg/api/resource:go_default_library",
--- a/pkg/kubelet/certificate/BUILD
+++ b/pkg/kubelet/certificate/BUILD
@ -13,15 +13,19 @@ go_library(
    srcs = [
        "certificate_manager.go",
        "certificate_store.go",
        "kubelet.go",
    ],
    tags = ["automanaged"],
    deps = [
        "//pkg/apis/componentconfig:go_default_library",
        "//pkg/client/clientset_generated/clientset:go_default_library",
        "//pkg/client/clientset_generated/clientset/typed/certificates/v1beta1:go_default_library",
        "//pkg/util:go_default_library",
        "//vendor/github.com/golang/glog:go_default_library",
        "//vendor/k8s.io/api/certificates/v1beta1:go_default_library",
        "//vendor/k8s.io/apimachinery/pkg/apis/meta/v1:go_default_library",
        "//vendor/k8s.io/apimachinery/pkg/fields:go_default_library",
        "//vendor/k8s.io/apimachinery/pkg/types:go_default_library",
        "//vendor/k8s.io/apimachinery/pkg/util/wait:go_default_library",
        "//vendor/k8s.io/apimachinery/pkg/watch:go_default_library",
        "//vendor/k8s.io/client-go/util/cert:go_default_library",
--- a/pkg/kubelet/certificate/kubelet.go
+++ b/pkg/kubelet/certificate/kubelet.go
@ -0,0 +1,124 @@
 /*
 Copyright 2017 The Kubernetes Authors.
 Licensed under the Apache License, Version 2.0 (the "License");
 you may not use this file except in compliance with the License.
 You may obtain a copy of the License at
    http://www.apache.org/licenses/LICENSE-2.0
 Unless required by applicable law or agreed to in writing, software
 distributed under the License is distributed on an "AS IS" BASIS,
 WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
 See the License for the specific language governing permissions and
 limitations under the License.
 */
 package certificate
 import (
 	"crypto/x509"
 	"crypto/x509/pkix"
 	"fmt"
 	"net"
 	certificates "k8s.io/api/certificates/v1beta1"
 	"k8s.io/apimachinery/pkg/types"
 	"k8s.io/kubernetes/pkg/apis/componentconfig"
 	"k8s.io/kubernetes/pkg/client/clientset_generated/clientset"
 	clientcertificates "k8s.io/kubernetes/pkg/client/clientset_generated/clientset/typed/certificates/v1beta1"
 )
 // NewKubeletServerCertificateManager creates a certificate manager for the kubelet when retrieving a server certificate
 // or returns an error.
 func NewKubeletServerCertificateManager(kubeClient clientset.Interface, kubeCfg *componentconfig.KubeletConfiguration, nodeName types.NodeName, ips []net.IP, hostnames []string) (Manager, error) {
 	var certSigningRequestClient clientcertificates.CertificateSigningRequestInterface
 	if kubeClient != nil && kubeClient.Certificates() != nil {
 		certSigningRequestClient = kubeClient.Certificates().CertificateSigningRequests()
 	}
 	certificateStore, err := NewFileStore(
 		"kubelet-server",
 		kubeCfg.CertDirectory,
 		kubeCfg.CertDirectory,
 		kubeCfg.TLSCertFile,
 		kubeCfg.TLSPrivateKeyFile)
 	if err != nil {
 		return nil, fmt.Errorf("failed to initialize server certificate store: %v", err)
 	}
 	m, err := NewManager(&Config{
 		CertificateSigningRequestClient: certSigningRequestClient,
 		Template: &x509.CertificateRequest{
 			Subject: pkix.Name{
 				CommonName:   fmt.Sprintf("system:node:%s", nodeName),
 				Organization: []string{"system:nodes"},
 			},
 			DNSNames:    hostnames,
 			IPAddresses: ips,
 		},
 		Usages: []certificates.KeyUsage{
 			// https://tools.ietf.org/html/rfc5280#section-4.2.1.3
 			//
 			// Digital signature allows the certificate to be used to verify
 			// digital signatures used during TLS negotiation.
 			certificates.UsageDigitalSignature,
 			// KeyEncipherment allows the cert/key pair to be used to encrypt
 			// keys, including the symetric keys negotiated during TLS setup
 			// and used for data transfer.
 			certificates.UsageKeyEncipherment,
 			// ServerAuth allows the cert to be used by a TLS server to
 			// authenticate itself to a TLS client.
 			certificates.UsageServerAuth,
 		},
 		CertificateStore: certificateStore,
 	})
 	if err != nil {
 		return nil, fmt.Errorf("failed to initialize server certificate manager: %v", err)
 	}
 	return m, nil
 }
 // NewKubeletClientCertificateManager sets up a certificate manager without a
 // client that can be used to sign new certificates (or rotate). It answers with
 // whatever certificate it is initialized with. If a CSR client is set later, it
 // may begin rotating/renewing the client cert
 func NewKubeletClientCertificateManager(certDirectory string, nodeName types.NodeName, certData []byte, keyData []byte, certFile string, keyFile string) (Manager, error) {
 	certificateStore, err := NewFileStore(
 		"kubelet-client",
 		certDirectory,
 		certDirectory,
 		certFile,
 		keyFile)
 	if err != nil {
 		return nil, fmt.Errorf("failed to initialize client certificate store: %v", err)
 	}
 	m, err := NewManager(&Config{
 		Template: &x509.CertificateRequest{
 			Subject: pkix.Name{
 				CommonName:   fmt.Sprintf("system:node:%s", nodeName),
 				Organization: []string{"system:nodes"},
 			},
 		},
 		Usages: []certificates.KeyUsage{
 			// https://tools.ietf.org/html/rfc5280#section-4.2.1.3
 			//
 			// DigitalSignature allows the certificate to be used to verify
 			// digital signatures including signatures used during TLS
 			// negotiation.
 			certificates.UsageDigitalSignature,
 			// KeyEncipherment allows the cert/key pair to be used to encrypt
 			// keys, including the symetric keys negotiated during TLS setup
 			// and used for data transfer..
 			certificates.UsageKeyEncipherment,
 			// ClientAuth allows the cert to be used by a TLS client to
 			// authenticate itself to the TLS server.
 			certificates.UsageClientAuth,
 		},
 		CertificateStore:        certificateStore,
 		BootstrapCertificatePEM: certData,
 		BootstrapKeyPEM:         keyData,
 	})
 	if err != nil {
 		return nil, fmt.Errorf("failed to initialize client certificate manager: %v", err)
 	}
 	return m, nil
 }
--- a/pkg/kubelet/kubelet.go
+++ b/pkg/kubelet/kubelet.go
@ -18,8 +18,6 @@ package kubelet
 import (
 	"crypto/tls"
 	"crypto/x509"
 	"crypto/x509/pkix"
 	"fmt"
 	"net"
 	"net/http"
@ -38,7 +36,6 @@ import (
 	cadvisorapi "github.com/google/cadvisor/info/v1"
 	cadvisorapiv2 "github.com/google/cadvisor/info/v2"
 	certificates "k8s.io/api/certificates/v1beta1"
 	"k8s.io/api/core/v1"
 	clientv1 "k8s.io/api/core/v1"
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
@ -60,7 +57,6 @@ import (
 	"k8s.io/kubernetes/pkg/apis/componentconfig"
 	componentconfigv1alpha1 "k8s.io/kubernetes/pkg/apis/componentconfig/v1alpha1"
 	"k8s.io/kubernetes/pkg/client/clientset_generated/clientset"
 	clientcertificates "k8s.io/kubernetes/pkg/client/clientset_generated/clientset/typed/certificates/v1beta1"
 	corelisters "k8s.io/kubernetes/pkg/client/listers/core/v1"
 	"k8s.io/kubernetes/pkg/cloudprovider"
 	"k8s.io/kubernetes/pkg/features"
@ -710,7 +706,7 @@ func NewMainKubelet(kubeCfg *componentconfig.KubeletConfiguration, kubeDeps *Kub
 		}
 		ips = append(ips, cloudIPs...)
 		names := append([]string{klet.GetHostname(), hostnameOverride}, cloudNames...)
-		klet.serverCertificateManager, err = initializeServerCertificateManager(klet.kubeClient, kubeCfg, klet.nodeName, ips, names)
+		klet.serverCertificateManager, err = certificate.NewKubeletServerCertificateManager(klet.kubeClient, kubeCfg, klet.nodeName, ips, names)
 		if err != nil {
 			return nil, fmt.Errorf("failed to initialize certificate manager: %v", err)
 		}
@ -1111,48 +1107,6 @@ type Kubelet struct {
 	dockerLegacyService dockershim.DockerLegacyService
 }
 func initializeServerCertificateManager(kubeClient clientset.Interface, kubeCfg *componentconfig.KubeletConfiguration, nodeName types.NodeName, ips []net.IP, hostnames []string) (certificate.Manager, error) {
 	var certSigningRequestClient clientcertificates.CertificateSigningRequestInterface
 	if kubeClient != nil && kubeClient.Certificates() != nil {
 		certSigningRequestClient = kubeClient.Certificates().CertificateSigningRequests()
 	}
 	certificateStore, err := certificate.NewFileStore(
 		"kubelet-server",
 		kubeCfg.CertDirectory,
 		kubeCfg.CertDirectory,
 		kubeCfg.TLSCertFile,
 		kubeCfg.TLSPrivateKeyFile)
 	if err != nil {
 		return nil, fmt.Errorf("failed to initialize certificate store: %v", err)
 	}
 	return certificate.NewManager(&certificate.Config{
 		CertificateSigningRequestClient: certSigningRequestClient,
 		Template: &x509.CertificateRequest{
 			Subject: pkix.Name{
 				CommonName:   fmt.Sprintf("system:node:%s", nodeName),
 				Organization: []string{"system:nodes"},
 			},
 			DNSNames:    hostnames,
 			IPAddresses: ips,
 		},
 		Usages: []certificates.KeyUsage{
 			// https://tools.ietf.org/html/rfc5280#section-4.2.1.3
 			//
 			// Digital signature allows the certificate to be used to verify
 			// digital signatures used during TLS negotiation.
 			certificates.UsageDigitalSignature,
 			// KeyEncipherment allows the cert/key pair to be used to encrypt
 			// keys, including the symetric keys negotiated during TLS setup
 			// and used for data transfer.
 			certificates.UsageKeyEncipherment,
 			// ServerAuth allows the cert to be used by a TLS server to
 			// authenticate itself to a TLS client.
 			certificates.UsageServerAuth,
 		},
 		CertificateStore: certificateStore,
 	})
 }
 func allLocalIPsWithoutLoopback() ([]net.IP, error) {
 	interfaces, err := net.Interfaces()
 	if err != nil {