From 56262ca56aa4395dfbe2965bf9cfb489cf57360c Mon Sep 17 00:00:00 2001 From: SataQiu Date: Tue, 5 Dec 2023 18:17:14 +0800 Subject: [PATCH] kubeadm: cleanup unused CreateCSR and associated functions --- cmd/kubeadm/app/phases/certs/certs.go | 36 --------- cmd/kubeadm/app/phases/certs/certs_test.go | 85 --------------------- cmd/kubeadm/app/util/pkiutil/pki_helpers.go | 15 ---- 3 files changed, 136 deletions(-) diff --git a/cmd/kubeadm/app/phases/certs/certs.go b/cmd/kubeadm/app/phases/certs/certs.go index ea4d34528c0..71fae77221f 100644 --- a/cmd/kubeadm/app/phases/certs/certs.go +++ b/cmd/kubeadm/app/phases/certs/certs.go @@ -139,15 +139,6 @@ func NewCSR(certSpec *KubeadmCert, cfg *kubeadmapi.InitConfiguration) (*x509.Cer return pkiutil.NewCSRAndKey(certConfig) } -// CreateCSR creates a certificate signing request -func CreateCSR(certSpec *KubeadmCert, cfg *kubeadmapi.InitConfiguration, path string) error { - csr, key, err := NewCSR(certSpec, cfg) - if err != nil { - return err - } - return writeCSRFilesIfNotExist(path, certSpec.BaseName, csr, key) -} - // CreateCertAndKeyFilesWithCA loads the given certificate authority from disk, then generates and writes out the given certificate and key. // The certSpec and caCertSpec should both be one of the variables from this package. func CreateCertAndKeyFilesWithCA(certSpec *KubeadmCert, caCertSpec *KubeadmCert, cfg *kubeadmapi.InitConfiguration) error { @@ -271,33 +262,6 @@ func writeCertificateFilesIfNotExist(pkiDir string, baseName string, signingCert return nil } -// writeCSRFilesIfNotExist writes a new CSR to the given path. -// If there already is a CSR file at the given path; kubeadm tries to load it and check if it's a valid certificate. -// otherwise this function returns an error. -func writeCSRFilesIfNotExist(csrDir string, baseName string, csr *x509.CertificateRequest, key crypto.Signer) error { - if pkiutil.CSROrKeyExist(csrDir, baseName) { - _, _, err := pkiutil.TryLoadCSRAndKeyFromDisk(csrDir, baseName) - if err != nil { - return errors.Wrapf(err, "%s CSR existed but it could not be loaded properly", baseName) - } - - fmt.Printf("[certs] Using the existing %q CSR\n", baseName) - } else { - // Write .key and .csr files to disk - fmt.Printf("[certs] Generating %q key and CSR\n", baseName) - - if err := pkiutil.WriteKey(csrDir, baseName, key); err != nil { - return errors.Wrapf(err, "failure while saving %s key", baseName) - } - - if err := pkiutil.WriteCSR(csrDir, baseName, csr); err != nil { - return errors.Wrapf(err, "failure while saving %s CSR", baseName) - } - } - - return nil -} - type certKeyLocation struct { pkiDir string caBaseName string diff --git a/cmd/kubeadm/app/phases/certs/certs_test.go b/cmd/kubeadm/app/phases/certs/certs_test.go index 755ff124ac8..c74655edf23 100644 --- a/cmd/kubeadm/app/phases/certs/certs_test.go +++ b/cmd/kubeadm/app/phases/certs/certs_test.go @@ -18,8 +18,6 @@ package certs import ( "bytes" - "crypto" - "crypto/sha256" "crypto/x509" "net" "os" @@ -41,20 +39,6 @@ import ( testutil "k8s.io/kubernetes/cmd/kubeadm/test" ) -func createTestCSR(t *testing.T) (*x509.CertificateRequest, crypto.Signer) { - csr, key, err := pkiutil.NewCSRAndKey( - &pkiutil.CertConfig{ - Config: certutil.Config{ - CommonName: "testCert", - }, - }) - if err != nil { - t.Fatalf("couldn't create test cert: %v", err) - } - - return csr, key -} - func TestWriteCertificateAuthorityFilesIfNotExist(t *testing.T) { setupCert, setupKey := certstestutil.CreateCACert(t) caCert, caKey := certstestutil.CreateCACert(t) @@ -235,75 +219,6 @@ func TestWriteCertificateFilesIfNotExist(t *testing.T) { } } -func TestWriteCSRFilesIfNotExist(t *testing.T) { - csr, key := createTestCSR(t) - csr2, key2 := createTestCSR(t) - - var tests = []struct { - name string - setupFunc func(csrPath string) error - expectedError bool - expectedCSR *x509.CertificateRequest - }{ - { - name: "no files exist", - expectedCSR: csr, - }, - { - name: "other key exists", - setupFunc: func(csrPath string) error { - if err := pkiutil.WriteCSR(csrPath, "dummy", csr2); err != nil { - return err - } - return pkiutil.WriteKey(csrPath, "dummy", key2) - }, - expectedCSR: csr2, - }, - { - name: "existing CSR is garbage", - setupFunc: func(csrPath string) error { - return os.WriteFile(filepath.Join(csrPath, "dummy.csr"), []byte("a--bunch--of-garbage"), os.ModePerm) - }, - expectedError: true, - }, - } - - for _, test := range tests { - t.Run(test.name, func(t *testing.T) { - tmpdir := testutil.SetupTempDir(t) - defer os.RemoveAll(tmpdir) - - if test.setupFunc != nil { - if err := test.setupFunc(tmpdir); err != nil { - t.Fatalf("couldn't set up test: %v", err) - } - } - - if err := writeCSRFilesIfNotExist(tmpdir, "dummy", csr, key); err != nil { - if test.expectedError { - return - } - t.Fatalf("unexpected error %v: ", err) - } - - if test.expectedError { - t.Fatal("Expected error, but got none") - } - - parsedCSR, _, err := pkiutil.TryLoadCSRAndKeyFromDisk(tmpdir, "dummy") - if err != nil { - t.Fatalf("couldn't load csr and key: %v", err) - } - - if sha256.Sum256(test.expectedCSR.Raw) != sha256.Sum256(parsedCSR.Raw) { - t.Error("expected csr's fingerprint does not match ") - } - - }) - } - -} - func TestCreateServiceAccountKeyAndPublicKeyFiles(t *testing.T) { setupKey, err := keyutil.MakeEllipticPrivateKeyPEM() if err != nil { diff --git a/cmd/kubeadm/app/util/pkiutil/pki_helpers.go b/cmd/kubeadm/app/util/pkiutil/pki_helpers.go index 5fa3de6a53b..b45592a92e2 100644 --- a/cmd/kubeadm/app/util/pkiutil/pki_helpers.go +++ b/cmd/kubeadm/app/util/pkiutil/pki_helpers.go @@ -334,21 +334,6 @@ func TryLoadKeyFromDisk(pkiPath, name string) (crypto.Signer, error) { return key, nil } -// TryLoadCSRAndKeyFromDisk tries to load the CSR and key from the disk -func TryLoadCSRAndKeyFromDisk(pkiPath, name string) (*x509.CertificateRequest, crypto.Signer, error) { - csr, err := TryLoadCSRFromDisk(pkiPath, name) - if err != nil { - return nil, nil, errors.Wrap(err, "could not load CSR file") - } - - key, err := TryLoadKeyFromDisk(pkiPath, name) - if err != nil { - return nil, nil, errors.Wrap(err, "could not load key file") - } - - return csr, key, nil -} - // TryLoadPrivatePublicKeyFromDisk tries to load the key from the disk and validates that it is valid func TryLoadPrivatePublicKeyFromDisk(pkiPath, name string) (crypto.PrivateKey, crypto.PublicKey, error) { privateKeyPath := pathForKey(pkiPath, name)