github/kubernetes
1
0
Fork 0
mirror of https://github.com/k3s-io/kubernetes.git synced 2025-08-14 06:15:45 +00:00
Code Issues Projects Releases Wiki Activity

cmd/kube-apiserver: avoid importing the kubeadm pkiutils package

Browse Source 
The package "k8s.io/kubernetes/cmd/kubeadm/app/util/pkiutil"
is used for a couple of function calls:
- pkiutil.NewCertAndKey() to generate a cert/key pair
- pkiutil.WriteCertAndKey() to write the pair to disk

Unroll and simplify the functions to obtain the same functionality
while removing the cmd/kubeadm dependency.
This commit is contained in:
Lubomir I. Ivanov 2023-09-05 14:14:47 +03:00
parent 8e2b12a220
commit 6ec8dbe5b5
1 changed files with 60 additions and 14 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

74
cmd/kube-apiserver/app/testing/testserver.go
View File

@ -18,9 +18,16 @@ package testing
import ( import (
"context" "context"
"crypto/ecdsa"
"crypto/elliptic"
"crypto/rand"
"crypto/rsa" "crypto/rsa"
"crypto/x509" "crypto/x509"
"crypto/x509/pkix"
"encoding/pem"
"fmt" "fmt"
"math"
"math/big"
"net" "net"
"os" "os"
"path/filepath" "path/filepath"
@ -44,6 +51,7 @@ import (
restclient "k8s.io/client-go/rest" restclient "k8s.io/client-go/rest"
clientgotransport "k8s.io/client-go/transport" clientgotransport "k8s.io/client-go/transport"
"k8s.io/client-go/util/cert" "k8s.io/client-go/util/cert"
"k8s.io/client-go/util/keyutil"
logsapi "k8s.io/component-base/logs/api/v1" logsapi "k8s.io/component-base/logs/api/v1"
"k8s.io/klog/v2" "k8s.io/klog/v2"
"k8s.io/kube-aggregator/pkg/apiserver" "k8s.io/kube-aggregator/pkg/apiserver"
@ -51,7 +59,6 @@ import (
"k8s.io/kubernetes/cmd/kube-apiserver/app" "k8s.io/kubernetes/cmd/kube-apiserver/app"
"k8s.io/kubernetes/cmd/kube-apiserver/app/options" "k8s.io/kubernetes/cmd/kube-apiserver/app/options"
"k8s.io/kubernetes/cmd/kubeadm/app/util/pkiutil"
testutil "k8s.io/kubernetes/test/utils" testutil "k8s.io/kubernetes/test/utils"
) )
@ -211,24 +218,63 @@ func StartTestServer(t Logger, instanceOptions *TestServerInstanceOptions, custo
// give the kube api server an "identity" it can use to for request header auth // give the kube api server an "identity" it can use to for request header auth
// so that aggregated api servers can understand who the calling user is // so that aggregated api servers can understand who the calling user is
s.Authentication.RequestHeader.AllowedNames = []string{"ash", "misty", "brock"} s.Authentication.RequestHeader.AllowedNames = []string{"ash", "misty", "brock"}
// make a client certificate for the api server - common name has to match one of our defined names above
tenThousandHoursLater := time.Now().Add(10_000 * time.Hour) // create private key
clientCrtOfAPIServer, signer, err := pkiutil.NewCertAndKey(proxySigningCert, proxySigningKey, &pkiutil.CertConfig{ signer, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
Config: cert.Config{
CommonName: "misty",
Usages: []x509.ExtKeyUsage{
x509.ExtKeyUsageClientAuth,
},
},
NotAfter: &tenThousandHoursLater,
PublicKeyAlgorithm: x509.ECDSA,
})
if err != nil { if err != nil {
return result, err return result, err
} }
if err := pkiutil.WriteCertAndKey(s.SecureServing.ServerCert.CertDirectory, "misty-crt", clientCrtOfAPIServer, signer); err != nil {
// make a client certificate for the api server - common name has to match one of our defined names above
serial, err := rand.Int(rand.Reader, new(big.Int).SetInt64(math.MaxInt64-1))
if err != nil {
return result, err return result, err
} }
serial = new(big.Int).Add(serial, big.NewInt(1))
tenThousandHoursLater := time.Now().Add(10_000 * time.Hour)
certTmpl := x509.Certificate{
Subject: pkix.Name{
CommonName: "misty",
},
SerialNumber: serial,
NotBefore: proxySigningCert.NotBefore,
NotAfter: tenThousandHoursLater,
KeyUsage: x509.KeyUsageKeyEncipherment | x509.KeyUsageDigitalSignature,
ExtKeyUsage: []x509.ExtKeyUsage{
x509.ExtKeyUsageClientAuth,
},
BasicConstraintsValid: true,
}
certDERBytes, err := x509.CreateCertificate(rand.Reader, &certTmpl, proxySigningCert, signer.Public(), proxySigningKey)
if err != nil {
return result, err
}
clientCrtOfAPIServer, err := x509.ParseCertificate(certDERBytes)
if err != nil {
return result, err
}
// write the cert to disk
certificatePath := filepath.Join(s.SecureServing.ServerCert.CertDirectory, "misty-crt.crt")
certBlock := pem.Block{
Type: "CERTIFICATE",
Bytes: clientCrtOfAPIServer.Raw,
}
certBytes := pem.EncodeToMemory(&certBlock)
if err := cert.WriteCert(certificatePath, certBytes); err != nil {
return result, err
}
// write the key to disk
privateKeyPath := filepath.Join(s.SecureServing.ServerCert.CertDirectory, "misty-crt.key")
encodedPrivateKey, err := keyutil.MarshalPrivateKeyToPEM(signer)
if err != nil {
return result, err
}
if err := keyutil.WriteKey(privateKeyPath, encodedPrivateKey); err != nil {
return result, err
}
s.ProxyClientKeyFile = filepath.Join(s.SecureServing.ServerCert.CertDirectory, "misty-crt.key") s.ProxyClientKeyFile = filepath.Join(s.SecureServing.ServerCert.CertDirectory, "misty-crt.key")
s.ProxyClientCertFile = filepath.Join(s.SecureServing.ServerCert.CertDirectory, "misty-crt.crt") s.ProxyClientCertFile = filepath.Join(s.SecureServing.ServerCert.CertDirectory, "misty-crt.crt")