Refactor crlf & crypto
This commit is contained in:
parent
7178fba251
commit
a4d04095d0
@ -66,6 +66,7 @@ import (
|
|||||||
"k8s.io/kubernetes/pkg/serviceaccount"
|
"k8s.io/kubernetes/pkg/serviceaccount"
|
||||||
"k8s.io/kubernetes/pkg/util"
|
"k8s.io/kubernetes/pkg/util"
|
||||||
"k8s.io/kubernetes/pkg/util/configz"
|
"k8s.io/kubernetes/pkg/util/configz"
|
||||||
|
"k8s.io/kubernetes/pkg/util/crypto"
|
||||||
"k8s.io/kubernetes/pkg/util/wait"
|
"k8s.io/kubernetes/pkg/util/wait"
|
||||||
|
|
||||||
"github.com/golang/glog"
|
"github.com/golang/glog"
|
||||||
@ -359,7 +360,7 @@ func StartControllers(s *options.CMServer, kubeClient *client.Client, kubeconfig
|
|||||||
if err != nil {
|
if err != nil {
|
||||||
return fmt.Errorf("error reading root-ca-file at %s: %v", s.RootCAFile, err)
|
return fmt.Errorf("error reading root-ca-file at %s: %v", s.RootCAFile, err)
|
||||||
}
|
}
|
||||||
if _, err := util.CertsFromPEM(rootCA); err != nil {
|
if _, err := crypto.CertsFromPEM(rootCA); err != nil {
|
||||||
return fmt.Errorf("error parsing root-ca-file at %s: %v", s.RootCAFile, err)
|
return fmt.Errorf("error parsing root-ca-file at %s: %v", s.RootCAFile, err)
|
||||||
}
|
}
|
||||||
} else {
|
} else {
|
||||||
|
@ -60,6 +60,7 @@ import (
|
|||||||
kubetypes "k8s.io/kubernetes/pkg/kubelet/types"
|
kubetypes "k8s.io/kubernetes/pkg/kubelet/types"
|
||||||
"k8s.io/kubernetes/pkg/util"
|
"k8s.io/kubernetes/pkg/util"
|
||||||
"k8s.io/kubernetes/pkg/util/configz"
|
"k8s.io/kubernetes/pkg/util/configz"
|
||||||
|
"k8s.io/kubernetes/pkg/util/crypto"
|
||||||
"k8s.io/kubernetes/pkg/util/flock"
|
"k8s.io/kubernetes/pkg/util/flock"
|
||||||
"k8s.io/kubernetes/pkg/util/io"
|
"k8s.io/kubernetes/pkg/util/io"
|
||||||
"k8s.io/kubernetes/pkg/util/mount"
|
"k8s.io/kubernetes/pkg/util/mount"
|
||||||
@ -377,7 +378,7 @@ func InitializeTLS(s *options.KubeletServer) (*server.TLSOptions, error) {
|
|||||||
if s.TLSCertFile == "" && s.TLSPrivateKeyFile == "" {
|
if s.TLSCertFile == "" && s.TLSPrivateKeyFile == "" {
|
||||||
s.TLSCertFile = path.Join(s.CertDirectory, "kubelet.crt")
|
s.TLSCertFile = path.Join(s.CertDirectory, "kubelet.crt")
|
||||||
s.TLSPrivateKeyFile = path.Join(s.CertDirectory, "kubelet.key")
|
s.TLSPrivateKeyFile = path.Join(s.CertDirectory, "kubelet.key")
|
||||||
if err := util.GenerateSelfSignedCert(nodeutil.GetHostname(s.HostnameOverride), s.TLSCertFile, s.TLSPrivateKeyFile, nil, nil); err != nil {
|
if err := crypto.GenerateSelfSignedCert(nodeutil.GetHostname(s.HostnameOverride), s.TLSCertFile, s.TLSPrivateKeyFile, nil, nil); err != nil {
|
||||||
return nil, fmt.Errorf("unable to generate self signed cert: %v", err)
|
return nil, fmt.Errorf("unable to generate self signed cert: %v", err)
|
||||||
}
|
}
|
||||||
glog.V(4).Infof("Using self-signed cert (%s, %s)", s.TLSCertFile, s.TLSPrivateKeyFile)
|
glog.V(4).Infof("Using self-signed cert (%s, %s)", s.TLSCertFile, s.TLSPrivateKeyFile)
|
||||||
|
@ -59,6 +59,7 @@ import (
|
|||||||
quotainstall "k8s.io/kubernetes/pkg/quota/install"
|
quotainstall "k8s.io/kubernetes/pkg/quota/install"
|
||||||
"k8s.io/kubernetes/pkg/serviceaccount"
|
"k8s.io/kubernetes/pkg/serviceaccount"
|
||||||
"k8s.io/kubernetes/pkg/util"
|
"k8s.io/kubernetes/pkg/util"
|
||||||
|
"k8s.io/kubernetes/pkg/util/crypto"
|
||||||
"k8s.io/kubernetes/pkg/util/wait"
|
"k8s.io/kubernetes/pkg/util/wait"
|
||||||
|
|
||||||
"k8s.io/kubernetes/contrib/mesos/pkg/profile"
|
"k8s.io/kubernetes/contrib/mesos/pkg/profile"
|
||||||
@ -309,7 +310,7 @@ func (s *CMServer) Run(_ []string) error {
|
|||||||
if err != nil {
|
if err != nil {
|
||||||
return fmt.Errorf("error reading root-ca-file at %s: %v", s.RootCAFile, err)
|
return fmt.Errorf("error reading root-ca-file at %s: %v", s.RootCAFile, err)
|
||||||
}
|
}
|
||||||
if _, err := util.CertsFromPEM(rootCA); err != nil {
|
if _, err := crypto.CertsFromPEM(rootCA); err != nil {
|
||||||
return fmt.Errorf("error parsing root-ca-file at %s: %v", s.RootCAFile, err)
|
return fmt.Errorf("error parsing root-ca-file at %s: %v", s.RootCAFile, err)
|
||||||
}
|
}
|
||||||
} else {
|
} else {
|
||||||
|
@ -22,7 +22,7 @@ import (
|
|||||||
"k8s.io/kubernetes/pkg/auth/authenticator"
|
"k8s.io/kubernetes/pkg/auth/authenticator"
|
||||||
"k8s.io/kubernetes/pkg/auth/authenticator/bearertoken"
|
"k8s.io/kubernetes/pkg/auth/authenticator/bearertoken"
|
||||||
"k8s.io/kubernetes/pkg/serviceaccount"
|
"k8s.io/kubernetes/pkg/serviceaccount"
|
||||||
"k8s.io/kubernetes/pkg/util"
|
"k8s.io/kubernetes/pkg/util/crypto"
|
||||||
"k8s.io/kubernetes/plugin/pkg/auth/authenticator/password/passwordfile"
|
"k8s.io/kubernetes/plugin/pkg/auth/authenticator/password/passwordfile"
|
||||||
"k8s.io/kubernetes/plugin/pkg/auth/authenticator/request/basicauth"
|
"k8s.io/kubernetes/plugin/pkg/auth/authenticator/request/basicauth"
|
||||||
"k8s.io/kubernetes/plugin/pkg/auth/authenticator/request/keystone"
|
"k8s.io/kubernetes/plugin/pkg/auth/authenticator/request/keystone"
|
||||||
@ -159,7 +159,7 @@ func newServiceAccountAuthenticator(keyfile string, lookup bool, serviceAccountG
|
|||||||
|
|
||||||
// newAuthenticatorFromClientCAFile returns an authenticator.Request or an error
|
// newAuthenticatorFromClientCAFile returns an authenticator.Request or an error
|
||||||
func newAuthenticatorFromClientCAFile(clientCAFile string) (authenticator.Request, error) {
|
func newAuthenticatorFromClientCAFile(clientCAFile string) (authenticator.Request, error) {
|
||||||
roots, err := util.CertPoolFromFile(clientCAFile)
|
roots, err := crypto.CertPoolFromFile(clientCAFile)
|
||||||
if err != nil {
|
if err != nil {
|
||||||
return nil, err
|
return nil, err
|
||||||
}
|
}
|
||||||
|
@ -31,7 +31,7 @@ import (
|
|||||||
"k8s.io/kubernetes/pkg/api"
|
"k8s.io/kubernetes/pkg/api"
|
||||||
"k8s.io/kubernetes/pkg/api/unversioned"
|
"k8s.io/kubernetes/pkg/api/unversioned"
|
||||||
"k8s.io/kubernetes/pkg/runtime"
|
"k8s.io/kubernetes/pkg/runtime"
|
||||||
"k8s.io/kubernetes/pkg/util"
|
"k8s.io/kubernetes/pkg/util/crypto"
|
||||||
"k8s.io/kubernetes/pkg/version"
|
"k8s.io/kubernetes/pkg/version"
|
||||||
)
|
)
|
||||||
|
|
||||||
@ -235,7 +235,7 @@ func InClusterConfig() (*Config, error) {
|
|||||||
}
|
}
|
||||||
tlsClientConfig := TLSClientConfig{}
|
tlsClientConfig := TLSClientConfig{}
|
||||||
rootCAFile := "/var/run/secrets/kubernetes.io/serviceaccount/" + api.ServiceAccountRootCAKey
|
rootCAFile := "/var/run/secrets/kubernetes.io/serviceaccount/" + api.ServiceAccountRootCAKey
|
||||||
if _, err := util.CertPoolFromFile(rootCAFile); err != nil {
|
if _, err := crypto.CertPoolFromFile(rootCAFile); err != nil {
|
||||||
glog.Errorf("Expected to load root CA config from %s, but got err: %v", rootCAFile, err)
|
glog.Errorf("Expected to load root CA config from %s, but got err: %v", rootCAFile, err)
|
||||||
} else {
|
} else {
|
||||||
tlsClientConfig.CAFile = rootCAFile
|
tlsClientConfig.CAFile = rootCAFile
|
||||||
|
@ -45,6 +45,7 @@ import (
|
|||||||
"k8s.io/kubernetes/pkg/storage"
|
"k8s.io/kubernetes/pkg/storage"
|
||||||
"k8s.io/kubernetes/pkg/ui"
|
"k8s.io/kubernetes/pkg/ui"
|
||||||
"k8s.io/kubernetes/pkg/util"
|
"k8s.io/kubernetes/pkg/util"
|
||||||
|
"k8s.io/kubernetes/pkg/util/crypto"
|
||||||
utilnet "k8s.io/kubernetes/pkg/util/net"
|
utilnet "k8s.io/kubernetes/pkg/util/net"
|
||||||
utilruntime "k8s.io/kubernetes/pkg/util/runtime"
|
utilruntime "k8s.io/kubernetes/pkg/util/runtime"
|
||||||
"k8s.io/kubernetes/pkg/util/sets"
|
"k8s.io/kubernetes/pkg/util/sets"
|
||||||
@ -679,7 +680,7 @@ func (s *GenericAPIServer) Run(options *ServerRunOptions) {
|
|||||||
}
|
}
|
||||||
|
|
||||||
if len(options.ClientCAFile) > 0 {
|
if len(options.ClientCAFile) > 0 {
|
||||||
clientCAs, err := util.CertPoolFromFile(options.ClientCAFile)
|
clientCAs, err := crypto.CertPoolFromFile(options.ClientCAFile)
|
||||||
if err != nil {
|
if err != nil {
|
||||||
glog.Fatalf("Unable to load client CA file: %v", err)
|
glog.Fatalf("Unable to load client CA file: %v", err)
|
||||||
}
|
}
|
||||||
@ -699,7 +700,7 @@ func (s *GenericAPIServer) Run(options *ServerRunOptions) {
|
|||||||
alternateDNS := []string{"kubernetes.default.svc", "kubernetes.default", "kubernetes"}
|
alternateDNS := []string{"kubernetes.default.svc", "kubernetes.default", "kubernetes"}
|
||||||
// It would be nice to set a fqdn subject alt name, but only the kubelets know, the apiserver is clueless
|
// It would be nice to set a fqdn subject alt name, but only the kubelets know, the apiserver is clueless
|
||||||
// alternateDNS = append(alternateDNS, "kubernetes.default.svc.CLUSTER.DNS.NAME")
|
// alternateDNS = append(alternateDNS, "kubernetes.default.svc.CLUSTER.DNS.NAME")
|
||||||
if err := util.GenerateSelfSignedCert(s.ClusterIP.String(), options.TLSCertFile, options.TLSPrivateKeyFile, alternateIPs, alternateDNS); err != nil {
|
if err := crypto.GenerateSelfSignedCert(s.ClusterIP.String(), options.TLSCertFile, options.TLSPrivateKeyFile, alternateIPs, alternateDNS); err != nil {
|
||||||
glog.Errorf("Unable to generate self signed cert: %v", err)
|
glog.Errorf("Unable to generate self signed cert: %v", err)
|
||||||
} else {
|
} else {
|
||||||
glog.Infof("Using self-signed cert (%v, %v)", options.TLSCertFile, options.TLSPrivateKeyFile)
|
glog.Infof("Using self-signed cert (%v, %v)", options.TLSCertFile, options.TLSPrivateKeyFile)
|
||||||
|
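--- /dev/null
+++ b/pkg/util/crlf/crlf.go
@@ -0,0 +1,57 @@
+/*
+Copyright 2015 The Kubernetes Authors All rights reserved.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package crlf
+
+import (
+"bytes"
+"io"
+)
+
+type crlfWriter struct {
+io.Writer
+}
+
+// NewCRLFWriter implements a CR/LF line ending writer used for normalizing
+// text for Windows platforms.
+func NewCRLFWriter(w io.Writer) io.Writer {
+return crlfWriter{w}
+}
+
+func (w crlfWriter) Write(b []byte) (n int, err error) {
+for i, written := 0, 0; ; {
+next := bytes.Index(b[i:], []byte("\n"))
+if next == -1 {
+n, err := w.Writer.Write(b[i:])
+return written + n, err
+}
+next = next + i
+n, err := w.Writer.Write(b[i:next])
+if err != nil {
+return written + n, err
+}
+written += n
+n, err = w.Writer.Write([]byte("\r\n"))
+if err != nil {
+if n > 1 {
+n = 1
+}
+return written + n, err
+}
+written += 1
+i = next + 1
+}
+}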
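Review bot: `Write` turns input that already carries CRLF line endings into `\r\r\n`, because the loop around `next := bytes.Index(b[i:], []byte("\n"))` never checks whether the byte before the `\n` is a `\r`; a writer documented as "normalizing text for Windows platforms" should be idempotent on already-normalized input, so such lines should be passed through untouched as sketched below. A `\r` at the end of one `Write` call followed by a `\n` at the start of the next still cannot be detected, since `crlfWriter` keeps no state between calls, which deserves a sentence on `NewCRLFWriter` such as `// A CR/LF pair split across two Write calls is not recognised and will be doubled.`. The `if n > 1 { n = 1 }` clamp also over-reports by one when the underlying writer fails after landing only the `\r` of the pair (n == 1), since the input `\n` was not consumed; returning `written` alone in that case is more accurate. Minor: `[]byte("\n")` and `[]byte("\r\n")` are re-allocated on every iteration; `bytes.IndexByte(b[i:], '\n')` and a package-level `var crlf = []byte("\r\n")` avoid that.

```go
func (w crlfWriter) Write(b []byte) (n int, err error) {
	for i, written := 0, 0; ; {
		next := bytes.IndexByte(b[i:], '\n')
		// … unchanged: tail without newline is written and returned …
		next = next + i
		// Already CR/LF-terminated: pass the line through unchanged so the
		// writer is idempotent on input that was normalized before.
		if next > i && b[next-1] == '\r' {
			n, err := w.Writer.Write(b[i : next+1])
			written += n
			if err != nil {
				return written, err
			}
			i = next + 1
			continue
		}
		// … unchanged: write b[i:next], then "\r\n", advance i …
```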
|
@ -14,7 +14,7 @@ See the License for the specific language governing permissions and
|
|||||||
limitations under the License.
|
limitations under the License.
|
||||||
*/
|
*/
|
||||||
|
|
||||||
package util
|
package crypto
|
||||||
|
|
||||||
import (
|
import (
|
||||||
"bytes"
|
"bytes"
|
@ -30,7 +30,7 @@ import (
|
|||||||
"github.com/coreos/go-oidc/oidc"
|
"github.com/coreos/go-oidc/oidc"
|
||||||
"github.com/golang/glog"
|
"github.com/golang/glog"
|
||||||
"k8s.io/kubernetes/pkg/auth/user"
|
"k8s.io/kubernetes/pkg/auth/user"
|
||||||
"k8s.io/kubernetes/pkg/util"
|
"k8s.io/kubernetes/pkg/util/crypto"
|
||||||
"k8s.io/kubernetes/pkg/util/net"
|
"k8s.io/kubernetes/pkg/util/net"
|
||||||
)
|
)
|
||||||
|
|
||||||
@ -65,7 +65,7 @@ func New(issuerURL, clientID, caFile, usernameClaim, groupsClaim string) (*OIDCA
|
|||||||
}
|
}
|
||||||
|
|
||||||
if caFile != "" {
|
if caFile != "" {
|
||||||
roots, err = util.CertPoolFromFile(caFile)
|
roots, err = crypto.CertPoolFromFile(caFile)
|
||||||
if err != nil {
|
if err != nil {
|
||||||
glog.Errorf("Failed to read the CA file: %v", err)
|
glog.Errorf("Failed to read the CA file: %v", err)
|
||||||
}
|
}
|
||||||
|
@ -137,7 +137,7 @@ func (op *oidcProvider) generateExpiredToken(t *testing.T, iss, sub, aud string,
|
|||||||
}
|
}
|
||||||
|
|
||||||
// generateSelfSignedCert generates a self-signed cert/key pairs and writes to the certPath/keyPath.
|
// generateSelfSignedCert generates a self-signed cert/key pairs and writes to the certPath/keyPath.
|
||||||
// This method is mostly identical to util.GenerateSelfSignedCert except for the 'IsCA' and 'KeyUsage'
|
// This method is mostly identical to crypto.GenerateSelfSignedCert except for the 'IsCA' and 'KeyUsage'
|
||||||
// in the certificate template. (Maybe we can merge these two methods).
|
// in the certificate template. (Maybe we can merge these two methods).
|
||||||
func generateSelfSignedCert(t *testing.T, host, certPath, keyPath string) {
|
func generateSelfSignedCert(t *testing.T, host, certPath, keyPath string) {
|
||||||
priv, err := rsa.GenerateKey(rand.Reader, 2048)
|
priv, err := rsa.GenerateKey(rand.Reader, 2048)
|
||||||
|