Allow components to generate certificates in-memory

This commit is contained in:
Jordan Liggitt 2018-10-16 17:22:13 -04:00
parent 151830e45f
commit b7160d4ee2
4 changed files with 44 additions and 16 deletions

View File

@ -44,6 +44,7 @@ import (
"k8s.io/kubernetes/pkg/api/legacyscheme" "k8s.io/kubernetes/pkg/api/legacyscheme"
"k8s.io/kubernetes/pkg/controller" "k8s.io/kubernetes/pkg/controller"
"k8s.io/kubernetes/pkg/master/ports" "k8s.io/kubernetes/pkg/master/ports"
// add the kubernetes feature gates // add the kubernetes feature gates
_ "k8s.io/kubernetes/pkg/features" _ "k8s.io/kubernetes/pkg/features"
) )
@ -102,7 +103,8 @@ func NewCloudControllerManagerOptions() (*CloudControllerManagerOptions, error)
s.Authorization.RemoteKubeConfigFileOptional = true s.Authorization.RemoteKubeConfigFileOptional = true
s.Authorization.AlwaysAllowPaths = []string{"/healthz"} s.Authorization.AlwaysAllowPaths = []string{"/healthz"}
s.SecureServing.ServerCert.CertDirectory = "/var/run/kubernetes" // Set the PairName but leave certificate directory blank to generate in-memory by default
s.SecureServing.ServerCert.CertDirectory = ""
s.SecureServing.ServerCert.PairName = "cloud-controller-manager" s.SecureServing.ServerCert.PairName = "cloud-controller-manager"
s.SecureServing.BindPort = ports.CloudControllerManagerPort s.SecureServing.BindPort = ports.CloudControllerManagerPort

View File

@ -78,7 +78,7 @@ func TestDefaultFlags(t *testing.T) {
BindPort: 10258, BindPort: 10258,
BindAddress: net.ParseIP("0.0.0.0"), BindAddress: net.ParseIP("0.0.0.0"),
ServerCert: apiserveroptions.GeneratableKeyCert{ ServerCert: apiserveroptions.GeneratableKeyCert{
CertDirectory: "/var/run/kubernetes", CertDirectory: "",
PairName: "cloud-controller-manager", PairName: "cloud-controller-manager",
}, },
HTTP2MaxStreamsPerConnection: 0, HTTP2MaxStreamsPerConnection: 0,

View File

@ -190,7 +190,8 @@ func NewKubeControllerManagerOptions() (*KubeControllerManagerOptions, error) {
s.Authorization.RemoteKubeConfigFileOptional = true s.Authorization.RemoteKubeConfigFileOptional = true
s.Authorization.AlwaysAllowPaths = []string{"/healthz"} s.Authorization.AlwaysAllowPaths = []string{"/healthz"}
s.SecureServing.ServerCert.CertDirectory = "/var/run/kubernetes" // Set the PairName but leave certificate directory blank to generate in-memory by default
s.SecureServing.ServerCert.CertDirectory = ""
s.SecureServing.ServerCert.PairName = "kube-controller-manager" s.SecureServing.ServerCert.PairName = "kube-controller-manager"
s.SecureServing.BindPort = ports.KubeControllerManagerPort s.SecureServing.BindPort = ports.KubeControllerManagerPort

View File

@ -75,19 +75,25 @@ type CertKey struct {
} }
type GeneratableKeyCert struct { type GeneratableKeyCert struct {
// CertKey allows setting an explicit cert/key file to use.
CertKey CertKey CertKey CertKey
// CertDirectory is a directory that will contain the certificates. If the cert and key aren't specifically set // CertDirectory specifies a directory to write generated certificates to if CertFile/KeyFile aren't explicitly set.
// this will be used to derive a match with the "pair-name" // PairName is used to determine the filenames within CertDirectory.
// If CertDirectory and PairName are not set, an in-memory certificate will be generated.
CertDirectory string CertDirectory string
// PairName is the name which will be used with CertDirectory to make a cert and key filenames.
// It becomes CertDirectory/PairName.crt and CertDirectory/PairName.key
PairName string
// GeneratedCert holds an in-memory generated certificate if CertFile/KeyFile aren't explicitly set, and CertDirectory/PairName are not set.
GeneratedCert *tls.Certificate
// FixtureDirectory is a directory that contains test fixture used to avoid regeneration of certs during tests. // FixtureDirectory is a directory that contains test fixture used to avoid regeneration of certs during tests.
// The format is: // The format is:
// <host>_<ip>-<ip>_<alternateDNS>-<alternateDNS>.crt // <host>_<ip>-<ip>_<alternateDNS>-<alternateDNS>.crt
// <host>_<ip>-<ip>_<alternateDNS>-<alternateDNS>.key // <host>_<ip>-<ip>_<alternateDNS>-<alternateDNS>.key
FixtureDirectory string FixtureDirectory string
// PairName is the name which will be used with CertDirectory to make a cert and key names
// It becomes CertDirector/PairName.crt and CertDirector/PairName.key
PairName string
} }
func NewSecureServingOptions() *SecureServingOptions { func NewSecureServingOptions() *SecureServingOptions {
@ -121,6 +127,10 @@ func (s *SecureServingOptions) Validate() []error {
errors = append(errors, fmt.Errorf("--secure-port %v must be between 0 and 65535, inclusive. 0 for turning off secure port", s.BindPort)) errors = append(errors, fmt.Errorf("--secure-port %v must be between 0 and 65535, inclusive. 0 for turning off secure port", s.BindPort))
} }
if (len(s.ServerCert.CertKey.CertFile) != 0 || len(s.ServerCert.CertKey.KeyFile) != 0) && s.ServerCert.GeneratedCert != nil {
errors = append(errors, fmt.Errorf("cert/key file and in-memory certificate cannot both be set"))
}
return errors return errors
} }
@ -219,6 +229,8 @@ func (s *SecureServingOptions) ApplyTo(config **server.SecureServingInfo) error
return fmt.Errorf("unable to load server certificate: %v", err) return fmt.Errorf("unable to load server certificate: %v", err)
} }
c.Cert = &tlsCert c.Cert = &tlsCert
} else if s.ServerCert.GeneratedCert != nil {
c.Cert = s.ServerCert.GeneratedCert
} }
if len(s.CipherSuites) != 0 { if len(s.CipherSuites) != 0 {
@ -264,13 +276,20 @@ func (s *SecureServingOptions) MaybeDefaultWithSelfSignedCerts(publicAddress str
return nil return nil
} }
canReadCertAndKey := false
if len(s.ServerCert.CertDirectory) > 0 {
if len(s.ServerCert.PairName) == 0 {
return fmt.Errorf("PairName is required if CertDirectory is set")
}
keyCert.CertFile = path.Join(s.ServerCert.CertDirectory, s.ServerCert.PairName+".crt") keyCert.CertFile = path.Join(s.ServerCert.CertDirectory, s.ServerCert.PairName+".crt")
keyCert.KeyFile = path.Join(s.ServerCert.CertDirectory, s.ServerCert.PairName+".key") keyCert.KeyFile = path.Join(s.ServerCert.CertDirectory, s.ServerCert.PairName+".key")
if canRead, err := certutil.CanReadCertAndKey(keyCert.CertFile, keyCert.KeyFile); err != nil {
canReadCertAndKey, err := certutil.CanReadCertAndKey(keyCert.CertFile, keyCert.KeyFile)
if err != nil {
return err return err
} else {
canReadCertAndKey = canRead
} }
}
if !canReadCertAndKey { if !canReadCertAndKey {
// add either the bind address or localhost to the valid alternates // add either the bind address or localhost to the valid alternates
bindIP := s.BindAddress.String() bindIP := s.BindAddress.String()
@ -282,15 +301,21 @@ func (s *SecureServingOptions) MaybeDefaultWithSelfSignedCerts(publicAddress str
if cert, key, err := certutil.GenerateSelfSignedCertKeyWithFixtures(publicAddress, alternateIPs, alternateDNS, s.ServerCert.FixtureDirectory); err != nil { if cert, key, err := certutil.GenerateSelfSignedCertKeyWithFixtures(publicAddress, alternateIPs, alternateDNS, s.ServerCert.FixtureDirectory); err != nil {
return fmt.Errorf("unable to generate self signed cert: %v", err) return fmt.Errorf("unable to generate self signed cert: %v", err)
} else { } else if len(keyCert.CertFile) > 0 && len(keyCert.KeyFile) > 0 {
if err := certutil.WriteCert(keyCert.CertFile, cert); err != nil { if err := certutil.WriteCert(keyCert.CertFile, cert); err != nil {
return err return err
} }
if err := certutil.WriteKey(keyCert.KeyFile, key); err != nil { if err := certutil.WriteKey(keyCert.KeyFile, key); err != nil {
return err return err
} }
glog.Infof("Generated self-signed cert (%s, %s)", keyCert.CertFile, keyCert.KeyFile) glog.Infof("Generated self-signed cert (%s, %s)", keyCert.CertFile, keyCert.KeyFile)
} else {
tlsCert, err := tls.X509KeyPair(cert, key)
if err != nil {
return fmt.Errorf("unable to generate self signed cert: %v", err)
}
s.ServerCert.GeneratedCert = &tlsCert
glog.Infof("Generated self-signed cert in-memory")
} }
} }