mirror of
https://github.com/k3s-io/kubernetes.git
synced 2025-10-21 14:38:46 +00:00
kubeadm: Implement certificate download for join
This implements the certificate download for the join process. If certificates have been uploaded during init (or explicitly on any master node) and the secret is still present in the cluster, the join process will try to download the secret data, decrypting it with the provided key in the new `--certificate-key` flag.
This commit is contained in:
Rafael Fernández López
@@ -2,8 +2,8 @@ load("@io_bazel_rules_go//go:def.bzl", "go_library", "go_test")
|
||||
|
||||
go_library(
|
||||
name = "go_default_library",
|
||||
srcs = ["uploadcerts.go"],
|
||||
importpath = "k8s.io/kubernetes/cmd/kubeadm/app/phases/uploadcerts",
|
||||
srcs = ["copycerts.go"],
|
||||
importpath = "k8s.io/kubernetes/cmd/kubeadm/app/phases/copycerts",
|
||||
visibility = ["//visibility:public"],
|
||||
deps = [
|
||||
"//cmd/kubeadm/app/apis/kubeadm:go_default_library",
|
||||
@@ -14,9 +14,12 @@ go_library(
|
||||
"//pkg/apis/rbac/v1:go_default_library",
|
||||
"//staging/src/k8s.io/api/core/v1:go_default_library",
|
||||
"//staging/src/k8s.io/api/rbac/v1:go_default_library",
|
||||
"//staging/src/k8s.io/apimachinery/pkg/api/errors:go_default_library",
|
||||
"//staging/src/k8s.io/apimachinery/pkg/apis/meta/v1:go_default_library",
|
||||
"//staging/src/k8s.io/apimachinery/pkg/runtime/schema:go_default_library",
|
||||
"//staging/src/k8s.io/client-go/kubernetes:go_default_library",
|
||||
"//staging/src/k8s.io/client-go/util/cert:go_default_library",
|
||||
"//staging/src/k8s.io/client-go/util/keyutil:go_default_library",
|
||||
"//staging/src/k8s.io/cluster-bootstrap/token/util:go_default_library",
|
||||
"//vendor/github.com/pkg/errors:go_default_library",
|
||||
],
|
||||
@@ -38,7 +41,7 @@ filegroup(
|
||||
|
||||
go_test(
|
||||
name = "go_default_test",
|
||||
srcs = ["uploadcerts_test.go"],
|
||||
srcs = ["copycerts_test.go"],
|
||||
embed = [":go_default_library"],
|
||||
deps = [
|
||||
"//cmd/kubeadm/app/apis/kubeadm:go_default_library",
|
||||
@@ -14,7 +14,7 @@ See the License for the specific language governing permissions and
|
||||
limitations under the License.
|
||||
*/
|
||||
|
||||
package uploadcerts
|
||||
package copycerts
|
||||
|
||||
import (
|
||||
"encoding/hex"
|
||||
@@ -28,9 +28,12 @@ import (
|
||||
|
||||
v1 "k8s.io/api/core/v1"
|
||||
rbac "k8s.io/api/rbac/v1"
|
||||
apierrors "k8s.io/apimachinery/pkg/api/errors"
|
||||
metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
|
||||
"k8s.io/apimachinery/pkg/runtime/schema"
|
||||
clientset "k8s.io/client-go/kubernetes"
|
||||
certutil "k8s.io/client-go/util/cert"
|
||||
keyutil "k8s.io/client-go/util/keyutil"
|
||||
bootstraputil "k8s.io/cluster-bootstrap/token/util"
|
||||
kubeadmapi "k8s.io/kubernetes/cmd/kubeadm/app/apis/kubeadm"
|
||||
kubeadmconstants "k8s.io/kubernetes/cmd/kubeadm/app/constants"
|
||||
@@ -92,7 +95,7 @@ func UploadCerts(client clientset.Interface, cfg *kubeadmapi.InitConfiguration,
|
||||
return err
|
||||
}
|
||||
|
||||
secretData, err := getSecretData(cfg, decodedKey)
|
||||
secretData, err := getDataFromDisk(cfg, decodedKey)
|
||||
if err != nil {
|
||||
return err
|
||||
}
|
||||
@@ -169,7 +172,7 @@ func loadAndEncryptCert(certPath string, key []byte) ([]byte, error) {
|
||||
return cryptoutil.EncryptBytes(cert, key)
|
||||
}
|
||||
|
||||
func certsToUpload(cfg *kubeadmapi.InitConfiguration) map[string]string {
|
||||
func certsToTransfer(cfg *kubeadmapi.InitConfiguration) map[string]string {
|
||||
certsDir := cfg.CertificatesDir
|
||||
certs := map[string]string{
|
||||
kubeadmconstants.CACertName: path.Join(certsDir, kubeadmconstants.CACertName),
|
||||
@@ -191,15 +194,85 @@ func certsToUpload(cfg *kubeadmapi.InitConfiguration) map[string]string {
|
||||
return certs
|
||||
}
|
||||
|
||||
func getSecretData(cfg *kubeadmapi.InitConfiguration, key []byte) (map[string][]byte, error) {
|
||||
func getDataFromDisk(cfg *kubeadmapi.InitConfiguration, key []byte) (map[string][]byte, error) {
|
||||
secretData := map[string][]byte{}
|
||||
for certName, certPath := range certsToUpload(cfg) {
|
||||
for certName, certPath := range certsToTransfer(cfg) {
|
||||
cert, err := loadAndEncryptCert(certPath, key)
|
||||
if err == nil || (err != nil && os.IsNotExist(err)) {
|
||||
secretData[strings.Replace(certName, "/", "-", -1)] = cert
|
||||
secretData[certOrKeyNameToSecretName(certName)] = cert
|
||||
} else {
|
||||
return nil, err
|
||||
}
|
||||
}
|
||||
return secretData, nil
|
||||
}
|
||||
|
||||
// DownloadCerts downloads the certificates needed to join a new control plane.
|
||||
func DownloadCerts(client clientset.Interface, cfg *kubeadmapi.InitConfiguration, key string) error {
|
||||
fmt.Printf("[download-certs] downloading the certificates in Secret %q in the %q Namespace\n", kubeadmconstants.KubeadmCertsSecret, metav1.NamespaceSystem)
|
||||
|
||||
decodedKey, err := hex.DecodeString(key)
|
||||
if err != nil {
|
||||
return errors.Wrap(err, "error decoding certificate key")
|
||||
}
|
||||
|
||||
secret, err := getSecret(client)
|
||||
if err != nil {
|
||||
return errors.Wrap(err, "error downloading the secret")
|
||||
}
|
||||
|
||||
secretData, err := getDataFromSecret(secret, decodedKey)
|
||||
if err != nil {
|
||||
return errors.Wrap(err, "error decoding secret data with provided key")
|
||||
}
|
||||
|
||||
for certOrKeyName, certOrKeyPath := range certsToTransfer(cfg) {
|
||||
certOrKeyData, found := secretData[certOrKeyNameToSecretName(certOrKeyName)]
|
||||
if !found {
|
||||
return errors.New("couldn't find required certificate or key in Secret")
|
||||
}
|
||||
if err := writeCertOrKey(certOrKeyPath, certOrKeyData); err != nil {
|
||||
return err
|
||||
}
|
||||
}
|
||||
|
||||
return nil
|
||||
}
|
||||
|
||||
func writeCertOrKey(certOrKeyPath string, certOrKeyData []byte) error {
|
||||
if _, err := keyutil.ParsePublicKeysPEM(certOrKeyData); err == nil {
|
||||
return keyutil.WriteKey(certOrKeyPath, certOrKeyData)
|
||||
} else if _, err := certutil.ParseCertsPEM(certOrKeyData); err == nil {
|
||||
return certutil.WriteCert(certOrKeyPath, certOrKeyData)
|
||||
}
|
||||
return errors.New("unknown data found in Secret entry")
|
||||
}
|
||||
|
||||
func getSecret(client clientset.Interface) (*v1.Secret, error) {
|
||||
secret, err := client.CoreV1().Secrets(metav1.NamespaceSystem).Get(kubeadmconstants.KubeadmCertsSecret, metav1.GetOptions{})
|
||||
if err != nil {
|
||||
if apierrors.IsNotFound(err) {
|
||||
return nil, errors.Errorf("Secret %q was not found in the %q Namespace. This Secret might have expired. Please, run `kubeadm init phase upload-certs` on a control plane to generate a new one", kubeadmconstants.KubeadmCertsSecret, metav1.NamespaceSystem)
|
||||
}
|
||||
return nil, err
|
||||
}
|
||||
return secret, nil
|
||||
}
|
||||
|
||||
func getDataFromSecret(secret *v1.Secret, key []byte) (map[string][]byte, error) {
|
||||
secretData := map[string][]byte{}
|
||||
for certName, encryptedCert := range secret.Data {
|
||||
cert, err := cryptoutil.DecryptBytes(encryptedCert, key)
|
||||
if err != nil {
|
||||
// If any of the decrypt operations fail do not return a partial result,
|
||||
// return an empty result immediately
|
||||
return map[string][]byte{}, err
|
||||
}
|
||||
secretData[certName] = cert
|
||||
}
|
||||
return secretData, nil
|
||||
}
|
||||
|
||||
func certOrKeyNameToSecretName(certOrKeyName string) string {
|
||||
return strings.Replace(certOrKeyName, "/", "-", -1)
|
||||
}
|
||||
@@ -14,7 +14,7 @@ See the License for the specific language governing permissions and
|
||||
limitations under the License.
|
||||
*/
|
||||
|
||||
package uploadcerts
|
||||
package copycerts
|
||||
|
||||
import (
|
||||
"encoding/hex"
|
||||
@@ -38,7 +38,7 @@ func TestUploadCerts(t *testing.T) {
|
||||
}
|
||||
|
||||
//teste cert name, teste cert can be decrypted
|
||||
func TestGetSecretData(t *testing.T) {
|
||||
func TestGetDataFromInitConfig(t *testing.T) {
|
||||
certData := []byte("cert-data")
|
||||
tmpdir := testutil.SetupTempDir(t)
|
||||
defer os.RemoveAll(tmpdir)
|
||||
@@ -58,14 +58,14 @@ func TestGetSecretData(t *testing.T) {
|
||||
t.Fatalf(dedent.Dedent("failed to create etcd cert dir.\nfatal error: %v"), err)
|
||||
}
|
||||
|
||||
certs := certsToUpload(cfg)
|
||||
certs := certsToTransfer(cfg)
|
||||
for name, path := range certs {
|
||||
if err := ioutil.WriteFile(path, certData, 0644); err != nil {
|
||||
t.Fatalf(dedent.Dedent("failed to write cert: %s\nfatal error: %v"), name, err)
|
||||
}
|
||||
}
|
||||
|
||||
secretData, err := getSecretData(cfg, decodedKey)
|
||||
secretData, err := getDataFromDisk(cfg, decodedKey)
|
||||
if err != nil {
|
||||
t.Fatalf("failed to get secret data. fatal error: %v", err)
|
||||
}
|
||||
@@ -83,29 +83,44 @@ func TestGetSecretData(t *testing.T) {
|
||||
}
|
||||
}
|
||||
|
||||
func TestCertsToUpload(t *testing.T) {
|
||||
func TestCertsToTransfer(t *testing.T) {
|
||||
localEtcdCfg := &kubeadmapi.InitConfiguration{}
|
||||
externalEtcdCfg := &kubeadmapi.InitConfiguration{}
|
||||
externalEtcdCfg.Etcd = kubeadmapi.Etcd{}
|
||||
externalEtcdCfg.Etcd.External = &kubeadmapi.ExternalEtcd{}
|
||||
|
||||
commonExpectedCerts := []string{
|
||||
kubeadmconstants.CACertName,
|
||||
kubeadmconstants.CAKeyName,
|
||||
kubeadmconstants.FrontProxyCACertName,
|
||||
kubeadmconstants.FrontProxyCAKeyName,
|
||||
kubeadmconstants.ServiceAccountPublicKeyName,
|
||||
kubeadmconstants.ServiceAccountPrivateKeyName,
|
||||
}
|
||||
|
||||
tests := map[string]struct {
|
||||
config *kubeadmapi.InitConfiguration
|
||||
expectedCerts []string
|
||||
}{
|
||||
"local etcd": {
|
||||
config: localEtcdCfg,
|
||||
expectedCerts: []string{kubeadmconstants.EtcdCACertName, kubeadmconstants.EtcdCAKeyName},
|
||||
config: localEtcdCfg,
|
||||
expectedCerts: append(
|
||||
[]string{kubeadmconstants.EtcdCACertName, kubeadmconstants.EtcdCAKeyName},
|
||||
commonExpectedCerts...,
|
||||
),
|
||||
},
|
||||
"external etcd": {
|
||||
config: externalEtcdCfg,
|
||||
expectedCerts: []string{externalEtcdCA, externalEtcdCert, externalEtcdKey},
|
||||
config: externalEtcdCfg,
|
||||
expectedCerts: append(
|
||||
[]string{externalEtcdCA, externalEtcdCert, externalEtcdKey},
|
||||
commonExpectedCerts...,
|
||||
),
|
||||
},
|
||||
}
|
||||
|
||||
for name, test := range tests {
|
||||
t.Run(name, func(t2 *testing.T) {
|
||||
certList := certsToUpload(test.config)
|
||||
certList := certsToTransfer(test.config)
|
||||
for _, cert := range test.expectedCerts {
|
||||
if _, found := certList[cert]; !found {
|
||||
t2.Fatalf(dedent.Dedent("failed to get list of certs to upload\ncert %s not found"), cert)
|
||||
@@ -114,3 +129,30 @@ func TestCertsToUpload(t *testing.T) {
|
||||
})
|
||||
}
|
||||
}
|
||||
|
||||
func TestCertOrKeyNameToSecretName(t *testing.T) {
|
||||
tests := []struct {
|
||||
keyName string
|
||||
expectedSecretName string
|
||||
}{
|
||||
{
|
||||
keyName: "apiserver-kubelet-client.crt",
|
||||
expectedSecretName: "apiserver-kubelet-client.crt",
|
||||
},
|
||||
{
|
||||
keyName: "etcd/ca.crt",
|
||||
expectedSecretName: "etcd-ca.crt",
|
||||
},
|
||||
{
|
||||
keyName: "etcd/healthcheck-client.crt",
|
||||
expectedSecretName: "etcd-healthcheck-client.crt",
|
||||
},
|
||||
}
|
||||
|
||||
for _, tc := range tests {
|
||||
secretName := certOrKeyNameToSecretName(tc.keyName)
|
||||
if secretName != tc.expectedSecretName {
|
||||
t.Fatalf("secret name %s didn't match expected name %s", secretName, tc.expectedSecretName)
|
||||
}
|
||||
}
|
||||
}
|
||||
Reference in New Issue
Block a user