rke/cluster/certificates.go

package cluster

import (
	"context"
	"crypto/rsa"
	"fmt"
	"strings"

	"github.com/rancher/rke/hosts"
	"github.com/rancher/rke/k8s"
	"github.com/rancher/rke/log"
	"github.com/rancher/rke/pki"
	"github.com/rancher/rke/services"
	"github.com/sirupsen/logrus"
	"k8s.io/client-go/util/cert"
)

type RotateCertificatesFlags struct {
	RotateCACerts    bool
	RotateComponents []string
}

func SetUpAuthentication(ctx context.Context, kubeCluster, currentCluster *Cluster, fullState *FullState) error {
	if kubeCluster.Authentication.Strategy == X509AuthenticationProvider {
		kubeCluster.Certificates = fullState.DesiredState.CertificatesBundle
		return nil
	}
	return nil
}

func regenerateAPICertificate(c *Cluster, certificates map[string]pki.CertificatePKI) (map[string]pki.CertificatePKI, error) {
	logrus.Debugf("[certificates] Regenerating kubeAPI certificate")
	kubeAPIAltNames := pki.GetAltNames(c.ControlPlaneHosts, c.ClusterDomain, c.KubernetesServiceIP, c.Authentication.SANs)
	caCrt := certificates[pki.CACertName].Certificate
	caKey := certificates[pki.CACertName].Key
	kubeAPIKey := certificates[pki.KubeAPICertName].Key
	kubeAPICert, _, err := pki.GenerateSignedCertAndKey(caCrt, caKey, true, pki.KubeAPICertName, kubeAPIAltNames, kubeAPIKey, nil)
	if err != nil {
		return nil, err
	}
	certificates[pki.KubeAPICertName] = pki.ToCertObject(pki.KubeAPICertName, "", "", kubeAPICert, kubeAPIKey)
	return certificates, nil
}

func GetClusterCertsFromKubernetes(ctx context.Context, kubeCluster *Cluster) (map[string]pki.CertificatePKI, error) {
	log.Infof(ctx, "[certificates] Getting Cluster certificates from Kubernetes")

	k8sClient, err := k8s.NewClient(kubeCluster.LocalKubeConfigPath, kubeCluster.K8sWrapTransport)
	if err != nil {
		return nil, fmt.Errorf("Failed to create Kubernetes Client: %v", err)
	}
	certificatesNames := []string{
		pki.CACertName,
		pki.KubeAPICertName,
		pki.KubeNodeCertName,
		pki.KubeProxyCertName,
		pki.KubeControllerCertName,
		pki.KubeSchedulerCertName,
		pki.KubeAdminCertName,
		pki.APIProxyClientCertName,
		pki.RequestHeaderCACertName,
		pki.ServiceAccountTokenKeyName,
	}

	for _, etcdHost := range kubeCluster.EtcdHosts {
		etcdName := pki.GetEtcdCrtName(etcdHost.InternalAddress)
		certificatesNames = append(certificatesNames, etcdName)
	}

	certMap := make(map[string]pki.CertificatePKI)
	for _, certName := range certificatesNames {
		secret, err := k8s.GetSecret(k8sClient, certName)
		if err != nil && !strings.HasPrefix(certName, "kube-etcd") &&
			!strings.Contains(certName, pki.RequestHeaderCACertName) &&
			!strings.Contains(certName, pki.APIProxyClientCertName) &&
			!strings.Contains(certName, pki.ServiceAccountTokenKeyName) {
			return nil, err
		}
		// If I can't find an etcd, requestheader, or proxy client cert, I will not fail and will create it later.
		if (secret == nil || secret.Data == nil) &&
			(strings.HasPrefix(certName, "kube-etcd") ||
				strings.Contains(certName, pki.RequestHeaderCACertName) ||
				strings.Contains(certName, pki.APIProxyClientCertName) ||
				strings.Contains(certName, pki.ServiceAccountTokenKeyName)) {
			certMap[certName] = pki.CertificatePKI{}
			continue
		}

		secretCert, err := cert.ParseCertsPEM(secret.Data["Certificate"])
		if err != nil {
			return nil, fmt.Errorf("Failed to parse certificate of %s: %v", certName, err)
		}
		secretKey, err := cert.ParsePrivateKeyPEM(secret.Data["Key"])
		if err != nil {
			return nil, fmt.Errorf("Failed to parse private key of %s: %v", certName, err)
		}
		secretConfig := string(secret.Data["Config"])
		if len(secretCert) == 0 || secretKey == nil {
			return nil, fmt.Errorf("certificate or key of %s is not found", certName)
		}
		certificatePEM := string(cert.EncodeCertPEM(secretCert[0]))
		keyPEM := string(cert.EncodePrivateKeyPEM(secretKey.(*rsa.PrivateKey)))

		certMap[certName] = pki.CertificatePKI{
			Certificate:    secretCert[0],
			Key:            secretKey.(*rsa.PrivateKey),
			CertificatePEM: certificatePEM,
			KeyPEM:         keyPEM,
			Config:         secretConfig,
			EnvName:        string(secret.Data["EnvName"]),
			ConfigEnvName:  string(secret.Data["ConfigEnvName"]),
			KeyEnvName:     string(secret.Data["KeyEnvName"]),
			Path:           string(secret.Data["Path"]),
			KeyPath:        string(secret.Data["KeyPath"]),
			ConfigPath:     string(secret.Data["ConfigPath"]),
		}
	}
	// Handle service account token key issue
	kubeAPICert := certMap[pki.KubeAPICertName]
	if certMap[pki.ServiceAccountTokenKeyName].Key == nil {
		log.Infof(ctx, "[certificates] Creating service account token key")
		certMap[pki.ServiceAccountTokenKeyName] = pki.ToCertObject(pki.ServiceAccountTokenKeyName, pki.ServiceAccountTokenKeyName, "", kubeAPICert.Certificate, kubeAPICert.Key)
	}
	log.Infof(ctx, "[certificates] Successfully fetched Cluster certificates from Kubernetes")
	return certMap, nil
}

func (c *Cluster) getBackupHosts() []*hosts.Host {
	var backupHosts []*hosts.Host
	if len(c.Services.Etcd.ExternalURLs) > 0 {
		backupHosts = c.ControlPlaneHosts
	} else {
		// Save certificates on etcd and controlplane hosts
		backupHosts = hosts.GetUniqueHostList(c.EtcdHosts, c.ControlPlaneHosts, nil)
	}
	return backupHosts
}

func regenerateAPIAggregationCerts(c *Cluster, certificates map[string]pki.CertificatePKI) (map[string]pki.CertificatePKI, error) {
	logrus.Debugf("[certificates] Regenerating Kubernetes API server aggregation layer requestheader client CA certificates")
	requestHeaderCACrt, requestHeaderCAKey, err := pki.GenerateCACertAndKey(pki.RequestHeaderCACertName, nil)
	if err != nil {
		return nil, err
	}
	certificates[pki.RequestHeaderCACertName] = pki.ToCertObject(pki.RequestHeaderCACertName, "", "", requestHeaderCACrt, requestHeaderCAKey)

	//generate API server proxy client key and certs
	logrus.Debugf("[certificates] Regenerating Kubernetes API server proxy client certificates")
	apiserverProxyClientCrt, apiserverProxyClientKey, err := pki.GenerateSignedCertAndKey(requestHeaderCACrt, requestHeaderCAKey, true, pki.APIProxyClientCertName, nil, nil, nil)
	if err != nil {
		return nil, err
	}
	certificates[pki.APIProxyClientCertName] = pki.ToCertObject(pki.APIProxyClientCertName, "", "", apiserverProxyClientCrt, apiserverProxyClientKey)
	return certificates, nil
}

func RotateRKECertificates(ctx context.Context, c *Cluster, flags ExternalFlags, rotateflags RotateCertificatesFlags, clusterState *FullState) error {
	var (
		serviceAccountTokenKey string
	)
	componentsCertsFuncMap := map[string]pki.GenFunc{
		services.KubeAPIContainerName:        pki.GenerateKubeAPICertificate,
		services.KubeControllerContainerName: pki.GenerateKubeControllerCertificate,
		services.SchedulerContainerName:      pki.GenerateKubeSchedulerCertificate,
		services.KubeproxyContainerName:      pki.GenerateKubeProxyCertificate,
		services.KubeletContainerName:        pki.GenerateKubeNodeCertificate,
		services.EtcdContainerName:           pki.GenerateEtcdCertificates,
	}
	if rotateflags.RotateCACerts {
		// rotate CA cert and RequestHeader CA cert
		if err := pki.GenerateRKECACerts(ctx, c.Certificates, flags.ClusterFilePath, flags.ConfigDir); err != nil {
			return err
		}
		rotateflags.RotateComponents = nil
	}
	for _, k8sComponent := range rotateflags.RotateComponents {
		genFunc := componentsCertsFuncMap[k8sComponent]
		if genFunc != nil {
			if err := genFunc(ctx, c.Certificates, c.RancherKubernetesEngineConfig, flags.ClusterFilePath, flags.ConfigDir, true); err != nil {
				return err
			}
		}
	}
	if len(rotateflags.RotateComponents) == 0 {
		// do not rotate service account token
		if c.Certificates[pki.ServiceAccountTokenKeyName].Key != nil {
			serviceAccountTokenKey = string(cert.EncodePrivateKeyPEM(c.Certificates[pki.ServiceAccountTokenKeyName].Key))
		}
		if err := pki.GenerateRKEServicesCerts(ctx, c.Certificates, c.RancherKubernetesEngineConfig, flags.ClusterFilePath, flags.ConfigDir, true); err != nil {
			return err
		}
		if serviceAccountTokenKey != "" {
			privateKey, err := cert.ParsePrivateKeyPEM([]byte(serviceAccountTokenKey))
			if err != nil {
				return err
			}
			c.Certificates[pki.ServiceAccountTokenKeyName] = pki.ToCertObject(
				pki.ServiceAccountTokenKeyName,
				pki.ServiceAccountTokenKeyName,
				"",
				c.Certificates[pki.ServiceAccountTokenKeyName].Certificate,
				privateKey.(*rsa.PrivateKey))
		}
	}
	clusterState.DesiredState.CertificatesBundle = c.Certificates
	clusterState.DesiredState.RancherKubernetesEngineConfig = &c.RancherKubernetesEngineConfig
	return nil
}

func GetRotateCertsFlags(rotateCACerts bool, components []string) RotateCertificatesFlags {
	return RotateCertificatesFlags{
		RotateCACerts:    rotateCACerts,
		RotateComponents: components,
	}
}
Use Cluster structure Use separate cluster package Save cluster state and certs to kubernetes Handle Remove and sync cluster state/crts Reuse kubernetes client and combine image and version Separate building functions and small fixes 2017-11-02 10:07:10 +00:00			`package cluster`

			`import (`
Add context.Context to everything and also make logging pluggable 2018-01-09 22:10:56 +00:00			`"context"`
Use Cluster structure Use separate cluster package Save cluster state and certs to kubernetes Handle Remove and sync cluster state/crts Reuse kubernetes client and combine image and version Separate building functions and small fixes 2017-11-02 10:07:10 +00:00			`"crypto/rsa"`
			`"fmt"`
Handle missing backup kube-etcd gracefully 2018-04-25 05:11:57 +00:00			`"strings"`
Use Cluster structure Use separate cluster package Save cluster state and certs to kubernetes Handle Remove and sync cluster state/crts Reuse kubernetes client and combine image and version Separate building functions and small fixes 2017-11-02 10:07:10 +00:00
Add generic generation for pki objects and etcd TLS 2018-01-16 23:10:14 +00:00			`"github.com/rancher/rke/hosts"`
Use Cluster structure Use separate cluster package Save cluster state and certs to kubernetes Handle Remove and sync cluster state/crts Reuse kubernetes client and combine image and version Separate building functions and small fixes 2017-11-02 10:07:10 +00:00			`"github.com/rancher/rke/k8s"`
Add context.Context to everything and also make logging pluggable 2018-01-09 22:10:56 +00:00			`"github.com/rancher/rke/log"`
Use Cluster structure Use separate cluster package Save cluster state and certs to kubernetes Handle Remove and sync cluster state/crts Reuse kubernetes client and combine image and version Separate building functions and small fixes 2017-11-02 10:07:10 +00:00			`"github.com/rancher/rke/pki"`
Add certificate bundle backup with etcd snapshot-save 2018-05-29 15:21:24 +00:00			`"github.com/rancher/rke/services"`
Use rancher/types 2017-11-13 21:28:38 +00:00			`"github.com/sirupsen/logrus"`
Use Cluster structure Use separate cluster package Save cluster state and certs to kubernetes Handle Remove and sync cluster state/crts Reuse kubernetes client and combine image and version Separate building functions and small fixes 2017-11-02 10:07:10 +00:00			`"k8s.io/client-go/util/cert"`
			`)`

Fix rotate certificates with new state 2018-11-12 23:24:59 +00:00			`type RotateCertificatesFlags struct {`
			`RotateCACerts bool`
			`RotateComponents []string`
			`}`

Final fixes and cleanup for state management Fix dind and local and etcd snapshots add ExternalFlags and dialer options 2018-11-07 23:54:08 +00:00			`func SetUpAuthentication(ctx context.Context, kubeCluster, currentCluster Cluster, fullState FullState) error {`
Update main code path to use new state 2018-11-02 05:53:29 +00:00			`if kubeCluster.Authentication.Strategy == X509AuthenticationProvider {`
Final fixes and cleanup for state management Fix dind and local and etcd snapshots add ExternalFlags and dialer options 2018-11-07 23:54:08 +00:00			`kubeCluster.Certificates = fullState.DesiredState.CertificatesBundle`
Update main code path to use new state 2018-11-02 05:53:29 +00:00			`return nil`
			`}`
			`return nil`
			`}`

Add cluster validation and regenerate kubeapi cert 2017-11-21 19:25:08 +00:00			`func regenerateAPICertificate(c *Cluster, certificates map[string]pki.CertificatePKI) (map[string]pki.CertificatePKI, error) {`
			`logrus.Debugf("[certificates] Regenerating kubeAPI certificate")`
Support additional altnames for PKI certs 2018-03-22 18:36:25 +00:00			`kubeAPIAltNames := pki.GetAltNames(c.ControlPlaneHosts, c.ClusterDomain, c.KubernetesServiceIP, c.Authentication.SANs)`
Add cluster validation and regenerate kubeapi cert 2017-11-21 19:25:08 +00:00			`caCrt := certificates[pki.CACertName].Certificate`
			`caKey := certificates[pki.CACertName].Key`
Generate new KubeAPI certificate for new nodes using the same key 2017-11-26 22:29:52 +00:00			`kubeAPIKey := certificates[pki.KubeAPICertName].Key`
Add generic generation for pki objects and etcd TLS 2018-01-16 23:10:14 +00:00			`kubeAPICert, _, err := pki.GenerateSignedCertAndKey(caCrt, caKey, true, pki.KubeAPICertName, kubeAPIAltNames, kubeAPIKey, nil)`
Add cluster validation and regenerate kubeapi cert 2017-11-21 19:25:08 +00:00			`if err != nil {`
			`return nil, err`
			`}`
Add generic generation for pki objects and etcd TLS 2018-01-16 23:10:14 +00:00			`certificates[pki.KubeAPICertName] = pki.ToCertObject(pki.KubeAPICertName, "", "", kubeAPICert, kubeAPIKey)`
Add cluster validation and regenerate kubeapi cert 2017-11-21 19:25:08 +00:00			`return certificates, nil`
			`}`

Final fixes and cleanup for state management Fix dind and local and etcd snapshots add ExternalFlags and dialer options 2018-11-07 23:54:08 +00:00			`func GetClusterCertsFromKubernetes(ctx context.Context, kubeCluster *Cluster) (map[string]pki.CertificatePKI, error) {`
Add context.Context to everything and also make logging pluggable 2018-01-09 22:10:56 +00:00			`log.Infof(ctx, "[certificates] Getting Cluster certificates from Kubernetes")`
handle upgrade cases backup state to kubernetes 2018-11-07 00:24:49 +00:00
Final fixes and cleanup for state management Fix dind and local and etcd snapshots add ExternalFlags and dialer options 2018-11-07 23:54:08 +00:00			`k8sClient, err := k8s.NewClient(kubeCluster.LocalKubeConfigPath, kubeCluster.K8sWrapTransport)`
handle upgrade cases backup state to kubernetes 2018-11-07 00:24:49 +00:00			`if err != nil {`
			`return nil, fmt.Errorf("Failed to create Kubernetes Client: %v", err)`
			`}`
Use Cluster structure Use separate cluster package Save cluster state and certs to kubernetes Handle Remove and sync cluster state/crts Reuse kubernetes client and combine image and version Separate building functions and small fixes 2017-11-02 10:07:10 +00:00			`certificatesNames := []string{`
			`pki.CACertName,`
			`pki.KubeAPICertName,`
Add generic generation for pki objects and etcd TLS 2018-01-16 23:10:14 +00:00			`pki.KubeNodeCertName,`
			`pki.KubeProxyCertName,`
			`pki.KubeControllerCertName,`
			`pki.KubeSchedulerCertName,`
			`pki.KubeAdminCertName,`
Fix requestheaqder ca certificate regeneration 2018-09-08 00:23:47 +00:00			`pki.APIProxyClientCertName,`
			`pki.RequestHeaderCACertName,`
Add Rotate certificates command to rke 2018-08-20 04:37:04 +00:00			`pki.ServiceAccountTokenKeyName,`
Add generic generation for pki objects and etcd TLS 2018-01-16 23:10:14 +00:00			`}`

Final fixes and cleanup for state management Fix dind and local and etcd snapshots add ExternalFlags and dialer options 2018-11-07 23:54:08 +00:00			`for _, etcdHost := range kubeCluster.EtcdHosts {`
Add generic generation for pki objects and etcd TLS 2018-01-16 23:10:14 +00:00			`etcdName := pki.GetEtcdCrtName(etcdHost.InternalAddress)`
			`certificatesNames = append(certificatesNames, etcdName)`
Use Cluster structure Use separate cluster package Save cluster state and certs to kubernetes Handle Remove and sync cluster state/crts Reuse kubernetes client and combine image and version Separate building functions and small fixes 2017-11-02 10:07:10 +00:00			`}`
Add generic generation for pki objects and etcd TLS 2018-01-16 23:10:14 +00:00
Use Cluster structure Use separate cluster package Save cluster state and certs to kubernetes Handle Remove and sync cluster state/crts Reuse kubernetes client and combine image and version Separate building functions and small fixes 2017-11-02 10:07:10 +00:00			`certMap := make(map[string]pki.CertificatePKI)`
			`for _, certName := range certificatesNames {`
handle upgrade cases backup state to kubernetes 2018-11-07 00:24:49 +00:00			`secret, err := k8s.GetSecret(k8sClient, certName)`
Fix requestheaqder ca certificate regeneration 2018-09-08 00:23:47 +00:00			`if err != nil && !strings.HasPrefix(certName, "kube-etcd") &&`
			`!strings.Contains(certName, pki.RequestHeaderCACertName) &&`
Add Rotate certificates command to rke 2018-08-20 04:37:04 +00:00			`!strings.Contains(certName, pki.APIProxyClientCertName) &&`
			`!strings.Contains(certName, pki.ServiceAccountTokenKeyName) {`
Use Cluster structure Use separate cluster package Save cluster state and certs to kubernetes Handle Remove and sync cluster state/crts Reuse kubernetes client and combine image and version Separate building functions and small fixes 2017-11-02 10:07:10 +00:00			`return nil, err`
			`}`
Fix requestheaqder ca certificate regeneration 2018-09-08 00:23:47 +00:00			`// If I can't find an etcd, requestheader, or proxy client cert, I will not fail and will create it later.`
			`if (secret == nil \|\| secret.Data == nil) &&`
			`(strings.HasPrefix(certName, "kube-etcd") \|\|`
			`strings.Contains(certName, pki.RequestHeaderCACertName) \|\|`
Add Rotate certificates command to rke 2018-08-20 04:37:04 +00:00			`strings.Contains(certName, pki.APIProxyClientCertName) \|\|`
			`strings.Contains(certName, pki.ServiceAccountTokenKeyName)) {`
Handle missing backup kube-etcd gracefully 2018-04-25 05:11:57 +00:00			`certMap[certName] = pki.CertificatePKI{}`
			`continue`
			`}`

Avoid panic if cert or key of a secret is not found 2018-09-04 19:26:59 +00:00			`secretCert, err := cert.ParseCertsPEM(secret.Data["Certificate"])`
			`if err != nil {`
			`return nil, fmt.Errorf("Failed to parse certificate of %s: %v", certName, err)`
			`}`
			`secretKey, err := cert.ParsePrivateKeyPEM(secret.Data["Key"])`
			`if err != nil {`
			`return nil, fmt.Errorf("Failed to parse private key of %s: %v", certName, err)`
			`}`
Use Cluster structure Use separate cluster package Save cluster state and certs to kubernetes Handle Remove and sync cluster state/crts Reuse kubernetes client and combine image and version Separate building functions and small fixes 2017-11-02 10:07:10 +00:00			`secretConfig := string(secret.Data["Config"])`
Avoid panic if cert or key of a secret is not found 2018-09-04 19:26:59 +00:00			`if len(secretCert) == 0 \|\| secretKey == nil {`
			`return nil, fmt.Errorf("certificate or key of %s is not found", certName)`
			`}`
Final fixes and cleanup for state management Fix dind and local and etcd snapshots add ExternalFlags and dialer options 2018-11-07 23:54:08 +00:00			`certificatePEM := string(cert.EncodeCertPEM(secretCert[0]))`
			`keyPEM := string(cert.EncodePrivateKeyPEM(secretKey.(*rsa.PrivateKey)))`

Use Cluster structure Use separate cluster package Save cluster state and certs to kubernetes Handle Remove and sync cluster state/crts Reuse kubernetes client and combine image and version Separate building functions and small fixes 2017-11-02 10:07:10 +00:00			`certMap[certName] = pki.CertificatePKI{`
Final fixes and cleanup for state management Fix dind and local and etcd snapshots add ExternalFlags and dialer options 2018-11-07 23:54:08 +00:00			`Certificate: secretCert[0],`
			`Key: secretKey.(*rsa.PrivateKey),`
			`CertificatePEM: certificatePEM,`
			`KeyPEM: keyPEM,`
			`Config: secretConfig,`
			`EnvName: string(secret.Data["EnvName"]),`
			`ConfigEnvName: string(secret.Data["ConfigEnvName"]),`
			`KeyEnvName: string(secret.Data["KeyEnvName"]),`
			`Path: string(secret.Data["Path"]),`
			`KeyPath: string(secret.Data["KeyPath"]),`
			`ConfigPath: string(secret.Data["ConfigPath"]),`
Use Cluster structure Use separate cluster package Save cluster state and certs to kubernetes Handle Remove and sync cluster state/crts Reuse kubernetes client and combine image and version Separate building functions and small fixes 2017-11-02 10:07:10 +00:00			`}`
			`}`
handle upgrade cases backup state to kubernetes 2018-11-07 00:24:49 +00:00			`// Handle service account token key issue`
			`kubeAPICert := certMap[pki.KubeAPICertName]`
			`if certMap[pki.ServiceAccountTokenKeyName].Key == nil {`
			`log.Infof(ctx, "[certificates] Creating service account token key")`
			`certMap[pki.ServiceAccountTokenKeyName] = pki.ToCertObject(pki.ServiceAccountTokenKeyName, pki.ServiceAccountTokenKeyName, "", kubeAPICert.Certificate, kubeAPICert.Key)`
			`}`
Add context.Context to everything and also make logging pluggable 2018-01-09 22:10:56 +00:00			`log.Infof(ctx, "[certificates] Successfully fetched Cluster certificates from Kubernetes")`
Use Cluster structure Use separate cluster package Save cluster state and certs to kubernetes Handle Remove and sync cluster state/crts Reuse kubernetes client and combine image and version Separate building functions and small fixes 2017-11-02 10:07:10 +00:00			`return certMap, nil`
			`}`

Add certificate bundle backup with etcd snapshot-save 2018-05-29 15:21:24 +00:00			`func (c Cluster) getBackupHosts() []hosts.Host {`
			`var backupHosts []*hosts.Host`
			`if len(c.Services.Etcd.ExternalURLs) > 0 {`
			`backupHosts = c.ControlPlaneHosts`
			`} else {`
			`// Save certificates on etcd and controlplane hosts`
			`backupHosts = hosts.GetUniqueHostList(c.EtcdHosts, c.ControlPlaneHosts, nil)`
			`}`
			`return backupHosts`
			`}`
Add metrics-server addon deployment 2018-07-17 18:19:08 +00:00
			`func regenerateAPIAggregationCerts(c *Cluster, certificates map[string]pki.CertificatePKI) (map[string]pki.CertificatePKI, error) {`
			`logrus.Debugf("[certificates] Regenerating Kubernetes API server aggregation layer requestheader client CA certificates")`
Add Rotate certificates command to rke 2018-08-20 04:37:04 +00:00			`requestHeaderCACrt, requestHeaderCAKey, err := pki.GenerateCACertAndKey(pki.RequestHeaderCACertName, nil)`
Add metrics-server addon deployment 2018-07-17 18:19:08 +00:00			`if err != nil {`
			`return nil, err`
			`}`
			`certificates[pki.RequestHeaderCACertName] = pki.ToCertObject(pki.RequestHeaderCACertName, "", "", requestHeaderCACrt, requestHeaderCAKey)`

			`//generate API server proxy client key and certs`
fix typo porxy > proxy Signed-off-by: Thorsten Schifferdecker <ts@systs.org> 2018-07-21 19:46:05 +00:00			`logrus.Debugf("[certificates] Regenerating Kubernetes API server proxy client certificates")`
Add metrics-server addon deployment 2018-07-17 18:19:08 +00:00			`apiserverProxyClientCrt, apiserverProxyClientKey, err := pki.GenerateSignedCertAndKey(requestHeaderCACrt, requestHeaderCAKey, true, pki.APIProxyClientCertName, nil, nil, nil)`
			`if err != nil {`
			`return nil, err`
			`}`
			`certificates[pki.APIProxyClientCertName] = pki.ToCertObject(pki.APIProxyClientCertName, "", "", apiserverProxyClientCrt, apiserverProxyClientKey)`
			`return certificates, nil`
			`}`
Add Rotate certificates command to rke 2018-08-20 04:37:04 +00:00
Fix rotate certificates with new state 2018-11-12 23:24:59 +00:00			`func RotateRKECertificates(ctx context.Context, c Cluster, flags ExternalFlags, rotateflags RotateCertificatesFlags, clusterState FullState) error {`
Add Rotate certificates command to rke 2018-08-20 04:37:04 +00:00			`var (`
			`serviceAccountTokenKey string`
			`)`
			`componentsCertsFuncMap := map[string]pki.GenFunc{`
			`services.KubeAPIContainerName: pki.GenerateKubeAPICertificate,`
			`services.KubeControllerContainerName: pki.GenerateKubeControllerCertificate,`
			`services.SchedulerContainerName: pki.GenerateKubeSchedulerCertificate,`
			`services.KubeproxyContainerName: pki.GenerateKubeProxyCertificate,`
			`services.KubeletContainerName: pki.GenerateKubeNodeCertificate,`
			`services.EtcdContainerName: pki.GenerateEtcdCertificates,`
			`}`
Fix rotate certificates with new state 2018-11-12 23:24:59 +00:00			`if rotateflags.RotateCACerts {`
Add Rotate certificates command to rke 2018-08-20 04:37:04 +00:00			`// rotate CA cert and RequestHeader CA cert`
Final fixes and cleanup for state management Fix dind and local and etcd snapshots add ExternalFlags and dialer options 2018-11-07 23:54:08 +00:00			`if err := pki.GenerateRKECACerts(ctx, c.Certificates, flags.ClusterFilePath, flags.ConfigDir); err != nil {`
Add Rotate certificates command to rke 2018-08-20 04:37:04 +00:00			`return err`
			`}`
Fix rotate certificates with new state 2018-11-12 23:24:59 +00:00			`rotateflags.RotateComponents = nil`
Add Rotate certificates command to rke 2018-08-20 04:37:04 +00:00			`}`
Fix rotate certificates with new state 2018-11-12 23:24:59 +00:00			`for _, k8sComponent := range rotateflags.RotateComponents {`
Add Rotate certificates command to rke 2018-08-20 04:37:04 +00:00			`genFunc := componentsCertsFuncMap[k8sComponent]`
			`if genFunc != nil {`
Fix rotate certificates with new state 2018-11-12 23:24:59 +00:00			`if err := genFunc(ctx, c.Certificates, c.RancherKubernetesEngineConfig, flags.ClusterFilePath, flags.ConfigDir, true); err != nil {`
Add Rotate certificates command to rke 2018-08-20 04:37:04 +00:00			`return err`
			`}`
			`}`
			`}`
Fix rotate certificates with new state 2018-11-12 23:24:59 +00:00			`if len(rotateflags.RotateComponents) == 0 {`
Add Rotate certificates command to rke 2018-08-20 04:37:04 +00:00			`// do not rotate service account token`
			`if c.Certificates[pki.ServiceAccountTokenKeyName].Key != nil {`
			`serviceAccountTokenKey = string(cert.EncodePrivateKeyPEM(c.Certificates[pki.ServiceAccountTokenKeyName].Key))`
			`}`
Fix rotate certificates with new state 2018-11-12 23:24:59 +00:00			`if err := pki.GenerateRKEServicesCerts(ctx, c.Certificates, c.RancherKubernetesEngineConfig, flags.ClusterFilePath, flags.ConfigDir, true); err != nil {`
Add Rotate certificates command to rke 2018-08-20 04:37:04 +00:00			`return err`
			`}`
			`if serviceAccountTokenKey != "" {`
			`privateKey, err := cert.ParsePrivateKeyPEM([]byte(serviceAccountTokenKey))`
			`if err != nil {`
			`return err`
			`}`
			`c.Certificates[pki.ServiceAccountTokenKeyName] = pki.ToCertObject(`
			`pki.ServiceAccountTokenKeyName,`
			`pki.ServiceAccountTokenKeyName,`
			`"",`
			`c.Certificates[pki.ServiceAccountTokenKeyName].Certificate,`
			`privateKey.(*rsa.PrivateKey))`
			`}`
			`}`
Fix rotate certificates with new state 2018-11-12 23:24:59 +00:00			`clusterState.DesiredState.CertificatesBundle = c.Certificates`
			`clusterState.DesiredState.RancherKubernetesEngineConfig = &c.RancherKubernetesEngineConfig`
Add Rotate certificates command to rke 2018-08-20 04:37:04 +00:00			`return nil`
			`}`
Fix rotate certificates with new state 2018-11-12 23:24:59 +00:00
			`func GetRotateCertsFlags(rotateCACerts bool, components []string) RotateCertificatesFlags {`
			`return RotateCertificatesFlags{`
			`RotateCACerts: rotateCACerts,`
			`RotateComponents: components,`
			`}`
			`}`