rke/pki/pki.go

package pki

import (
	"context"
	"crypto/rsa"
	"crypto/x509"
	"net"

	"github.com/rancher/rke/hosts"
	"github.com/rancher/rke/log"
	"k8s.io/client-go/util/cert"
)

type CertificatePKI struct {
	Certificate   *x509.Certificate
	Key           *rsa.PrivateKey
	Config        string
	Name          string
	CommonName    string
	OUName        string
	EnvName       string
	Path          string
	KeyEnvName    string
	KeyPath       string
	ConfigEnvName string
	ConfigPath    string
}

// StartCertificatesGeneration ...
func StartCertificatesGeneration(ctx context.Context, cpHosts, etcdHosts []*hosts.Host, clusterDomain, localConfigPath string, KubernetesServiceIP net.IP) (map[string]CertificatePKI, error) {
	log.Infof(ctx, "[certificates] Generating kubernetes certificates")
	certs, err := generateCerts(ctx, cpHosts, etcdHosts, clusterDomain, localConfigPath, KubernetesServiceIP)
	if err != nil {
		return nil, err
	}
	return certs, nil
}

func generateCerts(ctx context.Context, cpHosts, etcdHosts []*hosts.Host, clusterDomain, localConfigPath string, KubernetesServiceIP net.IP) (map[string]CertificatePKI, error) {
	certs := make(map[string]CertificatePKI)
	// generate CA certificate and key
	log.Infof(ctx, "[certificates] Generating CA kubernetes certificates")
	caCrt, caKey, err := generateCACertAndKey()
	if err != nil {
		return nil, err
	}
	certs[CACertName] = ToCertObject(CACertName, "", "", caCrt, caKey)

	// generate API certificate and key
	log.Infof(ctx, "[certificates] Generating Kubernetes API server certificates")
	kubeAPIAltNames := GetAltNames(cpHosts, clusterDomain, KubernetesServiceIP)
	kubeAPICrt, kubeAPIKey, err := GenerateSignedCertAndKey(caCrt, caKey, true, KubeAPICertName, kubeAPIAltNames, nil, nil)
	if err != nil {
		return nil, err
	}
	certs[KubeAPICertName] = ToCertObject(KubeAPICertName, "", "", kubeAPICrt, kubeAPIKey)

	// generate Kube controller-manager certificate and key
	log.Infof(ctx, "[certificates] Generating Kube Controller certificates")
	kubeControllerCrt, kubeControllerKey, err := GenerateSignedCertAndKey(caCrt, caKey, false, getDefaultCN(KubeControllerCertName), nil, nil, nil)
	if err != nil {
		return nil, err
	}
	certs[KubeControllerCertName] = ToCertObject(KubeControllerCertName, "", "", kubeControllerCrt, kubeControllerKey)

	// generate Kube scheduler certificate and key
	log.Infof(ctx, "[certificates] Generating Kube Scheduler certificates")
	kubeSchedulerCrt, kubeSchedulerKey, err := GenerateSignedCertAndKey(caCrt, caKey, false, getDefaultCN(KubeSchedulerCertName), nil, nil, nil)
	if err != nil {
		return nil, err
	}
	certs[KubeSchedulerCertName] = ToCertObject(KubeSchedulerCertName, "", "", kubeSchedulerCrt, kubeSchedulerKey)

	// generate Kube Proxy certificate and key
	log.Infof(ctx, "[certificates] Generating Kube Proxy certificates")
	kubeProxyCrt, kubeProxyKey, err := GenerateSignedCertAndKey(caCrt, caKey, false, getDefaultCN(KubeProxyCertName), nil, nil, nil)
	if err != nil {
		return nil, err
	}
	certs[KubeProxyCertName] = ToCertObject(KubeProxyCertName, "", "", kubeProxyCrt, kubeProxyKey)

	// generate Kubelet certificate and key
	log.Infof(ctx, "[certificates] Generating Node certificate")
	nodeCrt, nodeKey, err := GenerateSignedCertAndKey(caCrt, caKey, false, KubeNodeCommonName, nil, nil, []string{KubeNodeOrganizationName})
	if err != nil {
		return nil, err
	}
	certs[KubeNodeCertName] = ToCertObject(KubeNodeCertName, KubeNodeCommonName, KubeNodeOrganizationName, nodeCrt, nodeKey)

	// generate Admin certificate and key
	log.Infof(ctx, "[certificates] Generating admin certificates and kubeconfig")
	kubeAdminCrt, kubeAdminKey, err := GenerateSignedCertAndKey(caCrt, caKey, false, KubeAdminCertName, nil, nil, []string{KubeAdminOrganizationName})
	if err != nil {
		return nil, err
	}
	kubeAdminConfig := GetKubeConfigX509WithData(
		"https://"+cpHosts[0].Address+":6443",
		KubeAdminCertName,
		string(cert.EncodeCertPEM(caCrt)),
		string(cert.EncodeCertPEM(kubeAdminCrt)),
		string(cert.EncodePrivateKeyPEM(kubeAdminKey)))

	kubeAdminCertObj := ToCertObject(KubeAdminCertName, KubeAdminCertName, KubeAdminOrganizationName, kubeAdminCrt, kubeAdminKey)
	kubeAdminCertObj.Config = kubeAdminConfig
	kubeAdminCertObj.ConfigPath = localConfigPath
	certs[KubeAdminCertName] = kubeAdminCertObj

	etcdAltNames := GetAltNames(etcdHosts, clusterDomain, KubernetesServiceIP)
	for _, host := range etcdHosts {
		log.Infof(ctx, "[certificates] Generating etcd-%s certificate and key", host.InternalAddress)
		etcdCrt, etcdKey, err := GenerateSignedCertAndKey(caCrt, caKey, true, EtcdCertName, etcdAltNames, nil, nil)
		if err != nil {
			return nil, err
		}
		etcdName := GetEtcdCrtName(host.InternalAddress)
		certs[etcdName] = ToCertObject(etcdName, "", "", etcdCrt, etcdKey)
	}

	return certs, nil
}

func RegenerateEtcdCertificate(
	ctx context.Context,
	crtMap map[string]CertificatePKI,
	etcdHost *hosts.Host,
	etcdHosts []*hosts.Host,
	clusterDomain string,
	KubernetesServiceIP net.IP) (map[string]CertificatePKI, error) {

	log.Infof(ctx, "[certificates] Regenerating new etcd-%s certificate and key", etcdHost.InternalAddress)
	caCrt := crtMap[CACertName].Certificate
	caKey := crtMap[CACertName].Key
	etcdAltNames := GetAltNames(etcdHosts, clusterDomain, KubernetesServiceIP)

	etcdCrt, etcdKey, err := GenerateSignedCertAndKey(caCrt, caKey, true, EtcdCertName, etcdAltNames, nil, nil)
	if err != nil {
		return nil, err
	}
	etcdName := GetEtcdCrtName(etcdHost.InternalAddress)
	crtMap[etcdName] = ToCertObject(etcdName, "", "", etcdCrt, etcdKey)
	log.Infof(ctx, "[certificates] Successfully generated new etcd-%s certificate and key", etcdHost.InternalAddress)
	return crtMap, nil
}
Add default cluster config file and return service container pointer Add more generic functions to go services Add x509 authentication 2017-10-31 13:55:35 +00:00			`package pki`

			`import (`
Add context.Context to everything and also make logging pluggable 2018-01-09 22:10:56 +00:00			`"context"`
Add default cluster config file and return service container pointer Add more generic functions to go services Add x509 authentication 2017-10-31 13:55:35 +00:00			`"crypto/rsa"`
			`"crypto/x509"`
			`"net"`

			`"github.com/rancher/rke/hosts"`
Add context.Context to everything and also make logging pluggable 2018-01-09 22:10:56 +00:00			`"github.com/rancher/rke/log"`
Add default cluster config file and return service container pointer Add more generic functions to go services Add x509 authentication 2017-10-31 13:55:35 +00:00			`"k8s.io/client-go/util/cert"`
			`)`

			`type CertificatePKI struct {`
Refactor PKI ENV 2017-11-10 02:39:10 +00:00			`Certificate *x509.Certificate`
			`Key *rsa.PrivateKey`
			`Config string`
			`Name string`
			`CommonName string`
			`OUName string`
			`EnvName string`
			`Path string`
			`KeyEnvName string`
			`KeyPath string`
			`ConfigEnvName string`
			`ConfigPath string`
Add default cluster config file and return service container pointer Add more generic functions to go services Add x509 authentication 2017-10-31 13:55:35 +00:00			`}`

			`// StartCertificatesGeneration ...`
Add generic generation for pki objects and etcd TLS 2018-01-16 23:10:14 +00:00			`func StartCertificatesGeneration(ctx context.Context, cpHosts, etcdHosts []*hosts.Host, clusterDomain, localConfigPath string, KubernetesServiceIP net.IP) (map[string]CertificatePKI, error) {`
Add nginx ingress controller and labels/taints sync 2018-02-01 21:28:31 +00:00			`log.Infof(ctx, "[certificates] Generating kubernetes certificates")`
Add generic generation for pki objects and etcd TLS 2018-01-16 23:10:14 +00:00			`certs, err := generateCerts(ctx, cpHosts, etcdHosts, clusterDomain, localConfigPath, KubernetesServiceIP)`
Add default cluster config file and return service container pointer Add more generic functions to go services Add x509 authentication 2017-10-31 13:55:35 +00:00			`if err != nil {`
Use Cluster structure Use separate cluster package Save cluster state and certs to kubernetes Handle Remove and sync cluster state/crts Reuse kubernetes client and combine image and version Separate building functions and small fixes 2017-11-02 10:07:10 +00:00			`return nil, err`
Add default cluster config file and return service container pointer Add more generic functions to go services Add x509 authentication 2017-10-31 13:55:35 +00:00			`}`
Use Cluster structure Use separate cluster package Save cluster state and certs to kubernetes Handle Remove and sync cluster state/crts Reuse kubernetes client and combine image and version Separate building functions and small fixes 2017-11-02 10:07:10 +00:00			`return certs, nil`
Add default cluster config file and return service container pointer Add more generic functions to go services Add x509 authentication 2017-10-31 13:55:35 +00:00			`}`

Add generic generation for pki objects and etcd TLS 2018-01-16 23:10:14 +00:00			`func generateCerts(ctx context.Context, cpHosts, etcdHosts []*hosts.Host, clusterDomain, localConfigPath string, KubernetesServiceIP net.IP) (map[string]CertificatePKI, error) {`
Add default cluster config file and return service container pointer Add more generic functions to go services Add x509 authentication 2017-10-31 13:55:35 +00:00			`certs := make(map[string]CertificatePKI)`
			`// generate CA certificate and key`
Add context.Context to everything and also make logging pluggable 2018-01-09 22:10:56 +00:00			`log.Infof(ctx, "[certificates] Generating CA kubernetes certificates")`
Add default cluster config file and return service container pointer Add more generic functions to go services Add x509 authentication 2017-10-31 13:55:35 +00:00			`caCrt, caKey, err := generateCACertAndKey()`
			`if err != nil {`
			`return nil, err`
			`}`
Add generic generation for pki objects and etcd TLS 2018-01-16 23:10:14 +00:00			`certs[CACertName] = ToCertObject(CACertName, "", "", caCrt, caKey)`
Add default cluster config file and return service container pointer Add more generic functions to go services Add x509 authentication 2017-10-31 13:55:35 +00:00
			`// generate API certificate and key`
Add context.Context to everything and also make logging pluggable 2018-01-09 22:10:56 +00:00			`log.Infof(ctx, "[certificates] Generating Kubernetes API server certificates")`
Add cluster validation and regenerate kubeapi cert 2017-11-21 19:25:08 +00:00			`kubeAPIAltNames := GetAltNames(cpHosts, clusterDomain, KubernetesServiceIP)`
Add generic generation for pki objects and etcd TLS 2018-01-16 23:10:14 +00:00			`kubeAPICrt, kubeAPIKey, err := GenerateSignedCertAndKey(caCrt, caKey, true, KubeAPICertName, kubeAPIAltNames, nil, nil)`
Add default cluster config file and return service container pointer Add more generic functions to go services Add x509 authentication 2017-10-31 13:55:35 +00:00			`if err != nil {`
			`return nil, err`
			`}`
Add generic generation for pki objects and etcd TLS 2018-01-16 23:10:14 +00:00			`certs[KubeAPICertName] = ToCertObject(KubeAPICertName, "", "", kubeAPICrt, kubeAPIKey)`
Add default cluster config file and return service container pointer Add more generic functions to go services Add x509 authentication 2017-10-31 13:55:35 +00:00
			`// generate Kube controller-manager certificate and key`
Add context.Context to everything and also make logging pluggable 2018-01-09 22:10:56 +00:00			`log.Infof(ctx, "[certificates] Generating Kube Controller certificates")`
Add generic generation for pki objects and etcd TLS 2018-01-16 23:10:14 +00:00			`kubeControllerCrt, kubeControllerKey, err := GenerateSignedCertAndKey(caCrt, caKey, false, getDefaultCN(KubeControllerCertName), nil, nil, nil)`
Add default cluster config file and return service container pointer Add more generic functions to go services Add x509 authentication 2017-10-31 13:55:35 +00:00			`if err != nil {`
			`return nil, err`
			`}`
Add generic generation for pki objects and etcd TLS 2018-01-16 23:10:14 +00:00			`certs[KubeControllerCertName] = ToCertObject(KubeControllerCertName, "", "", kubeControllerCrt, kubeControllerKey)`
Add default cluster config file and return service container pointer Add more generic functions to go services Add x509 authentication 2017-10-31 13:55:35 +00:00
			`// generate Kube scheduler certificate and key`
Add context.Context to everything and also make logging pluggable 2018-01-09 22:10:56 +00:00			`log.Infof(ctx, "[certificates] Generating Kube Scheduler certificates")`
Add generic generation for pki objects and etcd TLS 2018-01-16 23:10:14 +00:00			`kubeSchedulerCrt, kubeSchedulerKey, err := GenerateSignedCertAndKey(caCrt, caKey, false, getDefaultCN(KubeSchedulerCertName), nil, nil, nil)`
Add default cluster config file and return service container pointer Add more generic functions to go services Add x509 authentication 2017-10-31 13:55:35 +00:00			`if err != nil {`
			`return nil, err`
			`}`
Add generic generation for pki objects and etcd TLS 2018-01-16 23:10:14 +00:00			`certs[KubeSchedulerCertName] = ToCertObject(KubeSchedulerCertName, "", "", kubeSchedulerCrt, kubeSchedulerKey)`
Add default cluster config file and return service container pointer Add more generic functions to go services Add x509 authentication 2017-10-31 13:55:35 +00:00
			`// generate Kube Proxy certificate and key`
Add context.Context to everything and also make logging pluggable 2018-01-09 22:10:56 +00:00			`log.Infof(ctx, "[certificates] Generating Kube Proxy certificates")`
Add generic generation for pki objects and etcd TLS 2018-01-16 23:10:14 +00:00			`kubeProxyCrt, kubeProxyKey, err := GenerateSignedCertAndKey(caCrt, caKey, false, getDefaultCN(KubeProxyCertName), nil, nil, nil)`
Add default cluster config file and return service container pointer Add more generic functions to go services Add x509 authentication 2017-10-31 13:55:35 +00:00			`if err != nil {`
			`return nil, err`
			`}`
Add generic generation for pki objects and etcd TLS 2018-01-16 23:10:14 +00:00			`certs[KubeProxyCertName] = ToCertObject(KubeProxyCertName, "", "", kubeProxyCrt, kubeProxyKey)`
Add default cluster config file and return service container pointer Add more generic functions to go services Add x509 authentication 2017-10-31 13:55:35 +00:00
Deploy kube config file locally for admin 2017-11-01 21:46:43 +00:00			`// generate Kubelet certificate and key`
Add context.Context to everything and also make logging pluggable 2018-01-09 22:10:56 +00:00			`log.Infof(ctx, "[certificates] Generating Node certificate")`
Add generic generation for pki objects and etcd TLS 2018-01-16 23:10:14 +00:00			`nodeCrt, nodeKey, err := GenerateSignedCertAndKey(caCrt, caKey, false, KubeNodeCommonName, nil, nil, []string{KubeNodeOrganizationName})`
Add default cluster config file and return service container pointer Add more generic functions to go services Add x509 authentication 2017-10-31 13:55:35 +00:00			`if err != nil {`
			`return nil, err`
			`}`
Add generic generation for pki objects and etcd TLS 2018-01-16 23:10:14 +00:00			`certs[KubeNodeCertName] = ToCertObject(KubeNodeCertName, KubeNodeCommonName, KubeNodeOrganizationName, nodeCrt, nodeKey)`
Deploy kube config file locally for admin 2017-11-01 21:46:43 +00:00
Add generic generation for pki objects and etcd TLS 2018-01-16 23:10:14 +00:00			`// generate Admin certificate and key`
Add nginx ingress controller and labels/taints sync 2018-02-01 21:28:31 +00:00			`log.Infof(ctx, "[certificates] Generating admin certificates and kubeconfig")`
Add generic generation for pki objects and etcd TLS 2018-01-16 23:10:14 +00:00			`kubeAdminCrt, kubeAdminKey, err := GenerateSignedCertAndKey(caCrt, caKey, false, KubeAdminCertName, nil, nil, []string{KubeAdminOrganizationName})`
Add default cluster config file and return service container pointer Add more generic functions to go services Add x509 authentication 2017-10-31 13:55:35 +00:00			`if err != nil {`
Add generic generation for pki objects and etcd TLS 2018-01-16 23:10:14 +00:00			`return nil, err`
Add default cluster config file and return service container pointer Add more generic functions to go services Add x509 authentication 2017-10-31 13:55:35 +00:00			`}`
Add generic generation for pki objects and etcd TLS 2018-01-16 23:10:14 +00:00			`kubeAdminConfig := GetKubeConfigX509WithData(`
			`"https://"+cpHosts[0].Address+":6443",`
			`KubeAdminCertName,`
			`string(cert.EncodeCertPEM(caCrt)),`
			`string(cert.EncodeCertPEM(kubeAdminCrt)),`
			`string(cert.EncodePrivateKeyPEM(kubeAdminKey)))`

			`kubeAdminCertObj := ToCertObject(KubeAdminCertName, KubeAdminCertName, KubeAdminOrganizationName, kubeAdminCrt, kubeAdminKey)`
			`kubeAdminCertObj.Config = kubeAdminConfig`
			`kubeAdminCertObj.ConfigPath = localConfigPath`
			`certs[KubeAdminCertName] = kubeAdminCertObj`

			`etcdAltNames := GetAltNames(etcdHosts, clusterDomain, KubernetesServiceIP)`
			`for _, host := range etcdHosts {`
Add nginx ingress controller and labels/taints sync 2018-02-01 21:28:31 +00:00			`log.Infof(ctx, "[certificates] Generating etcd-%s certificate and key", host.InternalAddress)`
Add generic generation for pki objects and etcd TLS 2018-01-16 23:10:14 +00:00			`etcdCrt, etcdKey, err := GenerateSignedCertAndKey(caCrt, caKey, true, EtcdCertName, etcdAltNames, nil, nil)`
			`if err != nil {`
			`return nil, err`
			`}`
			`etcdName := GetEtcdCrtName(host.InternalAddress)`
			`certs[etcdName] = ToCertObject(etcdName, "", "", etcdCrt, etcdKey)`
Add default cluster config file and return service container pointer Add more generic functions to go services Add x509 authentication 2017-10-31 13:55:35 +00:00			`}`

Add generic generation for pki objects and etcd TLS 2018-01-16 23:10:14 +00:00			`return certs, nil`
Add default cluster config file and return service container pointer Add more generic functions to go services Add x509 authentication 2017-10-31 13:55:35 +00:00			`}`

Add generic generation for pki objects and etcd TLS 2018-01-16 23:10:14 +00:00			`func RegenerateEtcdCertificate(`
			`ctx context.Context,`
			`crtMap map[string]CertificatePKI,`
			`etcdHost *hosts.Host,`
			`etcdHosts []*hosts.Host,`
			`clusterDomain string,`
			`KubernetesServiceIP net.IP) (map[string]CertificatePKI, error) {`
Add default cluster config file and return service container pointer Add more generic functions to go services Add x509 authentication 2017-10-31 13:55:35 +00:00
Add generic generation for pki objects and etcd TLS 2018-01-16 23:10:14 +00:00			`log.Infof(ctx, "[certificates] Regenerating new etcd-%s certificate and key", etcdHost.InternalAddress)`
			`caCrt := crtMap[CACertName].Certificate`
			`caKey := crtMap[CACertName].Key`
			`etcdAltNames := GetAltNames(etcdHosts, clusterDomain, KubernetesServiceIP)`
Add default cluster config file and return service container pointer Add more generic functions to go services Add x509 authentication 2017-10-31 13:55:35 +00:00
Add generic generation for pki objects and etcd TLS 2018-01-16 23:10:14 +00:00			`etcdCrt, etcdKey, err := GenerateSignedCertAndKey(caCrt, caKey, true, EtcdCertName, etcdAltNames, nil, nil)`
Generate new KubeAPI certificate for new nodes using the same key 2017-11-26 22:29:52 +00:00			`if err != nil {`
Add generic generation for pki objects and etcd TLS 2018-01-16 23:10:14 +00:00			`return nil, err`
Refactor PKI ENV 2017-11-10 02:39:10 +00:00			`}`
Add generic generation for pki objects and etcd TLS 2018-01-16 23:10:14 +00:00			`etcdName := GetEtcdCrtName(etcdHost.InternalAddress)`
			`crtMap[etcdName] = ToCertObject(etcdName, "", "", etcdCrt, etcdKey)`
			`log.Infof(ctx, "[certificates] Successfully generated new etcd-%s certificate and key", etcdHost.InternalAddress)`
			`return crtMap, nil`
Refactor PKI ENV 2017-11-10 02:39:10 +00:00			`}`