2017-11-02 10:07:10 +00:00
|
|
|
package cluster
|
|
|
|
|
|
|
|
|
|
import (
|
|
|
|
|
"crypto/rsa"
|
|
|
|
|
"fmt"
|
|
|
|
|
"time"
|
|
|
|
|
|
|
|
|
|
"github.com/rancher/rke/k8s"
|
|
|
|
|
"github.com/rancher/rke/pki"
|
2017-11-13 21:28:38 +00:00
|
|
|
"github.com/sirupsen/logrus"
|
2017-11-02 10:07:10 +00:00
|
|
|
"k8s.io/client-go/kubernetes"
|
|
|
|
|
"k8s.io/client-go/util/cert"
|
|
|
|
|
)
|
|
|
|
|
|
2017-11-09 19:50:49 +00:00
|
|
|
func SetUpAuthentication(kubeCluster, currentCluster *Cluster) error {
|
2017-11-14 18:11:21 +00:00
|
|
|
if kubeCluster.Authentication.Strategy == X509AuthenticationProvider {
|
2017-11-02 10:07:10 +00:00
|
|
|
var err error
|
|
|
|
|
if currentCluster != nil {
|
2017-11-15 02:54:26 +00:00
|
|
|
kubeCluster.Certificates = currentCluster.Certificates
|
2017-11-02 10:07:10 +00:00
|
|
|
} else {
|
|
|
|
|
kubeCluster.Certificates, err = pki.StartCertificatesGeneration(
|
|
|
|
|
kubeCluster.ControlPlaneHosts,
|
|
|
|
|
kubeCluster.WorkerHosts,
|
|
|
|
|
kubeCluster.ClusterDomain,
|
|
|
|
|
kubeCluster.KubernetesServiceIP)
|
|
|
|
|
if err != nil {
|
|
|
|
|
return fmt.Errorf("Failed to generate Kubernetes certificates: %v", err)
|
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
return nil
|
|
|
|
|
}
|
|
|
|
|
|
2017-11-07 15:44:17 +00:00
|
|
|
func getClusterCerts(kubeClient *kubernetes.Clientset) (map[string]pki.CertificatePKI, error) {
|
2017-11-02 10:07:10 +00:00
|
|
|
logrus.Infof("[certificates] Getting Cluster certificates from Kubernetes")
|
|
|
|
|
certificatesNames := []string{
|
|
|
|
|
pki.CACertName,
|
|
|
|
|
pki.KubeAPICertName,
|
|
|
|
|
pki.KubeNodeName,
|
|
|
|
|
pki.KubeProxyName,
|
|
|
|
|
pki.KubeControllerName,
|
|
|
|
|
pki.KubeSchedulerName,
|
|
|
|
|
pki.KubeAdminCommonName,
|
|
|
|
|
}
|
|
|
|
|
certMap := make(map[string]pki.CertificatePKI)
|
|
|
|
|
for _, certName := range certificatesNames {
|
2017-11-07 15:44:17 +00:00
|
|
|
secret, err := k8s.GetSecret(kubeClient, certName)
|
2017-11-02 10:07:10 +00:00
|
|
|
if err != nil {
|
|
|
|
|
return nil, err
|
|
|
|
|
}
|
|
|
|
|
secretCert, _ := cert.ParseCertsPEM(secret.Data["Certificate"])
|
|
|
|
|
secretKey, _ := cert.ParsePrivateKeyPEM(secret.Data["Key"])
|
|
|
|
|
secretConfig := string(secret.Data["Config"])
|
|
|
|
|
certMap[certName] = pki.CertificatePKI{
|
2017-11-14 18:11:21 +00:00
|
|
|
Certificate: secretCert[0],
|
|
|
|
|
Key: secretKey.(*rsa.PrivateKey),
|
|
|
|
|
Config: secretConfig,
|
|
|
|
|
EnvName: string(secret.Data["EnvName"]),
|
|
|
|
|
ConfigEnvName: string(secret.Data["ConfigEnvName"]),
|
|
|
|
|
KeyEnvName: string(secret.Data["KeyEnvName"]),
|
2017-11-02 10:07:10 +00:00
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
logrus.Infof("[certificates] Successfully fetched Cluster certificates from Kubernetes")
|
|
|
|
|
return certMap, nil
|
|
|
|
|
}
|
|
|
|
|
|
2017-11-07 15:44:17 +00:00
|
|
|
func saveClusterCerts(kubeClient *kubernetes.Clientset, crts map[string]pki.CertificatePKI) error {
|
2017-11-02 10:07:10 +00:00
|
|
|
logrus.Infof("[certificates] Save kubernetes certificates as secrets")
|
|
|
|
|
for crtName, crt := range crts {
|
2017-11-07 15:44:17 +00:00
|
|
|
err := saveCertToKubernetes(kubeClient, crtName, crt)
|
2017-11-02 10:07:10 +00:00
|
|
|
if err != nil {
|
|
|
|
|
return fmt.Errorf("Failed to save certificate [%s] to kubernetes: %v", crtName, err)
|
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
logrus.Infof("[certificates] Successfuly saved certificates as kubernetes secret [%s]", pki.CertificatesSecretName)
|
|
|
|
|
return nil
|
|
|
|
|
}
|
|
|
|
|
|
2017-11-07 15:44:17 +00:00
|
|
|
func saveCertToKubernetes(kubeClient *kubernetes.Clientset, crtName string, crt pki.CertificatePKI) error {
|
2017-11-02 10:07:10 +00:00
|
|
|
logrus.Debugf("[certificates] Saving certificate [%s] to kubernetes", crtName)
|
|
|
|
|
timeout := make(chan bool, 1)
|
|
|
|
|
go func() {
|
|
|
|
|
for {
|
2017-11-07 15:44:17 +00:00
|
|
|
err := k8s.UpdateSecret(kubeClient, "Certificate", cert.EncodeCertPEM(crt.Certificate), crtName)
|
2017-11-02 10:07:10 +00:00
|
|
|
if err != nil {
|
|
|
|
|
time.Sleep(time.Second * 5)
|
|
|
|
|
continue
|
|
|
|
|
}
|
2017-11-07 15:44:17 +00:00
|
|
|
err = k8s.UpdateSecret(kubeClient, "Key", cert.EncodePrivateKeyPEM(crt.Key), crtName)
|
2017-11-02 10:07:10 +00:00
|
|
|
if err != nil {
|
|
|
|
|
time.Sleep(time.Second * 5)
|
|
|
|
|
continue
|
|
|
|
|
}
|
2017-11-14 18:11:21 +00:00
|
|
|
err = k8s.UpdateSecret(kubeClient, "EnvName", []byte(crt.EnvName), crtName)
|
|
|
|
|
if err != nil {
|
|
|
|
|
time.Sleep(time.Second * 5)
|
|
|
|
|
continue
|
|
|
|
|
}
|
|
|
|
|
err = k8s.UpdateSecret(kubeClient, "KeyEnvName", []byte(crt.KeyEnvName), crtName)
|
|
|
|
|
if err != nil {
|
|
|
|
|
time.Sleep(time.Second * 5)
|
|
|
|
|
continue
|
|
|
|
|
}
|
2017-11-02 10:07:10 +00:00
|
|
|
if len(crt.Config) > 0 {
|
2017-11-14 18:11:21 +00:00
|
|
|
err = k8s.UpdateSecret(kubeClient, "ConfigEnvName", []byte(crt.ConfigEnvName), crtName)
|
|
|
|
|
if err != nil {
|
|
|
|
|
time.Sleep(time.Second * 5)
|
|
|
|
|
continue
|
|
|
|
|
}
|
2017-11-07 15:44:17 +00:00
|
|
|
err = k8s.UpdateSecret(kubeClient, "Config", []byte(crt.Config), crtName)
|
2017-11-02 10:07:10 +00:00
|
|
|
if err != nil {
|
|
|
|
|
time.Sleep(time.Second * 5)
|
|
|
|
|
continue
|
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
timeout <- true
|
|
|
|
|
break
|
|
|
|
|
}
|
|
|
|
|
}()
|
|
|
|
|
select {
|
|
|
|
|
case <-timeout:
|
|
|
|
|
return nil
|
|
|
|
|
case <-time.After(time.Second * KubernetesClientTimeOut):
|
|
|
|
|
return fmt.Errorf("[certificates] Timeout waiting for kubernetes to be ready")
|
|
|
|
|
}
|
|
|
|
|
}
|
