rke/cluster/certificates.go

package cluster

import (
	"context"
	"crypto/rsa"
	"fmt"
	"time"

	"github.com/rancher/rke/hosts"
	"github.com/rancher/rke/k8s"
	"github.com/rancher/rke/log"
	"github.com/rancher/rke/pki"
	"github.com/sirupsen/logrus"
	"k8s.io/client-go/kubernetes"
	"k8s.io/client-go/util/cert"
)

func SetUpAuthentication(ctx context.Context, kubeCluster, currentCluster *Cluster) error {
	if kubeCluster.Authentication.Strategy == X509AuthenticationProvider {
		var err error
		if currentCluster != nil {
			kubeCluster.Certificates = currentCluster.Certificates
		} else {
			log.Infof(ctx, "[certificates] Attempting to recover certificates from backup on host [%s]", kubeCluster.EtcdHosts[0].Address)
			kubeCluster.Certificates, err = pki.FetchCertificatesFromHost(ctx, kubeCluster.EtcdHosts, kubeCluster.EtcdHosts[0], kubeCluster.SystemImages.Alpine, kubeCluster.LocalKubeConfigPath, kubeCluster.PrivateRegistriesMap)
			if err != nil {
				return err
			}
			if kubeCluster.Certificates != nil {
				log.Infof(ctx, "[certificates] Certificate backup found on host [%s]", kubeCluster.EtcdHosts[0].Address)
				return nil
			}
			log.Infof(ctx, "[certificates] No Certificate backup found on host [%s]", kubeCluster.EtcdHosts[0].Address)

			kubeCluster.Certificates, err = pki.StartCertificatesGeneration(ctx,
				kubeCluster.ControlPlaneHosts,
				kubeCluster.EtcdHosts,
				kubeCluster.ClusterDomain,
				kubeCluster.LocalKubeConfigPath,
				kubeCluster.KubernetesServiceIP)
			if err != nil {
				return fmt.Errorf("Failed to generate Kubernetes certificates: %v", err)
			}
			log.Infof(ctx, "[certificates] Temporarily saving certs to etcd host [%s]", kubeCluster.EtcdHosts[0].Address)
			if err := pki.DeployCertificatesOnHost(ctx, kubeCluster.EtcdHosts, kubeCluster.EtcdHosts[0], kubeCluster.Certificates, kubeCluster.SystemImages.CertDownloader, pki.TempCertPath, kubeCluster.PrivateRegistriesMap); err != nil {
				return err
			}
			log.Infof(ctx, "[certificates] Saved certs to etcd host [%s]", kubeCluster.EtcdHosts[0].Address)
		}
	}
	return nil
}

func regenerateAPICertificate(c *Cluster, certificates map[string]pki.CertificatePKI) (map[string]pki.CertificatePKI, error) {
	logrus.Debugf("[certificates] Regenerating kubeAPI certificate")
	kubeAPIAltNames := pki.GetAltNames(c.ControlPlaneHosts, c.ClusterDomain, c.KubernetesServiceIP)
	caCrt := certificates[pki.CACertName].Certificate
	caKey := certificates[pki.CACertName].Key
	kubeAPIKey := certificates[pki.KubeAPICertName].Key
	kubeAPICert, _, err := pki.GenerateSignedCertAndKey(caCrt, caKey, true, pki.KubeAPICertName, kubeAPIAltNames, kubeAPIKey, nil)
	if err != nil {
		return nil, err
	}
	certificates[pki.KubeAPICertName] = pki.ToCertObject(pki.KubeAPICertName, "", "", kubeAPICert, kubeAPIKey)
	return certificates, nil
}

func getClusterCerts(ctx context.Context, kubeClient *kubernetes.Clientset, etcdHosts []*hosts.Host) (map[string]pki.CertificatePKI, error) {
	log.Infof(ctx, "[certificates] Getting Cluster certificates from Kubernetes")
	certificatesNames := []string{
		pki.CACertName,
		pki.KubeAPICertName,
		pki.KubeNodeCertName,
		pki.KubeProxyCertName,
		pki.KubeControllerCertName,
		pki.KubeSchedulerCertName,
		pki.KubeAdminCertName,
	}

	for _, etcdHost := range etcdHosts {
		etcdName := pki.GetEtcdCrtName(etcdHost.InternalAddress)
		certificatesNames = append(certificatesNames, etcdName)
	}

	certMap := make(map[string]pki.CertificatePKI)
	for _, certName := range certificatesNames {
		secret, err := k8s.GetSecret(kubeClient, certName)
		if err != nil {
			return nil, err
		}
		secretCert, _ := cert.ParseCertsPEM(secret.Data["Certificate"])
		secretKey, _ := cert.ParsePrivateKeyPEM(secret.Data["Key"])
		secretConfig := string(secret.Data["Config"])
		certMap[certName] = pki.CertificatePKI{
			Certificate:   secretCert[0],
			Key:           secretKey.(*rsa.PrivateKey),
			Config:        secretConfig,
			EnvName:       string(secret.Data["EnvName"]),
			ConfigEnvName: string(secret.Data["ConfigEnvName"]),
			KeyEnvName:    string(secret.Data["KeyEnvName"]),
		}
	}
	log.Infof(ctx, "[certificates] Successfully fetched Cluster certificates from Kubernetes")
	return certMap, nil
}

func saveClusterCerts(ctx context.Context, kubeClient *kubernetes.Clientset, crts map[string]pki.CertificatePKI) error {
	log.Infof(ctx, "[certificates] Save kubernetes certificates as secrets")
	for crtName, crt := range crts {
		err := saveCertToKubernetes(kubeClient, crtName, crt)
		if err != nil {
			return fmt.Errorf("Failed to save certificate [%s] to kubernetes: %v", crtName, err)
		}
	}
	log.Infof(ctx, "[certificates] Successfully saved certificates as kubernetes secret [%s]", pki.CertificatesSecretName)
	return nil
}

func saveCertToKubernetes(kubeClient *kubernetes.Clientset, crtName string, crt pki.CertificatePKI) error {
	logrus.Debugf("[certificates] Saving certificate [%s] to kubernetes", crtName)
	timeout := make(chan bool, 1)
	go func() {
		for {
			err := k8s.UpdateSecret(kubeClient, "Certificate", cert.EncodeCertPEM(crt.Certificate), crtName)
			if err != nil {
				time.Sleep(time.Second * 5)
				continue
			}
			err = k8s.UpdateSecret(kubeClient, "Key", cert.EncodePrivateKeyPEM(crt.Key), crtName)
			if err != nil {
				time.Sleep(time.Second * 5)
				continue
			}
			err = k8s.UpdateSecret(kubeClient, "EnvName", []byte(crt.EnvName), crtName)
			if err != nil {
				time.Sleep(time.Second * 5)
				continue
			}
			err = k8s.UpdateSecret(kubeClient, "KeyEnvName", []byte(crt.KeyEnvName), crtName)
			if err != nil {
				time.Sleep(time.Second * 5)
				continue
			}
			if len(crt.Config) > 0 {
				err = k8s.UpdateSecret(kubeClient, "ConfigEnvName", []byte(crt.ConfigEnvName), crtName)
				if err != nil {
					time.Sleep(time.Second * 5)
					continue
				}
				err = k8s.UpdateSecret(kubeClient, "Config", []byte(crt.Config), crtName)
				if err != nil {
					time.Sleep(time.Second * 5)
					continue
				}
			}
			timeout <- true
			break
		}
	}()
	select {
	case <-timeout:
		return nil
	case <-time.After(time.Second * KubernetesClientTimeOut):
		return fmt.Errorf("[certificates] Timeout waiting for kubernetes to be ready")
	}
}
Use Cluster structure Use separate cluster package Save cluster state and certs to kubernetes Handle Remove and sync cluster state/crts Reuse kubernetes client and combine image and version Separate building functions and small fixes 2017-11-02 10:07:10 +00:00			`package cluster`

			`import (`
Add context.Context to everything and also make logging pluggable 2018-01-09 22:10:56 +00:00			`"context"`
Use Cluster structure Use separate cluster package Save cluster state and certs to kubernetes Handle Remove and sync cluster state/crts Reuse kubernetes client and combine image and version Separate building functions and small fixes 2017-11-02 10:07:10 +00:00			`"crypto/rsa"`
			`"fmt"`
			`"time"`

Add generic generation for pki objects and etcd TLS 2018-01-16 23:10:14 +00:00			`"github.com/rancher/rke/hosts"`
Use Cluster structure Use separate cluster package Save cluster state and certs to kubernetes Handle Remove and sync cluster state/crts Reuse kubernetes client and combine image and version Separate building functions and small fixes 2017-11-02 10:07:10 +00:00			`"github.com/rancher/rke/k8s"`
Add context.Context to everything and also make logging pluggable 2018-01-09 22:10:56 +00:00			`"github.com/rancher/rke/log"`
Use Cluster structure Use separate cluster package Save cluster state and certs to kubernetes Handle Remove and sync cluster state/crts Reuse kubernetes client and combine image and version Separate building functions and small fixes 2017-11-02 10:07:10 +00:00			`"github.com/rancher/rke/pki"`
Use rancher/types 2017-11-13 21:28:38 +00:00			`"github.com/sirupsen/logrus"`
Use Cluster structure Use separate cluster package Save cluster state and certs to kubernetes Handle Remove and sync cluster state/crts Reuse kubernetes client and combine image and version Separate building functions and small fixes 2017-11-02 10:07:10 +00:00			`"k8s.io/client-go/kubernetes"`
			`"k8s.io/client-go/util/cert"`
			`)`

Add context.Context to everything and also make logging pluggable 2018-01-09 22:10:56 +00:00			`func SetUpAuthentication(ctx context.Context, kubeCluster, currentCluster *Cluster) error {`
Update rancher types 2017-11-14 18:11:21 +00:00			`if kubeCluster.Authentication.Strategy == X509AuthenticationProvider {`
Use Cluster structure Use separate cluster package Save cluster state and certs to kubernetes Handle Remove and sync cluster state/crts Reuse kubernetes client and combine image and version Separate building functions and small fixes 2017-11-02 10:07:10 +00:00			`var err error`
			`if currentCluster != nil {`
Add cluster upgrade Restructer k8s Move getClusterCerts from SetUpAuthintication to GetClusterState Update cluster.yaml 2017-11-15 02:54:26 +00:00			`kubeCluster.Certificates = currentCluster.Certificates`
Use Cluster structure Use separate cluster package Save cluster state and certs to kubernetes Handle Remove and sync cluster state/crts Reuse kubernetes client and combine image and version Separate building functions and small fixes 2017-11-02 10:07:10 +00:00			`} else {`
recoverable provisioning 2018-01-10 23:03:08 +00:00			`log.Infof(ctx, "[certificates] Attempting to recover certificates from backup on host [%s]", kubeCluster.EtcdHosts[0].Address)`
Pass private registries list through the function calls 2018-01-31 17:50:55 +00:00			`kubeCluster.Certificates, err = pki.FetchCertificatesFromHost(ctx, kubeCluster.EtcdHosts, kubeCluster.EtcdHosts[0], kubeCluster.SystemImages.Alpine, kubeCluster.LocalKubeConfigPath, kubeCluster.PrivateRegistriesMap)`
recoverable provisioning 2018-01-10 23:03:08 +00:00			`if err != nil {`
			`return err`
			`}`
			`if kubeCluster.Certificates != nil {`
			`log.Infof(ctx, "[certificates] Certificate backup found on host [%s]", kubeCluster.EtcdHosts[0].Address)`
			`return nil`
			`}`
			`log.Infof(ctx, "[certificates] No Certificate backup found on host [%s]", kubeCluster.EtcdHosts[0].Address)`

Add context.Context to everything and also make logging pluggable 2018-01-09 22:10:56 +00:00			`kubeCluster.Certificates, err = pki.StartCertificatesGeneration(ctx,`
Use Cluster structure Use separate cluster package Save cluster state and certs to kubernetes Handle Remove and sync cluster state/crts Reuse kubernetes client and combine image and version Separate building functions and small fixes 2017-11-02 10:07:10 +00:00			`kubeCluster.ControlPlaneHosts,`
Add generic generation for pki objects and etcd TLS 2018-01-16 23:10:14 +00:00			`kubeCluster.EtcdHosts,`
Use Cluster structure Use separate cluster package Save cluster state and certs to kubernetes Handle Remove and sync cluster state/crts Reuse kubernetes client and combine image and version Separate building functions and small fixes 2017-11-02 10:07:10 +00:00			`kubeCluster.ClusterDomain,`
Add HA Add relative path for local kube config Add default cluster yaml config name 2017-11-15 01:12:33 +00:00			`kubeCluster.LocalKubeConfigPath,`
Use Cluster structure Use separate cluster package Save cluster state and certs to kubernetes Handle Remove and sync cluster state/crts Reuse kubernetes client and combine image and version Separate building functions and small fixes 2017-11-02 10:07:10 +00:00			`kubeCluster.KubernetesServiceIP)`
			`if err != nil {`
			`return fmt.Errorf("Failed to generate Kubernetes certificates: %v", err)`
			`}`
recoverable provisioning 2018-01-10 23:03:08 +00:00			`log.Infof(ctx, "[certificates] Temporarily saving certs to etcd host [%s]", kubeCluster.EtcdHosts[0].Address)`
Pass private registries list through the function calls 2018-01-31 17:50:55 +00:00			`if err := pki.DeployCertificatesOnHost(ctx, kubeCluster.EtcdHosts, kubeCluster.EtcdHosts[0], kubeCluster.Certificates, kubeCluster.SystemImages.CertDownloader, pki.TempCertPath, kubeCluster.PrivateRegistriesMap); err != nil {`
recoverable provisioning 2018-01-10 23:03:08 +00:00			`return err`
			`}`
			`log.Infof(ctx, "[certificates] Saved certs to etcd host [%s]", kubeCluster.EtcdHosts[0].Address)`
Use Cluster structure Use separate cluster package Save cluster state and certs to kubernetes Handle Remove and sync cluster state/crts Reuse kubernetes client and combine image and version Separate building functions and small fixes 2017-11-02 10:07:10 +00:00			`}`
			`}`
			`return nil`
			`}`

Add cluster validation and regenerate kubeapi cert 2017-11-21 19:25:08 +00:00			`func regenerateAPICertificate(c *Cluster, certificates map[string]pki.CertificatePKI) (map[string]pki.CertificatePKI, error) {`
			`logrus.Debugf("[certificates] Regenerating kubeAPI certificate")`
			`kubeAPIAltNames := pki.GetAltNames(c.ControlPlaneHosts, c.ClusterDomain, c.KubernetesServiceIP)`
			`caCrt := certificates[pki.CACertName].Certificate`
			`caKey := certificates[pki.CACertName].Key`
Generate new KubeAPI certificate for new nodes using the same key 2017-11-26 22:29:52 +00:00			`kubeAPIKey := certificates[pki.KubeAPICertName].Key`
Add generic generation for pki objects and etcd TLS 2018-01-16 23:10:14 +00:00			`kubeAPICert, _, err := pki.GenerateSignedCertAndKey(caCrt, caKey, true, pki.KubeAPICertName, kubeAPIAltNames, kubeAPIKey, nil)`
Add cluster validation and regenerate kubeapi cert 2017-11-21 19:25:08 +00:00			`if err != nil {`
			`return nil, err`
			`}`
Add generic generation for pki objects and etcd TLS 2018-01-16 23:10:14 +00:00			`certificates[pki.KubeAPICertName] = pki.ToCertObject(pki.KubeAPICertName, "", "", kubeAPICert, kubeAPIKey)`
Add cluster validation and regenerate kubeapi cert 2017-11-21 19:25:08 +00:00			`return certificates, nil`
			`}`

Add generic generation for pki objects and etcd TLS 2018-01-16 23:10:14 +00:00			`func getClusterCerts(ctx context.Context, kubeClient kubernetes.Clientset, etcdHosts []hosts.Host) (map[string]pki.CertificatePKI, error) {`
Add context.Context to everything and also make logging pluggable 2018-01-09 22:10:56 +00:00			`log.Infof(ctx, "[certificates] Getting Cluster certificates from Kubernetes")`
Use Cluster structure Use separate cluster package Save cluster state and certs to kubernetes Handle Remove and sync cluster state/crts Reuse kubernetes client and combine image and version Separate building functions and small fixes 2017-11-02 10:07:10 +00:00			`certificatesNames := []string{`
			`pki.CACertName,`
			`pki.KubeAPICertName,`
Add generic generation for pki objects and etcd TLS 2018-01-16 23:10:14 +00:00			`pki.KubeNodeCertName,`
			`pki.KubeProxyCertName,`
			`pki.KubeControllerCertName,`
			`pki.KubeSchedulerCertName,`
			`pki.KubeAdminCertName,`
			`}`

			`for _, etcdHost := range etcdHosts {`
			`etcdName := pki.GetEtcdCrtName(etcdHost.InternalAddress)`
			`certificatesNames = append(certificatesNames, etcdName)`
Use Cluster structure Use separate cluster package Save cluster state and certs to kubernetes Handle Remove and sync cluster state/crts Reuse kubernetes client and combine image and version Separate building functions and small fixes 2017-11-02 10:07:10 +00:00			`}`
Add generic generation for pki objects and etcd TLS 2018-01-16 23:10:14 +00:00
Use Cluster structure Use separate cluster package Save cluster state and certs to kubernetes Handle Remove and sync cluster state/crts Reuse kubernetes client and combine image and version Separate building functions and small fixes 2017-11-02 10:07:10 +00:00			`certMap := make(map[string]pki.CertificatePKI)`
			`for _, certName := range certificatesNames {`
unit tests and go lint fixes Add k8s operation test 2017-11-07 15:44:17 +00:00			`secret, err := k8s.GetSecret(kubeClient, certName)`
Use Cluster structure Use separate cluster package Save cluster state and certs to kubernetes Handle Remove and sync cluster state/crts Reuse kubernetes client and combine image and version Separate building functions and small fixes 2017-11-02 10:07:10 +00:00			`if err != nil {`
			`return nil, err`
			`}`
			`secretCert, _ := cert.ParseCertsPEM(secret.Data["Certificate"])`
			`secretKey, _ := cert.ParsePrivateKeyPEM(secret.Data["Key"])`
			`secretConfig := string(secret.Data["Config"])`
			`certMap[certName] = pki.CertificatePKI{`
Update rancher types 2017-11-14 18:11:21 +00:00			`Certificate: secretCert[0],`
			`Key: secretKey.(*rsa.PrivateKey),`
			`Config: secretConfig,`
			`EnvName: string(secret.Data["EnvName"]),`
			`ConfigEnvName: string(secret.Data["ConfigEnvName"]),`
			`KeyEnvName: string(secret.Data["KeyEnvName"]),`
Use Cluster structure Use separate cluster package Save cluster state and certs to kubernetes Handle Remove and sync cluster state/crts Reuse kubernetes client and combine image and version Separate building functions and small fixes 2017-11-02 10:07:10 +00:00			`}`
			`}`
Add context.Context to everything and also make logging pluggable 2018-01-09 22:10:56 +00:00			`log.Infof(ctx, "[certificates] Successfully fetched Cluster certificates from Kubernetes")`
Use Cluster structure Use separate cluster package Save cluster state and certs to kubernetes Handle Remove and sync cluster state/crts Reuse kubernetes client and combine image and version Separate building functions and small fixes 2017-11-02 10:07:10 +00:00			`return certMap, nil`
			`}`

Add context.Context to everything and also make logging pluggable 2018-01-09 22:10:56 +00:00			`func saveClusterCerts(ctx context.Context, kubeClient *kubernetes.Clientset, crts map[string]pki.CertificatePKI) error {`
			`log.Infof(ctx, "[certificates] Save kubernetes certificates as secrets")`
Use Cluster structure Use separate cluster package Save cluster state and certs to kubernetes Handle Remove and sync cluster state/crts Reuse kubernetes client and combine image and version Separate building functions and small fixes 2017-11-02 10:07:10 +00:00			`for crtName, crt := range crts {`
unit tests and go lint fixes Add k8s operation test 2017-11-07 15:44:17 +00:00			`err := saveCertToKubernetes(kubeClient, crtName, crt)`
Use Cluster structure Use separate cluster package Save cluster state and certs to kubernetes Handle Remove and sync cluster state/crts Reuse kubernetes client and combine image and version Separate building functions and small fixes 2017-11-02 10:07:10 +00:00			`if err != nil {`
			`return fmt.Errorf("Failed to save certificate [%s] to kubernetes: %v", crtName, err)`
			`}`
			`}`
Add context.Context to everything and also make logging pluggable 2018-01-09 22:10:56 +00:00			`log.Infof(ctx, "[certificates] Successfully saved certificates as kubernetes secret [%s]", pki.CertificatesSecretName)`
Use Cluster structure Use separate cluster package Save cluster state and certs to kubernetes Handle Remove and sync cluster state/crts Reuse kubernetes client and combine image and version Separate building functions and small fixes 2017-11-02 10:07:10 +00:00			`return nil`
			`}`

unit tests and go lint fixes Add k8s operation test 2017-11-07 15:44:17 +00:00			`func saveCertToKubernetes(kubeClient *kubernetes.Clientset, crtName string, crt pki.CertificatePKI) error {`
Use Cluster structure Use separate cluster package Save cluster state and certs to kubernetes Handle Remove and sync cluster state/crts Reuse kubernetes client and combine image and version Separate building functions and small fixes 2017-11-02 10:07:10 +00:00			`logrus.Debugf("[certificates] Saving certificate [%s] to kubernetes", crtName)`
			`timeout := make(chan bool, 1)`
			`go func() {`
			`for {`
unit tests and go lint fixes Add k8s operation test 2017-11-07 15:44:17 +00:00			`err := k8s.UpdateSecret(kubeClient, "Certificate", cert.EncodeCertPEM(crt.Certificate), crtName)`
Use Cluster structure Use separate cluster package Save cluster state and certs to kubernetes Handle Remove and sync cluster state/crts Reuse kubernetes client and combine image and version Separate building functions and small fixes 2017-11-02 10:07:10 +00:00			`if err != nil {`
			`time.Sleep(time.Second * 5)`
			`continue`
			`}`
unit tests and go lint fixes Add k8s operation test 2017-11-07 15:44:17 +00:00			`err = k8s.UpdateSecret(kubeClient, "Key", cert.EncodePrivateKeyPEM(crt.Key), crtName)`
Use Cluster structure Use separate cluster package Save cluster state and certs to kubernetes Handle Remove and sync cluster state/crts Reuse kubernetes client and combine image and version Separate building functions and small fixes 2017-11-02 10:07:10 +00:00			`if err != nil {`
			`time.Sleep(time.Second * 5)`
			`continue`
			`}`
Update rancher types 2017-11-14 18:11:21 +00:00			`err = k8s.UpdateSecret(kubeClient, "EnvName", []byte(crt.EnvName), crtName)`
			`if err != nil {`
			`time.Sleep(time.Second * 5)`
			`continue`
			`}`
			`err = k8s.UpdateSecret(kubeClient, "KeyEnvName", []byte(crt.KeyEnvName), crtName)`
			`if err != nil {`
			`time.Sleep(time.Second * 5)`
			`continue`
			`}`
Use Cluster structure Use separate cluster package Save cluster state and certs to kubernetes Handle Remove and sync cluster state/crts Reuse kubernetes client and combine image and version Separate building functions and small fixes 2017-11-02 10:07:10 +00:00			`if len(crt.Config) > 0 {`
Update rancher types 2017-11-14 18:11:21 +00:00			`err = k8s.UpdateSecret(kubeClient, "ConfigEnvName", []byte(crt.ConfigEnvName), crtName)`
			`if err != nil {`
			`time.Sleep(time.Second * 5)`
			`continue`
			`}`
unit tests and go lint fixes Add k8s operation test 2017-11-07 15:44:17 +00:00			`err = k8s.UpdateSecret(kubeClient, "Config", []byte(crt.Config), crtName)`
Use Cluster structure Use separate cluster package Save cluster state and certs to kubernetes Handle Remove and sync cluster state/crts Reuse kubernetes client and combine image and version Separate building functions and small fixes 2017-11-02 10:07:10 +00:00			`if err != nil {`
			`time.Sleep(time.Second * 5)`
			`continue`
			`}`
			`}`
			`timeout <- true`
			`break`
			`}`
			`}()`
			`select {`
			`case <-timeout:`
			`return nil`
			`case <-time.After(time.Second * KubernetesClientTimeOut):`
			`return fmt.Errorf("[certificates] Timeout waiting for kubernetes to be ready")`
			`}`
			`}`