rke/pki/pki.go

package pki

import (
	"crypto/rsa"
	"crypto/x509"
	"fmt"
	"net"

	"github.com/Sirupsen/logrus"
	"github.com/rancher/rke/hosts"
	"k8s.io/client-go/util/cert"
)

type CertificatePKI struct {
	Certificate *x509.Certificate
	Key         *rsa.PrivateKey
	Config      string
}

// StartCertificatesGeneration ...
func StartCertificatesGeneration(cpHosts []hosts.Host, workerHosts []hosts.Host, clusterDomain string, KubernetesServiceIP net.IP) (map[string]CertificatePKI, error) {
	logrus.Infof("[certificates] Generating kubernetes certificates")
	certs, err := generateCerts(cpHosts, clusterDomain, KubernetesServiceIP)
	if err != nil {
		return nil, err
	}
	return certs, nil
}

func generateCerts(cpHosts []hosts.Host, clusterDomain string, KubernetesServiceIP net.IP) (map[string]CertificatePKI, error) {
	certs := make(map[string]CertificatePKI)
	// generate CA certificate and key
	logrus.Infof("[certificates] Generating CA kubernetes certificates")
	caCrt, caKey, err := generateCACertAndKey()
	if err != nil {
		return nil, err
	}
	logrus.Debugf("[certificates] CA Certificate: %s", string(cert.EncodeCertPEM(caCrt)))
	certs[CACertName] = CertificatePKI{
		Certificate: caCrt,
		Key:         caKey,
	}

	// generate API certificate and key
	logrus.Infof("[certificates] Generating Kubernetes API server certificates")
	kubeAPIAltNames := getAltNames(cpHosts, clusterDomain, KubernetesServiceIP)
	kubeAPICrt, kubeAPIKey, err := generateKubeAPICertAndKey(caCrt, caKey, kubeAPIAltNames)
	if err != nil {
		return nil, err
	}
	logrus.Debugf("[certificates] Kube API Certificate: %s", string(cert.EncodeCertPEM(kubeAPICrt)))
	certs[KubeAPICertName] = CertificatePKI{
		Certificate: kubeAPICrt,
		Key:         kubeAPIKey,
	}

	// generate Kube controller-manager certificate and key
	logrus.Infof("[certificates] Generating Kube Controller certificates")
	kubeControllerCrt, kubeControllerKey, err := generateClientCertAndKey(caCrt, caKey, KubeControllerCommonName, []string{})
	if err != nil {
		return nil, err
	}
	logrus.Debugf("[certificates] Kube Controller Certificate: %s", string(cert.EncodeCertPEM(kubeControllerCrt)))
	certs[KubeControllerName] = CertificatePKI{
		Certificate: kubeControllerCrt,
		Key:         kubeControllerKey,
		Config:      getKubeConfigX509("https://"+cpHosts[0].AdvertiseAddress+":6443", KubeControllerName, CACertPath, KubeControllerCertPath, KubeControllerKeyPath),
	}

	// generate Kube scheduler certificate and key
	logrus.Infof("[certificates] Generating Kube Scheduler certificates")
	kubeSchedulerCrt, kubeSchedulerKey, err := generateClientCertAndKey(caCrt, caKey, KubeSchedulerCommonName, []string{})
	if err != nil {
		return nil, err
	}
	logrus.Debugf("[certificates] Kube Scheduler Certificate: %s", string(cert.EncodeCertPEM(kubeSchedulerCrt)))
	certs[KubeSchedulerName] = CertificatePKI{
		Certificate: kubeSchedulerCrt,
		Key:         kubeSchedulerKey,
		Config:      getKubeConfigX509("https://"+cpHosts[0].AdvertiseAddress+":6443", KubeSchedulerName, CACertPath, KubeSchedulerCertPath, KubeSchedulerKeyPath),
	}

	// generate Kube Proxy certificate and key
	logrus.Infof("[certificates] Generating Kube Proxy certificates")
	kubeProxyCrt, kubeProxyKey, err := generateClientCertAndKey(caCrt, caKey, KubeProxyCommonName, []string{})
	if err != nil {
		return nil, err
	}
	logrus.Debugf("[certificates] Kube Proxy Certificate: %s", string(cert.EncodeCertPEM(kubeProxyCrt)))
	certs[KubeProxyName] = CertificatePKI{
		Certificate: kubeProxyCrt,
		Key:         kubeProxyKey,
		Config:      getKubeConfigX509("https://"+cpHosts[0].AdvertiseAddress+":6443", KubeProxyName, CACertPath, KubeProxyCertPath, KubeProxyKeyPath),
	}

	// generate Kubelet certificate and key
	logrus.Infof("[certificates] Generating Node certificate")
	nodeCrt, nodeKey, err := generateClientCertAndKey(caCrt, caKey, KubeNodeCommonName, []string{KubeNodeOrganizationName})
	if err != nil {
		return nil, err
	}
	logrus.Debugf("[certificates] Node Certificate: %s", string(cert.EncodeCertPEM(kubeProxyCrt)))
	certs[KubeNodeName] = CertificatePKI{
		Certificate: nodeCrt,
		Key:         nodeKey,
		Config:      getKubeConfigX509("https://"+cpHosts[0].AdvertiseAddress+":6443", KubeNodeName, CACertPath, KubeNodeCertPath, KubeNodeKeyPath),
	}
	logrus.Infof("[certificates] Generating admin certificates and kubeconfig")
	kubeAdminCrt, kubeAdminKey, err := generateClientCertAndKey(caCrt, caKey, KubeAdminCommonName, []string{KubeAdminOrganizationName})
	if err != nil {
		return nil, err
	}
	logrus.Debugf("[certificates] Admin Certificate: %s", string(cert.EncodeCertPEM(kubeAdminCrt)))
	certs[KubeAdminCommonName] = CertificatePKI{
		Certificate: kubeAdminCrt,
		Key:         kubeAdminKey,
		Config: getKubeConfigX509WithData(
			"https://"+cpHosts[0].IP+":6443",
			KubeAdminCommonName,
			string(cert.EncodeCertPEM(caCrt)),
			string(cert.EncodeCertPEM(kubeAdminCrt)),
			string(cert.EncodePrivateKeyPEM(kubeAdminKey))),
	}
	return certs, nil
}

func generateClientCertAndKey(caCrt *x509.Certificate, caKey *rsa.PrivateKey, commonName string, orgs []string) (*x509.Certificate, *rsa.PrivateKey, error) {
	rootKey, err := cert.NewPrivateKey()
	if err != nil {
		return nil, nil, fmt.Errorf("Failed to generate private key for %s certificate: %v", commonName, err)
	}
	caConfig := cert.Config{
		CommonName:   commonName,
		Organization: orgs,
		Usages:       []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth},
	}
	clientCert, err := cert.NewSignedCert(caConfig, rootKey, caCrt, caKey)
	if err != nil {
		return nil, nil, fmt.Errorf("Failed to generate %s certificate: %v", commonName, err)
	}

	return clientCert, rootKey, nil
}

func generateKubeAPICertAndKey(caCrt *x509.Certificate, caKey *rsa.PrivateKey, altNames *cert.AltNames) (*x509.Certificate, *rsa.PrivateKey, error) {
	rootKey, err := cert.NewPrivateKey()
	if err != nil {
		return nil, nil, fmt.Errorf("Failed to generate private key for kube-apiserver certificate: %v", err)
	}
	caConfig := cert.Config{
		CommonName: KubeAPICertName,
		Usages:     []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth, x509.ExtKeyUsageServerAuth},
		AltNames:   *altNames,
	}
	kubeCACert, err := cert.NewSignedCert(caConfig, rootKey, caCrt, caKey)
	if err != nil {
		return nil, nil, fmt.Errorf("Failed to generate kube-apiserver certificate: %v", err)
	}

	return kubeCACert, rootKey, nil
}

func generateCACertAndKey() (*x509.Certificate, *rsa.PrivateKey, error) {
	rootKey, err := cert.NewPrivateKey()
	if err != nil {
		return nil, nil, fmt.Errorf("Failed to generate private key for CA certificate: %v", err)
	}
	caConfig := cert.Config{
		CommonName: CACertName,
	}
	kubeCACert, err := cert.NewSelfSignedCACert(caConfig, rootKey)
	if err != nil {
		return nil, nil, fmt.Errorf("Failed to generate CA certificate: %v", err)
	}

	return kubeCACert, rootKey, nil
}

func getAltNames(cpHosts []hosts.Host, clusterDomain string, KubernetesServiceIP net.IP) *cert.AltNames {
	ips := []net.IP{}
	dnsNames := []string{}
	for _, host := range cpHosts {
		ips = append(ips, net.ParseIP(host.IP))
		if host.IP != host.AdvertiseAddress {
			ips = append(ips, net.ParseIP(host.AdvertiseAddress))
		}
		dnsNames = append(dnsNames, host.Hostname)
	}
	ips = append(ips, net.ParseIP("127.0.0.1"))
	ips = append(ips, KubernetesServiceIP)
	dnsNames = append(dnsNames, []string{
		"localhost",
		"kubernetes",
		"kubernetes.default",
		"kubernetes.default.svc",
		"kubernetes.default.svc." + clusterDomain,
	}...)
	return &cert.AltNames{
		IPs:      ips,
		DNSNames: dnsNames,
	}
}
Add default cluster config file and return service container pointer Add more generic functions to go services Add x509 authentication 2017-10-31 13:55:35 +00:00			`package pki`

			`import (`
			`"crypto/rsa"`
			`"crypto/x509"`
			`"fmt"`
			`"net"`

			`"github.com/Sirupsen/logrus"`
			`"github.com/rancher/rke/hosts"`
			`"k8s.io/client-go/util/cert"`
			`)`

			`type CertificatePKI struct {`
Use Cluster structure Use separate cluster package Save cluster state and certs to kubernetes Handle Remove and sync cluster state/crts Reuse kubernetes client and combine image and version Separate building functions and small fixes 2017-11-02 10:07:10 +00:00			`Certificate *x509.Certificate`
			`Key *rsa.PrivateKey`
			`Config string`
Add default cluster config file and return service container pointer Add more generic functions to go services Add x509 authentication 2017-10-31 13:55:35 +00:00			`}`

			`// StartCertificatesGeneration ...`
Use Cluster structure Use separate cluster package Save cluster state and certs to kubernetes Handle Remove and sync cluster state/crts Reuse kubernetes client and combine image and version Separate building functions and small fixes 2017-11-02 10:07:10 +00:00			`func StartCertificatesGeneration(cpHosts []hosts.Host, workerHosts []hosts.Host, clusterDomain string, KubernetesServiceIP net.IP) (map[string]CertificatePKI, error) {`
Add default cluster config file and return service container pointer Add more generic functions to go services Add x509 authentication 2017-10-31 13:55:35 +00:00			`logrus.Infof("[certificates] Generating kubernetes certificates")`
			`certs, err := generateCerts(cpHosts, clusterDomain, KubernetesServiceIP)`
			`if err != nil {`
Use Cluster structure Use separate cluster package Save cluster state and certs to kubernetes Handle Remove and sync cluster state/crts Reuse kubernetes client and combine image and version Separate building functions and small fixes 2017-11-02 10:07:10 +00:00			`return nil, err`
Add default cluster config file and return service container pointer Add more generic functions to go services Add x509 authentication 2017-10-31 13:55:35 +00:00			`}`
Use Cluster structure Use separate cluster package Save cluster state and certs to kubernetes Handle Remove and sync cluster state/crts Reuse kubernetes client and combine image and version Separate building functions and small fixes 2017-11-02 10:07:10 +00:00			`return certs, nil`
Add default cluster config file and return service container pointer Add more generic functions to go services Add x509 authentication 2017-10-31 13:55:35 +00:00			`}`

			`func generateCerts(cpHosts []hosts.Host, clusterDomain string, KubernetesServiceIP net.IP) (map[string]CertificatePKI, error) {`
			`certs := make(map[string]CertificatePKI)`
			`// generate CA certificate and key`
			`logrus.Infof("[certificates] Generating CA kubernetes certificates")`
			`caCrt, caKey, err := generateCACertAndKey()`
			`if err != nil {`
			`return nil, err`
			`}`
			`logrus.Debugf("[certificates] CA Certificate: %s", string(cert.EncodeCertPEM(caCrt)))`
			`certs[CACertName] = CertificatePKI{`
Use Cluster structure Use separate cluster package Save cluster state and certs to kubernetes Handle Remove and sync cluster state/crts Reuse kubernetes client and combine image and version Separate building functions and small fixes 2017-11-02 10:07:10 +00:00			`Certificate: caCrt,`
			`Key: caKey,`
Add default cluster config file and return service container pointer Add more generic functions to go services Add x509 authentication 2017-10-31 13:55:35 +00:00			`}`

			`// generate API certificate and key`
			`logrus.Infof("[certificates] Generating Kubernetes API server certificates")`
			`kubeAPIAltNames := getAltNames(cpHosts, clusterDomain, KubernetesServiceIP)`
			`kubeAPICrt, kubeAPIKey, err := generateKubeAPICertAndKey(caCrt, caKey, kubeAPIAltNames)`
			`if err != nil {`
			`return nil, err`
			`}`
			`logrus.Debugf("[certificates] Kube API Certificate: %s", string(cert.EncodeCertPEM(kubeAPICrt)))`
			`certs[KubeAPICertName] = CertificatePKI{`
Use Cluster structure Use separate cluster package Save cluster state and certs to kubernetes Handle Remove and sync cluster state/crts Reuse kubernetes client and combine image and version Separate building functions and small fixes 2017-11-02 10:07:10 +00:00			`Certificate: kubeAPICrt,`
			`Key: kubeAPIKey,`
Add default cluster config file and return service container pointer Add more generic functions to go services Add x509 authentication 2017-10-31 13:55:35 +00:00			`}`

			`// generate Kube controller-manager certificate and key`
			`logrus.Infof("[certificates] Generating Kube Controller certificates")`
			`kubeControllerCrt, kubeControllerKey, err := generateClientCertAndKey(caCrt, caKey, KubeControllerCommonName, []string{})`
			`if err != nil {`
			`return nil, err`
			`}`
			`logrus.Debugf("[certificates] Kube Controller Certificate: %s", string(cert.EncodeCertPEM(kubeControllerCrt)))`
			`certs[KubeControllerName] = CertificatePKI{`
Use Cluster structure Use separate cluster package Save cluster state and certs to kubernetes Handle Remove and sync cluster state/crts Reuse kubernetes client and combine image and version Separate building functions and small fixes 2017-11-02 10:07:10 +00:00			`Certificate: kubeControllerCrt,`
			`Key: kubeControllerKey,`
			`Config: getKubeConfigX509("https://"+cpHosts[0].AdvertiseAddress+":6443", KubeControllerName, CACertPath, KubeControllerCertPath, KubeControllerKeyPath),`
Add default cluster config file and return service container pointer Add more generic functions to go services Add x509 authentication 2017-10-31 13:55:35 +00:00			`}`

			`// generate Kube scheduler certificate and key`
			`logrus.Infof("[certificates] Generating Kube Scheduler certificates")`
			`kubeSchedulerCrt, kubeSchedulerKey, err := generateClientCertAndKey(caCrt, caKey, KubeSchedulerCommonName, []string{})`
			`if err != nil {`
			`return nil, err`
			`}`
			`logrus.Debugf("[certificates] Kube Scheduler Certificate: %s", string(cert.EncodeCertPEM(kubeSchedulerCrt)))`
			`certs[KubeSchedulerName] = CertificatePKI{`
Use Cluster structure Use separate cluster package Save cluster state and certs to kubernetes Handle Remove and sync cluster state/crts Reuse kubernetes client and combine image and version Separate building functions and small fixes 2017-11-02 10:07:10 +00:00			`Certificate: kubeSchedulerCrt,`
			`Key: kubeSchedulerKey,`
			`Config: getKubeConfigX509("https://"+cpHosts[0].AdvertiseAddress+":6443", KubeSchedulerName, CACertPath, KubeSchedulerCertPath, KubeSchedulerKeyPath),`
Add default cluster config file and return service container pointer Add more generic functions to go services Add x509 authentication 2017-10-31 13:55:35 +00:00			`}`

			`// generate Kube Proxy certificate and key`
			`logrus.Infof("[certificates] Generating Kube Proxy certificates")`
			`kubeProxyCrt, kubeProxyKey, err := generateClientCertAndKey(caCrt, caKey, KubeProxyCommonName, []string{})`
			`if err != nil {`
			`return nil, err`
			`}`
			`logrus.Debugf("[certificates] Kube Proxy Certificate: %s", string(cert.EncodeCertPEM(kubeProxyCrt)))`
			`certs[KubeProxyName] = CertificatePKI{`
Use Cluster structure Use separate cluster package Save cluster state and certs to kubernetes Handle Remove and sync cluster state/crts Reuse kubernetes client and combine image and version Separate building functions and small fixes 2017-11-02 10:07:10 +00:00			`Certificate: kubeProxyCrt,`
			`Key: kubeProxyKey,`
			`Config: getKubeConfigX509("https://"+cpHosts[0].AdvertiseAddress+":6443", KubeProxyName, CACertPath, KubeProxyCertPath, KubeProxyKeyPath),`
Add default cluster config file and return service container pointer Add more generic functions to go services Add x509 authentication 2017-10-31 13:55:35 +00:00			`}`

Deploy kube config file locally for admin 2017-11-01 21:46:43 +00:00			`// generate Kubelet certificate and key`
Add default cluster config file and return service container pointer Add more generic functions to go services Add x509 authentication 2017-10-31 13:55:35 +00:00			`logrus.Infof("[certificates] Generating Node certificate")`
			`nodeCrt, nodeKey, err := generateClientCertAndKey(caCrt, caKey, KubeNodeCommonName, []string{KubeNodeOrganizationName})`
			`if err != nil {`
			`return nil, err`
			`}`
			`logrus.Debugf("[certificates] Node Certificate: %s", string(cert.EncodeCertPEM(kubeProxyCrt)))`
			`certs[KubeNodeName] = CertificatePKI{`
Use Cluster structure Use separate cluster package Save cluster state and certs to kubernetes Handle Remove and sync cluster state/crts Reuse kubernetes client and combine image and version Separate building functions and small fixes 2017-11-02 10:07:10 +00:00			`Certificate: nodeCrt,`
			`Key: nodeKey,`
			`Config: getKubeConfigX509("https://"+cpHosts[0].AdvertiseAddress+":6443", KubeNodeName, CACertPath, KubeNodeCertPath, KubeNodeKeyPath),`
Add default cluster config file and return service container pointer Add more generic functions to go services Add x509 authentication 2017-10-31 13:55:35 +00:00			`}`
Use Cluster structure Use separate cluster package Save cluster state and certs to kubernetes Handle Remove and sync cluster state/crts Reuse kubernetes client and combine image and version Separate building functions and small fixes 2017-11-02 10:07:10 +00:00			`logrus.Infof("[certificates] Generating admin certificates and kubeconfig")`
Deploy kube config file locally for admin 2017-11-01 21:46:43 +00:00			`kubeAdminCrt, kubeAdminKey, err := generateClientCertAndKey(caCrt, caKey, KubeAdminCommonName, []string{KubeAdminOrganizationName})`
			`if err != nil {`
Use Cluster structure Use separate cluster package Save cluster state and certs to kubernetes Handle Remove and sync cluster state/crts Reuse kubernetes client and combine image and version Separate building functions and small fixes 2017-11-02 10:07:10 +00:00			`return nil, err`
			`}`
			`logrus.Debugf("[certificates] Admin Certificate: %s", string(cert.EncodeCertPEM(kubeAdminCrt)))`
			`certs[KubeAdminCommonName] = CertificatePKI{`
			`Certificate: kubeAdminCrt,`
			`Key: kubeAdminKey,`
			`Config: getKubeConfigX509WithData(`
			`"https://"+cpHosts[0].IP+":6443",`
			`KubeAdminCommonName,`
			`string(cert.EncodeCertPEM(caCrt)),`
			`string(cert.EncodeCertPEM(kubeAdminCrt)),`
			`string(cert.EncodePrivateKeyPEM(kubeAdminKey))),`
			`}`
			`return certs, nil`
Deploy kube config file locally for admin 2017-11-01 21:46:43 +00:00			`}`

Add default cluster config file and return service container pointer Add more generic functions to go services Add x509 authentication 2017-10-31 13:55:35 +00:00			`func generateClientCertAndKey(caCrt x509.Certificate, caKey rsa.PrivateKey, commonName string, orgs []string) (x509.Certificate, rsa.PrivateKey, error) {`
			`rootKey, err := cert.NewPrivateKey()`
			`if err != nil {`
			`return nil, nil, fmt.Errorf("Failed to generate private key for %s certificate: %v", commonName, err)`
			`}`
			`caConfig := cert.Config{`
			`CommonName: commonName,`
			`Organization: orgs,`
			`Usages: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth},`
			`}`
			`clientCert, err := cert.NewSignedCert(caConfig, rootKey, caCrt, caKey)`
			`if err != nil {`
			`return nil, nil, fmt.Errorf("Failed to generate %s certificate: %v", commonName, err)`
			`}`

			`return clientCert, rootKey, nil`
			`}`

			`func generateKubeAPICertAndKey(caCrt x509.Certificate, caKey rsa.PrivateKey, altNames cert.AltNames) (x509.Certificate, *rsa.PrivateKey, error) {`
			`rootKey, err := cert.NewPrivateKey()`
			`if err != nil {`
			`return nil, nil, fmt.Errorf("Failed to generate private key for kube-apiserver certificate: %v", err)`
			`}`
			`caConfig := cert.Config{`
			`CommonName: KubeAPICertName,`
			`Usages: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth, x509.ExtKeyUsageServerAuth},`
			`AltNames: *altNames,`
			`}`
			`kubeCACert, err := cert.NewSignedCert(caConfig, rootKey, caCrt, caKey)`
			`if err != nil {`
			`return nil, nil, fmt.Errorf("Failed to generate kube-apiserver certificate: %v", err)`
			`}`

			`return kubeCACert, rootKey, nil`
			`}`

			`func generateCACertAndKey() (x509.Certificate, rsa.PrivateKey, error) {`
			`rootKey, err := cert.NewPrivateKey()`
			`if err != nil {`
			`return nil, nil, fmt.Errorf("Failed to generate private key for CA certificate: %v", err)`
			`}`
			`caConfig := cert.Config{`
			`CommonName: CACertName,`
			`}`
			`kubeCACert, err := cert.NewSelfSignedCACert(caConfig, rootKey)`
			`if err != nil {`
			`return nil, nil, fmt.Errorf("Failed to generate CA certificate: %v", err)`
			`}`

			`return kubeCACert, rootKey, nil`
			`}`

			`func getAltNames(cpHosts []hosts.Host, clusterDomain string, KubernetesServiceIP net.IP) *cert.AltNames {`
			`ips := []net.IP{}`
			`dnsNames := []string{}`
			`for _, host := range cpHosts {`
			`ips = append(ips, net.ParseIP(host.IP))`
renamed ControlPlaneIP 2017-11-02 09:27:26 +00:00			`if host.IP != host.AdvertiseAddress {`
			`ips = append(ips, net.ParseIP(host.AdvertiseAddress))`
add support for specifc control plane IP per host 2017-10-31 11:39:21 +00:00			`}`
Add default cluster config file and return service container pointer Add more generic functions to go services Add x509 authentication 2017-10-31 13:55:35 +00:00			`dnsNames = append(dnsNames, host.Hostname)`
			`}`
			`ips = append(ips, net.ParseIP("127.0.0.1"))`
			`ips = append(ips, KubernetesServiceIP)`
			`dnsNames = append(dnsNames, []string{`
			`"localhost",`
			`"kubernetes",`
			`"kubernetes.default",`
			`"kubernetes.default.svc",`
			`"kubernetes.default.svc." + clusterDomain,`
			`}...)`
			`return &cert.AltNames{`
			`IPs: ips,`
			`DNSNames: dnsNames,`
			`}`
			`}`
No results found.