Refactor PKI ENV

cluster/kubectl.go

@@ -23,12 +23,20 @@ type KubectlCommand struct {
 
 func (c *Cluster) buildClusterConfigEnv() []string {
 	// This needs to be updated when add more configuration
-	return []string{
-		pki.ConvertConfigToENV(pki.KubeAdminConfigENVName, c.Certificates[pki.KubeAdminCommonName].Config),
-		pki.ConvertConfigToENV(ClusterCIDREnvName, c.ClusterCIDR),
-		pki.ConvertConfigToENV(ClusterDNSServerIPEnvName, c.ClusterDNSServer),
-		pki.ConvertConfigToENV(ClusterDomainEnvName, c.ClusterDomain),
+	environmentMap := map[string]string{
+		ClusterCIDREnvName:        c.ClusterCIDR,
+		ClusterDNSServerIPEnvName: c.ClusterDNSServer,
+		ClusterDomainEnvName:      c.ClusterDomain,
 	}
+	adminConfig := c.Certificates[pki.KubeAdminCommonName]
+	//build ClusterConfigEnv
+	env := []string{
+		adminConfig.ConfigToEnv(),
+	}
+	for k, v := range environmentMap {
+		env = append(env, fmt.Sprintf("%s=%s", k, v))
+	}
+	return env
 }
 
 func (c *Cluster) RunKubectlCmd(kubectlCmd *KubectlCommand) error {

pki/deploy.go

@@ -2,8 +2,6 @@ package pki
 
 import (
 	"context"
-	"crypto/rsa"
-	"crypto/x509"
 	"fmt"
 	"io/ioutil"
 	"time"
@@ -13,42 +11,24 @@ import (
 	"github.com/docker/docker/api/types/container"
 	"github.com/rancher/rke/docker"
 	"github.com/rancher/rke/hosts"
-	"k8s.io/client-go/util/cert"
 )
 
-func ConvertCrtToENV(name string, certificate *x509.Certificate) string {
-	encodedCrt := cert.EncodeCertPEM(certificate)
-	return fmt.Sprintf("%s=%s", name, string(encodedCrt))
-}
-
-func ConvertKeyToENV(name string, key *rsa.PrivateKey) string {
-	encodedKey := cert.EncodePrivateKeyPEM(key)
-	return fmt.Sprintf("%s=%s", name, string(encodedKey))
-}
-
-func ConvertConfigToENV(name string, config string) string {
-	return fmt.Sprintf("%s=%s", name, config)
-}
-
 func DeployCertificatesOnMasters(cpHosts []hosts.Host, crtMap map[string]CertificatePKI) error {
-	env := []string{
-		ConvertCrtToENV(CACertENVName, crtMap[CACertName].Certificate),
-		ConvertKeyToENV(CAKeyENVName, crtMap[CACertName].Key),
-		ConvertCrtToENV(KubeAPICertENVName, crtMap[KubeAPICertName].Certificate),
-		ConvertKeyToENV(KubeAPIKeyENVName, crtMap[KubeAPICertName].Key),
-		ConvertCrtToENV(KubeControllerCertENVName, crtMap[KubeControllerName].Certificate),
-		ConvertKeyToENV(KubeControllerKeyENVName, crtMap[KubeControllerName].Key),
-		ConvertConfigToENV(KubeControllerConfigENVName, crtMap[KubeControllerName].Config),
-		ConvertCrtToENV(KubeSchedulerCertENVName, crtMap[KubeSchedulerName].Certificate),
-		ConvertKeyToENV(KubeSchedulerKeyENVName, crtMap[KubeSchedulerName].Key),
-		ConvertConfigToENV(KubeSchedulerConfigENVName, crtMap[KubeSchedulerName].Config),
-		ConvertCrtToENV(KubeProxyCertENVName, crtMap[KubeProxyName].Certificate),
-		ConvertKeyToENV(KubeProxyKeyENVName, crtMap[KubeProxyName].Key),
-		ConvertConfigToENV(KubeProxyConfigENVName, crtMap[KubeProxyName].Config),
-		ConvertCrtToENV(KubeNodeCertENVName, crtMap[KubeNodeName].Certificate),
-		ConvertKeyToENV(KubeNodeKeyENVName, crtMap[KubeNodeName].Key),
-		ConvertConfigToENV(KubeNodeConfigENVName, crtMap[KubeNodeName].Config),
+	// list of certificates that should be deployed on the masters
+	crtList := []string{
+		CACertName,
+		KubeAPICertName,
+		KubeControllerName,
+		KubeSchedulerName,
+		KubeProxyName,
+		KubeNodeName,
 	}
+	env := []string{}
+	for _, crtName := range crtList {
+		c := crtMap[crtName]
+		env = append(env, c.ToEnv()...)
+	}
+
 	for i := range cpHosts {
 		err := doRunDeployer(&cpHosts[i], env)
 		if err != nil {
@@ -59,15 +39,18 @@ func DeployCertificatesOnMasters(cpHosts []hosts.Host, crtMap map[string]Certifi
 }
 
 func DeployCertificatesOnWorkers(workerHosts []hosts.Host, crtMap map[string]CertificatePKI) error {
-	env := []string{
-		ConvertCrtToENV(CACertENVName, crtMap[CACertName].Certificate),
-		ConvertCrtToENV(KubeProxyCertENVName, crtMap[KubeProxyName].Certificate),
-		ConvertKeyToENV(KubeProxyKeyENVName, crtMap[KubeProxyName].Key),
-		ConvertConfigToENV(KubeProxyConfigENVName, crtMap[KubeProxyName].Config),
-		ConvertCrtToENV(KubeNodeCertENVName, crtMap[KubeNodeName].Certificate),
-		ConvertKeyToENV(KubeNodeKeyENVName, crtMap[KubeNodeName].Key),
-		ConvertConfigToENV(KubeNodeConfigENVName, crtMap[KubeNodeName].Config),
+	// list of certificates that should be deployed on the workers
+	crtList := []string{
+		CACertName,
+		KubeProxyName,
+		KubeNodeName,
 	}
+	env := []string{}
+	for _, crtName := range crtList {
+		c := crtMap[crtName]
+		env = append(env, c.ToEnv()...)
+	}
+
 	for i := range workerHosts {
 		err := doRunDeployer(&workerHosts[i], env)
 		if err != nil {

pki/pki.go

@@ -15,6 +15,15 @@ type CertificatePKI struct {
 	Certificate   *x509.Certificate
 	Key           *rsa.PrivateKey
 	Config        string
+	Name          string
+	CommonName    string
+	OUName        string
+	EnvName       string
+	Path          string
+	KeyEnvName    string
+	KeyPath       string
+	ConfigEnvName string
+	ConfigPath    string
 }
 
 // StartCertificatesGeneration ...
@@ -39,6 +48,11 @@ func generateCerts(cpHosts []hosts.Host, clusterDomain string, KubernetesService
 	certs[CACertName] = CertificatePKI{
 		Certificate: caCrt,
 		Key:         caKey,
+		Name:        CACertName,
+		EnvName:     CACertENVName,
+		KeyEnvName:  CAKeyENVName,
+		Path:        CACertPath,
+		KeyPath:     CAKeyPath,
 	}
 
 	// generate API certificate and key
@@ -52,6 +66,11 @@ func generateCerts(cpHosts []hosts.Host, clusterDomain string, KubernetesService
 	certs[KubeAPICertName] = CertificatePKI{
 		Certificate: kubeAPICrt,
 		Key:         kubeAPIKey,
+		Name:        KubeAPICertName,
+		EnvName:     KubeAPICertENVName,
+		KeyEnvName:  KubeAPIKeyENVName,
+		Path:        KubeAPICertPath,
+		KeyPath:     KubeAPIKeyPath,
 	}
 
 	// generate Kube controller-manager certificate and key
@@ -65,6 +84,14 @@ func generateCerts(cpHosts []hosts.Host, clusterDomain string, KubernetesService
 		Certificate:   kubeControllerCrt,
 		Key:           kubeControllerKey,
 		Config:        getKubeConfigX509("https://"+cpHosts[0].AdvertiseAddress+":6443", KubeControllerName, CACertPath, KubeControllerCertPath, KubeControllerKeyPath),
+		Name:          KubeControllerName,
+		CommonName:    KubeControllerCommonName,
+		EnvName:       KubeControllerCertENVName,
+		KeyEnvName:    KubeControllerKeyENVName,
+		Path:          KubeControllerCertPath,
+		KeyPath:       KubeControllerKeyPath,
+		ConfigEnvName: KubeControllerConfigENVName,
+		ConfigPath:    KubeControllerConfigPath,
 	}
 
 	// generate Kube scheduler certificate and key
@@ -78,6 +105,14 @@ func generateCerts(cpHosts []hosts.Host, clusterDomain string, KubernetesService
 		Certificate:   kubeSchedulerCrt,
 		Key:           kubeSchedulerKey,
 		Config:        getKubeConfigX509("https://"+cpHosts[0].AdvertiseAddress+":6443", KubeSchedulerName, CACertPath, KubeSchedulerCertPath, KubeSchedulerKeyPath),
+		Name:          KubeSchedulerName,
+		CommonName:    KubeSchedulerCommonName,
+		EnvName:       KubeSchedulerCertENVName,
+		KeyEnvName:    KubeSchedulerKeyENVName,
+		Path:          KubeSchedulerCertPath,
+		KeyPath:       KubeSchedulerKeyPath,
+		ConfigEnvName: KubeSchedulerConfigENVName,
+		ConfigPath:    KubeSchedulerConfigPath,
 	}
 
 	// generate Kube Proxy certificate and key
@@ -91,6 +126,14 @@ func generateCerts(cpHosts []hosts.Host, clusterDomain string, KubernetesService
 		Certificate:   kubeProxyCrt,
 		Key:           kubeProxyKey,
 		Config:        getKubeConfigX509("https://"+cpHosts[0].AdvertiseAddress+":6443", KubeProxyName, CACertPath, KubeProxyCertPath, KubeProxyKeyPath),
+		Name:          KubeProxyName,
+		CommonName:    KubeProxyCommonName,
+		EnvName:       KubeProxyCertENVName,
+		Path:          KubeProxyCertPath,
+		KeyEnvName:    KubeProxyKeyENVName,
+		KeyPath:       KubeProxyKeyPath,
+		ConfigEnvName: KubeProxyConfigENVName,
+		ConfigPath:    KubeProxyConfigPath,
 	}
 
 	// generate Kubelet certificate and key
@@ -104,6 +147,15 @@ func generateCerts(cpHosts []hosts.Host, clusterDomain string, KubernetesService
 		Certificate:   nodeCrt,
 		Key:           nodeKey,
 		Config:        getKubeConfigX509("https://"+cpHosts[0].AdvertiseAddress+":6443", KubeNodeName, CACertPath, KubeNodeCertPath, KubeNodeKeyPath),
+		Name:          KubeNodeName,
+		CommonName:    KubeNodeCommonName,
+		OUName:        KubeNodeOrganizationName,
+		EnvName:       KubeNodeCertENVName,
+		KeyEnvName:    KubeNodeKeyENVName,
+		Path:          KubeNodeCertPath,
+		KeyPath:       KubeNodeKeyPath,
+		ConfigEnvName: KubeNodeConfigENVName,
+		ConfigPath:    KubeNodeCommonName,
 	}
 	logrus.Infof("[certificates] Generating admin certificates and kubeconfig")
 	kubeAdminCrt, kubeAdminKey, err := generateClientCertAndKey(caCrt, caKey, KubeAdminCommonName, []string{KubeAdminOrganizationName})
@@ -120,6 +172,10 @@ func generateCerts(cpHosts []hosts.Host, clusterDomain string, KubernetesService
 			string(cert.EncodeCertPEM(caCrt)),
 			string(cert.EncodeCertPEM(kubeAdminCrt)),
 			string(cert.EncodePrivateKeyPEM(kubeAdminKey))),
+		CommonName:    KubeAdminCommonName,
+		OUName:        KubeAdminOrganizationName,
+		ConfigEnvName: KubeAdminConfigENVName,
+		ConfigPath:    KubeAdminConfigPath,
 	}
 	return certs, nil
 }
@@ -200,3 +256,28 @@ func getAltNames(cpHosts []hosts.Host, clusterDomain string, KubernetesServiceIP
 		DNSNames: dnsNames,
 	}
 }
+
+func (c *CertificatePKI) ToEnv() []string {
+	env := []string{
+		c.CertToEnv(),
+		c.KeyToEnv(),
+	}
+	if c.Config != "" {
+		env = append(env, c.ConfigToEnv())
+	}
+	return env
+}
+
+func (c *CertificatePKI) CertToEnv() string {
+	encodedCrt := cert.EncodeCertPEM(c.Certificate)
+	return fmt.Sprintf("%s=%s", c.EnvName, string(encodedCrt))
+}
+
+func (c *CertificatePKI) KeyToEnv() string {
+	encodedKey := cert.EncodePrivateKeyPEM(c.Key)
+	return fmt.Sprintf("%s=%s", c.KeyEnvName, string(encodedKey))
+}
+
+func (c *CertificatePKI) ConfigToEnv() string {
+	return fmt.Sprintf("%s=%s", c.ConfigEnvName, c.Config)
+}