Beispiel #1
// newKubeletKeyAndCert generates a fresh private key and a certificate for it
// signed by the given CA, with subject CN "kubelet" and O "kube-node".
//
// The returned error is nil on success; on failure both the key and the
// certificate are nil.
//
// NOTE(review): every node that receives this bundle shares one identity
// (CN "kubelet", O "kube-node") — there is no per-node name in the subject.
// Confirm this matches how the cluster authorizes kubelets; node-scoped
// authorization needs a per-node identity, which this helper does not produce.
func newKubeletKeyAndCert(caCert *x509.Certificate, caPrivKey *rsa.PrivateKey) (*rsa.PrivateKey, *x509.Certificate, error) {
	priv, err := tlsutil.NewPrivateKey()
	if err != nil {
		return nil, nil, err
	}

	// Key usages and validity are decided inside tlsutil; only the subject is
	// chosen here.
	signed, err := tlsutil.NewSignedCertificate(
		tlsutil.CertConfig{
			CommonName:   "kubelet",
			Organization: []string{"kube-node"},
		},
		priv, caCert, caPrivKey,
	)
	if err != nil {
		return nil, nil, err
	}

	return priv, signed, nil
}
Beispiel #2
// newTLSAssets builds the full set of TLS and service-account key material for
// a cluster: the CA, the API server key pair, the service-account signing key
// pair, and the kubelet key pair.
//
// When caCert is nil a new self-signed CA is generated and used for signing;
// otherwise caCert/caPrivKey are used as-is. altNames is forwarded to the API
// server certificate, which adds the in-cluster service names on top of it.
//
// The returned slice is nil on error. On success it contains PEM-encoded
// material for every AssetPath* name below, including the CA private key and
// every other private key in plaintext — the result must be handled as secret
// material, not as ordinary configuration.
//
// NOTE(review): nothing here checks that caPrivKey is non-nil when caCert is
// supplied; a nil signer would only surface in the signing helpers — confirm
// tlsutil rejects it rather than producing an unusable bundle.
func newTLSAssets(caCert *x509.Certificate, caPrivKey *rsa.PrivateKey, altNames tlsutil.AltNames) ([]Asset, error) {
	if caCert == nil {
		// No CA supplied: mint one and replace both the cert and the signing key.
		generatedKey, generatedCert, err := newCACert()
		if err != nil {
			return nil, err
		}
		caPrivKey, caCert = generatedKey, generatedCert
	}

	// Generation order is kept as: API server, service account, kubelet.
	apiKey, apiCert, err := newAPIKeyAndCert(caCert, caPrivKey, altNames)
	if err != nil {
		return nil, err
	}

	// The service-account key is a plain signing key pair, not a certificate;
	// the public half is emitted as PEM for the token verifier.
	saPrivKey, err := tlsutil.NewPrivateKey()
	if err != nil {
		return nil, err
	}
	saPubPEM, err := tlsutil.EncodePublicKeyPEM(&saPrivKey.PublicKey)
	if err != nil {
		return nil, err
	}

	kubeletKey, kubeletCert, err := newKubeletKeyAndCert(caCert, caPrivKey)
	if err != nil {
		return nil, err
	}

	return []Asset{
		{Name: AssetPathCAKey, Data: tlsutil.EncodePrivateKeyPEM(caPrivKey)},
		{Name: AssetPathCACert, Data: tlsutil.EncodeCertificatePEM(caCert)},
		{Name: AssetPathAPIServerKey, Data: tlsutil.EncodePrivateKeyPEM(apiKey)},
		{Name: AssetPathAPIServerCert, Data: tlsutil.EncodeCertificatePEM(apiCert)},
		{Name: AssetPathServiceAccountPrivKey, Data: tlsutil.EncodePrivateKeyPEM(saPrivKey)},
		{Name: AssetPathServiceAccountPubKey, Data: saPubPEM},
		{Name: AssetPathKubeletKey, Data: tlsutil.EncodePrivateKeyPEM(kubeletKey)},
		{Name: AssetPathKubeletCert, Data: tlsutil.EncodeCertificatePEM(kubeletCert)},
	}, nil
}
Beispiel #3
// newCACert generates a new private key and a self-signed CA certificate for
// it with subject CN "kube-ca" and O "kube-aws".
//
// The returned error is nil on success; on failure both results are nil.
// The private key returned here is the cluster's root signing key — callers
// that persist it (see the asset bundle) are writing the most sensitive secret
// in the cluster.
func newCACert() (*rsa.PrivateKey, *x509.Certificate, error) {
	caKey, err := tlsutil.NewPrivateKey()
	if err != nil {
		return nil, nil, err
	}

	// Validity, key usage and the CA basic constraint are set by tlsutil;
	// this helper only fixes the subject.
	caCert, err := tlsutil.NewSelfSignedCACertificate(
		tlsutil.CertConfig{
			CommonName:   "kube-ca",
			Organization: []string{"kube-aws"},
		},
		caKey,
	)
	if err != nil {
		return nil, nil, err
	}

	return caKey, caCert, nil
}
Beispiel #4
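// newAPIKeyAndCert generates a private key and a CA-signed serving certificate
// for the API server, subject CN "kube-apiserver" and O "kube-master".
//
// The caller's altNames are extended with the in-cluster "kubernetes" service
// names and the service ClusterIP so that in-cluster clients, which connect by
// those names, can verify the certificate. The caller's slices are copied
// before being extended; the original altNames value is never modified through
// a shared backing array.
//
// The returned error is nil on success; on failure both results are nil.
func newAPIKeyAndCert(caCert *x509.Certificate, caPrivKey *rsa.PrivateKey, altNames tlsutil.AltNames) (*rsa.PrivateKey, *x509.Certificate, error) {
	// Address the in-cluster "kubernetes" service answers on.
	// NOTE(review): hard-coded; presumably the first address of the service
	// CIDR — confirm it matches the cluster's actual service network, otherwise
	// in-cluster clients fail certificate verification.
	const kubernetesServiceIP = "10.3.0.1"
	kubernetesServiceDNSNames := []string{
		"kubernetes",
		"kubernetes.default",
		"kubernetes.default.svc",
		"kubernetes.default.svc.cluster.local",
	}

	key, err := tlsutil.NewPrivateKey()
	if err != nil {
		return nil, nil, err
	}

	// Copy into fresh slices before appending: altNames is passed by value,
	// but its slices alias the caller's backing arrays, and appending in place
	// could write the extra SANs into storage the caller still holds.
	ips := make([]net.IP, 0, len(altNames.IPs)+1)
	ips = append(ips, altNames.IPs...)
	altNames.IPs = append(ips, net.ParseIP(kubernetesServiceIP))

	dnsNames := make([]string, 0, len(altNames.DNSNames)+len(kubernetesServiceDNSNames))
	dnsNames = append(dnsNames, altNames.DNSNames...)
	altNames.DNSNames = append(dnsNames, kubernetesServiceDNSNames...)

	config := tlsutil.CertConfig{
		CommonName:   "kube-apiserver",
		Organization: []string{"kube-master"},
		AltNames:     altNames,
	}
	cert, err := tlsutil.NewSignedCertificate(config, key, caCert, caPrivKey)
	if err != nil {
		return nil, nil, err
	}
	return key, cert, nil
}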