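// ApplyAuthenticationOptions wires the built-in authentication options into
// the server config: every certificate in the client-cert CA file and in the
// request-header CA file is added to the secure serving client CA pool, and
// SupportsBasicAuth is set from the password-file option group.
//
// Both CA files feed the same pool, so a certificate chaining to either file
// satisfies client-certificate verification; the request-header CA therefore
// needs to be controlled as tightly as the client CA itself.
//
// A nil option group is skipped: a nil ClientCert or RequestHeader loads no
// CAs, and a nil PasswordFile leaves SupportsBasicAuth untouched. Without
// SecureServingInfo there is no TLS handshake to verify clients against, so
// the CA files are ignored in that case.
//
// Returns nil and an error if a CA file cannot be read or parsed.
func (c *Config) ApplyAuthenticationOptions(o *options.BuiltInAuthenticationOptions) (*Config, error) {
	if o == nil {
		return c, nil
	}

	// addClientCAs parses every certificate in caFile and adds it to the
	// client CA pool, creating the pool on first use. An empty caFile is a
	// no-op; what names the option in the error message.
	addClientCAs := func(caFile, what string) error {
		if len(caFile) == 0 {
			return nil
		}
		certs, err := certutil.CertsFromFile(caFile)
		if err != nil {
			return fmt.Errorf("unable to load %s file: %v", what, err)
		}
		if c.SecureServingInfo.ClientCA == nil {
			c.SecureServingInfo.ClientCA = x509.NewCertPool()
		}
		for _, cert := range certs {
			c.SecureServingInfo.ClientCA.AddCert(cert)
		}
		return nil
	}

	if c.SecureServingInfo != nil {
		if o.ClientCert != nil {
			if err := addClientCAs(o.ClientCert.ClientCA, "client CA"); err != nil {
				return nil, err
			}
		}
		if o.RequestHeader != nil {
			if err := addClientCAs(o.RequestHeader.ClientCAFile, "requestheader client CA"); err != nil {
				return nil, err
			}
		}
	}

	// CA loading is deliberately not gated on PasswordFile: a missing
	// password-file option group must not silently disable client-cert
	// authentication.
	if o.PasswordFile != nil {
		c.SupportsBasicAuth = len(o.PasswordFile.BasicAuthFile) > 0
	}
	return c, nil
}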
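// CreateAdminAndKubeletKubeConfig is called from the main init and does the
// work for the default phase behaviour: it loads the cluster CA certificate
// (ca.pem) and private key (ca-key.pem) from pkiDir, then signs two client
// certificates with that CA and writes them into kubeconfig files under
// outDir:
//
//   - an admin credential (CommonName AdminKubeConfigClientName) in the
//     "system:masters" group, which grants full cluster access; being a
//     certificate it cannot be revoked short of rotating the CA, so the
//     resulting file is as sensitive as ca-key.pem;
//   - a kubelet credential (CommonName KubeletKubeConfigClientName) in the
//     "system:nodes" group, which is meant to have limited access.
//
// masterEndpoint is the API server address passed through to
// createKubeConfigFileForClient for each file.
//
// Only RSA CA keys are supported; an ECDSA key (or any other type) is
// rejected with an error. Returns an error if either PKI file cannot be read
// or parsed, if ca.pem contains no certificate, or if either kubeconfig
// cannot be created.
//
// TODO: Make an integration test for this function that runs after the certificates phase
// and makes sure that those two phases work well together...
func CreateAdminAndKubeletKubeConfig(masterEndpoint, pkiDir, outDir string) error {
	// Parse the certificate from a file.
	// NOTE(review): path.Join is slash-only; filepath.Join is the OS-correct
	// choice for on-disk paths, but switching it needs an import change.
	caCertPath := path.Join(pkiDir, "ca.pem")
	caCerts, err := certutil.CertsFromFile(caCertPath)
	if err != nil {
		return fmt.Errorf("couldn't load the CA cert file %s: %v", caCertPath, err)
	}
	// We only put one certificate in the CA certificate pem file, so the
	// first one is the CA. Guard against an empty file instead of indexing
	// blindly, so a bad PKI directory yields an error rather than a panic.
	if len(caCerts) == 0 {
		return fmt.Errorf("the CA cert file %s contains no certificates", caCertPath)
	}
	caCert := caCerts[0]

	// Parse the rsa private key from a file
	caKeyPath := path.Join(pkiDir, "ca-key.pem")
	priv, err := certutil.PrivateKeyFromFile(caKeyPath)
	if err != nil {
		return fmt.Errorf("couldn't load the CA private key file %s: %v", caKeyPath, err)
	}
	var caKey *rsa.PrivateKey
	switch k := priv.(type) {
	case *rsa.PrivateKey:
		caKey = k
	case *ecdsa.PrivateKey:
		// TODO: Abstract rsa.PrivateKey away and make certutil.NewSignedCert accept a ecdsa.PrivateKey as well
		// After that, we can support generating kubeconfig files from ecdsa private keys as well
		return fmt.Errorf("the CA private key file %s isn't in RSA format", caKeyPath)
	default:
		return fmt.Errorf("the CA private key file %s isn't in RSA format", caKeyPath)
	}

	// User admin should have full access to the cluster: system:masters is
	// the superuser group, so this file must be protected accordingly.
	adminCertConfig := &certutil.Config{
		CommonName:   AdminKubeConfigClientName,
		Organization: []string{"system:masters"},
	}
	adminKubeConfigFilePath := path.Join(outDir, AdminKubeConfigFileName)
	if err := createKubeConfigFileForClient(masterEndpoint, adminKubeConfigFilePath, adminCertConfig, caCert, caKey); err != nil {
		return fmt.Errorf("couldn't create config for %s: %v", AdminKubeConfigClientName, err)
	}

	// The kubelet should have limited access to the cluster
	kubeletCertConfig := &certutil.Config{
		CommonName:   KubeletKubeConfigClientName,
		Organization: []string{"system:nodes"},
	}
	kubeletKubeConfigFilePath := path.Join(outDir, KubeletKubeConfigFileName)
	if err := createKubeConfigFileForClient(masterEndpoint, kubeletKubeConfigFilePath, kubeletCertConfig, caCert, caKey); err != nil {
		return fmt.Errorf("couldn't create config for %s: %v", KubeletKubeConfigClientName, err)
	}

	// TODO make credentials for the controller manager and kube proxy
	return nil
}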
// applyClientCert adds every certificate found in clientCAFile to the
// SecureServingInfo client CA pool, creating the pool on first use, and
// returns the config. An empty file name or a nil SecureServingInfo is a
// no-op. Returns nil and an error if the file cannot be read or parsed.
func (c *Config) applyClientCert(clientCAFile string) (*Config, error) {
	if c.SecureServingInfo == nil || len(clientCAFile) == 0 {
		return c, nil
	}

	cas, err := certutil.CertsFromFile(clientCAFile)
	if err != nil {
		return nil, fmt.Errorf("unable to load client CA file: %v", err)
	}

	pool := c.SecureServingInfo.ClientCA
	if pool == nil {
		pool = x509.NewCertPool()
		c.SecureServingInfo.ClientCA = pool
	}
	for _, ca := range cas {
		pool.AddCert(ca)
	}
	return c, nil
}