// newKubeletKeyAndCert generates a fresh private key and a certificate for it
// with CommonName "kubelet" and Organization "kube-node", signed by the
// supplied CA certificate and key through tlsutil.NewSignedCertificate.
//
// Key usage, validity and any SANs are decided inside tlsutil and are not
// visible here. Returns (key, cert, nil) on success, or (nil, nil, err) when
// key generation or signing fails.
func newKubeletKeyAndCert(caCert *x509.Certificate, caPrivKey *rsa.PrivateKey) (*rsa.PrivateKey, *x509.Certificate, error) {
	kubeletKey, err := tlsutil.NewPrivateKey()
	if err != nil {
		return nil, nil, err
	}
	cfg := tlsutil.CertConfig{
		CommonName:   "kubelet",
		Organization: []string{"kube-node"},
	}
	signed, err := tlsutil.NewSignedCertificate(cfg, kubeletKey, caCert, caPrivKey)
	if err != nil {
		return nil, nil, err
	}
	return kubeletKey, signed, nil
}
// newTLSAssets produces the PEM-encoded TLS material for a cluster as a list
// of Assets: the CA key and certificate, the API server key and certificate,
// the service-account signing key pair (private key PEM plus public key PEM),
// and the kubelet key and certificate.
//
// If caCert is nil a fresh self-signed CA is generated with newCACert and the
// caPrivKey argument is discarded in favour of the generated key. If caCert is
// non-nil, caPrivKey must be its matching private key: it signs the API server
// and kubelet certificates and is emitted verbatim as AssetPathCAKey — a nil or
// mismatched key is not detected here. altNames is passed through to
// newAPIKeyAndCert, which adds the in-cluster API server names to it.
//
// Any generation or encoding failure aborts with a nil slice and the error.
func newTLSAssets(caCert *x509.Certificate, caPrivKey *rsa.PrivateKey, altNames tlsutil.AltNames) ([]Asset, error) {
	if caCert == nil {
		var err error
		if caPrivKey, caCert, err = newCACert(); err != nil {
			return nil, err
		}
	}

	apiKey, apiCert, err := newAPIKeyAndCert(caCert, caPrivKey, altNames)
	if err != nil {
		return nil, err
	}

	saKey, err := tlsutil.NewPrivateKey()
	if err != nil {
		return nil, err
	}
	saPubPEM, err := tlsutil.EncodePublicKeyPEM(&saKey.PublicKey)
	if err != nil {
		return nil, err
	}

	kubeletKey, kubeletCert, err := newKubeletKeyAndCert(caCert, caPrivKey)
	if err != nil {
		return nil, err
	}

	// Emit in a fixed order: CA, API server, service account, kubelet.
	return []Asset{
		{Name: AssetPathCAKey, Data: tlsutil.EncodePrivateKeyPEM(caPrivKey)},
		{Name: AssetPathCACert, Data: tlsutil.EncodeCertificatePEM(caCert)},
		{Name: AssetPathAPIServerKey, Data: tlsutil.EncodePrivateKeyPEM(apiKey)},
		{Name: AssetPathAPIServerCert, Data: tlsutil.EncodeCertificatePEM(apiCert)},
		{Name: AssetPathServiceAccountPrivKey, Data: tlsutil.EncodePrivateKeyPEM(saKey)},
		{Name: AssetPathServiceAccountPubKey, Data: saPubPEM},
		{Name: AssetPathKubeletKey, Data: tlsutil.EncodePrivateKeyPEM(kubeletKey)},
		{Name: AssetPathKubeletCert, Data: tlsutil.EncodeCertificatePEM(kubeletCert)},
	}, nil
}
// newCACert generates a new private key and a self-signed CA certificate for
// it (CommonName "kube-ca", Organization "kube-aws") via
// tlsutil.NewSelfSignedCACertificate. Validity period, key usage and the CA
// constraints are chosen inside tlsutil and are not visible here.
//
// Returns (key, cert, nil) on success, or (nil, nil, err) if key generation
// or certificate creation fails.
func newCACert() (*rsa.PrivateKey, *x509.Certificate, error) {
	caKey, err := tlsutil.NewPrivateKey()
	if err != nil {
		return nil, nil, err
	}
	caCert, err := tlsutil.NewSelfSignedCACertificate(tlsutil.CertConfig{
		CommonName:   "kube-ca",
		Organization: []string{"kube-aws"},
	}, caKey)
	if err != nil {
		return nil, nil, err
	}
	return caKey, caCert, nil
}
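// newAPIKeyAndCert generates a private key and a CA-signed certificate for the
// API server (CommonName "kube-apiserver", Organization "kube-master").
//
// The certificate's subject alternative names are the caller's altNames plus
// the in-cluster names clients expect: the service IP 10.3.0.1 and the DNS
// names kubernetes, kubernetes.default, kubernetes.default.svc and
// kubernetes.default.svc.cluster.local. The service IP is hard-coded here;
// presumably it is the first address of the cluster's service CIDR and must
// agree with the API server's configuration — confirm against the caller.
//
// altNames is received by value, but its IPs and DNSNames slices share their
// backing arrays with the caller. The extra names are therefore appended to
// fresh copies, so a caller's slice with spare capacity is never written to.
//
// Returns (key, cert, nil) on success, or (nil, nil, err) if key generation
// or signing fails.
func newAPIKeyAndCert(caCert *x509.Certificate, caPrivKey *rsa.PrivateKey, altNames tlsutil.AltNames) (*rsa.PrivateKey, *x509.Certificate, error) {
	key, err := tlsutil.NewPrivateKey()
	if err != nil {
		return nil, nil, err
	}

	// Copy before appending: append on a slice with spare capacity would
	// otherwise write into the caller's backing array.
	ips := make([]net.IP, 0, len(altNames.IPs)+1)
	ips = append(ips, altNames.IPs...)
	altNames.IPs = append(ips, net.ParseIP("10.3.0.1"))

	clusterDNSNames := []string{
		"kubernetes",
		"kubernetes.default",
		"kubernetes.default.svc",
		"kubernetes.default.svc.cluster.local",
	}
	dnsNames := make([]string, 0, len(altNames.DNSNames)+len(clusterDNSNames))
	dnsNames = append(dnsNames, altNames.DNSNames...)
	altNames.DNSNames = append(dnsNames, clusterDNSNames...)

	config := tlsutil.CertConfig{
		CommonName:   "kube-apiserver",
		Organization: []string{"kube-master"},
		AltNames:     altNames,
	}
	cert, err := tlsutil.NewSignedCertificate(config, key, caCert, caPrivKey)
	if err != nil {
		return nil, nil, err
	}
	return key, cert, nil
}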