// initTLSCA generates a fresh RSA private key and a self-signed CA
// certificate described by cfg, then persists them through writeKey
// (to keyPath) and writeCert (to certPath).
//
// On any failure the error is returned and both results are nil. The key
// is written before the certificate, so a failure while writing the
// certificate can leave the key already on disk; callers that care about
// partial state must clean up. How writeKey/writeCert set file
// permissions is not visible in this file.
//
// Return order is (key, cert), the opposite of (*TLSConfig).generateTLSCA.
func initTLSCA(cfg tlsutil.CACertConfig, keyPath, certPath string) (*rsa.PrivateKey, *x509.Certificate, error) {
	caKey, err := tlsutil.NewPrivateKey()
	if err != nil {
		return nil, nil, err
	}

	caCert, err := tlsutil.NewSelfSignedCACertificate(cfg, caKey)
	if err != nil {
		return nil, nil, err
	}

	// Persist the key first; only attempt the certificate if that worked.
	err = writeKey(keyPath, caKey)
	if err == nil {
		err = writeCert(certPath, caCert)
	}
	if err != nil {
		return nil, nil, err
	}
	return caKey, caCert, nil
}
// generateTLSCA creates a new RSA key and a self-signed CA certificate for
// cfg and writes them as PEM blocks via tlsutil to tc.CAKey and tc.CACert
// (presumably file paths — their type is not visible here; confirm).
//
// Any error aborts with nil results. The key is written before the
// certificate, so a certificate write failure can leave the key behind.
// Note the return order is (cert, key), the reverse of initTLSCA.
func (tc *TLSConfig) generateTLSCA(cfg tlsutil.CACertConfig) (*x509.Certificate, *rsa.PrivateKey, error) {
	privKey, err := tlsutil.NewPrivateKey()
	if err != nil {
		return nil, nil, err
	}

	caCert, err := tlsutil.NewSelfSignedCACertificate(cfg, privKey)
	if err != nil {
		return nil, nil, err
	}

	// Key first, then certificate; stop at the first write error.
	err = tlsutil.WritePrivateKeyPEMBlock(tc.CAKey, privKey)
	if err == nil {
		err = tlsutil.WriteCertificatePEMBlock(tc.CACert, caCert)
	}
	if err != nil {
		return nil, nil, err
	}
	return caCert, privKey, nil
}
// NewTLSAssets generates the full set of PEM-encoded TLS material for the
// cluster: a self-signed CA, a server certificate for the API server, and
// client certificates for workers and the admin user, each with its own
// RSA key. Nothing is written to disk; only encoded bytes are returned.
//
// Validity comes from c.TLSCADurationDays and c.TLSCertDurationDays,
// interpreted as whole days (a zero value yields a zero duration; what
// tlsutil does with that is not visible here). The API server certificate
// carries the in-cluster service names, c.ExternalDNSName, c.ControllerIP
// and the first host address of c.ServiceCIDR (network address + 1 via
// incrementIP). The worker client certificate carries wildcard
// EC2-internal DNS SANs as configured below; whether any verifier acts on
// them is not visible in this file. Empty c.ExternalDNSName or
// c.ControllerIP values are passed through unchecked — presumably
// validated by the caller; confirm.
//
// Returns an error if any key or certificate cannot be generated or if
// c.ServiceCIDR does not parse as a CIDR.
func (c *Cluster) NewTLSAssets() (*RawTLSAssets, error) {
	const day = 24 * time.Hour
	caDuration := time.Duration(c.TLSCADurationDays) * day
	certDuration := time.Duration(c.TLSCertDurationDays) * day

	// One key per component, generated in the same order as before.
	caKey, err := tlsutil.NewPrivateKey()
	if err != nil {
		return nil, err
	}
	apiServerKey, err := tlsutil.NewPrivateKey()
	if err != nil {
		return nil, err
	}
	workerKey, err := tlsutil.NewPrivateKey()
	if err != nil {
		return nil, err
	}
	adminKey, err := tlsutil.NewPrivateKey()
	if err != nil {
		return nil, err
	}

	caCert, err := tlsutil.NewSelfSignedCACertificate(tlsutil.CACertConfig{
		CommonName:   "kube-ca",
		Organization: "kube-aws",
		Duration:     caDuration,
	}, caKey)
	if err != nil {
		return nil, err
	}

	// The kubernetes service IP is the first host address of the service
	// network: ParseCIDR yields the network address, incrementIP adds one.
	_, serviceNet, err := net.ParseCIDR(c.ServiceCIDR)
	if err != nil {
		return nil, fmt.Errorf("invalid serviceCIDR: %v", err)
	}
	kubernetesServiceIP := incrementIP(serviceNet.IP).String()

	apiServerCert, err := tlsutil.NewSignedServerCertificate(tlsutil.ServerCertConfig{
		CommonName: "kube-apiserver",
		DNSNames: []string{
			"kubernetes",
			"kubernetes.default",
			"kubernetes.default.svc",
			"kubernetes.default.svc.cluster.local",
			c.ExternalDNSName,
		},
		IPAddresses: []string{
			c.ControllerIP,
			kubernetesServiceIP,
		},
		Duration: certDuration,
	}, apiServerKey, caCert, caKey)
	if err != nil {
		return nil, err
	}

	// Worker client certificate with wildcard EC2-internal hostnames as SANs.
	workerCert, err := tlsutil.NewSignedClientCertificate(tlsutil.ClientCertConfig{
		CommonName: "kube-worker",
		DNSNames: []string{
			"*.*.compute.internal",
			"*.ec2.internal",
		},
		Duration: certDuration,
	}, workerKey, caCert, caKey)
	if err != nil {
		return nil, err
	}

	adminCert, err := tlsutil.NewSignedClientCertificate(tlsutil.ClientCertConfig{
		CommonName: "kube-admin",
		Duration:   certDuration,
	}, adminKey, caCert, caKey)
	if err != nil {
		return nil, err
	}

	assets := &RawTLSAssets{
		CACert:        tlsutil.EncodeCertificatePEM(caCert),
		APIServerCert: tlsutil.EncodeCertificatePEM(apiServerCert),
		WorkerCert:    tlsutil.EncodeCertificatePEM(workerCert),
		AdminCert:     tlsutil.EncodeCertificatePEM(adminCert),
		CAKey:         tlsutil.EncodePrivateKeyPEM(caKey),
		APIServerKey:  tlsutil.EncodePrivateKeyPEM(apiServerKey),
		WorkerKey:     tlsutil.EncodePrivateKeyPEM(workerKey),
		AdminKey:      tlsutil.EncodePrivateKeyPEM(adminKey),
	}
	return assets, nil
}