// PerformTLSBootstrap obtains a node-specific client certificate through the
// CertificateSigningRequest API reachable via connection.CertClient and
// returns a kubeconfig that authenticates with that certificate.
//
// connection supplies the CSR client, the node name (used in the CSR and as
// the kubeconfig user name "kubelet-<node>"), the API endpoint and the CA
// certificate for the resulting kubeconfig. A non-nil error is returned when
// key generation, the CSR round-trip or certificate formatting fails; the
// returned *Config is nil in that case.
func PerformTLSBootstrap(connection *ConnectionDetails) (*clientcmdapi.Config, error) {
	csrAPI := connection.CertClient.CertificateSigningRequests()
	fmt.Println("<node/csr> created API client to obtain unique certificate for this node, generating keys and certificate signing request")

	// A fresh elliptic-curve key per bootstrap; the PEM bytes are handed to the
	// CSR helper and later embedded in the returned kubeconfig.
	privKeyPEM, err := certutil.MakeEllipticPrivateKeyPEM()
	if err != nil {
		return nil, fmt.Errorf("<node/csr> failed to generating private key [%v]", err)
	}

	signedCert, err := csr.RequestNodeCertificate(csrAPI, privKeyPEM, connection.NodeName)
	if err != nil {
		return nil, fmt.Errorf("<node/csr> failed to request signed certificate from the API server [%v]", err)
	}

	// Only the certificate is echoed to stdout; the private key is not printed.
	printable, err := certutil.FormatBytesCert(signedCert)
	if err != nil {
		return nil, fmt.Errorf("<node/csr> failed to format certificate [%v]", err)
	}
	fmt.Printf("<node/csr> received signed certificate from the API server:\n%s\n", printable)
	fmt.Println("<node/csr> generating kubelet configuration")

	// The returned config embeds the private key PEM; a caller that persists it
	// is responsible for the file's permissions.
	userName := fmt.Sprintf("kubelet-%s", connection.NodeName)
	base := kubeadmutil.CreateBasicClientConfig("kubernetes", connection.Endpoint, connection.CACert)
	return kubeadmutil.MakeClientConfigWithCerts(base, "kubernetes", userName, privKeyPEM, signedCert), nil
}
// PerformTLSBootstrap builds a token-authenticated bootstrap client, asks the
// CertificateSigningRequest API for a node certificate, and returns a
// kubeconfig that uses that certificate instead of the bootstrap token.
//
// s.Secrets.BearerToken is used only for the bootstrap client; apiEndpoint and
// caCert go into both the bootstrap and the final client configuration. The
// node name is derived from os.Hostname (see the TODO below). Any failure —
// hostname lookup, client construction, the certs API check, key generation
// or the CSR round-trip — is returned as an error together with a nil *Config.
func PerformTLSBootstrap(s *kubeadmapi.KubeadmConfig, apiEndpoint string, caCert []byte) (*clientcmdapi.Config, error) {
	// TODO(phase1+) try all the api servers until we find one that works
	baseConfig := kubeadmutil.CreateBasicClientConfig("kubernetes", apiEndpoint, caCert)

	hostName, err := os.Hostname()
	if err != nil {
		return nil, fmt.Errorf("<node/csr> failed to get node hostname [%v]", err)
	}
	// TODO: hostname == nodename doesn't hold on all clouds (AWS).
	// But we don't have a cloudprovider, so we're stuck.
	glog.Errorf("assuming that hostname is the same as NodeName")
	nodeName := types.NodeName(hostName)
	// Same user name for the bootstrap and the final kubeconfig.
	userName := fmt.Sprintf("kubelet-%s", nodeName)

	// Bootstrap credentials: the bearer token from s.Secrets, used only until a
	// node-specific certificate has been issued.
	tokenConfig := kubeadmutil.MakeClientConfigWithToken(baseConfig, "kubernetes", userName, s.Secrets.BearerToken)
	restConfig, err := clientcmd.NewDefaultClientConfig(*tokenConfig, &clientcmd.ConfigOverrides{}).ClientConfig()
	if err != nil {
		return nil, fmt.Errorf("<node/csr> failed to create API client configuration [%v]", err)
	}
	certsClient, err := unversionedcertificates.NewForConfig(restConfig)
	if err != nil {
		return nil, fmt.Errorf("<node/csr> failed to create API client [%v]", err)
	}
	csrAPI := certsClient.CertificateSigningRequests()

	// TODO(phase1+) checkCertsAPI() has a side-effect of making first attempt of communicating with the API,
	// we should _make it more explicit_ and have a user-settable _retry timeout_ to account for potential connectivity issues
	// (for example user may be bringing up machines in parallel and for some reasons master is slow to boot)
	if err := checkCertsAPI(restConfig); err != nil {
		return nil, fmt.Errorf("<node/csr> failed to proceed due to API compatibility issue - %v", err)
	}

	fmt.Println("<node/csr> created API client to obtain unique certificate for this node, generating keys and certificate signing request")
	// A fresh elliptic-curve key per bootstrap; it ends up in the returned
	// kubeconfig, so a caller that persists it owns the file permissions.
	privKeyPEM, err := certutil.MakeEllipticPrivateKeyPEM()
	if err != nil {
		return nil, fmt.Errorf("<node/csr> failed to generating private key [%v]", err)
	}
	signedCert, err := csr.RequestNodeCertificate(csrAPI, privKeyPEM, nodeName)
	if err != nil {
		return nil, fmt.Errorf("<node/csr> failed to request signed certificate from the API server [%v]", err)
	}

	// TODO(phase1+) print some basic info about the cert
	fmt.Println("<node/csr> received signed certificate from the API server, generating kubelet configuration")
	return kubeadmutil.MakeClientConfigWithCerts(baseConfig, "kubernetes", userName, privKeyPEM, signedCert), nil
}
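// CreateCertsAndConfigForClients issues one client key pair and certificate
// per name in clientNames, signed by caKey/caCert, and wraps each in a
// kubeconfig pointing at https://<first advertise address>:<cfg.BindPort>.
//
// The returned map is keyed by client name. An error (with a nil map) is
// returned when cfg.AdvertiseAddresses is empty, so the endpoint cannot be
// built, or when issuing any client certificate fails.
func CreateCertsAndConfigForClients(cfg kubeadmapi.API, clientNames []string, caKey *rsa.PrivateKey, caCert *x509.Certificate) (map[string]*clientcmdapi.Config, error) {
	// TODO this is not great, but there is only one address we can use here
	// so we'll pick the first one. Check explicitly instead of panicking on
	// an out-of-range index when the slice is empty.
	if len(cfg.AdvertiseAddresses) == 0 {
		return nil, fmt.Errorf("failure while creating client configurations - no advertise address configured")
	}
	basicClientConfig := kubeadmutil.CreateBasicClientConfig(
		"kubernetes",
		fmt.Sprintf("https://%s:%d", cfg.AdvertiseAddresses[0], cfg.BindPort),
		certutil.EncodeCertPEM(caCert),
	)

	configs := make(map[string]*clientcmdapi.Config, len(clientNames))
	for _, client := range clientNames {
		// A separate key pair per client name; nothing is shared between them.
		key, cert, err := newClientKeyAndCert(caCert, caKey)
		if err != nil {
			return nil, fmt.Errorf("failure while creating %s client certificate - [%v]", client, err)
		}
		configs[client] = kubeadmutil.MakeClientConfigWithCerts(
			basicClientConfig,
			"kubernetes",
			client,
			certutil.EncodePrivateKeyPEM(key),
			certutil.EncodeCertPEM(cert),
		)
	}
	return configs, nil
}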
// PerformTLSBootstrap builds a token-authenticated bootstrap client, asks the
// CertificateSigningRequest API for a node certificate, prints the issued
// certificate, and returns a kubeconfig that authenticates with that
// certificate instead of the bootstrap token.
//
// s.Secrets.BearerToken is used only for the bootstrap client; apiEndpoint and
// caCert go into both the bootstrap and the final client configuration. The
// node name is derived from os.Hostname (see the TODO below). Any failure —
// hostname lookup, client construction, the certs API check, key generation,
// the CSR round-trip or certificate formatting — is returned as an error
// together with a nil *Config.
func PerformTLSBootstrap(s *kubeadmapi.NodeConfiguration, apiEndpoint string, caCert []byte) (*clientcmdapi.Config, error) {
	// TODO(phase1+) try all the api servers until we find one that works
	baseConfig := kubeadmutil.CreateBasicClientConfig("kubernetes", apiEndpoint, caCert)

	hostName, err := os.Hostname()
	if err != nil {
		return nil, fmt.Errorf("<node/csr> failed to get node hostname [%v]", err)
	}
	// TODO(phase1+) https://github.com/kubernetes/kubernetes/issues/33641
	nodeName := types.NodeName(hostName)
	// Same user name for the bootstrap and the final kubeconfig.
	userName := fmt.Sprintf("kubelet-%s", nodeName)

	// Bootstrap credentials: the bearer token from s.Secrets, used only until a
	// node-specific certificate has been issued.
	tokenConfig := kubeadmutil.MakeClientConfigWithToken(baseConfig, "kubernetes", userName, s.Secrets.BearerToken)
	restConfig, err := clientcmd.NewDefaultClientConfig(*tokenConfig, &clientcmd.ConfigOverrides{}).ClientConfig()
	if err != nil {
		return nil, fmt.Errorf("<node/csr> failed to create API client configuration [%v]", err)
	}
	certsClient, err := unversionedcertificates.NewForConfig(restConfig)
	if err != nil {
		return nil, fmt.Errorf("<node/csr> failed to create API client [%v]", err)
	}
	csrAPI := certsClient.CertificateSigningRequests()

	// TODO(phase1+) https://github.com/kubernetes/kubernetes/issues/33643
	if err := checkCertsAPI(restConfig); err != nil {
		return nil, fmt.Errorf("<node/csr> failed to proceed due to API compatibility issue - %v", err)
	}

	fmt.Println("<node/csr> created API client to obtain unique certificate for this node, generating keys and certificate signing request")
	// A fresh elliptic-curve key per bootstrap; it ends up in the returned
	// kubeconfig, so a caller that persists it owns the file permissions.
	privKeyPEM, err := certutil.MakeEllipticPrivateKeyPEM()
	if err != nil {
		return nil, fmt.Errorf("<node/csr> failed to generating private key [%v]", err)
	}
	signedCert, err := csr.RequestNodeCertificate(csrAPI, privKeyPEM, nodeName)
	if err != nil {
		return nil, fmt.Errorf("<node/csr> failed to request signed certificate from the API server [%v]", err)
	}

	// Only the certificate is echoed to stdout; the private key is not printed.
	printable, err := certutil.FormatBytesCert(signedCert)
	if err != nil {
		return nil, fmt.Errorf("<node/csr> failed to format certificate [%v]", err)
	}
	fmt.Printf("<node/csr> received signed certificate from the API server:\n%s\n", printable)
	fmt.Println("<node/csr> generating kubelet configuration")

	return kubeadmutil.MakeClientConfigWithCerts(baseConfig, "kubernetes", userName, privKeyPEM, signedCert), nil
}
// createControllerManagerKubeconfigSecret builds a kubeconfig for the
// federation controller manager — CA from entKeyPairs.ca, client key and
// certificate from entKeyPairs.controllerManager, server https://<svcName> —
// and hands it to util.CreateKubeconfigSecret to be stored in namespace under
// kubeconfigName. The result of that call is returned unchanged.
//
// name is passed to both kubeconfig helpers (cluster/context naming,
// presumably — confirm in kubeadmutil). The trailing false is forwarded to
// CreateKubeconfigSecret; its meaning is defined there.
func createControllerManagerKubeconfigSecret(clientset *client.Clientset, namespace, name, svcName, kubeconfigName string, entKeyPairs *entityKeyPairs) (*api.Secret, error) {
	caPEM := certutil.EncodeCertPEM(entKeyPairs.ca.Cert)
	cmKeyPEM := certutil.EncodePrivateKeyPEM(entKeyPairs.controllerManager.Key)
	cmCertPEM := certutil.EncodeCertPEM(entKeyPairs.controllerManager.Cert)
	serverURL := fmt.Sprintf("https://%s", svcName)

	// The secret carries the controller manager's private key; access to it
	// should be as narrow as the namespace's RBAC allows.
	kubeconfig := kubeadmutil.MakeClientConfigWithCerts(
		kubeadmutil.CreateBasicClientConfig(name, serverURL, caPEM),
		name,
		"federation-controller-manager",
		cmKeyPEM,
		cmCertPEM,
	)
	return util.CreateKubeconfigSecret(clientset, kubeconfig, namespace, kubeconfigName, false)
}