// PerformTLSBootstrap creates a RESTful client in order to execute certificate signing request.
//
// The flow is: build a base client config for apiEndpoint from caCert, derive a
// token-authenticated config from s.Secrets.BearerToken, generate a fresh private
// key, submit a CSR for this node under the "kubelet-<nodeName>" identity, and
// return a client config that authenticates with that key and the signed
// certificate instead of the bootstrap token. Any failure is returned as an
// error prefixed with "<node/csr>" and a nil config.
func PerformTLSBootstrap(s *kubeadmapi.KubeadmConfig, apiEndpoint string, caCert []byte) (*clientcmdapi.Config, error) {
	// TODO(phase1+) try all the api servers until we find one that works
	// caCert is handed to the base config here; presumably it is what the
	// client uses to verify the API server's TLS identity — confirm in kubeadmutil.
	baseCfg := kubeadmutil.CreateBasicClientConfig("kubernetes", apiEndpoint, caCert)

	host, err := os.Hostname()
	if err != nil {
		return nil, fmt.Errorf("<node/csr> failed to get node hostname [%v]", err)
	}
	// TODO: hostname == nodename doesn't hold on all clouds (AWS).
	// But we don't have a cloudprovider, so we're stuck.
	// This is logged at error level although it is only an assumption notice;
	// kept as-is to preserve the existing log output.
	glog.Errorf("assuming that hostname is the same as NodeName")
	nodeName := types.NodeName(host)
	// The same user name is used for the token-authenticated bootstrap config
	// and for the final certificate-authenticated config.
	kubeletUser := fmt.Sprintf("kubelet-%s", nodeName)

	// Token-authenticated config: only used for the CSR round trip below.
	tokenCfg := kubeadmutil.MakeClientConfigWithToken(baseCfg, "kubernetes", kubeletUser, s.Secrets.BearerToken)
	restCfg, err := clientcmd.NewDefaultClientConfig(*tokenCfg, &clientcmd.ConfigOverrides{}).ClientConfig()
	if err != nil {
		return nil, fmt.Errorf("<node/csr> failed to create API client configuration [%v]", err)
	}

	certClient, err := unversionedcertificates.NewForConfig(restCfg)
	if err != nil {
		return nil, fmt.Errorf("<node/csr> failed to create API client [%v]", err)
	}
	csrs := certClient.CertificateSigningRequests()

	// TODO(phase1+) checkCertsAPI() has a side-effect of making first attempt of communicating with the API,
	// we should _make it more explicit_ and have a user-settable _retry timeout_ to account for potential connectivity issues
	// (for example user may be bringing up machines in parallel and for some reasons master is slow to boot)
	if err := checkCertsAPI(restCfg); err != nil {
		return nil, fmt.Errorf("<node/csr> failed to proceed due to API compatibility issue - %v", err)
	}
	fmt.Println("<node/csr> created API client to obtain unique certificate for this node, generating keys and certificate signing request")

	// The private key is generated locally and never sent to the API server;
	// only the CSR derived from it is submitted.
	privKey, err := certutil.MakeEllipticPrivateKeyPEM()
	if err != nil {
		return nil, fmt.Errorf("<node/csr> failed to generating private key [%v]", err)
	}
	signedCert, err := csr.RequestNodeCertificate(csrs, privKey, nodeName)
	if err != nil {
		return nil, fmt.Errorf("<node/csr> failed to request signed certificate from the API server [%v]", err)
	}
	// TODO(phase1+) print some basic info about the cert
	fmt.Println("<node/csr> received signed certificate from the API server, generating kubelet configuration")

	// The returned config carries the key/cert pair, not the bootstrap token.
	return kubeadmutil.MakeClientConfigWithCerts(baseCfg, "kubernetes", kubeletUser, privKey, signedCert), nil
}
// PerformTLSBootstrap creates a RESTful client in order to execute certificate signing request.
//
// The flow is: build a base client config for apiEndpoint from caCert, derive a
// token-authenticated config from s.Secrets.BearerToken, generate a fresh private
// key, submit a CSR for this node under the "kubelet-<nodeName>" identity, print
// the signed certificate, and return a client config that authenticates with
// that key and certificate instead of the bootstrap token. Any failure is
// returned as an error prefixed with "<node/csr>" and a nil config.
func PerformTLSBootstrap(s *kubeadmapi.NodeConfiguration, apiEndpoint string, caCert []byte) (*clientcmdapi.Config, error) {
	// TODO(phase1+) try all the api servers until we find one that works
	// caCert is handed to the base config here; presumably it is what the
	// client uses to verify the API server's TLS identity — confirm in kubeadmutil.
	baseCfg := kubeadmutil.CreateBasicClientConfig("kubernetes", apiEndpoint, caCert)

	host, err := os.Hostname()
	if err != nil {
		return nil, fmt.Errorf("<node/csr> failed to get node hostname [%v]", err)
	}
	// TODO(phase1+) https://github.com/kubernetes/kubernetes/issues/33641
	nodeName := types.NodeName(host)
	// The same user name is used for the token-authenticated bootstrap config
	// and for the final certificate-authenticated config.
	kubeletUser := fmt.Sprintf("kubelet-%s", nodeName)

	// Token-authenticated config: only used for the CSR round trip below.
	tokenCfg := kubeadmutil.MakeClientConfigWithToken(baseCfg, "kubernetes", kubeletUser, s.Secrets.BearerToken)
	restCfg, err := clientcmd.NewDefaultClientConfig(*tokenCfg, &clientcmd.ConfigOverrides{}).ClientConfig()
	if err != nil {
		return nil, fmt.Errorf("<node/csr> failed to create API client configuration [%v]", err)
	}

	certClient, err := unversionedcertificates.NewForConfig(restCfg)
	if err != nil {
		return nil, fmt.Errorf("<node/csr> failed to create API client [%v]", err)
	}
	csrs := certClient.CertificateSigningRequests()

	// TODO(phase1+) https://github.com/kubernetes/kubernetes/issues/33643
	if err := checkCertsAPI(restCfg); err != nil {
		return nil, fmt.Errorf("<node/csr> failed to proceed due to API compatibility issue - %v", err)
	}
	fmt.Println("<node/csr> created API client to obtain unique certificate for this node, generating keys and certificate signing request")

	// The private key is generated locally and never sent to the API server;
	// only the CSR derived from it is submitted.
	privKey, err := certutil.MakeEllipticPrivateKeyPEM()
	if err != nil {
		return nil, fmt.Errorf("<node/csr> failed to generating private key [%v]", err)
	}
	signedCert, err := csr.RequestNodeCertificate(csrs, privKey, nodeName)
	if err != nil {
		return nil, fmt.Errorf("<node/csr> failed to request signed certificate from the API server [%v]", err)
	}

	// Only the signed certificate is printed; the private key never reaches stdout.
	prettyCert, err := certutil.FormatBytesCert(signedCert)
	if err != nil {
		return nil, fmt.Errorf("<node/csr> failed to format certificate [%v]", err)
	}
	fmt.Printf("<node/csr> received signed certificate from the API server:\n%s\n", prettyCert)
	fmt.Println("<node/csr> generating kubelet configuration")

	// The returned config carries the key/cert pair, not the bootstrap token.
	return kubeadmutil.MakeClientConfigWithCerts(baseCfg, "kubernetes", kubeletUser, privKey, signedCert), nil
}
// creates a set of clients for this endpoint func createClients(caCert []byte, endpoint, token string, nodeName types.NodeName) (*clientset.Clientset, error) { bareClientConfig := kubeadmutil.CreateBasicClientConfig("kubernetes", endpoint, caCert) bootstrapClientConfig, err := clientcmd.NewDefaultClientConfig( *kubeadmutil.MakeClientConfigWithToken( bareClientConfig, "kubernetes", fmt.Sprintf("kubelet-%s", nodeName), token, ), &clientcmd.ConfigOverrides{}, ).ClientConfig() if err != nil { return nil, fmt.Errorf("failed to create API client configuration [%v]", err) } clientSet, err := clientset.NewForConfig(bootstrapClientConfig) if err != nil { return nil, fmt.Errorf("failed to create clients for the API endpoint %s [%v]", endpoint, err) } return clientSet, nil }