func newServerKeyAndCert(s *kubeadmapi.KubeadmConfig, caCert *x509.Certificate, caKey *rsa.PrivateKey, altNames certutil.AltNames) (*rsa.PrivateKey, *x509.Certificate, error) { key, err := certutil.NewPrivateKey() if err != nil { return nil, nil, fmt.Errorf("unabel to create private key [%v]", err) } internalAPIServerFQDN := []string{ "kubernetes", "kubernetes.default", "kubernetes.default.svc", fmt.Sprintf("kubernetes.default.svc.%s", s.InitFlags.Services.DNSDomain), } internalAPIServerVirtualIP, err := ipallocator.GetIndexedIP(&s.InitFlags.Services.CIDR, 1) if err != nil { return nil, nil, fmt.Errorf("unable to allocate IP address for the API server from the given CIDR (%q) [%v]", &s.InitFlags.Services.CIDR, err) } altNames.IPs = append(altNames.IPs, internalAPIServerVirtualIP) altNames.DNSNames = append(altNames.DNSNames, internalAPIServerFQDN...) config := certutil.Config{ CommonName: "kube-apiserver", AltNames: altNames, } cert, err := certutil.NewSignedCert(config, key, caCert, caKey) if err != nil { return nil, nil, fmt.Errorf("unable to sign certificate [%v]", err) } return key, cert, nil }
// CreatePKIAssets will create and write to disk all PKI assets necessary to establish the control plane. // It first generates a self-signed CA certificate, a server certificate (signed by the CA) and a key for // signing service account tokens. It returns CA key and certificate, which is convenient for use with // client config funcs. func CreatePKIAssets(cfg *kubeadmapi.MasterConfiguration) (*rsa.PrivateKey, *x509.Certificate, error) { var ( err error altNames certutil.AltNames ) for _, a := range cfg.API.AdvertiseAddresses { if ip := net.ParseIP(a); ip != nil { altNames.IPs = append(altNames.IPs, ip) } else { return nil, nil, fmt.Errorf("could not parse ip %q", a) } } altNames.DNSNames = append(altNames.DNSNames, cfg.API.ExternalDNSNames...) pkiPath := path.Join(kubeadmapi.GlobalEnvParams.HostPKIPath) caKey, caCert, err := newCertificateAuthority() if err != nil { return nil, nil, fmt.Errorf("<master/pki> failure while creating CA keys and certificate - %v", err) } if err := writeKeysAndCert(pkiPath, "ca", caKey, caCert); err != nil { return nil, nil, fmt.Errorf("<master/pki> failure while saving CA keys and certificate - %v", err) } fmt.Printf("<master/pki> generated Certificate Authority key and certificate:\n%s\n", certutil.FormatCert(caCert)) pub, prv, cert := pathsKeysCerts(pkiPath, "ca") fmt.Printf("Public: %s\nPrivate: %s\nCert: %s\n", pub, prv, cert) apiKey, apiCert, err := newServerKeyAndCert(cfg, caCert, caKey, altNames) if err != nil { return nil, nil, fmt.Errorf("<master/pki> failure while creating API server keys and certificate - %v", err) } if err := writeKeysAndCert(pkiPath, "apiserver", apiKey, apiCert); err != nil { return nil, nil, fmt.Errorf("<master/pki> failure while saving API server keys and certificate - %v", err) } fmt.Printf("<master/pki> generated API Server key and certificate:\n%s\n", certutil.FormatCert(apiCert)) pub, prv, cert = pathsKeysCerts(pkiPath, "apiserver") fmt.Printf("Public: %s\nPrivate: %s\nCert: %s\n", pub, prv, cert) saKey, err := newServiceAccountKey() if err != nil { return nil, nil, fmt.Errorf("<master/pki> failure while creating service account signing keys [%v]", err) } if err := writeKeysAndCert(pkiPath, "sa", saKey, nil); err != nil { return nil, nil, fmt.Errorf("<master/pki> failure while saving service account signing keys - %v", err) } fmt.Printf("<master/pki> generated Service Account Signing keys:\n") pub, prv, _ = pathsKeysCerts(pkiPath, "sa") fmt.Printf("Public: %s\nPrivate: %s\n", pub, prv) fmt.Printf("<master/pki> created keys and certificates in %q\n", pkiPath) return caKey, caCert, nil }
// CreatePKIAssets will create and write to disk all PKI assets necessary to establish the control plane. // It first generates a self-signed CA certificate, a server certificate (signed by the CA) and a key for // signing service account tokens. It returns CA key and certificate, which is convenient for use with // client config funcs. func CreatePKIAssets(cfg *kubeadmapi.MasterConfiguration) (*rsa.PrivateKey, *x509.Certificate, error) { var ( err error altNames certutil.AltNames ) for _, a := range cfg.API.AdvertiseAddresses { if ip := net.ParseIP(a); ip != nil { altNames.IPs = append(altNames.IPs, ip) } else { return nil, nil, fmt.Errorf("could not parse ip %q", a) } } altNames.DNSNames = append(altNames.DNSNames, cfg.API.ExternalDNSNames...) pkiPath := kubeadmapi.GlobalEnvParams.HostPKIPath caKey, caCert, err := newCertificateAuthority() if err != nil { return nil, nil, fmt.Errorf("failure while creating CA keys and certificate [%v]", err) } if err := writeKeysAndCert(pkiPath, "ca", caKey, caCert); err != nil { return nil, nil, fmt.Errorf("failure while saving CA keys and certificate [%v]", err) } fmt.Println("[certificates] Generated Certificate Authority key and certificate.") apiKey, apiCert, err := newServerKeyAndCert(cfg, caCert, caKey, altNames) if err != nil { return nil, nil, fmt.Errorf("failure while creating API server keys and certificate [%v]", err) } if err := writeKeysAndCert(pkiPath, "apiserver", apiKey, apiCert); err != nil { return nil, nil, fmt.Errorf("failure while saving API server keys and certificate [%v]", err) } fmt.Println("[certificates] Generated API Server key and certificate") saKey, err := newServiceAccountKey() if err != nil { return nil, nil, fmt.Errorf("failure while creating service account signing keys [%v]", err) } if err := writeKeysAndCert(pkiPath, "sa", saKey, nil); err != nil { return nil, nil, fmt.Errorf("failure while saving service account signing keys [%v]", err) } fmt.Println("[certificates] Generated Service Account signing keys") fmt.Printf("[certificates] Created keys and certificates in %q\n", pkiPath) return caKey, caCert, nil }
// CreatePKIAssets will create and write to disk all PKI assets necessary to establish the control plane. // It first generates a self-signed CA certificate, a server certificate (signed by the CA) and a key for // signing service account tokens. It returns CA key and certificate, which is convenient for use with // client config funcs. func CreatePKIAssets(s *kubeadmapi.KubeadmConfig) (*rsa.PrivateKey, *x509.Certificate, error) { var ( err error altNames certutil.AltNames ) altNames.IPs = append(altNames.IPs, s.InitFlags.API.AdvertiseAddrs...) altNames.DNSNames = append(altNames.DNSNames, s.InitFlags.API.ExternalDNSNames...) pkiPath := path.Join(s.EnvParams["host_pki_path"]) caKey, caCert, err := newCertificateAuthority() if err != nil { return nil, nil, fmt.Errorf("<master/pki> failure while creating CA keys and certificate - %v", err) } if err := writeKeysAndCert(pkiPath, "ca", caKey, caCert); err != nil { return nil, nil, fmt.Errorf("<master/pki> failure while saving CA keys and certificate - %v", err) } apiKey, apiCert, err := newServerKeyAndCert(s, caCert, caKey, altNames) if err != nil { return nil, nil, fmt.Errorf("<master/pki> failure while creating API server keys and certificate - %v", err) } if err := writeKeysAndCert(pkiPath, "apiserver", apiKey, apiCert); err != nil { return nil, nil, fmt.Errorf("<master/pki> failure while saving API server keys and certificate - %v", err) } saKey, err := newServiceAccountKey() if err != nil { return nil, nil, fmt.Errorf("<master/pki> failure while creating service account signing keys [%v]", err) } if err := writeKeysAndCert(pkiPath, "sa", saKey, nil); err != nil { return nil, nil, fmt.Errorf("<master/pki> failure while saving service account signing keys - %v", err) } // TODO(phase1+) print a summary of SANs used and checksums (signatures) of each of the certificates fmt.Printf("<master/pki> created keys and certificates in %q\n", pkiPath) return caKey, caCert, nil }
func NewServerKeyPair(ca *KeyPair, commonName, svcName, svcNamespace, dnsDomain string, ips, hostnames []string) (*KeyPair, error) { key, err := certutil.NewPrivateKey() if err != nil { return nil, fmt.Errorf("unable to create a server private key: %v", err) } namespacedName := fmt.Sprintf("%s.%s", svcName, svcNamespace) internalAPIServerFQDN := []string{ svcName, namespacedName, fmt.Sprintf("%s.svc", namespacedName), fmt.Sprintf("%s.svc.%s", namespacedName, dnsDomain), } altNames := certutil.AltNames{} for _, ipStr := range ips { ip := net.ParseIP(ipStr) if ip != nil { altNames.IPs = append(altNames.IPs, ip) } } altNames.DNSNames = append(altNames.DNSNames, hostnames...) altNames.DNSNames = append(altNames.DNSNames, internalAPIServerFQDN...) config := certutil.Config{ CommonName: commonName, AltNames: altNames, } cert, err := certutil.NewSignedCert(config, key, ca.Cert, ca.Key) if err != nil { return nil, fmt.Errorf("unable to sign the server certificate: %v", err) } return &KeyPair{ Key: key, Cert: cert, }, nil }
func newServerKeyAndCert(cfg *kubeadmapi.MasterConfiguration, caCert *x509.Certificate, caKey *rsa.PrivateKey, altNames certutil.AltNames) (*rsa.PrivateKey, *x509.Certificate, error) { key, err := certutil.NewPrivateKey() if err != nil { return nil, nil, fmt.Errorf("unabel to create private key [%v]", err) } internalAPIServerFQDN := []string{ "kubernetes", "kubernetes.default", "kubernetes.default.svc", fmt.Sprintf("kubernetes.default.svc.%s", cfg.Networking.DNSDomain), } _, n, err := net.ParseCIDR(cfg.Networking.ServiceSubnet) if err != nil { return nil, nil, fmt.Errorf("error parsing CIDR %q: %v", cfg.Networking.ServiceSubnet, err) } internalAPIServerVirtualIP, err := ipallocator.GetIndexedIP(n, 1) if err != nil { return nil, nil, fmt.Errorf("unable to allocate IP address for the API server from the given CIDR (%q) [%v]", &cfg.Networking.ServiceSubnet, err) } altNames.IPs = append(altNames.IPs, internalAPIServerVirtualIP) altNames.DNSNames = append(altNames.DNSNames, internalAPIServerFQDN...) config := certutil.Config{ CommonName: "kube-apiserver", AltNames: altNames, } cert, err := certutil.NewSignedCert(config, key, caCert, caKey) if err != nil { return nil, nil, fmt.Errorf("unable to sign certificate [%v]", err) } return key, cert, nil }
// CreatePKIAssets will create and write to disk all PKI assets necessary to establish the control plane. // It first generates a self-signed CA certificate, a server certificate (signed by the CA) and a key for // signing service account tokens. It returns CA key and certificate, which is convenient for use with // client config funcs. func CreatePKIAssets(cfg *kubeadmapi.MasterConfiguration, pkiPath string) (*x509.Certificate, error) { altNames := certutil.AltNames{} // First, define all domains this cert should be signed for internalAPIServerFQDN := []string{ "kubernetes", "kubernetes.default", "kubernetes.default.svc", fmt.Sprintf("kubernetes.default.svc.%s", cfg.Networking.DNSDomain), } hostname, err := os.Hostname() if err != nil { return nil, fmt.Errorf("couldn't get the hostname: %v", err) } altNames.DNSNames = append(cfg.API.ExternalDNSNames, hostname) altNames.DNSNames = append(altNames.DNSNames, internalAPIServerFQDN...) // then, add all IP addresses we're bound to for _, a := range cfg.API.AdvertiseAddresses { if ip := net.ParseIP(a); ip != nil { altNames.IPs = append(altNames.IPs, ip) } else { return nil, fmt.Errorf("could not parse ip %q", a) } } // and lastly, extract the internal IP address for the API server _, n, err := net.ParseCIDR(cfg.Networking.ServiceSubnet) if err != nil { return nil, fmt.Errorf("error parsing CIDR %q: %v", cfg.Networking.ServiceSubnet, err) } internalAPIServerVirtualIP, err := ipallocator.GetIndexedIP(n, 1) if err != nil { return nil, fmt.Errorf("unable to allocate IP address for the API server from the given CIDR (%q) [%v]", &cfg.Networking.ServiceSubnet, err) } altNames.IPs = append(altNames.IPs, internalAPIServerVirtualIP) caKey, caCert, err := newCertificateAuthority() if err != nil { return nil, fmt.Errorf("failure while creating CA keys and certificate [%v]", err) } if err := writeKeysAndCert(pkiPath, "ca", caKey, caCert); err != nil { return nil, fmt.Errorf("failure while saving CA keys and certificate [%v]", err) } fmt.Println("[certificates] Generated Certificate Authority key and certificate.") apiKey, apiCert, err := newServerKeyAndCert(caCert, caKey, altNames) if err != nil { return nil, fmt.Errorf("failure while creating API server keys and certificate [%v]", err) } if err := writeKeysAndCert(pkiPath, "apiserver", apiKey, apiCert); err != nil { return nil, fmt.Errorf("failure while saving API server keys and certificate [%v]", err) } fmt.Println("[certificates] Generated API Server key and certificate") // Generate a private key for service accounts saKey, err := certutil.NewPrivateKey() if err != nil { return nil, fmt.Errorf("failure while creating service account signing keys [%v]", err) } if err := writeKeysAndCert(pkiPath, "sa", saKey, nil); err != nil { return nil, fmt.Errorf("failure while saving service account signing keys [%v]", err) } fmt.Println("[certificates] Generated Service Account signing keys") fmt.Printf("[certificates] Created keys and certificates in %q\n", pkiPath) return caCert, nil }