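// ApplyAuthenticationOptions copies the authentication-related settings from o
// into c and returns c. Two things are applied:
//
//   - when c has secure serving configured, the CA bundles named by
//     o.ClientCert.ClientCA and o.RequestHeader.ClientCAFile are loaded and
//     appended to c.SecureServingInfo.ClientCA; any client certificate chaining
//     to any CA in that pool is accepted during the TLS handshake
//   - c.SupportsBasicAuth is set according to whether a basic-auth file was given
//
// It returns (nil, error) if a CA file cannot be read or parsed. Note that a
// CA pool already present on c is kept and extended, not replaced.
//
// NOTE(review): when o.PasswordFile is nil the function returns immediately and
// the client CA files are *not* loaded, even though they are unrelated to
// password authentication — confirm this coupling is intended.
func (c *Config) ApplyAuthenticationOptions(o *options.BuiltInAuthenticationOptions) (*Config, error) {
	if o == nil || o.PasswordFile == nil {
		return c, nil
	}

	if c.SecureServingInfo != nil {
		if o.ClientCert != nil && len(o.ClientCert.ClientCA) > 0 {
			if err := c.addClientCAsFromFile(o.ClientCert.ClientCA); err != nil {
				return nil, fmt.Errorf("unable to load client CA file: %v", err)
			}
		}
		if o.RequestHeader != nil && len(o.RequestHeader.ClientCAFile) > 0 {
			if err := c.addClientCAsFromFile(o.RequestHeader.ClientCAFile); err != nil {
				return nil, fmt.Errorf("unable to load requestheader client CA file: %v", err)
			}
		}
	}

	c.SupportsBasicAuth = len(o.PasswordFile.BasicAuthFile) > 0
	return c, nil
}

// addClientCAsFromFile reads every certificate in caFile and adds it to
// c.SecureServingInfo.ClientCA, creating the pool if it does not exist yet.
// The caller is responsible for checking that c.SecureServingInfo is non-nil.
// The error from certutil.CertsFromFile is returned unwrapped so the caller can
// attach a message naming which option the file came from.
func (c *Config) addClientCAsFromFile(caFile string) error {
	certs, err := certutil.CertsFromFile(caFile)
	if err != nil {
		return err
	}
	if c.SecureServingInfo.ClientCA == nil {
		c.SecureServingInfo.ClientCA = x509.NewCertPool()
	}
	for _, cert := range certs {
		c.SecureServingInfo.ClientCA.AddCert(cert)
	}
	return nil
}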
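// CreateAdminAndKubeletKubeConfig reads the CA certificate ("ca.pem") and the
// CA private key ("ca-key.pem") from pkiDir and writes two kubeconfig files
// into outDir: one for the admin user (organization system:masters, i.e. full
// cluster access) and one for the kubelet (organization system:nodes).
// masterEndpoint is the API server address recorded in both files.
//
// It returns an error if either CA file cannot be read, if the CA file holds no
// certificate, if the CA key is not an RSA key, or if either kubeconfig cannot
// be created. Files already written before a failure are not removed.
//
// This function is called from the main init and does the work for the default phase behaviour
// TODO: Make an integration test for this function that runs after the certificates phase
// and makes sure that those two phases work well together...
func CreateAdminAndKubeletKubeConfig(masterEndpoint, pkiDir, outDir string) error {
	// Parse the certificate from a file
	caCertPath := path.Join(pkiDir, "ca.pem")
	caCerts, err := certutil.CertsFromFile(caCertPath)
	if err != nil {
		return fmt.Errorf("couldn't load the CA cert file %s: %v", caCertPath, err)
	}
	// We only put one certificate in the CA certificate pem file, so the first one
	// is the CA. Check the bundle is non-empty rather than indexing blindly.
	if len(caCerts) == 0 {
		return fmt.Errorf("the CA cert file %s doesn't contain any certificates", caCertPath)
	}
	caCert := caCerts[0]

	// Parse the rsa private key from a file
	caKeyPath := path.Join(pkiDir, "ca-key.pem")
	priv, err := certutil.PrivateKeyFromFile(caKeyPath)
	if err != nil {
		return fmt.Errorf("couldn't load the CA private key file %s: %v", caKeyPath, err)
	}
	// Only RSA keys are accepted because certutil.NewSignedCert (used by
	// createKubeConfigFileForClient) takes an *rsa.PrivateKey.
	var caKey *rsa.PrivateKey
	switch k := priv.(type) {
	case *rsa.PrivateKey:
		caKey = k
	case *ecdsa.PrivateKey:
		// TODO: Abstract rsa.PrivateKey away and make certutil.NewSignedCert accept a ecdsa.PrivateKey as well
		// After that, we can support generating kubeconfig files from ecdsa private keys as well
		return fmt.Errorf("the CA private key file %s isn't in RSA format", caKeyPath)
	default:
		return fmt.Errorf("the CA private key file %s isn't in RSA format", caKeyPath)
	}

	// User admin should have full access to the cluster
	adminCertConfig := &certutil.Config{
		CommonName:   AdminKubeConfigClientName,
		Organization: []string{"system:masters"},
	}
	adminKubeConfigFilePath := path.Join(outDir, AdminKubeConfigFileName)
	if err := createKubeConfigFileForClient(masterEndpoint, adminKubeConfigFilePath, adminCertConfig, caCert, caKey); err != nil {
		return fmt.Errorf("couldn't create config for %s: %v", AdminKubeConfigClientName, err)
	}

	// The kubelet should have limited access to the cluster.
	// NOTE(review): a single kubelet identity (one file, one CommonName, group
	// system:nodes) is generated here rather than a per-node identity — confirm
	// that sharing one credential across kubelets is intended.
	kubeletCertConfig := &certutil.Config{
		CommonName:   KubeletKubeConfigClientName,
		Organization: []string{"system:nodes"},
	}
	kubeletKubeConfigFilePath := path.Join(outDir, KubeletKubeConfigFileName)
	if err := createKubeConfigFileForClient(masterEndpoint, kubeletKubeConfigFilePath, kubeletCertConfig, caCert, caKey); err != nil {
		return fmt.Errorf("couldn't create config for %s: %v", KubeletKubeConfigClientName, err)
	}

	// TODO make credentials for the controller manager and kube proxy

	return nil
}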
// applyClientCert loads every certificate in clientCAFile and appends it to the
// client CA pool of c.SecureServingInfo, creating the pool if needed, then
// returns c. Because certificates are appended to any pool already present, the
// resulting pool trusts the union of all CAs added so far. When secure serving
// is not configured or clientCAFile is empty, c is returned unchanged.
//
// It returns (nil, error) if the file cannot be read or parsed.
func (c *Config) applyClientCert(clientCAFile string) (*Config, error) {
	// Nothing to do without a secure listener or without a file to read.
	if c.SecureServingInfo == nil || clientCAFile == "" {
		return c, nil
	}

	certs, err := certutil.CertsFromFile(clientCAFile)
	if err != nil {
		return nil, fmt.Errorf("unable to load client CA file: %v", err)
	}

	pool := c.SecureServingInfo.ClientCA
	if pool == nil {
		pool = x509.NewCertPool()
		c.SecureServingInfo.ClientCA = pool
	}
	for _, cert := range certs {
		pool.AddCert(cert)
	}

	return c, nil
}