示例#1
0
func initTLSClient(cfg tlsutil.ClientCertConfig, caCert *x509.Certificate, caKey *rsa.PrivateKey, keyPath, certPath string) error {
	key, err := tlsutil.NewPrivateKey()
	if err != nil {
		return err
	}

	cert, err := tlsutil.NewSignedClientCertificate(cfg, key, caCert, caKey)
	if err != nil {
		return err
	}

	if err := writeKey(keyPath, key); err != nil {
		return err
	}
	if err := writeCert(certPath, cert); err != nil {
		return err
	}

	return nil
}
示例#2
0
func (tc *TLSConfig) generateTLSClientWorker(cfg tlsutil.ClientCertConfig, caCert *x509.Certificate, caKey *rsa.PrivateKey) error {
	key, err := tlsutil.NewPrivateKey()
	if err != nil {
		return err
	}

	cert, err := tlsutil.NewSignedClientCertificate(cfg, key, caCert, caKey)
	if err != nil {
		return err
	}

	if err := tlsutil.WritePrivateKeyPEMBlock(tc.WorkerKey, key); err != nil {
		return err
	}
	if err := tlsutil.WriteCertificatePEMBlock(tc.WorkerCert, cert); err != nil {
		return err
	}

	return nil
}
示例#3
0
func (c *Cluster) NewTLSAssets() (*RawTLSAssets, error) {
	// Convert from days to time.Duration
	caDuration := time.Duration(c.TLSCADurationDays) * 24 * time.Hour
	certDuration := time.Duration(c.TLSCertDurationDays) * 24 * time.Hour

	// Generate keys for the various components.
	keys := make([]*rsa.PrivateKey, 4)
	var err error
	for i := range keys {
		if keys[i], err = tlsutil.NewPrivateKey(); err != nil {
			return nil, err
		}
	}
	caKey, apiServerKey, workerKey, adminKey := keys[0], keys[1], keys[2], keys[3]

	caConfig := tlsutil.CACertConfig{
		CommonName:   "kube-ca",
		Organization: "kube-aws",
		Duration:     caDuration,
	}
	caCert, err := tlsutil.NewSelfSignedCACertificate(caConfig, caKey)
	if err != nil {
		return nil, err
	}

	//Compute kubernetesServiceIP from serviceCIDR
	_, serviceNet, err := net.ParseCIDR(c.ServiceCIDR)
	if err != nil {
		return nil, fmt.Errorf("invalid serviceCIDR: %v", err)
	}
	kubernetesServiceIPAddr := incrementIP(serviceNet.IP)

	apiServerConfig := tlsutil.ServerCertConfig{
		CommonName: "kube-apiserver",
		DNSNames: []string{
			"kubernetes",
			"kubernetes.default",
			"kubernetes.default.svc",
			"kubernetes.default.svc.cluster.local",
			c.ExternalDNSName,
		},
		IPAddresses: []string{
			c.ControllerIP,
			kubernetesServiceIPAddr.String(),
		},
		Duration: certDuration,
	}
	apiServerCert, err := tlsutil.NewSignedServerCertificate(apiServerConfig, apiServerKey, caCert, caKey)
	if err != nil {
		return nil, err
	}

	workerConfig := tlsutil.ClientCertConfig{
		CommonName: "kube-worker",
		DNSNames: []string{
			"*.*.compute.internal",
			"*.ec2.internal",
		},
		Duration: certDuration,
	}
	workerCert, err := tlsutil.NewSignedClientCertificate(workerConfig, workerKey, caCert, caKey)
	if err != nil {
		return nil, err
	}

	adminConfig := tlsutil.ClientCertConfig{
		CommonName: "kube-admin",
		Duration:   certDuration,
	}
	adminCert, err := tlsutil.NewSignedClientCertificate(adminConfig, adminKey, caCert, caKey)
	if err != nil {
		return nil, err
	}

	return &RawTLSAssets{
		CACert:        tlsutil.EncodeCertificatePEM(caCert),
		APIServerCert: tlsutil.EncodeCertificatePEM(apiServerCert),
		WorkerCert:    tlsutil.EncodeCertificatePEM(workerCert),
		AdminCert:     tlsutil.EncodeCertificatePEM(adminCert),
		CAKey:         tlsutil.EncodePrivateKeyPEM(caKey),
		APIServerKey:  tlsutil.EncodePrivateKeyPEM(apiServerKey),
		WorkerKey:     tlsutil.EncodePrivateKeyPEM(workerKey),
		AdminKey:      tlsutil.EncodePrivateKeyPEM(adminKey),
	}, nil
}