// initTLSClient creates a fresh private key, has the CA identified by
// caCert/caKey sign a client certificate for it according to cfg, and
// persists the pair through writeKey (to keyPath) and writeCert (to certPath).
//
// The key file is written before the certificate file; if the certificate
// write fails, the already-written key is not removed here. Errors from
// tlsutil and from the write helpers are returned unchanged.
func initTLSClient(cfg tlsutil.ClientCertConfig, caCert *x509.Certificate, caKey *rsa.PrivateKey, keyPath, certPath string) error {
	clientKey, err := tlsutil.NewPrivateKey()
	if err != nil {
		return err
	}

	clientCert, err := tlsutil.NewSignedClientCertificate(cfg, clientKey, caCert, caKey)
	if err != nil {
		return err
	}

	// Private key first, then the certificate that matches it.
	if err = writeKey(keyPath, clientKey); err != nil {
		return err
	}
	return writeCert(certPath, clientCert)
}
// generateTLSClientWorker mints a new worker private key, obtains a client
// certificate for it signed by caCert/caKey according to cfg, and hands the
// results to tlsutil.WritePrivateKeyPEMBlock (tc.WorkerKey) and
// tlsutil.WriteCertificatePEMBlock (tc.WorkerCert). The type of those two
// fields is not visible here; they are whatever the tlsutil PEM writers accept.
//
// The key is emitted before the certificate. Any error from key generation,
// signing or writing is returned as-is.
func (tc *TLSConfig) generateTLSClientWorker(cfg tlsutil.ClientCertConfig, caCert *x509.Certificate, caKey *rsa.PrivateKey) error {
	workerKey, err := tlsutil.NewPrivateKey()
	if err != nil {
		return err
	}

	workerCert, err := tlsutil.NewSignedClientCertificate(cfg, workerKey, caCert, caKey)
	if err != nil {
		return err
	}

	if err = tlsutil.WritePrivateKeyPEMBlock(tc.WorkerKey, workerKey); err != nil {
		return err
	}
	return tlsutil.WriteCertificatePEMBlock(tc.WorkerCert, workerCert)
}
// NewTLSAssets generates the complete set of PEM-encoded TLS material for the
// cluster: a self-signed CA plus API-server, worker and admin certificates
// signed by it, each with its own freshly generated RSA private key.
//
// Lifetimes are taken from c.TLSCADurationDays (CA) and c.TLSCertDurationDays
// (all leaf certificates), converted from days. The API-server certificate
// carries the in-cluster kubernetes service names, c.ExternalDNSName,
// c.ControllerIP and the address incrementIP derives from the c.ServiceCIDR
// network (incrementIP is defined elsewhere in this file). Exactly one
// "kube-worker" client certificate is produced, with wildcard DNS SANs, so
// presumably every worker provisioned from these assets presents the same
// client identity.
//
// The returned RawTLSAssets holds private keys — including the CA key — and
// must be handled as secret material by the caller. An unparsable ServiceCIDR
// is reported as a wrapped error; every other failure is returned from tlsutil
// unchanged.
func (c *Cluster) NewTLSAssets() (*RawTLSAssets, error) {
	const day = 24 * time.Hour
	caLifetime := time.Duration(c.TLSCADurationDays) * day
	leafLifetime := time.Duration(c.TLSCertDurationDays) * day

	// A dedicated key per component, generated in this order: CA, API server,
	// worker, admin.
	var caKey, apiServerKey, workerKey, adminKey *rsa.PrivateKey
	for _, slot := range []**rsa.PrivateKey{&caKey, &apiServerKey, &workerKey, &adminKey} {
		k, err := tlsutil.NewPrivateKey()
		if err != nil {
			return nil, err
		}
		*slot = k
	}

	caCert, err := tlsutil.NewSelfSignedCACertificate(tlsutil.CACertConfig{
		CommonName:   "kube-ca",
		Organization: "kube-aws",
		Duration:     caLifetime,
	}, caKey)
	if err != nil {
		return nil, err
	}

	// The kubernetes service address is derived from the service network, and
	// the API server must be valid for it.
	_, serviceNet, err := net.ParseCIDR(c.ServiceCIDR)
	if err != nil {
		return nil, fmt.Errorf("invalid serviceCIDR: %v", err)
	}
	kubernetesServiceIP := incrementIP(serviceNet.IP)

	apiServerCert, err := tlsutil.NewSignedServerCertificate(tlsutil.ServerCertConfig{
		CommonName: "kube-apiserver",
		DNSNames: []string{
			"kubernetes",
			"kubernetes.default",
			"kubernetes.default.svc",
			"kubernetes.default.svc.cluster.local",
			c.ExternalDNSName,
		},
		IPAddresses: []string{c.ControllerIP, kubernetesServiceIP.String()},
		Duration:    leafLifetime,
	}, apiServerKey, caCert, caKey)
	if err != nil {
		return nil, err
	}

	// One worker client identity with wildcard SANs rather than a per-node cert.
	workerCert, err := tlsutil.NewSignedClientCertificate(tlsutil.ClientCertConfig{
		CommonName: "kube-worker",
		DNSNames:   []string{"*.*.compute.internal", "*.ec2.internal"},
		Duration:   leafLifetime,
	}, workerKey, caCert, caKey)
	if err != nil {
		return nil, err
	}

	adminCert, err := tlsutil.NewSignedClientCertificate(tlsutil.ClientCertConfig{
		CommonName: "kube-admin",
		Duration:   leafLifetime,
	}, adminKey, caCert, caKey)
	if err != nil {
		return nil, err
	}

	// Everything is handed back PEM-encoded; keys are unencrypted.
	assets := &RawTLSAssets{
		CACert:        tlsutil.EncodeCertificatePEM(caCert),
		CAKey:         tlsutil.EncodePrivateKeyPEM(caKey),
		APIServerCert: tlsutil.EncodeCertificatePEM(apiServerCert),
		APIServerKey:  tlsutil.EncodePrivateKeyPEM(apiServerKey),
		WorkerCert:    tlsutil.EncodeCertificatePEM(workerCert),
		WorkerKey:     tlsutil.EncodePrivateKeyPEM(workerKey),
		AdminCert:     tlsutil.EncodeCertificatePEM(adminCert),
		AdminKey:      tlsutil.EncodePrivateKeyPEM(adminKey),
	}
	return assets, nil
}