func CreateCertsAndConfigForClients(cfg kubeadmapi.API, clientNames []string, caKey *rsa.PrivateKey, caCert *x509.Certificate) (map[string]*clientcmdapi.Config, error) { basicClientConfig := kubeadmutil.CreateBasicClientConfig( "kubernetes", // TODO this is not great, but there is only one address we can use here // so we'll pick the first one, there is much of chance to have an empty // slice by the time this gets called fmt.Sprintf("https://%s:%d", cfg.AdvertiseAddresses[0], cfg.BindPort), certutil.EncodeCertPEM(caCert), ) configs := map[string]*clientcmdapi.Config{} for _, client := range clientNames { key, cert, err := newClientKeyAndCert(caCert, caKey) if err != nil { return nil, fmt.Errorf("failure while creating %s client certificate - [%v]", client, err) } config := kubeadmutil.MakeClientConfigWithCerts( basicClientConfig, "kubernetes", client, certutil.EncodePrivateKeyPEM(key), certutil.EncodeCertPEM(cert), ) configs[client] = config } return configs, nil }
func writeKeysAndCert(pkiPath string, name string, key *rsa.PrivateKey, cert *x509.Certificate) error { var ( publicKeyPath = path.Join(pkiPath, fmt.Sprintf("%s-pub.pem", name)) privateKeyPath = path.Join(pkiPath, fmt.Sprintf("%s-key.pem", name)) certificatePath = path.Join(pkiPath, fmt.Sprintf("%s.pem", name)) ) if key != nil { if err := certutil.WriteKey(privateKeyPath, certutil.EncodePrivateKeyPEM(key)); err != nil { return fmt.Errorf("unable to write private key file (%q) [%v]", privateKeyPath, err) } if pubKey, err := certutil.EncodePublicKeyPEM(&key.PublicKey); err == nil { if err := certutil.WriteKey(publicKeyPath, pubKey); err != nil { return fmt.Errorf("unable to write public key file (%q) [%v]", publicKeyPath, err) } } else { return fmt.Errorf("unable to encode public key to PEM [%v]", err) } } if cert != nil { if err := certutil.WriteCert(certificatePath, certutil.EncodeCertPEM(cert)); err != nil { return fmt.Errorf("unable to write certificate file (%q) [%v]", certificatePath, err) } } return nil }
func createControllerManagerKubeconfigSecret(clientset *client.Clientset, namespace, name, svcName, kubeconfigName string, entKeyPairs *entityKeyPairs, dryRun bool) (*api.Secret, error) { config := kubeadmkubeconfigphase.MakeClientConfigWithCerts( fmt.Sprintf("https://%s", svcName), name, "federation-controller-manager", certutil.EncodeCertPEM(entKeyPairs.ca.Cert), certutil.EncodePrivateKeyPEM(entKeyPairs.controllerManager.Key), certutil.EncodeCertPEM(entKeyPairs.controllerManager.Cert), ) return util.CreateKubeconfigSecret(clientset, config, namespace, kubeconfigName, dryRun) }
func createAPIServerCredentialsSecret(clientset *client.Clientset, namespace, credentialsName string, entKeyPairs *entityKeyPairs) (*api.Secret, error) { // Build the secret object with API server credentials. secret := &api.Secret{ ObjectMeta: api.ObjectMeta{ Name: credentialsName, Namespace: namespace, }, Data: map[string][]byte{ "ca.crt": certutil.EncodeCertPEM(entKeyPairs.ca.Cert), "server.crt": certutil.EncodeCertPEM(entKeyPairs.server.Cert), "server.key": certutil.EncodePrivateKeyPEM(entKeyPairs.server.Key), }, } // Boilerplate to create the secret in the host cluster. return clientset.Core().Secrets(namespace).Create(secret) }
func createKubeConfigFileForClient(masterEndpoint, kubeConfigFilePath string, config *certutil.Config, caCert *x509.Certificate, caKey *rsa.PrivateKey) error { key, cert, err := certphase.NewClientKeyAndCert(config, caCert, caKey) if err != nil { return fmt.Errorf("failure while creating %s client certificate [%v]", config.CommonName, err) } kubeConfig := MakeClientConfigWithCerts( masterEndpoint, "kubernetes", config.CommonName, certutil.EncodeCertPEM(caCert), certutil.EncodePrivateKeyPEM(key), certutil.EncodeCertPEM(cert), ) // Write it now to a file return WriteKubeconfigToDisk(kubeConfigFilePath, kubeConfig) }
func updateKubeconfig(config util.AdminConfig, name, endpoint string, entKeyPairs *entityKeyPairs, dryRun bool) error { po := config.PathOptions() kubeconfig, err := po.GetStartingConfig() if err != nil { return err } // Populate API server endpoint info. cluster := clientcmdapi.NewCluster() // Prefix "https" as the URL scheme to endpoint. if !strings.HasPrefix(endpoint, "https://") { endpoint = fmt.Sprintf("https://%s", endpoint) } cluster.Server = endpoint cluster.CertificateAuthorityData = certutil.EncodeCertPEM(entKeyPairs.ca.Cert) // Populate credentials. authInfo := clientcmdapi.NewAuthInfo() authInfo.ClientCertificateData = certutil.EncodeCertPEM(entKeyPairs.admin.Cert) authInfo.ClientKeyData = certutil.EncodePrivateKeyPEM(entKeyPairs.admin.Key) authInfo.Username = AdminCN // Populate context. context := clientcmdapi.NewContext() context.Cluster = name context.AuthInfo = name // Update the config struct with API server endpoint info, // credentials and context. kubeconfig.Clusters[name] = cluster kubeconfig.AuthInfos[name] = authInfo kubeconfig.Contexts[name] = context if !dryRun { // Write the update kubeconfig. if err := clientcmd.ModifyConfig(po, *kubeconfig, true); err != nil { return err } } return nil }