Merge pull request #141 from neolit123/decouple-from-k-k

decouple etcdadm from kubernetes/kubernetes
kubernetes-retired · Dec 6, 2019 · 6de9b34 · 6de9b34
2 parents 9a08cc2 + b4939f4
commit 6de9b34
Show file tree

Hide file tree

Showing 6 changed files with 285 additions and 57 deletions.
diff --git a/apis/config.go b/apis/config.go
@@ -298,7 +298,7 @@ func DefaultAdvertiseClientURLs(cfg *EtcdAdmConfig) error {
 
 // Returns the address associated with the host's default interface.
 func defaultExternalAddress() (net.IP, error) {
-	ip, err := netutil.ChooseBindAddress(net.ParseIP("0.0.0.0"))
+	ip, err := netutil.ResolveBindAddress(net.ParseIP("0.0.0.0"))
 	if err != nil {
 		return nil, fmt.Errorf("failed to find a default external address: %s", err)
 	}

diff --git a/certs/pkiutil/pki_helpers.go b/certs/pkiutil/pki_helpers.go
@@ -22,23 +22,44 @@ modified to work independently of kubeadm internals like the configuration.
 package pkiutil
 
 import (
+	"crypto"
+	cryptorand "crypto/rand"
 	"crypto/rsa"
 	"crypto/x509"
+	"crypto/x509/pkix"
+	"encoding/pem"
 	"fmt"
 	"net"
 	"os"
 	"path/filepath"
 	"time"
 
+	"github.com/pkg/errors"
 	"k8s.io/apimachinery/pkg/util/validation"
 	certutil "k8s.io/client-go/util/cert"
+	"k8s.io/client-go/util/keyutil"
+	"math"
+	"math/big"
 	"sigs.k8s.io/etcdadm/apis"
 	"sigs.k8s.io/etcdadm/constants"
 )
 
+const (
+	// PrivateKeyBlockType is a possible value for pem.Block.Type.
+	PrivateKeyBlockType = "PRIVATE KEY"
+	// PublicKeyBlockType is a possible value for pem.Block.Type.
+	PublicKeyBlockType = "PUBLIC KEY"
+	// CertificateBlockType is a possible value for pem.Block.Type.
+	CertificateBlockType = "CERTIFICATE"
+	// RSAPrivateKeyBlockType is a possible value for pem.Block.Type.
+	RSAPrivateKeyBlockType = "RSA PRIVATE KEY"
+	rsaKeySize             = 2048
+	certificateValidity    = time.Hour * 24 * 365
+)
+
 // NewCertificateAuthority creates new certificate and private key for the certificate authority
 func NewCertificateAuthority() (*x509.Certificate, *rsa.PrivateKey, error) {
-	key, err := certutil.NewPrivateKey()
+	key, err := NewPrivateKey()
 	if err != nil {
 		return nil, nil, fmt.Errorf("unable to create private key [%v]", err)
 	}
@@ -56,12 +77,12 @@ func NewCertificateAuthority() (*x509.Certificate, *rsa.PrivateKey, error) {
 
 // NewCertAndKey creates new certificate and key by passing the certificate authority certificate and key
 func NewCertAndKey(caCert *x509.Certificate, caKey *rsa.PrivateKey, config certutil.Config) (*x509.Certificate, *rsa.PrivateKey, error) {
-	key, err := certutil.NewPrivateKey()
+	key, err := NewPrivateKey()
 	if err != nil {
 		return nil, nil, fmt.Errorf("unable to create private key [%v]", err)
 	}
 
-	cert, err := certutil.NewSignedCert(config, key, caCert, caKey)
+	cert, err := NewSignedCert(&config, key, caCert, caKey)
 	if err != nil {
 		return nil, nil, fmt.Errorf("unable to sign certificate [%v]", err)
 	}
@@ -95,7 +116,7 @@ func WriteCert(pkiPath, name string, cert *x509.Certificate) error {
 	}
 
 	certificatePath := pathForCert(pkiPath, name)
-	if err := certutil.WriteCert(certificatePath, certutil.EncodeCertPEM(cert)); err != nil {
+	if err := certutil.WriteCert(certificatePath, EncodeCertPEM(cert)); err != nil {
 		return fmt.Errorf("unable to write certificate to file %q: [%v]", certificatePath, err)
 	}
 
@@ -109,7 +130,7 @@ func WriteKey(pkiPath, name string, key *rsa.PrivateKey) error {
 	}
 
 	privateKeyPath := pathForKey(pkiPath, name)
-	if err := certutil.WriteKey(privateKeyPath, certutil.EncodePrivateKeyPEM(key)); err != nil {
+	if err := keyutil.WriteKey(privateKeyPath, EncodePrivateKeyPEM(key)); err != nil {
 		return fmt.Errorf("unable to write private key to file %q: [%v]", privateKeyPath, err)
 	}
 
@@ -122,12 +143,12 @@ func WritePublicKey(pkiPath, name string, key *rsa.PublicKey) error {
 		return fmt.Errorf("public key cannot be nil when writing to file")
 	}
 
-	publicKeyBytes, err := certutil.EncodePublicKeyPEM(key)
+	publicKeyBytes, err := EncodePublicKeyPEM(key)
 	if err != nil {
 		return err
 	}
 	publicKeyPath := pathForPublicKey(pkiPath, name)
-	if err := certutil.WriteKey(publicKeyPath, publicKeyBytes); err != nil {
+	if err := keyutil.WriteKey(publicKeyPath, publicKeyBytes); err != nil {
 		return fmt.Errorf("unable to write public key to file %q: [%v]", publicKeyPath, err)
 	}
 
@@ -194,7 +215,7 @@ func TryLoadKeyFromDisk(pkiPath, name string) (*rsa.PrivateKey, error) {
 	privateKeyPath := pathForKey(pkiPath, name)
 
 	// Parse the private key from a file
-	privKey, err := certutil.PrivateKeyFromFile(privateKeyPath)
+	privKey, err := keyutil.PrivateKeyFromFile(privateKeyPath)
 	if err != nil {
 		return nil, fmt.Errorf("couldn't load the private key file %s: %v", privateKeyPath, err)
 	}
@@ -216,15 +237,15 @@ func TryLoadPrivatePublicKeyFromDisk(pkiPath, name string) (*rsa.PrivateKey, *rs
 	privateKeyPath := pathForKey(pkiPath, name)
 
 	// Parse the private key from a file
-	privKey, err := certutil.PrivateKeyFromFile(privateKeyPath)
+	privKey, err := keyutil.PrivateKeyFromFile(privateKeyPath)
 	if err != nil {
 		return nil, nil, fmt.Errorf("couldn't load the private key file %s: %v", privateKeyPath, err)
 	}
 
 	publicKeyPath := pathForPublicKey(pkiPath, name)
 
 	// Parse the public key from a file
-	pubKeys, err := certutil.PublicKeysFromFile(publicKeyPath)
+	pubKeys, err := keyutil.PublicKeysFromFile(publicKeyPath)
 	if err != nil {
 		return nil, nil, fmt.Errorf("couldn't load the public key file %s: %v", publicKeyPath, err)
 	}
@@ -296,3 +317,72 @@ func appendSANsToAltNames(altNames *certutil.AltNames, SANs []string, certName s
 		}
 	}
 }
+
+// NewPrivateKey creates an RSA private key
+func NewPrivateKey() (*rsa.PrivateKey, error) {
+	return rsa.GenerateKey(cryptorand.Reader, rsaKeySize)
+}
+
+// NewSignedCert creates a signed certificate using the given CA certificate and key
+func NewSignedCert(cfg *certutil.Config, key crypto.Signer, caCert *x509.Certificate, caKey crypto.Signer) (*x509.Certificate, error) {
+	serial, err := cryptorand.Int(cryptorand.Reader, new(big.Int).SetInt64(math.MaxInt64))
+	if err != nil {
+		return nil, err
+	}
+	if len(cfg.CommonName) == 0 {
+		return nil, errors.New("must specify a CommonName")
+	}
+	if len(cfg.Usages) == 0 {
+		return nil, errors.New("must specify at least one ExtKeyUsage")
+	}
+
+	certTmpl := x509.Certificate{
+		Subject: pkix.Name{
+			CommonName:   cfg.CommonName,
+			Organization: cfg.Organization,
+		},
+		DNSNames:     cfg.AltNames.DNSNames,
+		IPAddresses:  cfg.AltNames.IPs,
+		SerialNumber: serial,
+		NotBefore:    caCert.NotBefore,
+		NotAfter:     time.Now().Add(certificateValidity).UTC(),
+		KeyUsage:     x509.KeyUsageKeyEncipherment | x509.KeyUsageDigitalSignature,
+		ExtKeyUsage:  cfg.Usages,
+	}
+	certDERBytes, err := x509.CreateCertificate(cryptorand.Reader, &certTmpl, caCert, key.Public(), caKey)
+	if err != nil {
+		return nil, err
+	}
+	return x509.ParseCertificate(certDERBytes)
+}
+
+// EncodeCertPEM returns PEM-endcoded certificate data
+func EncodeCertPEM(cert *x509.Certificate) []byte {
+	block := pem.Block{
+		Type:  CertificateBlockType,
+		Bytes: cert.Raw,
+	}
+	return pem.EncodeToMemory(&block)
+}
+
+// EncodePublicKeyPEM returns PEM-encoded public data
+func EncodePublicKeyPEM(key crypto.PublicKey) ([]byte, error) {
+	der, err := x509.MarshalPKIXPublicKey(key)
+	if err != nil {
+		return []byte{}, err
+	}
+	block := pem.Block{
+		Type:  PublicKeyBlockType,
+		Bytes: der,
+	}
+	return pem.EncodeToMemory(&block), nil
+}
+
+// EncodePrivateKeyPEM returns PEM-encoded private key data
+func EncodePrivateKeyPEM(key *rsa.PrivateKey) []byte {
+	block := pem.Block{
+		Type:  RSAPrivateKeyBlockType, // "RSA PRIVATE KEY"
+		Bytes: x509.MarshalPKCS1PrivateKey(key),
+	}
+	return pem.EncodeToMemory(&block)
+}
diff --git a/cmd/version.go b/cmd/version.go
@@ -26,7 +26,7 @@ import (
 	"github.com/spf13/cobra"
 
 	apimachineryversion "k8s.io/apimachinery/pkg/version"
-	"k8s.io/kubernetes/pkg/version"
+	"k8s.io/component-base/version"
 )
 
 // Version TODO: add description

diff --git a/go.mod b/go.mod
@@ -3,46 +3,30 @@ module sigs.k8s.io/etcdadm
 go 1.12
 
 require (
-	github.com/beorn7/perks v0.0.0-20180321164747-3a771d992973 // indirect
 	github.com/coreos/bbolt v1.3.1-coreos.6 // indirect
 	github.com/coreos/etcd v3.3.13+incompatible
 	github.com/coreos/go-semver v0.2.0 // indirect
 	github.com/coreos/go-systemd v0.0.0-20180511133405-39ca1b05acc7 // indirect
 	github.com/coreos/pkg v0.0.0-20180108230652-97fdf19511ea // indirect
-	github.com/dgrijalva/jwt-go v3.2.0+incompatible // indirect
 	github.com/ghodss/yaml v1.0.0
-	github.com/gogo/protobuf v1.0.0 // indirect
 	github.com/golang/groupcache v0.0.0-20190129154638-5b532d6fd5ef // indirect
-	github.com/google/btree v0.0.0-20180124185431-e89373fe6b4a // indirect
 	github.com/gorilla/websocket v1.4.0 // indirect
 	github.com/grpc-ecosystem/go-grpc-middleware v1.0.0 // indirect
 	github.com/grpc-ecosystem/go-grpc-prometheus v1.2.0 // indirect
 	github.com/grpc-ecosystem/grpc-gateway v1.8.6 // indirect
 	github.com/inconshreveable/mousetrap v1.0.0 // indirect
 	github.com/jonboulle/clockwork v0.1.0 // indirect
-	github.com/json-iterator/go v1.1.6 // indirect
-	github.com/konsorten/go-windows-terminal-sequences v1.0.1 // indirect
-	github.com/matttproud/golang_protobuf_extensions v1.0.1 // indirect
-	github.com/modern-go/concurrent v0.0.0-20180306012644-bacd9c7ef1dd // indirect
-	github.com/modern-go/reflect2 v1.0.1 // indirect
-	github.com/pkg/errors v0.8.1 // indirect
-	github.com/prometheus/client_golang v0.8.0 // indirect
-	github.com/prometheus/client_model v0.0.0-20190129233127-fd36f4220a90 // indirect
-	github.com/prometheus/common v0.0.0-20180801064454-c7de2306084e // indirect
-	github.com/prometheus/procfs v0.0.0-20180725123919-05ee40e3a273 // indirect
+	github.com/pkg/errors v0.8.1
 	github.com/satori/go.uuid v1.2.0
-	github.com/sirupsen/logrus v1.1.1
+	github.com/sirupsen/logrus v1.2.0
 	github.com/soheilhy/cmux v0.1.4 // indirect
 	github.com/spf13/cobra v0.0.3
-	github.com/spf13/pflag v1.0.1 // indirect
 	github.com/tmc/grpc-websocket-proxy v0.0.0-20190109142713-0ad062ec5ee5 // indirect
 	github.com/xiang90/probing v0.0.0-20160813154853-07dd2e8dfe18 // indirect
 	go.uber.org/atomic v1.3.2 // indirect
 	go.uber.org/multierr v1.1.0 // indirect
 	go.uber.org/zap v1.9.0 // indirect
-	golang.org/x/time v0.0.0-20180412165947-fbb02b2291d2 // indirect
-	gopkg.in/yaml.v2 v2.2.1 // indirect
-	k8s.io/apimachinery v0.0.0-20180510142256-21efb2924c7c
-	k8s.io/client-go v0.0.0-20180515144434-1692bdde78a6
-	k8s.io/kubernetes v1.11.1
+	k8s.io/apimachinery v0.0.0-20191128180518-03184f823e28
+	k8s.io/client-go v0.0.0-20191204082519-e9644b2e3edc
+	k8s.io/component-base v0.0.0-20191204083906-3ac1376c73aa
 )