Create separate chains of trust for separate actors #1232

Merged
merged 4 commits into from
Feb 21, 2019
106 changes: 78 additions & 28 deletions pkg/asset/ignition/bootstrap/bootstrap.go
Expand Up @@ -62,23 +62,50 @@ var _ asset.WritableAsset = (*Bootstrap)(nil)
func (a *Bootstrap) Dependencies() []asset.Asset {
return []asset.Asset{
&installconfig.InstallConfig{},
&tls.RootCA{},
&tls.EtcdCA{},
&tls.KubeCA{},
&kubeconfig.Admin{},
&kubeconfig.AdminClient{},
&kubeconfig.Kubelet{},
&kubeconfig.KubeletClient{},
&machines.Master{},
&manifests.Manifests{},
&manifests.Openshift{},
&tls.AggregatorCA{},
&tls.EtcdClientCertKey{},
&tls.AggregatorCABundle{},
&tls.AggregatorClientCertKey{},
&tls.AggregatorSignerCertKey{},
&tls.APIServerCertKey{},
&tls.APIServerProxyCertKey{},
&tls.AdminCertKey{},
&tls.EtcdCA{},
&tls.EtcdCABundle{},
&tls.EtcdClientCertKey{},
&tls.EtcdSignerCertKey{},
&tls.EtcdSignerClientCertKey{},
&tls.JournalCertKey{},
&tls.KubeAPIServerLBCABundle{},
&tls.KubeAPIServerLBServerCertKey{},
&tls.KubeAPIServerLBSignerCertKey{},
&tls.KubeAPIServerLocalhostCABundle{},
&tls.KubeAPIServerLocalhostServerCertKey{},
&tls.KubeAPIServerLocalhostSignerCertKey{},
&tls.KubeAPIServerServiceNetworkCABundle{},
&tls.KubeAPIServerServiceNetworkServerCertKey{},
&tls.KubeAPIServerServiceNetworkSignerCertKey{},
&tls.KubeAPIServerToKubeletCABundle{},
&tls.KubeAPIServerToKubeletClientCertKey{},
&tls.KubeAPIServerToKubeletSignerCertKey{},
&tls.KubeCA{},
&tls.KubeControlPlaneCABundle{},
&tls.KubeControlPlaneKubeControllerManagerClientCertKey{},
&tls.KubeControlPlaneKubeSchedulerClientCertKey{},
&tls.KubeControlPlaneSignerCertKey{},
&tls.KubeletCertKey{},
&tls.KubeletClientCABundle{},
&tls.KubeletClientCertKey{},
&tls.KubeletCSRSignerCertKey{},
&tls.KubeletServingCABundle{},
&tls.MCSCertKey{},
&tls.RootCA{},
&tls.ServiceAccountKeyPair{},
&tls.JournalCertKey{},
&kubeconfig.Admin{},
&kubeconfig.Kubelet{},
&machines.Master{},
&manifests.Manifests{},
&manifests.Openshift{},
}
}

Expand Down Expand Up @@ -333,31 +360,54 @@ func readFile(name string, reader io.Reader, templateData interface{}) (finalNam
}

func (a *Bootstrap) addParentFiles(dependencies asset.Parents) {
mfsts := &manifests.Manifests{}
openshiftManifests := &manifests.Openshift{}
dependencies.Get(mfsts, openshiftManifests)

a.Config.Storage.Files = append(
a.Config.Storage.Files,
ignition.FilesFromAsset(rootDir, "root", 0644, mfsts)...,
)
a.Config.Storage.Files = append(
a.Config.Storage.Files,
ignition.FilesFromAsset(rootDir, "root", 0644, openshiftManifests)...,
)
for _, asset := range []asset.WritableAsset{
&manifests.Manifests{},
&manifests.Openshift{},
&machines.Master{},
} {
dependencies.Get(asset)
a.Config.Storage.Files = append(a.Config.Storage.Files, ignition.FilesFromAsset(rootDir, "root", 0644, asset)...)
}

for _, asset := range []asset.WritableAsset{
&kubeconfig.Admin{},
&kubeconfig.AdminClient{},
&kubeconfig.Kubelet{},
&machines.Master{},
&tls.KubeCA{},
&kubeconfig.KubeletClient{},
&kubeconfig.KubeletClient{},
&tls.AggregatorCA{},
&tls.EtcdCA{},
&tls.EtcdClientCertKey{},
&tls.AggregatorCABundle{},
&tls.AggregatorClientCertKey{},
&tls.AggregatorSignerCertKey{},
&tls.APIServerCertKey{},
&tls.APIServerProxyCertKey{},
&tls.AdminCertKey{},
&tls.EtcdCA{},
&tls.EtcdCABundle{},
&tls.EtcdClientCertKey{},
&tls.EtcdSignerCertKey{},
&tls.EtcdSignerClientCertKey{},
&tls.KubeAPIServerLBCABundle{},
&tls.KubeAPIServerLBServerCertKey{},
&tls.KubeAPIServerLBSignerCertKey{},
&tls.KubeAPIServerLocalhostCABundle{},
&tls.KubeAPIServerLocalhostServerCertKey{},
&tls.KubeAPIServerLocalhostSignerCertKey{},
&tls.KubeAPIServerServiceNetworkCABundle{},
&tls.KubeAPIServerServiceNetworkServerCertKey{},
&tls.KubeAPIServerServiceNetworkSignerCertKey{},
&tls.KubeAPIServerToKubeletCABundle{},
&tls.KubeAPIServerToKubeletClientCertKey{},
&tls.KubeAPIServerToKubeletSignerCertKey{},
&tls.KubeCA{},
&tls.KubeControlPlaneCABundle{},
&tls.KubeControlPlaneKubeControllerManagerClientCertKey{},
&tls.KubeControlPlaneKubeSchedulerClientCertKey{},
&tls.KubeControlPlaneSignerCertKey{},
&tls.KubeletCertKey{},
&tls.KubeletClientCABundle{},
&tls.KubeletClientCertKey{},
&tls.KubeletCSRSignerCertKey{},
&tls.KubeletServingCABundle{},
&tls.MCSCertKey{},
&tls.ServiceAccountKeyPair{},
} {
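Review bot: `&kubeconfig.KubeletClient{}` is listed twice in the addParentFiles asset slice (two adjacent identical lines right after `&kubeconfig.Kubelet{}`). KubeletClient is introduced by this PR, so both copies are on the new side unless the page rendering duplicated the line; as written the loop would call dependencies.Get and, presumably via the same append as the first loop, ignition.FilesFromAsset twice for the same asset, leaving two Storage.Files entries for the same kubeconfig path. Drop one of the two lines so the list matches Dependencies above, which names KubeletClient once. The body of this for loop continues past the end of the hunk.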
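--- a/pkg/asset/kubeconfig/admin.go
+++ b/pkg/asset/kubeconfig/admin.go
@@ -9,10 +9,12 @@ import (
 )
 
 var (
-kubeconfigAdminPath = filepath.Join("auth", "kubeconfig")
+kubeconfigAdminPath = filepath.Join("auth", "kubeconfig")
+kubeconfigAdminClientPath = filepath.Join("auth", "kubeconfig-admin")
 )
 
 // Admin is the asset for the admin kubeconfig.
+// [DEPRECATED]
 type Admin struct {
 kubeconfig
 }
@@ -53,3 +55,45 @@ func (k *Admin) Name() string {
 func (k *Admin) Load(f asset.FileFetcher) (found bool, err error) {
 return k.load(f, kubeconfigAdminPath)
 }
+
+// AdminClient is the asset for the admin kubeconfig.
+type AdminClient struct {
+kubeconfig
+}
+
+var _ asset.WritableAsset = (*AdminClient)(nil)
+
+// Dependencies returns the dependency of the kubeconfig.
+func (k *AdminClient) Dependencies() []asset.Asset {
+return []asset.Asset{
+&tls.AdminKubeConfigClientCertKey{},
+&tls.AdminKubeConfigCABundle{},
+&installconfig.InstallConfig{},
+}
+}
+
+// Generate generates the kubeconfig.
+func (k *AdminClient) Generate(parents asset.Parents) error {
+ca := &tls.AdminKubeConfigCABundle{}
+clientCertKey := &tls.AdminKubeConfigClientCertKey{}
+installConfig := &installconfig.InstallConfig{}
+parents.Get(ca, clientCertKey, installConfig)
+
+return k.kubeconfig.generate(
+ca,
+clientCertKey,
+installConfig.Config,
+"admin",
+kubeconfigAdminClientPath,
+)
+}
+
+// Name returns the human-friendly name of the asset.
+func (k *AdminClient) Name() string {
+return "Kubeconfig Admin Client"
+}
+
+// Load returns the kubeconfig from disk.
+func (k *AdminClient) Load(f asset.FileFetcher) (found bool, err error) {
+return k.load(f, kubeconfigAdminClientPath)
+}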
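Review bot: The `// [DEPRECATED]` line added above `type Admin struct` is not the form Go tooling recognises; write it as `// Deprecated: use AdminClient instead.` on its own line of the doc comment so godoc and staticcheck surface it to callers. The new `// AdminClient is the asset for the admin kubeconfig.` repeats Admin's comment word for word and does not say how the two assets differ; suggest `// AdminClient is the admin kubeconfig whose client certificate comes from tls.AdminKubeConfigClientCertKey and whose trust anchor is tls.AdminKubeConfigCABundle; it supersedes Admin.` The same two points apply to Kubelet and KubeletClient in pkg/asset/kubeconfig/kubelet.go.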
8 changes: 4 additions & 4 deletions pkg/asset/kubeconfig/kubeconfig.go
Expand Up @@ -20,7 +20,7 @@ type kubeconfig struct {

// generate generates the kubeconfig.
func (k *kubeconfig) generate(
rootCA tls.CertKeyInterface,
ca tls.CertInterface,
clientCertKey tls.CertKeyInterface,
installConfig *types.InstallConfig,
userName string,
Expand All @@ -32,16 +32,16 @@ func (k *kubeconfig) generate(
Name: installConfig.ObjectMeta.Name,
Cluster: clientcmd.Cluster{
Server: fmt.Sprintf("https://api.%s:6443", installConfig.ClusterDomain()),
CertificateAuthorityData: []byte(rootCA.Cert()),
CertificateAuthorityData: ca.Cert(),
},
},
},
AuthInfos: []clientcmd.NamedAuthInfo{
{
Name: userName,
AuthInfo: clientcmd.AuthInfo{
ClientCertificateData: []byte(clientCertKey.Cert()),
ClientKeyData: []byte(clientCertKey.Key()),
ClientCertificateData: clientCertKey.Cert(),
ClientKeyData: clientCertKey.Key(),
},
},
},
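Review bot: The doc comment on generate is still the one-liner `// generate generates the kubeconfig.`, while the signature change in the first hunk (ca is now a tls.CertInterface rather than a tls.CertKeyInterface) is the point worth recording: the cluster entry embeds only ca.Cert() as CertificateAuthorityData, so no CA private key is needed or reachable from this function, and the only private key written into the file is clientCertKey's. Suggest `// generate builds a kubeconfig for userName that trusts ca's certificate (the CA key is never needed here) and authenticates with clientCertKey's certificate and private key.` generate's body continues past the end of both hunks.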
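--- a/pkg/asset/kubeconfig/kubelet.go
+++ b/pkg/asset/kubeconfig/kubelet.go
@@ -9,10 +9,12 @@ import (
 )
 
 var (
-kubeconfigKubeletPath = filepath.Join("auth", "kubeconfig-kubelet")
+kubeconfigKubeletPath = filepath.Join("auth", "kubeconfig-kubelet")
+kubeconfigKubeletClientPath = filepath.Join("auth", "kubeconfig-kubelet-client")
 )
 
 // Kubelet is the asset for the kubelet kubeconfig.
+// [DEPRECATED]
 type Kubelet struct {
 kubeconfig
 }
@@ -53,3 +55,45 @@ func (k *Kubelet) Name() string {
 func (k *Kubelet) Load(asset.FileFetcher) (bool, error) {
 return false, nil
 }
+
+// KubeletClient is the asset for the kubelet kubeconfig.
+type KubeletClient struct {
+kubeconfig
+}
+
+var _ asset.WritableAsset = (*KubeletClient)(nil)
+
+// Dependencies returns the dependency of the kubeconfig.
+func (k *KubeletClient) Dependencies() []asset.Asset {
+return []asset.Asset{
+&tls.KubeletClientCABundle{},
+&tls.KubeletClientCertKey{},
+&installconfig.InstallConfig{},
+}
+}
+
+// Generate generates the kubeconfig.
+func (k *KubeletClient) Generate(parents asset.Parents) error {
+ca := &tls.KubeletClientCABundle{}
+clientcertkey := &tls.KubeletClientCertKey{}
+installConfig := &installconfig.InstallConfig{}
+parents.Get(ca, clientcertkey, installConfig)
+
+return k.kubeconfig.generate(
+ca,
+clientcertkey,
+installConfig.Config,
+"kubelet",
+kubeconfigKubeletClientPath,
+)
+}
+
+// Name returns the human-friendly name of the asset.
+func (k *KubeletClient) Name() string {
+return "Kubeconfig Kubelet Client"
+}
+
+// Load is a no-op because kubelet kubeconfig is not written to disk.
+func (k *KubeletClient) Load(asset.FileFetcher) (bool, error) {
+return false, nil
+}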
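Review bot: The local `clientcertkey` in KubeletClient.Generate drops Go's MixedCaps convention and differs from the `clientCertKey` spelling used by the sibling AdminClient.Generate in admin.go. Rename it on the three lines where it appears: `clientCertKey := &tls.KubeletClientCertKey{}`, `parents.Get(ca, clientCertKey, installConfig)`, and `clientCertKey,` in the generate call. Both files call kubeconfig.generate with the same argument order, and matching names keep that parallel visible to the next reader.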
7 changes: 0 additions & 7 deletions pkg/asset/manifests/operators.go
Expand Up @@ -60,11 +60,8 @@ func (m *Manifests) Dependencies() []asset.Asset {
&Networking{},
&tls.RootCA{},
&tls.EtcdCA{},
&tls.IngressCertKey{},
&tls.KubeCA{},
&tls.EtcdClientCertKey{},
&tls.MCSCertKey{},
&tls.KubeletCertKey{},

&bootkube.KubeCloudConfig{},
&bootkube.MachineConfigServerTLSSecret{},
Expand Down Expand Up @@ -126,7 +123,6 @@ func (m *Manifests) generateBootKubeManifests(dependencies asset.Parents) []*ass
clusterID := &installconfig.ClusterID{}
installConfig := &installconfig.InstallConfig{}
etcdCA := &tls.EtcdCA{}
kubeCA := &tls.KubeCA{}
mcsCertKey := &tls.MCSCertKey{}
etcdClientCertKey := &tls.EtcdClientCertKey{}
rootCA := &tls.RootCA{}
Expand All @@ -135,7 +131,6 @@ func (m *Manifests) generateBootKubeManifests(dependencies asset.Parents) []*ass
installConfig,
etcdCA,
etcdClientCertKey,
kubeCA,
mcsCertKey,
rootCA,
)
Expand All @@ -150,8 +145,6 @@ func (m *Manifests) generateBootKubeManifests(dependencies asset.Parents) []*ass
EtcdCaCert: string(etcdCA.Cert()),
EtcdClientCert: base64.StdEncoding.EncodeToString(etcdClientCertKey.Cert()),
EtcdClientKey: base64.StdEncoding.EncodeToString(etcdClientCertKey.Key()),
KubeCaCert: base64.StdEncoding.EncodeToString(kubeCA.Cert()),
KubeCaKey: base64.StdEncoding.EncodeToString(kubeCA.Key()),
McsTLSCert: base64.StdEncoding.EncodeToString(mcsCertKey.Cert()),
McsTLSKey: base64.StdEncoding.EncodeToString(mcsCertKey.Key()),
PullSecretBase64: base64.StdEncoding.EncodeToString([]byte(installConfig.Config.PullSecret)),
2 changes: 0 additions & 2 deletions pkg/asset/manifests/template.go
Expand Up @@ -21,8 +21,6 @@ type bootkubeTemplateData struct {
EtcdCaCert string
EtcdClientCert string
EtcdClientKey string
KubeCaCert string
KubeCaKey string
McsTLSCert string
McsTLSKey string
PullSecretBase64 string
44 changes: 0 additions & 44 deletions pkg/asset/tls/admincertkey.go

This file was deleted.
