-
Notifications
You must be signed in to change notification settings - Fork 0
/
pki.go
195 lines (181 loc) · 6.86 KB
/
pki.go
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
package pki
import (
"context"
"crypto/rsa"
"crypto/x509"
"fmt"
"net"
"path"
"path/filepath"
"strings"
"github.com/docker/docker/api/types/container"
"github.com/rancher/rke/docker"
"github.com/rancher/rke/hosts"
"github.com/rancher/rke/log"
"github.com/rancher/types/apis/management.cattle.io/v3"
)
type CertificatePKI struct {
Certificate *x509.Certificate `json:"-"`
Key *rsa.PrivateKey `json:"-"`
CSR *x509.CertificateRequest `json:"-"`
CertificatePEM string `json:"certificatePEM"`
KeyPEM string `json:"keyPEM"`
CSRPEM string `json:"-"`
Config string `json:"config"`
Name string `json:"name"`
CommonName string `json:"commonName"`
OUName string `json:"ouName"`
EnvName string `json:"envName"`
Path string `json:"path"`
KeyEnvName string `json:"keyEnvName"`
KeyPath string `json:"keyPath"`
ConfigEnvName string `json:"configEnvName"`
ConfigPath string `json:"configPath"`
}
type GenFunc func(context.Context, map[string]CertificatePKI, v3.RancherKubernetesEngineConfig, string, string, bool) error
type CSRFunc func(context.Context, map[string]CertificatePKI, v3.RancherKubernetesEngineConfig) error
const (
etcdRole = "etcd"
controlRole = "controlplane"
workerRole = "worker"
BundleCertContainer = "rke-bundle-cert"
)
func GenerateRKECerts(ctx context.Context, rkeConfig v3.RancherKubernetesEngineConfig, configPath, configDir string) (map[string]CertificatePKI, error) {
certs := make(map[string]CertificatePKI)
// generate RKE CA certificates
if err := GenerateRKECACerts(ctx, certs, configPath, configDir); err != nil {
return certs, err
}
// Generating certificates for kubernetes components
if err := GenerateRKEServicesCerts(ctx, certs, rkeConfig, configPath, configDir, false, false); err != nil {
return certs, err
}
return certs, nil
}
func GenerateRKENodeCerts(ctx context.Context, rkeConfig v3.RancherKubernetesEngineConfig, nodeAddress string, certBundle map[string]CertificatePKI) map[string]CertificatePKI {
crtMap := make(map[string]CertificatePKI)
crtKeys := []string{}
removeCAKey := true
for _, node := range rkeConfig.Nodes {
if node.Address == nodeAddress {
for _, role := range node.Role {
switch role {
case controlRole:
keys := getControlCertKeys()
crtKeys = append(crtKeys, keys...)
removeCAKey = false
case workerRole:
keys := getWorkerCertKeys()
crtKeys = append(crtKeys, keys...)
case etcdRole:
keys := getEtcdCertKeys(rkeConfig.Nodes, etcdRole)
crtKeys = append(crtKeys, keys...)
}
}
break
}
}
for _, key := range crtKeys {
crtMap[key] = certBundle[key]
}
if removeCAKey {
caCert := crtMap[CACertName]
caCert.Key = nil
caCert.KeyEnvName = ""
caCert.KeyPath = ""
crtMap[CACertName] = caCert
}
return crtMap
}
func RegenerateEtcdCertificate(
ctx context.Context,
crtMap map[string]CertificatePKI,
etcdHost *hosts.Host,
etcdHosts []*hosts.Host,
clusterDomain string,
KubernetesServiceIP net.IP) (map[string]CertificatePKI, error) {
log.Infof(ctx, "[certificates] Regenerating new etcd-%s certificate and key", etcdHost.InternalAddress)
caCrt := crtMap[CACertName].Certificate
caKey := crtMap[CACertName].Key
etcdAltNames := GetAltNames(etcdHosts, clusterDomain, KubernetesServiceIP, []string{})
etcdCrt, etcdKey, err := GenerateSignedCertAndKey(caCrt, caKey, true, EtcdCertName, etcdAltNames, nil, nil)
if err != nil {
return nil, err
}
etcdName := GetEtcdCrtName(etcdHost.InternalAddress)
crtMap[etcdName] = ToCertObject(etcdName, "", "", etcdCrt, etcdKey, nil)
log.Infof(ctx, "[certificates] Successfully generated new etcd-%s certificate and key", etcdHost.InternalAddress)
return crtMap, nil
}
func SaveBackupBundleOnHost(ctx context.Context, host *hosts.Host, alpineSystemImage, etcdSnapshotPath string, prsMap map[string]v3.PrivateRegistry) error {
imageCfg := &container.Config{
Cmd: []string{
"sh",
"-c",
fmt.Sprintf("if [ -d %s ] && [ \"$(ls -A %s)\" ]; then tar czvf %s %s;fi", TempCertPath, TempCertPath, BundleCertPath, TempCertPath),
},
Image: alpineSystemImage,
}
hostCfg := &container.HostConfig{
Binds: []string{
fmt.Sprintf("%s:/etc/kubernetes:z", path.Join(host.PrefixPath, "/etc/kubernetes")),
fmt.Sprintf("%s:/backup:z", etcdSnapshotPath),
},
Privileged: true,
}
if err := docker.DoRunContainer(ctx, host.DClient, imageCfg, hostCfg, BundleCertContainer, host.Address, "certificates", prsMap); err != nil {
return err
}
status, err := docker.WaitForContainer(ctx, host.DClient, host.Address, BundleCertContainer)
if err != nil {
return err
}
if status != 0 {
return fmt.Errorf("Failed to run certificate bundle compress, exit status is: %d", status)
}
log.Infof(ctx, "[certificates] successfully saved certificate bundle [%s/pki.bundle.tar.gz] on host [%s]", etcdSnapshotPath, host.Address)
return docker.RemoveContainer(ctx, host.DClient, host.Address, BundleCertContainer)
}
func ExtractBackupBundleOnHost(ctx context.Context, host *hosts.Host, alpineSystemImage, etcdSnapshotPath string, prsMap map[string]v3.PrivateRegistry) error {
imageCfg := &container.Config{
Cmd: []string{
"sh",
"-c",
fmt.Sprintf(
"mkdir -p %s; tar xzvf %s -C %s --strip-components %d --exclude %s",
TempCertPath,
BundleCertPath,
TempCertPath,
len(strings.Split(filepath.Clean(TempCertPath), "/"))-1,
ClusterStateFile),
},
Image: alpineSystemImage,
}
hostCfg := &container.HostConfig{
Binds: []string{
fmt.Sprintf("%s:/etc/kubernetes:z", path.Join(host.PrefixPath, "/etc/kubernetes")),
fmt.Sprintf("%s:/backup:z", etcdSnapshotPath),
},
Privileged: true,
}
if err := docker.DoRunContainer(ctx, host.DClient, imageCfg, hostCfg, BundleCertContainer, host.Address, "certificates", prsMap); err != nil {
return err
}
status, err := docker.WaitForContainer(ctx, host.DClient, host.Address, BundleCertContainer)
if err != nil {
return err
}
if status != 0 {
containerErrLog, _, err := docker.GetContainerLogsStdoutStderr(ctx, host.DClient, BundleCertContainer, "5", false)
if err != nil {
return err
}
// removing the container in case of an error too
if err := docker.RemoveContainer(ctx, host.DClient, host.Address, BundleCertContainer); err != nil {
return err
}
return fmt.Errorf("Failed to run certificate bundle extract, exit status is: %d, container logs: %s", status, containerErrLog)
}
log.Infof(ctx, "[certificates] successfully extracted certificate bundle on host [%s] to backup path [%s]", host.Address, TempCertPath)
return docker.RemoveContainer(ctx, host.DClient, host.Address, BundleCertContainer)
}