adds tls certificate to tls config #681
Conversation
|
/retest |
|
Can we use https://github.com/kubernetes/client-go/blob/master/util/cert/cert.go#L63? It seems that we only need |
Yes, if/when we want to generate a "self signed" Certificate Authority (CA) certificate to use when creating our self signed user certificate, thus creating the CA chain I mentioned over chat, we could use this code, or something close to it, to do that. As for using these cert. apis "now" those particular cert. apis are just thin wrappers with a few predefined constants that we may or may not want. If we did use these cert. apis we'd also be using cert.NewSignedCert to consume our new CACert when generating the cert that we need for the streaming encryption. *** However, after reading through cert.GenerateSelfSignedCertKey, that looks to me to be (possibly) the more useful api for our needs :-) Pretty sure I could recode to use that api, if we decide to go the full self signed CA cert chain route. Let's leave this question as a potential route to go depending on what auth requirements get set for the CRI API. For example, self signed CA cert might be an admin decision not a runtime one. We should open an auth design issue for that here in containerd/cri and another over in the kubernetes CRI api. |
pkg/server/streaming.go
Outdated
|
|
||
| // Generate pem block using the private key | ||
| keyPem := pem.EncodeToMemory(&pem.Block{ | ||
| Type: "RSA PRIVATE KEY", |
pkg/server/streaming.go
Outdated
|
|
||
| // Generate a pem block with the certificate | ||
| certPem := pem.EncodeToMemory(&pem.Block{ | ||
| Type: "CERTIFICATE", |
pkg/server/streaming.go
Outdated
| NotAfter: time.Now().AddDate(years, 0, 0), | ||
| SerialNumber: serialNumber, | ||
| Subject: pkix.Name{ | ||
| CommonName: fmt.Sprintf("system:node:%s", hostName), |
There was a problem hiding this comment.
Let's use something else. This is for kubelet I think.
containerd?
pkg/server/streaming.go
Outdated
| @@ -112,3 +130,80 @@ func handleResizing(resize <-chan remotecommand.TerminalSize, resizeFunc func(si | |||
| } | |||
| }() | |||
| } | |||
|
|
|||
| func newTLSCert() (tls.Certificate, error) { | |||
There was a problem hiding this comment.
Add comment to explain what we are doing here, and add TODO.
Signed-off-by: Mike Brown <brownwm@us.ibm.com>
|
comments addressed @Random-Liu |
| "k8s.io/kubernetes/pkg/kubelet/server/streaming" | ||
| "k8s.io/utils/exec" | ||
|
|
||
| ctrdutil "github.com/containerd/cri/pkg/containerd/util" | ||
| ) | ||
|
|
||
| const ( |
There was a problem hiding this comment.
Prefer private const. I can take care of that.
|
/lgtm |
Addresses issue #665
Adds a tls config comprising a newly generated x509 certificate from a newly generated public/private key pair.
Signed-off-by: Mike Brown brownwm@us.ibm.com