// SPDX-FileCopyrightText: 2024 SAP SE or an SAP affiliate company and Gardener contributors
//
// SPDX-License-Identifier: Apache-2.0
package bootstrap
import (
"context"
"crypto/x509/pkix"
"fmt"
"net"
"strings"
"github.com/go-logr/logr"
certificatesv1 "k8s.io/api/certificates/v1"
corev1 "k8s.io/api/core/v1"
rbacv1 "k8s.io/api/rbac/v1"
metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
"k8s.io/apiserver/pkg/authentication/serviceaccount"
bootstraptokenapi "k8s.io/cluster-bootstrap/token/api"
"sigs.k8s.io/controller-runtime/pkg/client"
v1beta1constants "github.com/gardener/gardener/pkg/apis/core/v1beta1/constants"
"github.com/gardener/gardener/pkg/client/kubernetes"
"github.com/gardener/gardener/pkg/gardenlet/bootstrap/certificate"
gardenletbootstraputil "github.com/gardener/gardener/pkg/gardenlet/bootstrap/util"
kubernetesutils "github.com/gardener/gardener/pkg/utils/kubernetes"
)
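// RequestKubeconfigWithBootstrapClient requests a client certificate for the seed identity
// (Organization: the seeds group, CommonName: SeedUserNamePrefix+seedName) through the given
// bootstrap client set, stores the resulting kubeconfig in the secret identified by
// kubeconfigKey on the seed cluster, and finally deletes the bootstrap kubeconfig secret
// identified by bootstrapKubeconfigKey so the bootstrap credential does not linger on the seed.
//
// The order is deliberate: the long-lived kubeconfig is persisted before the bootstrap secret
// is removed, so a failure in between never leaves the seed without a usable credential.
//
// Parameters:
//   - ctx: request context forwarded to every API call.
//   - log: logger for progress messages.
//   - seedClient: client for the seed cluster, where both secrets live.
//   - bootstrapClientSet: garden-cluster client authenticated with the bootstrap credential;
//     its REST config is used as the template for the generated kubeconfig.
//   - kubeconfigKey: secret that receives the resulting kubeconfig.
//   - bootstrapKubeconfigKey: secret holding the bootstrap kubeconfig; deleted on success.
//   - seedName: name of the seed; becomes part of the certificate's CommonName.
//   - validityDuration: requested certificate lifetime, passed through to RequestCertificate.
//
// Returns the kubeconfig bytes, the name of the CertificateSigningRequest that was created
// (needed afterwards to revoke the bootstrap credential, see DeleteBootstrapAuth), the seed
// name as passed in, or an error. Every error is wrapped with the step that failed so the
// caller can tell which secret or request the failure concerns.
func RequestKubeconfigWithBootstrapClient(
	ctx context.Context,
	log logr.Logger,
	seedClient client.Client,
	bootstrapClientSet kubernetes.Interface,
	kubeconfigKey, bootstrapKubeconfigKey client.ObjectKey,
	seedName string,
	validityDuration *metav1.Duration,
) (
	[]byte,
	string,
	string,
	error,
) {
	// The subject is what the garden cluster authorizes on: the seeds group plus the
	// per-seed user name. No DNS names or IPs are requested; this is a pure client certificate.
	certificateSubject := &pkix.Name{
		Organization: []string{v1beta1constants.SeedsGroup},
		CommonName:   v1beta1constants.SeedUserNamePrefix + seedName,
	}

	certData, privateKeyData, csrName, err := certificate.RequestCertificate(ctx, log, bootstrapClientSet.Kubernetes(), certificateSubject, []string{}, []net.IP{}, validityDuration)
	if err != nil {
		return nil, "", "", fmt.Errorf("unable to bootstrap the kubeconfig for the Garden cluster: %w", err)
	}

	log.Info("Storing kubeconfig with bootstrapped certificate in kubeconfig secret on target cluster")
	kubeconfig, err := gardenletbootstraputil.UpdateGardenKubeconfigSecret(ctx, bootstrapClientSet.RESTConfig(), certData, privateKeyData, seedClient, kubeconfigKey)
	if err != nil {
		return nil, "", "", fmt.Errorf("unable to update secret %q with bootstrapped kubeconfig: %w", kubeconfigKey.String(), err)
	}

	// Only now remove the bootstrap kubeconfig: the long-lived credential is already stored.
	// The error is wrapped like the steps above so the failing secret is identifiable.
	// NOTE(review): whether an already-deleted secret is tolerated depends on
	// kubernetesutils.DeleteObject, which is not visible here.
	log.Info("Deleting bootstrap kubeconfig secret from target cluster")
	bootstrapSecret := &corev1.Secret{
		ObjectMeta: metav1.ObjectMeta{
			Name:      bootstrapKubeconfigKey.Name,
			Namespace: bootstrapKubeconfigKey.Namespace,
		},
	}
	if err := kubernetesutils.DeleteObject(ctx, seedClient, bootstrapSecret); err != nil {
		return nil, "", "", fmt.Errorf("unable to delete bootstrap kubeconfig secret %q: %w", bootstrapKubeconfigKey.String(), err)
	}

	return kubeconfig, csrName, seedName, nil
}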
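// DeleteBootstrapAuth revokes the credential that was used to request the certificate for the
// given CSR. It reads the CertificateSigningRequest named csrName and inspects spec.username,
// the identity recorded for the requester:
//
//   - "system:bootstrap:<id>" (a bootstrap token): deletes the token secret
//     "bootstrap-token-<id>" in kube-system, which invalidates the token.
//   - "system:serviceaccount:<ns>:<name>" (a service account token): deletes the service
//     account itself and the ClusterRoleBinding that granted it the bootstrap permissions
//     (named via gardenletbootstraputil.ClusterRoleBindingName).
//
// Any other username matches neither case: nothing is deleted and nil is returned. Callers
// that depend on the bootstrap credential being revoked must therefore make sure the CSR was
// created through one of the two mechanisms above.
//
// Parameters:
//   - ctx: request context for the API calls.
//   - reader: client used to fetch the (cluster-scoped) CSR.
//   - writer: client used to delete the credential objects.
//   - csrName: name of the CertificateSigningRequest.
//
// Returns the error from fetching the CSR, from splitting a malformed service-account
// username, or from deleting the objects.
// NOTE(review): whether already-deleted objects are tolerated depends on
// kubernetesutils.DeleteObjects, which is not visible here.
func DeleteBootstrapAuth(ctx context.Context, reader client.Reader, writer client.Writer, csrName string) error {
	csr := &certificatesv1.CertificateSigningRequest{}
	if err := reader.Get(ctx, kubernetesutils.Key(csrName), csr); err != nil {
		return err
	}

	// The requester identity decides which bootstrap artifacts have to go.
	requester := csr.Spec.Username

	var resourcesToDelete []client.Object

	switch {
	case strings.HasPrefix(requester, bootstraptokenapi.BootstrapUserPrefix):
		// The token ID is what follows the prefix; the secret name is derived from it.
		// Use the same constant as the case guard so the two can never drift apart.
		tokenID := strings.TrimPrefix(requester, bootstraptokenapi.BootstrapUserPrefix)
		resourcesToDelete = append(resourcesToDelete, &corev1.Secret{
			ObjectMeta: metav1.ObjectMeta{
				Name:      bootstraptokenapi.BootstrapTokenSecretPrefix + tokenID,
				Namespace: metav1.NamespaceSystem,
			},
		})

	case strings.HasPrefix(requester, serviceaccount.ServiceAccountUsernamePrefix):
		serviceAccountNamespace, serviceAccountName, err := serviceaccount.SplitUsername(requester)
		if err != nil {
			return err
		}
		// Both the identity and the binding that made it privileged are removed, so the
		// service account token can neither authenticate nor be re-granted by accident.
		resourcesToDelete = append(resourcesToDelete,
			&corev1.ServiceAccount{
				ObjectMeta: metav1.ObjectMeta{
					Name:      serviceAccountName,
					Namespace: serviceAccountNamespace,
				},
			},
			&rbacv1.ClusterRoleBinding{
				ObjectMeta: metav1.ObjectMeta{
					Name: gardenletbootstraputil.ClusterRoleBindingName(serviceAccountNamespace, serviceAccountName),
				},
			},
		)
	}

	return kubernetesutils.DeleteObjects(ctx, writer, resourcesToDelete...)
}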