/
tls-serving-certificate.go
112 lines (94 loc) · 3.68 KB
/
tls-serving-certificate.go
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
/*
Copyright 2020 The Kubermatic Kubernetes Platform contributors.
Licensed under the Apache License, Version 2.0 (the "License");
you may not use this file except in compliance with the License.
You may obtain a copy of the License at
http://www.apache.org/licenses/LICENSE-2.0
Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License.
*/
package etcd
import (
"crypto/x509"
"fmt"
"net"
kubermaticv1 "k8c.io/kubermatic/v2/pkg/apis/kubermatic/v1"
"k8c.io/kubermatic/v2/pkg/resources"
"k8c.io/kubermatic/v2/pkg/resources/certificates/triple"
"k8c.io/kubermatic/v2/pkg/resources/reconciling"
corev1 "k8s.io/api/core/v1"
certutil "k8s.io/client-go/util/cert"
)
type tlsCertificateCreatorData interface {
Cluster() *kubermaticv1.Cluster
GetRootCA() (*triple.KeyPair, error)
}
// TLSCertificateCreator returns a function to create/update the secret with the etcd tls certificate.
func TLSCertificateCreator(data tlsCertificateCreatorData) reconciling.NamedSecretCreatorGetter {
return func() (string, reconciling.SecretCreator) {
return resources.EtcdTLSCertificateSecretName, func(se *corev1.Secret) (*corev1.Secret, error) {
ca, err := data.GetRootCA()
if err != nil {
return nil, fmt.Errorf("failed to get cluster ca: %w", err)
}
altNames := certutil.AltNames{
DNSNames: []string{
"localhost",
},
IPs: []net.IP{
net.ParseIP("127.0.0.1"),
},
}
etcdClusterSize := kubermaticv1.DefaultEtcdClusterSize
if data.Cluster().Spec.Features[kubermaticv1.ClusterFeatureEtcdLauncher] {
etcdClusterSize = kubermaticv1.MaxEtcdClusterSize
}
// TODO: make this dynamic based on existing pod count
for i := 0; i < etcdClusterSize; i++ {
// Member name
podName := fmt.Sprintf("etcd-%d", i)
altNames.DNSNames = append(altNames.DNSNames, podName)
// Pod DNS name
absolutePodDNSName := fmt.Sprintf("etcd-%d.%s.%s.svc.cluster.local", i, resources.EtcdServiceName, data.Cluster().Status.NamespaceName)
altNames.DNSNames = append(altNames.DNSNames, absolutePodDNSName)
}
if b, exists := se.Data[resources.EtcdTLSCertSecretKey]; exists {
certs, err := certutil.ParseCertsPEM(b)
if err != nil {
return nil, fmt.Errorf("failed to parse certificate (key=%s) from existing secret %s: %w", resources.EtcdTLSCertSecretKey, resources.EtcdTLSCertificateSecretName, err)
}
if resources.IsServerCertificateValidForAllOf(certs[0], "etcd", altNames, ca.Cert) {
return se, nil
}
}
key, err := triple.NewPrivateKey()
if err != nil {
return nil, fmt.Errorf("failed to create private key for etcd server tls certificate: %w", err)
}
config := certutil.Config{
CommonName: "etcd",
AltNames: altNames,
Usages: []x509.ExtKeyUsage{
x509.ExtKeyUsageServerAuth,
// etcd needs even the server cert to allow client authentication, see
// https://github.com/openshift/kubecsr/commit/aad75d333646da657e788db93f2ff75da850b542
// not having it does not cause etcd to fail, but produces lots of warnings and errors
x509.ExtKeyUsageClientAuth,
},
}
cert, err := triple.NewSignedCert(config, key, ca.Cert, ca.Key)
if err != nil {
return nil, fmt.Errorf("unable to sign the server certificate: %w", err)
}
if se.Data == nil {
se.Data = map[string][]byte{}
}
se.Data[resources.EtcdTLSKeySecretKey] = triple.EncodePrivateKeyPEM(key)
se.Data[resources.EtcdTLSCertSecretKey] = triple.EncodeCertPEM(cert)
return se, nil
}
}
}