/
create_kubecfg.go
162 lines (139 loc) · 4.49 KB
/
create_kubecfg.go
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
/*
Copyright 2019 The Kubernetes Authors.
Licensed under the Apache License, Version 2.0 (the "License");
you may not use this file except in compliance with the License.
You may obtain a copy of the License at
http://www.apache.org/licenses/LICENSE-2.0
Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License.
*/
package kubeconfig
import (
"context"
"crypto/x509/pkix"
"fmt"
"os/user"
"sort"
"time"
"k8s.io/klog/v2"
"k8s.io/kops/pkg/apis/kops"
"k8s.io/kops/pkg/pki"
"k8s.io/kops/pkg/rbac"
"k8s.io/kops/upup/pkg/fi"
)
const DefaultKubecfgAdminLifetime = 18 * time.Hour
func BuildKubecfg(ctx context.Context, cluster *kops.Cluster, keyStore fi.KeystoreReader, secretStore fi.SecretStore, cloud fi.Cloud, admin time.Duration, configUser string, internal bool, kopsStateStore string, useKopsAuthenticationPlugin bool) (*KubeconfigBuilder, error) {
clusterName := cluster.ObjectMeta.Name
var server string
if internal {
server = "https://" + cluster.APIInternalName()
} else {
if cluster.Spec.API.PublicName != "" {
server = "https://" + cluster.Spec.API.PublicName
} else {
server = "https://api." + clusterName
}
// If a load balancer exists we use it, except for when an SSL certificate is set.
// This should avoid a lot of pain with DNS pre-creation.
if cluster.Spec.API.LoadBalancer != nil && (cluster.Spec.API.LoadBalancer.SSLCertificate == "" || admin != 0) {
ingresses, err := cloud.GetApiIngressStatus(cluster)
if err != nil {
return nil, fmt.Errorf("error getting ingress status: %v", err)
}
var targets []string
for _, ingress := range ingresses {
if ingress.Hostname != "" {
targets = append(targets, ingress.Hostname)
}
if ingress.IP != "" {
targets = append(targets, ingress.IP)
}
}
sort.Strings(targets)
if len(targets) == 0 {
klog.Warningf("Did not find API endpoint; may not be able to reach cluster")
} else {
if len(targets) != 1 {
klog.Warningf("Found multiple API endpoints (%v), choosing arbitrarily", targets)
}
server = "https://" + targets[0]
}
}
}
b := NewKubeconfigBuilder()
// Use the secondary load balancer port if a certificate is on the primary listener
if admin != 0 && cluster.Spec.API.LoadBalancer != nil && cluster.Spec.API.LoadBalancer.SSLCertificate != "" && cluster.Spec.API.LoadBalancer.Class == kops.LoadBalancerClassNetwork {
server = server + ":8443"
}
b.Context = clusterName
b.Server = server
b.TLSServerName = cluster.APIInternalName()
// add the CA Cert to the kubeconfig only if we didn't specify a certificate for the LB
// or if we're using admin credentials and the secondary port
if cluster.Spec.API.LoadBalancer == nil || cluster.Spec.API.LoadBalancer.SSLCertificate == "" || cluster.Spec.API.LoadBalancer.Class == kops.LoadBalancerClassNetwork || internal {
keySet, err := keyStore.FindKeyset(ctx, fi.CertificateIDCA)
if err != nil {
return nil, fmt.Errorf("error fetching CA keypair: %v", err)
}
if keySet != nil {
b.CACerts, err = keySet.ToCertificateBytes()
if err != nil {
return nil, err
}
} else {
return nil, fmt.Errorf("cannot find CA certificate")
}
}
if admin != 0 {
cn := "kubecfg"
user, err := user.Current()
if err != nil || user == nil {
klog.Infof("unable to get user: %v", err)
} else {
cn += "-" + user.Name
}
req := pki.IssueCertRequest{
Signer: fi.CertificateIDCA,
Type: "client",
Subject: pkix.Name{
CommonName: cn,
Organization: []string{rbac.SystemPrivilegedGroup},
},
Validity: admin,
}
cert, privateKey, _, err := pki.IssueCert(ctx, &req, fi.NewPKIKeystoreAdapter(keyStore))
if err != nil {
return nil, err
}
b.ClientCert, err = cert.AsBytes()
if err != nil {
return nil, err
}
b.ClientKey, err = privateKey.AsBytes()
if err != nil {
return nil, err
}
}
if useKopsAuthenticationPlugin {
b.AuthenticationExec = []string{
"kops",
"helpers",
"kubectl-auth",
"--cluster=" + clusterName,
"--state=" + kopsStateStore,
}
// If there's an existing client-cert / client-key, we need to clear it so it won't be used
b.ClientCert = nil
b.ClientKey = nil
}
b.Server = server
if configUser == "" {
b.User = cluster.ObjectMeta.Name
} else {
b.User = configUser
}
return b, nil
}