Generate CSRs for kubeadm #70809
Generate CSRs for kubeadm #70809
Conversation
k8s-ci-robot
added
do-not-merge/work-in-progress
|
/kind feature |
k8s-ci-robot
added
kind/feature
| defer os.Remove(f.Name()) | ||
|
|
||
| if _, err := CertificateRequestFromFile(f.Name()); err == nil { | ||
| t.Fatalf("Expected error reading csr from empty file, got none") |
There was a problem hiding this comment.
error should start lowercase.
CSR upper case?
k8s-ci-robot
added
the
needs-rebase
k8s-ci-robot
removed
the
needs-rebase
k8s-ci-robot
removed
the
do-not-merge/work-in-progress
|
|
|
@timothysc that one's included too. |
|
/test pull-kubernetes-kubemark-e2e-gce-big |
|
/test pull-kubernetes-e2e-kops-aws pull-kubernetes-kubemark-e2e-gce-big |
|
@fedebongio: GitHub didn't allow me to request PR reviews from the following users: client-go, changes, only, for, the. Note that only kubernetes members and repo collaborators can review this PR, and authors cannot review their own PRs. In response to this:
Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository. |
| @@ -87,6 +87,26 @@ func NewSelfSignedCACert(cfg Config, key crypto.Signer) (*x509.Certificate, erro | |||
| return x509.ParseCertificate(certDERBytes) | |||
| } | |||
|
|
|||
| // NewCSR creates a new CSR | |||
| func NewCSR(cfg Config, key crypto.Signer) (*x509.CertificateRequest, error) { | |||
There was a problem hiding this comment.
the certificates packages in client-go are kind of a kitchen sink and we are working on removing a lot of the surface. @awly would you keep these functions here? I'm wondering if adding this to kubeadm utilities would be preferable.
There was a problem hiding this comment.
I'd move this to pkiutil.
Everything under client-go is intended for clients of k8s that do not want to vendor the entire k8s codebase. We should keep only things that are relevant for clients here.
There was a problem hiding this comment.
Ack. Everything removed from staging.
|
|
||
| csrPath := pathForCSR(csrDir, name) | ||
| if err := certutil.WriteCSR(csrPath, certutil.EncodeCSRPEM(csr)); err != nil { | ||
| return errors.Wrapf(err, "unable to write csr to file %s", csrPath) |
There was a problem hiding this comment.
Is it correct that csr -> CSR ?
| csr, _, err := NewCSR(&kubeadmCert, cfg) | ||
|
|
||
| if err != nil { | ||
| t.Errorf("invalid signature on csr: %v", err) |
There was a problem hiding this comment.
Is it correct that csr -> CSR ?
| @@ -65,6 +65,21 @@ func NewCertAndKey(caCert *x509.Certificate, caKey *rsa.PrivateKey, config *cert | |||
| return cert, key, nil | |||
| } | |||
|
|
|||
| // NewCSRAndKey generates a new CSR and key that could be signed to create the given | |||
| return nil, nil, errors.Wrap(err, "unable to create private key") | ||
| } | ||
| csr, err := certutil.NewCSR(*config, key) | ||
|
|
There was a problem hiding this comment.
Strange NL choice here. Probably move the empty line before the NewCSR call?
| @@ -276,6 +295,30 @@ func writeKeyFilesIfNotExist(pkiDir string, baseName string, key *rsa.PrivateKey | |||
| return nil | |||
| } | |||
|
|
|||
| func writeCSRFilesIfNotExist(csrDir string, baseName string, csr *x509.CertificateRequest, key *rsa.PrivateKey) error { | |||
There was a problem hiding this comment.
I'd rather put a big comment on top of this one, to prevent people from accidentally calling it.
| @@ -276,6 +295,30 @@ func writeKeyFilesIfNotExist(pkiDir string, baseName string, key *rsa.PrivateKey | |||
| return nil | |||
| } | |||
|
|
|||
| func writeCSRFilesIfNotExist(csrDir string, baseName string, csr *x509.CertificateRequest, key *rsa.PrivateKey) error { | |||
| if pkiutil.CSROrKeyExist(csrDir, baseName) { | |||
| _, _, err := pkiutil.TryLoadCSRAndKeyFromDisk(csrDir, baseName) | |||
There was a problem hiding this comment.
Do we really have to load the key here? In the wake of Meltdown and Spectre I am a bit hesitant to load a key in memory, just to check if it exists. Probably a good old os.Stat of a *.key file can do the trick here?
It's better to keep it in this way in the testing code though (but not in production code).
There was a problem hiding this comment.
I'd prefer to keep this consistent with the other similar methods. Maybe file an issue against kubernetes/kubeadm to fix this everywhere? It should be pretty straightforward
k8s-ci-robot
added
the
needs-rebase
k8s-ci-robot
removed
the
needs-rebase
| @@ -47,6 +48,11 @@ var ( | |||
| ` + cmdutil.AlphaDisclaimer) | |||
| ) | |||
|
|
|||
| var ( | |||
| csrOnly bool | |||
There was a problem hiding this comment.
I don't love that we have to do this, but I don't see any other way to plum this
liztio
force-pushed
the
csr
branch
3 times, most recently
from
d22d781
to
b6e97e5
Compare
|
It looks like this needs a rebase now that @fabriziopandini 's PR has merged. |
k8s-ci-robot
removed
the
do-not-merge/hold
cmd/kubeadm/app/cmd/init.go
Outdated
| client clientset.Interface | ||
| waiter apiclient.Waiter | ||
| outputWriter io.Writer | ||
|
|
There was a problem hiding this comment.
There is no change here that relates to your PR.
cmd/kubeadm/app/cmd/init.go
Outdated
| @@ -236,23 +237,23 @@ func AddInitConfigFlags(flagSet *flag.FlagSet, cfg *kubeadmapiv1beta1.InitConfig | |||
| } | |||
|
|
|||
| // AddInitOtherFlags adds init flags that are not bound to a configuration file to the given flagset | |||
| func AddInitOtherFlags(flagSet *flag.FlagSet, cfgPath *string, skipTokenPrint, dryRun *bool, ignorePreflightErrors *[]string) { | |||
| func AddInitOtherFlags(flagSet *flag.FlagSet, initOpts *initOptions) { | |||
There was a problem hiding this comment.
I'm ok with this, but this seems orthogonal to the purpose of the PR.
| @@ -0,0 +1,77 @@ | |||
| /* | |||
| Copyright 2017 The Kubernetes Authors. | |||
|
|
||
| csrPath := pathForCSR(csrDir, name) | ||
| if err := os.MkdirAll(filepath.Dir(csrPath), os.FileMode(0755)); err != nil { | ||
| return err |
There was a problem hiding this comment.
Wrap for consistency, also to denote location for debugging.
| return err | ||
| } | ||
|
|
||
|
|
|
|
||
| key, err := TryLoadKeyFromDisk(pkiPath, name) | ||
| if err != nil { | ||
| return nil, nil, err |
|
/test pull-kubernetes-e2e-kops-aws |
|
/lgtm |
k8s-ci-robot
added
the
lgtm
timothysc
added
the
approved
|
[APPROVALNOTIFIER] This PR is APPROVED Approval requirements bypassed by manually added approval. This pull-request has been approved by: liztio The full list of commands accepted by this bot can be found here. The pull request process is described here
Needs approval from an approver in each of these files:
Approvers can indicate their approval by writing |
What type of PR is this?
What this PR does / why we need it:
Generating CSRs makes it much easier to integrate kubeadm's certificates into a larger organisation. Previously adminstrators would have to carefully set up certificates in the correct configuration. With a CSR they can simply sign them appropriately and move them to the directory.
Which issue(s) this PR fixes (optional, in
fixes #<issue number>(, fixes #<issue_number>, ...)format, will close the issue(s) when PR gets merged):Fixes #kubernetes/kubeadm#794
Special notes for your reviewer:
Does this PR introduce a user-facing change?: