-
Notifications
You must be signed in to change notification settings - Fork 38.7k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Generate CSRs for kubeadm #70809
Generate CSRs for kubeadm #70809
Conversation
/kind feature |
defer os.Remove(f.Name()) | ||
|
||
if _, err := CertificateRequestFromFile(f.Name()); err == nil { | ||
t.Fatalf("Expected error reading csr from empty file, got none") |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
error should start lowercase.
CSR upper case?
|
@timothysc that one's included too. |
/test pull-kubernetes-kubemark-e2e-gce-big |
/test pull-kubernetes-e2e-kops-aws pull-kubernetes-kubemark-e2e-gce-big |
@fedebongio: GitHub didn't allow me to request PR reviews from the following users: client-go, changes, only, for, the. Note that only kubernetes members and repo collaborators can review this PR, and authors cannot review their own PRs. In response to this:
Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository. |
@@ -87,6 +87,26 @@ func NewSelfSignedCACert(cfg Config, key crypto.Signer) (*x509.Certificate, erro | |||
return x509.ParseCertificate(certDERBytes) | |||
} | |||
|
|||
// NewCSR creates a new CSR | |||
func NewCSR(cfg Config, key crypto.Signer) (*x509.CertificateRequest, error) { |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
the certificates packages in client-go are kind of a kitchen sink and we are working on removing a lot of the surface. @awly would you keep these functions here? I'm wondering if adding this to kubeadm utilities would be preferable.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I'd move this to pkiutil.
Everything under client-go is intended for clients of k8s that do not want to vendor the entire k8s codebase. We should keep only things that are relevant for clients here.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Ack. Everything removed from staging.
|
||
csrPath := pathForCSR(csrDir, name) | ||
if err := certutil.WriteCSR(csrPath, certutil.EncodeCSRPEM(csr)); err != nil { | ||
return errors.Wrapf(err, "unable to write csr to file %s", csrPath) |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Is it correct that csr -> CSR ?
csr, _, err := NewCSR(&kubeadmCert, cfg) | ||
|
||
if err != nil { | ||
t.Errorf("invalid signature on csr: %v", err) |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Is it correct that csr -> CSR ?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Thanks @liztio !
Only some tiny nits on my behalf.
@@ -65,6 +65,21 @@ func NewCertAndKey(caCert *x509.Certificate, caKey *rsa.PrivateKey, config *cert | |||
return cert, key, nil | |||
} | |||
|
|||
// NewCSRAndKey generates a new CSR and key that could be signed to create the given |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Unfinished comment?
return nil, nil, errors.Wrap(err, "unable to create private key") | ||
} | ||
csr, err := certutil.NewCSR(*config, key) | ||
|
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Strange NL choice here. Probably move the empty line before the NewCSR
call?
@@ -276,6 +295,30 @@ func writeKeyFilesIfNotExist(pkiDir string, baseName string, key *rsa.PrivateKey | |||
return nil | |||
} | |||
|
|||
func writeCSRFilesIfNotExist(csrDir string, baseName string, csr *x509.CertificateRequest, key *rsa.PrivateKey) error { |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I'd rather put a big comment on top of this one, to prevent people from accidentally calling it.
@@ -276,6 +295,30 @@ func writeKeyFilesIfNotExist(pkiDir string, baseName string, key *rsa.PrivateKey | |||
return nil | |||
} | |||
|
|||
func writeCSRFilesIfNotExist(csrDir string, baseName string, csr *x509.CertificateRequest, key *rsa.PrivateKey) error { | |||
if pkiutil.CSROrKeyExist(csrDir, baseName) { | |||
_, _, err := pkiutil.TryLoadCSRAndKeyFromDisk(csrDir, baseName) |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Do we really have to load the key here? In the wake of Meltdown and Spectre I am a bit hesitant to load a key in memory, just to check if it exists. Probably a good old os.Stat
of a *.key
file can do the trick here?
It's better to keep it in this way in the testing code though (but not in production code).
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I'd prefer to keep this consistent with the other similar methods. Maybe file an issue against kubernetes/kubeadm to fix this everywhere? It should be pretty straightforward
@@ -47,6 +48,11 @@ var ( | |||
` + cmdutil.AlphaDisclaimer) | |||
) | |||
|
|||
var ( | |||
csrOnly bool |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I don't love that we have to do this, but I don't see any other way to plum this
d22d781
to
b6e97e5
Compare
It looks like this needs a rebase now that @fabriziopandini 's PR has merged. |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Minor comments.
cmd/kubeadm/app/cmd/init.go
Outdated
client clientset.Interface | ||
waiter apiclient.Waiter | ||
outputWriter io.Writer | ||
|
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
There is no change here that relates to your PR.
cmd/kubeadm/app/cmd/init.go
Outdated
@@ -236,23 +237,23 @@ func AddInitConfigFlags(flagSet *flag.FlagSet, cfg *kubeadmapiv1beta1.InitConfig | |||
} | |||
|
|||
// AddInitOtherFlags adds init flags that are not bound to a configuration file to the given flagset | |||
func AddInitOtherFlags(flagSet *flag.FlagSet, cfgPath *string, skipTokenPrint, dryRun *bool, ignorePreflightErrors *[]string) { | |||
func AddInitOtherFlags(flagSet *flag.FlagSet, initOpts *initOptions) { |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I'm ok with this, but this seems orthogonal to the purpose of the PR.
@@ -0,0 +1,77 @@ | |||
/* | |||
Copyright 2017 The Kubernetes Authors. |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
2018
|
||
csrPath := pathForCSR(csrDir, name) | ||
if err := os.MkdirAll(filepath.Dir(csrPath), os.FileMode(0755)); err != nil { | ||
return err |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Wrap for consistency, also to denote location for debugging.
return err | ||
} | ||
|
||
|
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
nix spare line
|
||
key, err := TryLoadKeyFromDisk(pkiPath, name) | ||
if err != nil { | ||
return nil, nil, err |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
same re: Wrap.
/test pull-kubernetes-e2e-kops-aws |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
LGTM
thanks for all the updates @liztio . i don't see anything blocking.
/lgtm |
[APPROVALNOTIFIER] This PR is APPROVED Approval requirements bypassed by manually added approval. This pull-request has been approved by: liztio The full list of commands accepted by this bot can be found here. The pull request process is described here
Needs approval from an approver in each of these files:
Approvers can indicate their approval by writing |
What type of PR is this?
What this PR does / why we need it:
Generating CSRs makes it much easier to integrate kubeadm's certificates into a larger organisation. Previously adminstrators would have to carefully set up certificates in the correct configuration. With a CSR they can simply sign them appropriately and move them to the directory.
Which issue(s) this PR fixes (optional, in
fixes #<issue number>(, fixes #<issue_number>, ...)
format, will close the issue(s) when PR gets merged):Fixes #kubernetes/kubeadm#794
Special notes for your reviewer:
Does this PR introduce a user-facing change?: