Support modifying certs key size

puppetlabs · Aug 9, 2022 · 07086eb · 07086eb
1 parent 8277618
commit 07086eb
Show file tree

Hide file tree

Showing 4 changed files with 35 additions and 31 deletions.
diff --git a/README.md b/README.md
@@ -69,6 +69,7 @@ The above parameters are:
 * `ETCD_IP`: The IP each etcd member listens on. We recommend passing the fact for the interface to be used by the cluster.
 * `KUBE_API_ADVERTISE_ADDRESS`: The IP each etcd/apiserver instance uses on each controller. We recommend passing the fact for the interface to be used by the cluster.
 * `INSTALL_DASHBOARD`: A boolean which specifies whether to install the dashboard.
+* `KEY_SIZE`: Number of bits in certificates (default: `2048`).
 
 Kubetool creates:
 

diff --git a/tooling/kube_tool.rb b/tooling/kube_tool.rb
@@ -13,7 +13,8 @@
            :cni_provider_version       => nil,
            :etcd_initial_cluster       => nil,
            :kube_api_advertise_address => nil,
-      	   :install_dashboard          => nil,
+           :install_dashboard          => nil,
+           :key_size                   => nil,
           }
 
 parser = OptionParser.new do|opts|
@@ -49,6 +50,10 @@
     options[:kube_api_advertise_address] = api_address;
   end
 
+  opts.on('-b', '--key-size key_size', 'Specifies the number of bits in the key to create') do |key_size|
+    options[:key_size] = key_size
+  end
+
   opts.on('-d', '--install-dashboard dashboard', 'install the kube dashboard') do |dashboard|
     options[:install_dashboard] = dashboard;
   end
@@ -64,16 +69,17 @@
 
 class Kube_tool
   def build_hiera(hash)
+    key_size = hash[:key_size].to_i
     OtherParams.create( hash[:os], hash[:version], hash[:container_runtime], hash[:cni_provider], hash[:cni_provider_version], hash[:etcd_initial_cluster], hash[:etcd_ip], hash[:kube_api_advertise_address], hash[:install_dashboard])
     PreChecks.checks
-    CreateCerts.etcd_ca
-    CreateCerts.etcd_clients
-    CreateCerts.etcd_certificates( hash[:etcd_initial_cluster])
-    CreateCerts.kube_ca
-    CreateCerts.kube_front_proxy_ca
-    CreateCerts.sa    
+    CreateCerts.etcd_ca(key_size)
+    CreateCerts.etcd_clients(key_size)
+    CreateCerts.etcd_certificates(hash[:etcd_initial_cluster], key_size)
+    CreateCerts.kube_ca(key_size)
+    CreateCerts.kube_front_proxy_ca(key_size)
+    CreateCerts.sa(key_size)
     CleanUp.remove_files
-    CleanUp.clean_yaml( hash[:os])
+    CleanUp.clean_yaml(hash[:os])
   end
 end
 

diff --git a/tooling/kube_tool/create_certs.rb b/tooling/kube_tool/create_certs.rb
@@ -6,15 +6,15 @@
 #TODO fix repeatitive code after inital internal release
 
 class CreateCerts
-  def CreateCerts.etcd_ca
+  def CreateCerts.etcd_ca(key_size)
     puts "Creating etcd ca"
     files = ['ca-conf.json', 'ca-csr.json', 'ca-key.pem', 'ca-key.pem']
     files.each do |x|
       if File.exist?(x)
         FileUtils.rm_f(x)
       end
     end
-    csr = { "CN": "etcd", "key": {"algo": "rsa", "size": 2048 }}
+    csr = { "CN": "etcd", "key": {"algo": "rsa", "size": key_size }}
     conf = { "signing": { "default": { "expiry": "43800h" }, "profiles": { "server": { "expiry": "43800h", "usages": [ "signing", "key encipherment", "server auth", "client auth" ] }, "client": { "expiry": "43800h", "usages": [ "signing", "key encipherment", "client auth" ] }, "peer": { "expiry": "43800h", "usages": [ "signing", "key encipherment", "server auth", "client auth" ] } } } }
     File.open("ca-csr.json", "w+") { |file| file.write(csr.to_json) }
     File.open("ca-conf.json", "w+") { |file| file.write(conf.to_json) }
@@ -28,9 +28,9 @@ def CreateCerts.etcd_ca
     File.open("kubernetes.yaml", "a") { |file| file.write(data.to_yaml) }
   end
 
-  def CreateCerts.etcd_clients
+  def CreateCerts.etcd_clients(key_size)
     puts "Creating etcd client certs"
-    csr = { "CN": "client", "hosts": [""], "key": { "algo": "rsa", "size": 2048 } }
+    csr = { "CN": "client", "hosts": [""], "key": { "algo": "rsa", "size": key_size } }
     File.open("kube-etcd-csr.json", "w+") { |file| file.write(csr.to_json) }
     system("cfssl gencert -ca=ca.pem -ca-key=ca-key.pem -config=ca-conf.json -profile client kube-etcd-csr.json | cfssljson -bare client")
     FileUtils.rm_f('kube-etcd-csr.csr')
@@ -42,7 +42,7 @@ def CreateCerts.etcd_clients
     File.open("kubernetes.yaml", "a") { |file| file.write(data.to_yaml) }
   end
 
-  def CreateCerts.etcd_certificates(etcd_initial_cluster)
+  def CreateCerts.etcd_certificates(etcd_initial_cluster, key_size)
     etcd_servers = etcd_initial_cluster.split(",")
     etcd_server_ips = []
     etcd_servers.each do | servers |
@@ -56,9 +56,9 @@ def CreateCerts.etcd_certificates(etcd_initial_cluster)
       ip = server[1]
       if File.exist?("#{hostname}.yaml")
         FileUtils.rm_f("#{hostname}.yaml")
-      end  
+      end
         puts "Creating etcd peer and server certificates"
-        csr = { "CN": "etcd-#{hostname}", "hosts": etcd_server_ips, "key": { "algo": "rsa", "size": 2048 }}
+        csr = { "CN": "etcd-#{hostname}", "hosts": etcd_server_ips, "key": { "algo": "rsa", "size": key_size }}
         File.open("config.json", "w+") { |file| file.write(csr.to_json) }
         system("cfssl gencert -ca=ca.pem -ca-key=ca-key.pem -config=ca-conf.json -profile server --hostname=#{etcd_server_ips * ","},#{hostname} config.json | cfssljson -bare #{hostname}-server")
         system("cfssl gencert -ca=ca.pem -ca-key=ca-key.pem -config=ca-conf.json -profile peer --hostname=#{ip},#{hostname} config.json | cfssljson -bare #{hostname}-peer")
@@ -81,15 +81,15 @@ def CreateCerts.etcd_certificates(etcd_initial_cluster)
     end
   end
 
-  def CreateCerts.kube_ca
+  def CreateCerts.kube_ca(key_size)
     puts "Creating kube ca"
     files = ['ca-conf.json', 'ca-csr.json', 'ca-key.pem', 'ca-key.pem']
     files.each do |x|
       if File.exist?(x)
         FileUtils.rm_f(x)
       end
     end
-    csr = { "CN": "kubernetes", "key": {"algo": "rsa", "size": 2048 }}
+    csr = { "CN": "kubernetes", "key": {"algo": "rsa", "size": key_size }}
     conf = { "signing": { "default": { "expiry": "43800h" }, "profiles": { "server": { "expiry": "43800h", "usages": [ "signing", "key encipherment", "server auth", "client auth" ] }, "client": { "expiry": "43800h", "usages": [ "signing", "key encipherment", "client auth" ] }, "peer": { "expiry": "43800h", "usages": [ "signing", "key encipherment", "server auth", "client auth" ] } } } }
     File.open("ca-csr.json", "w+") { |file| file.write(csr.to_json) }
     File.open("ca-conf.json", "w+") { |file| file.write(conf.to_json) }
@@ -104,18 +104,18 @@ def CreateCerts.kube_ca
     data['kubernetes::kubernetes_ca_key'] = key
     data['kubernetes::discovery_token_hash'] = discovery_token_hash
     FileUtils.rm_f('discovery_token_hash.csr')
-    File.open("kubernetes.yaml", "a") { |file| file.write(data.to_yaml) } 
+    File.open("kubernetes.yaml", "a") { |file| file.write(data.to_yaml) }
   end
 
-  def CreateCerts.kube_front_proxy_ca
+  def CreateCerts.kube_front_proxy_ca(key_size)
     puts "Creating kube front-proxy ca"
     files = ['front-proxy-ca-conf.json', 'front-proxy-ca-csr.json', 'front-proxy-ca-key.pem', 'front-proxy-ca-key.pem']
     files.each do |x|
       if File.exist?(x)
         FileUtils.rm_f(x)
       end
     end
-    csr = { "CN": "front-proxy-ca", "key": {"algo": "rsa", "size": 2048 }}
+    csr = { "CN": "front-proxy-ca", "key": {"algo": "rsa", "size": key_size }}
     conf = { "signing": { "default": { "expiry": "87600h" }}}
     File.open("front-proxy-ca-csr.json", "w+") { |file| file.write(csr.to_json) }
     File.open("front-proxy-ca-conf.json", "w+") { |file| file.write(conf.to_json) }
@@ -128,10 +128,10 @@ def CreateCerts.kube_front_proxy_ca
     data['kubernetes::kubernetes_front_proxy_ca_key'] = key
     File.open("kubernetes.yaml", "a") { |file| file.write(data.to_yaml) }
   end
-  
-  def CreateCerts.sa
+
+  def CreateCerts.sa(key_size)
     puts "Creating service account certs"
-    key = OpenSSL::PKey::RSA.new 2048
+    key = OpenSSL::PKey::RSA.new key_size
     open 'sa-key.pem', 'w' do |io|
       io.write key.to_pem
     end
@@ -148,5 +148,3 @@ def CreateCerts.sa
 
 
 end
-
-
diff --git a/tooling/start-kubetool.sh b/tooling/start-kubetool.sh
@@ -1,7 +1,6 @@
 #!/bin/sh
-
-if [[ -z "${CNI_PROVIDER_VERSION}" ]]; then
-/etc/k8s/kube_tool.rb -o ${OS} -v ${VERSION} -r ${CONTAINER_RUNTIME} -c ${CNI_PROVIDER} -i ${ETCD_INITIAL_CLUSTER} -t ${ETCD_IP} -a ${KUBE_API_ADVERTISE_ADDRESS} -d ${INSTALL_DASHBOARD}
-else
-/etc/k8s/kube_tool.rb -o ${OS} -v ${VERSION} -r ${CONTAINER_RUNTIME} -c ${CNI_PROVIDER} -p ${CNI_PROVIDER_VERSION} -i ${ETCD_INITIAL_CLUSTER} -t ${ETCD_IP} -a ${KUBE_API_ADVERTISE_ADDRESS} -d ${INSTALL_DASHBOARD}
-fi
+KEY_SIZE="${KEY_SIZE:-2048}"
+
+/etc/k8s/kube_tool.rb -o ${OS} -v ${VERSION} -r ${CONTAINER_RUNTIME} -c ${CNI_PROVIDER}\
+ -p ${CNI_PROVIDER_VERSION} -i ${ETCD_INITIAL_CLUSTER} -t ${ETCD_IP} -a ${KUBE_API_ADVERTISE_ADDRESS}\
+ -d ${INSTALL_DASHBOARD} -b ${KEY_SIZE}