package certs
import (
"crypto"
"crypto/x509"
"github.com/pkg/errors"
kubeadmv1beta2 "github.com/wtxue/kok-operator/pkg/apis/kubeadm/v1beta2"
"github.com/wtxue/kok-operator/pkg/util/pkiutil"
"k8s.io/klog/v2"
)
// CaAll bundles a generated certificate authority with the spec it was built
// from, so that leaf certificates can later be issued against it
// (see CreateCertAndKeyFilesWithCA).
type CaAll struct {
	// CaCert is the in-memory CA certificate.
	CaCert *x509.Certificate
	// CaKey is the CA's private signing key; treat as sensitive material.
	CaKey crypto.Signer
	// Cfg is the spec the CA was generated from; its Name is what leaf
	// specs reference through their CAName field.
	Cfg *KubeadmCert
}
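// CreateCACertAndKeyFiles generates a new certificate authority described by
// certSpec and stores its PEM-encoded private key and certificate in cfgMaps,
// keyed by the paths that pkiutil.BuildKeyByte / pkiutil.BuildCertByte derive
// from cfg.CertificatesDir and certSpec.BaseName.
//
// certSpec should be one of the variables from this package and must describe
// a CA (empty CAName); any other spec is rejected with an error. The returned
// CaAll carries the in-memory CA certificate, its signer and the spec so that
// leaf certificates can be issued from it with CreateCertAndKeyFilesWithCA.
//
// Errors from the pkiutil helpers are wrapped with the CA name for context;
// callers using errors.Cause still see the underlying error.
//
// NOTE(review): cfgMaps receives the CA private key bytes; confirm at the
// caller that this map ends up in a protected store (e.g. a Secret), not a
// plain ConfigMap.
func CreateCACertAndKeyFiles(certSpec *KubeadmCert, cfg *kubeadmv1beta2.WarpperConfiguration, cfgMaps map[string][]byte) (*CaAll, error) {
	// Reject nil inputs up front: every one of them is dereferenced (or, for
	// the map, written to) below and would otherwise panic.
	switch {
	case certSpec == nil:
		return nil, errors.New("certSpec must not be nil")
	case cfg == nil:
		return nil, errors.New("cfg must not be nil")
	case cfgMaps == nil:
		return nil, errors.New("cfgMaps must not be nil")
	}
	if certSpec.CAName != "" {
		return nil, errors.Errorf("this function should only be used for CAs, but cert %s has CA %s", certSpec.Name, certSpec.CAName)
	}
	klog.V(1).Infof("creating a new certificate authority for %s", certSpec.Name)

	certConfig, err := certSpec.GetConfig(cfg)
	if err != nil {
		return nil, errors.Wrapf(err, "couldn't build config for CA %q", certSpec.Name)
	}
	caCert, caKey, err := pkiutil.NewCertificateAuthority(certConfig)
	if err != nil {
		return nil, errors.Wrapf(err, "couldn't generate CA %q", certSpec.Name)
	}

	// Private key first, then the certificate, mirroring the on-disk layout
	// the paths describe.
	keyPath, keyByte, err := pkiutil.BuildKeyByte(cfg.CertificatesDir, certSpec.BaseName, caKey)
	if err != nil {
		return nil, errors.Wrapf(err, "couldn't encode private key for CA %q", certSpec.Name)
	}
	cfgMaps[keyPath] = keyByte

	certPath, certByte, err := pkiutil.BuildCertByte(cfg.CertificatesDir, certSpec.BaseName, caCert)
	if err != nil {
		return nil, errors.Wrapf(err, "couldn't encode certificate for CA %q", certSpec.Name)
	}
	cfgMaps[certPath] = certByte

	return &CaAll{
		CaCert: caCert,
		CaKey:  caKey,
		Cfg:    certSpec,
	}, nil
}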
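// CreateCertAndKeyFilesWithCA issues the leaf certificate described by certSpec,
// signed by the CA in ca, and stores the PEM-encoded private key and
// certificate in certsMaps, keyed by the paths that pkiutil.BuildKeyByte /
// pkiutil.BuildCertByte derive from cfg.CertificatesDir and certSpec.BaseName.
//
// certSpec.CAName must match ca.Cfg.Name; a mismatch is reported as an error
// rather than silently signing with the wrong authority. Errors from the
// pkiutil helpers are wrapped with the certificate name for context; callers
// using errors.Cause still see the underlying error.
//
// NOTE(review): certsMaps receives private key bytes; confirm at the caller
// that this map ends up in a protected store (e.g. a Secret).
func CreateCertAndKeyFilesWithCA(certSpec *KubeadmCert, ca *CaAll, cfg *kubeadmv1beta2.WarpperConfiguration, certsMaps map[string][]byte) error {
	// Reject nil inputs up front: each is dereferenced (or, for the map,
	// written to) below and would otherwise panic.
	switch {
	case certSpec == nil:
		return errors.New("certSpec must not be nil")
	case ca == nil || ca.Cfg == nil:
		return errors.New("ca and ca.Cfg must not be nil")
	case cfg == nil:
		return errors.New("cfg must not be nil")
	case certsMaps == nil:
		return errors.New("certsMaps must not be nil")
	}
	if certSpec.CAName != ca.Cfg.Name {
		return errors.Errorf("expected CAname for %s to be %q, but was %s", certSpec.Name, certSpec.CAName, ca.Cfg.Name)
	}

	certConfig, err := certSpec.GetConfig(cfg)
	if err != nil {
		return errors.Wrapf(err, "couldn't create %q certificate", certSpec.Name)
	}
	cert, key, err := pkiutil.NewCertAndKey(ca.CaCert, ca.CaKey, certConfig)
	if err != nil {
		return errors.Wrapf(err, "couldn't sign %q certificate with CA %q", certSpec.Name, ca.Cfg.Name)
	}

	keyPath, keyByte, err := pkiutil.BuildKeyByte(cfg.CertificatesDir, certSpec.BaseName, key)
	if err != nil {
		return errors.Wrapf(err, "couldn't encode private key for %q", certSpec.Name)
	}
	certsMaps[keyPath] = keyByte

	certPath, certByte, err := pkiutil.BuildCertByte(cfg.CertificatesDir, certSpec.BaseName, cert)
	if err != nil {
		return errors.Wrapf(err, "couldn't encode certificate for %q", certSpec.Name)
	}
	certsMaps[certPath] = certByte

	return nil
}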
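// CreateServiceAccountKeyAndPublicKeyFiles generates a fresh private/public key
// pair of the given keyType for signing service account tokens and stores the
// PEM-encoded private key and public key in certsMaps, keyed by the paths that
// pkiutil.BuildKeyByte / pkiutil.BuildPublicKeyByte derive from certsDir and
// pkiutil.ServiceAccountKeyBaseName.
//
// Unlike the kubeadm routine it is modelled on, this function does not look
// for existing key files: a new key is generated on every call and any entry
// already present in certsMaps under the same paths is overwritten.
//
// NOTE(review): certsMaps receives the service-account signing key; confirm at
// the caller that this map ends up in a protected store (e.g. a Secret).
func CreateServiceAccountKeyAndPublicKeyFiles(certsDir string, keyType x509.PublicKeyAlgorithm, certsMaps map[string][]byte) error {
	// A nil map cannot be written to; fail cleanly instead of panicking below.
	if certsMaps == nil {
		return errors.New("certsMaps must not be nil")
	}
	klog.V(1).Infoln("creating new public/private key files for signing service account users")

	key, err := pkiutil.NewPrivateKey(keyType)
	if err != nil {
		return errors.Wrapf(err, "couldn't generate %q private key", pkiutil.ServiceAccountKeyBaseName)
	}

	klog.Infof("[certs] Generating %q key and public key\n", pkiutil.ServiceAccountKeyBaseName)
	keyPath, keyByte, err := pkiutil.BuildKeyByte(certsDir, pkiutil.ServiceAccountKeyBaseName, key)
	if err != nil {
		return errors.Wrapf(err, "couldn't encode %q private key", pkiutil.ServiceAccountKeyBaseName)
	}
	certsMaps[keyPath] = keyByte

	publicPath, publicByte, err := pkiutil.BuildPublicKeyByte(certsDir, pkiutil.ServiceAccountKeyBaseName, key.Public())
	if err != nil {
		return errors.Wrapf(err, "couldn't encode %q public key", pkiutil.ServiceAccountKeyBaseName)
	}
	certsMaps[publicPath] = publicByte

	return nil
}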