package tls

import (
	"context"
	"crypto/x509"
	"crypto/x509/pkix"

	"github.com/openshift/installer/pkg/asset"
)

// AggregatorCA is the asset that generates the aggregator-ca key/cert pair.
//
// [DEPRECATED] It is still produced because APIServerProxyCertKey depends on
// it. Note that AggregatorCABundle does not include this CA; the bundle is built
// from AggregatorSignerCertKey only.
type AggregatorCA struct {
	SelfSignedCertKey
}

var _ asset.Asset = (*AggregatorCA)(nil)

// Dependencies returns the assets this CA needs before it can be generated.
// The CA is self-signed, so the list is empty.
func (a *AggregatorCA) Dependencies() []asset.Asset {
	return []asset.Asset{}
}

// Generate creates the self-signed aggregator CA key/cert pair and stores it
// under the "aggregator-ca" file name via the embedded SelfSignedCertKey.
//
// The certificate is marked as a CA (IsCA plus KeyUsageCertSign) and carries
// a one-day validity (ValidityOneDay), so it is only meant to bootstrap the
// cluster; longer-lived replacement presumably happens after install — confirm.
// The dependencies argument is unused because the CA has no parents.
func (a *AggregatorCA) Generate(ctx context.Context, dependencies asset.Parents) error {
	var caCfg CertCfg
	caCfg.Subject = pkix.Name{
		CommonName:         "aggregator",
		OrganizationalUnit: []string{"bootkube"},
	}
	caCfg.KeyUsages = x509.KeyUsageKeyEncipherment | x509.KeyUsageDigitalSignature | x509.KeyUsageCertSign
	caCfg.Validity = ValidityOneDay
	caCfg.IsCA = true

	return a.SelfSignedCertKey.Generate(ctx, &caCfg, "aggregator-ca")
}

// Name returns the human-friendly name of the asset.
func (a *AggregatorCA) Name() string {
	const humanName = "Certificate (aggregator)"
	return humanName
}

// APIServerProxyCertKey is the asset that generates the API server proxy
// client key/cert pair, signed by the deprecated AggregatorCA.
//
// [DEPRECATED] AggregatorClientCertKey is the equivalent pair signed by
// AggregatorSignerCertKey; both use the same subject common name.
type APIServerProxyCertKey struct {
	SignedCertKey
}

var _ asset.Asset = (*APIServerProxyCertKey)(nil)

// Dependencies returns the assets this cert/key pair needs: its issuing CA,
// AggregatorCA. It does not depend on the install config.
func (a *APIServerProxyCertKey) Dependencies() []asset.Asset {
	return []asset.Asset{
		&AggregatorCA{},
	}
}

// Generate generates the cert/key pair based on its dependencies.
func (a *APIServerProxyCertKey) Generate(ctx context.Context, dependencies asset.Parents) error {
	// Resolve the issuing CA from the already-generated parents.
	parentCA := &AggregatorCA{}
	dependencies.Get(parentCA)

	// Leaf certificate for client authentication only: no CertSign, and the
	// only extended key usage is ClientAuth. The CN "system:kube-apiserver-proxy"
	// is the identity the receiving side sees on front-proxy requests; it is
	// presumably matched against an allowed-names list there — confirm.
	var leafCfg CertCfg
	leafCfg.Subject = pkix.Name{
		CommonName:   "system:kube-apiserver-proxy",
		Organization: []string{"kube-master"},
	}
	leafCfg.KeyUsages = x509.KeyUsageKeyEncipherment | x509.KeyUsageDigitalSignature
	leafCfg.ExtKeyUsages = []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}
	leafCfg.Validity = ValidityOneDay

	// DoNotAppendParent: going by its name, the issuing CA certificate is not
	// appended to the written leaf cert — confirm against SignedCertKey.Generate.
	return a.SignedCertKey.Generate(ctx, &leafCfg, parentCA, "apiserver-proxy", DoNotAppendParent)
}

// Name returns the human-friendly name of the asset.
//
// NOTE(review): AggregatorClientCertKey.Name returns the identical string, so
// the two assets are only distinguishable by type and output file name.
func (a *APIServerProxyCertKey) Name() string {
	const humanName = "Certificate (system:kube-apiserver-proxy)"
	return humanName
}

// AggregatorSignerCertKey is the self-signed CA key/cert pair that signs the
// aggregator client certs (see AggregatorClientCertKey). Its certificate is
// what AggregatorCABundle publishes as the trust anchor.
type AggregatorSignerCertKey struct {
	SelfSignedCertKey
}

var _ asset.WritableAsset = (*AggregatorSignerCertKey)(nil)

// Dependencies returns the assets this signer needs before it can be
// generated. The signer is self-signed, so the list is empty.
func (c *AggregatorSignerCertKey) Dependencies() []asset.Asset {
	return []asset.Asset{}
}

// Generate creates the self-signed aggregator-signer key/cert pair and stores
// it under the "aggregator-signer" file name via the embedded SelfSignedCertKey.
//
// The certificate is a CA (IsCA plus KeyUsageCertSign) with a one-day validity
// (ValidityOneDay), i.e. a bootstrap-only signer. The parents argument is
// unused because the signer has no dependencies.
func (c *AggregatorSignerCertKey) Generate(ctx context.Context, parents asset.Parents) error {
	var signerCfg CertCfg
	signerCfg.Subject = pkix.Name{
		CommonName:         "aggregator-signer",
		OrganizationalUnit: []string{"openshift"},
	}
	signerCfg.KeyUsages = x509.KeyUsageKeyEncipherment | x509.KeyUsageDigitalSignature | x509.KeyUsageCertSign
	signerCfg.Validity = ValidityOneDay
	signerCfg.IsCA = true

	return c.SelfSignedCertKey.Generate(ctx, &signerCfg, "aggregator-signer")
}

// Name returns the human-friendly name of the asset.
func (c *AggregatorSignerCertKey) Name() string {
	const humanName = "Certificate (aggregator-signer)"
	return humanName
}

// AggregatorCABundle is the asset that generates the aggregator-ca-bundle,
// which contains all the individual client CAs.
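type AggregatorCABundle struct {
	CertBundle
}

var _ asset.Asset = (*AggregatorCABundle)(nil)

// Dependencies returns the CAs whose certificates make up the bundle.
//
// Only AggregatorSignerCertKey is included: the deprecated AggregatorCA is not
// part of this trust bundle, so certificates it issued (APIServerProxyCertKey)
// are not trusted through it.
func (a *AggregatorCABundle) Dependencies() []asset.Asset {
	return []asset.Asset{
		&AggregatorSignerCertKey{},
	}
}

// Generate assembles the "aggregator-ca-bundle" from the certificate of every
// asset returned by Dependencies, resolved from deps.
//
// Every dependency must implement CertInterface; the type assertion panics
// otherwise. That is a programming error in this file (Dependencies and the
// assertion must agree), not something derived from runtime input.
func (a *AggregatorCABundle) Generate(ctx context.Context, deps asset.Parents) error {
	parents := a.Dependencies()

	// The loop variable is deliberately not called "asset": that name would
	// shadow the imported asset package for the rest of the loop body.
	certs := make([]CertInterface, 0, len(parents))
	for _, parent := range parents {
		deps.Get(parent)
		certs = append(certs, parent.(CertInterface))
	}

	return a.CertBundle.Generate(ctx, "aggregator-ca-bundle", certs...)
}

// Name returns the human-friendly name of the asset.
func (a *AggregatorCABundle) Name() string {
	return "Certificate (aggregator-ca-bundle)"
}

// AggregatorClientCertKey is the asset that generates the aggregator client
// key/cert pair, signed by AggregatorSignerCertKey.
//
// It uses the same subject common name as the deprecated APIServerProxyCertKey
// ("system:kube-apiserver-proxy") but is issued by a different CA and written
// under a different file name.
type AggregatorClientCertKey struct {
	SignedCertKey
}

var _ asset.Asset = (*AggregatorClientCertKey)(nil)

// Dependencies returns the assets this cert/key pair needs: its issuing CA,
// AggregatorSignerCertKey.
func (a *AggregatorClientCertKey) Dependencies() []asset.Asset {
	return []asset.Asset{
		&AggregatorSignerCertKey{},
	}
}

// Generate generates the cert/key pair based on its dependencies.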
func (a *AggregatorClientCertKey) Generate(ctx context.Context, dependencies asset.Parents) error {
	// Resolve the issuing CA from the already-generated parents.
	signer := &AggregatorSignerCertKey{}
	dependencies.Get(signer)

	// Client-authentication leaf: no CertSign, ClientAuth as the only extended
	// key usage. The CN "system:kube-apiserver-proxy" is the identity presented
	// on front-proxy requests; it is presumably matched against an
	// allowed-names list on the receiving side — confirm.
	var leafCfg CertCfg
	leafCfg.Subject = pkix.Name{
		CommonName:   "system:kube-apiserver-proxy",
		Organization: []string{"kube-master"},
	}
	leafCfg.KeyUsages = x509.KeyUsageKeyEncipherment | x509.KeyUsageDigitalSignature
	leafCfg.ExtKeyUsages = []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}
	leafCfg.Validity = ValidityOneDay

	// DoNotAppendParent: going by its name, the issuing CA certificate is not
	// appended to the written leaf cert — confirm against SignedCertKey.Generate.
	return a.SignedCertKey.Generate(ctx, &leafCfg, signer, "aggregator-client", DoNotAppendParent)
}

// Name returns the human-friendly name of the asset.
//
// NOTE(review): this is the same string APIServerProxyCertKey.Name returns;
// the two assets differ only by type and output file name, so anything that
// displays or keys by Name cannot tell them apart — confirm that is intended.
func (a *AggregatorClientCertKey) Name() string {
	const humanName = "Certificate (system:kube-apiserver-proxy)"
	return humanName
}