// Source: github.com/openshift/installer@v1.4.17/pkg/asset/tls/apiserver.go

package tls

import (
	"context"
	"crypto/x509"
	"crypto/x509/pkix"
	"net"

	"github.com/pkg/errors"

	"github.com/openshift/installer/pkg/asset"
	"github.com/openshift/installer/pkg/asset/installconfig"
)

// KubeAPIServerToKubeletSignerCertKey is the self-signed CA key/cert pair that
// signs the client certificate kube-apiserver presents to kubelets.
//
// Whoever holds this private key can issue client certificates that chain to
// this signer, so the key material should be treated as a high-value secret.
type KubeAPIServerToKubeletSignerCertKey struct {
	SelfSignedCertKey
}

// Compile-time check that the signer satisfies asset.WritableAsset.
var _ asset.WritableAsset = (*KubeAPIServerToKubeletSignerCertKey)(nil)

// Dependencies returns an empty list: a self-signed signer has no parent assets.
func (c *KubeAPIServerToKubeletSignerCertKey) Dependencies() []asset.Asset {
	return []asset.Asset{}
}

// Generate creates the self-signed kube-apiserver-to-kubelet-signer CA key and
// certificate. The parents argument is not read.
func (c *KubeAPIServerToKubeletSignerCertKey) Generate(ctx context.Context, parents asset.Parents) error {
	// The same string is used as the certificate CommonName and as the name
	// handed to SelfSignedCertKey.Generate (presumably the output file base
	// name; that helper is defined elsewhere in the package).
	const signerName = "kube-apiserver-to-kubelet-signer"

	signerCfg := &CertCfg{
		IsCA:     true,
		Validity: ValidityOneYear,
		Subject: pkix.Name{
			CommonName:         signerName,
			OrganizationalUnit: []string{"openshift"},
		},
		// NOTE(review): CertSign is what a CA needs to issue certificates;
		// KeyEncipherment is kept exactly as the original sets it. Confirm
		// whether any consumer relies on it before narrowing the usage.
		KeyUsages: x509.KeyUsageCertSign | x509.KeyUsageDigitalSignature | x509.KeyUsageKeyEncipherment,
	}

	return c.SelfSignedCertKey.Generate(ctx, signerCfg, signerName)
}

// Name returns the human-friendly name of the asset.
func (c *KubeAPIServerToKubeletSignerCertKey) Name() string {
	return "Certificate (kube-apiserver-to-kubelet-signer)"
}

// KubeAPIServerToKubeletCABundle is the asset that generates the
// kube-apiserver-to-kubelet-ca-bundle, which collects the CA certificates that
// sign kube-apiserver-to-kubelet client certs.
type KubeAPIServerToKubeletCABundle struct {
	CertBundle
}

// Compile-time check that the bundle satisfies asset.Asset.
var _ asset.Asset = (*KubeAPIServerToKubeletCABundle)(nil)

// Dependencies returns the signer(s) whose certificates go into the bundle.
func (a *KubeAPIServerToKubeletCABundle) Dependencies() []asset.Asset {
	signer := &KubeAPIServerToKubeletSignerCertKey{}
	return []asset.Asset{signer}
}

// Generate builds kube-apiserver-to-kubelet-ca-bundle from the certificates of
// every asset listed by Dependencies.
func (a *KubeAPIServerToKubeletCABundle) Generate(ctx context.Context, deps asset.Parents) error {
	var bundle []CertInterface
	parents := a.Dependencies()
	for i := range parents {
		dep := parents[i]
		// Get fills dep in from the parents store before it is used.
		deps.Get(dep)
		// Unchecked assertion: a dependency that is not a CertInterface
		// panics here rather than returning an error.
		bundle = append(bundle, dep.(CertInterface))
	}
	return a.CertBundle.Generate(ctx, "kube-apiserver-to-kubelet-ca-bundle", bundle...)
}

// Name returns the human-friendly name of the asset.
func (a *KubeAPIServerToKubeletCABundle) Name() string {
	return "Certificate (kube-apiserver-to-kubelet-ca-bundle)"
}

// KubeAPIServerToKubeletClientCertKey is the asset that generates the
// kube-apiserver to kubelet client key/cert pair.
type KubeAPIServerToKubeletClientCertKey struct {
	SignedCertKey
}

// Compile-time check that the client cert satisfies asset.Asset.
var _ asset.Asset = (*KubeAPIServerToKubeletClientCertKey)(nil)

// Dependencies returns the signer that issues the client cert/key pair.
func (a *KubeAPIServerToKubeletClientCertKey) Dependencies() []asset.Asset {
	signer := &KubeAPIServerToKubeletSignerCertKey{}
	return []asset.Asset{signer}
}

// Generate issues the kube-apiserver-to-kubelet-client cert/key pair, signed by
// KubeAPIServerToKubeletSignerCertKey.
//
// The certificate is limited to client authentication (ExtKeyUsageClientAuth).
// With standard Kubernetes x509 client authentication the CommonName is read as
// the user name and Organization as the groups, so this identity is
// "system:kube-apiserver" in group "kube-master" (assumes kubelets use that
// scheme; verify against the kubelet configuration).
func (a *KubeAPIServerToKubeletClientCertKey) Generate(ctx context.Context, dependencies asset.Parents) error {
	signer := &KubeAPIServerToKubeletSignerCertKey{}
	dependencies.Get(signer)

	clientCfg := &CertCfg{
		Validity: ValidityOneYear,
		Subject: pkix.Name{
			CommonName:   "system:kube-apiserver",
			Organization: []string{"kube-master"},
		},
		KeyUsages:    x509.KeyUsageDigitalSignature | x509.KeyUsageKeyEncipherment,
		ExtKeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth},
	}

	// DoNotAppendParent is defined elsewhere; presumably it keeps the signer
	// certificate out of the emitted client cert file. Confirm against
	// SignedCertKey.Generate.
	return a.SignedCertKey.Generate(ctx, clientCfg, signer, "kube-apiserver-to-kubelet-client", DoNotAppendParent)
}

// Name returns the human-friendly name of the asset.
func (a *KubeAPIServerToKubeletClientCertKey) Name() string {
	return "Certificate (kube-apiserver-to-kubelet-client)"
}

// KubeAPIServerLocalhostSignerCertKey is the self-signed CA key/cert pair that
// signs the kube-apiserver serving cert for SNI localhost.
type KubeAPIServerLocalhostSignerCertKey struct {
	SelfSignedCertKey
}

// Compile-time check that the signer satisfies asset.WritableAsset.
var _ asset.WritableAsset = (*KubeAPIServerLocalhostSignerCertKey)(nil)

// Dependencies returns an empty list: a self-signed signer has no parent assets.
func (c *KubeAPIServerLocalhostSignerCertKey) Dependencies() []asset.Asset {
	return []asset.Asset{}
}

// Generate creates the self-signed kube-apiserver-localhost-signer CA key and
// certificate. The parents argument is not read.
func (c *KubeAPIServerLocalhostSignerCertKey) Generate(ctx context.Context, parents asset.Parents) error {
	// Used both as the certificate CommonName and as the name passed to
	// SelfSignedCertKey.Generate.
	const signerName = "kube-apiserver-localhost-signer"

	signerCfg := &CertCfg{
		IsCA: true,
		// This signer is configured with ValidityTenYears, so its private key
		// stays a usable trust anchor for that whole period.
		Validity: ValidityTenYears,
		Subject: pkix.Name{
			CommonName:         signerName,
			OrganizationalUnit: []string{"openshift"},
		},
		// NOTE(review): KeyEncipherment is kept as in the original; CertSign
		// is the usage a CA needs. Confirm before narrowing.
		KeyUsages: x509.KeyUsageCertSign | x509.KeyUsageDigitalSignature | x509.KeyUsageKeyEncipherment,
	}

	return c.SelfSignedCertKey.Generate(ctx, signerCfg, signerName)
}

// Load reads the signer's key and certificate through the given FileFetcher
// instead of generating them.
//
// NOTE(review): a signer obtained this way comes from existing files; what
// validation is applied is decided by loadCertKey, which is defined elsewhere.
func (c *KubeAPIServerLocalhostSignerCertKey) Load(f asset.FileFetcher) (bool, error) {
	found, err := c.loadCertKey(f, "kube-apiserver-localhost-signer")
	return found, err
}

// Name returns the human-friendly name of the asset.
func (c *KubeAPIServerLocalhostSignerCertKey) Name() string {
	return "Certificate (kube-apiserver-localhost-signer)"
}

// KubeAPIServerLocalhostCABundle is the asset that generates the
// kube-apiserver-localhost-ca-bundle, which collects the CA certificate(s) that
// sign the localhost serving cert.
type KubeAPIServerLocalhostCABundle struct {
	CertBundle
}

// Compile-time check that the bundle satisfies asset.Asset.
var _ asset.Asset = (*KubeAPIServerLocalhostCABundle)(nil)

// Dependencies returns the signer(s) whose certificates go into the bundle.
func (a *KubeAPIServerLocalhostCABundle) Dependencies() []asset.Asset {
	signer := &KubeAPIServerLocalhostSignerCertKey{}
	return []asset.Asset{signer}
}

// Generate builds kube-apiserver-localhost-ca-bundle from the certificates of
// every asset listed by Dependencies.
func (a *KubeAPIServerLocalhostCABundle) Generate(ctx context.Context, deps asset.Parents) error {
	var bundle []CertInterface
	parents := a.Dependencies()
	for i := range parents {
		dep := parents[i]
		// Get fills dep in from the parents store before it is used.
		deps.Get(dep)
		// Unchecked assertion: a dependency that is not a CertInterface
		// panics here rather than returning an error.
		bundle = append(bundle, dep.(CertInterface))
	}
	return a.CertBundle.Generate(ctx, "kube-apiserver-localhost-ca-bundle", bundle...)
}

// Name returns the human-friendly name of the asset.
func (a *KubeAPIServerLocalhostCABundle) Name() string {
	return "Certificate (kube-apiserver-localhost-ca-bundle)"
}

// KubeAPIServerLocalhostServerCertKey is the asset that generates the
// kube-apiserver serving key/cert pair for SNI localhost.
type KubeAPIServerLocalhostServerCertKey struct {
	SignedCertKey
}

// Compile-time check that the serving cert satisfies asset.Asset.
var _ asset.Asset = (*KubeAPIServerLocalhostServerCertKey)(nil)

// Dependencies returns the signer that issues the serving cert/key pair.
func (a *KubeAPIServerLocalhostServerCertKey) Dependencies() []asset.Asset {
	signer := &KubeAPIServerLocalhostSignerCertKey{}
	return []asset.Asset{signer}
}

// Generate issues the localhost serving cert/key pair, signed by
// KubeAPIServerLocalhostSignerCertKey.
func (a *KubeAPIServerLocalhostServerCertKey) Generate(ctx context.Context, dependencies asset.Parents) error {
	signer := &KubeAPIServerLocalhostSignerCertKey{}
	dependencies.Get(signer)

	// Subject alternative names are limited to loopback: the DNS name
	// "localhost" plus the IPv4 and IPv6 loopback addresses.
	loopbackV4 := net.ParseIP("127.0.0.1")
	loopbackV6 := net.ParseIP("::1")

	servingCfg := &CertCfg{
		// NOTE(review): the serving cert uses ValidityOneDay while its signer
		// uses ValidityTenYears; something outside this file must reissue it
		// before expiry. Confirm where rotation happens.
		Validity: ValidityOneDay,
		Subject: pkix.Name{
			CommonName:   "system:kube-apiserver",
			Organization: []string{"kube-master"},
		},
		KeyUsages:    x509.KeyUsageDigitalSignature | x509.KeyUsageKeyEncipherment,
		ExtKeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
		DNSNames:     []string{"localhost"},
		IPAddresses:  []net.IP{loopbackV4, loopbackV6},
	}

	// AppendParent is defined elsewhere; presumably it adds the signer
	// certificate to the emitted cert file so the chain is served together.
	return a.SignedCertKey.Generate(ctx, servingCfg, signer, "kube-apiserver-localhost-server", AppendParent)
}

// Name returns the human-friendly name of the asset.
func (a *KubeAPIServerLocalhostServerCertKey) Name() string {
	return "Certificate (kube-apiserver-localhost-server)"
}

// KubeAPIServerServiceNetworkSignerCertKey is the self-signed CA key/cert pair
// that signs the kube-apiserver serving cert for SNI service network.
type KubeAPIServerServiceNetworkSignerCertKey struct {
	SelfSignedCertKey
}

// Compile-time check that the signer satisfies asset.WritableAsset.
var _ asset.WritableAsset = (*KubeAPIServerServiceNetworkSignerCertKey)(nil)

// Dependencies returns an empty list: a self-signed signer has no parent assets.
func (c *KubeAPIServerServiceNetworkSignerCertKey) Dependencies() []asset.Asset {
	return []asset.Asset{}
}

// Generate creates the self-signed kube-apiserver-service-network-signer CA key
// and certificate. The parents argument is not read.
func (c *KubeAPIServerServiceNetworkSignerCertKey) Generate(ctx context.Context, parents asset.Parents) error {
	// Used both as the certificate CommonName and as the name passed to
	// SelfSignedCertKey.Generate.
	const signerName = "kube-apiserver-service-network-signer"

	signerCfg := &CertCfg{
		IsCA: true,
		// This signer is configured with ValidityTenYears, so its private key
		// stays a usable trust anchor for that whole period.
		Validity: ValidityTenYears,
		Subject: pkix.Name{
			CommonName:         signerName,
			OrganizationalUnit: []string{"openshift"},
		},
		// NOTE(review): KeyEncipherment is kept as in the original; CertSign
		// is the usage a CA needs. Confirm before narrowing.
		KeyUsages: x509.KeyUsageCertSign | x509.KeyUsageDigitalSignature | x509.KeyUsageKeyEncipherment,
	}

	return c.SelfSignedCertKey.Generate(ctx, signerCfg, signerName)
}

// Load reads the signer's key and certificate through the given FileFetcher
// instead of generating them.
//
// NOTE(review): a signer obtained this way comes from existing files; what
// validation is applied is decided by loadCertKey, which is defined elsewhere.
func (c *KubeAPIServerServiceNetworkSignerCertKey) Load(f asset.FileFetcher) (bool, error) {
	found, err := c.loadCertKey(f, "kube-apiserver-service-network-signer")
	return found, err
}

// Name returns the human-friendly name of the asset.
func (c *KubeAPIServerServiceNetworkSignerCertKey) Name() string {
	return "Certificate (kube-apiserver-service-network-signer)"
}

// KubeAPIServerServiceNetworkCABundle is the asset that generates the
// kube-apiserver-service-network-ca-bundle, which collects the CA
// certificate(s) that sign the service-network serving cert.
type KubeAPIServerServiceNetworkCABundle struct {
	CertBundle
}

// Compile-time check that the bundle satisfies asset.Asset.
var _ asset.Asset = (*KubeAPIServerServiceNetworkCABundle)(nil)

// Dependencies returns the signer(s) whose certificates go into the bundle.
func (a *KubeAPIServerServiceNetworkCABundle) Dependencies() []asset.Asset {
	signer := &KubeAPIServerServiceNetworkSignerCertKey{}
	return []asset.Asset{signer}
}

// Generate builds kube-apiserver-service-network-ca-bundle from the
// certificates of every asset listed by Dependencies.
func (a *KubeAPIServerServiceNetworkCABundle) Generate(ctx context.Context, deps asset.Parents) error {
	var bundle []CertInterface
	parents := a.Dependencies()
	for i := range parents {
		dep := parents[i]
		// Get fills dep in from the parents store before it is used.
		deps.Get(dep)
		// Unchecked assertion: a dependency that is not a CertInterface
		// panics here rather than returning an error.
		bundle = append(bundle, dep.(CertInterface))
	}
	return a.CertBundle.Generate(ctx, "kube-apiserver-service-network-ca-bundle", bundle...)
}

// Name returns the human-friendly name of the asset.
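func (a *KubeAPIServerServiceNetworkCABundle) Name() string {
	return "Certificate (kube-apiserver-service-network-ca-bundle)"
}

// KubeAPIServerServiceNetworkServerCertKey is the asset that generates the
// kube-apiserver serving key/cert pair for SNI service network.
type KubeAPIServerServiceNetworkServerCertKey struct {
	SignedCertKey
}

// Compile-time check that the serving cert satisfies asset.Asset.
var _ asset.Asset = (*KubeAPIServerServiceNetworkServerCertKey)(nil)

// Dependencies returns the signer that issues the cert/key pair and the install
// config that supplies the service network.
func (a *KubeAPIServerServiceNetworkServerCertKey) Dependencies() []asset.Asset {
	return []asset.Asset{
		&KubeAPIServerServiceNetworkSignerCertKey{},
		&installconfig.InstallConfig{},
	}
}

// Generate issues the service-network serving cert/key pair, signed by
// KubeAPIServerServiceNetworkSignerCertKey.
//
// The certificate carries the in-cluster "kubernetes" and "openshift" service
// DNS names and one IP SAN: host number 1 of the first service network in the
// install config. It returns an error when no service network is configured,
// when the host address cannot be derived, or when the derived address does
// not parse as an IP.
func (a *KubeAPIServerServiceNetworkServerCertKey) Generate(ctx context.Context, dependencies asset.Parents) error {
	ca := &KubeAPIServerServiceNetworkSignerCertKey{}
	installConfig := &installconfig.InstallConfig{}
	dependencies.Get(ca, installConfig)

	// Guard the index below: an empty service network list would otherwise
	// panic instead of surfacing as an installer error.
	serviceNetworks := installConfig.Config.Networking.ServiceNetwork
	if len(serviceNetworks) == 0 {
		return errors.New("failed to get service address for kube-apiserver from InstallConfig: no service network configured")
	}

	// NOTE(review): only the first service network contributes an IP SAN;
	// confirm whether additional entries (e.g. a second address family) need
	// one as well.
	serviceAddress, err := cidrhost(serviceNetworks[0].IPNet, 1)
	if err != nil {
		return errors.Wrap(err, "failed to get service address for kube-apiserver from InstallConfig")
	}

	// net.ParseIP returns nil for text it cannot parse; reject that here so a
	// nil entry never reaches the certificate's IP SAN list.
	serviceIP := net.ParseIP(serviceAddress)
	if serviceIP == nil {
		return errors.Errorf("failed to parse service address %q for kube-apiserver", serviceAddress)
	}

	cfg := &CertCfg{
		Subject:      pkix.Name{CommonName: "system:kube-apiserver", Organization: []string{"kube-master"}},
		KeyUsages:    x509.KeyUsageKeyEncipherment | x509.KeyUsageDigitalSignature,
		ExtKeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
		// NOTE(review): the serving cert uses ValidityOneDay while its signer
		// uses ValidityTenYears; something outside this file must reissue it
		// before expiry. Confirm where rotation happens.
		Validity: ValidityOneDay,
		DNSNames: []string{
			"kubernetes", "kubernetes.default",
			"kubernetes.default.svc",
			"kubernetes.default.svc.cluster.local",
			"openshift", "openshift.default",
			"openshift.default.svc",
			"openshift.default.svc.cluster.local",
		},
		IPAddresses: []net.IP{serviceIP},
	}

	// AppendParent is defined elsewhere; presumably it adds the signer
	// certificate to the emitted cert file so the chain is served together.
	return a.SignedCertKey.Generate(ctx, cfg, ca, "kube-apiserver-service-network-server", AppendParent)
}

// Name returns the human-friendly name of the asset.
func (a *KubeAPIServerServiceNetworkServerCertKey) Name() string {
	return "Certificate (kube-apiserver-service-network-server)"
}

// KubeAPIServerLBSignerCertKey is the self-signed CA key/cert pair that signs
// the kube-apiserver serving certs for SNI load balancer.
type KubeAPIServerLBSignerCertKey struct {
	SelfSignedCertKey
}

// Compile-time check that the signer satisfies asset.WritableAsset.
var _ asset.WritableAsset = (*KubeAPIServerLBSignerCertKey)(nil)

// Dependencies returns an empty list: a self-signed signer has no parent assets.
func (c *KubeAPIServerLBSignerCertKey) Dependencies() []asset.Asset {
	return []asset.Asset{}
}

// Generate creates the self-signed kube-apiserver-lb-signer CA key and
// certificate. The parents argument is not read.
func (c *KubeAPIServerLBSignerCertKey) Generate(ctx context.Context, parents asset.Parents) error {
	cfg := &CertCfg{
		Subject: pkix.Name{CommonName: "kube-apiserver-lb-signer", OrganizationalUnit: []string{"openshift"}},
		// NOTE(review): KeyEncipherment is kept as in the original; CertSign
		// is the usage a CA needs. Confirm before narrowing.
		KeyUsages: x509.KeyUsageKeyEncipherment | x509.KeyUsageDigitalSignature | x509.KeyUsageCertSign,
		// This signer is configured with ValidityTenYears, so its private key
		// stays a usable trust anchor for that whole period.
		Validity: ValidityTenYears,
		IsCA:     true,
	}

	return c.SelfSignedCertKey.Generate(ctx, cfg, "kube-apiserver-lb-signer")
}

// Load reads the signer's key and certificate through the given FileFetcher
// instead of generating them.
//
// NOTE(review): a signer obtained this way comes from existing files; what
// validation is applied is decided by loadCertKey, which is defined elsewhere.
func (c *KubeAPIServerLBSignerCertKey) Load(f asset.FileFetcher) (bool, error) {
	return c.loadCertKey(f, "kube-apiserver-lb-signer")
}

// Name returns the human-friendly name of the asset.
func (c *KubeAPIServerLBSignerCertKey) Name() string {
	return "Certificate (kube-apiserver-lb-signer)"
}

// KubeAPIServerLBCABundle is the asset that generates the
// kube-apiserver-lb-ca-bundle, which collects the CA certificate(s) that sign
// the load-balancer serving certs.
type KubeAPIServerLBCABundle struct {
	CertBundle
}

// Compile-time check that the bundle satisfies asset.Asset.
var _ asset.Asset = (*KubeAPIServerLBCABundle)(nil)

// Dependencies returns the signer(s) whose certificates go into the bundle.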
func (a *KubeAPIServerLBCABundle) Dependencies() []asset.Asset {
	signer := &KubeAPIServerLBSignerCertKey{}
	return []asset.Asset{signer}
}

// Generate builds kube-apiserver-lb-ca-bundle from the certificates of every
// asset listed by Dependencies.
func (a *KubeAPIServerLBCABundle) Generate(ctx context.Context, deps asset.Parents) error {
	var bundle []CertInterface
	parents := a.Dependencies()
	for i := range parents {
		dep := parents[i]
		// Get fills dep in from the parents store before it is used.
		deps.Get(dep)
		// Unchecked assertion: a dependency that is not a CertInterface
		// panics here rather than returning an error.
		bundle = append(bundle, dep.(CertInterface))
	}
	return a.CertBundle.Generate(ctx, "kube-apiserver-lb-ca-bundle", bundle...)
}

// Name returns the human-friendly name of the asset.
func (a *KubeAPIServerLBCABundle) Name() string {
	return "Certificate (kube-apiserver-lb-ca-bundle)"
}

// KubeAPIServerExternalLBServerCertKey is the asset that generates the
// kube-apiserver serving key/cert pair for SNI external load balancer.
type KubeAPIServerExternalLBServerCertKey struct {
	SignedCertKey
}

// Compile-time check that the serving cert satisfies asset.Asset.
var _ asset.Asset = (*KubeAPIServerExternalLBServerCertKey)(nil)

// Dependencies returns the signer that issues the cert/key pair and the install
// config that supplies the API address.
func (a *KubeAPIServerExternalLBServerCertKey) Dependencies() []asset.Asset {
	signer := &KubeAPIServerLBSignerCertKey{}
	config := &installconfig.InstallConfig{}
	return []asset.Asset{signer, config}
}

// Generate issues the external load balancer serving cert/key pair, signed by
// KubeAPIServerLBSignerCertKey.
func (a *KubeAPIServerExternalLBServerCertKey) Generate(ctx context.Context, dependencies asset.Parents) error {
	signer := &KubeAPIServerLBSignerCertKey{}
	installConfig := &installconfig.InstallConfig{}
	dependencies.Get(signer, installConfig)

	// The only subject alternative name is whatever apiAddress derives from
	// the install config (helper defined elsewhere in the package).
	externalName := apiAddress(installConfig.Config)

	servingCfg := &CertCfg{
		// NOTE(review): the serving cert uses ValidityOneDay while its signer
		// uses ValidityTenYears; something outside this file must reissue it
		// before expiry. Confirm where rotation happens.
		Validity: ValidityOneDay,
		Subject: pkix.Name{
			CommonName:   "system:kube-apiserver",
			Organization: []string{"kube-master"},
		},
		KeyUsages:    x509.KeyUsageDigitalSignature | x509.KeyUsageKeyEncipherment,
		ExtKeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
		DNSNames:     []string{externalName},
	}

	// NOTE(review): the name passed here is "kube-apiserver-lb-server" while
	// Name() reports "kube-apiserver-external-lb-server". Left unchanged
	// because renaming it would presumably change the generated file names.
	return a.SignedCertKey.Generate(ctx, servingCfg, signer, "kube-apiserver-lb-server", AppendParent)
}

// Name returns the human-friendly name of the asset.
func (a *KubeAPIServerExternalLBServerCertKey) Name() string {
	return "Certificate (kube-apiserver-external-lb-server)"
}

// KubeAPIServerInternalLBServerCertKey is the asset that generates the
// kube-apiserver serving key/cert pair for SNI internal load balancer.
type KubeAPIServerInternalLBServerCertKey struct {
	SignedCertKey
}

// Compile-time check that the serving cert satisfies asset.Asset.
var _ asset.Asset = (*KubeAPIServerInternalLBServerCertKey)(nil)

// Dependencies returns the signer that issues the cert/key pair and the install
// config that supplies the internal API address.
func (a *KubeAPIServerInternalLBServerCertKey) Dependencies() []asset.Asset {
	signer := &KubeAPIServerLBSignerCertKey{}
	config := &installconfig.InstallConfig{}
	return []asset.Asset{signer, config}
}

// Generate issues the internal load balancer serving cert/key pair, signed by
// KubeAPIServerLBSignerCertKey.
func (a *KubeAPIServerInternalLBServerCertKey) Generate(ctx context.Context, dependencies asset.Parents) error {
	signer := &KubeAPIServerLBSignerCertKey{}
	installConfig := &installconfig.InstallConfig{}
	dependencies.Get(signer, installConfig)

	// The only subject alternative name is whatever internalAPIAddress derives
	// from the install config (helper defined elsewhere in the package).
	internalName := internalAPIAddress(installConfig.Config)

	servingCfg := &CertCfg{
		// NOTE(review): the serving cert uses ValidityOneDay while its signer
		// uses ValidityTenYears; something outside this file must reissue it
		// before expiry. Confirm where rotation happens.
		Validity: ValidityOneDay,
		Subject: pkix.Name{
			CommonName:   "system:kube-apiserver",
			Organization: []string{"kube-master"},
		},
		KeyUsages:    x509.KeyUsageDigitalSignature | x509.KeyUsageKeyEncipherment,
		ExtKeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
		DNSNames:     []string{internalName},
	}

	return a.SignedCertKey.Generate(ctx, servingCfg, signer, "kube-apiserver-internal-lb-server", AppendParent)
}

// Name returns the human-friendly name of the asset.
func (a *KubeAPIServerInternalLBServerCertKey) Name() string {
	return "Certificate (kube-apiserver-internal-lb-server)"
}

// KubeAPIServerCompleteCABundle is the asset that generates the
// kube-apiserver-complete-server-ca-bundle, which contains all the certs that
// are valid to confirm the kube-apiserver identity.
type KubeAPIServerCompleteCABundle struct {
	CertBundle
}

// Compile-time check that the bundle satisfies asset.Asset.
var _ asset.Asset = (*KubeAPIServerCompleteCABundle)(nil)

// Dependencies returns the per-endpoint server CA bundles (localhost, service
// network, load balancer) that are merged into the complete bundle.
func (a *KubeAPIServerCompleteCABundle) Dependencies() []asset.Asset {
	return []asset.Asset{
		&KubeAPIServerLocalhostCABundle{},
		&KubeAPIServerServiceNetworkCABundle{},
		&KubeAPIServerLBCABundle{},
	}
}

// Generate builds kube-apiserver-complete-server-ca-bundle from the
// certificates of every bundle listed by Dependencies.
func (a *KubeAPIServerCompleteCABundle) Generate(ctx context.Context, deps asset.Parents) error {
	var bundle []CertInterface
	parents := a.Dependencies()
	for i := range parents {
		dep := parents[i]
		// Get fills dep in from the parents store before it is used.
		deps.Get(dep)
		// Unchecked assertion: a dependency that is not a CertInterface
		// panics here rather than returning an error.
		bundle = append(bundle, dep.(CertInterface))
	}
	return a.CertBundle.Generate(ctx, "kube-apiserver-complete-server-ca-bundle", bundle...)
}

// Name returns the human-friendly name of the asset.
func (a *KubeAPIServerCompleteCABundle) Name() string {
	return "Certificate (kube-apiserver-complete-server-ca-bundle)"
}

// KubeAPIServerCompleteClientCABundle is the asset that generates the
// kube-apiserver-complete-client-ca-bundle, which contains all the certs that
// are valid for the kube-apiserver to trust for clients.
//
// Every CA listed in Dependencies becomes an issuer whose client certificates
// the kube-apiserver trusts, so adding an entry there widens who can
// authenticate and should be reviewed as a trust-boundary change.
type KubeAPIServerCompleteClientCABundle struct {
	CertBundle
}

// Compile-time check that the bundle satisfies asset.Asset.
var _ asset.Asset = (*KubeAPIServerCompleteClientCABundle)(nil)

// Dependencies returns the client CA bundles that are merged into the complete
// client CA bundle.
func (a *KubeAPIServerCompleteClientCABundle) Dependencies() []asset.Asset {
	return []asset.Asset{
		&AdminKubeConfigCABundle{},        // admin.kubeconfig
		&KubeletClientCABundle{},          // signed kubelet certs
		&KubeControlPlaneCABundle{},       // controller-manager, scheduler
		&KubeAPIServerToKubeletCABundle{}, // kube-apiserver to kubelet (kubelet piggy-backs on KAS client-ca)
		&KubeletBootstrapCABundle{},       // used to create the kubelet kubeconfig files that are used to create CSRs
	}
}

// Generate builds kube-apiserver-complete-client-ca-bundle from the
// certificates of every bundle listed by Dependencies.
func (a *KubeAPIServerCompleteClientCABundle) Generate(ctx context.Context, deps asset.Parents) error {
	var bundle []CertInterface
	parents := a.Dependencies()
	for i := range parents {
		dep := parents[i]
		// Get fills dep in from the parents store before it is used.
		deps.Get(dep)
		// Unchecked assertion: a dependency that is not a CertInterface
		// panics here rather than returning an error.
		bundle = append(bundle, dep.(CertInterface))
	}
	return a.CertBundle.Generate(ctx, "kube-apiserver-complete-client-ca-bundle", bundle...)
}

// Name returns the human-friendly name of the asset.
func (a *KubeAPIServerCompleteClientCABundle) Name() string {
	return "Certificate (kube-apiserver-complete-client-ca-bundle)"
}