package tls

import (
	"context"
	"crypto/x509"
	"crypto/x509/pkix"

	"github.com/openshift/installer/pkg/asset"
)

// KubeControlPlaneSignerCertKey is the self-signed CA that issues the client
// certificates used by the kube control-plane components (the
// KubeControlPlane*ClientCertKey assets further down in this file).
type KubeControlPlaneSignerCertKey struct {
	SelfSignedCertKey
}

var _ asset.WritableAsset = (*KubeControlPlaneSignerCertKey)(nil)

// Dependencies returns an empty list: a self-signed signer depends on no other asset.
func (k *KubeControlPlaneSignerCertKey) Dependencies() []asset.Asset {
	return []asset.Asset{}
}

// Generate creates the kube-control-plane-signer CA key/cert pair.
//
// The certificate is a CA (IsCA plus KeyUsageCertSign) valid for one year,
// which also bounds the lifetime of every client certificate it signs.
// KeyEncipherment is only meaningful for RSA keys; the key algorithm is chosen
// inside SelfSignedCertKey and is not visible here — harmless if the key is
// not RSA, but strict validators may flag it.
func (k *KubeControlPlaneSignerCertKey) Generate(ctx context.Context, parents asset.Parents) error {
	signerCfg := CertCfg{
		Subject: pkix.Name{
			CommonName:         "kube-control-plane-signer",
			OrganizationalUnit: []string{"openshift"},
		},
		KeyUsages: x509.KeyUsageKeyEncipherment | x509.KeyUsageDigitalSignature | x509.KeyUsageCertSign,
		Validity:  ValidityOneYear,
		IsCA:      true,
	}
	return k.SelfSignedCertKey.Generate(ctx, &signerCfg, "kube-control-plane-signer")
}

// Name returns the human-friendly name of the asset.
func (k *KubeControlPlaneSignerCertKey) Name() string {
	return "Certificate (kube-control-plane-signer)"
}

// KubeControlPlaneCABundle is the kube-control-plane-ca-bundle asset: the
// concatenation of the CA certificates listed in its Dependencies (the
// control-plane signer plus the three kube-apiserver signers).
type KubeControlPlaneCABundle struct {
	CertBundle
}

var _ asset.Asset = (*KubeControlPlaneCABundle)(nil)

// Dependencies returns the signer assets whose certificates make up the bundle.
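func (a *KubeControlPlaneCABundle) Dependencies() []asset.Asset {
	return []asset.Asset{
		&KubeControlPlaneSignerCertKey{},
		&KubeAPIServerLBSignerCertKey{},
		&KubeAPIServerLocalhostSignerCertKey{},
		&KubeAPIServerServiceNetworkSignerCertKey{},
	}
}

// Generate builds the kube-control-plane-ca-bundle from the certificates of
// every asset listed in Dependencies.
//
// Each dependency is passed to deps.Get (which presumably populates the
// zero-value asset in place) and then type-asserted to CertInterface before
// being handed to CertBundle.Generate. All four dependency types are signer
// cert/key assets and are expected to satisfy CertInterface; a type that does
// not would panic here rather than silently produce a partial bundle.
func (a *KubeControlPlaneCABundle) Generate(ctx context.Context, deps asset.Parents) error {
	// The loop variable is named dep (not asset) so it does not shadow the
	// imported asset package.
	required := a.Dependencies()
	certs := make([]CertInterface, 0, len(required))
	for _, dep := range required {
		deps.Get(dep)
		certs = append(certs, dep.(CertInterface))
	}
	return a.CertBundle.Generate(ctx, "kube-control-plane-ca-bundle", certs...)
}

// Name returns the human-friendly name of the asset.
func (a *KubeControlPlaneCABundle) Name() string {
	return "Certificate (kube-control-plane-ca-bundle)"
}

// KubeControlPlaneKubeControllerManagerClientCertKey is the asset that
// generates the kube-controller-manager client key/cert pair, signed by
// KubeControlPlaneSignerCertKey.
type KubeControlPlaneKubeControllerManagerClientCertKey struct {
	SignedCertKey
}

var _ asset.Asset = (*KubeControlPlaneKubeControllerManagerClientCertKey)(nil)

// Dependencies returns the single signer that issues this client certificate.
func (a *KubeControlPlaneKubeControllerManagerClientCertKey) Dependencies() []asset.Asset {
	return []asset.Asset{
		&KubeControlPlaneSignerCertKey{},
	}
}

// Generate creates the kube-controller-manager client cert/key pair using the
// kube-control-plane-signer CA fetched from dependencies.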
func (a *KubeControlPlaneKubeControllerManagerClientCertKey) Generate(ctx context.Context, dependencies asset.Parents) error {
	signer := &KubeControlPlaneSignerCertKey{}
	dependencies.Get(signer)

	// NOTE(review): CN=system:admin / O=system:masters is the Kubernetes
	// super-user group, which the API server honours ahead of RBAC. The
	// kube-scheduler client certificate in this file carries the identical
	// subject, so the two components are indistinguishable in audit logs and
	// neither is scoped to the permissions it actually needs. This looks like a
	// bootstrap-only credential (one-year validity, installer-generated CA);
	// confirm it is replaced by a component-specific identity before relying on
	// it beyond bootstrap.
	clientCfg := CertCfg{
		Subject: pkix.Name{
			CommonName:   "system:admin",
			Organization: []string{"system:masters"},
		},
		// KeyEncipherment only applies to RSA keys; the key algorithm is chosen
		// inside SignedCertKey and is not visible here.
		KeyUsages:    x509.KeyUsageKeyEncipherment | x509.KeyUsageDigitalSignature,
		ExtKeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth},
		Validity:     ValidityOneYear,
	}

	// DoNotAppendParent presumably keeps the signer certificate out of the
	// written cert file; the exact contract lives in SignedCertKey.Generate.
	return a.SignedCertKey.Generate(ctx, &clientCfg, signer, "kube-control-plane-kube-controller-manager-client", DoNotAppendParent)
}

// Name returns the human-friendly name of the asset.
func (a *KubeControlPlaneKubeControllerManagerClientCertKey) Name() string {
	return "Certificate (kube-control-plane-kube-controller-manager-client)"
}

// KubeControlPlaneKubeSchedulerClientCertKey is the asset that generates the
// kube-scheduler client key/cert pair, signed by KubeControlPlaneSignerCertKey.
type KubeControlPlaneKubeSchedulerClientCertKey struct {
	SignedCertKey
}

var _ asset.Asset = (*KubeControlPlaneKubeSchedulerClientCertKey)(nil)

// Dependencies returns the single signer that issues this client certificate.
func (a *KubeControlPlaneKubeSchedulerClientCertKey) Dependencies() []asset.Asset {
	return []asset.Asset{
		&KubeControlPlaneSignerCertKey{},
	}
}

// Generate creates the kube-scheduler client cert/key pair using the
// kube-control-plane-signer CA fetched from dependencies.
func (a *KubeControlPlaneKubeSchedulerClientCertKey) Generate(ctx context.Context, dependencies asset.Parents) error {
	signer := &KubeControlPlaneSignerCertKey{}
	dependencies.Get(signer)

	// NOTE(review): CN=system:admin / O=system:masters is the Kubernetes
	// super-user group, which the API server honours ahead of RBAC. The
	// kube-controller-manager client certificate in this file carries the
	// identical subject, so the two components are indistinguishable in audit
	// logs and neither is scoped to the permissions it actually needs. This
	// looks like a bootstrap-only credential (one-year validity,
	// installer-generated CA); confirm it is replaced by a component-specific
	// identity before relying on it beyond bootstrap.
	clientCfg := CertCfg{
		Subject: pkix.Name{
			CommonName:   "system:admin",
			Organization: []string{"system:masters"},
		},
		// KeyEncipherment only applies to RSA keys; the key algorithm is chosen
		// inside SignedCertKey and is not visible here.
		KeyUsages:    x509.KeyUsageKeyEncipherment | x509.KeyUsageDigitalSignature,
		ExtKeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth},
		Validity:     ValidityOneYear,
	}

	// DoNotAppendParent presumably keeps the signer certificate out of the
	// written cert file; the exact contract lives in SignedCertKey.Generate.
	return a.SignedCertKey.Generate(ctx, &clientCfg, signer, "kube-control-plane-kube-scheduler-client", DoNotAppendParent)
}

// Name returns the human-friendly name of the asset.
func (a *KubeControlPlaneKubeSchedulerClientCertKey) Name() string {
	return "Certificate (kube-control-plane-kube-scheduler-client)"
}