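package tls

import (
	"context"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"

	"github.com/openshift/installer/pkg/asset"
)

// KubeletCSRSignerCertKey is a self-signed key/cert pair that signs the kubelet
// client certs.
type KubeletCSRSignerCertKey struct {
	SelfSignedCertKey
}

var _ asset.WritableAsset = (*KubeletCSRSignerCertKey)(nil)

// Dependencies returns the dependencies of the kubelet signer, which are none:
// it is a self-signed root.
func (c *KubeletCSRSignerCertKey) Dependencies() []asset.Asset {
	return []asset.Asset{}
}

// Generate generates the self-signed kubelet-signer CA key and cert pair.
//
// The parents argument is unused because the signer has no dependencies.
func (c *KubeletCSRSignerCertKey) Generate(ctx context.Context, parents asset.Parents) error {
	cfg := &CertCfg{
		Subject: pkix.Name{CommonName: "kubelet-signer", OrganizationalUnit: []string{"openshift"}},
		// NOTE(review): KeyEncipherment is only meaningful for RSA keys; harmless
		// if SelfSignedCertKey generates RSA, otherwise worth dropping. Confirm
		// the key type before changing.
		KeyUsages: x509.KeyUsageKeyEncipherment | x509.KeyUsageDigitalSignature | x509.KeyUsageCertSign,
		// Deliberately short-lived: this signer only has to cover the install /
		// bootstrap window. NOTE(review): presumably the cluster replaces it
		// after install; confirm against the in-cluster signer rotation before
		// relying on anything signed by it beyond that window.
		Validity: ValidityOneDay,
		IsCA:     true,
	}

	return c.SelfSignedCertKey.Generate(ctx, cfg, "kubelet-signer")
}

// Name returns the human-friendly name of the asset.
func (c *KubeletCSRSignerCertKey) Name() string {
	return "Certificate (kubelet-signer)"
}

// kubeletBundleCerts resolves each of assets through deps and returns them as
// CertInterface values in the same order, ready to be passed to
// CertBundle.Generate.
//
// A dependency that does not implement CertInterface is reported as an error
// (naming the offending asset) rather than panicking in an unchecked type
// assertion, so a wiring mistake surfaces as a normal Generate failure.
func kubeletBundleCerts(deps asset.Parents, assets []asset.Asset) ([]CertInterface, error) {
	certs := make([]CertInterface, 0, len(assets))
	for _, dep := range assets {
		// Get populates dep in place from the already-generated parents.
		deps.Get(dep)
		cert, ok := dep.(CertInterface)
		if !ok {
			return nil, fmt.Errorf("dependency %s of kubelet CA bundle is not a certificate asset", dep.Name())
		}
		certs = append(certs, cert)
	}
	return certs, nil
}

// KubeletClientCABundle is the asset that generates the kubelet-client-ca-bundle,
// which contains all the individual client CAs (currently only the
// kubelet-signer).
type KubeletClientCABundle struct {
	CertBundle
}

var _ asset.Asset = (*KubeletClientCABundle)(nil)

// Dependencies returns the CA assets whose certs make up the bundle.
func (a *KubeletClientCABundle) Dependencies() []asset.Asset {
	return []asset.Asset{
		&KubeletCSRSignerCertKey{},
	}
}

// Generate generates the cert bundle from the certs of its dependencies.
func (a *KubeletClientCABundle) Generate(ctx context.Context, deps asset.Parents) error {
	certs, err := kubeletBundleCerts(deps, a.Dependencies())
	if err != nil {
		return err
	}
	return a.CertBundle.Generate(ctx, "kubelet-client-ca-bundle", certs...)
}

// Name returns the human-friendly name of the asset.
func (a *KubeletClientCABundle) Name() string {
	return "Certificate (kubelet-client-ca-bundle)"
}

// KubeletServingCABundle is the asset that generates the kubelet-serving-ca-bundle,
// which contains all the CAs trusted for kubelet serving certs (currently only
// the kubelet-signer).
type KubeletServingCABundle struct {
	CertBundle
}

var _ asset.Asset = (*KubeletServingCABundle)(nil)

// Dependencies returns the CA assets whose certs make up the bundle.
func (a *KubeletServingCABundle) Dependencies() []asset.Asset {
	return []asset.Asset{
		&KubeletCSRSignerCertKey{},
	}
}

// Generate generates the cert bundle from the certs of its dependencies.
func (a *KubeletServingCABundle) Generate(ctx context.Context, deps asset.Parents) error {
	certs, err := kubeletBundleCerts(deps, a.Dependencies())
	if err != nil {
		return err
	}
	return a.CertBundle.Generate(ctx, "kubelet-serving-ca-bundle", certs...)
}

// Name returns the human-friendly name of the asset.
func (a *KubeletServingCABundle) Name() string {
	return "Certificate (kubelet-serving-ca-bundle)"
}

// KubeletBootstrapCertSigner is a self-signed key/cert pair that signs the
// kubelet bootstrap kubeconfig client certs, which the kubelet uses to submit
// CSRs for its real certificates.
type KubeletBootstrapCertSigner struct {
	SelfSignedCertKey
}

var _ asset.WritableAsset = (*KubeletBootstrapCertSigner)(nil)

// Dependencies returns the dependencies of the bootstrap signer, which are
// none: it is a self-signed root.
func (c *KubeletBootstrapCertSigner) Dependencies() []asset.Asset {
	return []asset.Asset{}
}

// Generate generates the self-signed kubelet-bootstrap-kubeconfig-signer CA
// key and cert pair.
//
// The parents argument is unused because the signer has no dependencies.
func (c *KubeletBootstrapCertSigner) Generate(ctx context.Context, parents asset.Parents) error {
	cfg := &CertCfg{
		Subject: pkix.Name{CommonName: "kubelet-bootstrap-kubeconfig-signer", OrganizationalUnit: []string{"openshift"}},
		// NOTE(review): KeyEncipherment is only meaningful for RSA keys; see
		// the same note on KubeletCSRSignerCertKey.
		KeyUsages: x509.KeyUsageKeyEncipherment | x509.KeyUsageDigitalSignature | x509.KeyUsageCertSign,
		// Long-lived, unlike the one-day kubelet-signer: anything it signs
		// (see KubeletClientCertKey) stays valid for years, so its private key
		// must be handled as a long-term secret.
		Validity: ValidityTenYears,
		IsCA:     true,
	}

	return c.SelfSignedCertKey.Generate(ctx, cfg, "kubelet-bootstrap-kubeconfig-signer")
}

// Name returns the human-friendly name of the asset.
func (c *KubeletBootstrapCertSigner) Name() string {
	return "Certificate (kubelet-bootstrap-kubeconfig-signer)"
}

// KubeletBootstrapCABundle is the asset that generates the
// kubelet-bootstrap-kubeconfig-ca-bundle, which contains all the CAs for the
// bootstrap kubeconfig client certs (currently only the bootstrap signer).
type KubeletBootstrapCABundle struct {
	CertBundle
}

var _ asset.Asset = (*KubeletBootstrapCABundle)(nil)

// Dependencies returns the CA assets whose certs make up the bundle.
func (a *KubeletBootstrapCABundle) Dependencies() []asset.Asset {
	return []asset.Asset{
		&KubeletBootstrapCertSigner{},
	}
}

// Generate generates the cert bundle from the certs of its dependencies.
func (a *KubeletBootstrapCABundle) Generate(ctx context.Context, deps asset.Parents) error {
	certs, err := kubeletBundleCerts(deps, a.Dependencies())
	if err != nil {
		return err
	}
	return a.CertBundle.Generate(ctx, "kubelet-bootstrap-kubeconfig-ca-bundle", certs...)
}

// Name returns the human-friendly name of the asset.
func (a *KubeletBootstrapCABundle) Name() string {
	return "Certificate (kubelet-bootstrap-kubeconfig-ca-bundle)"
}

// KubeletClientCertKey is the asset that generates the key/cert pair the
// kubelet bootstrap kubeconfig uses to authenticate to the apiserver.
// This credential can be revoked by deleting the configmap containing its signer.
type KubeletClientCertKey struct {
	SignedCertKey
}

var _ asset.Asset = (*KubeletClientCertKey)(nil)

// Dependencies returns the dependencies of the cert/key pair: only the parent
// CA (KubeletBootstrapCertSigner). The subject is fixed, so no install config
// is needed.
func (a *KubeletClientCertKey) Dependencies() []asset.Asset {
	return []asset.Asset{
		&KubeletBootstrapCertSigner{},
	}
}

// Generate generates the kubelet-client cert/key pair, signed by the
// bootstrap signer obtained from dependencies.
func (a *KubeletClientCertKey) Generate(ctx context.Context, dependencies asset.Parents) error {
	ca := &KubeletBootstrapCertSigner{}
	dependencies.Get(ca)

	cfg := &CertCfg{
		// The subject mirrors the node-bootstrapper service account identity
		// (CN) and its groups (O); the apiserver authorises the bootstrap
		// CSR flow on these names, so do not change them casually.
		Subject:      pkix.Name{CommonName: "system:serviceaccount:openshift-machine-config-operator:node-bootstrapper", Organization: []string{"system:serviceaccounts:openshift-machine-config-operator", "system:serviceaccounts"}},
		KeyUsages:    x509.KeyUsageKeyEncipherment | x509.KeyUsageDigitalSignature,
		ExtKeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth},
		// Ten-year client credential: treat the written key as a long-lived
		// secret; revocation is only by removing the signer (see type comment).
		Validity: ValidityTenYears,
	}

	// DoNotAppendParent: presumably the written cert carries only the leaf,
	// not the signer — see SignedCertKey for the exact semantics.
	return a.SignedCertKey.Generate(ctx, cfg, ca, "kubelet-client", DoNotAppendParent)
}

// Name returns the human-friendly name of the asset.
func (a *KubeletClientCertKey) Name() string {
	return "Certificate (kubelet-client)"
}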