
     1  package tls
     2  
     3  import (
     4  	"context"
     5  	"crypto/x509"
     6  	"crypto/x509/pkix"
     7  
     8  	"github.com/openshift/installer/pkg/asset"
     9  )
    10  
// RootCA contains the private key and the cert that acts as a certificate
// authority, which is in turn really only used to generate a certificate
// for the Machine Config Server.  More in
// https://docs.openshift.com/container-platform/4.13/security/certificate_types_descriptions/machine-config-operator-certificates.html
// and
// https://github.com/openshift/api/tree/master/tls/docs/MachineConfig%20Operator%20Certificates
// This logic dates back to the very creation of OpenShift 4 and the initial code for this project.
// The private key is (as best we know) completely discarded after an installation is complete.
type RootCA struct {
	// SelfSignedCertKey supplies the Generate that RootCA.Generate delegates
	// to, and presumably holds the resulting key and certificate — see its
	// definition for what it stores and writes.
	SelfSignedCertKey
}
    22  
// Compile-time assertion that *RootCA satisfies asset.WritableAsset.
var _ asset.WritableAsset = (*RootCA)(nil)
    24  
// Dependencies reports the assets that must be generated before RootCA.
// The root CA is self-signed, so the list is always empty; note it is a
// non-nil, zero-length slice, not nil.
func (c *RootCA) Dependencies() []asset.Asset {
	deps := make([]asset.Asset, 0)
	return deps
}
    29  
// Generate creates the self-signed MCS/Ignition root CA.
//
// The certificate is issued for CN "root-ca" (OU "openshift"), is marked as a
// CA, carries the DigitalSignature, CertSign and KeyEncipherment usages, and
// is valid for ValidityTenYears. The actual key generation and signing are
// delegated to the embedded SelfSignedCertKey, which is handed the literal
// "root-ca" (presumably the name the key/cert files are written under —
// verify against SelfSignedCertKey.Generate). parents is not consulted:
// the root CA has no dependencies.
func (c *RootCA) Generate(ctx context.Context, parents asset.Parents) error {
	subject := pkix.Name{
		CommonName:         "root-ca",
		OrganizationalUnit: []string{"openshift"},
	}

	// KeyEncipherment is unusual on a CA certificate (CA certs typically only
	// need DigitalSignature and CertSign); it is kept because consumers may
	// depend on the exact usage bits — confirm before pruning it.
	usages := x509.KeyUsageKeyEncipherment |
		x509.KeyUsageDigitalSignature |
		x509.KeyUsageCertSign

	cfg := CertCfg{
		Subject:   subject,
		KeyUsages: usages,
		Validity:  ValidityTenYears,
		IsCA:      true,
	}

	return c.SelfSignedCertKey.Generate(ctx, &cfg, "root-ca")
}
    41  
// Name returns the human-friendly name of the asset, used when the
// installer reports on or logs this asset.
func (c *RootCA) Name() string {
	const displayName = "Machine Config Server Root CA"
	return displayName
}