Merge pull request #122181 from SataQiu/clean-certs-20231205

kubeadm: cleanup unused CreateCSR and associated functions
2023-12-14 07:26:27 +01:00
parent d1f4e93ddf 56262ca56a
commit 36d95c33b1
3 changed files with 0 additions and 136 deletions
--- a/cmd/kubeadm/app/phases/certs/certs.go
+++ b/cmd/kubeadm/app/phases/certs/certs.go
@@ -139,15 +139,6 @@ func NewCSR(certSpec *KubeadmCert, cfg *kubeadmapi.InitConfiguration) (*x509.Cer
 	return pkiutil.NewCSRAndKey(certConfig)
 }

-// CreateCSR creates a certificate signing request
-func CreateCSR(certSpec *KubeadmCert, cfg *kubeadmapi.InitConfiguration, path string) error {
-	csr, key, err := NewCSR(certSpec, cfg)
-	if err != nil {
-		return err
-	}
-	return writeCSRFilesIfNotExist(path, certSpec.BaseName, csr, key)
-}
-
 // CreateCertAndKeyFilesWithCA loads the given certificate authority from disk, then generates and writes out the given certificate and key.
 // The certSpec and caCertSpec should both be one of the variables from this package.
 func CreateCertAndKeyFilesWithCA(certSpec *KubeadmCert, caCertSpec *KubeadmCert, cfg *kubeadmapi.InitConfiguration) error {
@@ -271,33 +262,6 @@ func writeCertificateFilesIfNotExist(pkiDir string, baseName string, signingCert
 	return nil
 }

-// writeCSRFilesIfNotExist writes a new CSR to the given path.
-// If there already is a CSR file at the given path; kubeadm tries to load it and check if it's a valid certificate.
-// otherwise this function returns an error.
-func writeCSRFilesIfNotExist(csrDir string, baseName string, csr *x509.CertificateRequest, key crypto.Signer) error {
-	if pkiutil.CSROrKeyExist(csrDir, baseName) {
-		_, _, err := pkiutil.TryLoadCSRAndKeyFromDisk(csrDir, baseName)
-		if err != nil {
-			return errors.Wrapf(err, "%s CSR existed but it could not be loaded properly", baseName)
-		}
-
-		fmt.Printf("[certs] Using the existing %q CSR\n", baseName)
-	} else {
-		// Write .key and .csr files to disk
-		fmt.Printf("[certs] Generating %q key and CSR\n", baseName)
-
-		if err := pkiutil.WriteKey(csrDir, baseName, key); err != nil {
-			return errors.Wrapf(err, "failure while saving %s key", baseName)
-		}
-
-		if err := pkiutil.WriteCSR(csrDir, baseName, csr); err != nil {
-			return errors.Wrapf(err, "failure while saving %s CSR", baseName)
-		}
-	}
-
-	return nil
-}
-
 type certKeyLocation struct {
 	pkiDir     string
 	caBaseName string
--- a/cmd/kubeadm/app/phases/certs/certs_test.go
+++ b/cmd/kubeadm/app/phases/certs/certs_test.go
@@ -18,8 +18,6 @@ package certs

 import (
 	"bytes"
-	"crypto"
-	"crypto/sha256"
 	"crypto/x509"
 	"net"
 	"os"
@@ -41,20 +39,6 @@ import (
 	testutil "k8s.io/kubernetes/cmd/kubeadm/test"
 )

-func createTestCSR(t *testing.T) (*x509.CertificateRequest, crypto.Signer) {
-	csr, key, err := pkiutil.NewCSRAndKey(
-		&pkiutil.CertConfig{
-			Config: certutil.Config{
-				CommonName: "testCert",
-			},
-		})
-	if err != nil {
-		t.Fatalf("couldn't create test cert: %v", err)
-	}
-
-	return csr, key
-}
-
 func TestWriteCertificateAuthorityFilesIfNotExist(t *testing.T) {
 	setupCert, setupKey := certstestutil.CreateCACert(t)
 	caCert, caKey := certstestutil.CreateCACert(t)
@@ -235,75 +219,6 @@ func TestWriteCertificateFilesIfNotExist(t *testing.T) {
 	}
 }

-func TestWriteCSRFilesIfNotExist(t *testing.T) {
-	csr, key := createTestCSR(t)
-	csr2, key2 := createTestCSR(t)
-
-	var tests = []struct {
-		name          string
-		setupFunc     func(csrPath string) error
-		expectedError bool
-		expectedCSR   *x509.CertificateRequest
-	}{
-		{
-			name:        "no files exist",
-			expectedCSR: csr,
-		},
-		{
-			name: "other key exists",
-			setupFunc: func(csrPath string) error {
-				if err := pkiutil.WriteCSR(csrPath, "dummy", csr2); err != nil {
-					return err
-				}
-				return pkiutil.WriteKey(csrPath, "dummy", key2)
-			},
-			expectedCSR: csr2,
-		},
-		{
-			name: "existing CSR is garbage",
-			setupFunc: func(csrPath string) error {
-				return os.WriteFile(filepath.Join(csrPath, "dummy.csr"), []byte("a--bunch--of-garbage"), os.ModePerm)
-			},
-			expectedError: true,
-		},
-	}
-
-	for _, test := range tests {
-		t.Run(test.name, func(t *testing.T) {
-			tmpdir := testutil.SetupTempDir(t)
-			defer os.RemoveAll(tmpdir)
-
-			if test.setupFunc != nil {
-				if err := test.setupFunc(tmpdir); err != nil {
-					t.Fatalf("couldn't set up test: %v", err)
-				}
-			}
-
-			if err := writeCSRFilesIfNotExist(tmpdir, "dummy", csr, key); err != nil {
-				if test.expectedError {
-					return
-				}
-				t.Fatalf("unexpected error %v: ", err)
-			}
-
-			if test.expectedError {
-				t.Fatal("Expected error, but got none")
-			}
-
-			parsedCSR, _, err := pkiutil.TryLoadCSRAndKeyFromDisk(tmpdir, "dummy")
-			if err != nil {
-				t.Fatalf("couldn't load csr and key: %v", err)
-			}
-
-			if sha256.Sum256(test.expectedCSR.Raw) != sha256.Sum256(parsedCSR.Raw) {
-				t.Error("expected csr's fingerprint does not match ")
-			}
-
-		})
-	}
-
-}
-
 func TestCreateServiceAccountKeyAndPublicKeyFiles(t *testing.T) {
 	setupKey, err := keyutil.MakeEllipticPrivateKeyPEM()
 	if err != nil {
--- a/cmd/kubeadm/app/util/pkiutil/pki_helpers.go
+++ b/cmd/kubeadm/app/util/pkiutil/pki_helpers.go
@@ -334,21 +334,6 @@ func TryLoadKeyFromDisk(pkiPath, name string) (crypto.Signer, error) {
 	return key, nil
 }

-// TryLoadCSRAndKeyFromDisk tries to load the CSR and key from the disk
-func TryLoadCSRAndKeyFromDisk(pkiPath, name string) (*x509.CertificateRequest, crypto.Signer, error) {
-	csr, err := TryLoadCSRFromDisk(pkiPath, name)
-	if err != nil {
-		return nil, nil, errors.Wrap(err, "could not load CSR file")
-	}
-
-	key, err := TryLoadKeyFromDisk(pkiPath, name)
-	if err != nil {
-		return nil, nil, errors.Wrap(err, "could not load key file")
-	}
-
-	return csr, key, nil
-}
-
 // TryLoadPrivatePublicKeyFromDisk tries to load the key from the disk and validates that it is valid
 func TryLoadPrivatePublicKeyFromDisk(pkiPath, name string) (crypto.PrivateKey, crypto.PublicKey, error) {
 	privateKeyPath := pathForKey(pkiPath, name)