From d14df7afa7105f56f8d86c03f5a376a1a2222437 Mon Sep 17 00:00:00 2001 From: Ilya Dmitrichenko Date: Wed, 7 Sep 2016 13:59:21 +0200 Subject: [PATCH] Move CSR helper for nodes out of kubelet Including `cmd/kubelet/app` in kubeadm causes flag leakage. Namelly, the problem is with `pkg/credentialprovider/gcp`, which leaks `--google-json-key` and changing the behaviour of `init()` doesn't sound reasonable, given kubelet is the only one who uses this packages and obviously the flag is part of the functionality. The helper is already generic enough, it has already been exported and works well for kubeadm, so moving it should be fine. --- cmd/kubelet/app/bootstrap.go | 81 +--------------------------- hack/.linted_packages | 1 + pkg/kubelet/util/csr/csr.go | 102 +++++++++++++++++++++++++++++++++++ 3 files changed, 105 insertions(+), 79 deletions(-) create mode 100644 pkg/kubelet/util/csr/csr.go diff --git a/cmd/kubelet/app/bootstrap.go b/cmd/kubelet/app/bootstrap.go index 16ae5d43363..c4e52b7faff 100644 --- a/cmd/kubelet/app/bootstrap.go +++ b/cmd/kubelet/app/bootstrap.go @@ -17,7 +17,6 @@ limitations under the License. package app import ( - "crypto/x509/pkix" "fmt" "io/ioutil" _ "net/http/pprof" @@ -26,17 +25,13 @@ import ( "github.com/golang/glog" - "k8s.io/kubernetes/pkg/api" - "k8s.io/kubernetes/pkg/api/unversioned" - "k8s.io/kubernetes/pkg/apis/certificates" unversionedcertificates "k8s.io/kubernetes/pkg/client/clientset_generated/internalclientset/typed/certificates/unversioned" "k8s.io/kubernetes/pkg/client/restclient" "k8s.io/kubernetes/pkg/client/unversioned/clientcmd" clientcmdapi "k8s.io/kubernetes/pkg/client/unversioned/clientcmd/api" - "k8s.io/kubernetes/pkg/fields" + "k8s.io/kubernetes/pkg/kubelet/util/csr" utilcertificates "k8s.io/kubernetes/pkg/util/certificates" "k8s.io/kubernetes/pkg/util/crypto" - "k8s.io/kubernetes/pkg/watch" ) const ( @@ -98,7 +93,7 @@ func bootstrapClientCert(kubeconfigPath string, bootstrapPath string, certDir st if err != nil { return fmt.Errorf("unable to build bootstrap client cert path: %v", err) } - certData, err := RequestClientCertificate(bootstrapClient.CertificateSigningRequests(), keyData, nodeName) + certData, err := csr.RequestNodeCertificate(bootstrapClient.CertificateSigningRequests(), keyData, nodeName) if err != nil { return err } @@ -185,75 +180,3 @@ func loadOrGenerateKeyFile(keyPath string) (data []byte, wasGenerated bool, err } return generatedData, true, nil } - -// RequestClientCertificate will create a certificate signing request and send it to API server, -// then it will watch the object's status, once approved by API server, it will return the API -// server's issued certificate (pem-encoded). If there is any errors, or the watch timeouts, -// it will return an error. -func RequestClientCertificate(client unversionedcertificates.CertificateSigningRequestInterface, privateKeyData []byte, nodeName string) (certData []byte, err error) { - subject := &pkix.Name{ - Organization: []string{"system:nodes"}, - CommonName: fmt.Sprintf("system:node:%s", nodeName), - } - - privateKey, err := utilcertificates.ParsePrivateKey(privateKeyData) - if err != nil { - return nil, fmt.Errorf("invalid private key for certificate request: %v", err) - } - csr, err := utilcertificates.NewCertificateRequest(privateKey, subject, nil, nil) - if err != nil { - return nil, fmt.Errorf("unable to generate certificate request: %v", err) - } - - req, err := client.Create(&certificates.CertificateSigningRequest{ - // Username, UID, Groups will be injected by API server. - TypeMeta: unversioned.TypeMeta{Kind: "CertificateSigningRequest"}, - ObjectMeta: api.ObjectMeta{GenerateName: "csr-"}, - - // TODO: For now, this is a request for a certificate with allowed usage of "TLS Web Client Authentication". - // Need to figure out whether/how to surface the allowed usage in the spec. - Spec: certificates.CertificateSigningRequestSpec{Request: csr}, - }) - if err != nil { - return nil, fmt.Errorf("cannot create certificate signing request: %v", err) - - } - - // Make a default timeout = 3600s. - var defaultTimeoutSeconds int64 = 3600 - resultCh, err := client.Watch(api.ListOptions{ - Watch: true, - TimeoutSeconds: &defaultTimeoutSeconds, - FieldSelector: fields.OneTermEqualSelector("metadata.name", req.Name), - }) - if err != nil { - return nil, fmt.Errorf("cannot watch on the certificate signing request: %v", err) - } - - var status certificates.CertificateSigningRequestStatus - ch := resultCh.ResultChan() - - for { - event, ok := <-ch - if !ok { - break - } - - if event.Type == watch.Modified || event.Type == watch.Added { - if event.Object.(*certificates.CertificateSigningRequest).UID != req.UID { - continue - } - status = event.Object.(*certificates.CertificateSigningRequest).Status - for _, c := range status.Conditions { - if c.Type == certificates.CertificateDenied { - return nil, fmt.Errorf("certificate signing request is not approved, reason: %v, message: %v", c.Reason, c.Message) - } - if c.Type == certificates.CertificateApproved && status.Certificate != nil { - return status.Certificate, nil - } - } - } - } - - return nil, fmt.Errorf("watch channel closed") -} diff --git a/hack/.linted_packages b/hack/.linted_packages index 86bbae83d87..b339646f888 100644 --- a/hack/.linted_packages +++ b/hack/.linted_packages @@ -104,6 +104,7 @@ pkg/kubelet/container pkg/kubelet/envvars pkg/kubelet/eviction pkg/kubelet/sysctls +pkg/kubelet/util/csr pkg/kubelet/util/format pkg/kubelet/util/ioutils pkg/kubelet/volume diff --git a/pkg/kubelet/util/csr/csr.go b/pkg/kubelet/util/csr/csr.go new file mode 100644 index 00000000000..cba5496bf6c --- /dev/null +++ b/pkg/kubelet/util/csr/csr.go @@ -0,0 +1,102 @@ +/* +Copyright 2016 The Kubernetes Authors. + +Licensed under the Apache License, Version 2.0 (the "License"); +you may not use this file except in compliance with the License. +You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + +Unless required by applicable law or agreed to in writing, software +distributed under the License is distributed on an "AS IS" BASIS, +WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +See the License for the specific language governing permissions and +limitations under the License. +*/ + +package csr + +import ( + "crypto/x509/pkix" + "fmt" + + "k8s.io/kubernetes/pkg/api" + "k8s.io/kubernetes/pkg/api/unversioned" + "k8s.io/kubernetes/pkg/apis/certificates" + unversionedcertificates "k8s.io/kubernetes/pkg/client/clientset_generated/internalclientset/typed/certificates/unversioned" + "k8s.io/kubernetes/pkg/fields" + utilcertificates "k8s.io/kubernetes/pkg/util/certificates" + "k8s.io/kubernetes/pkg/watch" +) + +// RequestNodeCertificate will create a certificate signing request and send it to API server, +// then it will watch the object's status, once approved by API server, it will return the API +// server's issued certificate (pem-encoded). If there is any errors, or the watch timeouts, +// it will return an error. This is intended for use on nodes (kubelet and kubeadm). +func RequestNodeCertificate(client unversionedcertificates.CertificateSigningRequestInterface, privateKeyData []byte, nodeName string) (certData []byte, err error) { + subject := &pkix.Name{ + Organization: []string{"system:nodes"}, + CommonName: fmt.Sprintf("system:node:%s", nodeName), + } + + privateKey, err := utilcertificates.ParsePrivateKey(privateKeyData) + if err != nil { + return nil, fmt.Errorf("invalid private key for certificate request: %v", err) + } + csr, err := utilcertificates.NewCertificateRequest(privateKey, subject, nil, nil) + if err != nil { + return nil, fmt.Errorf("unable to generate certificate request: %v", err) + } + + req, err := client.Create(&certificates.CertificateSigningRequest{ + // Username, UID, Groups will be injected by API server. + TypeMeta: unversioned.TypeMeta{Kind: "CertificateSigningRequest"}, + ObjectMeta: api.ObjectMeta{GenerateName: "csr-"}, + + // TODO: For now, this is a request for a certificate with allowed usage of "TLS Web Client Authentication". + // Need to figure out whether/how to surface the allowed usage in the spec. + Spec: certificates.CertificateSigningRequestSpec{Request: csr}, + }) + if err != nil { + return nil, fmt.Errorf("cannot create certificate signing request: %v", err) + + } + + // Make a default timeout = 3600s. + var defaultTimeoutSeconds int64 = 3600 + resultCh, err := client.Watch(api.ListOptions{ + Watch: true, + TimeoutSeconds: &defaultTimeoutSeconds, + FieldSelector: fields.OneTermEqualSelector("metadata.name", req.Name), + }) + if err != nil { + return nil, fmt.Errorf("cannot watch on the certificate signing request: %v", err) + } + + var status certificates.CertificateSigningRequestStatus + ch := resultCh.ResultChan() + + for { + event, ok := <-ch + if !ok { + break + } + + if event.Type == watch.Modified || event.Type == watch.Added { + if event.Object.(*certificates.CertificateSigningRequest).UID != req.UID { + continue + } + status = event.Object.(*certificates.CertificateSigningRequest).Status + for _, c := range status.Conditions { + if c.Type == certificates.CertificateDenied { + return nil, fmt.Errorf("certificate signing request is not approved, reason: %v, message: %v", c.Reason, c.Message) + } + if c.Type == certificates.CertificateApproved && status.Certificate != nil { + return status.Certificate, nil + } + } + } + } + + return nil, fmt.Errorf("watch channel closed") +}