Bumping k8s version to 1.13.0-beta.1
This commit is contained in:
Cheng Xing
102
vendor/k8s.io/client-go/util/certificate/csr/csr.go
generated
vendored
102
vendor/k8s.io/client-go/util/certificate/csr/csr.go
generated
vendored
@@ -18,23 +18,19 @@ package csr
|
||||
|
||||
import (
|
||||
"crypto"
|
||||
"crypto/sha512"
|
||||
"crypto/x509"
|
||||
"crypto/x509/pkix"
|
||||
"encoding/base64"
|
||||
"encoding/pem"
|
||||
"fmt"
|
||||
"reflect"
|
||||
"time"
|
||||
|
||||
"github.com/golang/glog"
|
||||
"k8s.io/klog"
|
||||
|
||||
certificates "k8s.io/api/certificates/v1beta1"
|
||||
"k8s.io/apimachinery/pkg/api/errors"
|
||||
metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
|
||||
"k8s.io/apimachinery/pkg/fields"
|
||||
"k8s.io/apimachinery/pkg/runtime"
|
||||
"k8s.io/apimachinery/pkg/types"
|
||||
"k8s.io/apimachinery/pkg/util/wait"
|
||||
"k8s.io/apimachinery/pkg/watch"
|
||||
certificatesclient "k8s.io/client-go/kubernetes/typed/certificates/v1beta1"
|
||||
@@ -43,41 +39,6 @@ import (
|
||||
certutil "k8s.io/client-go/util/cert"
|
||||
)
|
||||
|
||||
// RequestNodeCertificate will create a certificate signing request for a node
|
||||
// (Organization and CommonName for the CSR will be set as expected for node
|
||||
// certificates) and send it to API server, then it will watch the object's
|
||||
// status, once approved by API server, it will return the API server's issued
|
||||
// certificate (pem-encoded). If there is any errors, or the watch timeouts, it
|
||||
// will return an error. This is intended for use on nodes (kubelet and
|
||||
// kubeadm).
|
||||
func RequestNodeCertificate(client certificatesclient.CertificateSigningRequestInterface, privateKeyData []byte, nodeName types.NodeName) (certData []byte, err error) {
|
||||
subject := &pkix.Name{
|
||||
Organization: []string{"system:nodes"},
|
||||
CommonName: "system:node:" + string(nodeName),
|
||||
}
|
||||
|
||||
privateKey, err := certutil.ParsePrivateKeyPEM(privateKeyData)
|
||||
if err != nil {
|
||||
return nil, fmt.Errorf("invalid private key for certificate request: %v", err)
|
||||
}
|
||||
csrData, err := certutil.MakeCSR(privateKey, subject, nil, nil)
|
||||
if err != nil {
|
||||
return nil, fmt.Errorf("unable to generate certificate request: %v", err)
|
||||
}
|
||||
|
||||
usages := []certificates.KeyUsage{
|
||||
certificates.UsageDigitalSignature,
|
||||
certificates.UsageKeyEncipherment,
|
||||
certificates.UsageClientAuth,
|
||||
}
|
||||
name := digestedName(privateKeyData, subject, usages)
|
||||
req, err := RequestCertificate(client, csrData, name, usages, privateKey)
|
||||
if err != nil {
|
||||
return nil, err
|
||||
}
|
||||
return WaitForCertificate(client, req, 3600*time.Second)
|
||||
}
|
||||
|
||||
// RequestCertificate will either use an existing (if this process has run
|
||||
// before but not to completion) or create a certificate signing request using the
|
||||
// PEM encoded CSR and send it to API server, then it will watch the object's
|
||||
@@ -104,7 +65,7 @@ func RequestCertificate(client certificatesclient.CertificateSigningRequestInter
|
||||
switch {
|
||||
case err == nil:
|
||||
case errors.IsAlreadyExists(err) && len(name) > 0:
|
||||
glog.Infof("csr for this node already exists, reusing")
|
||||
klog.Infof("csr for this node already exists, reusing")
|
||||
req, err = client.Get(name, metav1.GetOptions{})
|
||||
if err != nil {
|
||||
return nil, formatError("cannot retrieve certificate signing request: %v", err)
|
||||
@@ -112,7 +73,7 @@ func RequestCertificate(client certificatesclient.CertificateSigningRequestInter
|
||||
if err := ensureCompatible(req, csr, privateKey); err != nil {
|
||||
return nil, fmt.Errorf("retrieved csr is not compatible: %v", err)
|
||||
}
|
||||
glog.Infof("csr for this node is still valid")
|
||||
klog.Infof("csr for this node is still valid")
|
||||
default:
|
||||
return nil, formatError("cannot create certificate signing request: %v", err)
|
||||
}
|
||||
@@ -168,57 +129,25 @@ func WaitForCertificate(client certificatesclient.CertificateSigningRequestInter
|
||||
return event.Object.(*certificates.CertificateSigningRequest).Status.Certificate, nil
|
||||
}
|
||||
|
||||
// This digest should include all the relevant pieces of the CSR we care about.
|
||||
// We can't direcly hash the serialized CSR because of random padding that we
|
||||
// regenerate every loop and we include usages which are not contained in the
|
||||
// CSR. This needs to be kept up to date as we add new fields to the node
|
||||
// certificates and with ensureCompatible.
|
||||
func digestedName(privateKeyData []byte, subject *pkix.Name, usages []certificates.KeyUsage) string {
|
||||
hash := sha512.New512_256()
|
||||
|
||||
// Here we make sure two different inputs can't write the same stream
|
||||
// to the hash. This delimiter is not in the base64.URLEncoding
|
||||
// alphabet so there is no way to have spill over collisions. Without
|
||||
// it 'CN:foo,ORG:bar' hashes to the same value as 'CN:foob,ORG:ar'
|
||||
const delimiter = '|'
|
||||
encode := base64.RawURLEncoding.EncodeToString
|
||||
|
||||
write := func(data []byte) {
|
||||
hash.Write([]byte(encode(data)))
|
||||
hash.Write([]byte{delimiter})
|
||||
}
|
||||
|
||||
write(privateKeyData)
|
||||
write([]byte(subject.CommonName))
|
||||
for _, v := range subject.Organization {
|
||||
write([]byte(v))
|
||||
}
|
||||
for _, v := range usages {
|
||||
write([]byte(v))
|
||||
}
|
||||
|
||||
return "node-csr-" + encode(hash.Sum(nil))
|
||||
}
|
||||
|
||||
// ensureCompatible ensures that a CSR object is compatible with an original CSR
|
||||
func ensureCompatible(new, orig *certificates.CertificateSigningRequest, privateKey interface{}) error {
|
||||
newCsr, err := ParseCSR(new)
|
||||
newCSR, err := parseCSR(new)
|
||||
if err != nil {
|
||||
return fmt.Errorf("unable to parse new csr: %v", err)
|
||||
}
|
||||
origCsr, err := ParseCSR(orig)
|
||||
origCSR, err := parseCSR(orig)
|
||||
if err != nil {
|
||||
return fmt.Errorf("unable to parse original csr: %v", err)
|
||||
}
|
||||
if !reflect.DeepEqual(newCsr.Subject, origCsr.Subject) {
|
||||
return fmt.Errorf("csr subjects differ: new: %#v, orig: %#v", newCsr.Subject, origCsr.Subject)
|
||||
if !reflect.DeepEqual(newCSR.Subject, origCSR.Subject) {
|
||||
return fmt.Errorf("csr subjects differ: new: %#v, orig: %#v", newCSR.Subject, origCSR.Subject)
|
||||
}
|
||||
signer, ok := privateKey.(crypto.Signer)
|
||||
if !ok {
|
||||
return fmt.Errorf("privateKey is not a signer")
|
||||
}
|
||||
newCsr.PublicKey = signer.Public()
|
||||
if err := newCsr.CheckSignature(); err != nil {
|
||||
newCSR.PublicKey = signer.Public()
|
||||
if err := newCSR.CheckSignature(); err != nil {
|
||||
return fmt.Errorf("error validating signature new CSR against old key: %v", err)
|
||||
}
|
||||
if len(new.Status.Certificate) > 0 {
|
||||
@@ -247,17 +176,12 @@ func formatError(format string, err error) error {
|
||||
return fmt.Errorf(format, err)
|
||||
}
|
||||
|
||||
// ParseCSR extracts the CSR from the API object and decodes it.
|
||||
func ParseCSR(obj *certificates.CertificateSigningRequest) (*x509.CertificateRequest, error) {
|
||||
// parseCSR extracts the CSR from the API object and decodes it.
|
||||
func parseCSR(obj *certificates.CertificateSigningRequest) (*x509.CertificateRequest, error) {
|
||||
// extract PEM from request object
|
||||
pemBytes := obj.Spec.Request
|
||||
block, _ := pem.Decode(pemBytes)
|
||||
block, _ := pem.Decode(obj.Spec.Request)
|
||||
if block == nil || block.Type != "CERTIFICATE REQUEST" {
|
||||
return nil, fmt.Errorf("PEM block type must be CERTIFICATE REQUEST")
|
||||
}
|
||||
csr, err := x509.ParseCertificateRequest(block.Bytes)
|
||||
if err != nil {
|
||||
return nil, err
|
||||
}
|
||||
return csr, nil
|
||||
return x509.ParseCertificateRequest(block.Bytes)
|
||||
}
|
||||
|
||||
Reference in New Issue
Block a user