Merge pull request #1179 from mrogers950/ca_roots

pkg/asset/tls: self-sign kube-ca
2026-02-05 15:47:14 +01:00 · 2019-02-19 01:11:39 +01:00
parent 3e8831844d a4d952ecde
commit 820ff4c0cb
4 changed files with 22 additions and 15 deletions
--- a/pkg/asset/kubeconfig/admin.go
+++ b/pkg/asset/kubeconfig/admin.go
@@ -22,7 +22,7 @@ var _ asset.WritableAsset = (*Admin)(nil)
 // Dependencies returns the dependency of the kubeconfig.
 func (k *Admin) Dependencies() []asset.Asset {
 	return []asset.Asset{
-		&tls.RootCA{},
+		&tls.KubeCA{},
 		&tls.AdminCertKey{},
 		&installconfig.InstallConfig{},
 	}
@@ -30,13 +30,13 @@ func (k *Admin) Dependencies() []asset.Asset {

 // Generate generates the kubeconfig.
 func (k *Admin) Generate(parents asset.Parents) error {
-	rootCA := &tls.RootCA{}
+	kubeCA := &tls.KubeCA{}
 	adminCertKey := &tls.AdminCertKey{}
 	installConfig := &installconfig.InstallConfig{}
-	parents.Get(rootCA, adminCertKey, installConfig)
+	parents.Get(kubeCA, adminCertKey, installConfig)

 	return k.kubeconfig.generate(
-		rootCA,
+		kubeCA,
 		adminCertKey,
 		installConfig.Config,
 		"admin",
--- a/pkg/asset/kubeconfig/kubelet.go
+++ b/pkg/asset/kubeconfig/kubelet.go
@@ -22,7 +22,7 @@ var _ asset.WritableAsset = (*Kubelet)(nil)
 // Dependencies returns the dependency of the kubeconfig.
 func (k *Kubelet) Dependencies() []asset.Asset {
 	return []asset.Asset{
-		&tls.RootCA{},
+		&tls.KubeCA{},
 		&tls.KubeletCertKey{},
 		&installconfig.InstallConfig{},
 	}
@@ -30,13 +30,13 @@ func (k *Kubelet) Dependencies() []asset.Asset {

 // Generate generates the kubeconfig.
 func (k *Kubelet) Generate(parents asset.Parents) error {
-	rootCA := &tls.RootCA{}
+	kubeCA := &tls.KubeCA{}
 	kubeletCertKey := &tls.KubeletCertKey{}
 	installConfig := &installconfig.InstallConfig{}
-	parents.Get(rootCA, kubeletCertKey, installConfig)
+	parents.Get(kubeCA, kubeletCertKey, installConfig)

 	return k.kubeconfig.generate(
-		rootCA,
+		kubeCA,
 		kubeletCertKey,
 		installConfig.Config,
 		"kubelet",
--- a/pkg/asset/tls/apiservercertkey.go
+++ b/pkg/asset/tls/apiservercertkey.go
@@ -54,7 +54,7 @@ func (a *APIServerCertKey) Generate(dependencies asset.Parents) error {
 		IPAddresses: []net.IP{net.ParseIP(apiServerAddress), net.ParseIP("127.0.0.1")},
 	}

-	return a.CertKey.Generate(cfg, kubeCA, "apiserver", AppendParent)
+	return a.CertKey.Generate(cfg, kubeCA, "apiserver", DoNotAppendParent)
 }

 // Name returns the human-friendly name of the asset.
--- a/pkg/asset/tls/kubeca.go
+++ b/pkg/asset/tls/kubeca.go
@@ -5,6 +5,7 @@ import (
 	"crypto/x509/pkix"

 	"github.com/openshift/installer/pkg/asset"
+	"github.com/pkg/errors"
 )

 // KubeCA is the asset that generates the kube-ca key/cert pair.
@@ -18,15 +19,11 @@ var _ asset.Asset = (*KubeCA)(nil)
 // the parent CA, and install config if it depends on the install config for
 // DNS names, etc.
 func (a *KubeCA) Dependencies() []asset.Asset {
-	return []asset.Asset{
-		&RootCA{},
-	}
+	return []asset.Asset{}
 }

 // Generate generates the cert/key pair based on its dependencies.
 func (a *KubeCA) Generate(dependencies asset.Parents) error {
-	rootCA := &RootCA{}
-	dependencies.Get(rootCA)

 	cfg := &CertCfg{
 		Subject:   pkix.Name{CommonName: "kube-ca", OrganizationalUnit: []string{"bootkube"}},
@@ -35,7 +32,17 @@ func (a *KubeCA) Generate(dependencies asset.Parents) error {
 		IsCA:      true,
 	}

-	return a.CertKey.Generate(cfg, rootCA, "kube-ca", DoNotAppendParent)
+	key, crt, err := GenerateRootCertKey(cfg)
+	if err != nil {
+		return errors.Wrap(err, "failed to generate Kube CA")
+	}
+
+	a.KeyRaw = PrivateKeyToPem(key)
+	a.CertRaw = CertToPem(crt)
+
+	a.generateFiles("kube-ca")
+
+	return nil
 }

 // Name returns the human-friendly name of the asset.