From 5d2abe5c6df1a20d035b68eaae1569003cf6455f Mon Sep 17 00:00:00 2001
From: Matt Rogers
Date: Fri, 8 Feb 2019 13:48:09 -0500
Subject: [PATCH 1/4] pkg/asset/tls: self-sign kube-ca

Detach kube-ca from the root-ca chain in order to make it a proper independent chain of trust, and ensure compatibility with non-golang TLS clients that need to trust kube-ca.

Part of https://jira.coreos.com/browse/CORS-999
---
 pkg/asset/tls/kubeca.go | 19 +++++++++++++------
 1 file changed, 13 insertions(+), 6 deletions(-)

diff --git a/pkg/asset/tls/kubeca.go b/pkg/asset/tls/kubeca.go
index d481880317..aeca712686 100644
--- a/pkg/asset/tls/kubeca.go
+++ b/pkg/asset/tls/kubeca.go
@@ -5,6 +5,7 @@ import (
 	"crypto/x509/pkix"
 
 	"github.com/openshift/installer/pkg/asset"
+	"github.com/pkg/errors"
 )
 
 // KubeCA is the asset that generates the kube-ca key/cert pair.
@@ -18,15 +19,11 @@ var _ asset.Asset = (*KubeCA)(nil)
 // the parent CA, and install config if it depends on the install config for
 // DNS names, etc.
 func (a *KubeCA) Dependencies() []asset.Asset {
-	return []asset.Asset{
-		&RootCA{},
-	}
+	return []asset.Asset{}
 }
 
 // Generate generates the cert/key pair based on its dependencies.
 func (a *KubeCA) Generate(dependencies asset.Parents) error {
-	rootCA := &RootCA{}
-	dependencies.Get(rootCA)
 
 	cfg := &CertCfg{
 		Subject: pkix.Name{CommonName: "kube-ca", OrganizationalUnit: []string{"bootkube"}},
@@ -35,7 +32,17 @@ func (a *KubeCA) Generate(dependencies asset.Parents) error {
 		IsCA: true,
 	}
 
-	return a.CertKey.Generate(cfg, rootCA, "kube-ca", DoNotAppendParent)
+	key, crt, err := GenerateRootCertKey(cfg)
+	if err != nil {
+		return errors.Wrap(err, "failed to generate Kube CA")
+	}
+
+	a.KeyRaw = PrivateKeyToPem(key)
+	a.CertRaw = CertToPem(crt)
+
+	a.generateFiles("kube-ca")
+
+	return nil
 }
 
 // Name returns the human-friendly name of the asset.

From ec2580ca2c0abd692c3a462ccd784191b1c72d82 Mon Sep 17 00:00:00 2001
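Review bot: The doc comments kept as context in this hunk are now stale: the Dependencies comment (which begins outside the hunk) still describes a parent CA, and `// Generate generates the cert/key pair based on its dependencies.` describes a Generate that no longer reads its `dependencies` parameter. Suggest `// Dependencies returns no dependencies; kube-ca is a self-signed root.` and `// Generate generates the self-signed kube-ca cert/key pair; dependencies is unused.` As a minor style point, `return nil` is the idiomatic empty result in Go unless a caller distinguishes a nil slice from an empty one, which nothing on this page suggests.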
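Review bot: Once kube-ca is self-signed it no longer chains to root-ca, so any component that validated kube-ca-issued certificates through a root-ca trust bundle will fail verification after this commit; the series only moves the admin and kubelet kubeconfigs (patches 3 and 4) to KubeCA, so other consumers of `&RootCA{}` for API-server trust, if any exist outside this page, need the same treatment. The new body itself is sound: the `GenerateRootCertKey` error is wrapped and returned before any field is written, and nothing after that point can fail. The rest of the `cfg` literal (key usages, validity) lies outside the hunk, so whether the CertSign usage is still set for the now-self-signed CA cannot be confirmed from here and is worth a glance.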
From: Matt Rogers
Date: Fri, 8 Feb 2019 14:09:30 -0500
Subject: [PATCH 2/4] pkg/asset/tls: don't append parent to kube-apiserver cert

A self-signed CA must not be included in a server certificate bundle.
---
 pkg/asset/tls/apiservercertkey.go | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/pkg/asset/tls/apiservercertkey.go b/pkg/asset/tls/apiservercertkey.go
index 7a7e1f322b..34870066d4 100644
--- a/pkg/asset/tls/apiservercertkey.go
+++ b/pkg/asset/tls/apiservercertkey.go
@@ -54,7 +54,7 @@ func (a *APIServerCertKey) Generate(dependencies asset.Parents) error {
 		IPAddresses: []net.IP{net.ParseIP(apiServerAddress), net.ParseIP("127.0.0.1")},
 	}
 
-	return a.CertKey.Generate(cfg, kubeCA, "apiserver", AppendParent)
+	return a.CertKey.Generate(cfg, kubeCA, "apiserver", DoNotAppendParent)
 }
 
 // Name returns the human-friendly name of the asset.

From 4ccb47cc6f050bb676dc42ac5e654e8202a7a1c1 Mon Sep 17 00:00:00 2001
From: Matt Rogers
Date: Fri, 8 Feb 2019 14:32:14 -0500
Subject: [PATCH 3/4] pkg/asset/kubeconfig: use kube-ca in admin kubeconfig

Admin now requires the kube-ca CA data, not root CA.
---
 pkg/asset/kubeconfig/admin.go | 8 ++++----
 1 file changed, 4 insertions(+), 4 deletions(-)

diff --git a/pkg/asset/kubeconfig/admin.go b/pkg/asset/kubeconfig/admin.go
index 4e70f019f4..2af06c9304 100644
--- a/pkg/asset/kubeconfig/admin.go
+++ b/pkg/asset/kubeconfig/admin.go
@@ -22,7 +22,7 @@ var _ asset.WritableAsset = (*Admin)(nil)
 // Dependencies returns the dependency of the kubeconfig.
 func (k *Admin) Dependencies() []asset.Asset {
 	return []asset.Asset{
-		&tls.RootCA{},
+		&tls.KubeCA{},
 		&tls.AdminCertKey{},
 		&installconfig.InstallConfig{},
 	}
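Review bot: The reason for no longer appending the parent lives only in the commit message; a one-line comment on the changed line would keep it with the code, e.g. `// kube-ca is self-signed, so the served chain is the leaf only; clients must trust kube-ca directly.` The enclosing `Generate` starts outside the hunk. Note that from this commit on, API-server verification depends on every client carrying kube-ca in its trust bundle rather than root-ca; patches 3 and 4 handle the admin and kubelet kubeconfigs, and any other client configuration generated by the installer should be checked the same way.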
@@ -30,13 +30,13 @@ func (k *Admin) Dependencies() []asset.Asset {
 
 // Generate generates the kubeconfig.
 func (k *Admin) Generate(parents asset.Parents) error {
-	rootCA := &tls.RootCA{}
+	kubeCA := &tls.KubeCA{}
 	adminCertKey := &tls.AdminCertKey{}
 	installConfig := &installconfig.InstallConfig{}
-	parents.Get(rootCA, adminCertKey, installConfig)
+	parents.Get(kubeCA, adminCertKey, installConfig)
 
 	return k.kubeconfig.generate(
-		rootCA,
+		kubeCA,
 		adminCertKey,
 		installConfig.Config,
 		"admin",

From a4d952ecde40dd2dbd815654c133458512e60d0c Mon Sep 17 00:00:00 2001
From: Matt Rogers
Date: Fri, 8 Feb 2019 16:11:31 -0500
Subject: [PATCH 4/4] pkg/asset/kubeconfig: use kube-ca in kubelet kubeconfig

The kubelet kubeconfig now requires kube-ca CA data, not root CA.
---
 pkg/asset/kubeconfig/kubelet.go | 8 ++++----
 1 file changed, 4 insertions(+), 4 deletions(-)

diff --git a/pkg/asset/kubeconfig/kubelet.go b/pkg/asset/kubeconfig/kubelet.go
index 17c26cbca1..62b3a12ce5 100644
--- a/pkg/asset/kubeconfig/kubelet.go
+++ b/pkg/asset/kubeconfig/kubelet.go
@@ -22,7 +22,7 @@ var _ asset.WritableAsset = (*Kubelet)(nil)
 // Dependencies returns the dependency of the kubeconfig.
 func (k *Kubelet) Dependencies() []asset.Asset {
 	return []asset.Asset{
-		&tls.RootCA{},
+		&tls.KubeCA{},
 		&tls.KubeletCertKey{},
 		&installconfig.InstallConfig{},
 	}
@@ -30,13 +30,13 @@ func (k *Kubelet) Dependencies() []asset.Asset {
 
 // Generate generates the kubeconfig.
 func (k *Kubelet) Generate(parents asset.Parents) error {
-	rootCA := &tls.RootCA{}
+	kubeCA := &tls.KubeCA{}
 	kubeletCertKey := &tls.KubeletCertKey{}
 	installConfig := &installconfig.InstallConfig{}
-	parents.Get(rootCA, kubeletCertKey, installConfig)
+	parents.Get(kubeCA, kubeletCertKey, installConfig)
 
 	return k.kubeconfig.generate(
-		rootCA,
+		kubeCA,
 		kubeletCertKey,
 		installConfig.Config,
 		"kubelet",