Commit 18458392 authored by Andrew Lytvynov's avatar Andrew Lytvynov

Extract new keyutil package from client-go/util/cert

This package contains public/private key utilities copied directly from client-go/util/cert. All imports were updated. Future PRs will actually refactor the libraries. Updates #71004
parent b8b14341
...@@ -61,7 +61,7 @@ go_library( ...@@ -61,7 +61,7 @@ go_library(
"//staging/src/k8s.io/client-go/informers:go_default_library", "//staging/src/k8s.io/client-go/informers:go_default_library",
"//staging/src/k8s.io/client-go/kubernetes:go_default_library", "//staging/src/k8s.io/client-go/kubernetes:go_default_library",
"//staging/src/k8s.io/client-go/tools/cache:go_default_library", "//staging/src/k8s.io/client-go/tools/cache:go_default_library",
"//staging/src/k8s.io/client-go/util/cert:go_default_library", "//staging/src/k8s.io/client-go/util/keyutil:go_default_library",
"//staging/src/k8s.io/cloud-provider:go_default_library", "//staging/src/k8s.io/cloud-provider:go_default_library",
"//staging/src/k8s.io/component-base/cli/flag:go_default_library", "//staging/src/k8s.io/component-base/cli/flag:go_default_library",
"//staging/src/k8s.io/component-base/cli/globalflag:go_default_library", "//staging/src/k8s.io/component-base/cli/globalflag:go_default_library",
......
...@@ -53,7 +53,7 @@ import ( ...@@ -53,7 +53,7 @@ import (
"k8s.io/apiserver/pkg/util/webhook" "k8s.io/apiserver/pkg/util/webhook"
clientgoinformers "k8s.io/client-go/informers" clientgoinformers "k8s.io/client-go/informers"
clientgoclientset "k8s.io/client-go/kubernetes" clientgoclientset "k8s.io/client-go/kubernetes"
certutil "k8s.io/client-go/util/cert" "k8s.io/client-go/util/keyutil"
cloudprovider "k8s.io/cloud-provider" cloudprovider "k8s.io/cloud-provider"
cliflag "k8s.io/component-base/cli/flag" cliflag "k8s.io/component-base/cli/flag"
"k8s.io/component-base/cli/globalflag" "k8s.io/component-base/cli/globalflag"
...@@ -580,7 +580,7 @@ func Complete(s *options.ServerRunOptions) (completedServerRunOptions, error) { ...@@ -580,7 +580,7 @@ func Complete(s *options.ServerRunOptions) (completedServerRunOptions, error) {
} }
if s.ServiceAccountSigningKeyFile != "" && s.Authentication.ServiceAccounts.Issuer != "" { if s.ServiceAccountSigningKeyFile != "" && s.Authentication.ServiceAccounts.Issuer != "" {
sk, err := certutil.PrivateKeyFromFile(s.ServiceAccountSigningKeyFile) sk, err := keyutil.PrivateKeyFromFile(s.ServiceAccountSigningKeyFile)
if err != nil { if err != nil {
return options, fmt.Errorf("failed to parse service-account-issuer-key-file: %v", err) return options, fmt.Errorf("failed to parse service-account-issuer-key-file: %v", err)
} }
......
...@@ -131,6 +131,7 @@ go_library( ...@@ -131,6 +131,7 @@ go_library(
"//staging/src/k8s.io/client-go/tools/leaderelection/resourcelock:go_default_library", "//staging/src/k8s.io/client-go/tools/leaderelection/resourcelock:go_default_library",
"//staging/src/k8s.io/client-go/util/cert:go_default_library", "//staging/src/k8s.io/client-go/util/cert:go_default_library",
"//staging/src/k8s.io/client-go/util/flowcontrol:go_default_library", "//staging/src/k8s.io/client-go/util/flowcontrol:go_default_library",
"//staging/src/k8s.io/client-go/util/keyutil:go_default_library",
"//staging/src/k8s.io/cloud-provider:go_default_library", "//staging/src/k8s.io/cloud-provider:go_default_library",
"//staging/src/k8s.io/component-base/cli/flag:go_default_library", "//staging/src/k8s.io/component-base/cli/flag:go_default_library",
"//staging/src/k8s.io/component-base/cli/globalflag:go_default_library", "//staging/src/k8s.io/component-base/cli/globalflag:go_default_library",
......
...@@ -47,6 +47,7 @@ import ( ...@@ -47,6 +47,7 @@ import (
"k8s.io/client-go/tools/leaderelection" "k8s.io/client-go/tools/leaderelection"
"k8s.io/client-go/tools/leaderelection/resourcelock" "k8s.io/client-go/tools/leaderelection/resourcelock"
certutil "k8s.io/client-go/util/cert" certutil "k8s.io/client-go/util/cert"
"k8s.io/client-go/util/keyutil"
cloudprovider "k8s.io/cloud-provider" cloudprovider "k8s.io/cloud-provider"
cliflag "k8s.io/component-base/cli/flag" cliflag "k8s.io/component-base/cli/flag"
"k8s.io/component-base/cli/globalflag" "k8s.io/component-base/cli/globalflag"
...@@ -514,7 +515,7 @@ func (c serviceAccountTokenControllerStarter) startServiceAccountTokenController ...@@ -514,7 +515,7 @@ func (c serviceAccountTokenControllerStarter) startServiceAccountTokenController
klog.Warningf("%q is disabled because there is no private key", saTokenControllerName) klog.Warningf("%q is disabled because there is no private key", saTokenControllerName)
return nil, false, nil return nil, false, nil
} }
privateKey, err := certutil.PrivateKeyFromFile(ctx.ComponentConfig.SAController.ServiceAccountKeyFile) privateKey, err := keyutil.PrivateKeyFromFile(ctx.ComponentConfig.SAController.ServiceAccountKeyFile)
if err != nil { if err != nil {
return nil, true, fmt.Errorf("error reading key for service account token controller: %v", err) return nil, true, fmt.Errorf("error reading key for service account token controller: %v", err)
} }
......
...@@ -22,6 +22,7 @@ go_library( ...@@ -22,6 +22,7 @@ go_library(
"//staging/src/k8s.io/client-go/tools/clientcmd:go_default_library", "//staging/src/k8s.io/client-go/tools/clientcmd:go_default_library",
"//staging/src/k8s.io/client-go/tools/clientcmd/api:go_default_library", "//staging/src/k8s.io/client-go/tools/clientcmd/api:go_default_library",
"//staging/src/k8s.io/client-go/util/cert:go_default_library", "//staging/src/k8s.io/client-go/util/cert:go_default_library",
"//staging/src/k8s.io/client-go/util/keyutil:go_default_library",
"//vendor/github.com/pkg/errors:go_default_library", "//vendor/github.com/pkg/errors:go_default_library",
"//vendor/k8s.io/klog:go_default_library", "//vendor/k8s.io/klog:go_default_library",
], ],
......
...@@ -29,6 +29,7 @@ import ( ...@@ -29,6 +29,7 @@ import (
"k8s.io/client-go/tools/clientcmd" "k8s.io/client-go/tools/clientcmd"
clientcmdapi "k8s.io/client-go/tools/clientcmd/api" clientcmdapi "k8s.io/client-go/tools/clientcmd/api"
certutil "k8s.io/client-go/util/cert" certutil "k8s.io/client-go/util/cert"
"k8s.io/client-go/util/keyutil"
"k8s.io/klog" "k8s.io/klog"
kubeadmapi "k8s.io/kubernetes/cmd/kubeadm/app/apis/kubeadm" kubeadmapi "k8s.io/kubernetes/cmd/kubeadm/app/apis/kubeadm"
kubeadmconstants "k8s.io/kubernetes/cmd/kubeadm/app/constants" kubeadmconstants "k8s.io/kubernetes/cmd/kubeadm/app/constants"
...@@ -206,13 +207,17 @@ func buildKubeConfigFromSpec(spec *kubeConfigSpec, clustername string) (*clientc ...@@ -206,13 +207,17 @@ func buildKubeConfigFromSpec(spec *kubeConfigSpec, clustername string) (*clientc
return nil, errors.Wrapf(err, "failure while creating %s client certificate", spec.ClientName) return nil, errors.Wrapf(err, "failure while creating %s client certificate", spec.ClientName)
} }
encodedClientKey, err := keyutil.MarshalPrivateKeyToPEM(clientKey)
if err != nil {
return nil, errors.Wrapf(err, "failed to marshal private key to PEM")
}
// create a kubeconfig with the client certs // create a kubeconfig with the client certs
return kubeconfigutil.CreateWithCerts( return kubeconfigutil.CreateWithCerts(
spec.APIServer, spec.APIServer,
clustername, clustername,
spec.ClientName, spec.ClientName,
pkiutil.EncodeCertPEM(spec.CACert), pkiutil.EncodeCertPEM(spec.CACert),
certutil.EncodePrivateKeyPEM(clientKey), encodedClientKey,
pkiutil.EncodeCertPEM(clientCert), pkiutil.EncodeCertPEM(clientCert),
), nil ), nil
} }
......
...@@ -12,6 +12,7 @@ go_library( ...@@ -12,6 +12,7 @@ go_library(
deps = [ deps = [
"//cmd/kubeadm/app/util/pkiutil:go_default_library", "//cmd/kubeadm/app/util/pkiutil:go_default_library",
"//staging/src/k8s.io/client-go/util/cert:go_default_library", "//staging/src/k8s.io/client-go/util/cert:go_default_library",
"//staging/src/k8s.io/client-go/util/keyutil:go_default_library",
], ],
) )
......
...@@ -24,6 +24,7 @@ import ( ...@@ -24,6 +24,7 @@ import (
"testing" "testing"
certutil "k8s.io/client-go/util/cert" certutil "k8s.io/client-go/util/cert"
"k8s.io/client-go/util/keyutil"
pkiutil "k8s.io/kubernetes/cmd/kubeadm/app/util/pkiutil" pkiutil "k8s.io/kubernetes/cmd/kubeadm/app/util/pkiutil"
) )
...@@ -238,11 +239,15 @@ func WritePKIFiles(t *testing.T, dir string, files PKIFiles) { ...@@ -238,11 +239,15 @@ func WritePKIFiles(t *testing.T, dir string, files PKIFiles) {
if err != nil { if err != nil {
t.Errorf("unable to write public key to file %q: [%v]", filename, err) t.Errorf("unable to write public key to file %q: [%v]", filename, err)
} }
if err := certutil.WriteKey(path.Join(dir, filename), publicKeyBytes); err != nil { if err := keyutil.WriteKey(path.Join(dir, filename), publicKeyBytes); err != nil {
t.Errorf("unable to write public key to file %q: [%v]", filename, err) t.Errorf("unable to write public key to file %q: [%v]", filename, err)
} }
case *rsa.PrivateKey: case *rsa.PrivateKey:
if err := certutil.WriteKey(path.Join(dir, filename), certutil.EncodePrivateKeyPEM(body)); err != nil { privateKey, err := keyutil.MarshalPrivateKeyToPEM(body)
if err != nil {
t.Errorf("unable to write private key to file %q: [%v]", filename, err)
}
if err := keyutil.WriteKey(path.Join(dir, filename), privateKey); err != nil {
t.Errorf("unable to write private key to file %q: [%v]", filename, err) t.Errorf("unable to write private key to file %q: [%v]", filename, err)
} }
} }
......
...@@ -27,6 +27,7 @@ go_library( ...@@ -27,6 +27,7 @@ go_library(
"//pkg/registry/core/service/ipallocator:go_default_library", "//pkg/registry/core/service/ipallocator:go_default_library",
"//staging/src/k8s.io/apimachinery/pkg/util/validation:go_default_library", "//staging/src/k8s.io/apimachinery/pkg/util/validation:go_default_library",
"//staging/src/k8s.io/client-go/util/cert:go_default_library", "//staging/src/k8s.io/client-go/util/cert:go_default_library",
"//staging/src/k8s.io/client-go/util/keyutil:go_default_library",
"//vendor/github.com/pkg/errors:go_default_library", "//vendor/github.com/pkg/errors:go_default_library",
], ],
) )
......
...@@ -37,6 +37,7 @@ import ( ...@@ -37,6 +37,7 @@ import (
"k8s.io/apimachinery/pkg/util/validation" "k8s.io/apimachinery/pkg/util/validation"
certutil "k8s.io/client-go/util/cert" certutil "k8s.io/client-go/util/cert"
"k8s.io/client-go/util/keyutil"
kubeadmapi "k8s.io/kubernetes/cmd/kubeadm/app/apis/kubeadm" kubeadmapi "k8s.io/kubernetes/cmd/kubeadm/app/apis/kubeadm"
kubeadmconstants "k8s.io/kubernetes/cmd/kubeadm/app/constants" kubeadmconstants "k8s.io/kubernetes/cmd/kubeadm/app/constants"
kubeadmutil "k8s.io/kubernetes/cmd/kubeadm/app/util" kubeadmutil "k8s.io/kubernetes/cmd/kubeadm/app/util"
...@@ -141,7 +142,11 @@ func WriteKey(pkiPath, name string, key *rsa.PrivateKey) error { ...@@ -141,7 +142,11 @@ func WriteKey(pkiPath, name string, key *rsa.PrivateKey) error {
} }
privateKeyPath := pathForKey(pkiPath, name) privateKeyPath := pathForKey(pkiPath, name)
if err := certutil.WriteKey(privateKeyPath, certutil.EncodePrivateKeyPEM(key)); err != nil { encoded, err := keyutil.MarshalPrivateKeyToPEM(key)
if err != nil {
return errors.Wrapf(err, "unable to marshal private key to PEM")
}
if err := keyutil.WriteKey(privateKeyPath, encoded); err != nil {
return errors.Wrapf(err, "unable to write private key to file %s", privateKeyPath) return errors.Wrapf(err, "unable to write private key to file %s", privateKeyPath)
} }
...@@ -180,7 +185,7 @@ func WritePublicKey(pkiPath, name string, key *rsa.PublicKey) error { ...@@ -180,7 +185,7 @@ func WritePublicKey(pkiPath, name string, key *rsa.PublicKey) error {
return err return err
} }
publicKeyPath := pathForPublicKey(pkiPath, name) publicKeyPath := pathForPublicKey(pkiPath, name)
if err := certutil.WriteKey(publicKeyPath, publicKeyBytes); err != nil { if err := keyutil.WriteKey(publicKeyPath, publicKeyBytes); err != nil {
return errors.Wrapf(err, "unable to write public key to file %s", publicKeyPath) return errors.Wrapf(err, "unable to write public key to file %s", publicKeyPath)
} }
...@@ -258,7 +263,7 @@ func TryLoadKeyFromDisk(pkiPath, name string) (*rsa.PrivateKey, error) { ...@@ -258,7 +263,7 @@ func TryLoadKeyFromDisk(pkiPath, name string) (*rsa.PrivateKey, error) {
privateKeyPath := pathForKey(pkiPath, name) privateKeyPath := pathForKey(pkiPath, name)
// Parse the private key from a file // Parse the private key from a file
privKey, err := certutil.PrivateKeyFromFile(privateKeyPath) privKey, err := keyutil.PrivateKeyFromFile(privateKeyPath)
if err != nil { if err != nil {
return nil, errors.Wrapf(err, "couldn't load the private key file %s", privateKeyPath) return nil, errors.Wrapf(err, "couldn't load the private key file %s", privateKeyPath)
} }
...@@ -297,7 +302,7 @@ func TryLoadPrivatePublicKeyFromDisk(pkiPath, name string) (*rsa.PrivateKey, *rs ...@@ -297,7 +302,7 @@ func TryLoadPrivatePublicKeyFromDisk(pkiPath, name string) (*rsa.PrivateKey, *rs
privateKeyPath := pathForKey(pkiPath, name) privateKeyPath := pathForKey(pkiPath, name)
// Parse the private key from a file // Parse the private key from a file
privKey, err := certutil.PrivateKeyFromFile(privateKeyPath) privKey, err := keyutil.PrivateKeyFromFile(privateKeyPath)
if err != nil { if err != nil {
return nil, nil, errors.Wrapf(err, "couldn't load the private key file %s", privateKeyPath) return nil, nil, errors.Wrapf(err, "couldn't load the private key file %s", privateKeyPath)
} }
...@@ -305,7 +310,7 @@ func TryLoadPrivatePublicKeyFromDisk(pkiPath, name string) (*rsa.PrivateKey, *rs ...@@ -305,7 +310,7 @@ func TryLoadPrivatePublicKeyFromDisk(pkiPath, name string) (*rsa.PrivateKey, *rs
publicKeyPath := pathForPublicKey(pkiPath, name) publicKeyPath := pathForPublicKey(pkiPath, name)
// Parse the public key from a file // Parse the public key from a file
pubKeys, err := certutil.PublicKeysFromFile(publicKeyPath) pubKeys, err := keyutil.PublicKeysFromFile(publicKeyPath)
if err != nil { if err != nil {
return nil, nil, errors.Wrapf(err, "couldn't load the public key file %s", publicKeyPath) return nil, nil, errors.Wrapf(err, "couldn't load the public key file %s", publicKeyPath)
} }
......
...@@ -132,6 +132,7 @@ go_library( ...@@ -132,6 +132,7 @@ go_library(
"//staging/src/k8s.io/client-go/tools/record:go_default_library", "//staging/src/k8s.io/client-go/tools/record:go_default_library",
"//staging/src/k8s.io/client-go/util/cert:go_default_library", "//staging/src/k8s.io/client-go/util/cert:go_default_library",
"//staging/src/k8s.io/client-go/util/certificate:go_default_library", "//staging/src/k8s.io/client-go/util/certificate:go_default_library",
"//staging/src/k8s.io/client-go/util/keyutil:go_default_library",
"//staging/src/k8s.io/cloud-provider:go_default_library", "//staging/src/k8s.io/cloud-provider:go_default_library",
"//staging/src/k8s.io/component-base/cli/flag:go_default_library", "//staging/src/k8s.io/component-base/cli/flag:go_default_library",
"//staging/src/k8s.io/csi-api/pkg/client/clientset/versioned:go_default_library", "//staging/src/k8s.io/csi-api/pkg/client/clientset/versioned:go_default_library",
......
...@@ -54,6 +54,7 @@ import ( ...@@ -54,6 +54,7 @@ import (
"k8s.io/client-go/tools/record" "k8s.io/client-go/tools/record"
certutil "k8s.io/client-go/util/cert" certutil "k8s.io/client-go/util/cert"
"k8s.io/client-go/util/certificate" "k8s.io/client-go/util/certificate"
"k8s.io/client-go/util/keyutil"
cloudprovider "k8s.io/cloud-provider" cloudprovider "k8s.io/cloud-provider"
cliflag "k8s.io/component-base/cli/flag" cliflag "k8s.io/component-base/cli/flag"
csiclientset "k8s.io/csi-api/pkg/client/clientset/versioned" csiclientset "k8s.io/csi-api/pkg/client/clientset/versioned"
...@@ -899,7 +900,7 @@ func InitializeTLS(kf *options.KubeletFlags, kc *kubeletconfiginternal.KubeletCo ...@@ -899,7 +900,7 @@ func InitializeTLS(kf *options.KubeletFlags, kc *kubeletconfiginternal.KubeletCo
return nil, err return nil, err
} }
if err := certutil.WriteKey(kc.TLSPrivateKeyFile, key); err != nil { if err := keyutil.WriteKey(kc.TLSPrivateKeyFile, key); err != nil {
return nil, err return nil, err
} }
......
...@@ -31,6 +31,7 @@ go_library( ...@@ -31,6 +31,7 @@ go_library(
"//staging/src/k8s.io/apiserver/plugin/pkg/authenticator/token/webhook:go_default_library", "//staging/src/k8s.io/apiserver/plugin/pkg/authenticator/token/webhook:go_default_library",
"//staging/src/k8s.io/client-go/plugin/pkg/client/auth:go_default_library", "//staging/src/k8s.io/client-go/plugin/pkg/client/auth:go_default_library",
"//staging/src/k8s.io/client-go/util/cert:go_default_library", "//staging/src/k8s.io/client-go/util/cert:go_default_library",
"//staging/src/k8s.io/client-go/util/keyutil:go_default_library",
"//vendor/github.com/go-openapi/spec:go_default_library", "//vendor/github.com/go-openapi/spec:go_default_library",
], ],
) )
......
...@@ -38,9 +38,11 @@ import ( ...@@ -38,9 +38,11 @@ import (
"k8s.io/apiserver/plugin/pkg/authenticator/request/basicauth" "k8s.io/apiserver/plugin/pkg/authenticator/request/basicauth"
"k8s.io/apiserver/plugin/pkg/authenticator/token/oidc" "k8s.io/apiserver/plugin/pkg/authenticator/token/oidc"
"k8s.io/apiserver/plugin/pkg/authenticator/token/webhook" "k8s.io/apiserver/plugin/pkg/authenticator/token/webhook"
// Initialize all known client auth plugins. // Initialize all known client auth plugins.
_ "k8s.io/client-go/plugin/pkg/client/auth" _ "k8s.io/client-go/plugin/pkg/client/auth"
certutil "k8s.io/client-go/util/cert" certutil "k8s.io/client-go/util/cert"
"k8s.io/client-go/util/keyutil"
"k8s.io/kubernetes/pkg/features" "k8s.io/kubernetes/pkg/features"
"k8s.io/kubernetes/pkg/serviceaccount" "k8s.io/kubernetes/pkg/serviceaccount"
) )
...@@ -226,7 +228,7 @@ func (config Config) New() (authenticator.Request, *spec.SecurityDefinitions, er ...@@ -226,7 +228,7 @@ func (config Config) New() (authenticator.Request, *spec.SecurityDefinitions, er
// IsValidServiceAccountKeyFile returns true if a valid public RSA key can be read from the given file // IsValidServiceAccountKeyFile returns true if a valid public RSA key can be read from the given file
func IsValidServiceAccountKeyFile(file string) bool { func IsValidServiceAccountKeyFile(file string) bool {
_, err := certutil.PublicKeysFromFile(file) _, err := keyutil.PublicKeysFromFile(file)
return err == nil return err == nil
} }
...@@ -279,7 +281,7 @@ func newAuthenticatorFromOIDCIssuerURL(opts oidc.Options) (authenticator.Token, ...@@ -279,7 +281,7 @@ func newAuthenticatorFromOIDCIssuerURL(opts oidc.Options) (authenticator.Token,
func newLegacyServiceAccountAuthenticator(keyfiles []string, lookup bool, apiAudiences authenticator.Audiences, serviceAccountGetter serviceaccount.ServiceAccountTokenGetter) (authenticator.Token, error) { func newLegacyServiceAccountAuthenticator(keyfiles []string, lookup bool, apiAudiences authenticator.Audiences, serviceAccountGetter serviceaccount.ServiceAccountTokenGetter) (authenticator.Token, error) {
allPublicKeys := []interface{}{} allPublicKeys := []interface{}{}
for _, keyfile := range keyfiles { for _, keyfile := range keyfiles {
publicKeys, err := certutil.PublicKeysFromFile(keyfile) publicKeys, err := keyutil.PublicKeysFromFile(keyfile)
if err != nil { if err != nil {
return nil, err return nil, err
} }
...@@ -294,7 +296,7 @@ func newLegacyServiceAccountAuthenticator(keyfiles []string, lookup bool, apiAud ...@@ -294,7 +296,7 @@ func newLegacyServiceAccountAuthenticator(keyfiles []string, lookup bool, apiAud
func newServiceAccountAuthenticator(iss string, keyfiles []string, apiAudiences authenticator.Audiences, serviceAccountGetter serviceaccount.ServiceAccountTokenGetter) (authenticator.Token, error) { func newServiceAccountAuthenticator(iss string, keyfiles []string, apiAudiences authenticator.Audiences, serviceAccountGetter serviceaccount.ServiceAccountTokenGetter) (authenticator.Token, error) {
allPublicKeys := []interface{}{} allPublicKeys := []interface{}{}
for _, keyfile := range keyfiles { for _, keyfile := range keyfiles {
publicKeys, err := certutil.PublicKeysFromFile(keyfile) publicKeys, err := keyutil.PublicKeysFromFile(keyfile)
if err != nil { if err != nil {
return nil, err return nil, err
} }
......
...@@ -17,7 +17,7 @@ go_test( ...@@ -17,7 +17,7 @@ go_test(
"//staging/src/k8s.io/apimachinery/pkg/watch:go_default_library", "//staging/src/k8s.io/apimachinery/pkg/watch:go_default_library",
"//staging/src/k8s.io/client-go/kubernetes/typed/certificates/v1beta1:go_default_library", "//staging/src/k8s.io/client-go/kubernetes/typed/certificates/v1beta1:go_default_library",
"//staging/src/k8s.io/client-go/rest:go_default_library", "//staging/src/k8s.io/client-go/rest:go_default_library",
"//staging/src/k8s.io/client-go/util/cert:go_default_library", "//staging/src/k8s.io/client-go/util/keyutil:go_default_library",
], ],
) )
...@@ -40,6 +40,7 @@ go_library( ...@@ -40,6 +40,7 @@ go_library(
"//staging/src/k8s.io/client-go/util/cert:go_default_library", "//staging/src/k8s.io/client-go/util/cert:go_default_library",
"//staging/src/k8s.io/client-go/util/certificate:go_default_library", "//staging/src/k8s.io/client-go/util/certificate:go_default_library",
"//staging/src/k8s.io/client-go/util/certificate/csr:go_default_library", "//staging/src/k8s.io/client-go/util/certificate/csr:go_default_library",
"//staging/src/k8s.io/client-go/util/keyutil:go_default_library",
"//vendor/k8s.io/klog:go_default_library", "//vendor/k8s.io/klog:go_default_library",
], ],
) )
......
...@@ -43,6 +43,7 @@ import ( ...@@ -43,6 +43,7 @@ import (
certutil "k8s.io/client-go/util/cert" certutil "k8s.io/client-go/util/cert"
"k8s.io/client-go/util/certificate" "k8s.io/client-go/util/certificate"
"k8s.io/client-go/util/certificate/csr" "k8s.io/client-go/util/certificate/csr"
"k8s.io/client-go/util/keyutil"
) )
const tmpPrivateKeyFile = "kubelet-client.key.tmp" const tmpPrivateKeyFile = "kubelet-client.key.tmp"
...@@ -134,7 +135,7 @@ func LoadClientCert(kubeconfigPath, bootstrapPath, certDir string, nodeName type ...@@ -134,7 +135,7 @@ func LoadClientCert(kubeconfigPath, bootstrapPath, certDir string, nodeName type
var keyData []byte var keyData []byte
if cert, err := store.Current(); err == nil { if cert, err := store.Current(); err == nil {
if cert.PrivateKey != nil { if cert.PrivateKey != nil {
keyData, err = certutil.MarshalPrivateKeyToPEM(cert.PrivateKey) keyData, err = keyutil.MarshalPrivateKeyToPEM(cert.PrivateKey)
if err != nil { if err != nil {
keyData = nil keyData = nil
} }
...@@ -148,7 +149,7 @@ func LoadClientCert(kubeconfigPath, bootstrapPath, certDir string, nodeName type ...@@ -148,7 +149,7 @@ func LoadClientCert(kubeconfigPath, bootstrapPath, certDir string, nodeName type
klog.V(2).Infof("No valid private key and/or certificate found, reusing existing private key or creating a new one") klog.V(2).Infof("No valid private key and/or certificate found, reusing existing private key or creating a new one")
// Note: always call LoadOrGenerateKeyFile so that private key is // Note: always call LoadOrGenerateKeyFile so that private key is
// reused on next startup if CSR request fails. // reused on next startup if CSR request fails.
keyData, _, err = certutil.LoadOrGenerateKeyFile(privKeyPath) keyData, _, err = keyutil.LoadOrGenerateKeyFile(privKeyPath)
if err != nil { if err != nil {
return err return err
} }
...@@ -272,7 +273,7 @@ func verifyKeyData(data []byte) bool { ...@@ -272,7 +273,7 @@ func verifyKeyData(data []byte) bool {
if len(data) == 0 { if len(data) == 0 {
return false return false
} }
_, err := certutil.ParsePrivateKeyPEM(data) _, err := keyutil.ParsePrivateKeyPEM(data)
return err == nil return err == nil
} }
...@@ -316,7 +317,7 @@ func requestNodeCertificate(client certificatesv1beta1.CertificateSigningRequest ...@@ -316,7 +317,7 @@ func requestNodeCertificate(client certificatesv1beta1.CertificateSigningRequest
CommonName: "system:node:" + string(nodeName), CommonName: "system:node:" + string(nodeName),
} }
privateKey, err := certutil.ParsePrivateKeyPEM(privateKeyData) privateKey, err := keyutil.ParsePrivateKeyPEM(privateKeyData)
if err != nil { if err != nil {
return nil, fmt.Errorf("invalid private key for certificate request: %v", err) return nil, fmt.Errorf("invalid private key for certificate request: %v", err)
} }
......
...@@ -29,7 +29,7 @@ import ( ...@@ -29,7 +29,7 @@ import (
"k8s.io/apimachinery/pkg/watch" "k8s.io/apimachinery/pkg/watch"
certificatesclient "k8s.io/client-go/kubernetes/typed/certificates/v1beta1" certificatesclient "k8s.io/client-go/kubernetes/typed/certificates/v1beta1"
restclient "k8s.io/client-go/rest" restclient "k8s.io/client-go/rest"
certutil "k8s.io/client-go/util/cert" "k8s.io/client-go/util/keyutil"
) )
func TestLoadRESTClientConfig(t *testing.T) { func TestLoadRESTClientConfig(t *testing.T) {
...@@ -104,7 +104,7 @@ func TestRequestNodeCertificateErrorCreatingCSR(t *testing.T) { ...@@ -104,7 +104,7 @@ func TestRequestNodeCertificateErrorCreatingCSR(t *testing.T) {
client := &fakeClient{ client := &fakeClient{
failureType: createError, failureType: createError,
} }
privateKeyData, err := certutil.MakeEllipticPrivateKeyPEM() privateKeyData, err := keyutil.MakeEllipticPrivateKeyPEM()
if err != nil { if err != nil {
t.Fatalf("Unable to generate a new private key: %v", err) t.Fatalf("Unable to generate a new private key: %v", err)
} }
...@@ -119,7 +119,7 @@ func TestRequestNodeCertificateErrorCreatingCSR(t *testing.T) { ...@@ -119,7 +119,7 @@ func TestRequestNodeCertificateErrorCreatingCSR(t *testing.T) {
} }
func TestRequestNodeCertificate(t *testing.T) { func TestRequestNodeCertificate(t *testing.T) {
privateKeyData, err := certutil.MakeEllipticPrivateKeyPEM() privateKeyData, err := keyutil.MakeEllipticPrivateKeyPEM()
if err != nil { if err != nil {
t.Fatalf("Unable to generate a new private key: %v", err) t.Fatalf("Unable to generate a new private key: %v", err)
} }
......
...@@ -59,7 +59,7 @@ go_test( ...@@ -59,7 +59,7 @@ go_test(
"//staging/src/k8s.io/client-go/kubernetes/fake:go_default_library", "//staging/src/k8s.io/client-go/kubernetes/fake:go_default_library",
"//staging/src/k8s.io/client-go/listers/core/v1:go_default_library", "//staging/src/k8s.io/client-go/listers/core/v1:go_default_library",
"//staging/src/k8s.io/client-go/tools/cache:go_default_library", "//staging/src/k8s.io/client-go/tools/cache:go_default_library",
"//staging/src/k8s.io/client-go/util/cert:go_default_library", "//staging/src/k8s.io/client-go/util/keyutil:go_default_library",
"//vendor/gopkg.in/square/go-jose.v2/jwt:go_default_library", "//vendor/gopkg.in/square/go-jose.v2/jwt:go_default_library",
], ],
) )
...@@ -22,14 +22,14 @@ import ( ...@@ -22,14 +22,14 @@ import (
"strings" "strings"
"testing" "testing"
"k8s.io/api/core/v1" v1 "k8s.io/api/core/v1"
metav1 "k8s.io/apimachinery/pkg/apis/meta/v1" metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
"k8s.io/apiserver/pkg/authentication/authenticator" "k8s.io/apiserver/pkg/authentication/authenticator"
clientset "k8s.io/client-go/kubernetes" clientset "k8s.io/client-go/kubernetes"
"k8s.io/client-go/kubernetes/fake" "k8s.io/client-go/kubernetes/fake"
v1listers "k8s.io/client-go/listers/core/v1" v1listers "k8s.io/client-go/listers/core/v1"
"k8s.io/client-go/tools/cache" "k8s.io/client-go/tools/cache"
certutil "k8s.io/client-go/util/cert" "k8s.io/client-go/util/keyutil"
serviceaccountcontroller "k8s.io/kubernetes/pkg/controller/serviceaccount" serviceaccountcontroller "k8s.io/kubernetes/pkg/controller/serviceaccount"
"k8s.io/kubernetes/pkg/serviceaccount" "k8s.io/kubernetes/pkg/serviceaccount"
) )
...@@ -98,12 +98,12 @@ X2i8uIp/C/ASqiIGUeeKQtX0/IR3qCXyThP/dbCiHrF3v1cuhBOHY8CLVg== ...@@ -98,12 +98,12 @@ X2i8uIp/C/ASqiIGUeeKQtX0/IR3qCXyThP/dbCiHrF3v1cuhBOHY8CLVg==
-----END PUBLIC KEY-----` -----END PUBLIC KEY-----`
func getPrivateKey(data string) interface{} { func getPrivateKey(data string) interface{} {
key, _ := certutil.ParsePrivateKeyPEM([]byte(data)) key, _ := keyutil.ParsePrivateKeyPEM([]byte(data))
return key return key
} }
func getPublicKey(data string) interface{} { func getPublicKey(data string) interface{} {
keys, _ := certutil.ParsePublicKeysPEM([]byte(data)) keys, _ := keyutil.ParsePublicKeysPEM([]byte(data))
return keys[0] return keys[0]
} }
func TestTokenGenerateAndValidate(t *testing.T) { func TestTokenGenerateAndValidate(t *testing.T) {
......
...@@ -181,6 +181,7 @@ filegroup( ...@@ -181,6 +181,7 @@ filegroup(
"//staging/src/k8s.io/client-go/util/flowcontrol:all-srcs", "//staging/src/k8s.io/client-go/util/flowcontrol:all-srcs",
"//staging/src/k8s.io/client-go/util/homedir:all-srcs", "//staging/src/k8s.io/client-go/util/homedir:all-srcs",
"//staging/src/k8s.io/client-go/util/jsonpath:all-srcs", "//staging/src/k8s.io/client-go/util/jsonpath:all-srcs",
"//staging/src/k8s.io/client-go/util/keyutil:all-srcs",
"//staging/src/k8s.io/client-go/util/retry:all-srcs", "//staging/src/k8s.io/client-go/util/retry:all-srcs",
"//staging/src/k8s.io/client-go/util/testing:all-srcs", "//staging/src/k8s.io/client-go/util/testing:all-srcs",
"//staging/src/k8s.io/client-go/util/workqueue:all-srcs", "//staging/src/k8s.io/client-go/util/workqueue:all-srcs",
......
...@@ -2207,6 +2207,10 @@ ...@@ -2207,6 +2207,10 @@
"Rev": "xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx" "Rev": "xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx"
}, },
{ {
"ImportPath": "k8s.io/client-go/util/keyutil",
"Rev": "xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx"
},
{
"ImportPath": "k8s.io/client-go/util/retry", "ImportPath": "k8s.io/client-go/util/retry",
"Rev": "xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx" "Rev": "xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx"
}, },
......
...@@ -1923,6 +1923,10 @@ ...@@ -1923,6 +1923,10 @@
"Rev": "xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx" "Rev": "xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx"
}, },
{ {
"ImportPath": "k8s.io/client-go/util/keyutil",
"Rev": "xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx"
},
{
"ImportPath": "k8s.io/client-go/util/retry", "ImportPath": "k8s.io/client-go/util/retry",
"Rev": "xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx" "Rev": "xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx"
}, },
...@@ -2043,6 +2047,10 @@ ...@@ -2043,6 +2047,10 @@
"Rev": "xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx" "Rev": "xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx"
}, },
{ {
"ImportPath": "k8s.io/client-go/util/keyutil",
"Rev": "xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx"
},
{
"ImportPath": "k8s.io/component-base/cli/flag", "ImportPath": "k8s.io/component-base/cli/flag",
"Rev": "xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx" "Rev": "xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx"
}, },
......
...@@ -75,6 +75,7 @@ go_library( ...@@ -75,6 +75,7 @@ go_library(
"//staging/src/k8s.io/client-go/rest:go_default_library", "//staging/src/k8s.io/client-go/rest:go_default_library",
"//staging/src/k8s.io/client-go/tools/clientcmd:go_default_library", "//staging/src/k8s.io/client-go/tools/clientcmd:go_default_library",
"//staging/src/k8s.io/client-go/util/cert:go_default_library", "//staging/src/k8s.io/client-go/util/cert:go_default_library",
"//staging/src/k8s.io/client-go/util/keyutil:go_default_library",
"//staging/src/k8s.io/component-base/cli/flag:go_default_library", "//staging/src/k8s.io/component-base/cli/flag:go_default_library",
"//vendor/github.com/pborman/uuid:go_default_library", "//vendor/github.com/pborman/uuid:go_default_library",
"//vendor/github.com/spf13/pflag:go_default_library", "//vendor/github.com/spf13/pflag:go_default_library",
......
...@@ -30,6 +30,7 @@ import ( ...@@ -30,6 +30,7 @@ import (
utilnet "k8s.io/apimachinery/pkg/util/net" utilnet "k8s.io/apimachinery/pkg/util/net"
"k8s.io/apiserver/pkg/server" "k8s.io/apiserver/pkg/server"
certutil "k8s.io/client-go/util/cert" certutil "k8s.io/client-go/util/cert"
"k8s.io/client-go/util/keyutil"
cliflag "k8s.io/component-base/cli/flag" cliflag "k8s.io/component-base/cli/flag"
) )
...@@ -305,7 +306,7 @@ func (s *SecureServingOptions) MaybeDefaultWithSelfSignedCerts(publicAddress str ...@@ -305,7 +306,7 @@ func (s *SecureServingOptions) MaybeDefaultWithSelfSignedCerts(publicAddress str
if err := certutil.WriteCert(keyCert.CertFile, cert); err != nil { if err := certutil.WriteCert(keyCert.CertFile, cert); err != nil {
return err return err
} }
if err := certutil.WriteKey(keyCert.KeyFile, key); err != nil { if err := keyutil.WriteKey(keyCert.KeyFile, key); err != nil {
return err return err
} }
klog.Infof("Generated self-signed cert (%s, %s)", keyCert.CertFile, keyCert.KeyFile) klog.Infof("Generated self-signed cert (%s, %s)", keyCert.CertFile, keyCert.KeyFile)
......
...@@ -639,6 +639,10 @@ ...@@ -639,6 +639,10 @@
"Rev": "xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx" "Rev": "xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx"
}, },
{ {
"ImportPath": "k8s.io/client-go/util/keyutil",
"Rev": "xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx"
},
{
"ImportPath": "k8s.io/klog", "ImportPath": "k8s.io/klog",
"Rev": "8139d8cb77af419532b33dfa7dd09fbc5f1d344f" "Rev": "8139d8cb77af419532b33dfa7dd09fbc5f1d344f"
}, },
......
...@@ -8,12 +8,10 @@ load( ...@@ -8,12 +8,10 @@ load(
go_test( go_test(
name = "go_default_test", name = "go_default_test",
srcs = [ srcs = ["csr_test.go"],
"csr_test.go",
"pem_test.go",
],
data = glob(["testdata/**"]), data = glob(["testdata/**"]),
embed = [":go_default_library"], embed = [":go_default_library"],
deps = ["//staging/src/k8s.io/client-go/util/keyutil:go_default_library"],
) )
go_library( go_library(
...@@ -26,6 +24,7 @@ go_library( ...@@ -26,6 +24,7 @@ go_library(
], ],
importmap = "k8s.io/kubernetes/vendor/k8s.io/client-go/util/cert", importmap = "k8s.io/kubernetes/vendor/k8s.io/client-go/util/cert",
importpath = "k8s.io/client-go/util/cert", importpath = "k8s.io/client-go/util/cert",
deps = ["//staging/src/k8s.io/client-go/util/keyutil:go_default_library"],
) )
filegroup( filegroup(
......
...@@ -19,8 +19,6 @@ package cert ...@@ -19,8 +19,6 @@ package cert
import ( import (
"bytes" "bytes"
"crypto" "crypto"
"crypto/ecdsa"
"crypto/elliptic"
cryptorand "crypto/rand" cryptorand "crypto/rand"
"crypto/rsa" "crypto/rsa"
"crypto/x509" "crypto/x509"
...@@ -33,12 +31,12 @@ import ( ...@@ -33,12 +31,12 @@ import (
"path" "path"
"strings" "strings"
"time" "time"
)
const ( "k8s.io/client-go/util/keyutil"
duration365d = time.Hour * 24 * 365
) )
const duration365d = time.Hour * 24 * 365
// Config contains the basic fields required for creating a certificate // Config contains the basic fields required for creating a certificate
type Config struct { type Config struct {
CommonName string CommonName string
...@@ -78,25 +76,6 @@ func NewSelfSignedCACert(cfg Config, key crypto.Signer) (*x509.Certificate, erro ...@@ -78,25 +76,6 @@ func NewSelfSignedCACert(cfg Config, key crypto.Signer) (*x509.Certificate, erro
return x509.ParseCertificate(certDERBytes) return x509.ParseCertificate(certDERBytes)
} }
// MakeEllipticPrivateKeyPEM creates an ECDSA private key
func MakeEllipticPrivateKeyPEM() ([]byte, error) {
privateKey, err := ecdsa.GenerateKey(elliptic.P256(), cryptorand.Reader)
if err != nil {
return nil, err
}
derBytes, err := x509.MarshalECPrivateKey(privateKey)
if err != nil {
return nil, err
}
privateKeyPemBlock := &pem.Block{
Type: ECPrivateKeyBlockType,
Bytes: derBytes,
}
return pem.EncodeToMemory(privateKeyPemBlock), nil
}
// GenerateSelfSignedCertKey creates a self-signed certificate and key for the given host. // GenerateSelfSignedCertKey creates a self-signed certificate and key for the given host.
// Host may be an IP or a DNS name // Host may be an IP or a DNS name
// You may also specify additional subject alt names (either ip or dns names) for the certificate. // You may also specify additional subject alt names (either ip or dns names) for the certificate.
...@@ -202,7 +181,7 @@ func GenerateSelfSignedCertKeyWithFixtures(host string, alternateIPs []net.IP, a ...@@ -202,7 +181,7 @@ func GenerateSelfSignedCertKeyWithFixtures(host string, alternateIPs []net.IP, a
// Generate key // Generate key
keyBuffer := bytes.Buffer{} keyBuffer := bytes.Buffer{}
if err := pem.Encode(&keyBuffer, &pem.Block{Type: RSAPrivateKeyBlockType, Bytes: x509.MarshalPKCS1PrivateKey(priv)}); err != nil { if err := pem.Encode(&keyBuffer, &pem.Block{Type: keyutil.RSAPrivateKeyBlockType, Bytes: x509.MarshalPKCS1PrivateKey(priv)}); err != nil {
return nil, nil, err return nil, nil, err
} }
......
...@@ -23,6 +23,8 @@ import ( ...@@ -23,6 +23,8 @@ import (
"io/ioutil" "io/ioutil"
"net" "net"
"testing" "testing"
"k8s.io/client-go/util/keyutil"
) )
func TestMakeCSR(t *testing.T) { func TestMakeCSR(t *testing.T) {
...@@ -37,7 +39,7 @@ func TestMakeCSR(t *testing.T) { ...@@ -37,7 +39,7 @@ func TestMakeCSR(t *testing.T) {
if err != nil { if err != nil {
t.Fatal(err) t.Fatal(err)
} }
key, err := ParsePrivateKeyPEM(keyData) key, err := keyutil.ParsePrivateKeyPEM(keyData)
if err != nil { if err != nil {
t.Fatal(err) t.Fatal(err)
} }
......
...@@ -17,11 +17,7 @@ limitations under the License. ...@@ -17,11 +17,7 @@ limitations under the License.
package cert package cert
import ( import (
"crypto"
"crypto/ecdsa"
"crypto/rsa"
"crypto/x509" "crypto/x509"
"encoding/pem"
"fmt" "fmt"
"io/ioutil" "io/ioutil"
"os" "os"
...@@ -73,60 +69,6 @@ func WriteCert(certPath string, data []byte) error { ...@@ -73,60 +69,6 @@ func WriteCert(certPath string, data []byte) error {
return ioutil.WriteFile(certPath, data, os.FileMode(0644)) return ioutil.WriteFile(certPath, data, os.FileMode(0644))
} }
// WriteKey writes the pem-encoded key data to keyPath.
// The key file will be created with file mode 0600.
// If the key file already exists, it will be overwritten.
// The parent directory of the keyPath will be created as needed with file mode 0755.
func WriteKey(keyPath string, data []byte) error {
if err := os.MkdirAll(filepath.Dir(keyPath), os.FileMode(0755)); err != nil {
return err
}
return ioutil.WriteFile(keyPath, data, os.FileMode(0600))
}
// LoadOrGenerateKeyFile looks for a key in the file at the given path. If it
// can't find one, it will generate a new key and store it there.
func LoadOrGenerateKeyFile(keyPath string) (data []byte, wasGenerated bool, err error) {
loadedData, err := ioutil.ReadFile(keyPath)
// Call verifyKeyData to ensure the file wasn't empty/corrupt.
if err == nil && verifyKeyData(loadedData) {
return loadedData, false, err
}
if !os.IsNotExist(err) {
return nil, false, fmt.Errorf("error loading key from %s: %v", keyPath, err)
}
generatedData, err := MakeEllipticPrivateKeyPEM()
if err != nil {
return nil, false, fmt.Errorf("error generating key: %v", err)
}
if err := WriteKey(keyPath, generatedData); err != nil {
return nil, false, fmt.Errorf("error writing key to %s: %v", keyPath, err)
}
return generatedData, true, nil
}
// MarshalPrivateKeyToPEM converts a known private key type of RSA or ECDSA to
// a PEM encoded block or returns an error.
func MarshalPrivateKeyToPEM(privateKey crypto.PrivateKey) ([]byte, error) {
switch t := privateKey.(type) {
case *ecdsa.PrivateKey:
derBytes, err := x509.MarshalECPrivateKey(t)
if err != nil {
return nil, err
}
privateKeyPemBlock := &pem.Block{
Type: ECPrivateKeyBlockType,
Bytes: derBytes,
}
return pem.EncodeToMemory(privateKeyPemBlock), nil
case *rsa.PrivateKey:
return EncodePrivateKeyPEM(t), nil
default:
return nil, fmt.Errorf("private key is not a recognized type: %T", privateKey)
}
}
// NewPool returns an x509.CertPool containing the certificates in the given PEM-encoded file. // NewPool returns an x509.CertPool containing the certificates in the given PEM-encoded file.
// Returns an error if the file could not be read, a certificate could not be parsed, or if the file does not contain any certificates // Returns an error if the file could not be read, a certificate could not be parsed, or if the file does not contain any certificates
func NewPool(filename string) (*x509.CertPool, error) { func NewPool(filename string) (*x509.CertPool, error) {
...@@ -154,40 +96,3 @@ func CertsFromFile(file string) ([]*x509.Certificate, error) { ...@@ -154,40 +96,3 @@ func CertsFromFile(file string) ([]*x509.Certificate, error) {
} }
return certs, nil return certs, nil
} }
// PrivateKeyFromFile returns the private key in rsa.PrivateKey or ecdsa.PrivateKey format from a given PEM-encoded file.
// Returns an error if the file could not be read or if the private key could not be parsed.
func PrivateKeyFromFile(file string) (interface{}, error) {
data, err := ioutil.ReadFile(file)
if err != nil {
return nil, err
}
key, err := ParsePrivateKeyPEM(data)
if err != nil {
return nil, fmt.Errorf("error reading private key file %s: %v", file, err)
}
return key, nil
}
// PublicKeysFromFile returns the public keys in rsa.PublicKey or ecdsa.PublicKey format from a given PEM-encoded file.
// Reads public keys from both public and private key files.
func PublicKeysFromFile(file string) ([]interface{}, error) {
data, err := ioutil.ReadFile(file)
if err != nil {
return nil, err
}
keys, err := ParsePublicKeysPEM(data)
if err != nil {
return nil, fmt.Errorf("error reading public key file %s: %v", file, err)
}
return keys, nil
}
// verifyKeyData returns true if the provided data appears to be a valid private key.
func verifyKeyData(data []byte) bool {
if len(data) == 0 {
return false
}
_, err := ParsePrivateKeyPEM(data)
return err == nil
}
...@@ -17,113 +17,18 @@ limitations under the License. ...@@ -17,113 +17,18 @@ limitations under the License.
package cert package cert
import ( import (
"crypto/ecdsa"
"crypto/rsa"
"crypto/x509" "crypto/x509"
"encoding/pem" "encoding/pem"
"errors" "errors"
"fmt"
) )
const ( const (
// ECPrivateKeyBlockType is a possible value for pem.Block.Type.
ECPrivateKeyBlockType = "EC PRIVATE KEY"
// RSAPrivateKeyBlockType is a possible value for pem.Block.Type.
RSAPrivateKeyBlockType = "RSA PRIVATE KEY"
// CertificateRequestBlockType is a possible value for pem.Block.Type.
CertificateRequestBlockType = "CERTIFICATE REQUEST"
// CertificateBlockType is a possible value for pem.Block.Type. // CertificateBlockType is a possible value for pem.Block.Type.
CertificateBlockType = "CERTIFICATE" CertificateBlockType = "CERTIFICATE"
// PrivateKeyBlockType is a possible value for pem.Block.Type. // CertificateRequestBlockType is a possible value for pem.Block.Type.
PrivateKeyBlockType = "PRIVATE KEY" CertificateRequestBlockType = "CERTIFICATE REQUEST"
) )
// ParsePrivateKeyPEM returns a private key parsed from a PEM block in the supplied data.
// Recognizes PEM blocks for "EC PRIVATE KEY", "RSA PRIVATE KEY", or "PRIVATE KEY"
func ParsePrivateKeyPEM(keyData []byte) (interface{}, error) {
var privateKeyPemBlock *pem.Block
for {
privateKeyPemBlock, keyData = pem.Decode(keyData)
if privateKeyPemBlock == nil {
break
}
switch privateKeyPemBlock.Type {
case ECPrivateKeyBlockType:
// ECDSA Private Key in ASN.1 format
if key, err := x509.ParseECPrivateKey(privateKeyPemBlock.Bytes); err == nil {
return key, nil
}
case RSAPrivateKeyBlockType:
// RSA Private Key in PKCS#1 format
if key, err := x509.ParsePKCS1PrivateKey(privateKeyPemBlock.Bytes); err == nil {
return key, nil
}
case PrivateKeyBlockType:
// RSA or ECDSA Private Key in unencrypted PKCS#8 format
if key, err := x509.ParsePKCS8PrivateKey(privateKeyPemBlock.Bytes); err == nil {
return key, nil
}
}
// tolerate non-key PEM blocks for compatibility with things like "EC PARAMETERS" blocks
// originally, only the first PEM block was parsed and expected to be a key block
}
// we read all the PEM blocks and didn't recognize one
return nil, fmt.Errorf("data does not contain a valid RSA or ECDSA private key")
}
// ParsePublicKeysPEM is a helper function for reading an array of rsa.PublicKey or ecdsa.PublicKey from a PEM-encoded byte array.
// Reads public keys from both public and private key files.
func ParsePublicKeysPEM(keyData []byte) ([]interface{}, error) {
var block *pem.Block
keys := []interface{}{}
for {
// read the next block
block, keyData = pem.Decode(keyData)
if block == nil {
break
}
// test block against parsing functions
if privateKey, err := parseRSAPrivateKey(block.Bytes); err == nil {
keys = append(keys, &privateKey.PublicKey)
continue
}
if publicKey, err := parseRSAPublicKey(block.Bytes); err == nil {
keys = append(keys, publicKey)
continue
}
if privateKey, err := parseECPrivateKey(block.Bytes); err == nil {
keys = append(keys, &privateKey.PublicKey)
continue
}
if publicKey, err := parseECPublicKey(block.Bytes); err == nil {
keys = append(keys, publicKey)
continue
}
// tolerate non-key PEM blocks for backwards compatibility
// originally, only the first PEM block was parsed and expected to be a key block
}
if len(keys) == 0 {
return nil, fmt.Errorf("data does not contain any valid RSA or ECDSA public keys")
}
return keys, nil
}
// EncodePrivateKeyPEM returns PEM-encoded private key data
func EncodePrivateKeyPEM(key *rsa.PrivateKey) []byte {
block := pem.Block{
Type: RSAPrivateKeyBlockType,
Bytes: x509.MarshalPKCS1PrivateKey(key),
}
return pem.EncodeToMemory(&block)
}
// ParseCertsPEM returns the x509.Certificates contained in the given PEM-encoded byte array // ParseCertsPEM returns the x509.Certificates contained in the given PEM-encoded byte array
// Returns an error if a certificate could not be parsed, or if the data does not contain any certificates // Returns an error if a certificate could not be parsed, or if the data does not contain any certificates
func ParseCertsPEM(pemCerts []byte) ([]*x509.Certificate, error) { func ParseCertsPEM(pemCerts []byte) ([]*x509.Certificate, error) {
...@@ -154,93 +59,3 @@ func ParseCertsPEM(pemCerts []byte) ([]*x509.Certificate, error) { ...@@ -154,93 +59,3 @@ func ParseCertsPEM(pemCerts []byte) ([]*x509.Certificate, error) {
} }
return certs, nil return certs, nil
} }
// parseRSAPublicKey parses a single RSA public key from the provided data
func parseRSAPublicKey(data []byte) (*rsa.PublicKey, error) {
var err error
// Parse the key
var parsedKey interface{}
if parsedKey, err = x509.ParsePKIXPublicKey(data); err != nil {
if cert, err := x509.ParseCertificate(data); err == nil {
parsedKey = cert.PublicKey
} else {
return nil, err
}
}
// Test if parsed key is an RSA Public Key
var pubKey *rsa.PublicKey
var ok bool
if pubKey, ok = parsedKey.(*rsa.PublicKey); !ok {
return nil, fmt.Errorf("data doesn't contain valid RSA Public Key")
}
return pubKey, nil
}
// parseRSAPrivateKey parses a single RSA private key from the provided data
func parseRSAPrivateKey(data []byte) (*rsa.PrivateKey, error) {
var err error
// Parse the key
var parsedKey interface{}
if parsedKey, err = x509.ParsePKCS1PrivateKey(data); err != nil {
if parsedKey, err = x509.ParsePKCS8PrivateKey(data); err != nil {
return nil, err
}
}
// Test if parsed key is an RSA Private Key
var privKey *rsa.PrivateKey
var ok bool
if privKey, ok = parsedKey.(*rsa.PrivateKey); !ok {
return nil, fmt.Errorf("data doesn't contain valid RSA Private Key")
}
return privKey, nil
}
// parseECPublicKey parses a single ECDSA public key from the provided data
func parseECPublicKey(data []byte) (*ecdsa.PublicKey, error) {
var err error
// Parse the key
var parsedKey interface{}
if parsedKey, err = x509.ParsePKIXPublicKey(data); err != nil {
if cert, err := x509.ParseCertificate(data); err == nil {
parsedKey = cert.PublicKey
} else {
return nil, err
}
}
// Test if parsed key is an ECDSA Public Key
var pubKey *ecdsa.PublicKey
var ok bool
if pubKey, ok = parsedKey.(*ecdsa.PublicKey); !ok {
return nil, fmt.Errorf("data doesn't contain valid ECDSA Public Key")
}
return pubKey, nil
}
// parseECPrivateKey parses a single ECDSA private key from the provided data
func parseECPrivateKey(data []byte) (*ecdsa.PrivateKey, error) {
var err error
// Parse the key
var parsedKey interface{}
if parsedKey, err = x509.ParseECPrivateKey(data); err != nil {
return nil, err
}
// Test if parsed key is an ECDSA Private Key
var privKey *ecdsa.PrivateKey
var ok bool
if privKey, ok = parsedKey.(*ecdsa.PrivateKey); !ok {
return nil, fmt.Errorf("data doesn't contain valid ECDSA Private Key")
}
return privKey, nil
}
...@@ -42,6 +42,7 @@ go_library( ...@@ -42,6 +42,7 @@ go_library(
"//staging/src/k8s.io/client-go/kubernetes/typed/certificates/v1beta1:go_default_library", "//staging/src/k8s.io/client-go/kubernetes/typed/certificates/v1beta1:go_default_library",
"//staging/src/k8s.io/client-go/util/cert:go_default_library", "//staging/src/k8s.io/client-go/util/cert:go_default_library",
"//staging/src/k8s.io/client-go/util/certificate/csr:go_default_library", "//staging/src/k8s.io/client-go/util/certificate/csr:go_default_library",
"//staging/src/k8s.io/client-go/util/keyutil:go_default_library",
"//vendor/k8s.io/klog:go_default_library", "//vendor/k8s.io/klog:go_default_library",
], ],
) )
......
...@@ -38,6 +38,7 @@ import ( ...@@ -38,6 +38,7 @@ import (
certificatesclient "k8s.io/client-go/kubernetes/typed/certificates/v1beta1" certificatesclient "k8s.io/client-go/kubernetes/typed/certificates/v1beta1"
"k8s.io/client-go/util/cert" "k8s.io/client-go/util/cert"
"k8s.io/client-go/util/certificate/csr" "k8s.io/client-go/util/certificate/csr"
"k8s.io/client-go/util/keyutil"
) )
// certificateWaitTimeout controls the amount of time we wait for certificate // certificateWaitTimeout controls the amount of time we wait for certificate
...@@ -547,7 +548,7 @@ func (m *manager) generateCSR() (template *x509.CertificateRequest, csrPEM []byt ...@@ -547,7 +548,7 @@ func (m *manager) generateCSR() (template *x509.CertificateRequest, csrPEM []byt
return nil, nil, nil, nil, fmt.Errorf("unable to marshal the new key to DER: %v", err) return nil, nil, nil, nil, fmt.Errorf("unable to marshal the new key to DER: %v", err)
} }
keyPEM = pem.EncodeToMemory(&pem.Block{Type: cert.ECPrivateKeyBlockType, Bytes: der}) keyPEM = pem.EncodeToMemory(&pem.Block{Type: keyutil.ECPrivateKeyBlockType, Bytes: der})
template = m.getTemplate() template = m.getTemplate()
if template == nil { if template == nil {
......
package(default_visibility = ["//visibility:public"])
load(
"@io_bazel_rules_go//go:def.bzl",
"go_library",
"go_test",
)
go_test(
name = "go_default_test",
srcs = ["key_test.go"],
embed = [":go_default_library"],
)
go_library(
name = "go_default_library",
srcs = ["key.go"],
importmap = "k8s.io/kubernetes/vendor/k8s.io/client-go/util/keyutil",
importpath = "k8s.io/client-go/util/keyutil",
)
filegroup(
name = "package-srcs",
srcs = glob(["**"]),
tags = ["automanaged"],
visibility = ["//visibility:private"],
)
filegroup(
name = "all-srcs",
srcs = [":package-srcs"],
tags = ["automanaged"],
)
approvers:
- sig-auth-certificates-approvers
reviewers:
- sig-auth-certificates-reviewers
labels:
- sig/auth
/* /*
Copyright 2014 The Kubernetes Authors. Copyright 2018 The Kubernetes Authors.
Licensed under the Apache License, Version 2.0 (the "License"); Licensed under the Apache License, Version 2.0 (the "License");
you may not use this file except in compliance with the License. you may not use this file except in compliance with the License.
...@@ -14,7 +14,7 @@ See the License for the specific language governing permissions and ...@@ -14,7 +14,7 @@ See the License for the specific language governing permissions and
limitations under the License. limitations under the License.
*/ */
package cert package keyutil
import ( import (
"io/ioutil" "io/ioutil"
......
...@@ -951,6 +951,10 @@ ...@@ -951,6 +951,10 @@
"Rev": "xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx" "Rev": "xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx"
}, },
{ {
"ImportPath": "k8s.io/client-go/util/keyutil",
"Rev": "xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx"
},
{
"ImportPath": "k8s.io/client-go/util/retry", "ImportPath": "k8s.io/client-go/util/retry",
"Rev": "xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx" "Rev": "xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx"
}, },
......
...@@ -519,6 +519,10 @@ ...@@ -519,6 +519,10 @@
"Rev": "xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx" "Rev": "xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx"
}, },
{ {
"ImportPath": "k8s.io/client-go/util/keyutil",
"Rev": "xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx"
},
{
"ImportPath": "k8s.io/client-go/util/retry", "ImportPath": "k8s.io/client-go/util/retry",
"Rev": "xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx" "Rev": "xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx"
}, },
......
...@@ -1759,6 +1759,10 @@ ...@@ -1759,6 +1759,10 @@
"Rev": "xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx" "Rev": "xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx"
}, },
{ {
"ImportPath": "k8s.io/client-go/util/keyutil",
"Rev": "xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx"
},
{
"ImportPath": "k8s.io/client-go/util/retry", "ImportPath": "k8s.io/client-go/util/retry",
"Rev": "xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx" "Rev": "xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx"
}, },
......
...@@ -499,6 +499,10 @@ ...@@ -499,6 +499,10 @@
"Rev": "xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx" "Rev": "xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx"
}, },
{ {
"ImportPath": "k8s.io/client-go/util/keyutil",
"Rev": "xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx"
},
{
"ImportPath": "k8s.io/klog", "ImportPath": "k8s.io/klog",
"Rev": "8139d8cb77af419532b33dfa7dd09fbc5f1d344f" "Rev": "8139d8cb77af419532b33dfa7dd09fbc5f1d344f"
}, },
......
...@@ -519,6 +519,10 @@ ...@@ -519,6 +519,10 @@
"Rev": "xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx" "Rev": "xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx"
}, },
{ {
"ImportPath": "k8s.io/client-go/util/keyutil",
"Rev": "xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx"
},
{
"ImportPath": "k8s.io/client-go/util/retry", "ImportPath": "k8s.io/client-go/util/retry",
"Rev": "xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx" "Rev": "xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx"
}, },
......
...@@ -1719,6 +1719,10 @@ ...@@ -1719,6 +1719,10 @@
"Rev": "xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx" "Rev": "xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx"
}, },
{ {
"ImportPath": "k8s.io/client-go/util/keyutil",
"Rev": "xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx"
},
{
"ImportPath": "k8s.io/client-go/util/retry", "ImportPath": "k8s.io/client-go/util/retry",
"Rev": "xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx" "Rev": "xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx"
}, },
......
...@@ -575,6 +575,10 @@ ...@@ -575,6 +575,10 @@
"Rev": "xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx" "Rev": "xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx"
}, },
{ {
"ImportPath": "k8s.io/client-go/util/keyutil",
"Rev": "xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx"
},
{
"ImportPath": "k8s.io/klog", "ImportPath": "k8s.io/klog",
"Rev": "8139d8cb77af419532b33dfa7dd09fbc5f1d344f" "Rev": "8139d8cb77af419532b33dfa7dd09fbc5f1d344f"
}, },
......
...@@ -1123,6 +1123,10 @@ ...@@ -1123,6 +1123,10 @@
"Rev": "xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx" "Rev": "xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx"
}, },
{ {
"ImportPath": "k8s.io/client-go/util/keyutil",
"Rev": "xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx"
},
{
"ImportPath": "k8s.io/client-go/util/retry", "ImportPath": "k8s.io/client-go/util/retry",
"Rev": "xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx" "Rev": "xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx"
}, },
......
...@@ -67,6 +67,7 @@ go_library( ...@@ -67,6 +67,7 @@ go_library(
"//staging/src/k8s.io/client-go/dynamic:go_default_library", "//staging/src/k8s.io/client-go/dynamic:go_default_library",
"//staging/src/k8s.io/client-go/kubernetes:go_default_library", "//staging/src/k8s.io/client-go/kubernetes:go_default_library",
"//staging/src/k8s.io/client-go/util/cert:go_default_library", "//staging/src/k8s.io/client-go/util/cert:go_default_library",
"//staging/src/k8s.io/client-go/util/keyutil:go_default_library",
"//staging/src/k8s.io/client-go/util/workqueue:go_default_library", "//staging/src/k8s.io/client-go/util/workqueue:go_default_library",
"//staging/src/k8s.io/kube-aggregator/pkg/apis/apiregistration/v1beta1:go_default_library", "//staging/src/k8s.io/kube-aggregator/pkg/apis/apiregistration/v1beta1:go_default_library",
"//staging/src/k8s.io/kube-aggregator/pkg/client/clientset_generated/clientset:go_default_library", "//staging/src/k8s.io/kube-aggregator/pkg/client/clientset_generated/clientset:go_default_library",
......
...@@ -21,7 +21,8 @@ import ( ...@@ -21,7 +21,8 @@ import (
"io/ioutil" "io/ioutil"
"os" "os"
certutil "k8s.io/client-go/util/cert" "k8s.io/client-go/util/cert"
"k8s.io/client-go/util/keyutil"
"k8s.io/kubernetes/cmd/kubeadm/app/util/pkiutil" "k8s.io/kubernetes/cmd/kubeadm/app/util/pkiutil"
"k8s.io/kubernetes/test/e2e/framework" "k8s.io/kubernetes/test/e2e/framework"
) )
...@@ -44,7 +45,7 @@ func setupServerCert(namespaceName, serviceName string) *certContext { ...@@ -44,7 +45,7 @@ func setupServerCert(namespaceName, serviceName string) *certContext {
if err != nil { if err != nil {
framework.Failf("Failed to create CA private key %v", err) framework.Failf("Failed to create CA private key %v", err)
} }
signingCert, err := certutil.NewSelfSignedCACert(certutil.Config{CommonName: "e2e-server-cert-ca"}, signingKey) signingCert, err := cert.NewSelfSignedCACert(cert.Config{CommonName: "e2e-server-cert-ca"}, signingKey)
if err != nil { if err != nil {
framework.Failf("Failed to create CA cert for apiserver %v", err) framework.Failf("Failed to create CA cert for apiserver %v", err)
} }
...@@ -60,7 +61,7 @@ func setupServerCert(namespaceName, serviceName string) *certContext { ...@@ -60,7 +61,7 @@ func setupServerCert(namespaceName, serviceName string) *certContext {
framework.Failf("Failed to create private key for %v", err) framework.Failf("Failed to create private key for %v", err)
} }
signedCert, err := pkiutil.NewSignedCert( signedCert, err := pkiutil.NewSignedCert(
&certutil.Config{ &cert.Config{
CommonName: serviceName + "." + namespaceName + ".svc", CommonName: serviceName + "." + namespaceName + ".svc",
Usages: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth}, Usages: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
}, },
...@@ -80,12 +81,16 @@ func setupServerCert(namespaceName, serviceName string) *certContext { ...@@ -80,12 +81,16 @@ func setupServerCert(namespaceName, serviceName string) *certContext {
if err = ioutil.WriteFile(certFile.Name(), pkiutil.EncodeCertPEM(signedCert), 0600); err != nil { if err = ioutil.WriteFile(certFile.Name(), pkiutil.EncodeCertPEM(signedCert), 0600); err != nil {
framework.Failf("Failed to write cert file %v", err) framework.Failf("Failed to write cert file %v", err)
} }
if err = ioutil.WriteFile(keyFile.Name(), certutil.EncodePrivateKeyPEM(key), 0644); err != nil { privateKeyPEM, err := keyutil.MarshalPrivateKeyToPEM(key)
if err != nil {
framework.Failf("Failed to marshal key %v", err)
}
if err = ioutil.WriteFile(keyFile.Name(), privateKeyPEM, 0644); err != nil {
framework.Failf("Failed to write key file %v", err) framework.Failf("Failed to write key file %v", err)
} }
return &certContext{ return &certContext{
cert: pkiutil.EncodeCertPEM(signedCert), cert: pkiutil.EncodeCertPEM(signedCert),
key: certutil.EncodePrivateKeyPEM(key), key: privateKeyPEM,
signingCert: pkiutil.EncodeCertPEM(signingCert), signingCert: pkiutil.EncodeCertPEM(signingCert),
} }
} }
...@@ -22,14 +22,15 @@ import ( ...@@ -22,14 +22,15 @@ import (
"encoding/pem" "encoding/pem"
"time" "time"
. "github.com/onsi/ginkgo"
"k8s.io/api/certificates/v1beta1" "k8s.io/api/certificates/v1beta1"
metav1 "k8s.io/apimachinery/pkg/apis/meta/v1" metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
"k8s.io/apimachinery/pkg/util/wait" "k8s.io/apimachinery/pkg/util/wait"
v1beta1client "k8s.io/client-go/kubernetes/typed/certificates/v1beta1" v1beta1client "k8s.io/client-go/kubernetes/typed/certificates/v1beta1"
"k8s.io/client-go/util/cert" "k8s.io/client-go/util/cert"
pkiutil "k8s.io/kubernetes/cmd/kubeadm/app/util/pkiutil" "k8s.io/kubernetes/cmd/kubeadm/app/util/pkiutil"
"k8s.io/kubernetes/test/e2e/framework" "k8s.io/kubernetes/test/e2e/framework"
. "github.com/onsi/ginkgo"
) )
var _ = SIGDescribe("Certificates API", func() { var _ = SIGDescribe("Certificates API", func() {
......
...@@ -85,7 +85,7 @@ go_test( ...@@ -85,7 +85,7 @@ go_test(
"//staging/src/k8s.io/client-go/tools/clientcmd/api/v1:go_default_library", "//staging/src/k8s.io/client-go/tools/clientcmd/api/v1:go_default_library",
"//staging/src/k8s.io/client-go/tools/watch:go_default_library", "//staging/src/k8s.io/client-go/tools/watch:go_default_library",
"//staging/src/k8s.io/client-go/transport:go_default_library", "//staging/src/k8s.io/client-go/transport:go_default_library",
"//staging/src/k8s.io/client-go/util/cert:go_default_library", "//staging/src/k8s.io/client-go/util/keyutil:go_default_library",
"//staging/src/k8s.io/cluster-bootstrap/token/api:go_default_library", "//staging/src/k8s.io/cluster-bootstrap/token/api:go_default_library",
"//staging/src/k8s.io/csi-api/pkg/apis/csi/v1alpha1:go_default_library", "//staging/src/k8s.io/csi-api/pkg/apis/csi/v1alpha1:go_default_library",
"//staging/src/k8s.io/csi-api/pkg/client/clientset/versioned:go_default_library", "//staging/src/k8s.io/csi-api/pkg/client/clientset/versioned:go_default_library",
......
...@@ -41,7 +41,7 @@ import ( ...@@ -41,7 +41,7 @@ import (
clientset "k8s.io/client-go/kubernetes" clientset "k8s.io/client-go/kubernetes"
v1listers "k8s.io/client-go/listers/core/v1" v1listers "k8s.io/client-go/listers/core/v1"
"k8s.io/client-go/tools/cache" "k8s.io/client-go/tools/cache"
certutil "k8s.io/client-go/util/cert" "k8s.io/client-go/util/keyutil"
"k8s.io/kubernetes/pkg/apis/core" "k8s.io/kubernetes/pkg/apis/core"
serviceaccountgetter "k8s.io/kubernetes/pkg/controller/serviceaccount" serviceaccountgetter "k8s.io/kubernetes/pkg/controller/serviceaccount"
"k8s.io/kubernetes/pkg/features" "k8s.io/kubernetes/pkg/features"
...@@ -59,7 +59,7 @@ func TestServiceAccountTokenCreate(t *testing.T) { ...@@ -59,7 +59,7 @@ func TestServiceAccountTokenCreate(t *testing.T) {
defer utilfeaturetesting.SetFeatureGateDuringTest(t, utilfeature.DefaultFeatureGate, features.TokenRequest, true)() defer utilfeaturetesting.SetFeatureGateDuringTest(t, utilfeature.DefaultFeatureGate, features.TokenRequest, true)()
// Build client config, clientset, and informers // Build client config, clientset, and informers
sk, err := certutil.ParsePrivateKeyPEM([]byte(ecdsaPrivateKey)) sk, err := keyutil.ParsePrivateKeyPEM([]byte(ecdsaPrivateKey))
if err != nil { if err != nil {
t.Fatalf("err: %v", err) t.Fatalf("err: %v", err)
} }
......
...@@ -36,6 +36,7 @@ go_test( ...@@ -36,6 +36,7 @@ go_test(
"//staging/src/k8s.io/client-go/tools/clientcmd:go_default_library", "//staging/src/k8s.io/client-go/tools/clientcmd:go_default_library",
"//staging/src/k8s.io/client-go/tools/clientcmd/api:go_default_library", "//staging/src/k8s.io/client-go/tools/clientcmd/api:go_default_library",
"//staging/src/k8s.io/client-go/util/cert:go_default_library", "//staging/src/k8s.io/client-go/util/cert:go_default_library",
"//staging/src/k8s.io/client-go/util/keyutil:go_default_library",
"//staging/src/k8s.io/kube-aggregator/pkg/apis/apiregistration/v1beta1:go_default_library", "//staging/src/k8s.io/kube-aggregator/pkg/apis/apiregistration/v1beta1:go_default_library",
"//staging/src/k8s.io/kube-aggregator/pkg/client/clientset_generated/clientset:go_default_library", "//staging/src/k8s.io/kube-aggregator/pkg/client/clientset_generated/clientset:go_default_library",
"//staging/src/k8s.io/kube-aggregator/pkg/cmd/server:go_default_library", "//staging/src/k8s.io/kube-aggregator/pkg/cmd/server:go_default_library",
......
...@@ -42,13 +42,14 @@ import ( ...@@ -42,13 +42,14 @@ import (
"k8s.io/client-go/rest" "k8s.io/client-go/rest"
"k8s.io/client-go/tools/clientcmd" "k8s.io/client-go/tools/clientcmd"
clientcmdapi "k8s.io/client-go/tools/clientcmd/api" clientcmdapi "k8s.io/client-go/tools/clientcmd/api"
certutil "k8s.io/client-go/util/cert" "k8s.io/client-go/util/cert"
"k8s.io/client-go/util/keyutil"
apiregistrationv1beta1 "k8s.io/kube-aggregator/pkg/apis/apiregistration/v1beta1" apiregistrationv1beta1 "k8s.io/kube-aggregator/pkg/apis/apiregistration/v1beta1"
aggregatorclient "k8s.io/kube-aggregator/pkg/client/clientset_generated/clientset" aggregatorclient "k8s.io/kube-aggregator/pkg/client/clientset_generated/clientset"
kubeaggregatorserver "k8s.io/kube-aggregator/pkg/cmd/server" kubeaggregatorserver "k8s.io/kube-aggregator/pkg/cmd/server"
"k8s.io/kubernetes/cmd/kube-apiserver/app" "k8s.io/kubernetes/cmd/kube-apiserver/app"
"k8s.io/kubernetes/cmd/kube-apiserver/app/options" "k8s.io/kubernetes/cmd/kube-apiserver/app/options"
pkiutil "k8s.io/kubernetes/cmd/kubeadm/app/util/pkiutil" "k8s.io/kubernetes/cmd/kubeadm/app/util/pkiutil"
"k8s.io/kubernetes/test/integration/framework" "k8s.io/kubernetes/test/integration/framework"
wardlev1alpha1 "k8s.io/sample-apiserver/pkg/apis/wardle/v1alpha1" wardlev1alpha1 "k8s.io/sample-apiserver/pkg/apis/wardle/v1alpha1"
wardlev1beta1 "k8s.io/sample-apiserver/pkg/apis/wardle/v1beta1" wardlev1beta1 "k8s.io/sample-apiserver/pkg/apis/wardle/v1beta1"
...@@ -66,7 +67,7 @@ func TestAggregatedAPIServer(t *testing.T) { ...@@ -66,7 +67,7 @@ func TestAggregatedAPIServer(t *testing.T) {
if err != nil { if err != nil {
t.Fatal(err) t.Fatal(err)
} }
proxySigningCert, err := certutil.NewSelfSignedCACert(certutil.Config{CommonName: "front-proxy-ca"}, proxySigningKey) proxySigningCert, err := cert.NewSelfSignedCACert(cert.Config{CommonName: "front-proxy-ca"}, proxySigningKey)
if err != nil { if err != nil {
t.Fatal(err) t.Fatal(err)
} }
...@@ -78,7 +79,7 @@ func TestAggregatedAPIServer(t *testing.T) { ...@@ -78,7 +79,7 @@ func TestAggregatedAPIServer(t *testing.T) {
if err != nil { if err != nil {
t.Fatal(err) t.Fatal(err)
} }
clientSigningCert, err := certutil.NewSelfSignedCACert(certutil.Config{CommonName: "client-ca"}, clientSigningKey) clientSigningCert, err := cert.NewSelfSignedCACert(cert.Config{CommonName: "client-ca"}, clientSigningKey)
if err != nil { if err != nil {
t.Fatal(err) t.Fatal(err)
} }
...@@ -240,7 +241,7 @@ func TestAggregatedAPIServer(t *testing.T) { ...@@ -240,7 +241,7 @@ func TestAggregatedAPIServer(t *testing.T) {
t.Fatal(err) t.Fatal(err)
} }
proxyClientCert, err := pkiutil.NewSignedCert( proxyClientCert, err := pkiutil.NewSignedCert(
&certutil.Config{ &cert.Config{
CommonName: "kube-aggregator", CommonName: "kube-aggregator",
Usages: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}, Usages: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth},
}, },
...@@ -251,7 +252,11 @@ func TestAggregatedAPIServer(t *testing.T) { ...@@ -251,7 +252,11 @@ func TestAggregatedAPIServer(t *testing.T) {
if err := ioutil.WriteFile(proxyClientCertFile.Name(), pkiutil.EncodeCertPEM(proxyClientCert), 0600); err != nil { if err := ioutil.WriteFile(proxyClientCertFile.Name(), pkiutil.EncodeCertPEM(proxyClientCert), 0600); err != nil {
t.Fatal(err) t.Fatal(err)
} }
if err := ioutil.WriteFile(proxyClientKeyFile.Name(), certutil.EncodePrivateKeyPEM(proxyClientKey), 0644); err != nil { proxyClientKeyPEM, err := keyutil.MarshalPrivateKeyToPEM(proxyClientKey)
if err != nil {
t.Fatal(err)
}
if err := ioutil.WriteFile(proxyClientKeyFile.Name(), proxyClientKeyPEM, 0644); err != nil {
t.Fatal(err) t.Fatal(err)
} }
aggregatorPort := new(int32) aggregatorPort := new(int32)
......
...@@ -32,11 +32,10 @@ import ( ...@@ -32,11 +32,10 @@ import (
genericapiserveroptions "k8s.io/apiserver/pkg/server/options" genericapiserveroptions "k8s.io/apiserver/pkg/server/options"
client "k8s.io/client-go/kubernetes" client "k8s.io/client-go/kubernetes"
"k8s.io/client-go/rest" "k8s.io/client-go/rest"
certutil "k8s.io/client-go/util/cert" "k8s.io/client-go/util/cert"
"k8s.io/kubernetes/cmd/kube-apiserver/app" "k8s.io/kubernetes/cmd/kube-apiserver/app"
"k8s.io/kubernetes/cmd/kube-apiserver/app/options" "k8s.io/kubernetes/cmd/kube-apiserver/app/options"
pkiutil "k8s.io/kubernetes/cmd/kubeadm/app/util/pkiutil" "k8s.io/kubernetes/cmd/kubeadm/app/util/pkiutil"
"k8s.io/kubernetes/pkg/master" "k8s.io/kubernetes/pkg/master"
) )
...@@ -58,7 +57,7 @@ func StartTestServer(t *testing.T, stopCh <-chan struct{}, setup TestServerSetup ...@@ -58,7 +57,7 @@ func StartTestServer(t *testing.T, stopCh <-chan struct{}, setup TestServerSetup
if err != nil { if err != nil {
t.Fatal(err) t.Fatal(err)
} }
proxySigningCert, err := certutil.NewSelfSignedCACert(certutil.Config{CommonName: "front-proxy-ca"}, proxySigningKey) proxySigningCert, err := cert.NewSelfSignedCACert(cert.Config{CommonName: "front-proxy-ca"}, proxySigningKey)
if err != nil { if err != nil {
t.Fatal(err) t.Fatal(err)
} }
...@@ -70,7 +69,7 @@ func StartTestServer(t *testing.T, stopCh <-chan struct{}, setup TestServerSetup ...@@ -70,7 +69,7 @@ func StartTestServer(t *testing.T, stopCh <-chan struct{}, setup TestServerSetup
if err != nil { if err != nil {
t.Fatal(err) t.Fatal(err)
} }
clientSigningCert, err := certutil.NewSelfSignedCACert(certutil.Config{CommonName: "client-ca"}, clientSigningKey) clientSigningCert, err := cert.NewSelfSignedCACert(cert.Config{CommonName: "client-ca"}, clientSigningKey)
if err != nil { if err != nil {
t.Fatal(err) t.Fatal(err)
} }
......
Markdown is supported
0% or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment