Commit 5b1d57f7 authored by Brad Davidson's avatar Brad Davidson Committed by Brad Davidson

Remove unused Certificate field from Node struct

parent 2e4e7cf2
...@@ -238,27 +238,23 @@ func upgradeOldNodePasswordPath(oldNodePasswordFile, newNodePasswordFile string) ...@@ -238,27 +238,23 @@ func upgradeOldNodePasswordPath(oldNodePasswordFile, newNodePasswordFile string)
} }
} }
func getServingCert(nodeName string, nodeIPs []net.IP, servingCertFile, servingKeyFile, nodePasswordFile string, info *clientaccess.Info) (*tls.Certificate, error) { func getServingCert(nodeName string, nodeIPs []net.IP, servingCertFile, servingKeyFile, nodePasswordFile string, info *clientaccess.Info) error {
servingCert, err := Request("/v1-"+version.Program+"/serving-kubelet.crt", info, getNodeNamedCrt(nodeName, nodeIPs, nodePasswordFile)) body, err := Request("/v1-"+version.Program+"/serving-kubelet.crt", info, getNodeNamedCrt(nodeName, nodeIPs, nodePasswordFile))
if err != nil { if err != nil {
return nil, err return err
} }
servingCert, servingKey := splitCertKeyPEM(servingCert) servingCert, servingKey := splitCertKeyPEM(body)
if err := os.WriteFile(servingCertFile, servingCert, 0600); err != nil { if err := os.WriteFile(servingCertFile, servingCert, 0600); err != nil {
return nil, errors.Wrapf(err, "failed to write node cert") return errors.Wrapf(err, "failed to write node cert")
} }
if err := os.WriteFile(servingKeyFile, servingKey, 0600); err != nil { if err := os.WriteFile(servingKeyFile, servingKey, 0600); err != nil {
return nil, errors.Wrapf(err, "failed to write node key") return errors.Wrapf(err, "failed to write node key")
} }
cert, err := tls.X509KeyPair(servingCert, servingKey) return nil
if err != nil {
return nil, err
}
return &cert, nil
} }
func getHostFile(filename, keyFile string, info *clientaccess.Info) error { func getHostFile(filename, keyFile string, info *clientaccess.Info) error {
...@@ -303,11 +299,11 @@ func splitCertKeyPEM(bytes []byte) (certPem []byte, keyPem []byte) { ...@@ -303,11 +299,11 @@ func splitCertKeyPEM(bytes []byte) (certPem []byte, keyPem []byte) {
func getNodeNamedHostFile(filename, keyFile, nodeName string, nodeIPs []net.IP, nodePasswordFile string, info *clientaccess.Info) error { func getNodeNamedHostFile(filename, keyFile, nodeName string, nodeIPs []net.IP, nodePasswordFile string, info *clientaccess.Info) error {
basename := filepath.Base(filename) basename := filepath.Base(filename)
fileBytes, err := Request("/v1-"+version.Program+"/"+basename, info, getNodeNamedCrt(nodeName, nodeIPs, nodePasswordFile)) body, err := Request("/v1-"+version.Program+"/"+basename, info, getNodeNamedCrt(nodeName, nodeIPs, nodePasswordFile))
if err != nil { if err != nil {
return err return err
} }
fileBytes, keyBytes := splitCertKeyPEM(fileBytes) fileBytes, keyBytes := splitCertKeyPEM(body)
if err := os.WriteFile(filename, fileBytes, 0600); err != nil { if err := os.WriteFile(filename, fileBytes, 0600); err != nil {
return errors.Wrapf(err, "failed to write cert %s", filename) return errors.Wrapf(err, "failed to write cert %s", filename)
...@@ -499,8 +495,7 @@ func get(ctx context.Context, envInfo *cmds.Agent, proxy proxy.Proxy) (*config.N ...@@ -499,8 +495,7 @@ func get(ctx context.Context, envInfo *cmds.Agent, proxy proxy.Proxy) (*config.N
nodeExternalAndInternalIPs := append(nodeIPs, nodeExternalIPs...) nodeExternalAndInternalIPs := append(nodeIPs, nodeExternalIPs...)
// Ask the server to generate a kubelet server cert+key. These files are unique to this node. // Ask the server to generate a kubelet server cert+key. These files are unique to this node.
servingCert, err := getServingCert(nodeName, nodeExternalAndInternalIPs, servingKubeletCert, servingKubeletKey, newNodePasswordFile, info) if err := getServingCert(nodeName, nodeExternalAndInternalIPs, servingKubeletCert, servingKubeletKey, newNodePasswordFile, info); err != nil {
if err != nil {
return nil, errors.Wrap(err, servingKubeletCert) return nil, errors.Wrap(err, servingKubeletCert)
} }
...@@ -625,7 +620,6 @@ func get(ctx context.Context, envInfo *cmds.Agent, proxy proxy.Proxy) (*config.N ...@@ -625,7 +620,6 @@ func get(ctx context.Context, envInfo *cmds.Agent, proxy proxy.Proxy) (*config.N
applyCRIDockerdAddress(nodeConfig) applyCRIDockerdAddress(nodeConfig)
applyContainerdQoSClassConfigFileIfPresent(envInfo, &nodeConfig.Containerd) applyContainerdQoSClassConfigFileIfPresent(envInfo, &nodeConfig.Containerd)
nodeConfig.Containerd.Template = filepath.Join(envInfo.DataDir, "agent", "etc", "containerd", "config.toml.tmpl") nodeConfig.Containerd.Template = filepath.Join(envInfo.DataDir, "agent", "etc", "containerd", "config.toml.tmpl")
nodeConfig.Certificate = servingCert
if envInfo.BindAddress != "" { if envInfo.BindAddress != "" {
nodeConfig.AgentConfig.ListenAddress = envInfo.BindAddress nodeConfig.AgentConfig.ListenAddress = envInfo.BindAddress
......
...@@ -62,7 +62,7 @@ func Test_createFlannelConf(t *testing.T) { ...@@ -62,7 +62,7 @@ func Test_createFlannelConf(t *testing.T) {
var agent = config.Agent{} var agent = config.Agent{}
agent.ClusterCIDR = stringToCIDR(tt.args)[0] agent.ClusterCIDR = stringToCIDR(tt.args)[0]
agent.ClusterCIDRs = stringToCIDR(tt.args) agent.ClusterCIDRs = stringToCIDR(tt.args)
var nodeConfig = &config.Node{Docker: false, ContainerRuntimeEndpoint: "", SELinux: false, FlannelBackend: "vxlan", FlannelConfFile: "test_file", FlannelConfOverride: false, FlannelIface: nil, Containerd: containerd, Images: "", AgentConfig: agent, Token: "", Certificate: nil, ServerHTTPSPort: 0} var nodeConfig = &config.Node{Docker: false, ContainerRuntimeEndpoint: "", SELinux: false, FlannelBackend: "vxlan", FlannelConfFile: "test_file", FlannelConfOverride: false, FlannelIface: nil, Containerd: containerd, Images: "", AgentConfig: agent, Token: "", ServerHTTPSPort: 0}
t.Run(tt.name, func(t *testing.T) { t.Run(tt.name, func(t *testing.T) {
if err := createFlannelConf(nodeConfig); (err != nil) != tt.wantErr { if err := createFlannelConf(nodeConfig); (err != nil) != tt.wantErr {
......
package config package config
import ( import (
"crypto/tls"
"fmt" "fmt"
"net" "net"
"net/http" "net/http"
...@@ -57,7 +56,6 @@ type Node struct { ...@@ -57,7 +56,6 @@ type Node struct {
Images string Images string
AgentConfig Agent AgentConfig Agent
Token string Token string
Certificate *tls.Certificate
ServerHTTPSPort int ServerHTTPSPort int
SupervisorPort int SupervisorPort int
DefaultRuntime string DefaultRuntime string
......
...@@ -5,6 +5,7 @@ import ( ...@@ -5,6 +5,7 @@ import (
"crypto" "crypto"
"crypto/x509" "crypto/x509"
"fmt" "fmt"
"io"
"net" "net"
"net/http" "net/http"
"os" "os"
...@@ -63,13 +64,6 @@ func ServingKubeletCert(control *config.Control, auth nodepassword.NodeAuthValid ...@@ -63,13 +64,6 @@ func ServingKubeletCert(control *config.Control, auth nodepassword.NodeAuthValid
return return
} }
keyFile := control.Runtime.ServingKubeletKey
caCerts, caKey, key, err := getCACertAndKeys(control.Runtime.ServerCA, control.Runtime.ServerCAKey, keyFile)
if err != nil {
util.SendError(err, resp, req)
return
}
ips := []net.IP{net.ParseIP("127.0.0.1")} ips := []net.IP{net.ParseIP("127.0.0.1")}
program := mux.Vars(req)["program"] program := mux.Vars(req)["program"]
if nodeIP := req.Header.Get(program + "-Node-IP"); nodeIP != "" { if nodeIP := req.Header.Get(program + "-Node-IP"); nodeIP != "" {
...@@ -83,27 +77,14 @@ func ServingKubeletCert(control *config.Control, auth nodepassword.NodeAuthValid ...@@ -83,27 +77,14 @@ func ServingKubeletCert(control *config.Control, auth nodepassword.NodeAuthValid
} }
} }
cert, err := certutil.NewSignedCert(certutil.Config{ signAndSend(resp, req, control.Runtime.ServerCA, control.Runtime.ServerCAKey, control.Runtime.ServingKubeletKey, certutil.Config{
CommonName: nodeName, CommonName: nodeName,
Usages: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth}, Usages: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
AltNames: certutil.AltNames{ AltNames: certutil.AltNames{
DNSNames: []string{nodeName, "localhost"}, DNSNames: []string{nodeName, "localhost"},
IPs: ips, IPs: ips,
}, },
}, key, caCerts[0], caKey) })
if err != nil {
util.SendError(err, resp, req)
return
}
keyBytes, err := os.ReadFile(keyFile)
if err != nil {
http.Error(resp, err.Error(), http.StatusInternalServerError)
return
}
resp.Write(util.EncodeCertsPEM(cert, caCerts))
resp.Write(keyBytes)
}) })
} }
...@@ -114,92 +95,30 @@ func ClientKubeletCert(control *config.Control, auth nodepassword.NodeAuthValida ...@@ -114,92 +95,30 @@ func ClientKubeletCert(control *config.Control, auth nodepassword.NodeAuthValida
util.SendError(err, resp, req, errCode) util.SendError(err, resp, req, errCode)
return return
} }
signAndSend(resp, req, control.Runtime.ClientCA, control.Runtime.ClientCAKey, control.Runtime.ClientKubeProxyKey, certutil.Config{
keyFile := control.Runtime.ClientKubeletKey
caCerts, caKey, key, err := getCACertAndKeys(control.Runtime.ClientCA, control.Runtime.ClientCAKey, keyFile)
if err != nil {
util.SendError(err, resp, req)
return
}
cert, err := certutil.NewSignedCert(certutil.Config{
CommonName: "system:node:" + nodeName, CommonName: "system:node:" + nodeName,
Organization: []string{user.NodesGroup}, Organization: []string{user.NodesGroup},
Usages: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}, Usages: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth},
}, key, caCerts[0], caKey) })
if err != nil {
util.SendError(err, resp, req)
return
}
keyBytes, err := os.ReadFile(keyFile)
if err != nil {
http.Error(resp, err.Error(), http.StatusInternalServerError)
return
}
resp.Write(util.EncodeCertsPEM(cert, caCerts))
resp.Write(keyBytes)
}) })
} }
func ClientKubeProxyCert(control *config.Control) http.Handler { func ClientKubeProxyCert(control *config.Control) http.Handler {
return http.HandlerFunc(func(resp http.ResponseWriter, req *http.Request) { return http.HandlerFunc(func(resp http.ResponseWriter, req *http.Request) {
keyFile := control.Runtime.ClientKubeProxyKey signAndSend(resp, req, control.Runtime.ClientCA, control.Runtime.ClientCAKey, control.Runtime.ClientKubeProxyKey, certutil.Config{
caCerts, caKey, key, err := getCACertAndKeys(control.Runtime.ClientCA, control.Runtime.ClientCAKey, keyFile)
if err != nil {
util.SendError(err, resp, req)
return
}
cert, err := certutil.NewSignedCert(certutil.Config{
CommonName: user.KubeProxy, CommonName: user.KubeProxy,
Usages: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}, Usages: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth},
}, key, caCerts[0], caKey) })
if err != nil {
util.SendError(err, resp, req)
return
}
keyBytes, err := os.ReadFile(keyFile)
if err != nil {
http.Error(resp, err.Error(), http.StatusInternalServerError)
return
}
resp.Write(util.EncodeCertsPEM(cert, caCerts))
resp.Write(keyBytes)
}) })
} }
func ClientControllerCert(control *config.Control) http.Handler { func ClientControllerCert(control *config.Control) http.Handler {
return http.HandlerFunc(func(resp http.ResponseWriter, req *http.Request) { return http.HandlerFunc(func(resp http.ResponseWriter, req *http.Request) {
keyFile := control.Runtime.ClientK3sControllerKey
caCerts, caKey, key, err := getCACertAndKeys(control.Runtime.ClientCA, control.Runtime.ClientCAKey, keyFile)
if err != nil {
util.SendError(err, resp, req)
return
}
// This user (system:k3s-controller by default) must be bound to a role in rolebindings.yaml or the downstream equivalent
program := mux.Vars(req)["program"] program := mux.Vars(req)["program"]
cert, err := certutil.NewSignedCert(certutil.Config{ signAndSend(resp, req, control.Runtime.ClientCA, control.Runtime.ClientCAKey, control.Runtime.ClientK3sControllerKey, certutil.Config{
CommonName: "system:" + program + "-controller", CommonName: "system:" + program + "-controller",
Usages: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}, Usages: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth},
}, key, caCerts[0], caKey) })
if err != nil {
util.SendError(err, resp, req)
return
}
keyBytes, err := os.ReadFile(keyFile)
if err != nil {
http.Error(resp, err.Error(), http.StatusInternalServerError)
return
}
resp.Write(util.EncodeCertsPEM(cert, caCerts))
resp.Write(keyBytes)
}) })
} }
...@@ -293,38 +212,104 @@ func Static(urlPrefix, staticDir string) http.Handler { ...@@ -293,38 +212,104 @@ func Static(urlPrefix, staticDir string) http.Handler {
return http.StripPrefix(urlPrefix, http.FileServer(http.Dir(staticDir))) return http.StripPrefix(urlPrefix, http.FileServer(http.Dir(staticDir)))
} }
func getCACertAndKeys(caCertFile, caKeyFile, signingKeyFile string) ([]*x509.Certificate, crypto.Signer, crypto.Signer, error) { // csrSigner wraps a CSR with a Public() method and dummy Sign() method to satisfy the
keyBytes, err := os.ReadFile(signingKeyFile) // crypto.Signer interface required by dynamiclistener's cert helpers.
type csrSigner struct {
csr *x509.CertificateRequest
}
func (c *csrSigner) Public() crypto.PublicKey {
return c.csr.PublicKey
}
func (c csrSigner) Sign(_ io.Reader, _ []byte, _ crypto.SignerOpts) ([]byte, error) {
return nil, errors.New("not implemented")
}
// signAndSend generates a signed certificate using the requested CA cert/key and config,
// and sends it to the client. If the client request is a POST with a signing request as
// the body, the public key from the CSR is used to generate the certificate. If the
// client did not submit a signing request, the legacy shared key is used to generate the
// certificate, and the key is sent along with the certificate.
func signAndSend(resp http.ResponseWriter, req *http.Request, caCertFile, caKeyFile, signingKeyFile string, certConfig certutil.Config) {
caCerts, caKey, err := getCACertAndKey(caCertFile, caKeyFile)
if err != nil { if err != nil {
return nil, nil, nil, err util.SendError(err, resp, req)
return
}
var key crypto.Signer
var keyBytes []byte
if csr, err := getCSR(req); err == nil {
// If the client sent a valid CSR, use the CSR to retrieve the public key
key = &csrSigner{csr: csr}
} else {
// For legacy clients, just use the common key
keyBytes, err = os.ReadFile(signingKeyFile)
if err != nil {
util.SendError(err, resp, req)
return
}
pk, err := certutil.ParsePrivateKeyPEM(keyBytes)
if err != nil {
util.SendError(err, resp, req)
return
}
key = pk.(crypto.Signer)
} }
key, err := certutil.ParsePrivateKeyPEM(keyBytes) // create the signed cert using dynamiclistener cert utils
cert, err := certutil.NewSignedCert(certConfig, key, caCerts[0], caKey)
if err != nil { if err != nil {
return nil, nil, nil, err util.SendError(err, resp, req)
return
}
// send the cert and CA bundle
resp.Write(util.EncodeCertsPEM(cert, caCerts))
// also send the common private key, if the client didn't send a CSR
if len(keyBytes) > 0 {
resp.Write(keyBytes)
} }
}
// getCACertAndKey loads the CA bundle and key at the specified paths.
func getCACertAndKey(caCertFile, caKeyFile string) ([]*x509.Certificate, crypto.Signer, error) {
caKeyBytes, err := os.ReadFile(caKeyFile) caKeyBytes, err := os.ReadFile(caKeyFile)
if err != nil { if err != nil {
return nil, nil, nil, err return nil, nil, err
} }
caKey, err := certutil.ParsePrivateKeyPEM(caKeyBytes) caKey, err := certutil.ParsePrivateKeyPEM(caKeyBytes)
if err != nil { if err != nil {
return nil, nil, nil, err return nil, nil, err
} }
caBytes, err := os.ReadFile(caCertFile) caBytes, err := os.ReadFile(caCertFile)
if err != nil { if err != nil {
return nil, nil, nil, err return nil, nil, err
} }
caCert, err := certutil.ParseCertsPEM(caBytes) caCert, err := certutil.ParseCertsPEM(caBytes)
if err != nil { if err != nil {
return nil, nil, nil, err return nil, nil, err
} }
return caCert, caKey.(crypto.Signer), key.(crypto.Signer), nil return caCert, caKey.(crypto.Signer), nil
}
// getCSR decodes a x509.CertificateRequest from a POST request body.
// If the request is not a POST, or cannot be parsed as a request, an error is returned.
func getCSR(req *http.Request) (*x509.CertificateRequest, error) {
if req.Method != http.MethodPost {
return nil, mux.ErrMethodMismatch
}
csrBytes, err := io.ReadAll(req.Body)
if err != nil {
return nil, err
}
return x509.ParseCertificateRequest(csrBytes)
} }
// addressGetter is a common signature for functions that return an address channel // addressGetter is a common signature for functions that return an address channel
......
Markdown is supported
0% or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment