Commit 6c08aab9 authored by Brad Davidson's avatar Brad Davidson Committed by Brad Davidson

Use core constants for cert user/group values

Also update cert gen to ensure leaf certs are regenerated if other key fields change. Signed-off-by: 's avatarBrad Davidson <brad.davidson@rancher.com> (cherry picked from commit 99851b0f)
parent 405ca3ca
...@@ -28,6 +28,7 @@ import ( ...@@ -28,6 +28,7 @@ import (
metav1 "k8s.io/apimachinery/pkg/apis/meta/v1" metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
"k8s.io/apimachinery/pkg/util/sets" "k8s.io/apimachinery/pkg/util/sets"
apiserverconfigv1 "k8s.io/apiserver/pkg/apis/config/v1" apiserverconfigv1 "k8s.io/apiserver/pkg/apis/config/v1"
"k8s.io/apiserver/pkg/authentication/user"
) )
const ( const (
...@@ -311,7 +312,7 @@ func genClientCerts(config *config.Control) error { ...@@ -311,7 +312,7 @@ func genClientCerts(config *config.Control) error {
var certGen bool var certGen bool
apiEndpoint := fmt.Sprintf("https://127.0.0.1:%d", config.APIServerPort) apiEndpoint := fmt.Sprintf("https://127.0.0.1:%d", config.APIServerPort)
certGen, err = factory("system:admin", []string{"system:masters"}, runtime.ClientAdminCert, runtime.ClientAdminKey) certGen, err = factory("system:admin", []string{user.SystemPrivilegedGroup}, runtime.ClientAdminCert, runtime.ClientAdminKey)
if err != nil { if err != nil {
return err return err
} }
...@@ -321,7 +322,7 @@ func genClientCerts(config *config.Control) error { ...@@ -321,7 +322,7 @@ func genClientCerts(config *config.Control) error {
} }
} }
certGen, err = factory("system:kube-controller-manager", nil, runtime.ClientControllerCert, runtime.ClientControllerKey) certGen, err = factory(user.KubeControllerManager, nil, runtime.ClientControllerCert, runtime.ClientControllerKey)
if err != nil { if err != nil {
return err return err
} }
...@@ -331,7 +332,7 @@ func genClientCerts(config *config.Control) error { ...@@ -331,7 +332,7 @@ func genClientCerts(config *config.Control) error {
} }
} }
certGen, err = factory("system:kube-scheduler", nil, runtime.ClientSchedulerCert, runtime.ClientSchedulerKey) certGen, err = factory(user.KubeScheduler, nil, runtime.ClientSchedulerCert, runtime.ClientSchedulerKey)
if err != nil { if err != nil {
return err return err
} }
...@@ -341,7 +342,7 @@ func genClientCerts(config *config.Control) error { ...@@ -341,7 +342,7 @@ func genClientCerts(config *config.Control) error {
} }
} }
certGen, err = factory("kube-apiserver", nil, runtime.ClientKubeAPICert, runtime.ClientKubeAPIKey) certGen, err = factory(user.APIServerUser, []string{user.SystemPrivilegedGroup}, runtime.ClientKubeAPICert, runtime.ClientKubeAPIKey)
if err != nil { if err != nil {
return err return err
} }
...@@ -351,7 +352,7 @@ func genClientCerts(config *config.Control) error { ...@@ -351,7 +352,7 @@ func genClientCerts(config *config.Control) error {
} }
} }
if _, err = factory("system:kube-proxy", nil, runtime.ClientKubeProxyCert, runtime.ClientKubeProxyKey); err != nil { if _, err = factory(user.KubeProxy, nil, runtime.ClientKubeProxyCert, runtime.ClientKubeProxyKey); err != nil {
return err return err
} }
// This user (system:k3s-controller by default) must be bound to a role in rolebindings.yaml or the downstream equivalent // This user (system:k3s-controller by default) must be bound to a role in rolebindings.yaml or the downstream equivalent
...@@ -490,23 +491,22 @@ func addSANs(altNames *certutil.AltNames, sans []string) { ...@@ -490,23 +491,22 @@ func addSANs(altNames *certutil.AltNames, sans []string) {
} }
} }
func sansChanged(certFile string, sans *certutil.AltNames) bool { func fieldsChanged(certFile string, commonName string, organization []string, sans *certutil.AltNames, caCertFile string) bool {
if sans == nil { if sans == nil {
return false sans = &certutil.AltNames{}
} }
certBytes, err := ioutil.ReadFile(certFile) certificates, err := certutil.CertsFromFile(certFile)
if err != nil { if err != nil || len(certificates) == 0 {
return false return false
} }
certificates, err := certutil.ParseCertsPEM(certBytes) if certificates[0].Subject.CommonName != commonName {
if err != nil { return true
return false
} }
if len(certificates) == 0 { if !sets.NewString(certificates[0].Subject.Organization...).Equal(sets.NewString(organization...)) {
return false return true
} }
if !sets.NewString(certificates[0].DNSNames...).HasAll(sans.DNSNames...) { if !sets.NewString(certificates[0].DNSNames...).HasAll(sans.DNSNames...) {
...@@ -524,44 +524,45 @@ func sansChanged(certFile string, sans *certutil.AltNames) bool { ...@@ -524,44 +524,45 @@ func sansChanged(certFile string, sans *certutil.AltNames) bool {
} }
} }
return false caCertificates, err := certutil.CertsFromFile(caCertFile)
} if err != nil || len(caCertificates) == 0 {
return false
func createClientCertKey(regen bool, commonName string, organization []string, altNames *certutil.AltNames, extKeyUsage []x509.ExtKeyUsage, caCertFile, caKeyFile, certFile, keyFile string) (bool, error) {
caBytes, err := ioutil.ReadFile(caCertFile)
if err != nil {
return false, err
} }
pool := x509.NewCertPool() verifyOpts := x509.VerifyOptions{
pool.AppendCertsFromPEM(caBytes) Roots: x509.NewCertPool(),
KeyUsages: []x509.ExtKeyUsage{
x509.ExtKeyUsageAny,
},
}
// check for certificate expiration for _, cert := range caCertificates {
if !regen { verifyOpts.Roots.AddCert(cert)
regen = expired(certFile, pool)
} }
if !regen { if _, err := certificates[0].Verify(verifyOpts); err != nil {
regen = sansChanged(certFile, altNames) return true
} }
return false
}
func createClientCertKey(regen bool, commonName string, organization []string, altNames *certutil.AltNames, extKeyUsage []x509.ExtKeyUsage, caCertFile, caKeyFile, certFile, keyFile string) (bool, error) {
// check for reasons to renew the certificate even if not manually requested.
regen = regen || expired(certFile) || fieldsChanged(certFile, commonName, organization, altNames, caCertFile)
if !regen { if !regen {
if exists(certFile, keyFile) { if exists(certFile, keyFile) {
return false, nil return false, nil
} }
} }
caKeyBytes, err := ioutil.ReadFile(caKeyFile) caKey, err := certutil.PrivateKeyFromFile(caKeyFile)
if err != nil {
return false, err
}
caKey, err := certutil.ParsePrivateKeyPEM(caKeyBytes)
if err != nil { if err != nil {
return false, err return false, err
} }
caCert, err := certutil.ParseCertsPEM(caBytes) caCert, err := certutil.CertsFromFile(caCertFile)
if err != nil { if err != nil {
return false, err return false, err
} }
...@@ -645,24 +646,11 @@ func createSigningCertKey(prefix, certFile, keyFile string) (bool, error) { ...@@ -645,24 +646,11 @@ func createSigningCertKey(prefix, certFile, keyFile string) (bool, error) {
return true, nil return true, nil
} }
func expired(certFile string, pool *x509.CertPool) bool { func expired(certFile string) bool {
certBytes, err := ioutil.ReadFile(certFile) certificates, err := certutil.CertsFromFile(certFile)
if err != nil { if err != nil {
return false return false
} }
certificates, err := certutil.ParseCertsPEM(certBytes)
if err != nil {
return false
}
_, err = certificates[0].Verify(x509.VerifyOptions{
Roots: pool,
KeyUsages: []x509.ExtKeyUsage{
x509.ExtKeyUsageAny,
},
})
if err != nil {
return true
}
return certutil.IsCertExpired(certificates[0], config.CertificateRenewDays) return certutil.IsCertExpired(certificates[0], config.CertificateRenewDays)
} }
......
...@@ -28,6 +28,7 @@ import ( ...@@ -28,6 +28,7 @@ import (
"github.com/sirupsen/logrus" "github.com/sirupsen/logrus"
metav1 "k8s.io/apimachinery/pkg/apis/meta/v1" metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
"k8s.io/apimachinery/pkg/util/json" "k8s.io/apimachinery/pkg/util/json"
"k8s.io/apiserver/pkg/authentication/user"
) )
const ( const (
...@@ -58,7 +59,7 @@ func router(ctx context.Context, config *Config, cfg *cmds.Server) http.Handler ...@@ -58,7 +59,7 @@ func router(ctx context.Context, config *Config, cfg *cmds.Server) http.Handler
} }
nodeAuthed := mux.NewRouter() nodeAuthed := mux.NewRouter()
nodeAuthed.Use(authMiddleware(serverConfig, "system:nodes")) nodeAuthed.Use(authMiddleware(serverConfig, user.NodesGroup))
nodeAuthed.Path(prefix + "/connect").Handler(serverConfig.Runtime.Tunnel) nodeAuthed.Path(prefix + "/connect").Handler(serverConfig.Runtime.Tunnel)
nodeAuthed.NotFoundHandler = authed nodeAuthed.NotFoundHandler = authed
...@@ -247,7 +248,7 @@ func clientKubeletCert(server *config.Control, keyFile string, auth nodePassBoot ...@@ -247,7 +248,7 @@ func clientKubeletCert(server *config.Control, keyFile string, auth nodePassBoot
cert, err := certutil.NewSignedCert(certutil.Config{ cert, err := certutil.NewSignedCert(certutil.Config{
CommonName: "system:node:" + nodeName, CommonName: "system:node:" + nodeName,
Organization: []string{"system:nodes"}, Organization: []string{user.NodesGroup},
Usages: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}, Usages: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth},
}, key, caCert[0], caKey) }, key, caCert[0], caKey)
if err != nil { if err != nil {
......
Markdown is supported
0% or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment