Skip to content
Projects
Groups
Snippets
Help
This project
Loading...
Sign in / Register
Toggle navigation
K
k3s
Project
Project
Details
Activity
Cycle Analytics
Repository
Repository
Files
Commits
Branches
Tags
Contributors
Graph
Compare
Charts
Issues
0
Issues
0
List
Board
Labels
Milestones
Merge Requests
0
Merge Requests
0
CI / CD
CI / CD
Pipelines
Jobs
Schedules
Charts
Registry
Registry
Wiki
Wiki
Snippets
Snippets
Members
Members
Collapse sidebar
Close sidebar
Activity
Graph
Charts
Create a new issue
Jobs
Commits
Issue Boards
Open sidebar
Jacklull
k3s
Commits
7c37e91a
Commit
7c37e91a
authored
Jan 23, 2019
by
mourya007
Browse files
Options
Browse Files
Download
Email Patches
Plain Diff
Re-Organize the pkutil library
parent
5c4b536f
Hide whitespace changes
Inline
Side-by-side
Showing
16 changed files
with
152 additions
and
130 deletions
+152
-130
certs.go
cmd/kubeadm/app/phases/certs/certs.go
+3
-2
certsapi.go
cmd/kubeadm/app/phases/certs/renewal/certsapi.go
+2
-1
renewal_test.go
cmd/kubeadm/app/phases/certs/renewal/renewal_test.go
+1
-1
kubeconfig.go
cmd/kubeadm/app/phases/kubeconfig/kubeconfig.go
+5
-4
util.go
cmd/kubeadm/app/util/certs/util.go
+3
-3
pki_helpers.go
cmd/kubeadm/app/util/pkiutil/pki_helpers.go
+82
-6
cert.go
staging/src/k8s.io/client-go/util/cert/cert.go
+0
-42
pem.go
staging/src/k8s.io/client-go/util/cert/pem.go
+14
-37
BUILD
test/e2e/apimachinery/BUILD
+1
-0
certs.go
test/e2e/apimachinery/certs.go
+13
-12
BUILD
test/e2e/auth/BUILD
+1
-0
certificates.go
test/e2e/auth/certificates.go
+3
-3
BUILD
test/integration/examples/BUILD
+1
-0
apiserver_test.go
test/integration/examples/apiserver_test.go
+13
-12
BUILD
test/integration/framework/BUILD
+1
-0
test_server.go
test/integration/framework/test_server.go
+9
-7
No files found.
cmd/kubeadm/app/phases/certs/certs.go
View file @
7c37e91a
...
@@ -27,8 +27,9 @@ import (
...
@@ -27,8 +27,9 @@ import (
certutil
"k8s.io/client-go/util/cert"
certutil
"k8s.io/client-go/util/cert"
"k8s.io/klog"
"k8s.io/klog"
kubeadmapi
"k8s.io/kubernetes/cmd/kubeadm/app/apis/kubeadm"
kubeadmapi
"k8s.io/kubernetes/cmd/kubeadm/app/apis/kubeadm"
pkiutil
"k8s.io/kubernetes/cmd/kubeadm/app/util/pkiutil"
kubeadmconstants
"k8s.io/kubernetes/cmd/kubeadm/app/constants"
kubeadmconstants
"k8s.io/kubernetes/cmd/kubeadm/app/constants"
"k8s.io/kubernetes/cmd/kubeadm/app/util/pkiutil"
)
)
// CreatePKIAssets will create and write to disk all PKI assets necessary to establish the control plane.
// CreatePKIAssets will create and write to disk all PKI assets necessary to establish the control plane.
...
@@ -81,7 +82,7 @@ func CreateServiceAccountKeyAndPublicKeyFiles(cfg *kubeadmapi.InitConfiguration)
...
@@ -81,7 +82,7 @@ func CreateServiceAccountKeyAndPublicKeyFiles(cfg *kubeadmapi.InitConfiguration)
// NewServiceAccountSigningKey generate public/private key pairs for signing service account tokens.
// NewServiceAccountSigningKey generate public/private key pairs for signing service account tokens.
func
NewServiceAccountSigningKey
()
(
*
rsa
.
PrivateKey
,
error
)
{
func
NewServiceAccountSigningKey
()
(
*
rsa
.
PrivateKey
,
error
)
{
// The key does NOT exist, let's generate it now
// The key does NOT exist, let's generate it now
saSigningKey
,
err
:=
cert
util
.
NewPrivateKey
()
saSigningKey
,
err
:=
pki
util
.
NewPrivateKey
()
if
err
!=
nil
{
if
err
!=
nil
{
return
nil
,
errors
.
Wrap
(
err
,
"failure while creating service account token signing key"
)
return
nil
,
errors
.
Wrap
(
err
,
"failure while creating service account token signing key"
)
}
}
...
...
cmd/kubeadm/app/phases/certs/renewal/certsapi.go
View file @
7c37e91a
...
@@ -31,6 +31,7 @@ import (
...
@@ -31,6 +31,7 @@ import (
certstype
"k8s.io/client-go/kubernetes/typed/certificates/v1beta1"
certstype
"k8s.io/client-go/kubernetes/typed/certificates/v1beta1"
certutil
"k8s.io/client-go/util/cert"
certutil
"k8s.io/client-go/util/cert"
csrutil
"k8s.io/client-go/util/certificate/csr"
csrutil
"k8s.io/client-go/util/certificate/csr"
pkiutil
"k8s.io/kubernetes/cmd/kubeadm/app/util/pkiutil"
)
)
const
certAPIPrefixName
=
"kubeadm-cert"
const
certAPIPrefixName
=
"kubeadm-cert"
...
@@ -60,7 +61,7 @@ func (r *CertsAPIRenewal) Renew(cfg *certutil.Config) (*x509.Certificate, *rsa.P
...
@@ -60,7 +61,7 @@ func (r *CertsAPIRenewal) Renew(cfg *certutil.Config) (*x509.Certificate, *rsa.P
IPAddresses
:
cfg
.
AltNames
.
IPs
,
IPAddresses
:
cfg
.
AltNames
.
IPs
,
}
}
key
,
err
:=
cert
util
.
NewPrivateKey
()
key
,
err
:=
pki
util
.
NewPrivateKey
()
if
err
!=
nil
{
if
err
!=
nil
{
return
nil
,
nil
,
errors
.
Wrap
(
err
,
"couldn't create new private key"
)
return
nil
,
nil
,
errors
.
Wrap
(
err
,
"couldn't create new private key"
)
}
}
...
...
cmd/kubeadm/app/phases/certs/renewal/renewal_test.go
View file @
7c37e91a
...
@@ -136,7 +136,7 @@ func getCertReq(t *testing.T, caCert *x509.Certificate, caKey *rsa.PrivateKey) *
...
@@ -136,7 +136,7 @@ func getCertReq(t *testing.T, caCert *x509.Certificate, caKey *rsa.PrivateKey) *
Type
:
certsapi
.
CertificateApproved
,
Type
:
certsapi
.
CertificateApproved
,
},
},
},
},
Certificate
:
cert
util
.
EncodeCertPEM
(
cert
),
Certificate
:
pki
util
.
EncodeCertPEM
(
cert
),
},
},
}
}
}
}
...
...
cmd/kubeadm/app/phases/kubeconfig/kubeconfig.go
View file @
7c37e91a
...
@@ -33,8 +33,9 @@ import (
...
@@ -33,8 +33,9 @@ import (
kubeadmapi
"k8s.io/kubernetes/cmd/kubeadm/app/apis/kubeadm"
kubeadmapi
"k8s.io/kubernetes/cmd/kubeadm/app/apis/kubeadm"
kubeadmconstants
"k8s.io/kubernetes/cmd/kubeadm/app/constants"
kubeadmconstants
"k8s.io/kubernetes/cmd/kubeadm/app/constants"
kubeadmutil
"k8s.io/kubernetes/cmd/kubeadm/app/util"
kubeadmutil
"k8s.io/kubernetes/cmd/kubeadm/app/util"
pkiutil
"k8s.io/kubernetes/cmd/kubeadm/app/util/pkiutil"
kubeconfigutil
"k8s.io/kubernetes/cmd/kubeadm/app/util/kubeconfig"
kubeconfigutil
"k8s.io/kubernetes/cmd/kubeadm/app/util/kubeconfig"
"k8s.io/kubernetes/cmd/kubeadm/app/util/pkiutil"
)
)
// clientCertAuth struct holds info required to build a client certificate to provide authentication info in a kubeconfig object
// clientCertAuth struct holds info required to build a client certificate to provide authentication info in a kubeconfig object
...
@@ -189,7 +190,7 @@ func buildKubeConfigFromSpec(spec *kubeConfigSpec, clustername string) (*clientc
...
@@ -189,7 +190,7 @@ func buildKubeConfigFromSpec(spec *kubeConfigSpec, clustername string) (*clientc
spec
.
APIServer
,
spec
.
APIServer
,
clustername
,
clustername
,
spec
.
ClientName
,
spec
.
ClientName
,
cert
util
.
EncodeCertPEM
(
spec
.
CACert
),
pki
util
.
EncodeCertPEM
(
spec
.
CACert
),
spec
.
TokenAuth
.
Token
,
spec
.
TokenAuth
.
Token
,
),
nil
),
nil
}
}
...
@@ -210,9 +211,9 @@ func buildKubeConfigFromSpec(spec *kubeConfigSpec, clustername string) (*clientc
...
@@ -210,9 +211,9 @@ func buildKubeConfigFromSpec(spec *kubeConfigSpec, clustername string) (*clientc
spec
.
APIServer
,
spec
.
APIServer
,
clustername
,
clustername
,
spec
.
ClientName
,
spec
.
ClientName
,
cert
util
.
EncodeCertPEM
(
spec
.
CACert
),
pki
util
.
EncodeCertPEM
(
spec
.
CACert
),
certutil
.
EncodePrivateKeyPEM
(
clientKey
),
certutil
.
EncodePrivateKeyPEM
(
clientKey
),
cert
util
.
EncodeCertPEM
(
clientCert
),
pki
util
.
EncodeCertPEM
(
clientCert
),
),
nil
),
nil
}
}
...
...
cmd/kubeadm/app/util/certs/util.go
View file @
7c37e91a
...
@@ -24,7 +24,7 @@ import (
...
@@ -24,7 +24,7 @@ import (
"testing"
"testing"
certutil
"k8s.io/client-go/util/cert"
certutil
"k8s.io/client-go/util/cert"
"k8s.io/kubernetes/cmd/kubeadm/app/util/pkiutil"
pkiutil
"k8s.io/kubernetes/cmd/kubeadm/app/util/pkiutil"
)
)
// SetupCertificateAuthorithy is a utility function for kubeadm testing that creates a
// SetupCertificateAuthorithy is a utility function for kubeadm testing that creates a
...
@@ -229,11 +229,11 @@ func WritePKIFiles(t *testing.T, dir string, files PKIFiles) {
...
@@ -229,11 +229,11 @@ func WritePKIFiles(t *testing.T, dir string, files PKIFiles) {
for
filename
,
body
:=
range
files
{
for
filename
,
body
:=
range
files
{
switch
body
:=
body
.
(
type
)
{
switch
body
:=
body
.
(
type
)
{
case
*
x509
.
Certificate
:
case
*
x509
.
Certificate
:
if
err
:=
certutil
.
WriteCert
(
path
.
Join
(
dir
,
filename
),
cert
util
.
EncodeCertPEM
(
body
));
err
!=
nil
{
if
err
:=
certutil
.
WriteCert
(
path
.
Join
(
dir
,
filename
),
pki
util
.
EncodeCertPEM
(
body
));
err
!=
nil
{
t
.
Errorf
(
"unable to write certificate to file %q: [%v]"
,
dir
,
err
)
t
.
Errorf
(
"unable to write certificate to file %q: [%v]"
,
dir
,
err
)
}
}
case
*
rsa
.
PublicKey
:
case
*
rsa
.
PublicKey
:
publicKeyBytes
,
err
:=
cert
util
.
EncodePublicKeyPEM
(
body
)
publicKeyBytes
,
err
:=
pki
util
.
EncodePublicKeyPEM
(
body
)
if
err
!=
nil
{
if
err
!=
nil
{
t
.
Errorf
(
"unable to write public key to file %q: [%v]"
,
filename
,
err
)
t
.
Errorf
(
"unable to write public key to file %q: [%v]"
,
filename
,
err
)
}
}
...
...
cmd/kubeadm/app/util/pkiutil/pki_helpers.go
View file @
7c37e91a
...
@@ -18,6 +18,7 @@ package pkiutil
...
@@ -18,6 +18,7 @@ package pkiutil
import
(
import
(
"crypto"
"crypto"
"crypto/rand"
cryptorand
"crypto/rand"
cryptorand
"crypto/rand"
"crypto/rsa"
"crypto/rsa"
"crypto/x509"
"crypto/x509"
...
@@ -25,6 +26,8 @@ import (
...
@@ -25,6 +26,8 @@ import (
"encoding/pem"
"encoding/pem"
"fmt"
"fmt"
"io/ioutil"
"io/ioutil"
"math"
"math/big"
"net"
"net"
"os"
"os"
"path/filepath"
"path/filepath"
...
@@ -40,9 +43,22 @@ import (
...
@@ -40,9 +43,22 @@ import (
"k8s.io/kubernetes/pkg/registry/core/service/ipallocator"
"k8s.io/kubernetes/pkg/registry/core/service/ipallocator"
)
)
const
(
// PrivateKeyBlockType is a possible value for pem.Block.Type.
PrivateKeyBlockType
=
"PRIVATE KEY"
// PublicKeyBlockType is a possible value for pem.Block.Type.
PublicKeyBlockType
=
"PUBLIC KEY"
// CertificateBlockType is a possible value for pem.Block.Type.
CertificateBlockType
=
"CERTIFICATE"
// RSAPrivateKeyBlockType is a possible value for pem.Block.Type.
RSAPrivateKeyBlockType
=
"RSA PRIVATE KEY"
rsaKeySize
=
2048
duration365d
=
time
.
Hour
*
24
*
365
)
// NewCertificateAuthority creates new certificate and private key for the certificate authority
// NewCertificateAuthority creates new certificate and private key for the certificate authority
func
NewCertificateAuthority
(
config
*
certutil
.
Config
)
(
*
x509
.
Certificate
,
*
rsa
.
PrivateKey
,
error
)
{
func
NewCertificateAuthority
(
config
*
certutil
.
Config
)
(
*
x509
.
Certificate
,
*
rsa
.
PrivateKey
,
error
)
{
key
,
err
:=
certutil
.
NewPrivateKey
()
key
,
err
:=
NewPrivateKey
()
if
err
!=
nil
{
if
err
!=
nil
{
return
nil
,
nil
,
errors
.
Wrap
(
err
,
"unable to create private key"
)
return
nil
,
nil
,
errors
.
Wrap
(
err
,
"unable to create private key"
)
}
}
...
@@ -57,12 +73,12 @@ func NewCertificateAuthority(config *certutil.Config) (*x509.Certificate, *rsa.P
...
@@ -57,12 +73,12 @@ func NewCertificateAuthority(config *certutil.Config) (*x509.Certificate, *rsa.P
// NewCertAndKey creates new certificate and key by passing the certificate authority certificate and key
// NewCertAndKey creates new certificate and key by passing the certificate authority certificate and key
func
NewCertAndKey
(
caCert
*
x509
.
Certificate
,
caKey
*
rsa
.
PrivateKey
,
config
*
certutil
.
Config
)
(
*
x509
.
Certificate
,
*
rsa
.
PrivateKey
,
error
)
{
func
NewCertAndKey
(
caCert
*
x509
.
Certificate
,
caKey
*
rsa
.
PrivateKey
,
config
*
certutil
.
Config
)
(
*
x509
.
Certificate
,
*
rsa
.
PrivateKey
,
error
)
{
key
,
err
:=
certutil
.
NewPrivateKey
()
key
,
err
:=
NewPrivateKey
()
if
err
!=
nil
{
if
err
!=
nil
{
return
nil
,
nil
,
errors
.
Wrap
(
err
,
"unable to create private key"
)
return
nil
,
nil
,
errors
.
Wrap
(
err
,
"unable to create private key"
)
}
}
cert
,
err
:=
certutil
.
NewSignedCert
(
*
config
,
key
,
caCert
,
caKey
)
cert
,
err
:=
NewSignedCert
(
config
,
key
,
caCert
,
caKey
)
if
err
!=
nil
{
if
err
!=
nil
{
return
nil
,
nil
,
errors
.
Wrap
(
err
,
"unable to sign certificate"
)
return
nil
,
nil
,
errors
.
Wrap
(
err
,
"unable to sign certificate"
)
}
}
...
@@ -72,7 +88,7 @@ func NewCertAndKey(caCert *x509.Certificate, caKey *rsa.PrivateKey, config *cert
...
@@ -72,7 +88,7 @@ func NewCertAndKey(caCert *x509.Certificate, caKey *rsa.PrivateKey, config *cert
// NewCSRAndKey generates a new key and CSR and that could be signed to create the given certificate
// NewCSRAndKey generates a new key and CSR and that could be signed to create the given certificate
func
NewCSRAndKey
(
config
*
certutil
.
Config
)
(
*
x509
.
CertificateRequest
,
*
rsa
.
PrivateKey
,
error
)
{
func
NewCSRAndKey
(
config
*
certutil
.
Config
)
(
*
x509
.
CertificateRequest
,
*
rsa
.
PrivateKey
,
error
)
{
key
,
err
:=
certutil
.
NewPrivateKey
()
key
,
err
:=
NewPrivateKey
()
if
err
!=
nil
{
if
err
!=
nil
{
return
nil
,
nil
,
errors
.
Wrap
(
err
,
"unable to create private key"
)
return
nil
,
nil
,
errors
.
Wrap
(
err
,
"unable to create private key"
)
}
}
...
@@ -111,7 +127,7 @@ func WriteCert(pkiPath, name string, cert *x509.Certificate) error {
...
@@ -111,7 +127,7 @@ func WriteCert(pkiPath, name string, cert *x509.Certificate) error {
}
}
certificatePath
:=
pathForCert
(
pkiPath
,
name
)
certificatePath
:=
pathForCert
(
pkiPath
,
name
)
if
err
:=
certutil
.
WriteCert
(
certificatePath
,
certutil
.
EncodeCertPEM
(
cert
));
err
!=
nil
{
if
err
:=
certutil
.
WriteCert
(
certificatePath
,
EncodeCertPEM
(
cert
));
err
!=
nil
{
return
errors
.
Wrapf
(
err
,
"unable to write certificate to file %s"
,
certificatePath
)
return
errors
.
Wrapf
(
err
,
"unable to write certificate to file %s"
,
certificatePath
)
}
}
...
@@ -159,7 +175,7 @@ func WritePublicKey(pkiPath, name string, key *rsa.PublicKey) error {
...
@@ -159,7 +175,7 @@ func WritePublicKey(pkiPath, name string, key *rsa.PublicKey) error {
return
errors
.
New
(
"public key cannot be nil when writing to file"
)
return
errors
.
New
(
"public key cannot be nil when writing to file"
)
}
}
publicKeyBytes
,
err
:=
certutil
.
EncodePublicKeyPEM
(
key
)
publicKeyBytes
,
err
:=
EncodePublicKeyPEM
(
key
)
if
err
!=
nil
{
if
err
!=
nil
{
return
err
return
err
}
}
...
@@ -504,3 +520,63 @@ func NewCSR(cfg certutil.Config, key crypto.Signer) (*x509.CertificateRequest, e
...
@@ -504,3 +520,63 @@ func NewCSR(cfg certutil.Config, key crypto.Signer) (*x509.CertificateRequest, e
return
x509
.
ParseCertificateRequest
(
csrBytes
)
return
x509
.
ParseCertificateRequest
(
csrBytes
)
}
}
// EncodeCertPEM returns PEM-endcoded certificate data
func
EncodeCertPEM
(
cert
*
x509
.
Certificate
)
[]
byte
{
block
:=
pem
.
Block
{
Type
:
CertificateBlockType
,
Bytes
:
cert
.
Raw
,
}
return
pem
.
EncodeToMemory
(
&
block
)
}
// EncodePublicKeyPEM returns PEM-encoded public data
func
EncodePublicKeyPEM
(
key
*
rsa
.
PublicKey
)
([]
byte
,
error
)
{
der
,
err
:=
x509
.
MarshalPKIXPublicKey
(
key
)
if
err
!=
nil
{
return
[]
byte
{},
err
}
block
:=
pem
.
Block
{
Type
:
PublicKeyBlockType
,
Bytes
:
der
,
}
return
pem
.
EncodeToMemory
(
&
block
),
nil
}
// NewPrivateKey creates an RSA private key
func
NewPrivateKey
()
(
*
rsa
.
PrivateKey
,
error
)
{
return
rsa
.
GenerateKey
(
cryptorand
.
Reader
,
rsaKeySize
)
}
// NewSignedCert creates a signed certificate using the given CA certificate and key
func
NewSignedCert
(
cfg
*
certutil
.
Config
,
key
crypto
.
Signer
,
caCert
*
x509
.
Certificate
,
caKey
crypto
.
Signer
)
(
*
x509
.
Certificate
,
error
)
{
serial
,
err
:=
rand
.
Int
(
rand
.
Reader
,
new
(
big
.
Int
)
.
SetInt64
(
math
.
MaxInt64
))
if
err
!=
nil
{
return
nil
,
err
}
if
len
(
cfg
.
CommonName
)
==
0
{
return
nil
,
errors
.
New
(
"must specify a CommonName"
)
}
if
len
(
cfg
.
Usages
)
==
0
{
return
nil
,
errors
.
New
(
"must specify at least one ExtKeyUsage"
)
}
certTmpl
:=
x509
.
Certificate
{
Subject
:
pkix
.
Name
{
CommonName
:
cfg
.
CommonName
,
Organization
:
cfg
.
Organization
,
},
DNSNames
:
cfg
.
AltNames
.
DNSNames
,
IPAddresses
:
cfg
.
AltNames
.
IPs
,
SerialNumber
:
serial
,
NotBefore
:
caCert
.
NotBefore
,
NotAfter
:
time
.
Now
()
.
Add
(
duration365d
)
.
UTC
(),
KeyUsage
:
x509
.
KeyUsageKeyEncipherment
|
x509
.
KeyUsageDigitalSignature
,
ExtKeyUsage
:
cfg
.
Usages
,
}
certDERBytes
,
err
:=
x509
.
CreateCertificate
(
cryptorand
.
Reader
,
&
certTmpl
,
caCert
,
key
.
Public
(),
caKey
)
if
err
!=
nil
{
return
nil
,
err
}
return
x509
.
ParseCertificate
(
certDERBytes
)
}
staging/src/k8s.io/client-go/util/cert/cert.go
View file @
7c37e91a
...
@@ -21,16 +21,13 @@ import (
...
@@ -21,16 +21,13 @@ import (
"crypto"
"crypto"
"crypto/ecdsa"
"crypto/ecdsa"
"crypto/elliptic"
"crypto/elliptic"
"crypto/rand"
cryptorand
"crypto/rand"
cryptorand
"crypto/rand"
"crypto/rsa"
"crypto/rsa"
"crypto/x509"
"crypto/x509"
"crypto/x509/pkix"
"crypto/x509/pkix"
"encoding/pem"
"encoding/pem"
"errors"
"fmt"
"fmt"
"io/ioutil"
"io/ioutil"
"math"
"math/big"
"math/big"
"net"
"net"
"path"
"path"
...
@@ -39,7 +36,6 @@ import (
...
@@ -39,7 +36,6 @@ import (
)
)
const
(
const
(
rsaKeySize
=
2048
duration365d
=
time
.
Hour
*
24
*
365
duration365d
=
time
.
Hour
*
24
*
365
)
)
...
@@ -59,11 +55,6 @@ type AltNames struct {
...
@@ -59,11 +55,6 @@ type AltNames struct {
IPs
[]
net
.
IP
IPs
[]
net
.
IP
}
}
// NewPrivateKey creates an RSA private key
func
NewPrivateKey
()
(
*
rsa
.
PrivateKey
,
error
)
{
return
rsa
.
GenerateKey
(
cryptorand
.
Reader
,
rsaKeySize
)
}
// NewSelfSignedCACert creates a CA certificate
// NewSelfSignedCACert creates a CA certificate
func
NewSelfSignedCACert
(
cfg
Config
,
key
crypto
.
Signer
)
(
*
x509
.
Certificate
,
error
)
{
func
NewSelfSignedCACert
(
cfg
Config
,
key
crypto
.
Signer
)
(
*
x509
.
Certificate
,
error
)
{
now
:=
time
.
Now
()
now
:=
time
.
Now
()
...
@@ -87,39 +78,6 @@ func NewSelfSignedCACert(cfg Config, key crypto.Signer) (*x509.Certificate, erro
...
@@ -87,39 +78,6 @@ func NewSelfSignedCACert(cfg Config, key crypto.Signer) (*x509.Certificate, erro
return
x509
.
ParseCertificate
(
certDERBytes
)
return
x509
.
ParseCertificate
(
certDERBytes
)
}
}
// NewSignedCert creates a signed certificate using the given CA certificate and key
func
NewSignedCert
(
cfg
Config
,
key
crypto
.
Signer
,
caCert
*
x509
.
Certificate
,
caKey
crypto
.
Signer
)
(
*
x509
.
Certificate
,
error
)
{
serial
,
err
:=
rand
.
Int
(
rand
.
Reader
,
new
(
big
.
Int
)
.
SetInt64
(
math
.
MaxInt64
))
if
err
!=
nil
{
return
nil
,
err
}
if
len
(
cfg
.
CommonName
)
==
0
{
return
nil
,
errors
.
New
(
"must specify a CommonName"
)
}
if
len
(
cfg
.
Usages
)
==
0
{
return
nil
,
errors
.
New
(
"must specify at least one ExtKeyUsage"
)
}
certTmpl
:=
x509
.
Certificate
{
Subject
:
pkix
.
Name
{
CommonName
:
cfg
.
CommonName
,
Organization
:
cfg
.
Organization
,
},
DNSNames
:
cfg
.
AltNames
.
DNSNames
,
IPAddresses
:
cfg
.
AltNames
.
IPs
,
SerialNumber
:
serial
,
NotBefore
:
caCert
.
NotBefore
,
NotAfter
:
time
.
Now
()
.
Add
(
duration365d
)
.
UTC
(),
KeyUsage
:
x509
.
KeyUsageKeyEncipherment
|
x509
.
KeyUsageDigitalSignature
,
ExtKeyUsage
:
cfg
.
Usages
,
}
certDERBytes
,
err
:=
x509
.
CreateCertificate
(
cryptorand
.
Reader
,
&
certTmpl
,
caCert
,
key
.
Public
(),
caKey
)
if
err
!=
nil
{
return
nil
,
err
}
return
x509
.
ParseCertificate
(
certDERBytes
)
}
// MakeEllipticPrivateKeyPEM creates an ECDSA private key
// MakeEllipticPrivateKeyPEM creates an ECDSA private key
func
MakeEllipticPrivateKeyPEM
()
([]
byte
,
error
)
{
func
MakeEllipticPrivateKeyPEM
()
([]
byte
,
error
)
{
privateKey
,
err
:=
ecdsa
.
GenerateKey
(
elliptic
.
P256
(),
cryptorand
.
Reader
)
privateKey
,
err
:=
ecdsa
.
GenerateKey
(
elliptic
.
P256
(),
cryptorand
.
Reader
)
...
...
staging/src/k8s.io/client-go/util/cert/pem.go
View file @
7c37e91a
...
@@ -26,51 +26,19 @@ import (
...
@@ -26,51 +26,19 @@ import (
)
)
const
(
const
(
// ECPrivateKeyBlockType is a possible value for pem.Block.Type.
// ECPrivateKeyBlockType is a possible value for pem.Block.Type.
ECPrivateKeyBlockType
=
"EC PRIVATE KEY"
ECPrivateKeyBlockType
=
"EC PRIVATE KEY"
// RSAPrivateKeyBlockType is a possible value for pem.Block.Type.
// RSAPrivateKeyBlockType is a possible value for pem.Block.Type.
RSAPrivateKeyBlockType
=
"RSA PRIVATE KEY"
RSAPrivateKeyBlockType
=
"RSA PRIVATE KEY"
// PrivateKeyBlockType is a possible value for pem.Block.Type.
PrivateKeyBlockType
=
"PRIVATE KEY"
// PublicKeyBlockType is a possible value for pem.Block.Type.
PublicKeyBlockType
=
"PUBLIC KEY"
// CertificateBlockType is a possible value for pem.Block.Type.
CertificateBlockType
=
"CERTIFICATE"
// CertificateRequestBlockType is a possible value for pem.Block.Type.
// CertificateRequestBlockType is a possible value for pem.Block.Type.
CertificateRequestBlockType
=
"CERTIFICATE REQUEST"
CertificateRequestBlockType
=
"CERTIFICATE REQUEST"
// CertificateBlockType is a possible value for pem.Block.Type.
CertificateBlockType
=
"CERTIFICATE"
// PrivateKeyBlockType is a possible value for pem.Block.Type.
PrivateKeyBlockType
=
"PRIVATE KEY"
)
)
// EncodePublicKeyPEM returns PEM-encoded public data
func
EncodePublicKeyPEM
(
key
*
rsa
.
PublicKey
)
([]
byte
,
error
)
{
der
,
err
:=
x509
.
MarshalPKIXPublicKey
(
key
)
if
err
!=
nil
{
return
[]
byte
{},
err
}
block
:=
pem
.
Block
{
Type
:
PublicKeyBlockType
,
Bytes
:
der
,
}
return
pem
.
EncodeToMemory
(
&
block
),
nil
}
// EncodePrivateKeyPEM returns PEM-encoded private key data
func
EncodePrivateKeyPEM
(
key
*
rsa
.
PrivateKey
)
[]
byte
{
block
:=
pem
.
Block
{
Type
:
RSAPrivateKeyBlockType
,
Bytes
:
x509
.
MarshalPKCS1PrivateKey
(
key
),
}
return
pem
.
EncodeToMemory
(
&
block
)
}
// EncodeCertPEM returns PEM-endcoded certificate data
func
EncodeCertPEM
(
cert
*
x509
.
Certificate
)
[]
byte
{
block
:=
pem
.
Block
{
Type
:
CertificateBlockType
,
Bytes
:
cert
.
Raw
,
}
return
pem
.
EncodeToMemory
(
&
block
)
}
// ParsePrivateKeyPEM returns a private key parsed from a PEM block in the supplied data.
// ParsePrivateKeyPEM returns a private key parsed from a PEM block in the supplied data.
// Recognizes PEM blocks for "EC PRIVATE KEY", "RSA PRIVATE KEY", or "PRIVATE KEY"
// Recognizes PEM blocks for "EC PRIVATE KEY", "RSA PRIVATE KEY", or "PRIVATE KEY"
func
ParsePrivateKeyPEM
(
keyData
[]
byte
)
(
interface
{},
error
)
{
func
ParsePrivateKeyPEM
(
keyData
[]
byte
)
(
interface
{},
error
)
{
...
@@ -147,6 +115,15 @@ func ParsePublicKeysPEM(keyData []byte) ([]interface{}, error) {
...
@@ -147,6 +115,15 @@ func ParsePublicKeysPEM(keyData []byte) ([]interface{}, error) {
return
keys
,
nil
return
keys
,
nil
}
}
// EncodePrivateKeyPEM returns PEM-encoded private key data
func
EncodePrivateKeyPEM
(
key
*
rsa
.
PrivateKey
)
[]
byte
{
block
:=
pem
.
Block
{
Type
:
RSAPrivateKeyBlockType
,
Bytes
:
x509
.
MarshalPKCS1PrivateKey
(
key
),
}
return
pem
.
EncodeToMemory
(
&
block
)
}
// ParseCertsPEM returns the x509.Certificates contained in the given PEM-encoded byte array
// ParseCertsPEM returns the x509.Certificates contained in the given PEM-encoded byte array
// Returns an error if a certificate could not be parsed, or if the data does not contain any certificates
// Returns an error if a certificate could not be parsed, or if the data does not contain any certificates
func
ParseCertsPEM
(
pemCerts
[]
byte
)
([]
*
x509
.
Certificate
,
error
)
{
func
ParseCertsPEM
(
pemCerts
[]
byte
)
([]
*
x509
.
Certificate
,
error
)
{
...
...
test/e2e/apimachinery/BUILD
View file @
7c37e91a
...
@@ -27,6 +27,7 @@ go_library(
...
@@ -27,6 +27,7 @@ go_library(
],
],
importpath = "k8s.io/kubernetes/test/e2e/apimachinery",
importpath = "k8s.io/kubernetes/test/e2e/apimachinery",
deps = [
deps = [
"//cmd/kubeadm/app/util/pkiutil:go_default_library",
"//pkg/api/v1/pod:go_default_library",
"//pkg/api/v1/pod:go_default_library",
"//pkg/apis/rbac/v1beta1:go_default_library",
"//pkg/apis/rbac/v1beta1:go_default_library",
"//pkg/printers:go_default_library",
"//pkg/printers:go_default_library",
...
...
test/e2e/apimachinery/certs.go
View file @
7c37e91a
...
@@ -21,7 +21,8 @@ import (
...
@@ -21,7 +21,8 @@ import (
"io/ioutil"
"io/ioutil"
"os"
"os"
"k8s.io/client-go/util/cert"
certutil
"k8s.io/client-go/util/cert"
"k8s.io/kubernetes/cmd/kubeadm/app/util/pkiutil"
"k8s.io/kubernetes/test/e2e/framework"
"k8s.io/kubernetes/test/e2e/framework"
)
)
...
@@ -39,11 +40,11 @@ func setupServerCert(namespaceName, serviceName string) *certContext {
...
@@ -39,11 +40,11 @@ func setupServerCert(namespaceName, serviceName string) *certContext {
framework
.
Failf
(
"Failed to create a temp dir for cert generation %v"
,
err
)
framework
.
Failf
(
"Failed to create a temp dir for cert generation %v"
,
err
)
}
}
defer
os
.
RemoveAll
(
certDir
)
defer
os
.
RemoveAll
(
certDir
)
signingKey
,
err
:=
cert
.
NewPrivateKey
()
signingKey
,
err
:=
pkiutil
.
NewPrivateKey
()
if
err
!=
nil
{
if
err
!=
nil
{
framework
.
Failf
(
"Failed to create CA private key %v"
,
err
)
framework
.
Failf
(
"Failed to create CA private key %v"
,
err
)
}
}
signingCert
,
err
:=
cert
.
NewSelfSignedCACert
(
cert
.
Config
{
CommonName
:
"e2e-server-cert-ca"
},
signingKey
)
signingCert
,
err
:=
cert
util
.
NewSelfSignedCACert
(
certutil
.
Config
{
CommonName
:
"e2e-server-cert-ca"
},
signingKey
)
if
err
!=
nil
{
if
err
!=
nil
{
framework
.
Failf
(
"Failed to create CA cert for apiserver %v"
,
err
)
framework
.
Failf
(
"Failed to create CA cert for apiserver %v"
,
err
)
}
}
...
@@ -51,15 +52,15 @@ func setupServerCert(namespaceName, serviceName string) *certContext {
...
@@ -51,15 +52,15 @@ func setupServerCert(namespaceName, serviceName string) *certContext {
if
err
!=
nil
{
if
err
!=
nil
{
framework
.
Failf
(
"Failed to create a temp file for ca cert generation %v"
,
err
)
framework
.
Failf
(
"Failed to create a temp file for ca cert generation %v"
,
err
)
}
}
if
err
:=
ioutil
.
WriteFile
(
caCertFile
.
Name
(),
cert
.
EncodeCertPEM
(
signingCert
),
0644
);
err
!=
nil
{
if
err
:=
ioutil
.
WriteFile
(
caCertFile
.
Name
(),
pkiutil
.
EncodeCertPEM
(
signingCert
),
0644
);
err
!=
nil
{
framework
.
Failf
(
"Failed to write CA cert %v"
,
err
)
framework
.
Failf
(
"Failed to write CA cert %v"
,
err
)
}
}
key
,
err
:=
cert
.
NewPrivateKey
()
key
,
err
:=
pkiutil
.
NewPrivateKey
()
if
err
!=
nil
{
if
err
!=
nil
{
framework
.
Failf
(
"Failed to create private key for %v"
,
err
)
framework
.
Failf
(
"Failed to create private key for %v"
,
err
)
}
}
signedCert
,
err
:=
cert
.
NewSignedCert
(
signedCert
,
err
:=
pkiutil
.
NewSignedCert
(
cert
.
Config
{
&
certutil
.
Config
{
CommonName
:
serviceName
+
"."
+
namespaceName
+
".svc"
,
CommonName
:
serviceName
+
"."
+
namespaceName
+
".svc"
,
Usages
:
[]
x509
.
ExtKeyUsage
{
x509
.
ExtKeyUsageServerAuth
},
Usages
:
[]
x509
.
ExtKeyUsage
{
x509
.
ExtKeyUsageServerAuth
},
},
},
...
@@ -76,15 +77,15 @@ func setupServerCert(namespaceName, serviceName string) *certContext {
...
@@ -76,15 +77,15 @@ func setupServerCert(namespaceName, serviceName string) *certContext {
if
err
!=
nil
{
if
err
!=
nil
{
framework
.
Failf
(
"Failed to create a temp file for key generation %v"
,
err
)
framework
.
Failf
(
"Failed to create a temp file for key generation %v"
,
err
)
}
}
if
err
=
ioutil
.
WriteFile
(
certFile
.
Name
(),
cert
.
EncodeCertPEM
(
signedCert
),
0600
);
err
!=
nil
{
if
err
=
ioutil
.
WriteFile
(
certFile
.
Name
(),
pkiutil
.
EncodeCertPEM
(
signedCert
),
0600
);
err
!=
nil
{
framework
.
Failf
(
"Failed to write cert file %v"
,
err
)
framework
.
Failf
(
"Failed to write cert file %v"
,
err
)
}
}
if
err
=
ioutil
.
WriteFile
(
keyFile
.
Name
(),
cert
.
EncodePrivateKeyPEM
(
key
),
0644
);
err
!=
nil
{
if
err
=
ioutil
.
WriteFile
(
keyFile
.
Name
(),
cert
util
.
EncodePrivateKeyPEM
(
key
),
0644
);
err
!=
nil
{
framework
.
Failf
(
"Failed to write key file %v"
,
err
)
framework
.
Failf
(
"Failed to write key file %v"
,
err
)
}
}
return
&
certContext
{
return
&
certContext
{
cert
:
cert
.
EncodeCertPEM
(
signedCert
),
cert
:
pkiutil
.
EncodeCertPEM
(
signedCert
),
key
:
cert
.
EncodePrivateKeyPEM
(
key
),
key
:
cert
util
.
EncodePrivateKeyPEM
(
key
),
signingCert
:
cert
.
EncodeCertPEM
(
signingCert
),
signingCert
:
pkiutil
.
EncodeCertPEM
(
signingCert
),
}
}
}
}
test/e2e/auth/BUILD
View file @
7c37e91a
...
@@ -19,6 +19,7 @@ go_library(
...
@@ -19,6 +19,7 @@ go_library(
],
],
importpath = "k8s.io/kubernetes/test/e2e/auth",
importpath = "k8s.io/kubernetes/test/e2e/auth",
deps = [
deps = [
"//cmd/kubeadm/app/util/pkiutil:go_default_library",
"//pkg/master/ports:go_default_library",
"//pkg/master/ports:go_default_library",
"//pkg/security/apparmor:go_default_library",
"//pkg/security/apparmor:go_default_library",
"//pkg/security/podsecuritypolicy/seccomp:go_default_library",
"//pkg/security/podsecuritypolicy/seccomp:go_default_library",
...
...
test/e2e/auth/certificates.go
View file @
7c37e91a
...
@@ -22,14 +22,14 @@ import (
...
@@ -22,14 +22,14 @@ import (
"encoding/pem"
"encoding/pem"
"time"
"time"
.
"github.com/onsi/ginkgo"
"k8s.io/api/certificates/v1beta1"
"k8s.io/api/certificates/v1beta1"
metav1
"k8s.io/apimachinery/pkg/apis/meta/v1"
metav1
"k8s.io/apimachinery/pkg/apis/meta/v1"
"k8s.io/apimachinery/pkg/util/wait"
"k8s.io/apimachinery/pkg/util/wait"
v1beta1client
"k8s.io/client-go/kubernetes/typed/certificates/v1beta1"
v1beta1client
"k8s.io/client-go/kubernetes/typed/certificates/v1beta1"
"k8s.io/client-go/util/cert"
"k8s.io/client-go/util/cert"
pkiutil
"k8s.io/kubernetes/cmd/kubeadm/app/util/pkiutil"
"k8s.io/kubernetes/test/e2e/framework"
"k8s.io/kubernetes/test/e2e/framework"
.
"github.com/onsi/ginkgo"
)
)
var
_
=
SIGDescribe
(
"Certificates API"
,
func
()
{
var
_
=
SIGDescribe
(
"Certificates API"
,
func
()
{
...
@@ -38,7 +38,7 @@ var _ = SIGDescribe("Certificates API", func() {
...
@@ -38,7 +38,7 @@ var _ = SIGDescribe("Certificates API", func() {
It
(
"should support building a client with a CSR"
,
func
()
{
It
(
"should support building a client with a CSR"
,
func
()
{
const
commonName
=
"tester-csr"
const
commonName
=
"tester-csr"
pk
,
err
:=
cert
.
NewPrivateKey
()
pk
,
err
:=
pkiutil
.
NewPrivateKey
()
framework
.
ExpectNoError
(
err
)
framework
.
ExpectNoError
(
err
)
pkder
:=
x509
.
MarshalPKCS1PrivateKey
(
pk
)
pkder
:=
x509
.
MarshalPKCS1PrivateKey
(
pk
)
...
...
test/integration/examples/BUILD
View file @
7c37e91a
...
@@ -17,6 +17,7 @@ go_test(
...
@@ -17,6 +17,7 @@ go_test(
deps = [
deps = [
"//cmd/kube-apiserver/app:go_default_library",
"//cmd/kube-apiserver/app:go_default_library",
"//cmd/kube-apiserver/app/options:go_default_library",
"//cmd/kube-apiserver/app/options:go_default_library",
"//cmd/kubeadm/app/util/pkiutil:go_default_library",
"//pkg/master:go_default_library",
"//pkg/master:go_default_library",
"//pkg/master/reconcilers:go_default_library",
"//pkg/master/reconcilers:go_default_library",
"//staging/src/k8s.io/api/admissionregistration/v1beta1:go_default_library",
"//staging/src/k8s.io/api/admissionregistration/v1beta1:go_default_library",
...
...
test/integration/examples/apiserver_test.go
View file @
7c37e91a
...
@@ -42,12 +42,13 @@ import (
...
@@ -42,12 +42,13 @@ import (
"k8s.io/client-go/rest"
"k8s.io/client-go/rest"
"k8s.io/client-go/tools/clientcmd"
"k8s.io/client-go/tools/clientcmd"
clientcmdapi
"k8s.io/client-go/tools/clientcmd/api"
clientcmdapi
"k8s.io/client-go/tools/clientcmd/api"
"k8s.io/client-go/util/cert"
certutil
"k8s.io/client-go/util/cert"
apiregistrationv1beta1
"k8s.io/kube-aggregator/pkg/apis/apiregistration/v1beta1"
apiregistrationv1beta1
"k8s.io/kube-aggregator/pkg/apis/apiregistration/v1beta1"
aggregatorclient
"k8s.io/kube-aggregator/pkg/client/clientset_generated/clientset"
aggregatorclient
"k8s.io/kube-aggregator/pkg/client/clientset_generated/clientset"
kubeaggregatorserver
"k8s.io/kube-aggregator/pkg/cmd/server"
kubeaggregatorserver
"k8s.io/kube-aggregator/pkg/cmd/server"
"k8s.io/kubernetes/cmd/kube-apiserver/app"
"k8s.io/kubernetes/cmd/kube-apiserver/app"
"k8s.io/kubernetes/cmd/kube-apiserver/app/options"
"k8s.io/kubernetes/cmd/kube-apiserver/app/options"
pkiutil
"k8s.io/kubernetes/cmd/kubeadm/app/util/pkiutil"
"k8s.io/kubernetes/test/integration/framework"
"k8s.io/kubernetes/test/integration/framework"
wardlev1alpha1
"k8s.io/sample-apiserver/pkg/apis/wardle/v1alpha1"
wardlev1alpha1
"k8s.io/sample-apiserver/pkg/apis/wardle/v1alpha1"
wardlev1beta1
"k8s.io/sample-apiserver/pkg/apis/wardle/v1beta1"
wardlev1beta1
"k8s.io/sample-apiserver/pkg/apis/wardle/v1beta1"
...
@@ -61,28 +62,28 @@ func TestAggregatedAPIServer(t *testing.T) {
...
@@ -61,28 +62,28 @@ func TestAggregatedAPIServer(t *testing.T) {
certDir
,
_
:=
ioutil
.
TempDir
(
""
,
"test-integration-apiserver"
)
certDir
,
_
:=
ioutil
.
TempDir
(
""
,
"test-integration-apiserver"
)
defer
os
.
RemoveAll
(
certDir
)
defer
os
.
RemoveAll
(
certDir
)
_
,
defaultServiceClusterIPRange
,
_
:=
net
.
ParseCIDR
(
"10.0.0.0/24"
)
_
,
defaultServiceClusterIPRange
,
_
:=
net
.
ParseCIDR
(
"10.0.0.0/24"
)
proxySigningKey
,
err
:=
cert
.
NewPrivateKey
()
proxySigningKey
,
err
:=
pkiutil
.
NewPrivateKey
()
if
err
!=
nil
{
if
err
!=
nil
{
t
.
Fatal
(
err
)
t
.
Fatal
(
err
)
}
}
proxySigningCert
,
err
:=
cert
.
NewSelfSignedCACert
(
cert
.
Config
{
CommonName
:
"front-proxy-ca"
},
proxySigningKey
)
proxySigningCert
,
err
:=
cert
util
.
NewSelfSignedCACert
(
certutil
.
Config
{
CommonName
:
"front-proxy-ca"
},
proxySigningKey
)
if
err
!=
nil
{
if
err
!=
nil
{
t
.
Fatal
(
err
)
t
.
Fatal
(
err
)
}
}
proxyCACertFile
,
_
:=
ioutil
.
TempFile
(
certDir
,
"proxy-ca.crt"
)
proxyCACertFile
,
_
:=
ioutil
.
TempFile
(
certDir
,
"proxy-ca.crt"
)
if
err
:=
ioutil
.
WriteFile
(
proxyCACertFile
.
Name
(),
cert
.
EncodeCertPEM
(
proxySigningCert
),
0644
);
err
!=
nil
{
if
err
:=
ioutil
.
WriteFile
(
proxyCACertFile
.
Name
(),
pkiutil
.
EncodeCertPEM
(
proxySigningCert
),
0644
);
err
!=
nil
{
t
.
Fatal
(
err
)
t
.
Fatal
(
err
)
}
}
clientSigningKey
,
err
:=
cert
.
NewPrivateKey
()
clientSigningKey
,
err
:=
pkiutil
.
NewPrivateKey
()
if
err
!=
nil
{
if
err
!=
nil
{
t
.
Fatal
(
err
)
t
.
Fatal
(
err
)
}
}
clientSigningCert
,
err
:=
cert
.
NewSelfSignedCACert
(
cert
.
Config
{
CommonName
:
"client-ca"
},
clientSigningKey
)
clientSigningCert
,
err
:=
cert
util
.
NewSelfSignedCACert
(
certutil
.
Config
{
CommonName
:
"client-ca"
},
clientSigningKey
)
if
err
!=
nil
{
if
err
!=
nil
{
t
.
Fatal
(
err
)
t
.
Fatal
(
err
)
}
}
clientCACertFile
,
_
:=
ioutil
.
TempFile
(
certDir
,
"client-ca.crt"
)
clientCACertFile
,
_
:=
ioutil
.
TempFile
(
certDir
,
"client-ca.crt"
)
if
err
:=
ioutil
.
WriteFile
(
clientCACertFile
.
Name
(),
cert
.
EncodeCertPEM
(
clientSigningCert
),
0644
);
err
!=
nil
{
if
err
:=
ioutil
.
WriteFile
(
clientCACertFile
.
Name
(),
pkiutil
.
EncodeCertPEM
(
clientSigningCert
),
0644
);
err
!=
nil
{
t
.
Fatal
(
err
)
t
.
Fatal
(
err
)
}
}
...
@@ -234,12 +235,12 @@ func TestAggregatedAPIServer(t *testing.T) {
...
@@ -234,12 +235,12 @@ func TestAggregatedAPIServer(t *testing.T) {
// start the aggregator
// start the aggregator
aggregatorCertDir
,
_
:=
ioutil
.
TempDir
(
""
,
"test-integration-aggregator"
)
aggregatorCertDir
,
_
:=
ioutil
.
TempDir
(
""
,
"test-integration-aggregator"
)
defer
os
.
RemoveAll
(
aggregatorCertDir
)
defer
os
.
RemoveAll
(
aggregatorCertDir
)
proxyClientKey
,
err
:=
cert
.
NewPrivateKey
()
proxyClientKey
,
err
:=
pkiutil
.
NewPrivateKey
()
if
err
!=
nil
{
if
err
!=
nil
{
t
.
Fatal
(
err
)
t
.
Fatal
(
err
)
}
}
proxyClientCert
,
err
:=
cert
.
NewSignedCert
(
proxyClientCert
,
err
:=
pkiutil
.
NewSignedCert
(
cert
.
Config
{
&
certutil
.
Config
{
CommonName
:
"kube-aggregator"
,
CommonName
:
"kube-aggregator"
,
Usages
:
[]
x509
.
ExtKeyUsage
{
x509
.
ExtKeyUsageClientAuth
},
Usages
:
[]
x509
.
ExtKeyUsage
{
x509
.
ExtKeyUsageClientAuth
},
},
},
...
@@ -247,10 +248,10 @@ func TestAggregatedAPIServer(t *testing.T) {
...
@@ -247,10 +248,10 @@ func TestAggregatedAPIServer(t *testing.T) {
)
)
proxyClientCertFile
,
_
:=
ioutil
.
TempFile
(
aggregatorCertDir
,
"proxy-client.crt"
)
proxyClientCertFile
,
_
:=
ioutil
.
TempFile
(
aggregatorCertDir
,
"proxy-client.crt"
)
proxyClientKeyFile
,
_
:=
ioutil
.
TempFile
(
aggregatorCertDir
,
"proxy-client.key"
)
proxyClientKeyFile
,
_
:=
ioutil
.
TempFile
(
aggregatorCertDir
,
"proxy-client.key"
)
if
err
:=
ioutil
.
WriteFile
(
proxyClientCertFile
.
Name
(),
cert
.
EncodeCertPEM
(
proxyClientCert
),
0600
);
err
!=
nil
{
if
err
:=
ioutil
.
WriteFile
(
proxyClientCertFile
.
Name
(),
pkiutil
.
EncodeCertPEM
(
proxyClientCert
),
0600
);
err
!=
nil
{
t
.
Fatal
(
err
)
t
.
Fatal
(
err
)
}
}
if
err
:=
ioutil
.
WriteFile
(
proxyClientKeyFile
.
Name
(),
cert
.
EncodePrivateKeyPEM
(
proxyClientKey
),
0644
);
err
!=
nil
{
if
err
:=
ioutil
.
WriteFile
(
proxyClientKeyFile
.
Name
(),
cert
util
.
EncodePrivateKeyPEM
(
proxyClientKey
),
0644
);
err
!=
nil
{
t
.
Fatal
(
err
)
t
.
Fatal
(
err
)
}
}
aggregatorPort
:=
new
(
int32
)
aggregatorPort
:=
new
(
int32
)
...
...
test/integration/framework/BUILD
View file @
7c37e91a
...
@@ -22,6 +22,7 @@ go_library(
...
@@ -22,6 +22,7 @@ go_library(
deps = [
deps = [
"//cmd/kube-apiserver/app:go_default_library",
"//cmd/kube-apiserver/app:go_default_library",
"//cmd/kube-apiserver/app/options:go_default_library",
"//cmd/kube-apiserver/app/options:go_default_library",
"//cmd/kubeadm/app/util/pkiutil:go_default_library",
"//pkg/api/legacyscheme:go_default_library",
"//pkg/api/legacyscheme:go_default_library",
"//pkg/api/testapi:go_default_library",
"//pkg/api/testapi:go_default_library",
"//pkg/apis/batch:go_default_library",
"//pkg/apis/batch:go_default_library",
...
...
test/integration/framework/test_server.go
View file @
7c37e91a
...
@@ -32,9 +32,11 @@ import (
...
@@ -32,9 +32,11 @@ import (
genericapiserveroptions
"k8s.io/apiserver/pkg/server/options"
genericapiserveroptions
"k8s.io/apiserver/pkg/server/options"
client
"k8s.io/client-go/kubernetes"
client
"k8s.io/client-go/kubernetes"
"k8s.io/client-go/rest"
"k8s.io/client-go/rest"
"k8s.io/client-go/util/cert"
certutil
"k8s.io/client-go/util/cert"
"k8s.io/kubernetes/cmd/kube-apiserver/app"
"k8s.io/kubernetes/cmd/kube-apiserver/app"
"k8s.io/kubernetes/cmd/kube-apiserver/app/options"
"k8s.io/kubernetes/cmd/kube-apiserver/app/options"
pkiutil
"k8s.io/kubernetes/cmd/kubeadm/app/util/pkiutil"
"k8s.io/kubernetes/pkg/master"
"k8s.io/kubernetes/pkg/master"
)
)
...
@@ -52,28 +54,28 @@ func StartTestServer(t *testing.T, stopCh <-chan struct{}, setup TestServerSetup
...
@@ -52,28 +54,28 @@ func StartTestServer(t *testing.T, stopCh <-chan struct{}, setup TestServerSetup
}()
}()
_
,
defaultServiceClusterIPRange
,
_
:=
net
.
ParseCIDR
(
"10.0.0.0/24"
)
_
,
defaultServiceClusterIPRange
,
_
:=
net
.
ParseCIDR
(
"10.0.0.0/24"
)
proxySigningKey
,
err
:=
cert
.
NewPrivateKey
()
proxySigningKey
,
err
:=
pkiutil
.
NewPrivateKey
()
if
err
!=
nil
{
if
err
!=
nil
{
t
.
Fatal
(
err
)
t
.
Fatal
(
err
)
}
}
proxySigningCert
,
err
:=
cert
.
NewSelfSignedCACert
(
cert
.
Config
{
CommonName
:
"front-proxy-ca"
},
proxySigningKey
)
proxySigningCert
,
err
:=
cert
util
.
NewSelfSignedCACert
(
certutil
.
Config
{
CommonName
:
"front-proxy-ca"
},
proxySigningKey
)
if
err
!=
nil
{
if
err
!=
nil
{
t
.
Fatal
(
err
)
t
.
Fatal
(
err
)
}
}
proxyCACertFile
,
_
:=
ioutil
.
TempFile
(
certDir
,
"proxy-ca.crt"
)
proxyCACertFile
,
_
:=
ioutil
.
TempFile
(
certDir
,
"proxy-ca.crt"
)
if
err
:=
ioutil
.
WriteFile
(
proxyCACertFile
.
Name
(),
cert
.
EncodeCertPEM
(
proxySigningCert
),
0644
);
err
!=
nil
{
if
err
:=
ioutil
.
WriteFile
(
proxyCACertFile
.
Name
(),
pkiutil
.
EncodeCertPEM
(
proxySigningCert
),
0644
);
err
!=
nil
{
t
.
Fatal
(
err
)
t
.
Fatal
(
err
)
}
}
clientSigningKey
,
err
:=
cert
.
NewPrivateKey
()
clientSigningKey
,
err
:=
pkiutil
.
NewPrivateKey
()
if
err
!=
nil
{
if
err
!=
nil
{
t
.
Fatal
(
err
)
t
.
Fatal
(
err
)
}
}
clientSigningCert
,
err
:=
cert
.
NewSelfSignedCACert
(
cert
.
Config
{
CommonName
:
"client-ca"
},
clientSigningKey
)
clientSigningCert
,
err
:=
cert
util
.
NewSelfSignedCACert
(
certutil
.
Config
{
CommonName
:
"client-ca"
},
clientSigningKey
)
if
err
!=
nil
{
if
err
!=
nil
{
t
.
Fatal
(
err
)
t
.
Fatal
(
err
)
}
}
clientCACertFile
,
_
:=
ioutil
.
TempFile
(
certDir
,
"client-ca.crt"
)
clientCACertFile
,
_
:=
ioutil
.
TempFile
(
certDir
,
"client-ca.crt"
)
if
err
:=
ioutil
.
WriteFile
(
clientCACertFile
.
Name
(),
cert
.
EncodeCertPEM
(
clientSigningCert
),
0644
);
err
!=
nil
{
if
err
:=
ioutil
.
WriteFile
(
clientCACertFile
.
Name
(),
pkiutil
.
EncodeCertPEM
(
clientSigningCert
),
0644
);
err
!=
nil
{
t
.
Fatal
(
err
)
t
.
Fatal
(
err
)
}
}
...
...
Write
Preview
Markdown
is supported
0%
Try again
or
attach a new file
Attach a file
Cancel
You are about to add
0
people
to the discussion. Proceed with caution.
Finish editing this message first!
Cancel
Please
register
or
sign in
to comment