From f21402b93adae2162b2cf6d57dda5c3350bd9995 Mon Sep 17 00:00:00 2001
From: haozi007
Date: Sat, 11 Sep 2021 11:04:10 +0100
Subject: [PATCH 4/4] update cert of ca 1. support external ca; 2. default expired time change to 100 years; 3. support remote yaml;
Signed-off-by: haozi007
---
 .../binary/controlplane/controlplane.go | 20 +++++++++++++++++--
 .../binary/etcdcluster/etcdcerts.go | 13 ++++++++++++
 pkg/utils/certs/certs.go | 4 ++--
 pkg/utils/certs/localcerts.go | 2 +-
 pkg/utils/dependency/dependency.go | 8 ++++++++
 5 files changed, 42 insertions(+), 5 deletions(-)
diff --git a/pkg/clusterdeployment/binary/controlplane/controlplane.go b/pkg/clusterdeployment/binary/controlplane/controlplane.go
index 2296c57..9c591c4 100644
--- a/pkg/clusterdeployment/binary/controlplane/controlplane.go
+++ b/pkg/clusterdeployment/binary/controlplane/controlplane.go
@@ -284,7 +284,7 @@ func generateCerts(savePath string, cg certs.CertGenerator, ccfg *api.ClusterCon
 return generateFrontProxyClientCertificate(savePath, cg)
 }
-func prepareCAs(lcg certs.CertGenerator, savePath string) error {
+func prepareCAs(lcg certs.CertGenerator, savePath string, ccfg *api.ClusterConfig) error {
 if _, err := lcg.RunCommand(fmt.Sprintf("mkdir -p -m 0700 %s", savePath)); err != nil {
 logrus.Errorf("prepare certificates store path failed: %v", err)
 return err
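Review bot: The widened `prepareCAs` signature carries no doc comment, and nothing in this hunk guards the new `ccfg` parameter before its fields are read further down in the body (the body continues outside the hunk). Suggest `// prepareCAs creates the cluster CAs under savePath; when ccfg.Certificate.ExternalCA is set, the root and front-proxy CA certificate and key are first copied from ccfg.Certificate.ExternalCAPath.` above the signature, plus `if ccfg == nil { return fmt.Errorf("prepareCAs: nil cluster config") }` as the first statement, since the only caller shown (`prepareCredentials`) forwards its own pointer parameter unchecked.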
@@ -293,6 +293,22 @@ func prepareCAs(lcg certs.CertGenerator, savePath string) error {
 if err := lcg.CreateServiceAccount(savePath); err != nil {
 return err
 }
+
+ if ccfg.Certificate.ExternalCA {
+ getStrCmd := func(name string) string {
+ return fmt.Sprintf("cp -f %s/%s %s/%s %s", ccfg.Certificate.ExternalCAPath, certs.GetKeyName(name),
+ ccfg.Certificate.ExternalCAPath, certs.GetCertName(name), savePath)
+ }
+
+ if _, err := lcg.RunCommand(getStrCmd(RootCAName)); err != nil {
+ return err
+ }
+
+ if _, err := lcg.RunCommand(getStrCmd(FrontProxyCAName)); err != nil {
+ return err
+ }
+ }
+
 // create root ca
 caConfig := &certs.CertConfig{
 CommonName: "kubernetes",
@@ -342,7 +358,7 @@ func createAdminKubeConfigForEggo(lcg certs.CertGenerator, caPath string, savePa
 func prepareCredentials(clusterName string, ccfg *api.ClusterConfig) error {
 lcg := certs.NewLocalCertGenerator()
 caPath := api.GetCertificateStorePath(clusterName)
- if err := prepareCAs(lcg, caPath); err != nil {
+ if err := prepareCAs(lcg, caPath, ccfg); err != nil {
 return err
 }
 return createAdminKubeConfigForEggo(lcg, caPath, api.GetClusterHomePath(clusterName), ccfg)
diff --git a/pkg/clusterdeployment/binary/etcdcluster/etcdcerts.go b/pkg/clusterdeployment/binary/etcdcluster/etcdcerts.go
index 00f6116..29aeea7 100644
--- a/pkg/clusterdeployment/binary/etcdcluster/etcdcerts.go
+++ b/pkg/clusterdeployment/binary/etcdcluster/etcdcerts.go
@@ -17,6 +17,7 @@ package etcdcluster
 import (
 "crypto/x509"
+ "fmt"
 "path/filepath"
 "isula.org/eggo/pkg/api"
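Review bot: `ccfg.Certificate.ExternalCAPath` is a new operator-supplied value that `getStrCmd` interpolates unquoted into a `cp -f` shell line, so a path with whitespace or shell metacharacters changes the command rather than failing cleanly; validate it before use, e.g. `if !filepath.IsAbs(ccfg.Certificate.ExternalCAPath) { return fmt.Errorf("external CA path must be absolute: %q", ccfg.Certificate.ExternalCAPath) }`, and pass `filepath.Clean` of it (or quote the arguments). The copy is immediately followed by the unchanged `// create root ca` sequence, and this hunk does not show whether that generation is skipped when `ExternalCA` is set, so please confirm it does not overwrite the files just copied. `cp -f` also keeps whatever mode the source key has; the directory is 0700 from the earlier mkdir, but the copied key file should end up 0600 (for example via `install -m 0600` rather than `cp -f`). The same unquoted-path pattern appears in the etcdcerts.go hunk below.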
@@ -98,6 +99,18 @@ func generateCaAndApiserverEtcdCerts(ccfg *api.ClusterConfig) error {
 caConfig := &certs.CertConfig{
 CommonName: "etcd-ca",
 }
+
+ if ccfg.Certificate.ExternalCA {
+ _, err := lcg.RunCommand(fmt.Sprintf("mkdir -p -m 0700 %s && cp -f %s/etcd/%s %s", etcdCertsPath, ccfg.Certificate.ExternalCAPath, certs.GetCertName("ca"), etcdCertsPath))
+ if err != nil {
+ return err
+ }
+ _, err = lcg.RunCommand(fmt.Sprintf("cp -f %s/etcd/%s %s", ccfg.Certificate.ExternalCAPath, certs.GetKeyName("ca"), etcdCertsPath))
+ if err != nil {
+ return err
+ }
+ }
+
 if err := lcg.CreateCA(caConfig, etcdCertsPath, "ca"); err != nil {
 return err
 }
diff --git a/pkg/utils/certs/certs.go b/pkg/utils/certs/certs.go
index 0f16f7f..e57cfe8 100644
--- a/pkg/utils/certs/certs.go
+++ b/pkg/utils/certs/certs.go
@@ -123,7 +123,7 @@ func (o *OpensshBinCertGenerator) CreateCA(config *CertConfig, savePath string,
 sb.WriteString("sudo -E /bin/sh -c \"")
 sb.WriteString(fmt.Sprintf("mkdir -p %s && cd %s", savePath, savePath))
 sb.WriteString(fmt.Sprintf(" && openssl genrsa -out %s.key 4096", name))
- sb.WriteString(fmt.Sprintf(" && openssl req -x509 -new -nodes -key %s.key -subj \"%s\" -days 10000 -out %s.crt", name, getSubject(config), name))
+ sb.WriteString(fmt.Sprintf(" && openssl req -x509 -new -nodes -key %s.key -subj \"%s\" -days 36500 -out %s.crt", name, getSubject(config), name))
 sb.WriteString("\"")
 _, err := o.r.RunCommand(sb.String())
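Review bot: After the external etcd CA is copied into `etcdCertsPath`, the unchanged `lcg.CreateCA(caConfig, etcdCertsPath, "ca")` on the very next line still runs, so unless CreateCA skips existing files (not visible here) it regenerates the `ca` key and certificate and silently replaces the CA that was just copied. Guard the generation instead: `if !ccfg.Certificate.ExternalCA { if err := lcg.CreateCA(caConfig, etcdCertsPath, "ca"); err != nil { return err } }`. The two `RunCommand` calls could be one, and the `_, err :=` / `err =` pair would read better as `if _, err := lcg.RunCommand(...); err != nil { return err }`, matching the style of the controlplane hunk. As there, `ccfg.Certificate.ExternalCAPath` enters the shell line unquoted and unvalidated.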
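Review bot: The 100-year validity is a bare literal now repeated in three places — `-days 36500` here in CreateCA, `-days 36500` in CreateCertAndKey (next hunk), and `time.Hour * 24 * 36500` in localcerts.go — so they can drift apart again just as 10000 and 365 had; hoist it into one package-level `const defaultCertValidityDays = 36500` (or a CertConfig field) and derive every use from it. A certificate that effectively never expires also means the apiserver, etcd and node leaf certificates signed here are never rotated; since the commit message calls this a default, a configurable duration would be the better shape than simply a longer constant. For leaf certificates `-days` should in any case not exceed the signing CA's remaining validity, which matters now that an externally supplied CA of unknown lifetime can be used.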
@@ -184,7 +184,7 @@ func (o *OpensshBinCertGenerator) CreateCertAndKey(caCertPath, caKeyPath string,
 sb.WriteString("sudo -E /bin/sh -c \"")
 sb.WriteString(fmt.Sprintf("cd %s && openssl genrsa -out %s.key 4096", savePath, name))
 sb.WriteString(fmt.Sprintf(" && openssl req -new -key %s.key -out %s.csr -config %s/%s-csr.conf", name, name, savePath, name))
- sb.WriteString(fmt.Sprintf(" && openssl x509 -req -in %s.csr -CA %s -CAkey %s -CAcreateserial -out %s.crt -days 10000 -extensions v3_ext -extfile %s-csr.conf", name, caCertPath, caKeyPath, name, name))
+ sb.WriteString(fmt.Sprintf(" && openssl x509 -req -in %s.csr -CA %s -CAkey %s -CAcreateserial -out %s.crt -days 36500 -extensions v3_ext -extfile %s-csr.conf", name, caCertPath, caKeyPath, name, name))
 sb.WriteString(fmt.Sprintf(" && rm -f %s/%s-csr.conf", savePath, name))
 sb.WriteString(fmt.Sprintf(" && rm -f %s.csr", name))
 sb.WriteString("\"")
diff --git a/pkg/utils/certs/localcerts.go b/pkg/utils/certs/localcerts.go
index 7feca10..c5fe2e5 100644
--- a/pkg/utils/certs/localcerts.go
+++ b/pkg/utils/certs/localcerts.go
@@ -151,7 +151,7 @@ func (l *LocalCertGenerator) CreateCertAndKey(caCertPath, caKeyPath string, conf
 KeyUsage: x509.KeyUsageKeyEncipherment | x509.KeyUsageDigitalSignature,
 ExtKeyUsage: config.Usages,
 NotBefore: caCert.NotBefore,
- NotAfter: time.Now().Add(time.Hour * 24 * 365).UTC(),
+ NotAfter: time.Now().Add(time.Hour * 24 * 36500).UTC(),
 }
 certBytes, err := x509.CreateCertificate(rand.Reader, &certConf, caCert, signer.Public(), caKey)
diff --git a/pkg/utils/dependency/dependency.go b/pkg/utils/dependency/dependency.go
index 1c24a2e..870b938 100644
--- a/pkg/utils/dependency/dependency.go
+++ b/pkg/utils/dependency/dependency.go
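Review bot: In the localcerts.go hunk `NotAfter` is derived from `time.Now()` with no reference to `caCert.NotAfter`, so the leaf certificate can now outlive its issuer by decades; with an externally supplied CA of ordinary lifetime this yields certificates whose own dates look fine but whose chain stops validating the moment the CA expires. Cap it at the issuer: `notAfter := time.Now().Add(time.Hour * 24 * 36500).UTC()`, `if notAfter.After(caCert.NotAfter) { notAfter = caCert.NotAfter }`, then `NotAfter: notAfter,` in the template. CreateCertAndKey begins and ends outside this hunk.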
@@ -247,6 +247,10 @@ func (dy *dependencyYaml) Install(r runner.Runner) error {
 var sb strings.Builder
 sb.WriteString(fmt.Sprintf("sudo -E /bin/sh -c \"export KUBECONFIG=%s ", dy.kubeconfig))
 for _, y := range dy.yaml {
+ if strings.HasPrefix(y.Name, "http://") || strings.HasPrefix(y.Name, "https://") {
+ sb.WriteString(fmt.Sprintf("&& kubectl apply -f %s ", y.Name))
+ continue
+ }
 sb.WriteString(fmt.Sprintf("&& kubectl apply -f %s/%s ", dy.srcPath, y.Name))
 }
 sb.WriteString("\"")
@@ -262,6 +266,10 @@ func (dy *dependencyYaml) Remove(r runner.Runner) error {
 var sb strings.Builder
 sb.WriteString(fmt.Sprintf("sudo -E /bin/sh -c \"export KUBECONFIG=%s ", dy.kubeconfig))
 for _, y := range dy.yaml {
+ if strings.HasPrefix(y.Name, "http://") || strings.HasPrefix(y.Name, "https://") {
+ sb.WriteString(fmt.Sprintf("&& kubectl delete -f %s ", y.Name))
+ continue
+ }
 sb.WriteString(fmt.Sprintf("&& kubectl delete -f %s/%s ", dy.srcPath, y.Name))
 }
 sb.WriteString("\"")
-- 2.25.1
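Review bot: A remote `y.Name` is written unvalidated into the double-quoted `sudo -E /bin/sh -c "..."` string, so a URL containing `$`, a backquote or `"` alters the command instead of reaching `kubectl`, and a plain `http://` manifest is fetched in cleartext and applied with the cluster's credentials, which lets anything on the path decide what objects get created. Parse the value with `url.Parse`, accept only `https` (or make plain http an explicit opt-in) and reject anything else before building the command; the same unquoted interpolation already applies to `dy.srcPath`/`y.Name` on the existing line, so it is not new here, but the URL branch widens the character set that can reach it. The prefix test is duplicated verbatim in the Remove hunk below; factor it into `func isRemoteYaml(name string) bool { return strings.HasPrefix(name, "http://") || strings.HasPrefix(name, "https://") }` and call it from both.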