From f21402b93adae2162b2cf6d57dda5c3350bd9995 Mon Sep 17 00:00:00 2001
|
|
From: haozi007 <liuhao27@huawei.com>
|
|
Date: Sat, 11 Sep 2021 11:04:10 +0100
|
|
Subject: [PATCH 4/4] update cert of ca
|
|
|
|
1. support external ca;
|
|
2. default expiry time changed to 100 years;
|
|
3. support remote yaml;
|
|
|
|
Signed-off-by: haozi007 <liuhao27@huawei.com>
|
|
---
|
|
.../binary/controlplane/controlplane.go | 20 +++++++++++++++++--
|
|
.../binary/etcdcluster/etcdcerts.go | 13 ++++++++++++
|
|
pkg/utils/certs/certs.go | 4 ++--
|
|
pkg/utils/certs/localcerts.go | 2 +-
|
|
pkg/utils/dependency/dependency.go | 8 ++++++++
|
|
5 files changed, 42 insertions(+), 5 deletions(-)
|
|
|
|
diff --git a/pkg/clusterdeployment/binary/controlplane/controlplane.go b/pkg/clusterdeployment/binary/controlplane/controlplane.go
|
|
index 2296c57..9c591c4 100644
|
|
--- a/pkg/clusterdeployment/binary/controlplane/controlplane.go
|
|
+++ b/pkg/clusterdeployment/binary/controlplane/controlplane.go
|
|
@@ -284,7 +284,7 @@ func generateCerts(savePath string, cg certs.CertGenerator, ccfg *api.ClusterCon
|
|
return generateFrontProxyClientCertificate(savePath, cg)
|
|
}
|
|
|
|
-func prepareCAs(lcg certs.CertGenerator, savePath string) error {
|
|
+func prepareCAs(lcg certs.CertGenerator, savePath string, ccfg *api.ClusterConfig) error {
|
|
if _, err := lcg.RunCommand(fmt.Sprintf("mkdir -p -m 0700 %s", savePath)); err != nil {
|
|
logrus.Errorf("prepare certificates store path failed: %v", err)
|
|
return err
|
|
@@ -293,6 +293,22 @@ func prepareCAs(lcg certs.CertGenerator, savePath string) error {
|
|
if err := lcg.CreateServiceAccount(savePath); err != nil {
|
|
return err
|
|
}
|
|
+
|
|
+ if ccfg.Certificate.ExternalCA {
|
|
+ getStrCmd := func(name string) string {
|
|
+ return fmt.Sprintf("cp -f %s/%s %s/%s %s", ccfg.Certificate.ExternalCAPath, certs.GetKeyName(name),
|
|
+ ccfg.Certificate.ExternalCAPath, certs.GetCertName(name), savePath)
|
|
+ }
|
|
+
|
|
+ if _, err := lcg.RunCommand(getStrCmd(RootCAName)); err != nil {
|
|
+ return err
|
|
+ }
|
|
+
|
|
+ if _, err := lcg.RunCommand(getStrCmd(FrontProxyCAName)); err != nil {
|
|
+ return err
|
|
+ }
|
|
+ }
|
|
+
|
|
// create root ca
|
|
caConfig := &certs.CertConfig{
|
|
CommonName: "kubernetes",
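Review bot: The external-CA branch copies the CA key and certificate into savePath and then falls straight through to the `// create root ca` block at the bottom of the hunk; unless the CreateCA call that follows (outside this hunk) refuses to overwrite existing files, the operator-supplied CA is replaced by a freshly generated self-signed one, so the branch should either `return nil` after the copies or the generation below should be skipped when `ccfg.Certificate.ExternalCA` is set. `cp -f` typically carries the source file's mode into the destination, so a 0644 key in ExternalCAPath stays world-readable inside the 0700 directory; `return fmt.Sprintf("install -m 0600 %s/%s %s/%s %s", ...)` in getStrCmd pins the key mode. ExternalCAPath and savePath are also interpolated into the shell line unquoted, so a path containing whitespace or metacharacters silently changes the command; checking the two files with os.Stat before invoking the shell would give an explicit failure instead. prepareCAs begins and ends outside this hunk.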
|
|
@@ -342,7 +358,7 @@ func createAdminKubeConfigForEggo(lcg certs.CertGenerator, caPath string, savePa
|
|
func prepareCredentials(clusterName string, ccfg *api.ClusterConfig) error {
|
|
lcg := certs.NewLocalCertGenerator()
|
|
caPath := api.GetCertificateStorePath(clusterName)
|
|
- if err := prepareCAs(lcg, caPath); err != nil {
|
|
+ if err := prepareCAs(lcg, caPath, ccfg); err != nil {
|
|
return err
|
|
}
|
|
return createAdminKubeConfigForEggo(lcg, caPath, api.GetClusterHomePath(clusterName), ccfg)
|
|
diff --git a/pkg/clusterdeployment/binary/etcdcluster/etcdcerts.go b/pkg/clusterdeployment/binary/etcdcluster/etcdcerts.go
|
|
index 00f6116..29aeea7 100644
|
|
--- a/pkg/clusterdeployment/binary/etcdcluster/etcdcerts.go
|
|
+++ b/pkg/clusterdeployment/binary/etcdcluster/etcdcerts.go
|
|
@@ -17,6 +17,7 @@ package etcdcluster
|
|
|
|
import (
|
|
"crypto/x509"
|
|
+ "fmt"
|
|
"path/filepath"
|
|
|
|
"isula.org/eggo/pkg/api"
|
|
@@ -98,6 +99,18 @@ func generateCaAndApiserverEtcdCerts(ccfg *api.ClusterConfig) error {
|
|
caConfig := &certs.CertConfig{
|
|
CommonName: "etcd-ca",
|
|
}
|
|
+
|
|
+ if ccfg.Certificate.ExternalCA {
|
|
+ _, err := lcg.RunCommand(fmt.Sprintf("mkdir -p -m 0700 %s && cp -f %s/etcd/%s %s", etcdCertsPath, ccfg.Certificate.ExternalCAPath, certs.GetCertName("ca"), etcdCertsPath))
|
|
+ if err != nil {
|
|
+ return err
|
|
+ }
|
|
+ _, err = lcg.RunCommand(fmt.Sprintf("cp -f %s/etcd/%s %s", ccfg.Certificate.ExternalCAPath, certs.GetKeyName("ca"), etcdCertsPath))
|
|
+ if err != nil {
|
|
+ return err
|
|
+ }
|
|
+ }
|
|
+
|
|
if err := lcg.CreateCA(caConfig, etcdCertsPath, "ca"); err != nil {
|
|
return err
|
|
}
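Review bot: The CreateCA call right after the new block runs unconditionally, so when `ccfg.Certificate.ExternalCA` is set the just-copied `ca.crt`/`ca.key` in etcdCertsPath are regenerated immediately unless LocalCertGenerator.CreateCA is a no-op on existing files, which is not visible here; making generation the alternative branch (`} else if err := lcg.CreateCA(caConfig, etcdCertsPath, "ca"); err != nil {`) keeps the operator's CA. The key is copied with `cp -f`, which typically preserves the source's permission bits, so a readable key under ExternalCAPath stays readable in etcdCertsPath; `install -m 0600` would fix the mode as part of the copy. Both commands interpolate ExternalCAPath unquoted, and nothing checks that the copied certificate and key belong together before etcd member and apiserver-client certificates are issued from them. generateCaAndApiserverEtcdCerts continues past this hunk.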
|
|
diff --git a/pkg/utils/certs/certs.go b/pkg/utils/certs/certs.go
|
|
index 0f16f7f..e57cfe8 100644
|
|
--- a/pkg/utils/certs/certs.go
|
|
+++ b/pkg/utils/certs/certs.go
|
|
@@ -123,7 +123,7 @@ func (o *OpensshBinCertGenerator) CreateCA(config *CertConfig, savePath string,
|
|
sb.WriteString("sudo -E /bin/sh -c \"")
|
|
sb.WriteString(fmt.Sprintf("mkdir -p %s && cd %s", savePath, savePath))
|
|
sb.WriteString(fmt.Sprintf(" && openssl genrsa -out %s.key 4096", name))
|
|
- sb.WriteString(fmt.Sprintf(" && openssl req -x509 -new -nodes -key %s.key -subj \"%s\" -days 10000 -out %s.crt", name, getSubject(config), name))
|
|
+ sb.WriteString(fmt.Sprintf(" && openssl req -x509 -new -nodes -key %s.key -subj \"%s\" -days 36500 -out %s.crt", name, getSubject(config), name))
|
|
sb.WriteString("\"")
|
|
|
|
_, err := o.r.RunCommand(sb.String())
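Review bot: The CA validity is now a bare `-days 36500` embedded in the command string, and the same literal is repeated at the leaf-signing site and in LocalCertGenerator, so the three can drift apart silently; a single package constant such as `const defaultValidityDays = 36500 // ~100 years; no rotation path exists, so generated CAs are effectively permanent` used from all three places documents the trade-off once and makes the next change a one-liner. A CA that never expires means a leaked ca.key stays usable until every node is re-bootstrapped, which is worth stating in a comment next to the constant so the value is not mistaken for an oversight. CreateCA's body starts above this hunk.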
|
|
@@ -184,7 +184,7 @@ func (o *OpensshBinCertGenerator) CreateCertAndKey(caCertPath, caKeyPath string,
|
|
sb.WriteString("sudo -E /bin/sh -c \"")
|
|
sb.WriteString(fmt.Sprintf("cd %s && openssl genrsa -out %s.key 4096", savePath, name))
|
|
sb.WriteString(fmt.Sprintf(" && openssl req -new -key %s.key -out %s.csr -config %s/%s-csr.conf", name, name, savePath, name))
|
|
- sb.WriteString(fmt.Sprintf(" && openssl x509 -req -in %s.csr -CA %s -CAkey %s -CAcreateserial -out %s.crt -days 10000 -extensions v3_ext -extfile %s-csr.conf", name, caCertPath, caKeyPath, name, name))
|
|
+ sb.WriteString(fmt.Sprintf(" && openssl x509 -req -in %s.csr -CA %s -CAkey %s -CAcreateserial -out %s.crt -days 36500 -extensions v3_ext -extfile %s-csr.conf", name, caCertPath, caKeyPath, name, name))
|
|
sb.WriteString(fmt.Sprintf(" && rm -f %s/%s-csr.conf", savePath, name))
|
|
sb.WriteString(fmt.Sprintf(" && rm -f %s.csr", name))
|
|
sb.WriteString("\"")
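Review bot: Leaf certificates are now signed for 36500 days regardless of the issuing CA's own NotAfter, and `openssl x509 -req` does not clamp to it, so with an external CA (which this commit adds) a node certificate can be issued that outlives its issuer and stops validating the day the CA expires while still looking valid on its own. The lifetime should either be clamped to the CA's expiry or be much shorter and rely on rotation; passing it through CertConfig (e.g. a `ValidityDays int` field defaulting to the current value) would let operators choose short-lived node certificates without patching the generator. CreateCertAndKey's body starts above this hunk.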
|
|
diff --git a/pkg/utils/certs/localcerts.go b/pkg/utils/certs/localcerts.go
|
|
index 7feca10..c5fe2e5 100644
|
|
--- a/pkg/utils/certs/localcerts.go
|
|
+++ b/pkg/utils/certs/localcerts.go
|
|
@@ -151,7 +151,7 @@ func (l *LocalCertGenerator) CreateCertAndKey(caCertPath, caKeyPath string, conf
|
|
KeyUsage: x509.KeyUsageKeyEncipherment | x509.KeyUsageDigitalSignature,
|
|
ExtKeyUsage: config.Usages,
|
|
NotBefore: caCert.NotBefore,
|
|
- NotAfter: time.Now().Add(time.Hour * 24 * 365).UTC(),
|
|
+ NotAfter: time.Now().Add(time.Hour * 24 * 36500).UTC(),
|
|
}
|
|
|
|
certBytes, err := x509.CreateCertificate(rand.Reader, &certConf, caCert, signer.Public(), caKey)
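Review bot: `NotAfter` is now+36500 days while `NotBefore` is copied from the CA, so the leaf can extend far past `caCert.NotAfter` (certain with a shorter-lived external CA, which this commit introduces), and chain verification will reject it once the CA expires even though the leaf itself looks valid; clamp it with `notAfter := time.Now().Add(time.Hour * 24 * 36500).UTC(); if notAfter.After(caCert.NotAfter) { notAfter = caCert.NotAfter }` and assign that to the field. The 100-year duration fits in time.Duration but is far beyond the one-year default the previous line used, so a comment such as `// ~100 years: the project has no renewal tooling, so leaf certs are deliberately long-lived` would stop the next reader from reverting it. The function begins and ends outside this hunk.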
|
|
diff --git a/pkg/utils/dependency/dependency.go b/pkg/utils/dependency/dependency.go
|
|
index 1c24a2e..870b938 100644
|
|
--- a/pkg/utils/dependency/dependency.go
|
|
+++ b/pkg/utils/dependency/dependency.go
|
|
@@ -247,6 +247,10 @@ func (dy *dependencyYaml) Install(r runner.Runner) error {
|
|
var sb strings.Builder
|
|
sb.WriteString(fmt.Sprintf("sudo -E /bin/sh -c \"export KUBECONFIG=%s ", dy.kubeconfig))
|
|
for _, y := range dy.yaml {
|
|
+ if strings.HasPrefix(y.Name, "http://") || strings.HasPrefix(y.Name, "https://") {
|
|
+ sb.WriteString(fmt.Sprintf("&& kubectl apply -f %s ", y.Name))
|
|
+ continue
|
|
+ }
|
|
sb.WriteString(fmt.Sprintf("&& kubectl apply -f %s/%s ", dy.srcPath, y.Name))
|
|
}
|
|
sb.WriteString("\"")
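Review bot: A remote manifest is applied under `sudo -E /bin/sh -c "…"` with the cluster kubeconfig, but `y.Name` is interpolated into that shell string unquoted, so a value containing `"`, `$(`, a backtick or `&&` escapes into the root shell, and a plain `http://` source lets an on-path attacker supply whatever cluster resources they like. Validate before building the command, e.g. `if u, err := url.Parse(y.Name); err != nil || u.Scheme != "https" || u.Host == "" { return fmt.Errorf("unsupported manifest source %q", y.Name) }` (importing net/url), and reject names containing shell metacharacters; the local `%s/%s` path has the same quoting gap but comes from an operator-controlled config file. Install's body starts above this hunk.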
|
|
@@ -262,6 +266,10 @@ func (dy *dependencyYaml) Remove(r runner.Runner) error {
|
|
var sb strings.Builder
|
|
sb.WriteString(fmt.Sprintf("sudo -E /bin/sh -c \"export KUBECONFIG=%s ", dy.kubeconfig))
|
|
for _, y := range dy.yaml {
|
|
+ if strings.HasPrefix(y.Name, "http://") || strings.HasPrefix(y.Name, "https://") {
|
|
+ sb.WriteString(fmt.Sprintf("&& kubectl delete -f %s ", y.Name))
|
|
+ continue
|
|
+ }
|
|
sb.WriteString(fmt.Sprintf("&& kubectl delete -f %s/%s ", dy.srcPath, y.Name))
|
|
}
|
|
sb.WriteString("\"")
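Review bot: The URL-vs-local dispatch is now duplicated verbatim between Install and Remove, so any later change to one (scheme validation, quoting) will silently miss the other; the argument handed to `kubectl -f` should come from one method that both loops call. The helper below preserves the current behaviour exactly, including the unquoted `%s/%s` join, and is the single place to add validation later. Remove's body starts above this hunk.

```go
// manifestRef returns the argument handed to `kubectl apply/delete -f`:
// an absolute http(s) URL is used as-is, anything else is resolved
// relative to the dependency's srcPath.
func (dy *dependencyYaml) manifestRef(name string) string {
	if strings.HasPrefix(name, "http://") || strings.HasPrefix(name, "https://") {
		return name
	}
	return fmt.Sprintf("%s/%s", dy.srcPath, name)
}

// … in Remove, replacing the if/continue and the Sprintf that follows it …
for _, y := range dy.yaml {
	sb.WriteString(fmt.Sprintf("&& kubectl delete -f %s ", dy.manifestRef(y.Name)))
}
```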
|
|
--
|
|
2.25.1
|
|
|