in pkg/helpers/pki.go [73:231]
func CreatePki(pkiParams PkiParams) (*PkiKeyCertPair, *PkiKeyCertPair, *PkiKeyCertPair, *PkiKeyCertPair, *PkiKeyCertPair, []*PkiKeyCertPair, error) {
start := time.Now()
defer func(s time.Time) {
log.Debugf("pki: PKI asset creation took %s", time.Since(s))
}(start)
pkiParams.ExtraFQDNs = append(pkiParams.ExtraFQDNs, "kubernetes")
pkiParams.ExtraFQDNs = append(pkiParams.ExtraFQDNs, "kubernetes.default")
pkiParams.ExtraFQDNs = append(pkiParams.ExtraFQDNs, "kubernetes.default.svc")
pkiParams.ExtraFQDNs = append(pkiParams.ExtraFQDNs, fmt.Sprintf("kubernetes.default.svc.%s", pkiParams.ClusterDomain))
pkiParams.ExtraFQDNs = append(pkiParams.ExtraFQDNs, "kubernetes.kube-system")
pkiParams.ExtraFQDNs = append(pkiParams.ExtraFQDNs, "kubernetes.kube-system.svc")
pkiParams.ExtraFQDNs = append(pkiParams.ExtraFQDNs, fmt.Sprintf("kubernetes.kube-system.svc.%s", pkiParams.ClusterDomain))
var (
caCertificate *x509.Certificate
caPrivateKey *rsa.PrivateKey
apiServerCertificate *x509.Certificate
apiServerPrivateKey *rsa.PrivateKey
clientCertificate *x509.Certificate
clientPrivateKey *rsa.PrivateKey
kubeConfigCertificate *x509.Certificate
kubeConfigPrivateKey *rsa.PrivateKey
etcdServerCertificate *x509.Certificate
etcdServerPrivateKey *rsa.PrivateKey
etcdClientCertificate *x509.Certificate
etcdClientPrivateKey *rsa.PrivateKey
etcdPeerCertPairs []*PkiKeyCertPair
)
var group errgroup.Group
var err error
caCertificate, err = pemToCertificate(pkiParams.CaPair.CertificatePem)
if err != nil {
return nil, nil, nil, nil, nil, nil, err
}
caPrivateKey, err = pemToKey(pkiParams.CaPair.PrivateKeyPem)
if err != nil {
return nil, nil, nil, nil, nil, nil, err
}
group.Go(func() (err error) {
certPram := certParams{
commonName: "apiserver",
caCertificate: caCertificate,
caPrivateKey: caPrivateKey,
isEtcd: false,
isServer: true,
extraFQDNs: pkiParams.ExtraFQDNs,
extraIPs: pkiParams.ExtraIPs,
organization: nil,
keySize: pkiParams.PkiKeySize,
}
apiServerCertificate, apiServerPrivateKey, err = createCertificate(certPram)
return err
})
group.Go(func() (err error) {
organization := make([]string, 1)
organization[0] = "system:masters"
certPram := certParams{
commonName: "client",
caCertificate: caCertificate,
caPrivateKey: caPrivateKey,
isEtcd: false,
isServer: false,
extraFQDNs: nil,
extraIPs: nil,
organization: organization,
keySize: pkiParams.PkiKeySize,
}
clientCertificate, clientPrivateKey, err = createCertificate(certPram)
return err
})
group.Go(func() (err error) {
organization := make([]string, 1)
organization[0] = "system:masters"
certPram := certParams{
commonName: "client",
caCertificate: caCertificate,
caPrivateKey: caPrivateKey,
isEtcd: false,
isServer: false,
extraFQDNs: nil,
extraIPs: nil,
organization: organization,
keySize: pkiParams.PkiKeySize,
}
kubeConfigCertificate, kubeConfigPrivateKey, err = createCertificate(certPram)
return err
})
group.Go(func() (err error) {
certPram := certParams{
commonName: "etcdserver",
caCertificate: caCertificate,
caPrivateKey: caPrivateKey,
isEtcd: true,
isServer: true,
extraFQDNs: nil,
extraIPs: pkiParams.ExtraIPs,
organization: nil,
keySize: pkiParams.PkiKeySize,
}
etcdServerCertificate, etcdServerPrivateKey, err = createCertificate(certPram)
return err
})
group.Go(func() (err error) {
certPram := certParams{
commonName: "etcdclient",
caCertificate: caCertificate,
caPrivateKey: caPrivateKey,
isEtcd: true,
isServer: false,
extraFQDNs: nil,
extraIPs: pkiParams.ExtraIPs,
organization: nil,
keySize: pkiParams.PkiKeySize,
}
etcdClientCertificate, etcdClientPrivateKey, err = createCertificate(certPram)
return err
})
etcdPeerCertPairs = make([]*PkiKeyCertPair, pkiParams.MasterCount)
for i := 0; i < pkiParams.MasterCount; i++ {
i := i
group.Go(func() (err error) {
certPram := certParams{
commonName: "etcdpeer",
caCertificate: caCertificate,
caPrivateKey: caPrivateKey,
isEtcd: true,
isServer: false,
extraFQDNs: nil,
extraIPs: pkiParams.ExtraIPs,
organization: nil,
keySize: pkiParams.PkiKeySize,
}
etcdPeerCertificate, etcdPeerPrivateKey, err := createCertificate(certPram)
etcdPeerCertPairs[i] = &PkiKeyCertPair{CertificatePem: string(certificateToPem(etcdPeerCertificate.Raw)), PrivateKeyPem: string(privateKeyToPem(etcdPeerPrivateKey))}
return err
})
}
if err := group.Wait(); err != nil {
return nil, nil, nil, nil, nil, nil, err
}
return &PkiKeyCertPair{CertificatePem: string(certificateToPem(apiServerCertificate.Raw)), PrivateKeyPem: string(privateKeyToPem(apiServerPrivateKey))},
&PkiKeyCertPair{CertificatePem: string(certificateToPem(clientCertificate.Raw)), PrivateKeyPem: string(privateKeyToPem(clientPrivateKey))},
&PkiKeyCertPair{CertificatePem: string(certificateToPem(kubeConfigCertificate.Raw)), PrivateKeyPem: string(privateKeyToPem(kubeConfigPrivateKey))},
&PkiKeyCertPair{CertificatePem: string(certificateToPem(etcdServerCertificate.Raw)), PrivateKeyPem: string(privateKeyToPem(etcdServerPrivateKey))},
&PkiKeyCertPair{CertificatePem: string(certificateToPem(etcdClientCertificate.Raw)), PrivateKeyPem: string(privateKeyToPem(etcdClientPrivateKey))},
etcdPeerCertPairs,
nil
}