in pkg/minikube/bootstrapper/certs.go [197:332]
func generateProfileCerts(cfg config.ClusterConfig, n config.Node, ccs CACerts, regen bool) ([]string, error) {
// Only generate these certs for the api server
if !n.ControlPlane {
return []string{}, nil
}
k8s := cfg.KubernetesConfig
profilePath := localpath.Profile(k8s.ClusterName)
serviceIP, err := util.GetServiceClusterIP(k8s.ServiceCIDR)
if err != nil {
return nil, errors.Wrap(err, "getting service cluster ip")
}
apiServerIPs := k8s.APIServerIPs
apiServerIPs = append(apiServerIPs,
net.ParseIP(n.IP), serviceIP, net.ParseIP(oci.DefaultBindIPV4), net.ParseIP("10.0.0.1"))
apiServerNames := k8s.APIServerNames
apiServerNames = append(apiServerNames, k8s.APIServerName, constants.ControlPlaneAlias)
apiServerAlternateNames := apiServerNames
apiServerAlternateNames = append(apiServerAlternateNames,
util.GetAlternateDNS(k8s.DNSDomain)...)
daemonHost := oci.DaemonHost(k8s.ContainerRuntime)
if daemonHost != oci.DefaultBindIPV4 {
daemonHostIP := net.ParseIP(daemonHost)
// if daemonHost is an IP we add it to the certificate's IPs, otherwise we assume it's an hostname and add it to the alternate names
if daemonHostIP != nil {
apiServerIPs = append(apiServerIPs, daemonHostIP)
} else {
apiServerAlternateNames = append(apiServerAlternateNames, daemonHost)
}
}
// Generate a hash input for certs that depend on ip/name combinations
hi := []string{}
hi = append(hi, apiServerAlternateNames...)
for _, ip := range apiServerIPs {
hi = append(hi, ip.String())
}
sort.Strings(hi)
specs := []struct {
certPath string
keyPath string
hash string
subject string
ips []net.IP
alternateNames []string
caCertPath string
caKeyPath string
}{
{ // Client cert
certPath: localpath.ClientCert(k8s.ClusterName),
keyPath: localpath.ClientKey(k8s.ClusterName),
subject: "minikube-user",
ips: []net.IP{},
alternateNames: []string{},
caCertPath: ccs.caCert,
caKeyPath: ccs.caKey,
},
{ // apiserver serving cert
hash: fmt.Sprintf("%x", sha1.Sum([]byte(strings.Join(hi, "/"))))[0:8],
certPath: filepath.Join(profilePath, "apiserver.crt"),
keyPath: filepath.Join(profilePath, "apiserver.key"),
subject: "minikube",
ips: apiServerIPs,
alternateNames: apiServerAlternateNames,
caCertPath: ccs.caCert,
caKeyPath: ccs.caKey,
},
{ // aggregator proxy-client cert
certPath: filepath.Join(profilePath, "proxy-client.crt"),
keyPath: filepath.Join(profilePath, "proxy-client.key"),
subject: "aggregator",
ips: []net.IP{},
alternateNames: []string{},
caCertPath: ccs.proxyCert,
caKeyPath: ccs.proxyKey,
},
}
xfer := []string{}
for _, spec := range specs {
if spec.subject != "minikube-user" {
xfer = append(xfer, spec.certPath)
xfer = append(xfer, spec.keyPath)
}
cp := spec.certPath
kp := spec.keyPath
if spec.hash != "" {
cp = cp + "." + spec.hash
kp = kp + "." + spec.hash
}
if !regen && isValid(cp, kp) {
klog.Infof("skipping %s signed cert generation: %s", spec.subject, kp)
continue
}
klog.Infof("generating %s signed cert: %s", spec.subject, kp)
if canRead(cp) {
os.Remove(cp)
}
if canRead(kp) {
os.Remove(kp)
}
err := util.GenerateSignedCert(
cp, kp, spec.subject,
spec.ips, spec.alternateNames,
spec.caCertPath, spec.caKeyPath,
cfg.CertExpiration,
)
if err != nil {
return xfer, errors.Wrapf(err, "generate signed cert for %q", spec.subject)
}
if spec.hash != "" {
klog.Infof("copying %s -> %s", cp, spec.certPath)
if err := copy.Copy(cp, spec.certPath); err != nil {
return xfer, errors.Wrap(err, "copy cert")
}
klog.Infof("copying %s -> %s", kp, spec.keyPath)
if err := copy.Copy(kp, spec.keyPath); err != nil {
return xfer, errors.Wrap(err, "copy key")
}
}
}
return xfer, nil
}