Documentation
¶
Index ¶
Constants ¶
This section is empty.
Variables ¶
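// Cmd is the "bootstrap" subcommand. It creates a Vault client, runs the token
// renewer once, requests a client certificate for the node from the PKI mount
// and role, and writes a kubeconfig embedding the private key, the certificate
// and the CA to disk.
//
// The settings it reads (vaultAddr, vaultAuth, pkiMount, pkiRole, pkiTTL,
// nodeName, groupName, signVerbatim, masterAddr, insecure, kubeconfig) are
// package-level values defined elsewhere; presumably they are bound to
// command-line flags. TODO confirm.
//
// Security notes:
//   - The kubeconfig holds the client private key in clear text, so the output
//     path must only be readable by the component that consumes it.
//     NOTE(review): clientcmd.WriteToFile is expected to create new files with
//     owner-only permissions, but a file that already exists keeps its current
//     mode. Confirm for the client-go version in use.
//   - With signVerbatim the requested group is sent by this tool rather than
//     fixed by the Vault role, so the Vault policy is the only control on which
//     groups can be requested. The role-based issue path is the safer default.
//   - insecure disables verification of the API server certificate in the
//     generated kubeconfig and should be limited to test environments.
var Cmd = &cobra.Command{
	Use:   "bootstrap",
	Short: "create bootstrap certificate using vault",
	Args:  cobra.NoArgs,
	Long:  `Create certificates with the "system:bootstrappers" group. By default the role should be pre-configured in vault in such a way that it has "O=system:bootstrappers" and can be used as a client cert. This tool then needs permissions in vault to issue a cert with that role. Alternatively this tool can use the sign-verbatim endpoint, but it is discoraged as it requires giving access to the sign-verbatim endpoint to this tool, which is a lot of power. Complete documentation of the RBAC required to have the generated certs work can be found here: https://kubernetes.io/docs/reference/command-line-tools-reference/kubelet-tls-bootstrapping/`,
	Run: func(cmd *cobra.Command, args []string) {
		client, err := api.NewClient(&api.Config{
			Address:    vaultAddr,
			MaxRetries: 10,
		})
		if err != nil {
			glog.Exitf("create vault client: %s", err)
		}

		// A single renewer pass is run before any certificate is requested.
		if err = token.NewRenewer(client, vaultAuth).RunOnce(); err != nil {
			glog.Exitf("renew vault token: %s", err)
		}

		var key, cert, ca []byte
		if signVerbatim {
			// Only this path passes groupName: the subject is chosen by the
			// caller instead of being pinned by the Vault role.
			key, cert, ca, err = bootstrap.CreateBootstrapCertWithSignVerbatim(client, pkiMount, pkiRole, pkiTTL, nodeName, groupName)
		} else {
			key, cert, ca, err = bootstrap.CreateBootstrapCertWithIssue(client, pkiMount, pkiRole, pkiTTL, nodeName)
		}
		if err != nil {
			glog.Exitf("generate bootstrap certificate: %s", err)
		}

		// client-go refuses to build a TLS configuration for a cluster entry
		// that sets both a CA bundle and insecure-skip-tls-verify, so the two
		// are mutually exclusive here. Previously both were written when
		// insecure was set, producing a kubeconfig that clients reject.
		cluster := &clientcmdapi.Cluster{Server: masterAddr}
		if insecure {
			glog.Warning("API server certificate verification is disabled in the generated kubeconfig")
			cluster.InsecureSkipTLSVerify = true
		} else {
			cluster.CertificateAuthorityData = ca
		}

		kubeconfigData := clientcmdapi.Config{
			Clusters: map[string]*clientcmdapi.Cluster{
				"default-cluster": cluster,
			},
			AuthInfos: map[string]*clientcmdapi.AuthInfo{
				"default-auth": {
					ClientCertificateData: cert,
					// Private key material: it ends up in the kubeconfig file
					// unencrypted.
					ClientKeyData: key,
				},
			},
			Contexts: map[string]*clientcmdapi.Context{
				"default-context": {
					Cluster:   "default-cluster",
					AuthInfo:  "default-auth",
					Namespace: "default",
				},
			},
			CurrentContext: "default-context",
		}

		if err = clientcmd.WriteToFile(kubeconfigData, kubeconfig); err != nil {
			glog.Exitf("write kubeconfig to disk: %s", err)
		}
	},
}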
Functions ¶
This section is empty.
Types ¶
This section is empty.