pki

package

v0.0.0-...-5fb8a3f Latest Latest Go to latest Published: Sep 30, 2024 License: Apache-2.0 Imports: 16 Imported by: 0

Details

Valid go.mod file
Redistributable license
Tagged version
Stable version
Learn more about best practices

Repository

Documentation ¶

Overview ¶

package pki builds upon osbase/pki/ to provide an etcd-backed implementation of all x509 PKI Certificates/CAs required to run Kubernetes. Most elements of the PKI are 'static' long-standing certificates/credentials stored within etcd. However, this package also provides a method to generate 'volatile' (in-memory) certificates/credentials for per-node Kubelets and any client certificates.

Index ¶

Variables
func Kubeconfig(ctx context.Context, kv clientv3.KV, c *opki.Certificate, ...) ([]byte, error)
func KubeconfigRaw(cacert, cert []byte, priv ed25519.PrivateKey, endpoint KubernetesAPIEndpoint) ([]byte, error)
type KubeCertificateName
type KubernetesAPIEndpoint
type PKI
- func FromLocalConsensus(ctx context.Context, svc consensus.ServiceHandle) (*PKI, error)
- func New(kv clientv3.KV, clusterDomain string) *PKI

Constants ¶

This section is empty.

Variables ¶

View Source

var (
	// KubernetesAPIEndpointForWorker points Kubernetes workers to connect to a
	// locally-running apiproxy, which in turn loadbalances the connection to
	// controller nodes running in the cluster.
	KubernetesAPIEndpointForWorker = KubernetesAPIEndpoint(fmt.Sprintf("https://127.0.0.1:%d", common.KubernetesWorkerLocalAPIPort))
	// KubernetesAPIEndpointForController points Kubernetes controllers to connect to
	// the locally-running API server.
	KubernetesAPIEndpointForController = KubernetesAPIEndpoint(fmt.Sprintf("https://127.0.0.1:%d", common.KubernetesAPIPort))
)

Functions ¶

func Kubeconfig ¶

func Kubeconfig(ctx context.Context, kv clientv3.KV, c *opki.Certificate, endpoint KubernetesAPIEndpoint) ([]byte, error)

Kubeconfig generates a kubeconfig blob for this certificate. The same lifetime semantics as in .Ensure apply.

func KubeconfigRaw ¶

func KubeconfigRaw(cacert, cert []byte, priv ed25519.PrivateKey, endpoint KubernetesAPIEndpoint) ([]byte, error)

KubeconfigRaw emits a Kubeconfig for a given set of certificates, private key, and a KubernetesAPIEndpoint. This function does not rely on the rest of the (K)PKI infrastructure.

Types ¶

type KubeCertificateName ¶

type KubeCertificateName string

KubeCertificateName is an enum-like unique name of a static Kubernetes certificate. The value of the name is used as the unique part of an etcd path where the certificate and key are stored.

const (
	// The main Kubernetes CA, used to authenticate API consumers, and servers.
	IdCA KubeCertificateName = "id-ca"

	// Kubernetes apiserver server certificate.
	APIServer KubeCertificateName = "apiserver"

	// APIServer client certificate used to authenticate to kubelets.
	APIServerKubeletClient KubeCertificateName = "apiserver-kubelet-client"

	// Kubernetes Controller manager client certificate, used to authenticate
	// to the apiserver.
	ControllerManagerClient KubeCertificateName = "controller-manager-client"
	// Kubernetes Controller manager server certificate, used to run its HTTP
	// server.
	ControllerManager KubeCertificateName = "controller-manager"

	// Kubernetes Scheduler client certificate, used to authenticate to the apiserver.
	SchedulerClient KubeCertificateName = "scheduler-client"
	// Kubernetes scheduler server certificate, used to run its HTTP server.
	Scheduler KubeCertificateName = "scheduler"

	// Root-on-kube (system:masters) client certificate. Used to control the
	// apiserver (and resources) by Metropolis internally.
	Master KubeCertificateName = "master"

	// OpenAPI Kubernetes Aggregation CA.
	//   https://kubernetes.io/docs/tasks/extend-kubernetes/configure-aggregation-layer/#ca-reusage-and-conflicts
	AggregationCA    KubeCertificateName = "aggregation-ca"
	FrontProxyClient KubeCertificateName = "front-proxy-client"
	// The Metropolis authentication proxy needs to be able to proxy requests
	// and assert the established identity to the Kubernetes API server.
	MetropolisAuthProxyClient KubeCertificateName = "metropolis-auth-proxy-client"
)

type KubernetesAPIEndpoint ¶

type KubernetesAPIEndpoint string

A KubernetesAPIEndpoint describes where a Kubeconfig will make a client attempt to connect to reach the Kubernetes apiservers(s).

type PKI ¶

type PKI struct {
	KV           clientv3.KV
	Certificates map[KubeCertificateName]*opki.Certificate
	// contains filtered or unexported fields
}

PKI manages all PKI resources required to run Kubernetes on Metropolis. It contains all static certificates, which can be retrieved, or be used to generate Kubeconfigs from.

func FromLocalConsensus ¶

func FromLocalConsensus(ctx context.Context, svc consensus.ServiceHandle) (*PKI, error)

FromLocalConsensus returns a PKI stored on the given local consensus instance, in the correct etcd namespace.

func New ¶

func New(kv clientv3.KV, clusterDomain string) *PKI

func (*PKI) CSIProvisioner ¶

func (k *PKI) CSIProvisioner(ctx context.Context, name string, pubkey ed25519.PublicKey) (client *opki.Certificate, err error)

CSIProvisioner returns a certificate to be used by the CSI provisioner running on a worker node.

func (*PKI) Certificate ¶

func (k *PKI) Certificate(ctx context.Context, name KubeCertificateName) (cert, key []byte, err error)

Certificate retrieves an x509 DER-encoded (but not PEM-wrapped) key and certificate for a given certificate name. If the requested certificate is volatile, it will be created on demand. Otherwise it will be created on etcd (if not present), and retrieved from there.

func (*PKI) EnsureAll ¶

func (k *PKI) EnsureAll(ctx context.Context) error

EnsureAll ensures that all static certificates (and the serviceaccount key) are present on etcd.

func (*PKI) Kubeconfig ¶

func (k *PKI) Kubeconfig(ctx context.Context, name KubeCertificateName, endpoint KubernetesAPIEndpoint) ([]byte, error)

Kubeconfig generates a kubeconfig blob for a given certificate name. The same lifetime semantics as in .Certificate apply.

func (*PKI) Kubelet ¶

func (k *PKI) Kubelet(ctx context.Context, name string, pubkey ed25519.PublicKey) (server *opki.Certificate, client *opki.Certificate, err error)

Kubelet returns a pair of server/client ceritficates for the Kubelet to use.

func (*PKI) NetServices ¶

func (k *PKI) NetServices(ctx context.Context, name string, pubkey ed25519.PublicKey) (client *opki.Certificate, err error)

NetServices returns a certificate to be used by nfproxy and clusternet running on a worker node.

func (*PKI) ServiceAccountKey ¶

func (k *PKI) ServiceAccountKey(ctx context.Context) ([]byte, error)

ServiceAccountKey retrieves (and possibly generates and stores on etcd) the Kubernetes service account key. The returned data is ready to be used by Kubernetes components (in PKIX form).

func (*PKI) VolatileClient ¶

func (k *PKI) VolatileClient(ctx context.Context, identity string, groups []string) (*opki.Certificate, error)

VolatileClient returns a client certificate for Kubernetes clients to use. The generated certificate will place the user in the given groups, and with a given identiy as the certificate's CN.

Source Files ¶

View all Source files

kubernetes.go

?	: This menu
/	: Search site
f or F	: Jump to
y or Y	: Canonical URL