master.go

package pki

import (
	"net"

	"forge.tedomum.net/acides/hepto/hepto/pkg/pekahi"
)

// Master certs
type MasterCerts struct {
	// Certificate for exposing the apiserver
	TLS *pekahi.Certificate
	// Certificate for signing tokens
	Tokens *pekahi.Certificate
	// Certificate for authenticating against kubelets
	Kubelet *pekahi.Certificate
	// Service certificate for the controller manager
	ControllersTLS *pekahi.Certificate
	// API client certificate for the controller manager
	ControllersAPI *pekahi.Certificate
	// API client certificate for the scheduler
	SchedulerAPI *pekahi.Certificate
	// Root access to the API server
	RootClient *pekahi.Certificate
}

func NewMasterCerts(path string, ip net.IP) (*MasterCerts, error) {
	bundle, err := pekahi.NewFileBundle(path)
	if err != nil {
		return nil, err
	}
	// TLS certificate
	tlsCert, err := bundle.GetCertOrCSR("tls",
		pekahi.NewServerTemplate([]string{"apiserver"}, []net.IP{ip}),
	)
	if err != nil {
		return nil, err
	}
	// Tokens key
	tokenKey, err := bundle.GetCertWithKey("tokens")
	if err != nil {
		return nil, err
	}
	// Kubelet certificate
	kubeletCert, err := bundle.GetCertOrCSR("kubelet",
		pekahi.NewClientTemplate("apiserver", ""),
	)
	if err != nil {
		return nil, err
	}
	// Controller manager certificate
	controllersTLSCert, err := bundle.GetCertOrCSR("controllers-tls",
		pekahi.NewServerTemplate([]string{"controllers"}, []net.IP{ip}),
	)
	if err != nil {
		return nil, err
	}
	// Controller manager API client certificate
	controllersAPICert, err := bundle.GetCertOrCSR("controllers-api",
		pekahi.NewClientTemplate("system:kube-controller-manager", ""),
	)
	if err != nil {
		return nil, err
	}
	// Scheduler API client certificate
	schedulerAPICert, err := bundle.GetCertOrCSR("scheduler-api",
		pekahi.NewClientTemplate("system:kube-scheduler", ""),
	)
	if err != nil {
		return nil, err
	}
	// Root client certificate
	rootClientCert, err := bundle.GetCertOrCSR("root",
		pekahi.NewClientTemplate("root", "system:masters"),
	)
	return &MasterCerts{
		TLS:            tlsCert,
		Tokens:         tokenKey,
		Kubelet:        kubeletCert,
		ControllersTLS: controllersTLSCert,
		ControllersAPI: controllersAPICert,
		SchedulerAPI:   schedulerAPICert,
		RootClient:     rootClientCert,
	}, nil
}

func (ca *ClusterCA) SignMasterCerts(m *MasterCerts) {
	signCert(ca.TLS, m.TLS, pekahi.NewServerTemplate(m.TLS.CSR.DNSNames, m.TLS.CSR.IPAddresses))
	signCert(ca.Kubelet, m.Kubelet, pekahi.NewClientTemplate(m.Kubelet.CSR.Subject.CommonName, ""))
	signCert(ca.TLS, m.ControllersTLS, pekahi.NewServerTemplate(m.ControllersTLS.CSR.DNSNames, m.ControllersTLS.CSR.IPAddresses))
	signCert(ca.API, m.ControllersAPI, pekahi.NewClientTemplate(m.ControllersAPI.CSR.Subject.CommonName, ""))
	signCert(ca.API, m.SchedulerAPI, pekahi.NewClientTemplate(m.SchedulerAPI.CSR.Subject.CommonName, ""))
	signCert(ca.API, m.RootClient, pekahi.NewClientTemplate(m.RootClient.CSR.Subject.CommonName, "system:masters"))
}