mirror of https://github.com/kubernetes/kops.git
Remove dead code
This commit is contained in:
John Gardiner Myers
parent
8768178082
commit
e0c32a3fae
|
|
@ -182,7 +182,6 @@ k8s.io/kops/upup/pkg/fi/cloudup/terraform
|
|||
k8s.io/kops/upup/pkg/fi/cloudup/vsphere
|
||||
k8s.io/kops/upup/pkg/fi/cloudup/vspheretasks
|
||||
k8s.io/kops/upup/pkg/fi/fitasks
|
||||
k8s.io/kops/upup/pkg/fi/k8sapi
|
||||
k8s.io/kops/upup/pkg/fi/loader
|
||||
k8s.io/kops/upup/pkg/fi/nodeup
|
||||
k8s.io/kops/upup/pkg/fi/nodeup/cloudinit
|
||||
|
|
|
|||
|
|
@ -1,21 +0,0 @@
|
|||
load("@io_bazel_rules_go//go:def.bzl", "go_library")
|
||||
|
||||
go_library(
|
||||
name = "go_default_library",
|
||||
srcs = [
|
||||
"cert_secret.go",
|
||||
"k8s_keystore.go",
|
||||
],
|
||||
importpath = "k8s.io/kops/upup/pkg/fi/k8sapi",
|
||||
visibility = ["//visibility:public"],
|
||||
deps = [
|
||||
"//pkg/pki:go_default_library",
|
||||
"//upup/pkg/fi:go_default_library",
|
||||
"//util/pkg/vfs:go_default_library",
|
||||
"//vendor/k8s.io/api/core/v1:go_default_library",
|
||||
"//vendor/k8s.io/apimachinery/pkg/api/errors:go_default_library",
|
||||
"//vendor/k8s.io/apimachinery/pkg/apis/meta/v1:go_default_library",
|
||||
"//vendor/k8s.io/client-go/kubernetes:go_default_library",
|
||||
"//vendor/k8s.io/klog:go_default_library",
|
||||
],
|
||||
)
|
||||
|
|
@ -1,87 +0,0 @@
|
|||
/*
|
||||
Copyright 2019 The Kubernetes Authors.
|
||||
|
||||
Licensed under the Apache License, Version 2.0 (the "License");
|
||||
you may not use this file except in compliance with the License.
|
||||
You may obtain a copy of the License at
|
||||
|
||||
http://www.apache.org/licenses/LICENSE-2.0
|
||||
|
||||
Unless required by applicable law or agreed to in writing, software
|
||||
distributed under the License is distributed on an "AS IS" BASIS,
|
||||
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
||||
See the License for the specific language governing permissions and
|
||||
limitations under the License.
|
||||
*/
|
||||
|
||||
package k8sapi
|
||||
|
||||
import (
|
||||
"fmt"
|
||||
|
||||
v1 "k8s.io/api/core/v1"
|
||||
"k8s.io/kops/pkg/pki"
|
||||
)
|
||||
|
||||
// KeypairSecret is a wrapper around a k8s Secret object that holds a TLS keypair
|
||||
type KeypairSecret struct {
|
||||
Namespace string
|
||||
Name string
|
||||
|
||||
Certificate *pki.Certificate
|
||||
PrivateKey *pki.PrivateKey
|
||||
}
|
||||
|
||||
// ParseKeypairSecret parses the secret object, decoding the certificate & private-key, if present
|
||||
func ParseKeypairSecret(secret *v1.Secret) (*KeypairSecret, error) {
|
||||
k := &KeypairSecret{}
|
||||
k.Namespace = secret.Namespace
|
||||
k.Name = secret.Name
|
||||
|
||||
certData := secret.Data[v1.TLSCertKey]
|
||||
if certData != nil {
|
||||
cert, err := pki.ParsePEMCertificate(certData)
|
||||
if err != nil {
|
||||
return nil, fmt.Errorf("error parsing certificate in %s/%s: %q", k.Namespace, k.Name, err)
|
||||
}
|
||||
k.Certificate = cert
|
||||
}
|
||||
keyData := secret.Data[v1.TLSPrivateKeyKey]
|
||||
if keyData != nil {
|
||||
key, err := pki.ParsePEMPrivateKey(keyData)
|
||||
if err != nil {
|
||||
return nil, fmt.Errorf("error parsing key in %s/%s: %q", k.Namespace, k.Name, err)
|
||||
}
|
||||
k.PrivateKey = key
|
||||
}
|
||||
|
||||
return k, nil
|
||||
}
|
||||
|
||||
// Encode maps a KeypairSecret into a k8s Secret
|
||||
func (k *KeypairSecret) Encode() (*v1.Secret, error) {
|
||||
secret := &v1.Secret{}
|
||||
secret.Namespace = k.Namespace
|
||||
secret.Name = k.Name
|
||||
secret.Type = v1.SecretTypeTLS
|
||||
|
||||
secret.Data = make(map[string][]byte)
|
||||
|
||||
if k.Certificate != nil {
|
||||
data, err := k.Certificate.AsBytes()
|
||||
if err != nil {
|
||||
return nil, err
|
||||
}
|
||||
secret.Data[v1.TLSCertKey] = data
|
||||
}
|
||||
|
||||
if k.PrivateKey != nil {
|
||||
data, err := k.PrivateKey.AsBytes()
|
||||
if err != nil {
|
||||
return nil, err
|
||||
}
|
||||
secret.Data[v1.TLSPrivateKeyKey] = data
|
||||
}
|
||||
|
||||
return secret, nil
|
||||
}
|
||||
|
|
@ -1,158 +0,0 @@
|
|||
/*
|
||||
Copyright 2019 The Kubernetes Authors.
|
||||
|
||||
Licensed under the Apache License, Version 2.0 (the "License");
|
||||
you may not use this file except in compliance with the License.
|
||||
You may obtain a copy of the License at
|
||||
|
||||
http://www.apache.org/licenses/LICENSE-2.0
|
||||
|
||||
Unless required by applicable law or agreed to in writing, software
|
||||
distributed under the License is distributed on an "AS IS" BASIS,
|
||||
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
||||
See the License for the specific language governing permissions and
|
||||
limitations under the License.
|
||||
*/
|
||||
|
||||
package k8sapi
|
||||
|
||||
import (
|
||||
"context"
|
||||
"crypto/x509"
|
||||
"fmt"
|
||||
"math/big"
|
||||
"time"
|
||||
|
||||
v1 "k8s.io/api/core/v1"
|
||||
apierrors "k8s.io/apimachinery/pkg/api/errors"
|
||||
metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
|
||||
"k8s.io/client-go/kubernetes"
|
||||
"k8s.io/klog"
|
||||
"k8s.io/kops/pkg/pki"
|
||||
"k8s.io/kops/upup/pkg/fi"
|
||||
"k8s.io/kops/util/pkg/vfs"
|
||||
)
|
||||
|
||||
type KubernetesKeystore struct {
|
||||
client kubernetes.Interface
|
||||
namespace string
|
||||
|
||||
//mutex sync.Mutex
|
||||
//cacheCaCertificates *certificates
|
||||
//cacheCaPrivateKeys *privateKeys
|
||||
}
|
||||
|
||||
var _ fi.Keystore = &KubernetesKeystore{}
|
||||
|
||||
func NewKubernetesKeystore(client kubernetes.Interface, namespace string) fi.Keystore {
|
||||
c := &KubernetesKeystore{
|
||||
client: client,
|
||||
namespace: namespace,
|
||||
}
|
||||
|
||||
return c
|
||||
}
|
||||
|
||||
func (c *KubernetesKeystore) issueCert(signer string, id string, serial *big.Int, privateKey *pki.PrivateKey, template *x509.Certificate) (*pki.Certificate, error) {
|
||||
klog.Infof("Issuing new certificate: %q", id)
|
||||
|
||||
template.SerialNumber = serial
|
||||
|
||||
caCert, caKey, _, err := c.FindKeypair(signer)
|
||||
if err != nil {
|
||||
return nil, err
|
||||
}
|
||||
|
||||
if caCert == nil || caCert.Certificate == nil || caKey == nil || caKey.Key == nil {
|
||||
return nil, fmt.Errorf("CA keypair was not found; cannot issue certificates")
|
||||
}
|
||||
|
||||
cert, err := pki.SignNewCertificate(privateKey, template, caCert.Certificate, caKey)
|
||||
if err != nil {
|
||||
return nil, err
|
||||
}
|
||||
|
||||
err = c.StoreKeypair(id, cert, privateKey)
|
||||
if err != nil {
|
||||
return nil, err
|
||||
}
|
||||
|
||||
return cert, nil
|
||||
}
|
||||
|
||||
func (c *KubernetesKeystore) findSecret(ctx context.Context, id string) (*v1.Secret, error) {
|
||||
secret, err := c.client.CoreV1().Secrets(c.namespace).Get(ctx, id, metav1.GetOptions{})
|
||||
if err != nil {
|
||||
if apierrors.IsNotFound(err) {
|
||||
return nil, nil
|
||||
}
|
||||
return nil, fmt.Errorf("error reading secret %s/%s from kubernetes: %v", c.namespace, id, err)
|
||||
}
|
||||
return secret, nil
|
||||
}
|
||||
|
||||
func (c *KubernetesKeystore) FindKeypair(id string) (*pki.Certificate, *pki.PrivateKey, fi.KeysetFormat, error) {
|
||||
ctx := context.TODO()
|
||||
|
||||
secret, err := c.findSecret(ctx, id)
|
||||
if err != nil {
|
||||
return nil, nil, "", err
|
||||
}
|
||||
|
||||
if secret == nil {
|
||||
return nil, nil, "", nil
|
||||
}
|
||||
|
||||
keypair, err := ParseKeypairSecret(secret)
|
||||
if err != nil {
|
||||
return nil, nil, "", fmt.Errorf("error parsing secret %s/%s from kubernetes: %v", c.namespace, id, err)
|
||||
}
|
||||
|
||||
return keypair.Certificate, keypair.PrivateKey, fi.KeysetFormatV1Alpha2, nil
|
||||
}
|
||||
|
||||
func (c *KubernetesKeystore) CreateKeypair(signer string, id string, template *x509.Certificate, privateKey *pki.PrivateKey) (*pki.Certificate, error) {
|
||||
t := time.Now().UnixNano()
|
||||
serial := pki.BuildPKISerial(t)
|
||||
|
||||
cert, err := c.issueCert(signer, id, serial, privateKey, template)
|
||||
if err != nil {
|
||||
return nil, err
|
||||
}
|
||||
|
||||
return cert, nil
|
||||
}
|
||||
|
||||
func (c *KubernetesKeystore) StoreKeypair(id string, cert *pki.Certificate, privateKey *pki.PrivateKey) error {
|
||||
ctx := context.TODO()
|
||||
|
||||
keypair := &KeypairSecret{
|
||||
Namespace: c.namespace,
|
||||
Name: id,
|
||||
Certificate: cert,
|
||||
PrivateKey: privateKey,
|
||||
}
|
||||
|
||||
secret, err := keypair.Encode()
|
||||
if err != nil {
|
||||
return fmt.Errorf("error encoding keypair: %+v err: %s", keypair, err)
|
||||
}
|
||||
createdSecret, err := c.client.CoreV1().Secrets(c.namespace).Create(ctx, secret, metav1.CreateOptions{})
|
||||
if err != nil {
|
||||
return fmt.Errorf("error creating secret %s/%s: %v", secret.Namespace, secret.Name, err)
|
||||
}
|
||||
|
||||
created, err := ParseKeypairSecret(createdSecret)
|
||||
if err != nil {
|
||||
return fmt.Errorf("created secret did not round-trip (%s/%s): %v", c.namespace, id, err)
|
||||
}
|
||||
if created == nil || created.Certificate == nil || created.PrivateKey == nil {
|
||||
return fmt.Errorf("created secret did not round-trip (%s/%s): could not read back", c.namespace, id)
|
||||
}
|
||||
|
||||
return err
|
||||
}
|
||||
|
||||
func (c *KubernetesKeystore) MirrorTo(dest vfs.Path) error {
|
||||
return fmt.Errorf("KubernetesKeystore does not implement MirrorTo")
|
||||
}
|
||||
Loading…
Reference in New Issue