Merge pull request #9812 from justinsb/write_full_certificate_chain

Support writing a full certificate chain
2020-08-25 22:32:02 -07:00 · 2020-08-25 22:32:02 -07:00 · f8a89b54db
parent 5b80bb8147 2be21562a9
commit f8a89b54db
4 changed files with 22 additions and 1 deletions
--- a/nodeup/pkg/model/context.go
+++ b/nodeup/pkg/model/context.go
@ -446,7 +446,6 @@ func (c *NodeupModelContext) BuildCertificateTask(ctx *fi.ModelBuilderContext, n
 	if err != nil {
 		return err
 	}
-
 	p := filename
 	if !filepath.IsAbs(p) {
 		p = filepath.Join(c.PathSrvKubernetes(), filename)
--- a/nodeup/pkg/model/secrets.go
+++ b/nodeup/pkg/model/secrets.go
@ -120,6 +120,10 @@ func (b *SecretBuilder) Build(c *fi.ModelBuilderContext) error {
 			Subject:        nodetasks.PKIXName{CommonName: "kubernetes-master"},
 			AlternateNames: alternateNames,
 		}
+
+		// Including the CA certificate is more correct, and is needed for e.g. AWS WebIdentity federation
+		issueCert.IncludeRootCertificate = true
+
 		c.AddTask(issueCert)
 		err := issueCert.AddFileTasks(c, b.PathSrvKubernetes(), "server", "", nil)
 		if err != nil {
--- a/nodeup/pkg/model/tests/golden/minimal/tasks-secret.yaml
+++ b/nodeup/pkg/model/tests/golden/minimal/tasks-secret.yaml
@ -70,6 +70,7 @@ contents:
    - api.internal.minimal.example.com
    - 100.64.0.1
    - 127.0.0.1
+    includeRootCertificate: true
    signer: ca
    subject:
      CommonName: kubernetes-master
@ -90,6 +91,7 @@ contents:
    - api.internal.minimal.example.com
    - 100.64.0.1
    - 127.0.0.1
+    includeRootCertificate: true
    signer: ca
    subject:
      CommonName: kubernetes-master
@ -146,6 +148,7 @@ alternateNames:
 - api.internal.minimal.example.com
 - 100.64.0.1
 - 127.0.0.1
+includeRootCertificate: true
 signer: ca
 subject:
  CommonName: kubernetes-master
--- a/upup/pkg/fi/nodeup/nodetasks/issue_cert.go
+++ b/upup/pkg/fi/nodeup/nodetasks/issue_cert.go
@ -54,6 +54,9 @@ type IssueCert struct {
 	Subject        PKIXName `json:"subject"`
 	AlternateNames []string `json:"alternateNames,omitempty"`

+	// IncludeRootCertificate will force the certificate data to include the full chain, not just the leaf
+	IncludeRootCertificate bool `json:"includeRootCertificate,omitempty"`
+
 	cert *fi.TaskDependentResource
 	key  *fi.TaskDependentResource
 	ca   *fi.TaskDependentResource
@ -160,6 +163,18 @@ func (e *IssueCert) Run(c *fi.Context) error {
 	keyResource.Resource = &asBytesResource{privateKey}
 	caResource.Resource = &asBytesResource{caCertificate}

+	if e.IncludeRootCertificate {
+		var b bytes.Buffer
+		if _, err := certificate.WriteTo(&b); err != nil {
+			return err
+		}
+		b.WriteString("\n")
+		if _, err := caCertificate.WriteTo(&b); err != nil {
+			return err
+		}
+		certResource.Resource = fi.NewBytesResource(b.Bytes())
+	}
+
 	return nil
 }