kubernetes
/
kops
mirror of https://github.com/kubernetes/kops.git
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity

Merge pull request #9812 from justinsb/write_full_certificate_chain 

Support writing a full certificate chain
This commit is contained in:
Kubernetes Prow Robot 2020-08-25 22:32:02 -07:00 committed by GitHub
parent 5b80bb8147 2be21562a9
commit f8a89b54db
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
4 changed files with 22 additions and 1 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

1
nodeup/pkg/model/context.go
View File

@ -446,7 +446,6 @@ func (c *NodeupModelContext) BuildCertificateTask(ctx *fi.ModelBuilderContext, n
if err != nil { if err != nil {
return err return err
} }
p := filename p := filename
if !filepath.IsAbs(p) { if !filepath.IsAbs(p) {
p = filepath.Join(c.PathSrvKubernetes(), filename) p = filepath.Join(c.PathSrvKubernetes(), filename)

4
nodeup/pkg/model/secrets.go
View File

@ -120,6 +120,10 @@ func (b *SecretBuilder) Build(c *fi.ModelBuilderContext) error {
Subject: nodetasks.PKIXName{CommonName: "kubernetes-master"}, Subject: nodetasks.PKIXName{CommonName: "kubernetes-master"},
AlternateNames: alternateNames, AlternateNames: alternateNames,
} }
// Including the CA certificate is more correct, and is needed for e.g. AWS WebIdentity federation
issueCert.IncludeRootCertificate = true
c.AddTask(issueCert) c.AddTask(issueCert)
err := issueCert.AddFileTasks(c, b.PathSrvKubernetes(), "server", "", nil) err := issueCert.AddFileTasks(c, b.PathSrvKubernetes(), "server", "", nil)
if err != nil { if err != nil {

3
nodeup/pkg/model/tests/golden/minimal/tasks-secret.yaml
View File

@ -70,6 +70,7 @@ contents:
- api.internal.minimal.example.com - api.internal.minimal.example.com
- 100.64.0.1 - 100.64.0.1
- 127.0.0.1 - 127.0.0.1
includeRootCertificate: true
signer: ca signer: ca
subject: subject:
CommonName: kubernetes-master CommonName: kubernetes-master
@ -90,6 +91,7 @@ contents:
- api.internal.minimal.example.com - api.internal.minimal.example.com
- 100.64.0.1 - 100.64.0.1
- 127.0.0.1 - 127.0.0.1
includeRootCertificate: true
signer: ca signer: ca
subject: subject:
CommonName: kubernetes-master CommonName: kubernetes-master
@ -146,6 +148,7 @@ alternateNames:
- api.internal.minimal.example.com - api.internal.minimal.example.com
- 100.64.0.1 - 100.64.0.1
- 127.0.0.1 - 127.0.0.1
includeRootCertificate: true
signer: ca signer: ca
subject: subject:
CommonName: kubernetes-master CommonName: kubernetes-master

15
upup/pkg/fi/nodeup/nodetasks/issue_cert.go
View File

@ -54,6 +54,9 @@ type IssueCert struct {
Subject PKIXName `json:"subject"` Subject PKIXName `json:"subject"`
AlternateNames []string `json:"alternateNames,omitempty"` AlternateNames []string `json:"alternateNames,omitempty"`
// IncludeRootCertificate will force the certificate data to include the full chain, not just the leaf
IncludeRootCertificate bool `json:"includeRootCertificate,omitempty"`
cert *fi.TaskDependentResource cert *fi.TaskDependentResource
key *fi.TaskDependentResource key *fi.TaskDependentResource
ca *fi.TaskDependentResource ca *fi.TaskDependentResource
@ -160,6 +163,18 @@ func (e *IssueCert) Run(c *fi.Context) error {
keyResource.Resource = &asBytesResource{privateKey} keyResource.Resource = &asBytesResource{privateKey}
caResource.Resource = &asBytesResource{caCertificate} caResource.Resource = &asBytesResource{caCertificate}
if e.IncludeRootCertificate {
var b bytes.Buffer
if _, err := certificate.WriteTo(&b); err != nil {
return err
}
b.WriteString("\n")
if _, err := caCertificate.WriteTo(&b); err != nil {
return err
}
certResource.Resource = fi.NewBytesResource(b.Bytes())
}
return nil return nil
} }