diff --git a/pkg/cert/K8sCertGenerator.go b/pkg/cert/K8sCertGenerator.go
new file mode 100644
index 0000000000000000000000000000000000000000..8f571e7c32d9d587203f236ad390f7a64afb8d1c
--- /dev/null
+++ b/pkg/cert/K8sCertGenerator.go
@@ -0,0 +1,73 @@
+/*
+Copyright 2023 KylinSoft Co., Ltd.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package cert
+
+import (
+ "crypto/x509"
+ "crypto/x509/pkix"
+)
+
+// 用于创建apiserver.crt,是kube-apiserver 对外提供服务的服务器证书及私钥
+
+func GenerateApiServer() error {
+ a := SignedCertKey{}
+
+ ca := &RootCA{} //仍需在资产管理模块完善,未来可以直接调用
+
+ cfg := &CertConfig{
+ Subject: pkix.Name{CommonName: "apiserver server", Organization: []string{"NestOS"}},
+ KeyUsages: x509.KeyUsageKeyEncipherment | x509.KeyUsageDigitalSignature,
+ ExtKeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth},
+ Validity: 3650,
+ }
+
+ return a.Generate(cfg, ca, "apiserver.crt") //这里的ca会报错,因为类型不符合原先定义的接口,需搭配资产管理修改
+}
+
+//用于创建apiserver-kubelet-client.crt,是kube-apiserver 访问 kubelet 所需的客户端证书及私钥。
+
+func GenerateApiServerToKubeletclient() error {
+ a := SignedCertKey{}
+
+ ca := &RootCA{} //仍需在资产管理模块完善,未来可以直接调用
+
+ cfg := &CertConfig{
+ Subject: pkix.Name{CommonName: "apiserver-kubelet-client", Organization: []string{"NestOS"}},
+ KeyUsages: x509.KeyUsageKeyEncipherment | x509.KeyUsageDigitalSignature,
+ ExtKeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth},
+ Validity: 3650,
+ }
+
+ return a.Generate(cfg, ca, "apiserver-kubelet-client.crt")
+}
+
+//用于创建apiserver-Etcd-client.crt,是kube-apiserver 访问 Etcd 所需的客户端证书及私钥
+func GenerateApiServerToEtcdclient() error {
+
+ a := SignedCertKey{}
+
+ ca := &RootCA{} //仍需在资产管理模块完善,未来可以直接调用
+
+ cfg := &CertConfig{
+ Subject: pkix.Name{CommonName: "apiserver-etcd-client", Organization: []string{"NestOS"}},
+ KeyUsages: x509.KeyUsageKeyEncipherment | x509.KeyUsageDigitalSignature,
+ ExtKeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth},
+ Validity: 3650,
+ }
+
+ return a.Generate(cfg, ca, "apiserver-etcd-client.crt")
+}
diff --git a/pkg/cert/cacert.go b/pkg/cert/cacert.go
index 0e1227ec01fe78f18f64d8ef22bccad3c2f8ea85..09e708f328b1d26512505a48d286a894053db9fa 100644
--- a/pkg/cert/cacert.go
+++ b/pkg/cert/cacert.go
@@ -33,5 +33,5 @@ func (c *RootCA) Generate() error {
 IsCA: true,
 }
 
- return c.SelfSignedCertKey.Generate(cfg, "rootca")
+ return c.SelfSignedCertKey.Generate(cfg, "rootca.crt")
 }
diff --git a/pkg/cert/selfsignedcert.go b/pkg/cert/selfsignedcert.go
index 91f9d4c3323f4fe576cf368724a1a3e50a326c77..aa339c70fd33e853f5adbed3065774a475be5f24 100644
--- a/pkg/cert/selfsignedcert.go
+++ b/pkg/cert/selfsignedcert.go
@@ -83,6 +83,7 @@ type SelfSignedCertKey struct {
 //自签名证书生成器,封装后该方法用于所有自签名的证书,并将证书和私钥转换格式后保存
 func (c *SelfSignedCertKey) Generate(cfg *CertConfig, filename string) error {
+ c.CertKey.SavePath = "/tmp"
 key, crt, err := GenerateSelfSignedCertificate(cfg)
 if err != nil {
 return errors.Wrap(err, "Failed to generate self-signed cert/key pair")
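Review bot: `GenerateApiServer` issues the kube-apiserver *server* certificate with `ExtKeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}`, but a TLS server certificate must carry serverAuth — Go's crypto/x509 verification (and therefore kubelet, kubectl and any other Go client) rejects a server cert whose EKU list lacks it — so this should read `ExtKeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},`, and the apiserver's DNS names and IPs should be supplied as SANs if `CertConfig` has a field for them (not visible in this hunk). The two client certificates in the other two functions are correctly clientAuth-only. All three leaf certificates use `Validity: 3650` (ten years), far longer than the one-year default common Kubernetes tooling issues; a shorter validity, preferably a single package constant, bounds how long a leaked key stays usable. The three functions differ only in CommonName and output filename and could share one private helper taking those two values, which would also let the acknowledged `ca` type mismatch be fixed in one place. Exported names should follow Go initialism casing: `GenerateAPIServer`, `GenerateAPIServerToKubeletClient`, `GenerateAPIServerToEtcdClient`.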