talos
152 строки · 4.1 Кб
1// This Source Code Form is subject to the terms of the Mozilla Public
2// License, v. 2.0. If a copy of the MPL was not distributed with this
3// file, You can obtain one at http://mozilla.org/MPL/2.0/.
4
5package kubeconfig
6
7import (
8"bytes"
9stdlibx509 "crypto/x509"
10"encoding/base64"
11"fmt"
12"io"
13"net/url"
14"text/template"
15"time"
16
17"github.com/siderolabs/crypto/x509"
18"github.com/siderolabs/gen/xslices"
19
20"github.com/siderolabs/talos/pkg/machinery/config/config"
21)
22
23const kubeConfigTemplate = `apiVersion: v1
24kind: Config
25clusters:
26- name: {{ .ClusterName }}
27cluster:
28server: {{ .Endpoint }}
29certificate-authority-data: {{ .CACert | base64Encode }}
30users:
31- name: {{ .Username }}@{{ .ClusterName }}
32user:
33client-certificate-data: {{ .ClientCert | base64Encode }}
34client-key-data: {{ .ClientKey | base64Encode }}
35contexts:
36- context:
37cluster: {{ .ClusterName }}
38namespace: default
39user: {{ .Username }}@{{ .ClusterName }}
40name: {{ .ContextName }}@{{ .ClusterName }}
41current-context: {{ .ContextName }}@{{ .ClusterName }}
42`
43
44// GenerateAdminInput is the interface for the GenerateAdmin function.
45//
46// This interface is implemented by config.Cluster().
47type GenerateAdminInput interface {
48Name() string
49Endpoint() *url.URL
50IssuingCA() *x509.PEMEncodedCertificateAndKey
51AcceptedCAs() []*x509.PEMEncodedCertificate
52AdminKubeconfig() config.AdminKubeconfig
53}
54
55// GenerateAdmin generates admin kubeconfig for the cluster.
56func GenerateAdmin(config GenerateAdminInput, out io.Writer) error {
57acceptedCAs := config.AcceptedCAs()
58
59if config.IssuingCA() != nil {
60acceptedCAs = append(acceptedCAs, &x509.PEMEncodedCertificate{Crt: config.IssuingCA().Crt})
61}
62
63return Generate(
64&GenerateInput{
65ClusterName: config.Name(),
66IssuingCA: config.IssuingCA(),
67AcceptedCAs: acceptedCAs,
68CertificateLifetime: config.AdminKubeconfig().CertLifetime(),
69
70CommonName: config.AdminKubeconfig().CommonName(),
71Organization: config.AdminKubeconfig().CertOrganization(),
72
73Endpoint: config.Endpoint().String(),
74Username: "admin",
75ContextName: "admin",
76},
77out,
78)
79}
80
81// GenerateInput are input parameters for Generate.
82type GenerateInput struct {
83ClusterName string
84
85IssuingCA *x509.PEMEncodedCertificateAndKey
86AcceptedCAs []*x509.PEMEncodedCertificate
87CertificateLifetime time.Duration
88
89CommonName string
90Organization string
91
92Endpoint string
93Username string
94ContextName string
95}
96
97const allowedTimeSkew = 10 * time.Second
98
99// Generate a kubeconfig for the cluster from the given Input.
100func Generate(in *GenerateInput, out io.Writer) error {
101tpl, err := template.New("kubeconfig").Funcs(template.FuncMap{
102"base64Encode": base64Encode,
103}).Parse(kubeConfigTemplate)
104if err != nil {
105return fmt.Errorf("error parsing kubeconfig template: %w", err)
106}
107
108k8sCA, err := x509.NewCertificateAuthorityFromCertificateAndKey(in.IssuingCA)
109if err != nil {
110return fmt.Errorf("error getting Kubernetes CA: %w", err)
111}
112
113clientCert, err := x509.NewKeyPair(k8sCA,
114x509.CommonName(in.CommonName),
115x509.Organization(in.Organization),
116x509.NotBefore(time.Now().Add(-allowedTimeSkew)),
117x509.NotAfter(time.Now().Add(in.CertificateLifetime)),
118x509.KeyUsage(stdlibx509.KeyUsageDigitalSignature|stdlibx509.KeyUsageKeyEncipherment),
119x509.ExtKeyUsage([]stdlibx509.ExtKeyUsage{
120stdlibx509.ExtKeyUsageClientAuth,
121}),
122)
123if err != nil {
124return fmt.Errorf("error generating Kubernetes client certificate: %w", err)
125}
126
127clientCertPEM := x509.NewCertificateAndKeyFromKeyPair(clientCert)
128
129serverCAs := bytes.Join(xslices.Map(in.AcceptedCAs, func(ca *x509.PEMEncodedCertificate) []byte { return ca.Crt }), nil)
130
131return tpl.Execute(out, struct {
132GenerateInput
133
134CACert string
135ClientCert string
136ClientKey string
137}{
138GenerateInput: *in,
139CACert: string(serverCAs),
140ClientCert: string(clientCertPEM.Crt),
141ClientKey: string(clientCertPEM.Key),
142})
143}
144
145func base64Encode(content interface{}) (string, error) {
146str, ok := content.(string)
147if !ok {
148return "", fmt.Errorf("argument to base64 encode is not a string: %v", content)
149}
150
151return base64.StdEncoding.EncodeToString([]byte(str)), nil
152}
153