kubadm运行逻辑——init-certs证书的生成与创建
作者:互联网
前言
认证体系知识繁杂,因此需要较多的基础理论才能明白认证的一个基本逻辑。
1、非对称加密体系:这块是加密解密、认证的基本原理以及知识点。有了这些基本数学基础,才能明白具体为什么非对称加密可以做认证。相关知识点如下所示:
http://www.ruanyifeng.com/blog/2013/06/rsa_algorithm_part_one.html
https://www.ruanyifeng.com/blog/2013/07/rsa_algorithm_part_two.html
2、另外就是需要了解加密认证的基本协议规范。即使有了上面的加密解密理论知识,但是应用到实践当中,还是要有规范以及相关的约定。比如说公钥如何给到相关的机构,相关机构如何二次签发,签发的认证证书如何验证真实性等等。这块涉及到互联网的相关的知识点,用的比较多的是X.509协议,如下:
https://blog.csdn.net/blue0bird/article/details/78656536
3、有了这些协议密码之后,需要一些现成的工具来完成这些信息的生成以及证书的只做。openssl就是一个很好的工具。使用它来完成具体的证书生成操作。
4、生成后具体证书在https中的应用逻辑。其实非对称加密算法只能加解密数字,因此无法直接对较大的文本进行加密传输。所以https就是使用证书进行秘钥的传递,传递之后再用相关秘钥进行数据传输,进而保证传输信息保密。
https://www.runoob.com/w3cnote/https-ssl-intro.html
一、kubernetes需要的证书列表
kubeadm用于生成各个证书的重要代码段,他把各个证书的的生成封装成一个个的对象。然后放到我们subPhases中,上层的逻辑会挨个调用对象中的run函数。
74 func newCertSubPhases() []workflow.Phase {
75 subPhases := []workflow.Phase{}
76
77 // All subphase
78 allPhase := workflow.Phase{
79 Name: "all",
80 Short: "Generate all certificates",
81 InheritFlags: getCertPhaseFlags("all"),
82 RunAllSiblings: true,
83 }
84
85 subPhases = append(subPhases, allPhase)
86
87 // This loop assumes that GetDefaultCertList() always returns a list of
88 // certificate that is preceded by the CAs that sign them.
89 var lastCACert *certsphase.KubeadmCert
90 for _, cert := range certsphase.GetDefaultCertList() {
91 var phase workflow.Phase
92 if cert.CAName == "" {
93 phase = newCertSubPhase(cert, runCAPhase(cert))
94 lastCACert = cert
95 } else {
96 phase = newCertSubPhase(cert, runCertPhase(cert, lastCACert))
97 phase.LocalFlags = localFlags()
98 }
99 subPhases = append(subPhases, phase)
100 }
101
102 // SA creates the private/public key pair, which doesn't use x509 at all
103 saPhase := workflow.Phase{
104 Name: "sa",
105 Short: "Generate a private key for signing service account tokens along with its public key",
106 Long: saKeyLongDesc,
107 Run: runCertsSa,
108 InheritFlags: []string{options.CertificatesDir},
109 }
110
111 subPhases = append(subPhases, saPhase)
112
113 return subPhases
114 }具体生成的相关证书逻辑。加上上面的SA。共同组成了kubernetes的所有证书。
208 func GetDefaultCertList() Certificates {
209 return Certificates{
210 &KubeadmCertRootCA, //根证书
211 &KubeadmCertAPIServer, // apiserver的认证证书
212 &KubeadmCertKubeletClient, // kublete clietn的证书
213 // Front Proxy certs
214 &KubeadmCertFrontProxyCA, //前置proxy的证书
215 &KubeadmCertFrontProxyClient, //前置proxy client的证书
216 // etcd certs
217 &KubeadmCertEtcdCA, // etcd 的认证文件
218 &KubeadmCertEtcdServer, // etcd服务的认证文件
219 &KubeadmCertEtcdPeer, // etcd之间交互的认证文件
220 &KubeadmCertEtcdHealthcheck, //etcd 健康监测的认证文件
221 &KubeadmCertEtcdAPIClient, //etcd提供给api 的客户端认证文件
222 }
223 }二、各个证书的生成逻辑
2.1 KubeadmCertRootCA
相关的对象片段:
239 KubeadmCertRootCA = KubeadmCert{
240 Name: "ca",
241 LongName: "self-signed Kubernetes CA to provision identities for other Kubernetes components",
242 BaseName: kubeadmconstants.CACertAndKeyBaseName,
243 config: pkiutil.CertConfig{
244 Config: certutil.Config{
245 CommonName: "kubernetes",
246 },
247 },
248 }2.2 KubeadmCertAPIServer
249 // KubeadmCertAPIServer is the definition of the cert used to serve the Kubernetes API.
250 KubeadmCertAPIServer = KubeadmCert{
251 Name: "apiserver",
252 LongName: "certificate for serving the Kubernetes API",
253 BaseName: kubeadmconstants.APIServerCertAndKeyBaseName,
254 CAName: "ca",
255 config: pkiutil.CertConfig{
256 Config: certutil.Config{
257 CommonName: kubeadmconstants.APIServerCertCommonName,
258 Usages: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
259 },
260 },
261 configMutators: []configMutatorsFunc{
262 makeAltNamesMutator(pkiutil.GetAPIServerAltNames),
263 },
264 }2.3 KubeadmCertKubeletClient
265 // KubeadmCertKubeletClient is the definition of the cert used by the API server to access the kubelet.
266 KubeadmCertKubeletClient = KubeadmCert{
267 Name: "apiserver-kubelet-client",
268 LongName: "certificate for the API server to connect to kubelet",
269 BaseName: kubeadmconstants.APIServerKubeletClientCertAndKeyBaseName,
270 CAName: "ca",
271 config: pkiutil.CertConfig{
272 Config: certutil.Config{
273 CommonName: kubeadmconstants.APIServerKubeletClientCertCommonName,
274 Organization: []string{kubeadmconstants.SystemPrivilegedGroup},
275 Usages: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth},
276 },
277 },
278 }2.4 KubeadmCertFrontProxyCA
280 // KubeadmCertFrontProxyCA is the definition of the CA used for the front end proxy.
281 KubeadmCertFrontProxyCA = KubeadmCert{
282 Name: "front-proxy-ca",
283 LongName: "self-signed CA to provision identities for front proxy",
284 BaseName: kubeadmconstants.FrontProxyCACertAndKeyBaseName,
285 config: pkiutil.CertConfig{
286 Config: certutil.Config{
287 CommonName: "front-proxy-ca",
288 },
289 },
290 }2.5 KubeadmCertFrontProxyClient
293 KubeadmCertFrontProxyClient = KubeadmCert{
294 Name: "front-proxy-client",
295 BaseName: kubeadmconstants.FrontProxyClientCertAndKeyBaseName,
296 LongName: "certificate for the front proxy client",
297 CAName: "front-proxy-ca",
298 config: pkiutil.CertConfig{
299 Config: certutil.Config{
300 CommonName: kubeadmconstants.FrontProxyClientCertCommonName,
301 Usages: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth},
302 },
303 },
304 }2.6 KubeadmCertEtcdCA
06 // KubeadmCertEtcdCA is the definition of the root CA used by the hosted etcd server.
307 KubeadmCertEtcdCA = KubeadmCert{
308 Name: "etcd-ca",
309 LongName: "self-signed CA to provision identities for etcd",
310 BaseName: kubeadmconstants.EtcdCACertAndKeyBaseName,
311 config: pkiutil.CertConfig{
312 Config: certutil.Config{
313 CommonName: "etcd-ca",
314 },
315 },
316 }2.7 KubeadmCertEtcdServer
317 // KubeadmCertEtcdServer is the definition of the cert used to serve etcd to clients.
318 KubeadmCertEtcdServer = KubeadmCert{
319 Name: "etcd-server",
320 LongName: "certificate for serving etcd",
321 BaseName: kubeadmconstants.EtcdServerCertAndKeyBaseName,
322 CAName: "etcd-ca",
323 config: pkiutil.CertConfig{
324 Config: certutil.Config{
325 // TODO: etcd 3.2 introduced an undocumented requirement for ClientAuth usage on the
326 // server cert: https://github.com/coreos/etcd/issues/9785#issuecomment-396715692
327 // Once the upstream issue is resolved, this should be returned to only allowing
328 // ServerAuth usage.
329 Usages: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth, x509.ExtKeyUsageClientAuth},
330 },
331 },
332 configMutators: []configMutatorsFunc{
333 makeAltNamesMutator(pkiutil.GetEtcdAltNames),
334 setCommonNameToNodeName(),
335 },
336 }2.8 KubeadmCertEtcdPeer
337 // KubeadmCertEtcdPeer is the definition of the cert used by etcd peers to access each other.
338 KubeadmCertEtcdPeer = KubeadmCert{
339 Name: "etcd-peer",
340 LongName: "certificate for etcd nodes to communicate with each other",
341 BaseName: kubeadmconstants.EtcdPeerCertAndKeyBaseName,
342 CAName: "etcd-ca",
343 config: pkiutil.CertConfig{
344 Config: certutil.Config{
345 Usages: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth, x509.ExtKeyUsageClientAuth},
346 },
347 },
348 configMutators: []configMutatorsFunc{
349 makeAltNamesMutator(pkiutil.GetEtcdPeerAltNames),
350 setCommonNameToNodeName(),
351 },
352 }2.9 KubeadmCertEtcdHealthcheck
353 // KubeadmCertEtcdHealthcheck is the definition of the cert used by Kubernetes to check the health of the etcd server.
354 KubeadmCertEtcdHealthcheck = KubeadmCert{
355 Name: "etcd-healthcheck-client",
356 LongName: "certificate for liveness probes to healthcheck etcd",
357 BaseName: kubeadmconstants.EtcdHealthcheckClientCertAndKeyBaseName,
358 CAName: "etcd-ca",
359 config: pkiutil.CertConfig{
360 Config: certutil.Config{
361 CommonName: kubeadmconstants.EtcdHealthcheckClientCertCommonName,
362 Organization: []string{kubeadmconstants.SystemPrivilegedGroup},
363 Usages: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth},
364 },
365 },
366 }2.10 KubeadmCertEtcdAPIClient
367 // KubeadmCertEtcdAPIClient is the definition of the cert used by the API server to access etcd.
368 KubeadmCertEtcdAPIClient = KubeadmCert{
369 Name: "apiserver-etcd-client",
370 LongName: "certificate the apiserver uses to access etcd",
371 BaseName: kubeadmconstants.APIServerEtcdClientCertAndKeyBaseName,
372 CAName: "etcd-ca",
373 config: pkiutil.CertConfig{
374 Config: certutil.Config{
375 CommonName: kubeadmconstants.APIServerEtcdClientCertCommonName,
376 Organization: []string{kubeadmconstants.SystemPrivilegedGroup},
377 Usages: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth},
378 },
379 },
380 }三、生成证书的实现函数
3.1 runCAPhase 生成CA证书
216 func runCAPhase(ca *certsphase.KubeadmCert) func(c workflow.RunData) error {
217 return func(c workflow.RunData) error {
218 data, ok := c.(InitData)
219 if !ok {
220 return errors.New("certs phase invoked with an invalid data struct")
221 }
222
223 // if using external etcd, skips etcd certificate authority generation
224 if data.Cfg().Etcd.External != nil && ca.Name == "etcd-ca" {
225 fmt.Printf("[certs] External etcd mode: Skipping %s certificate authority generation\n", ca.BaseName)
226 return nil
227 }
228
229 if _, err := pkiutil.TryLoadCertFromDisk(data.CertificateDir(), ca.BaseName); err == nil {
230 if _, err := pkiutil.TryLoadKeyFromDisk(data.CertificateDir(), ca.BaseName); err == nil {
231 fmt.Printf("[certs] Using existing %s certificate authority\n", ca.BaseName)
232 return nil
233 }
234 fmt.Printf("[certs] Using existing %s keyless certificate authority\n", ca.BaseName)
235 return nil
236 }
237
238 // if dryrunning, write certificates authority to a temporary folder (and defer restore to the path originally specified by the user)
239 cfg := data.Cfg()
240 cfg.CertificatesDir = data.CertificateWriteDir()
241 defer func() { cfg.CertificatesDir = data.CertificateDir() }()
242
243 // create the new certificate authority (or use existing)
244 return certsphase.CreateCACertAndKeyFiles(ca, cfg)
245 }
246 }3.2 runCertPhase 生成其他证书
248 func runCertPhase(cert *certsphase.KubeadmCert, caCert *certsphase.KubeadmCert) func(c workflow.RunData) error {
249 return func(c workflow.RunData) error {
250 data, ok := c.(InitData)
251 if !ok {
252 return errors.New("certs phase invoked with an invalid data struct")
253 }
254
255 // if using external etcd, skips etcd certificates generation
256 if data.Cfg().Etcd.External != nil && cert.CAName == "etcd-ca" {
257 fmt.Printf("[certs] External etcd mode: Skipping %s certificate generation\n", cert.BaseName)
258 return nil
259 }
260
261 if certData, _, err := pkiutil.TryLoadCertAndKeyFromDisk(data.CertificateDir(), cert.BaseName); err == nil {
262 caCertData, err := pkiutil.TryLoadCertFromDisk(data.CertificateDir(), caCert.BaseName)
263 if err != nil {
264 return errors.Wrapf(err, "couldn't load CA certificate %s", caCert.Name)
265 }
266
267 if err := certData.CheckSignatureFrom(caCertData); err != nil {
268 return errors.Wrapf(err, "[certs] certificate %s not signed by CA certificate %s", cert.BaseName, caCert.BaseName)
269 }
270
271 fmt.Printf("[certs] Using existing %s certificate and key on disk\n", cert.BaseName)
272 return nil
273 }
274
275 if csrOnly {
276 fmt.Printf("[certs] Generating CSR for %s instead of certificate\n", cert.BaseName)
277 if csrDir == "" {
278 csrDir = data.CertificateWriteDir()
279 }
280
281 return certsphase.CreateCSR(cert, data.Cfg(), csrDir)
282 }
283
284 // if dryrunning, write certificates to a temporary folder (and defer restore to the path originally specified by the user)
285 cfg := data.Cfg()
286 cfg.CertificatesDir = data.CertificateWriteDir()
287 defer func() { cfg.CertificatesDir = data.CertificateDir() }()
288
289 // create the new certificate (or use existing)
290 return certsphase.CreateCertAndKeyFilesWithCA(cert, caCert, cfg)
291 }
292 }标签:certificate,ca,cert,init,kubadm,etcd,certs,Config,BaseName 来源: https://blog.csdn.net/baiyvwuxia/article/details/117280604