Merge pull request #1232 from abhinavdahiya/separate_chains

Create separate chains of trust for separate actors
openshift · Feb 21, 2019 · 0be3dfc · 0be3dfc
2 parents e7debfc + 91dfe76
commit 0be3dfc
Show file tree

Hide file tree

Showing 30 changed files with 1,738 additions and 540 deletions.
diff --git a/pkg/asset/ignition/bootstrap/bootstrap.go b/pkg/asset/ignition/bootstrap/bootstrap.go
@@ -62,23 +62,50 @@ var _ asset.WritableAsset = (*Bootstrap)(nil)
 func (a *Bootstrap) Dependencies() []asset.Asset {
 	return []asset.Asset{
 		&installconfig.InstallConfig{},
-		&tls.RootCA{},
-		&tls.EtcdCA{},
-		&tls.KubeCA{},
+		&kubeconfig.Admin{},
+		&kubeconfig.AdminClient{},
+		&kubeconfig.Kubelet{},
+		&kubeconfig.KubeletClient{},
+		&machines.Master{},
+		&manifests.Manifests{},
+		&manifests.Openshift{},
 		&tls.AggregatorCA{},
-		&tls.EtcdClientCertKey{},
+		&tls.AggregatorCABundle{},
+		&tls.AggregatorClientCertKey{},
+		&tls.AggregatorSignerCertKey{},
 		&tls.APIServerCertKey{},
 		&tls.APIServerProxyCertKey{},
-		&tls.AdminCertKey{},
+		&tls.EtcdCA{},
+		&tls.EtcdCABundle{},
+		&tls.EtcdClientCertKey{},
+		&tls.EtcdSignerCertKey{},
+		&tls.EtcdSignerClientCertKey{},
+		&tls.JournalCertKey{},
+		&tls.KubeAPIServerLBCABundle{},
+		&tls.KubeAPIServerLBServerCertKey{},
+		&tls.KubeAPIServerLBSignerCertKey{},
+		&tls.KubeAPIServerLocalhostCABundle{},
+		&tls.KubeAPIServerLocalhostServerCertKey{},
+		&tls.KubeAPIServerLocalhostSignerCertKey{},
+		&tls.KubeAPIServerServiceNetworkCABundle{},
+		&tls.KubeAPIServerServiceNetworkServerCertKey{},
+		&tls.KubeAPIServerServiceNetworkSignerCertKey{},
+		&tls.KubeAPIServerToKubeletCABundle{},
+		&tls.KubeAPIServerToKubeletClientCertKey{},
+		&tls.KubeAPIServerToKubeletSignerCertKey{},
+		&tls.KubeCA{},
+		&tls.KubeControlPlaneCABundle{},
+		&tls.KubeControlPlaneKubeControllerManagerClientCertKey{},
+		&tls.KubeControlPlaneKubeSchedulerClientCertKey{},
+		&tls.KubeControlPlaneSignerCertKey{},
 		&tls.KubeletCertKey{},
+		&tls.KubeletClientCABundle{},
+		&tls.KubeletClientCertKey{},
+		&tls.KubeletCSRSignerCertKey{},
+		&tls.KubeletServingCABundle{},
 		&tls.MCSCertKey{},
+		&tls.RootCA{},
 		&tls.ServiceAccountKeyPair{},
-		&tls.JournalCertKey{},
-		&kubeconfig.Admin{},
-		&kubeconfig.Kubelet{},
-		&machines.Master{},
-		&manifests.Manifests{},
-		&manifests.Openshift{},
 	}
 }
 
@@ -333,31 +360,54 @@ func readFile(name string, reader io.Reader, templateData interface{}) (finalNam
 }
 
 func (a *Bootstrap) addParentFiles(dependencies asset.Parents) {
-	mfsts := &manifests.Manifests{}
-	openshiftManifests := &manifests.Openshift{}
-	dependencies.Get(mfsts, openshiftManifests)
-
-	a.Config.Storage.Files = append(
-		a.Config.Storage.Files,
-		ignition.FilesFromAsset(rootDir, "root", 0644, mfsts)...,
-	)
-	a.Config.Storage.Files = append(
-		a.Config.Storage.Files,
-		ignition.FilesFromAsset(rootDir, "root", 0644, openshiftManifests)...,
-	)
+	for _, asset := range []asset.WritableAsset{
+		&manifests.Manifests{},
+		&manifests.Openshift{},
+		&machines.Master{},
+	} {
+		dependencies.Get(asset)
+		a.Config.Storage.Files = append(a.Config.Storage.Files, ignition.FilesFromAsset(rootDir, "root", 0644, asset)...)
+	}
 
 	for _, asset := range []asset.WritableAsset{
 		&kubeconfig.Admin{},
+		&kubeconfig.AdminClient{},
 		&kubeconfig.Kubelet{},
-		&machines.Master{},
-		&tls.KubeCA{},
+		&kubeconfig.KubeletClient{},
+		&kubeconfig.KubeletClient{},
 		&tls.AggregatorCA{},
-		&tls.EtcdCA{},
-		&tls.EtcdClientCertKey{},
+		&tls.AggregatorCABundle{},
+		&tls.AggregatorClientCertKey{},
+		&tls.AggregatorSignerCertKey{},
 		&tls.APIServerCertKey{},
 		&tls.APIServerProxyCertKey{},
-		&tls.AdminCertKey{},
+		&tls.EtcdCA{},
+		&tls.EtcdCABundle{},
+		&tls.EtcdClientCertKey{},
+		&tls.EtcdSignerCertKey{},
+		&tls.EtcdSignerClientCertKey{},
+		&tls.KubeAPIServerLBCABundle{},
+		&tls.KubeAPIServerLBServerCertKey{},
+		&tls.KubeAPIServerLBSignerCertKey{},
+		&tls.KubeAPIServerLocalhostCABundle{},
+		&tls.KubeAPIServerLocalhostServerCertKey{},
+		&tls.KubeAPIServerLocalhostSignerCertKey{},
+		&tls.KubeAPIServerServiceNetworkCABundle{},
+		&tls.KubeAPIServerServiceNetworkServerCertKey{},
+		&tls.KubeAPIServerServiceNetworkSignerCertKey{},
+		&tls.KubeAPIServerToKubeletCABundle{},
+		&tls.KubeAPIServerToKubeletClientCertKey{},
+		&tls.KubeAPIServerToKubeletSignerCertKey{},
+		&tls.KubeCA{},
+		&tls.KubeControlPlaneCABundle{},
+		&tls.KubeControlPlaneKubeControllerManagerClientCertKey{},
+		&tls.KubeControlPlaneKubeSchedulerClientCertKey{},
+		&tls.KubeControlPlaneSignerCertKey{},
 		&tls.KubeletCertKey{},
+		&tls.KubeletClientCABundle{},
+		&tls.KubeletClientCertKey{},
+		&tls.KubeletCSRSignerCertKey{},
+		&tls.KubeletServingCABundle{},
 		&tls.MCSCertKey{},
 		&tls.ServiceAccountKeyPair{},
 	} {

diff --git a/pkg/asset/kubeconfig/admin.go b/pkg/asset/kubeconfig/admin.go
@@ -9,10 +9,12 @@ import (
 )
 
 var (
-	kubeconfigAdminPath = filepath.Join("auth", "kubeconfig")
+	kubeconfigAdminPath       = filepath.Join("auth", "kubeconfig")
+	kubeconfigAdminClientPath = filepath.Join("auth", "kubeconfig-admin")
 )
 
 // Admin is the asset for the admin kubeconfig.
+// [DEPRECATED]
 type Admin struct {
 	kubeconfig
 }
@@ -53,3 +55,45 @@ func (k *Admin) Name() string {
 func (k *Admin) Load(f asset.FileFetcher) (found bool, err error) {
 	return k.load(f, kubeconfigAdminPath)
 }
+
+// AdminClient is the asset for the admin kubeconfig.
+type AdminClient struct {
+	kubeconfig
+}
+
+var _ asset.WritableAsset = (*AdminClient)(nil)
+
+// Dependencies returns the dependency of the kubeconfig.
+func (k *AdminClient) Dependencies() []asset.Asset {
+	return []asset.Asset{
+		&tls.AdminKubeConfigClientCertKey{},
+		&tls.AdminKubeConfigCABundle{},
+		&installconfig.InstallConfig{},
+	}
+}
+
+// Generate generates the kubeconfig.
+func (k *AdminClient) Generate(parents asset.Parents) error {
+	ca := &tls.AdminKubeConfigCABundle{}
+	clientCertKey := &tls.AdminKubeConfigClientCertKey{}
+	installConfig := &installconfig.InstallConfig{}
+	parents.Get(ca, clientCertKey, installConfig)
+
+	return k.kubeconfig.generate(
+		ca,
+		clientCertKey,
+		installConfig.Config,
+		"admin",
+		kubeconfigAdminClientPath,
+	)
+}
+
+// Name returns the human-friendly name of the asset.
+func (k *AdminClient) Name() string {
+	return "Kubeconfig Admin Client"
+}
+
+// Load returns the kubeconfig from disk.
+func (k *AdminClient) Load(f asset.FileFetcher) (found bool, err error) {
+	return k.load(f, kubeconfigAdminClientPath)
+}
diff --git a/pkg/asset/kubeconfig/kubeconfig.go b/pkg/asset/kubeconfig/kubeconfig.go
@@ -20,7 +20,7 @@ type kubeconfig struct {
 
 // generate generates the kubeconfig.
 func (k *kubeconfig) generate(
-	rootCA tls.CertKeyInterface,
+	ca tls.CertInterface,
 	clientCertKey tls.CertKeyInterface,
 	installConfig *types.InstallConfig,
 	userName string,
@@ -32,16 +32,16 @@ func (k *kubeconfig) generate(
 				Name: installConfig.ObjectMeta.Name,
 				Cluster: clientcmd.Cluster{
 					Server: fmt.Sprintf("https://api.%s:6443", installConfig.ClusterDomain()),
-					CertificateAuthorityData: []byte(rootCA.Cert()),
+					CertificateAuthorityData: ca.Cert(),
 				},
 			},
 		},
 		AuthInfos: []clientcmd.NamedAuthInfo{
 			{
 				Name: userName,
 				AuthInfo: clientcmd.AuthInfo{
-					ClientCertificateData: []byte(clientCertKey.Cert()),
-					ClientKeyData:         []byte(clientCertKey.Key()),
+					ClientCertificateData: clientCertKey.Cert(),
+					ClientKeyData:         clientCertKey.Key(),
 				},
 			},
 		},

diff --git a/pkg/asset/kubeconfig/kubelet.go b/pkg/asset/kubeconfig/kubelet.go
@@ -9,10 +9,12 @@ import (
 )
 
 var (
-	kubeconfigKubeletPath = filepath.Join("auth", "kubeconfig-kubelet")
+	kubeconfigKubeletPath       = filepath.Join("auth", "kubeconfig-kubelet")
+	kubeconfigKubeletClientPath = filepath.Join("auth", "kubeconfig-kubelet-client")
 )
 
 // Kubelet is the asset for the kubelet kubeconfig.
+// [DEPRECATED]
 type Kubelet struct {
 	kubeconfig
 }
@@ -53,3 +55,45 @@ func (k *Kubelet) Name() string {
 func (k *Kubelet) Load(asset.FileFetcher) (bool, error) {
 	return false, nil
 }
+
+// KubeletClient is the asset for the kubelet kubeconfig.
+type KubeletClient struct {
+	kubeconfig
+}
+
+var _ asset.WritableAsset = (*KubeletClient)(nil)
+
+// Dependencies returns the dependency of the kubeconfig.
+func (k *KubeletClient) Dependencies() []asset.Asset {
+	return []asset.Asset{
+		&tls.KubeletClientCABundle{},
+		&tls.KubeletClientCertKey{},
+		&installconfig.InstallConfig{},
+	}
+}
+
+// Generate generates the kubeconfig.
+func (k *KubeletClient) Generate(parents asset.Parents) error {
+	ca := &tls.KubeletClientCABundle{}
+	clientcertkey := &tls.KubeletClientCertKey{}
+	installConfig := &installconfig.InstallConfig{}
+	parents.Get(ca, clientcertkey, installConfig)
+
+	return k.kubeconfig.generate(
+		ca,
+		clientcertkey,
+		installConfig.Config,
+		"kubelet",
+		kubeconfigKubeletClientPath,
+	)
+}
+
+// Name returns the human-friendly name of the asset.
+func (k *KubeletClient) Name() string {
+	return "Kubeconfig Kubelet Client"
+}
+
+// Load is a no-op because kubelet kubeconfig is not written to disk.
+func (k *KubeletClient) Load(asset.FileFetcher) (bool, error) {
+	return false, nil
+}
diff --git a/pkg/asset/manifests/operators.go b/pkg/asset/manifests/operators.go
@@ -60,11 +60,8 @@ func (m *Manifests) Dependencies() []asset.Asset {
 		&Networking{},
 		&tls.RootCA{},
 		&tls.EtcdCA{},
-		&tls.IngressCertKey{},
-		&tls.KubeCA{},
 		&tls.EtcdClientCertKey{},
 		&tls.MCSCertKey{},
-		&tls.KubeletCertKey{},
 
 		&bootkube.KubeCloudConfig{},
 		&bootkube.MachineConfigServerTLSSecret{},
@@ -126,7 +123,6 @@ func (m *Manifests) generateBootKubeManifests(dependencies asset.Parents) []*ass
 	clusterID := &installconfig.ClusterID{}
 	installConfig := &installconfig.InstallConfig{}
 	etcdCA := &tls.EtcdCA{}
-	kubeCA := &tls.KubeCA{}
 	mcsCertKey := &tls.MCSCertKey{}
 	etcdClientCertKey := &tls.EtcdClientCertKey{}
 	rootCA := &tls.RootCA{}
@@ -135,7 +131,6 @@ func (m *Manifests) generateBootKubeManifests(dependencies asset.Parents) []*ass
 		installConfig,
 		etcdCA,
 		etcdClientCertKey,
-		kubeCA,
 		mcsCertKey,
 		rootCA,
 	)
@@ -150,8 +145,6 @@ func (m *Manifests) generateBootKubeManifests(dependencies asset.Parents) []*ass
 		EtcdCaCert:                      string(etcdCA.Cert()),
 		EtcdClientCert:                  base64.StdEncoding.EncodeToString(etcdClientCertKey.Cert()),
 		EtcdClientKey:                   base64.StdEncoding.EncodeToString(etcdClientCertKey.Key()),
-		KubeCaCert:                      base64.StdEncoding.EncodeToString(kubeCA.Cert()),
-		KubeCaKey:                       base64.StdEncoding.EncodeToString(kubeCA.Key()),
 		McsTLSCert:                      base64.StdEncoding.EncodeToString(mcsCertKey.Cert()),
 		McsTLSKey:                       base64.StdEncoding.EncodeToString(mcsCertKey.Key()),
 		PullSecretBase64:                base64.StdEncoding.EncodeToString([]byte(installConfig.Config.PullSecret)),

diff --git a/pkg/asset/manifests/template.go b/pkg/asset/manifests/template.go
@@ -21,8 +21,6 @@ type bootkubeTemplateData struct {
 	EtcdCaCert                      string
 	EtcdClientCert                  string
 	EtcdClientKey                   string
-	KubeCaCert                      string
-	KubeCaKey                       string
 	McsTLSCert                      string
 	McsTLSKey                       string
 	PullSecretBase64                string

diff --git a/pkg/asset/tls/admincertkey.go b/pkg/asset/tls/admincertkey.go