Documentation ¶
Index ¶
- Constants
- Variables
- func AddClusterConfigFlags(flagSet *flag.FlagSet, cfg *kubeadmapiv1beta3.ClusterConfiguration, ...)
- func AddInitConfigFlags(flagSet *flag.FlagSet, cfg *kubeadmapiv1beta3.InitConfiguration)
- func AddInitOtherFlags(flagSet *flag.FlagSet, initOptions *initOptions)
- func AddResetFlags(flagSet *flag.FlagSet, resetOptions *resetOptions)
- func CreateCACertAndKeyFiles(certSpec *KubeadmCert, cfg *kubeadmapi.InitConfiguration) error
- func CreateCSR(certSpec *KubeadmCert, cfg *kubeadmapi.InitConfiguration, path string) error
- func CreateCertAndKeyFilesWithCA(certSpec *KubeadmCert, caCertSpec *KubeadmCert, ...) error
- func CreateEdgePKIAssets(cfg *kubeadmapi.InitConfiguration) error
- func CreateServiceAccountKeyAndPublicKeyFiles(certsDir string, keyType x509.PublicKeyAlgorithm) error
- func LoadCertificateAuthority(pkiDir string, baseName string) (*x509.Certificate, crypto.Signer, error)
- func NewCSR(certSpec *KubeadmCert, cfg *kubeadmapi.InitConfiguration) (*x509.CertificateRequest, crypto.Signer, error)
- func NewCmdToken(out io.Writer, errW io.Writer) *cobra.Command
- func NewCmdTokenGenerate(out io.Writer) *cobra.Command
- func NewEdgeCertsPhase(config *cmd.EdgeadmConfig) workflow.Phase
- func NewEdgeConfPhase(config *cmd.EdgeadmConfig) workflow.Phase
- func NewInitCMD(out io.Writer, edgeConfig *cmd.EdgeadmConfig) *cobra.Command
- func NewJoinCMD(out io.Writer, edgeConfig *cmd.EdgeadmConfig) *cobra.Command
- func NewResetCMD(in io.Reader, out io.Writer, edgeConfig *cmd.EdgeadmConfig) *cobra.Command
- func RunCreateToken(out io.Writer, client clientset.Interface, cfgPath string, ...) error
- func RunDeleteTokens(out io.Writer, client clientset.Interface, tokenIDsOrTokens []string) error
- func RunGenerateToken(out io.Writer) error
- func RunListTokens(out io.Writer, errW io.Writer, client clientset.Interface, ...) error
- func SharedCertificateExists(cfg *kubeadmapi.ClusterConfiguration) (bool, error)
- func UsingExternalCA(cfg *kubeadmapi.ClusterConfiguration) (bool, error)
- func UsingExternalFrontProxyCA(cfg *kubeadmapi.ClusterConfiguration) (bool, error)
- type CertificateMap
- type CertificateTree
- type Certificates
- type KubeadmCert
- func (k *KubeadmCert) CreateAsCA(ic *kubeadmapi.InitConfiguration) (*x509.Certificate, crypto.Signer, error)
- func (k *KubeadmCert) CreateFromCA(ic *kubeadmapi.InitConfiguration, caCert *x509.Certificate, ...) error
- func (k *KubeadmCert) GetConfig(ic *kubeadmapi.InitConfiguration) (*pkiutil.CertConfig, error)
Constants ¶
const (
	// IngressYaml is a string constant whose 439-byte literal is not displayed on this page.
	IngressYaml = `` /* 439-byte string literal not displayed */
	// IngressYamlPath is the absolute path of egress-selector-configuration.yaml
	// under /etc/kubernetes/kube-apiserver-conf.
	// NOTE(review): presumably IngressYaml is written to this path for kube-apiserver to read;
	// confirm against the caller. If so, the file decides how the API server routes outbound
	// connections, so write access to it should be as restricted as the rest of /etc/kubernetes.
	// NOTE(review): the constants are named "Ingress" while the file name says "egress-selector";
	// confirm the naming is intentional.
	IngressYamlPath = "/etc/kubernetes/kube-apiserver-conf/egress-selector-configuration.yaml"
)
const (
IngressClientCertAndKeyBaseName = "tunnel-anp-client"
)
Variables ¶
var (
	// KubeadmCertRootCA is the definition of the Kubernetes Root CA for the API Server and kubelet.
	KubeadmCertRootCA = KubeadmCert{
		Name:     "ca",
		LongName: "self-signed Kubernetes CA to provision identities for other Kubernetes components",
		BaseName: kubeadmconstants.CACertAndKeyBaseName,
		// contains filtered or unexported fields
	}
	// KubeadmIngress is the certificate spec named "ingress-client". Its CAName is "ca",
	// the Name of KubeadmCertRootCA, and its BaseName is IngressClientCertAndKeyBaseName.
	// NOTE(review): LongName describes a self-signed CA for etcd, which does not match a spec
	// that names a parent CA; the text looks copied from another entry. Presumably this is a
	// client certificate signed by the root CA. Confirm and correct the description so that
	// anyone auditing the generated PKI is not misled about what this credential is for.
	KubeadmIngress = KubeadmCert{
		Name:     "ingress-client",
		LongName: "self-signed CA to provision identities for etcd",
		BaseName: IngressClientCertAndKeyBaseName,
		CAName:   "ca",
		// contains filtered or unexported fields
	}
)
Functions ¶
func AddClusterConfigFlags ¶
func AddClusterConfigFlags(flagSet *flag.FlagSet, cfg *kubeadmapiv1beta3.ClusterConfiguration, featureGatesString *string)
AddClusterConfigFlags adds cluster flags bound to the config to the specified flagset
func AddInitConfigFlags ¶
func AddInitConfigFlags(flagSet *flag.FlagSet, cfg *kubeadmapiv1beta3.InitConfiguration)
AddInitConfigFlags adds init flags bound to the config to the specified flagset
func AddInitOtherFlags ¶
AddInitOtherFlags adds init flags that are not bound to a configuration file to the given flagset. Note: All flags that are not bound to the cfg object should be allowed in cmd/kubeadm/app/apis/kubeadm/validation/validation.go
func AddResetFlags ¶
AddResetFlags adds reset flags
func CreateCACertAndKeyFiles ¶
func CreateCACertAndKeyFiles(certSpec *KubeadmCert, cfg *kubeadmapi.InitConfiguration) error
CreateCACertAndKeyFiles generates and writes out a given certificate authority. The certSpec should be one of the variables from this package.
func CreateCSR ¶
func CreateCSR(certSpec *KubeadmCert, cfg *kubeadmapi.InitConfiguration, path string) error
CreateCSR creates a certificate signing request
func CreateCertAndKeyFilesWithCA ¶
func CreateCertAndKeyFilesWithCA(certSpec *KubeadmCert, caCertSpec *KubeadmCert, cfg *kubeadmapi.InitConfiguration) error
CreateCertAndKeyFilesWithCA loads the given certificate authority from disk, then generates and writes out the given certificate and key. The certSpec and caCertSpec should both be one of the variables from this package.
func CreateEdgePKIAssets ¶ added in v0.9.0
func CreateEdgePKIAssets(cfg *kubeadmapi.InitConfiguration) error
func CreateServiceAccountKeyAndPublicKeyFiles ¶
func CreateServiceAccountKeyAndPublicKeyFiles(certsDir string, keyType x509.PublicKeyAlgorithm) error
CreateServiceAccountKeyAndPublicKeyFiles creates new public/private key files for signing service account users. If the sa public/private key files already exist in the target folder, they are used only if they are evaluated as equal; otherwise an error is returned.
func LoadCertificateAuthority ¶
func LoadCertificateAuthority(pkiDir string, baseName string) (*x509.Certificate, crypto.Signer, error)
LoadCertificateAuthority tries to load a CA in the given directory with the given name.
func NewCSR ¶
func NewCSR(certSpec *KubeadmCert, cfg *kubeadmapi.InitConfiguration) (*x509.CertificateRequest, crypto.Signer, error)
NewCSR will generate a new CSR and accompanying key
func NewCmdToken ¶
NewCmdToken returns cobra.Command for token management
func NewCmdTokenGenerate ¶
NewCmdTokenGenerate returns cobra.Command to generate new token
func NewEdgeCertsPhase ¶
func NewEdgeCertsPhase(config *cmd.EdgeadmConfig) workflow.Phase
NewEdgeCertsPhase returns the phase for the certs
func NewEdgeConfPhase ¶
func NewEdgeConfPhase(config *cmd.EdgeadmConfig) workflow.Phase
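NewEdgeConfPhase returns a workflow phase. The original comment here ("NewCertsPhase returns the phase for the certs") appears to be copied from the certs phase and does not describe this function.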
func NewInitCMD ¶
func NewJoinCMD ¶
func NewResetCMD ¶
func RunCreateToken ¶
func RunCreateToken(out io.Writer, client clientset.Interface, cfgPath string, initCfg *kubeadmapiv1beta3.InitConfiguration, printJoinCommand bool, certificateKey string, kubeConfigFile string) error
RunCreateToken generates a new bootstrap token and stores it as a secret on the server.
func RunDeleteTokens ¶
RunDeleteTokens removes bootstrap tokens from the server.
func RunGenerateToken ¶
RunGenerateToken just generates a random token for the user
func RunListTokens ¶
func RunListTokens(out io.Writer, errW io.Writer, client clientset.Interface, printer output.Printer) error
RunListTokens lists details on all existing bootstrap tokens on the server.
func SharedCertificateExists ¶
func SharedCertificateExists(cfg *kubeadmapi.ClusterConfiguration) (bool, error)
SharedCertificateExists verifies whether the shared certificates exist. The shared certificates are those that must be equal across control-plane nodes: ca.key, ca.crt, sa.key, sa.pub, plus etcd/ca.key and etcd/ca.crt if local/stacked etcd is used.
func UsingExternalCA ¶
func UsingExternalCA(cfg *kubeadmapi.ClusterConfiguration) (bool, error)
UsingExternalCA determines whether the user is relying on an external CA. We currently implicitly determine this is the case when the CA Cert is present but the CA Key is not. This allows us to, e.g., skip generating certs or not start the csr signing controller. In case we are using an external front-proxy CA, the function validates the certificates signed by front-proxy CA that should be provided by the user.
func UsingExternalFrontProxyCA ¶
func UsingExternalFrontProxyCA(cfg *kubeadmapi.ClusterConfiguration) (bool, error)
UsingExternalFrontProxyCA determines whether the user is relying on an external front-proxy CA. We currently implicitly determine this is the case when the front proxy CA Cert is present but the front proxy CA Key is not. In case we are using an external front-proxy CA, the function validates the certificates signed by front-proxy CA that should be provided by the user.
Types ¶
type CertificateMap ¶
type CertificateMap map[string]*KubeadmCert
CertificateMap is a flat map of certificates, keyed by Name.
func (CertificateMap) CertTree ¶
func (m CertificateMap) CertTree() (CertificateTree, error)
CertTree returns a one-level-deep tree, mapping a CA cert to an array of certificates that should be signed by it.
type CertificateTree ¶
type CertificateTree map[*KubeadmCert]Certificates
CertificateTree represents a one-level-deep tree, mapping a CA to the certs that depend on it.
func (CertificateTree) CreateTree ¶
func (t CertificateTree) CreateTree(ic *kubeadmapi.InitConfiguration) error
CreateTree creates the CAs, certs signed by the CAs, and writes them all to disk.
type Certificates ¶
type Certificates []*KubeadmCert
Certificates is a list of Certificates that Kubeadm should create.
func GetEdgeCertList ¶
func GetEdgeCertList() Certificates
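GetEdgeCertList returns a list of certificates. The original comment names GetDefaultCertList and says it returns all of the certificates kubeadm requires to function; it appears to be carried over from kubeadm.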
func (Certificates) AsMap ¶
func (c Certificates) AsMap() CertificateMap
AsMap returns the list of certificates as a map, keyed by name.
type KubeadmCert ¶
type KubeadmCert struct { Name string LongName string BaseName string CAName string // contains filtered or unexported fields }
KubeadmCert represents a certificate that Kubeadm will create to function properly.
func (*KubeadmCert) CreateAsCA ¶
func (k *KubeadmCert) CreateAsCA(ic *kubeadmapi.InitConfiguration) (*x509.Certificate, crypto.Signer, error)
CreateAsCA creates a certificate authority, writing the files to disk and also returning the created CA so it can be used to sign child certs.
func (*KubeadmCert) CreateFromCA ¶
func (k *KubeadmCert) CreateFromCA(ic *kubeadmapi.InitConfiguration, caCert *x509.Certificate, caKey crypto.Signer) error
CreateFromCA makes and writes a certificate using the given CA cert and key.
func (*KubeadmCert) GetConfig ¶
func (k *KubeadmCert) GetConfig(ic *kubeadmapi.InitConfiguration) (*pkiutil.CertConfig, error)
GetConfig returns the definition for the given cert given the provided InitConfiguration