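// Cmd is the "bootstrap" sub-command: it authenticates to Vault, obtains a
// client certificate in the "system:bootstrappers" group and writes a
// kubeconfig that a kubelet can use for TLS bootstrapping.
//
// All inputs come from package-level flag variables declared elsewhere in
// this package (vaultAddr, vaultAuth, signVerbatim, pkiMount, pkiRole,
// pkiTTL, nodeName, groupName, masterAddr, insecure, kubeconfig).
// Any failure terminates the process through glog.Exitf.
var Cmd = &cobra.Command{
	Use:   "bootstrap",
	Short: "create bootstrap certificate using vault",
	Args:  cobra.NoArgs,
	Long: `Create certificates with the "system:bootstrappers" group.

  By default the role should be pre-configured in vault in such a way that it has 
  "O=system:bootstrappers" and can be used as a client cert. This tool then needs 
  permissions in vault to issue a cert with that role.

  Alternatively this tool can use the sign-verbatim endpoint, but it is 
  discouraged as it requires giving access to the sign-verbatim endpoint to this 
  tool, which is a lot of power.

  Complete documentation of the RBAC required to have the generated certs work 
  can be found here:
  https://kubernetes.io/docs/reference/command-line-tools-reference/kubelet-tls-bootstrapping/`,
	Run: func(cmd *cobra.Command, args []string) {
		client, err := api.NewClient(&api.Config{
			Address:    vaultAddr,
			MaxRetries: 10,
		})
		if err != nil {
			glog.Exitf("create vault client: %s", err)
		}

		// Renew the Vault token once, up front, so the issuance below runs
		// against a live token.
		if err := token.NewRenewer(client, vaultAuth).RunOnce(); err != nil {
			glog.Exitf("renew vault token: %s", err)
		}

		// Two issuance paths: "issue" relies on a Vault role that is
		// pre-configured to pin the group, while "sign-verbatim" lets this
		// tool choose the group itself and therefore needs much broader
		// Vault permissions (see Long).
		var key, cert, ca []byte
		if signVerbatim {
			key, cert, ca, err = bootstrap.CreateBootstrapCertWithSignVerbatim(client, pkiMount, pkiRole, pkiTTL, nodeName, groupName)
		} else {
			key, cert, ca, err = bootstrap.CreateBootstrapCertWithIssue(client, pkiMount, pkiRole, pkiTTL, nodeName)
		}
		if err != nil {
			glog.Exitf("generate bootstrap certificate: %s", err)
		}

		kubeconfigData := buildKubeconfig(masterAddr, insecure, ca, cert, key)
		if err := clientcmd.WriteToFile(kubeconfigData, kubeconfig); err != nil {
			glog.Exitf("write kubeconfig to disk: %s", err)
		}
	},
}

// buildKubeconfig assembles a single-cluster kubeconfig ("default-cluster" /
// "default-auth" / "default-context", namespace "default") pointing at
// masterAddr that authenticates with the given client certificate and key.
//
// ca is the issuing CA returned by Vault and is embedded so the kubelet can
// verify the API server. When insecure is true, server certificate
// verification is disabled in the resulting kubeconfig, which exposes the
// bootstrap credential to interception on the wire; prefer shipping the CA.
// NOTE(review): client-go is believed to reject a cluster entry that sets
// both InsecureSkipTLSVerify and CertificateAuthorityData — confirm against
// the vendored client-go before relying on the insecure flag.
func buildKubeconfig(masterAddr string, insecure bool, ca, cert, key []byte) clientcmdapi.Config {
	return clientcmdapi.Config{
		Clusters: map[string]*clientcmdapi.Cluster{"default-cluster": {
			Server:                   masterAddr,
			InsecureSkipTLSVerify:    insecure,
			CertificateAuthorityData: ca,
		}},
		AuthInfos: map[string]*clientcmdapi.AuthInfo{"default-auth": {
			ClientCertificateData: cert,
			ClientKeyData:         key,
		}},
		Contexts: map[string]*clientcmdapi.Context{"default-context": {
			Cluster:   "default-cluster",
			AuthInfo:  "default-auth",
			Namespace: "default",
		}},
		CurrentContext: "default-context",
	}
}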
