kubadm运行逻辑——init-certs证书的生成与创建
2024-04-08 17:09:12
前言
认证体系知识繁杂,因此需要较多的基础理论才能明白认证的一个基本逻辑。
1、非对称加密体系:这块是加密解密、认证的基本原理以及知识点。有了这些基本数学基础,才能明白具体为什么非对称加密可以做认证。相关知识点如下所示:
http://www.ruanyifeng.com/blog/2013/06/rsa_algorithm_part_one.html
https://www.ruanyifeng.com/blog/2013/07/rsa_algorithm_part_two.html
2、另外就是需要了解加密认证的基本协议规范。即使有了上面的加密解密理论知识,但是应用到实践当中,还是要有规范以及相关的约定。比如说公钥如何给到相关的机构,相关机构如何二次签发,签发的认证证书如何验证真实性等等。这块涉及到互联网的相关的知识点,用的比较多的是X.509协议,如下:
https://blog.csdn.net/blue0bird/article/details/78656536
3、有了这些协议密码之后,需要一些现成的工具来完成这些信息的生成以及证书的只做。openssl就是一个很好的工具。使用它来完成具体的证书生成操作。
4、生成后具体证书在https中的应用逻辑。其实非对称加密算法只能加解密数字,因此无法直接对较大的文本进行加密传输。所以https就是使用证书进行秘钥的传递,传递之后再用相关秘钥进行数据传输,进而保证传输信息保密。
https://www.runoob.com/w3cnote/https-ssl-intro.html
一、kubernetes需要的证书列表
kubeadm用于生成各个证书的重要代码段,他把各个证书的的生成封装成一个个的对象。然后放到我们subPhases中,上层的逻辑会挨个调用对象中的run函数。
74 func newCertSubPhases() []workflow.Phase {75 subPhases := []workflow.Phase{}7677 // All subphase78 allPhase := workflow.Phase{79 Name: "all",80 Short: "Generate all certificates",81 InheritFlags: getCertPhaseFlags("all"),82 RunAllSiblings: true,83 }8485 subPhases = append(subPhases, allPhase)8687 // This loop assumes that GetDefaultCertList() always returns a list of88 // certificate that is preceded by the CAs that sign them.89 var lastCACert *certsphase.KubeadmCert90 for _, cert := range certsphase.GetDefaultCertList() {91 var phase workflow.Phase92 if cert.CAName == "" {93 phase = newCertSubPhase(cert, runCAPhase(cert))94 lastCACert = cert95 } else {96 phase = newCertSubPhase(cert, runCertPhase(cert, lastCACert))97 phase.LocalFlags = localFlags()98 }99 subPhases = append(subPhases, phase)
100 }
101
102 // SA creates the private/public key pair, which doesn't use x509 at all
103 saPhase := workflow.Phase{
104 Name: "sa",
105 Short: "Generate a private key for signing service account tokens along with its public key",
106 Long: saKeyLongDesc,
107 Run: runCertsSa,
108 InheritFlags: []string{options.CertificatesDir},
109 }
110
111 subPhases = append(subPhases, saPhase)
112
113 return subPhases
114 }具体生成的相关证书逻辑。加上上面的SA。共同组成了kubernetes的所有证书。
208 func GetDefaultCertList() Certificates {
209 return Certificates{
210 &KubeadmCertRootCA, //根证书
211 &KubeadmCertAPIServer, // apiserver的认证证书
212 &KubeadmCertKubeletClient, // kublete clietn的证书
213 // Front Proxy certs
214 &KubeadmCertFrontProxyCA, //前置proxy的证书
215 &KubeadmCertFrontProxyClient, //前置proxy client的证书
216 // etcd certs
217 &KubeadmCertEtcdCA, // etcd 的认证文件
218 &KubeadmCertEtcdServer, // etcd服务的认证文件
219 &KubeadmCertEtcdPeer, // etcd之间交互的认证文件
220 &KubeadmCertEtcdHealthcheck, //etcd 健康监测的认证文件
221 &KubeadmCertEtcdAPIClient, //etcd提供给api 的客户端认证文件
222 }
223 }二、各个证书的生成逻辑
2.1 KubeadmCertRootCA
相关的对象片段:
239 KubeadmCertRootCA = KubeadmCert{
240 Name: "ca",
241 LongName: "self-signed Kubernetes CA to provision identities for other Kubernetes components",
242 BaseName: kubeadmconstants.CACertAndKeyBaseName,
243 config: pkiutil.CertConfig{
244 Config: certutil.Config{
245 CommonName: "kubernetes",
246 },
247 },
248 }2.2 KubeadmCertAPIServer
249 // KubeadmCertAPIServer is the definition of the cert used to serve the Kubernetes API.
250 KubeadmCertAPIServer = KubeadmCert{
251 Name: "apiserver",
252 LongName: "certificate for serving the Kubernetes API",
253 BaseName: kubeadmconstants.APIServerCertAndKeyBaseName,
254 CAName: "ca",
255 config: pkiutil.CertConfig{
256 Config: certutil.Config{
257 CommonName: kubeadmconstants.APIServerCertCommonName,
258 Usages: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
259 },
260 },
261 configMutators: []configMutatorsFunc{
262 makeAltNamesMutator(pkiutil.GetAPIServerAltNames),
263 },
264 }2.3 KubeadmCertKubeletClient
265 // KubeadmCertKubeletClient is the definition of the cert used by the API server to access the kubelet.
266 KubeadmCertKubeletClient = KubeadmCert{
267 Name: "apiserver-kubelet-client",
268 LongName: "certificate for the API server to connect to kubelet",
269 BaseName: kubeadmconstants.APIServerKubeletClientCertAndKeyBaseName,
270 CAName: "ca",
271 config: pkiutil.CertConfig{
272 Config: certutil.Config{
273 CommonName: kubeadmconstants.APIServerKubeletClientCertCommonName,
274 Organization: []string{kubeadmconstants.SystemPrivilegedGroup},
275 Usages: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth},
276 },
277 },
278 }2.4 KubeadmCertFrontProxyCA
280 // KubeadmCertFrontProxyCA is the definition of the CA used for the front end proxy.
281 KubeadmCertFrontProxyCA = KubeadmCert{
282 Name: "front-proxy-ca",
283 LongName: "self-signed CA to provision identities for front proxy",
284 BaseName: kubeadmconstants.FrontProxyCACertAndKeyBaseName,
285 config: pkiutil.CertConfig{
286 Config: certutil.Config{
287 CommonName: "front-proxy-ca",
288 },
289 },
290 }2.5 KubeadmCertFrontProxyClient
293 KubeadmCertFrontProxyClient = KubeadmCert{
294 Name: "front-proxy-client",
295 BaseName: kubeadmconstants.FrontProxyClientCertAndKeyBaseName,
296 LongName: "certificate for the front proxy client",
297 CAName: "front-proxy-ca",
298 config: pkiutil.CertConfig{
299 Config: certutil.Config{
300 CommonName: kubeadmconstants.FrontProxyClientCertCommonName,
301 Usages: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth},
302 },
303 },
304 }2.6 KubeadmCertEtcdCA
06 // KubeadmCertEtcdCA is the definition of the root CA used by the hosted etcd server.
307 KubeadmCertEtcdCA = KubeadmCert{
308 Name: "etcd-ca",
309 LongName: "self-signed CA to provision identities for etcd",
310 BaseName: kubeadmconstants.EtcdCACertAndKeyBaseName,
311 config: pkiutil.CertConfig{
312 Config: certutil.Config{
313 CommonName: "etcd-ca",
314 },
315 },
316 }2.7 KubeadmCertEtcdServer
317 // KubeadmCertEtcdServer is the definition of the cert used to serve etcd to clients.
318 KubeadmCertEtcdServer = KubeadmCert{
319 Name: "etcd-server",
320 LongName: "certificate for serving etcd",
321 BaseName: kubeadmconstants.EtcdServerCertAndKeyBaseName,
322 CAName: "etcd-ca",
323 config: pkiutil.CertConfig{
324 Config: certutil.Config{
325 // TODO: etcd 3.2 introduced an undocumented requirement for ClientAuth usage on the
326 // server cert: https://github.com/coreos/etcd/issues/9785#issuecomment-396715692
327 // Once the upstream issue is resolved, this should be returned to only allowing
328 // ServerAuth usage.
329 Usages: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth, x509.ExtKeyUsageClientAuth},
330 },
331 },
332 configMutators: []configMutatorsFunc{
333 makeAltNamesMutator(pkiutil.GetEtcdAltNames),
334 setCommonNameToNodeName(),
335 },
336 }2.8 KubeadmCertEtcdPeer
337 // KubeadmCertEtcdPeer is the definition of the cert used by etcd peers to access each other.
338 KubeadmCertEtcdPeer = KubeadmCert{
339 Name: "etcd-peer",
340 LongName: "certificate for etcd nodes to communicate with each other",
341 BaseName: kubeadmconstants.EtcdPeerCertAndKeyBaseName,
342 CAName: "etcd-ca",
343 config: pkiutil.CertConfig{
344 Config: certutil.Config{
345 Usages: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth, x509.ExtKeyUsageClientAuth},
346 },
347 },
348 configMutators: []configMutatorsFunc{
349 makeAltNamesMutator(pkiutil.GetEtcdPeerAltNames),
350 setCommonNameToNodeName(),
351 },
352 }2.9 KubeadmCertEtcdHealthcheck
353 // KubeadmCertEtcdHealthcheck is the definition of the cert used by Kubernetes to check the health of the etcd server.
354 KubeadmCertEtcdHealthcheck = KubeadmCert{
355 Name: "etcd-healthcheck-client",
356 LongName: "certificate for liveness probes to healthcheck etcd",
357 BaseName: kubeadmconstants.EtcdHealthcheckClientCertAndKeyBaseName,
358 CAName: "etcd-ca",
359 config: pkiutil.CertConfig{
360 Config: certutil.Config{
361 CommonName: kubeadmconstants.EtcdHealthcheckClientCertCommonName,
362 Organization: []string{kubeadmconstants.SystemPrivilegedGroup},
363 Usages: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth},
364 },
365 },
366 }2.10 KubeadmCertEtcdAPIClient
367 // KubeadmCertEtcdAPIClient is the definition of the cert used by the API server to access etcd.
368 KubeadmCertEtcdAPIClient = KubeadmCert{
369 Name: "apiserver-etcd-client",
370 LongName: "certificate the apiserver uses to access etcd",
371 BaseName: kubeadmconstants.APIServerEtcdClientCertAndKeyBaseName,
372 CAName: "etcd-ca",
373 config: pkiutil.CertConfig{
374 Config: certutil.Config{
375 CommonName: kubeadmconstants.APIServerEtcdClientCertCommonName,
376 Organization: []string{kubeadmconstants.SystemPrivilegedGroup},
377 Usages: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth},
378 },
379 },
380 }三、生成证书的实现函数
3.1 runCAPhase 生成CA证书
216 func runCAPhase(ca *certsphase.KubeadmCert) func(c workflow.RunData) error {
217 return func(c workflow.RunData) error {
218 data, ok := c.(InitData)
219 if !ok {
220 return errors.New("certs phase invoked with an invalid data struct")
221 }
222
223 // if using external etcd, skips etcd certificate authority generation
224 if data.Cfg().Etcd.External != nil && ca.Name == "etcd-ca" {
225 fmt.Printf("[certs] External etcd mode: Skipping %s certificate authority generation\n", ca.BaseName)
226 return nil
227 }
228
229 if _, err := pkiutil.TryLoadCertFromDisk(data.CertificateDir(), ca.BaseName); err == nil {
230 if _, err := pkiutil.TryLoadKeyFromDisk(data.CertificateDir(), ca.BaseName); err == nil {
231 fmt.Printf("[certs] Using existing %s certificate authority\n", ca.BaseName)
232 return nil
233 }
234 fmt.Printf("[certs] Using existing %s keyless certificate authority\n", ca.BaseName)
235 return nil
236 }
237
238 // if dryrunning, write certificates authority to a temporary folder (and defer restore to the path originally specified by the user)
239 cfg := data.Cfg()
240 cfg.CertificatesDir = data.CertificateWriteDir()
241 defer func() { cfg.CertificatesDir = data.CertificateDir() }()
242
243 // create the new certificate authority (or use existing)
244 return certsphase.CreateCACertAndKeyFiles(ca, cfg)
245 }
246 }3.2 runCertPhase 生成其他证书
248 func runCertPhase(cert *certsphase.KubeadmCert, caCert *certsphase.KubeadmCert) func(c workflow.RunData) error {
249 return func(c workflow.RunData) error {
250 data, ok := c.(InitData)
251 if !ok {
252 return errors.New("certs phase invoked with an invalid data struct")
253 }
254
255 // if using external etcd, skips etcd certificates generation
256 if data.Cfg().Etcd.External != nil && cert.CAName == "etcd-ca" {
257 fmt.Printf("[certs] External etcd mode: Skipping %s certificate generation\n", cert.BaseName)
258 return nil
259 }
260
261 if certData, _, err := pkiutil.TryLoadCertAndKeyFromDisk(data.CertificateDir(), cert.BaseName); err == nil {
262 caCertData, err := pkiutil.TryLoadCertFromDisk(data.CertificateDir(), caCert.BaseName)
263 if err != nil {
264 return errors.Wrapf(err, "couldn't load CA certificate %s", caCert.Name)
265 }
266
267 if err := certData.CheckSignatureFrom(caCertData); err != nil {
268 return errors.Wrapf(err, "[certs] certificate %s not signed by CA certificate %s", cert.BaseName, caCert.BaseName)
269 }
270
271 fmt.Printf("[certs] Using existing %s certificate and key on disk\n", cert.BaseName)
272 return nil
273 }
274
275 if csrOnly {
276 fmt.Printf("[certs] Generating CSR for %s instead of certificate\n", cert.BaseName)
277 if csrDir == "" {
278 csrDir = data.CertificateWriteDir()
279 }
280
281 return certsphase.CreateCSR(cert, data.Cfg(), csrDir)
282 }
283
284 // if dryrunning, write certificates to a temporary folder (and defer restore to the path originally specified by the user)
285 cfg := data.Cfg()
286 cfg.CertificatesDir = data.CertificateWriteDir()
287 defer func() { cfg.CertificatesDir = data.CertificateDir() }()
288
289 // create the new certificate (or use existing)
290 return certsphase.CreateCertAndKeyFilesWithCA(cert, caCert, cfg)
291 }
292 }kubadm运行逻辑——init-certs证书的生成与创建相关推荐
- Android签名证书的生成
本节只针对如何从零开始实现简单的打包签名 目录 概要 Keytool生成JKS签名证书 Android Studio生成JKS签名证书 AS版本信息 签名证书的生成 签名打包 概要 debug.key ...
- java apk签名证书_Android签名证书的生成
本节只针对如何从零开始实现简单的打包签名 概要 debug.keystore:使用Android Studio直接编译运行时默认使用的签名证书,存放路径C:\Users.android app-deb ...
- Window+Java环境证书生成说明,pfx证书已经生成
Window+Java环境证书生成说明 阅读说明:给具备基本开发能力的人提供自制证书的生成步骤,证书属于敏感信息,生产证书请勿泄漏. 前置条件:Windows系统.JDK1.6以上版本.java编译工 ...
- 生成自签名证书:生成证书和秘钥
生成证书和秘钥 简单生成的方法: 1.mkdir /certs 2.cd /certs 3.生成自签名证书 sudo openssl req -newkey rsa:2048 -new -node ...
- 签名证书(.keystore)生成指南
签名证书(.keystore)生成指南 1.window电脑生成指南 1)安装JRE环境(推荐使用JRE8环境,如已有可跳过) 2)生成签名证书 使用keytool -genkey命令生成 ...
- PowerApps教程02-了解软件运行逻辑
一.回顾 上次我们讲述了如何创建我们的第一个App,那么今天我们就来熟悉这个软件的一些基本信息和概念,以及它的运行逻辑,那么学完今天的课程,理论上你就可以开始你自己的软件开发之路了. 二.如何打开我的 ...
- Android平台签名证书(.keystore)生成指南
来源:https://ask.dcloud.net.cn/article/35777 Android平台签名证书(.keystore)生成指南 分类:HTML5+ Android证书 Android平 ...
- 苹果开发者平台-《测试证书》生成流程
前言:想在苹果设备上测试开发好的IOS程序或者上传应用程序到APP STORE都需要在苹果开发者平台中生成证书 这里讲解测试证书的生成并在xcode上运行应用程序到真机上 1.首先注册苹果开发者账号( ...
- Android平台签名证书(.keystore)生成
1.简介 Android平台打包发布apk应用,需要使用数字证书(.keystore文件)进行签名,用于表明开发者身份. Android证书的生成是自助和免费的,不需要审批或付费. 可以使用JRE环境 ...
- 「移动端」Android平台签名证书(.keystore)生成指南
前些天发现了一个巨牛的人工智能学习网站,通俗易懂,风趣幽默,忍不住分享一下给大家.点击跳转到网站.→传送门 本文主要介绍Android平台签名证书(.keystore)生成指南 Android平台打包 ...
最新文章
- ROS必须理解的概念
- 关于appcan自动升级功能
- 我是清华新任教授张亚勤,现在只想做成这一件事
- fastjson 1.1.71.android 版本发布,优化部分场景性能
- 1加6投屏_今天说说投屏那点事,建议大家选购投屏器,要关注这些点
- Winform控件扩展
- Java弱引用(WeakReference)的理解与使用
- Spark源码剖析(一):如何将spark源码导入到IDEA中
- 【软件项目管理】用例分析方法采用一种面向对象的情景分析方法
- 内置对象 API Math对象、Data对象、Array对象、String对象
- 原始LBP算法 代码
- 人工智能|人工智能语音识别系统的重要性
- 计算机网络2021题库
- PT100铂电阻温度传感器详解
- ES6---数组的spread扩展运算符
- The server encountered an unexpected condition that prevented it from fulfilling the request
- 软件测试周刊(第12期):程序员在晋升之后会发生什么?
- uni-app 中如何打开外部应用,如:浏览器、淘宝、京东、微博等
- 【C语言】三子棋(智能下棋 + 阻拦玩家)
- C#代码CRUD操作MySQL数据库
热门文章
- CTF比赛中关于zip的总结
- 单片机c语言控制直流电机转速,一个用单片机控制直流电机的PWM调速程序
- 求cosx计算公式 【问题描述】 已知cosx的近似计算公式如下: cosx = 1 - x2/2! + x4/4! - x6/6! + ... + (-1)nx2n/(2n)!
- 下雪软件_Excel下雪天
- 各行各业,各种资源,淘宝售卖的各种资料,全部分享了 !
- Android应用程序开发(第三版)-课后习题解答
- 2021年安全员-C证(安徽省)考试试卷及安全员-C证(安徽省)试题及解析
- 用计算机弹出记事本,为何电脑开机会弹出desktop的记事本出来的
- 大数据hadoop培训总结
- SQL语言入门学习,这一篇就够了