Class: Porkadot::Assets::Certs::Kubernetes

Inherits:

Object

• Object
• Porkadot::Assets::Certs::Kubernetes

Includes:

Porkadot::Assets::CertsUtils

Defined in:

lib/porkadot/assets/certs/k8s.rb

Instance Attribute Summary

• #config ⇒ Object readonly

  Returns the value of attribute config.

• #global_config ⇒ Object readonly

  Returns the value of attribute global_config.

• #logger ⇒ Object readonly

  Returns the value of attribute logger.

Instance Method Summary

• #_apiserver_cert(path, client_key, ca_cert, ca_key) ⇒ Object
• #apiserver_cert(refresh = false) ⇒ Object
• #apiserver_key ⇒ Object
• #ca_name ⇒ Object
• #client_name ⇒ Object
• #initialize(global_config) ⇒ Kubernetes constructor

  A new instance of Kubernetes.

• #kubelet_client_cert(refresh = false) ⇒ Object
• #kubelet_client_key ⇒ Object
• #sa_private_key ⇒ Object
• #sa_public_key ⇒ Object

Methods included from Porkadot::Assets::CertsUtils

#_ca_cert, #_client_cert, #ca_cert, #ca_key, #client_cert, #client_key, #private_key, #public_key, #random_number, #to_base64, #to_pem, #unsigned_cert

Constructor Details

#initialize(global_config) ⇒ Kubernetes

Returns a new instance of Kubernetes.

# File 'lib/porkadot/assets/certs/k8s.rb', line 8

def initialize global_config
  @config = Porkadot::Configs::Certs::Kubernetes.new(global_config)
  @logger = config.logger
  @global_config = config.config
end

Instance Attribute Details

#config ⇒ Object (readonly)

Returns the value of attribute config.

# File 'lib/porkadot/assets/certs/k8s.rb', line 5

def config
  @config
end

#global_config ⇒ Object (readonly)

Returns the value of attribute global_config.

# File 'lib/porkadot/assets/certs/k8s.rb', line 4

def global_config
  @global_config
end

#logger ⇒ Object (readonly)

Returns the value of attribute logger.

# File 'lib/porkadot/assets/certs/k8s.rb', line 6

def logger
  @logger
end

Instance Method Details

#_apiserver_cert(path, client_key, ca_cert, ca_key) ⇒ Object

# File 'lib/porkadot/assets/certs/k8s.rb', line 70

def _apiserver_cert(path, client_key, ca_cert, ca_key)
  cert = unsigned_cert('/CN=apiserver', client_key, ca_cert, 1 * 365 * 24 * 60 * 60)

  ef = OpenSSL::X509::ExtensionFactory.new
  ef.subject_certificate = cert
  ef.issuer_certificate = ca_cert
  cert.add_extension(ef.create_extension("basicConstraints","CA:FALSE",true))
  cert.add_extension(ef.create_extension("keyUsage","nonRepudiation, digitalSignature, keyEncipherment", true))
  cert.add_extension(ef.create_extension("extendedKeyUsage","clientAuth, serverAuth",true))

  cert.add_extension(ef.create_extension("subjectAltName", self.config.additional_sans.join(','), true))
  cert.sign(ca_key, OpenSSL::Digest::SHA256.new)

  File.open path, 'wb' do |f|
    f.write cert.to_pem
  end

  return cert
end

#apiserver_cert(refresh = false) ⇒ Object

# File 'lib/porkadot/assets/certs/k8s.rb', line 27

def apiserver_cert(refresh=false)
  return @apiserver_cert if defined?(@apiserver_cert)
  if File.file?(config.apiserver_cert_path) and !refresh
    self.logger.debug("--> APIserver cert already exists, skipping: #{config.apiserver_cert_path}")
    @apiserver_cert = OpenSSL::X509::Certificate.new(File.read(config.apiserver_cert_path))
  else
    @apiserver_cert = _apiserver_cert(config.apiserver_cert_path, self.apiserver_key, self.ca_cert, self.ca_key)
  end
  return @apiserver_cert
end

#apiserver_key ⇒ Object

# File 'lib/porkadot/assets/certs/k8s.rb', line 22

def apiserver_key
  @apiserver_key ||= private_key(config.apiserver_key_path)
  return @apiserver_key
end

#ca_name ⇒ Object

# File 'lib/porkadot/assets/certs/k8s.rb', line 14

def ca_name
  '/CN=kube-ca'
end

#client_name ⇒ Object

# File 'lib/porkadot/assets/certs/k8s.rb', line 18

def client_name
  '/O=system:masters/CN=admin'
end

#kubelet_client_cert(refresh = false) ⇒ Object

# File 'lib/porkadot/assets/certs/k8s.rb', line 43

def kubelet_client_cert(refresh=false)
  return @kubelet_client_cert if defined?(@kubelet_client_cert)
  if File.file?(config.kubelet_client_cert_path) and !refresh
    self.logger.debug("--> Kubelet client cert already exists, skipping: #{config.kubelet_client_cert_path}")
    @kubelet_client_cert = OpenSSL::X509::Certificate.new(File.read(config.kubelet_client_cert_path))
  else
    @kubelet_client_cert = _client_cert(
      config.kubelet_client_cert_path,
      '/O=system:masters/CN=kube-kubelet-client',
      self.kubelet_client_key,
      self.ca_cert(false),
      self.ca_key
    )
  end
  return @kubelet_client_cert
end

#kubelet_client_key ⇒ Object

# File 'lib/porkadot/assets/certs/k8s.rb', line 38

def kubelet_client_key
  @kubelet_client_key ||= private_key(config.kubelet_client_key_path)
  return @kubelet_client_key
end

#sa_private_key ⇒ Object

# File 'lib/porkadot/assets/certs/k8s.rb', line 60

def sa_private_key
  @sa_private_key ||= private_key(config.sa_private_key_path)
  return @sa_private_key
end

#sa_public_key ⇒ Object

# File 'lib/porkadot/assets/certs/k8s.rb', line 65

def sa_public_key
  @sa_public_key ||= public_key(config.sa_public_key_path, self.sa_private_key)
  return @sa_public_key
end