Create internal package for joinservice

2025-05-04 23:35:11 -04:00 · 2022-07-05 13:42:07 +02:00 · 2022-07-05 13:42:07 +02:00 · 2083d37b11
commit 2083d37b11
parent 43eb94b6dc
10 changed files with 25 additions and 33 deletions
--- a/joinservice/kubernetesca/kubernetesca.go
+++ b/joinservice/kubernetesca/kubernetesca.go
@ -1,119 +0,0 @@
-package kubernetesca
-
-import (
-	"crypto/ecdsa"
-	"crypto/elliptic"
-	"crypto/rand"
-	"crypto/x509"
-	"crypto/x509/pkix"
-	"encoding/pem"
-	"fmt"
-	"time"
-
-	"github.com/edgelesssys/constellation/bootstrapper/util"
-	"github.com/edgelesssys/constellation/internal/file"
-	"github.com/edgelesssys/constellation/internal/logger"
-)
-
-const (
-	caCertFilename = "/etc/kubernetes/pki/ca.crt"
-	caKeyFilename  = "/etc/kubernetes/pki/ca.key"
-)
-
-// KubernetesCA handles signing of certificates using the Kubernetes root CA.
-type KubernetesCA struct {
-	log  *logger.Logger
-	file file.Handler
-}
-
-// New creates a new KubernetesCA.
-func New(log *logger.Logger, fileHandler file.Handler) *KubernetesCA {
-	return &KubernetesCA{
-		log:  log,
-		file: fileHandler,
-	}
-}
-
-// GetCertificate creates a certificate for a node and signs it using the Kubernetes root CA.
-func (c KubernetesCA) GetCertificate(nodeName string) (cert []byte, key []byte, err error) {
-	c.log.Debugf("Loading Kubernetes CA certificate")
-	parentCertRaw, err := c.file.Read(caCertFilename)
-	if err != nil {
-		return nil, nil, err
-	}
-	parentCertPEM, _ := pem.Decode(parentCertRaw)
-	parentCert, err := x509.ParseCertificate(parentCertPEM.Bytes)
-	if err != nil {
-		return nil, nil, err
-	}
-
-	c.log.Debugf("Loading Kubernetes CA private key")
-	parentKeyRaw, err := c.file.Read(caKeyFilename)
-	if err != nil {
-		return nil, nil, err
-	}
-	parentKeyPEM, _ := pem.Decode(parentKeyRaw)
-	var parentKey any
-	switch parentKeyPEM.Type {
-	case "EC PRIVATE KEY":
-		parentKey, err = x509.ParseECPrivateKey(parentKeyPEM.Bytes)
-	case "RSA PRIVATE KEY":
-		parentKey, err = x509.ParsePKCS1PrivateKey(parentKeyPEM.Bytes)
-	case "PRIVATE KEY":
-		parentKey, err = x509.ParsePKCS8PrivateKey(parentKeyPEM.Bytes)
-	default:
-		return nil, nil, fmt.Errorf("unsupported key type %q", parentCertPEM.Type)
-	}
-	if err != nil {
-		return nil, nil, err
-	}
-
-	c.log.Infof("Creating kubelet private key")
-	privK, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
-	if err != nil {
-		return nil, nil, err
-	}
-	keyBytes, err := x509.MarshalECPrivateKey(privK)
-	if err != nil {
-		return nil, nil, err
-	}
-	kubeletKey := pem.EncodeToMemory(&pem.Block{
-		Type:  "EC PRIVATE KEY",
-		Bytes: keyBytes,
-	})
-
-	c.log.Infof("Creating kubelet certificate")
-	serialNumber, err := util.GenerateCertificateSerialNumber()
-	if err != nil {
-		return nil, nil, err
-	}
-
-	now := time.Now()
-	// Create the kubelet certificate
-	// For a reference on the certificate fields, see: https://kubernetes.io/docs/setup/best-practices/certificates/
-	certTmpl := &x509.Certificate{
-		SerialNumber: serialNumber,
-		NotBefore:    now.Add(-2 * time.Hour),
-		NotAfter:     now.Add(24 * 365 * time.Hour),
-		Subject: pkix.Name{
-			Organization: []string{"system:nodes"},
-			CommonName:   fmt.Sprintf("system:node:%s", nodeName),
-		},
-		KeyUsage: x509.KeyUsageKeyEncipherment | x509.KeyUsageDigitalSignature,
-		ExtKeyUsage: []x509.ExtKeyUsage{
-			x509.ExtKeyUsageClientAuth,
-		},
-		IsCA:                  false,
-		BasicConstraintsValid: true,
-	}
-	certRaw, err := x509.CreateCertificate(rand.Reader, certTmpl, parentCert, &privK.PublicKey, parentKey)
-	if err != nil {
-		return nil, nil, err
-	}
-	kubeletCert := pem.EncodeToMemory(&pem.Block{
-		Type:  "CERTIFICATE",
-		Bytes: certRaw,
-	})
-
-	return kubeletCert, kubeletKey, nil
-}