Gitiles
Code Review Sign In
gerrit-dev.monogon.dev / monogon / 52304a8aa84604846e316e28c955b67e68c52f34 / . / metropolis / node / kubernetes / pki / kubernetes.go
blob: 0c795f22732676da3fda1081f7ca4fb9a85b9291 [file] [log] [blame]
Serge Bazanskidbfc6382020-06-19 20:35:43 +0200[diff] [blame]1// Copyright 2020 The Monogon Project Authors.
2//
3// SPDX-License-Identifier: Apache-2.0
4//
5// Licensed under the Apache License, Version 2.0 (the "License");
6// you may not use this file except in compliance with the License.
7// You may obtain a copy of the License at
8//
9// http://www.apache.org/licenses/LICENSE-2.0
10//
11// Unless required by applicable law or agreed to in writing, software
12// distributed under the License is distributed on an "AS IS" BASIS,
13// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
14// See the License for the specific language governing permissions and
15// limitations under the License.
16
Serge Bazanski9411f7c2021-03-10 13:12:53 +0100[diff] [blame]17// package pki builds upon metropolis/pkg/pki/ to provide an
18// etcd-backed implementation of all x509 PKI Certificates/CAs required to run
19// Kubernetes.
20// Most elements of the PKI are 'static' long-standing certificates/credentials
21// stored within etcd. However, this package also provides a method to generate
22// 'volatile' (in-memory) certificates/credentials for per-node Kubelets and
23// any client certificates.
Serge Bazanskidbfc6382020-06-19 20:35:43 +0200[diff] [blame]24package pki
25
26import (
27 "context"
28 "crypto/rand"
29 "crypto/rsa"
30 "crypto/x509"
31 "encoding/pem"
32 "fmt"
33 "net"
34
Serge Bazanskidbfc6382020-06-19 20:35:43 +0200[diff] [blame]35 "go.etcd.io/etcd/clientv3"
36 "k8s.io/client-go/tools/clientcmd"
37 configapi "k8s.io/client-go/tools/clientcmd/api"
38
Serge Bazanski31370b02021-01-07 16:31:14 +0100[diff] [blame]39 common "source.monogon.dev/metropolis/node"
40 "source.monogon.dev/metropolis/pkg/logtree"
Serge Bazanski9411f7c2021-03-10 13:12:53 +0100[diff] [blame]41 opki "source.monogon.dev/metropolis/pkg/pki"
Serge Bazanskidbfc6382020-06-19 20:35:43 +0200[diff] [blame]42)
43
Serge Bazanski9411f7c2021-03-10 13:12:53 +0100[diff] [blame]44// KubeCertificateName is an enum-like unique name of a static Kubernetes
45// certificate. The value of the name is used as the unique part of an etcd
46// path where the certificate and key are stored.
Serge Bazanskidbfc6382020-06-19 20:35:43 +0200[diff] [blame]47type KubeCertificateName string
48
49const (
50 // The main Kubernetes CA, used to authenticate API consumers, and servers.
51 IdCA KubeCertificateName = "id-ca"
52
53 // Kubernetes apiserver server certificate.
54 APIServer KubeCertificateName = "apiserver"
55
Serge Bazanski9411f7c2021-03-10 13:12:53 +0100[diff] [blame]56 // APIServer client certificate used to authenticate to kubelets.
57 APIServerKubeletClient KubeCertificateName = "apiserver-kubelet-client"
Serge Bazanskidbfc6382020-06-19 20:35:43 +0200[diff] [blame]58
Serge Bazanski216fe7b2021-05-21 18:36:16 +0200[diff] [blame]59 // Kubernetes Controller manager client certificate, used to authenticate
60 // to the apiserver.
Serge Bazanskidbfc6382020-06-19 20:35:43 +0200[diff] [blame]61 ControllerManagerClient KubeCertificateName = "controller-manager-client"
Serge Bazanski216fe7b2021-05-21 18:36:16 +0200[diff] [blame]62 // Kubernetes Controller manager server certificate, used to run its HTTP
63 // server.
Serge Bazanskidbfc6382020-06-19 20:35:43 +0200[diff] [blame]64 ControllerManager KubeCertificateName = "controller-manager"
65
66 // Kubernetes Scheduler client certificate, used to authenticate to the apiserver.
67 SchedulerClient KubeCertificateName = "scheduler-client"
68 // Kubernetes scheduler server certificate, used to run its HTTP server.
69 Scheduler KubeCertificateName = "scheduler"
70
Serge Bazanski216fe7b2021-05-21 18:36:16 +0200[diff] [blame]71 // Root-on-kube (system:masters) client certificate. Used to control the
72 // apiserver (and resources) by Metropolis internally.
Serge Bazanskidbfc6382020-06-19 20:35:43 +0200[diff] [blame]73 Master KubeCertificateName = "master"
74
75 // OpenAPI Kubernetes Aggregation CA.
Serge Bazanski216fe7b2021-05-21 18:36:16 +0200[diff] [blame]76 // https://kubernetes.io/docs/tasks/extend-kubernetes/configure-aggregation-layer/#ca-reusage-and-conflicts
Serge Bazanskidbfc6382020-06-19 20:35:43 +0200[diff] [blame]77 AggregationCA KubeCertificateName = "aggregation-ca"
78 FrontProxyClient KubeCertificateName = "front-proxy-client"
79)
80
81const (
Serge Bazanski9411f7c2021-03-10 13:12:53 +0100[diff] [blame]82 // etcdPrefix is where all the PKI data is stored in etcd.
83 etcdPrefix = "/kube-pki/"
Serge Bazanski216fe7b2021-05-21 18:36:16 +0200[diff] [blame]84 // serviceAccountKeyName is the etcd path part that is used to store the
85 // ServiceAccount authentication secret. This is not a certificate, just an
86 // RSA key.
Serge Bazanskidbfc6382020-06-19 20:35:43 +0200[diff] [blame]87 serviceAccountKeyName = "service-account-privkey"
88)
89
Serge Bazanski9411f7c2021-03-10 13:12:53 +0100[diff] [blame]90// PKI manages all PKI resources required to run Kubernetes on Metropolis. It
91// contains all static certificates, which can be retrieved, or be used to
92// generate Kubeconfigs from.
93type PKI struct {
94 namespace opki.Namespace
Serge Bazanskic7359672020-10-30 16:38:57 +0100[diff] [blame]95 logger logtree.LeveledLogger
Serge Bazanskic2c7ad92020-07-13 17:20:09 +0200[diff] [blame]96 KV clientv3.KV
Serge Bazanski9411f7c2021-03-10 13:12:53 +0100[diff] [blame]97 Certificates map[KubeCertificateName]*opki.Certificate
Serge Bazanskidbfc6382020-06-19 20:35:43 +0200[diff] [blame]98}
99
Serge Bazanski9411f7c2021-03-10 13:12:53 +0100[diff] [blame]100func New(l logtree.LeveledLogger, kv clientv3.KV) *PKI {
101 pki := PKI{
102 namespace: opki.Namespaced(etcdPrefix),
Serge Bazanskidbfc6382020-06-19 20:35:43 +0200[diff] [blame]103 logger: l,
Serge Bazanskic2c7ad92020-07-13 17:20:09 +0200[diff] [blame]104 KV: kv,
Serge Bazanski9411f7c2021-03-10 13:12:53 +0100[diff] [blame]105 Certificates: make(map[KubeCertificateName]*opki.Certificate),
Serge Bazanskidbfc6382020-06-19 20:35:43 +0200[diff] [blame]106 }
107
108 make := func(i, name KubeCertificateName, template x509.Certificate) {
Serge Bazanski52538842021-08-11 16:22:41 +0200[diff] [blame]109 pki.Certificates[name] = &opki.Certificate{
110 Namespace: &pki.namespace,
111 Issuer: pki.Certificates[i],
112 Name: string(name),
113 Template: template,
114 Mode: opki.CertificateManaged,
115 }
Serge Bazanskidbfc6382020-06-19 20:35:43 +0200[diff] [blame]116 }
117
Serge Bazanski52538842021-08-11 16:22:41 +0200[diff] [blame]118 pki.Certificates[IdCA] = &opki.Certificate{
119 Namespace: &pki.namespace,
120 Issuer: opki.SelfSigned,
121 Name: string(IdCA),
122 Template: opki.CA("Metropolis Kubernetes ID CA"),
123 Mode: opki.CertificateManaged,
124 }
Serge Bazanski9411f7c2021-03-10 13:12:53 +0100[diff] [blame]125 make(IdCA, APIServer, opki.Server(
Serge Bazanskidbfc6382020-06-19 20:35:43 +0200[diff] [blame]126 []string{
127 "kubernetes",
128 "kubernetes.default",
129 "kubernetes.default.svc",
130 "kubernetes.default.svc.cluster",
131 "kubernetes.default.svc.cluster.local",
132 "localhost",
133 },
Serge Bazanski216fe7b2021-05-21 18:36:16 +0200[diff] [blame]134 // TODO(q3k): add service network internal apiserver address
135 []net.IP{{10, 0, 255, 1}, {127, 0, 0, 1}},
Serge Bazanskidbfc6382020-06-19 20:35:43 +0200[diff] [blame]136 ))
Serge Bazanski9411f7c2021-03-10 13:12:53 +0100[diff] [blame]137 make(IdCA, APIServerKubeletClient, opki.Client("metropolis:apiserver-kubelet-client", nil))
138 make(IdCA, ControllerManagerClient, opki.Client("system:kube-controller-manager", nil))
139 make(IdCA, ControllerManager, opki.Server([]string{"kube-controller-manager.local"}, nil))
140 make(IdCA, SchedulerClient, opki.Client("system:kube-scheduler", nil))
141 make(IdCA, Scheduler, opki.Server([]string{"kube-scheduler.local"}, nil))
142 make(IdCA, Master, opki.Client("metropolis:master", []string{"system:masters"}))
Serge Bazanskidbfc6382020-06-19 20:35:43 +0200[diff] [blame]143
Serge Bazanski52538842021-08-11 16:22:41 +0200[diff] [blame]144 pki.Certificates[AggregationCA] = &opki.Certificate{
145 Namespace: &pki.namespace,
146 Issuer: opki.SelfSigned,
147 Name: string(AggregationCA),
148 Template: opki.CA("Metropolis OpenAPI Aggregation CA"),
149 Mode: opki.CertificateManaged,
150 }
Serge Bazanski9411f7c2021-03-10 13:12:53 +0100[diff] [blame]151 make(AggregationCA, FrontProxyClient, opki.Client("front-proxy-client", nil))
Serge Bazanskidbfc6382020-06-19 20:35:43 +0200[diff] [blame]152
153 return &pki
154}
155
Serge Bazanski216fe7b2021-05-21 18:36:16 +0200[diff] [blame]156// EnsureAll ensures that all static certificates (and the serviceaccount key)
157// are present on etcd.
Serge Bazanski9411f7c2021-03-10 13:12:53 +0100[diff] [blame]158func (k *PKI) EnsureAll(ctx context.Context) error {
Serge Bazanskidbfc6382020-06-19 20:35:43 +0200[diff] [blame]159 for n, v := range k.Certificates {
Serge Bazanski52538842021-08-11 16:22:41 +0200[diff] [blame]160 _, err := v.Ensure(ctx, k.KV)
Serge Bazanskidbfc6382020-06-19 20:35:43 +0200[diff] [blame]161 if err != nil {
162 return fmt.Errorf("could not ensure certificate %q exists: %w", n, err)
163 }
164 }
Serge Bazanskic2c7ad92020-07-13 17:20:09 +0200[diff] [blame]165 _, err := k.ServiceAccountKey(ctx)
Serge Bazanskidbfc6382020-06-19 20:35:43 +0200[diff] [blame]166 if err != nil {
167 return fmt.Errorf("could not ensure service account key exists: %w", err)
168 }
169 return nil
170}
171
Serge Bazanski216fe7b2021-05-21 18:36:16 +0200[diff] [blame]172// Kubeconfig generates a kubeconfig blob for a given certificate name. The
173// same lifetime semantics as in .Certificate apply.
Serge Bazanski9411f7c2021-03-10 13:12:53 +0100[diff] [blame]174func (k *PKI) Kubeconfig(ctx context.Context, name KubeCertificateName) ([]byte, error) {
Serge Bazanskidbfc6382020-06-19 20:35:43 +0200[diff] [blame]175 c, ok := k.Certificates[name]
176 if !ok {
177 return nil, fmt.Errorf("no certificate %q", name)
178 }
Serge Bazanski9411f7c2021-03-10 13:12:53 +0100[diff] [blame]179 return Kubeconfig(ctx, k.KV, c)
Serge Bazanskidbfc6382020-06-19 20:35:43 +0200[diff] [blame]180}
181
Serge Bazanski216fe7b2021-05-21 18:36:16 +0200[diff] [blame]182// Certificate retrieves an x509 DER-encoded (but not PEM-wrapped) key and
183// certificate for a given certificate name.
184// If the requested certificate is volatile, it will be created on demand.
185// Otherwise it will be created on etcd (if not present), and retrieved from
186// there.
Serge Bazanski9411f7c2021-03-10 13:12:53 +0100[diff] [blame]187func (k *PKI) Certificate(ctx context.Context, name KubeCertificateName) (cert, key []byte, err error) {
Serge Bazanskidbfc6382020-06-19 20:35:43 +0200[diff] [blame]188 c, ok := k.Certificates[name]
189 if !ok {
190 return nil, nil, fmt.Errorf("no certificate %q", name)
191 }
Serge Bazanski52538842021-08-11 16:22:41 +0200[diff] [blame]192 cert, err = c.Ensure(ctx, k.KV)
193 if err != nil {
194 return
195 }
196 key, err = c.PrivateKeyX509()
197 return
Serge Bazanskidbfc6382020-06-19 20:35:43 +0200[diff] [blame]198}
199
Serge Bazanski216fe7b2021-05-21 18:36:16 +0200[diff] [blame]200// Kubeconfig generates a kubeconfig blob for this certificate. The same
201// lifetime semantics as in .Ensure apply.
Serge Bazanski9411f7c2021-03-10 13:12:53 +0100[diff] [blame]202func Kubeconfig(ctx context.Context, kv clientv3.KV, c *opki.Certificate) ([]byte, error) {
Serge Bazanskidbfc6382020-06-19 20:35:43 +0200[diff] [blame]203
Serge Bazanski52538842021-08-11 16:22:41 +0200[diff] [blame]204 cert, err := c.Ensure(ctx, kv)
Serge Bazanskidbfc6382020-06-19 20:35:43 +0200[diff] [blame]205 if err != nil {
206 return nil, fmt.Errorf("could not ensure certificate exists: %w", err)
207 }
Serge Bazanski52538842021-08-11 16:22:41 +0200[diff] [blame]208 key, err := c.PrivateKeyX509()
209 if err != nil {
210 return nil, fmt.Errorf("could not get certificate's private key: %w", err)
211 }
Serge Bazanskidbfc6382020-06-19 20:35:43 +0200[diff] [blame]212
213 kubeconfig := configapi.NewConfig()
214
215 cluster := configapi.NewCluster()
Serge Bazanski52304a82021-10-29 16:56:18 +0200[diff] [blame^]216 cluster.Server = fmt.Sprintf("https://127.0.0.1:%d", common.KubernetesAPIPort)
Serge Bazanskidbfc6382020-06-19 20:35:43 +0200[diff] [blame]217
Serge Bazanski9411f7c2021-03-10 13:12:53 +0100[diff] [blame]218 ca, err := c.Issuer.CACertificate(ctx, kv)
Serge Bazanskidbfc6382020-06-19 20:35:43 +0200[diff] [blame]219 if err != nil {
220 return nil, fmt.Errorf("could not get CA certificate: %w", err)
221 }
222 if ca != nil {
223 cluster.CertificateAuthorityData = pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: ca})
224 }
225 kubeconfig.Clusters["default"] = cluster
226
227 authInfo := configapi.NewAuthInfo()
228 authInfo.ClientCertificateData = pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: cert})
229 authInfo.ClientKeyData = pem.EncodeToMemory(&pem.Block{Type: "PRIVATE KEY", Bytes: key})
230 kubeconfig.AuthInfos["default"] = authInfo
231
232 ct := configapi.NewContext()
233 ct.Cluster = "default"
234 ct.AuthInfo = "default"
235 kubeconfig.Contexts["default"] = ct
236
237 kubeconfig.CurrentContext = "default"
238 return clientcmd.Write(*kubeconfig)
239}
240
Serge Bazanski216fe7b2021-05-21 18:36:16 +0200[diff] [blame]241// ServiceAccountKey retrieves (and possibly generates and stores on etcd) the
242// Kubernetes service account key. The returned data is ready to be used by
243// Kubernetes components (in PKIX form).
Serge Bazanski9411f7c2021-03-10 13:12:53 +0100[diff] [blame]244func (k *PKI) ServiceAccountKey(ctx context.Context) ([]byte, error) {
Serge Bazanski216fe7b2021-05-21 18:36:16 +0200[diff] [blame]245 // TODO(q3k): this should be abstracted away once we abstract away etcd
246 // access into a library with try-or-create semantics.
Serge Bazanski9411f7c2021-03-10 13:12:53 +0100[diff] [blame]247 path := fmt.Sprintf("%s%s.der", etcdPrefix, serviceAccountKeyName)
Serge Bazanskidbfc6382020-06-19 20:35:43 +0200[diff] [blame]248
249 // Try loading key from etcd.
Serge Bazanskic2c7ad92020-07-13 17:20:09 +0200[diff] [blame]250 keyRes, err := k.KV.Get(ctx, path)
Serge Bazanskidbfc6382020-06-19 20:35:43 +0200[diff] [blame]251 if err != nil {
252 return nil, fmt.Errorf("failed to get key from etcd: %w", err)
253 }
254
255 if len(keyRes.Kvs) == 1 {
256 // Certificate and key exists in etcd, return that.
257 return keyRes.Kvs[0].Value, nil
258 }
259
260 // No key found - generate one.
261 keyRaw, err := rsa.GenerateKey(rand.Reader, 2048)
262 if err != nil {
263 panic(err)
264 }
265 key, err := x509.MarshalPKCS8PrivateKey(keyRaw)
266 if err != nil {
267 panic(err) // Always a programmer error
268 }
269
270 // Save to etcd.
Serge Bazanskic2c7ad92020-07-13 17:20:09 +0200[diff] [blame]271 _, err = k.KV.Put(ctx, path, string(key))
Serge Bazanskidbfc6382020-06-19 20:35:43 +0200[diff] [blame]272 if err != nil {
273 err = fmt.Errorf("failed to write newly generated key: %w", err)
274 }
275 return key, nil
276}
Serge Bazanski9411f7c2021-03-10 13:12:53 +0100[diff] [blame]277
278// VolatileKubelet returns a pair of server/client ceritficates for the Kubelet
Serge Bazanski52538842021-08-11 16:22:41 +0200[diff] [blame]279// to use. The certificates are ephemeral, meaning they are not stored in etcd,
Serge Bazanski9411f7c2021-03-10 13:12:53 +0100[diff] [blame]280// and instead are regenerated any time this function is called.
281func (k *PKI) VolatileKubelet(ctx context.Context, name string) (server *opki.Certificate, client *opki.Certificate, err error) {
282 name = fmt.Sprintf("system:node:%s", name)
283 err = k.EnsureAll(ctx)
284 if err != nil {
Serge Bazanski52538842021-08-11 16:22:41 +0200[diff] [blame]285 return nil, nil, fmt.Errorf("could not ensure certificates exist: %w", err)
Serge Bazanski9411f7c2021-03-10 13:12:53 +0100[diff] [blame]286 }
287 kubeCA := k.Certificates[IdCA]
Serge Bazanski52538842021-08-11 16:22:41 +0200[diff] [blame]288 server = &opki.Certificate{
289 Namespace: &k.namespace,
290 Issuer: kubeCA,
291 Template: opki.Server([]string{name}, nil),
292 Mode: opki.CertificateEphemeral,
293 }
294 client = &opki.Certificate{
295 Namespace: &k.namespace,
296 Issuer: kubeCA,
297 Template: opki.Client(name, []string{"system:nodes"}),
298 Mode: opki.CertificateEphemeral,
299 }
300 return server, client, nil
Serge Bazanski9411f7c2021-03-10 13:12:53 +0100[diff] [blame]301}
302
303// VolatileClient returns a client certificate for Kubernetes clients to use.
304// The generated certificate will place the user in the given groups, and with
305// a given identiy as the certificate's CN.
306func (k *PKI) VolatileClient(ctx context.Context, identity string, groups []string) (*opki.Certificate, error) {
307 if err := k.EnsureAll(ctx); err != nil {
308 return nil, fmt.Errorf("could not ensure certificates exist: %w", err)
309 }
Serge Bazanski52538842021-08-11 16:22:41 +0200[diff] [blame]310 return &opki.Certificate{
311 Namespace: &k.namespace,
312 Issuer: k.Certificates[IdCA],
313 Template: opki.Client(identity, groups),
314 Mode: opki.CertificateEphemeral,
315 }, nil
Serge Bazanski9411f7c2021-03-10 13:12:53 +0100[diff] [blame]316}