Merge pull request kubernetes#77180 from fabriziopandini/renew-embedded-certs

kubeadm: renew certificates embedded in kubeconfig files

Author: k8s-ci-robot

cmd/kubeadm/app/cmd/alpha/BUILD

@@ -62,7 +62,7 @@ go_test(
     deps = [
         "//cmd/kubeadm/app/constants:go_default_library",
         "//cmd/kubeadm/app/phases/certs:go_default_library",
-        "//cmd/kubeadm/app/util/certs:go_default_library",
+        "//cmd/kubeadm/app/phases/kubeconfig:go_default_library",
         "//cmd/kubeadm/app/util/pkiutil:go_default_library",
         "//cmd/kubeadm/test:go_default_library",
         "//cmd/kubeadm/test/cmd:go_default_library",

cmd/kubeadm/app/cmd/alpha/certs.go

@@ -24,6 +24,7 @@ import (
 	kubeadmapiv1beta2 "k8s.io/kubernetes/cmd/kubeadm/app/apis/kubeadm/v1beta2"
 	"k8s.io/kubernetes/cmd/kubeadm/app/cmd/options"
 	cmdutil "k8s.io/kubernetes/cmd/kubeadm/app/cmd/util"
+	"k8s.io/kubernetes/cmd/kubeadm/app/constants"
 	kubeadmconstants "k8s.io/kubernetes/cmd/kubeadm/app/constants"
 	certsphase "k8s.io/kubernetes/cmd/kubeadm/app/phases/certs"
 	"k8s.io/kubernetes/cmd/kubeadm/app/phases/certs/renewal"
@@ -34,11 +35,17 @@ import (
 )
 
 var (
-	genericLongDesc = normalizer.LongDesc(`
+	genericCertRenewLongDesc = normalizer.LongDesc(`
 		Renew the %[1]s, and save them into %[2]s.cert and %[2]s.key files.
 
     Extra attributes such as SANs will be based on the existing certificates, there is no need to resupply them.
 `)
+	genericCertRenewEmbeddedLongDesc = normalizer.LongDesc(`
+Renew the certificate embedded in the kubeconfig file %s.
+
+Kubeconfig attributes and certificate extra attributes such as SANs will be based on the existing kubeconfig/certificates, there is no need to resupply them.
+`)
+
 	allLongDesc = normalizer.LongDesc(`
     Renew all known certificates necessary to run the control plane. Renewals are run unconditionally, regardless
     of expiration date. Renewals can also be run individually for more control.
@@ -66,7 +73,7 @@ func newCmdCertsRenewal() *cobra.Command {
 		RunE:  cmdutil.SubCmdRunE("renew"),
 	}
 
-	cmd.AddCommand(getRenewSubCommands()...)
+	cmd.AddCommand(getRenewSubCommands(kubeadmconstants.KubernetesDir)...)
 
 	return cmd
 }
@@ -80,8 +87,15 @@ type renewConfig struct {
 	csrPath        string
 }
 
-func getRenewSubCommands() []*cobra.Command {
-	cfg := &renewConfig{}
+func getRenewSubCommands(kdir string) []*cobra.Command {
+	cfg := &renewConfig{
+		cfg: kubeadmapiv1beta2.InitConfiguration{
+			ClusterConfiguration: kubeadmapiv1beta2.ClusterConfiguration{
+				// Setting kubernetes version to a default value in order to allow a not necessary internet lookup
+				KubernetesVersion: constants.CurrentKubernetesVersion.String(),
+			},
+		},
+	}
 	// Default values for the cobra help text
 	kubeadmscheme.Scheme.Default(&cfg.cfg)
 
@@ -95,9 +109,11 @@ func getRenewSubCommands() []*cobra.Command {
 		// Don't offer to renew CAs; would cause serious consequences
 		for _, cert := range certs {
 			// get the cobra.Command skeleton for this command
-			cmd := generateRenewalCommand(cert, cfg)
+			cmd := generateCertRenewalCommand(cert, cfg)
 			// get the implementation of renewing this certificate
-			renewalFunc := generateRenewalFunction(cert, caCert, cfg)
+			renewalFunc := func(cert *certsphase.KubeadmCert, caCert *certsphase.KubeadmCert) func() {
+				return func() { renewCert(cert, caCert, cfg) }
+			}(cert, caCert)
 			// install the implementation into the command
 			cmd.Run = func(*cobra.Command, []string) { renewalFunc() }
 			cmdList = append(cmdList, cmd)
@@ -106,6 +122,27 @@ func getRenewSubCommands() []*cobra.Command {
 		}
 	}
 
+	kubeconfigs := []string{
+		kubeadmconstants.AdminKubeConfigFileName,
+		kubeadmconstants.ControllerManagerKubeConfigFileName,
+		kubeadmconstants.SchedulerKubeConfigFileName,
+		//NB. we are escluding KubeletKubeConfig from renewal because management of this certificate is delegated to kubelet
+	}
+
+	for _, k := range kubeconfigs {
+		// get the cobra.Command skeleton for this command
+		cmd := generateEmbeddedCertRenewalCommand(k, cfg)
+		// get the implementation of renewing this certificate
+		renewalFunc := func(kdir, k string) func() {
+			return func() { renewEmbeddedCert(kdir, k, cfg) }
+		}(kdir, k)
+		// install the implementation into the command
+		cmd.Run = func(*cobra.Command, []string) { renewalFunc() }
+		cmdList = append(cmdList, cmd)
+		// Collect renewal functions for `renew all`
+		funcList = append(funcList, renewalFunc)
+	}
+
 	allCmd := &cobra.Command{
 		Use:   "all",
 		Short: "Renew all available certificates",
@@ -131,53 +168,100 @@ func addFlags(cmd *cobra.Command, cfg *renewConfig) {
 	cmd.Flags().BoolVar(&cfg.useAPI, "use-api", cfg.useAPI, "Use the Kubernetes certificate API to renew certificates")
 }
 
-func generateRenewalFunction(cert *certsphase.KubeadmCert, caCert *certsphase.KubeadmCert, cfg *renewConfig) func() {
-	return func() {
-		internalcfg, err := configutil.LoadOrDefaultInitConfiguration(cfg.cfgPath, &cfg.cfg)
-		kubeadmutil.CheckErr(err)
+func renewCert(cert *certsphase.KubeadmCert, caCert *certsphase.KubeadmCert, cfg *renewConfig) {
+	internalcfg, err := configutil.LoadOrDefaultInitConfiguration(cfg.cfgPath, &cfg.cfg)
+	kubeadmutil.CheckErr(err)
 
-		if cfg.useCSR {
-			path := cfg.csrPath
-			if path == "" {
-				path = cfg.cfg.CertificatesDir
-			}
-			err := certsphase.CreateCSR(cert, internalcfg, path)
-			kubeadmutil.CheckErr(err)
-			return
+	// if the renewal operation is set to generate only CSR request
+	if cfg.useCSR {
+		// trigger CSR generation in the csrPath, or if this one is missing, in the CertificateDir
+		path := cfg.csrPath
+		if path == "" {
+			path = cfg.cfg.CertificatesDir
 		}
+		err := certsphase.CreateCSR(cert, internalcfg, path)
+		kubeadmutil.CheckErr(err)
+		return
+	}
 
-		var externalCA bool
-		switch caCert.BaseName {
-		case kubeadmconstants.CACertAndKeyBaseName:
-			// Check if an external CA is provided by the user (when the CA Cert is present but the CA Key is not)
-			externalCA, _ = certsphase.UsingExternalCA(&internalcfg.ClusterConfiguration)
-		case kubeadmconstants.FrontProxyCACertAndKeyBaseName:
-			// Check if an external Front-Proxy CA is provided by the user (when the Front-Proxy CA Cert is present but the Front-Proxy CA Key is not)
-			externalCA, _ = certsphase.UsingExternalFrontProxyCA(&internalcfg.ClusterConfiguration)
-		default:
-			externalCA = false
-		}
+	// otherwise, the renewal operation has to actually renew a certificate
+
+	var externalCA bool
+	switch caCert.BaseName {
+	case kubeadmconstants.CACertAndKeyBaseName:
+		// Check if an external CA is provided by the user (when the CA Cert is present but the CA Key is not)
+		externalCA, _ = certsphase.UsingExternalCA(&internalcfg.ClusterConfiguration)
+	case kubeadmconstants.FrontProxyCACertAndKeyBaseName:
+		// Check if an external Front-Proxy CA is provided by the user (when the Front-Proxy CA Cert is present but the Front-Proxy CA Key is not)
+		externalCA, _ = certsphase.UsingExternalFrontProxyCA(&internalcfg.ClusterConfiguration)
+	default:
+		externalCA = false
+	}
 
-		if !externalCA {
-			renewer, err := getRenewer(cfg, caCert.BaseName)
-			kubeadmutil.CheckErr(err)
+	if !externalCA {
+		renewer, err := getRenewer(cfg, caCert.BaseName)
+		kubeadmutil.CheckErr(err)
 
-			err = renewal.RenewExistingCert(internalcfg.CertificatesDir, cert.BaseName, renewer)
-			kubeadmutil.CheckErr(err)
+		err = renewal.RenewExistingCert(internalcfg.CertificatesDir, cert.BaseName, renewer)
+		kubeadmutil.CheckErr(err)
+
+		fmt.Printf("Certificate %s renewed\n", cert.Name)
+		return
+	}
 
-			fmt.Printf("Certificate %s renewed\n", cert.Name)
-			return
+	fmt.Printf("Detected external %s, certificate %s can't be renewed\n", cert.CAName, cert.Name)
+}
+
+func renewEmbeddedCert(kdir, k string, cfg *renewConfig) {
+	internalcfg, err := configutil.LoadOrDefaultInitConfiguration(cfg.cfgPath, &cfg.cfg)
+	kubeadmutil.CheckErr(err)
+
+	// if the renewal operation is set to generate only CSR request
+	if cfg.useCSR {
+		// trigger CSR generation in the csrPath, or if this one is missing, in the CertificateDir
+		path := cfg.csrPath
+		if path == "" {
+			path = cfg.cfg.CertificatesDir
 		}
+		err := certsphase.CreateCSR(nil, internalcfg, path)
+		kubeadmutil.CheckErr(err)
+		return
+	}
+
+	// otherwise, the renewal operation has to actually renew a certificate
+
+	// Check if an external CA is provided by the user (when the CA Cert is present but the CA Key is not)
+	externalCA, _ := certsphase.UsingExternalCA(&internalcfg.ClusterConfiguration)
+
+	if !externalCA {
+		renewer, err := getRenewer(cfg, certsphase.KubeadmCertRootCA.BaseName)
+		kubeadmutil.CheckErr(err)
 
-		fmt.Printf("Detected external %s, certificate %s can't be renewed\n", cert.CAName, cert.Name)
+		err = renewal.RenewEmbeddedClientCert(kdir, k, renewer)
+		kubeadmutil.CheckErr(err)
+
+		fmt.Printf("Certificate embedded in %s renewed\n", k)
+		return
 	}
+
+	fmt.Printf("Detected external CA, certificate embedded in %s can't be renewed\n", k)
 }
 
-func generateRenewalCommand(cert *certsphase.KubeadmCert, cfg *renewConfig) *cobra.Command {
+func generateCertRenewalCommand(cert *certsphase.KubeadmCert, cfg *renewConfig) *cobra.Command {
 	cmd := &cobra.Command{
 		Use:   cert.Name,
-		Short: fmt.Sprintf("Generate the %s", cert.LongName),
-		Long:  fmt.Sprintf(genericLongDesc, cert.LongName, cert.BaseName),
+		Short: fmt.Sprintf("Renew the %s", cert.LongName),
+		Long:  fmt.Sprintf(genericCertRenewLongDesc, cert.LongName, cert.BaseName),
+	}
+	addFlags(cmd, cfg)
+	return cmd
+}
+
+func generateEmbeddedCertRenewalCommand(k string, cfg *renewConfig) *cobra.Command {
+	cmd := &cobra.Command{
+		Use:   k,
+		Short: fmt.Sprintf("Renew the certificate embedded in %s", k),
+		Long:  fmt.Sprintf(genericCertRenewEmbeddedLongDesc, k),
 	}
 	addFlags(cmd, cfg)
 	return cmd