def create_ssh_keypair(self):
"""Generates a keypair for the first master node.
The master node needs a keypair which is uploaded to OpenStack. This
keypair is then used for adding master nodes to the cluster.
This key pair is also added as a secret to the master-adder-pod.
Returns:
An OpenStack keypair.
"""
ssh_key = create_key()
pub_key_ascii = ssh_key.public_key().public_bytes(
serialization.Encoding.OpenSSH,
serialization.PublicFormat.OpenSSH).decode()
try:
self.info.conn.compute.create_keypair(name=self.info.name,
public_key=pub_key_ascii)
except openstack.exceptions.ConflictException:
self.info.conn.compute.delete_keypair(self.info.name)
self.info.conn.compute.create_keypair(name=self.info.name,
public_key=pub_key_ascii)
return ssh_key
def test_first_master(ci_first_master):
ci = ci_first_master
assert ci is not None
with pytest.raises(ValueError):
ci = FirstMasterInit(create_key(),
CERTS['ca'],
CLOUD_CONFIG,
koris_env={})
def create_certs(self):
"""Create a CA and client cert for Dex.
Will first create a CA bundle, then use this to sign a client certificate.
The Client cert will have the following Key Usage parameters: Digital Signature,
Content Commitment, Key Encipherment.
Will also set the attributes ``ca_bundle`` and ``client_bundle``.
Returns:
Tuple consisting of root CA bundle and cert bundle
"""
if not self.issuer:
raise ValidationError("dex certificates needs an issuer")
dex_ca_key = create_key()
key_usage = [
False, False, False, False, False, False, False, False, False
]
dex_ca = create_ca(dex_ca_key,
dex_ca_key.public_key(),
"DE",
"BY",
"NUE",
"Kubernetes",
"dex",
"kube-ca",
key_usage=key_usage)
dex_ca_bundle = CertBundle(dex_ca_key, dex_ca)
if is_ip(self.issuer):
hosts, ips = "", [self.issuer]
else:
hosts, ips = [self.issuer], ""
# digital_signature, content_commitment, key_encipherment
key_usage = [
True, True, True, False, False, False, False, False, False
]
dex_client_bundle = CertBundle.create_signed(dex_ca_bundle,
"DE",
"BY",
"NUE",
"Kubernetes",
"dex-client",
"kube-ca",
hosts=hosts,
ips=ips,
key_usage=key_usage)
self.ca_bundle = dex_ca_bundle
self.client_bundle = dex_client_bundle
return dex_ca_bundle, dex_client_bundle
def create_etcd_certs(names, ips):
"""create certificated for dummy servers"""
_key = create_key(size=2048)
_ca = create_ca(_key, _key.public_key(), "DE", "BY", "NUE", "Kubernetes",
"CDA-PI", "kubernetes")
ca_bundle = CertBundle(_key, _ca)
api_etcd_client = CertBundle.create_signed(
ca_bundle=ca_bundle,
country="", # country
state="", # state
locality="", # locality
orga="system:masters", # orga
unit="", # unit
name="kube-apiserver-etcd-client",
hosts=[],
ips=[])
for host, ip in zip(names, ips):
peer = CertBundle.create_signed(
ca_bundle,
"", # country
"", # state
"", # locality
"", # orga
"", # unit
"kubernetes", # name
[host, 'localhost', host],
[ip, '127.0.0.1', ip])
server = CertBundle.create_signed(
ca_bundle,
"", # country
"", # state
"", # locality
"", # orga
"", # unit
host, # name CN
[host, 'localhost', host],
[ip, '127.0.0.1', ip])
yield {'%s-server' % host: server, '%s-peer' % host: peer}
yield {'apiserver-etcd-client': api_etcd_client}
yield {'etcd_ca': ca_bundle}
def create_ca():
"""create a self signed CA"""
_key = create_key(size=2048)
_ca = create_ca(_key, _key.public_key(), "DE", "BY", "NUE",
"Kubernetes", "CDA-RT", "kubernetes-ca")
return CertBundle(_key, _ca)
def ci_nth_master():
ci = NthMasterInit(CLOUD_CONFIG, create_key(), koris_env={"a": "b"})
return ci
def ci_first_master():
ci = FirstMasterInit(create_key(),
CERTS['ca'],
CLOUD_CONFIG,
koris_env={"a": "b"})
return ci
import os
from koris.ssl import CertBundle, create_key, create_ca
parser = argparse.ArgumentParser(description='create ssl certs + keys for etcd')
parser.add_argument('--ips', metavar='ips', type=str, nargs='+',
help='the ips')
parser.add_argument('--hosts', metavar='hosts', type=str, nargs='+',
help='the host names')
args = parser.parse_args()
# create a self signed ca
key = create_key(size=2048)
ca = create_ca(key, key.public_key(),
"DE", "BY", "NUE", "Kubernetes", "CDA-PI",
"kubernetes")
ca_bundle = CertBundle(key, ca)
# create a self signed ca for etcd
etcd_key = create_key(size=2048)
etcd_ca = create_ca(key, key.public_key(),
"DE", "BY", "NUE", "Kubernetes", "CDA-PI",
"kubernetes")
ca_bundle = CertBundle(key, ca)
etcd_ca_bundle = CertBundle(etcd_key, etcd_ca)