generate separate keys for each certificate (#979)
Kevin Nisbet authored Dec 20, 2019
1 parent 8c47a35 commit 8516b0f
Showing 1 changed file with 14 additions and 9 deletions.
23 changes: 14 additions & 9 deletions lib/ops/opsservice/configure.go
Expand Up @@ -524,6 +524,8 @@ func (s *site) configurePlanetCertAuthority(ctx *operationContext) error {
// we have to share the same private key for various apiservers
// due to this issue:
// https://github.com/kubernetes/kubernetes/issues/11000#issuecomment-232469678
// TODO(security) separate this out to a separate secret for serviceaccounttokens
// For reference: https://github.com/kelseyhightower/kubernetes-the-hard-way/issues/248
apiServer, err := authority.GenerateCertificate(csr.CertificateRequest{
CN: constants.APIServerKeyPair,
Hosts: []string{"127.0.0.1"},
Expand Down Expand Up @@ -599,7 +601,9 @@ func (s *site) getPlanetMasterSecretsPackage(ctx *operationContext, p planetMast
return nil, trace.Wrap(err)
}

baseKeyPair, err := archive.GetKeyPair(constants.APIServerKeyPair)
// Don't rotate apiserver secrets, as this secret is currently used to authenticate service account tokens
// TODO(securty) support rotation of apiserver / serviceaccount secrets
apiserverKeyPair, err := archive.GetKeyPair(constants.APIServerKeyPair)
if err != nil {
return nil, trace.Wrap(err)
}
Expand Down Expand Up @@ -648,6 +652,8 @@ func (s *site) getPlanetMasterSecretsPackage(ctx *operationContext, p planetMast
if config.group != "" {
req.Names = []csr.Name{{O: config.group}}
}

var privateKeyPEM []byte
switch name {
case constants.APIServerKeyPair:
req.Hosts = append(req.Hosts,
Expand All @@ -673,6 +679,10 @@ func (s *site) getPlanetMasterSecretsPackage(ctx *operationContext, p planetMast
s.domainName, host}, "."))
}
}

// Don't rotate the APIServer key, the secret is currently used for validating serviceaccounttokens
// TODO(security) enable rotation of secret for apiserver/serviceaccounttokens
privateKeyPEM = apiserverKeyPair.KeyPEM
case constants.ProxyKeyPair:
req.Hosts = append(req.Hosts,
constants.APIServerDomainNameGravity,
Expand All @@ -682,7 +692,8 @@ func (s *site) getPlanetMasterSecretsPackage(ctx *operationContext, p planetMast
defaults.LograngeAggregatorServiceName,
defaults.KubeSystemNamespace)...)
}
keyPair, err := authority.GenerateCertificate(req, caKeyPair, baseKeyPair.KeyPEM, defaults.CertificateExpiry)

keyPair, err := authority.GenerateCertificate(req, caKeyPair, privateKeyPEM, defaults.CertificateExpiry)
if err != nil {
return nil, trace.Wrap(err)
}
Expand Down Expand Up @@ -749,7 +760,6 @@ func (s *site) getPlanetNodeSecretsPackage(ctx *operationContext, node *Provisio
constants.LograngeCollectorKeyPair: {},
}

var privateKeyPEM []byte
for keyName, config := range keyPairTypes {
req := csr.CertificateRequest{
Hosts: []string{constants.LoopbackIP, node.AdvertiseIP, node.Hostname},
Expand All @@ -770,15 +780,10 @@ func (s *site) getPlanetNodeSecretsPackage(ctx *operationContext, node *Provisio
if config.group != "" {
req.Names = []csr.Name{{O: config.group}}
}
keyPair, err := authority.GenerateCertificate(req, caKeyPair, privateKeyPEM, defaults.CertificateExpiry)
keyPair, err := authority.GenerateCertificate(req, caKeyPair, nil, defaults.CertificateExpiry)
if err != nil {
return nil, trace.Wrap(err)
}
// Store the private key from the first generated key pair and re-use
// it on subsequent requests to speed up certificate generation
if len(privateKeyPEM) == 0 {
privateKeyPEM = keyPair.KeyPEM
}
if err := newArchive.AddKeyPair(keyName, *keyPair); err != nil {
return nil, trace.Wrap(err)
}
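Review bot: The apiserver private key carried over from the previous archive at `apiserverKeyPair, err := archive.GetKeyPair(constants.APIServerKeyPair)` and fed back in at `privateKeyPEM = apiserverKeyPair.KeyPEM` is exempt from the rotation this function otherwise performs, so a compromise of that key cannot be remediated by a secrets rotation; the TODO comments say this, but the doc comment of getPlanetMasterSecretsPackage (whose start is outside the hunk) should state it too, e.g. `// The apiserver key pair is reused from the existing archive and is not rotated, because it also validates service account tokens.` The tag is misspelled at `// TODO(securty) support rotation of apiserver / serviceaccount secrets`, and the same caveat is repeated at two other places in this file; one comment with a tracking reference would be easier to keep in sync. `var privateKeyPEM []byte` is assigned only in the `constants.APIServerKeyPair` case, and the meaning of leaving it nil — GenerateCertificate apparently creates a fresh key then, as the node package now relies on at `authority.GenerateCertificate(req, caKeyPair, nil, defaults.CertificateExpiry)` — deserves a line at the declaration, e.g. `// nil means GenerateCertificate creates a fresh key for this certificate`. Dropping the first-key reuse in getPlanetNodeSecretsPackage also means one key generation per certificate; if that cost matters for large clusters it should be measured, since the removed comment cited speed as the reason for sharing.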
