pkg/asset/tls: self-sign cluster CAs

pkg/asset/tls/aggregatorca.go

@@ -5,6 +5,7 @@ import (
 	"crypto/x509/pkix"
 
 	"github.com/openshift/installer/pkg/asset"
+	"github.com/pkg/errors"
 )
 
 // AggregatorCA is the asset that generates the aggregator-ca key/cert pair.
@@ -18,24 +19,29 @@ var _ asset.Asset = (*AggregatorCA)(nil)
 // the parent CA, and install config if it depends on the install config for
 // DNS names, etc.
 func (a *AggregatorCA) Dependencies() []asset.Asset {
-	return []asset.Asset{
-		&RootCA{},
-	}
+	return []asset.Asset{}
 }
 
 // Generate generates the cert/key pair based on its dependencies.
 func (a *AggregatorCA) Generate(dependencies asset.Parents) error {
-	rootCA := &RootCA{}
-	dependencies.Get(rootCA)
-
 	cfg := &CertCfg{
 		Subject:   pkix.Name{CommonName: "aggregator", OrganizationalUnit: []string{"bootkube"}},
 		KeyUsages: x509.KeyUsageKeyEncipherment | x509.KeyUsageDigitalSignature | x509.KeyUsageCertSign,
 		Validity:  ValidityTenYears,
 		IsCA:      true,
 	}
 
-	return a.CertKey.Generate(cfg, rootCA, "aggregator-ca", DoNotAppendParent)
+	key, crt, err := GenerateRootCertKey(cfg)
+	if err != nil {
+		return errors.Wrap(err, "failed to generate Aggregator CA")
+	}
+
+	a.KeyRaw = PrivateKeyToPem(key)
+	a.CertRaw = CertToPem(crt)
+
+	a.generateFiles("aggregator-ca")
+
+	return nil
 }
 
 // Name returns the human-friendly name of the asset.

pkg/asset/tls/etcdca.go

@@ -5,6 +5,7 @@ import (
 	"crypto/x509/pkix"
 
 	"github.com/openshift/installer/pkg/asset"
+	"github.com/pkg/errors"
 )
 
 // EtcdCA is the asset that generates the etcd-ca key/cert pair.
@@ -18,24 +19,29 @@ var _ asset.Asset = (*EtcdCA)(nil)
 // the parent CA, and install config if it depends on the install config for
 // DNS names, etc.
 func (a *EtcdCA) Dependencies() []asset.Asset {
-	return []asset.Asset{
-		&RootCA{},
-	}
+	return []asset.Asset{}
 }
 
 // Generate generates the cert/key pair based on its dependencies.
 func (a *EtcdCA) Generate(dependencies asset.Parents) error {
-	rootCA := &RootCA{}
-	dependencies.Get(rootCA)
-
 	cfg := &CertCfg{
 		Subject:   pkix.Name{CommonName: "etcd", OrganizationalUnit: []string{"etcd"}},
 		KeyUsages: x509.KeyUsageKeyEncipherment | x509.KeyUsageDigitalSignature | x509.KeyUsageCertSign,
 		Validity:  ValidityTenYears,
 		IsCA:      true,
 	}
 
-	return a.CertKey.Generate(cfg, rootCA, "etcd-client-ca", DoNotAppendParent)
+	key, crt, err := GenerateRootCertKey(cfg)
+	if err != nil {
+		return errors.Wrap(err, "failed to generate ETCD client CA")
+	}
+
+	a.KeyRaw = PrivateKeyToPem(key)
+	a.CertRaw = CertToPem(crt)
+
+	a.generateFiles("etcd-client-ca")
+
+	return nil
 }
 
 // Name returns the human-friendly name of the asset.

pkg/asset/tls/kubeca.go

@@ -5,6 +5,7 @@ import (
 	"crypto/x509/pkix"
 
 	"github.com/openshift/installer/pkg/asset"
+	"github.com/pkg/errors"
 )
 
 // KubeCA is the asset that generates the kube-ca key/cert pair.
@@ -18,24 +19,29 @@ var _ asset.Asset = (*KubeCA)(nil)
 // the parent CA, and install config if it depends on the install config for
 // DNS names, etc.
 func (a *KubeCA) Dependencies() []asset.Asset {
-	return []asset.Asset{
-		&RootCA{},
-	}
+	return []asset.Asset{}
 }
 
 // Generate generates the cert/key pair based on its dependencies.
 func (a *KubeCA) Generate(dependencies asset.Parents) error {
-	rootCA := &RootCA{}
-	dependencies.Get(rootCA)
-
 	cfg := &CertCfg{
 		Subject:   pkix.Name{CommonName: "kube-ca", OrganizationalUnit: []string{"bootkube"}},
 		KeyUsages: x509.KeyUsageKeyEncipherment | x509.KeyUsageDigitalSignature | x509.KeyUsageCertSign,
 		Validity:  ValidityTenYears,
 		IsCA:      true,
 	}
 
-	return a.CertKey.Generate(cfg, rootCA, "kube-ca", DoNotAppendParent)
+	key, crt, err := GenerateRootCertKey(cfg)
+	if err != nil {
+		return errors.Wrap(err, "failed to generate Kube CA")
+	}
+
+	a.KeyRaw = PrivateKeyToPem(key)
+	a.CertRaw = CertToPem(crt)
+
+	a.generateFiles("kube-ca")
+
+	return nil
 }
 
 // Name returns the human-friendly name of the asset.