var certPeriodValidationMutex … var certPeriodValidation … // CreatePKIAssets will create and write to disk all PKI assets necessary to establish the control plane. // If the PKI assets already exists in the target folder, they are used only if evaluated equal; otherwise an error is returned. func CreatePKIAssets(cfg *kubeadmapi.InitConfiguration) error { … } // CreateServiceAccountKeyAndPublicKeyFiles creates new public/private key files for signing service account users. // If the sa public/private key files already exist in the target folder, they are used only if evaluated equals; otherwise an error is returned. func CreateServiceAccountKeyAndPublicKeyFiles(certsDir string, keyType kubeadmapi.EncryptionAlgorithmType) error { … } // CreateCACertAndKeyFiles generates and writes out a given certificate authority. // The certSpec should be one of the variables from this package. func CreateCACertAndKeyFiles(certSpec *KubeadmCert, cfg *kubeadmapi.InitConfiguration) error { … } // CreateCertAndKeyFilesWithCA loads the given certificate authority from disk, then generates and writes out the given certificate and key. // The certSpec and caCertSpec should both be one of the variables from this package. func CreateCertAndKeyFilesWithCA(certSpec *KubeadmCert, caCertSpec *KubeadmCert, cfg *kubeadmapi.InitConfiguration) error { … } // LoadCertificateAuthority tries to load a CA in the given directory with the given name. func LoadCertificateAuthority(pkiDir string, baseName string) (*x509.Certificate, crypto.Signer, error) { … } // writeCertificateAuthorityFilesIfNotExist write a new certificate Authority to the given path. // If there already is a certificate file at the given path; kubeadm tries to load it and check if the values in the // existing and the expected certificate equals. If they do; kubeadm will just skip writing the file as it's up-to-date, // otherwise this function returns an error. func writeCertificateAuthorityFilesIfNotExist(pkiDir string, baseName string, caCert *x509.Certificate, caKey crypto.Signer) error { … } // writeCertificateFilesIfNotExist write a new certificate to the given path. // If there already is a certificate file at the given path; kubeadm tries to load it and check if the values in the // existing and the expected certificate equals. If they do; kubeadm will just skip writing the file as it's up-to-date, // otherwise this function returns an error. func writeCertificateFilesIfNotExist(pkiDir string, baseName string, signingCert *x509.Certificate, cert *x509.Certificate, key crypto.Signer, cfg *pkiutil.CertConfig) error { … } type certKeyLocation … // SharedCertificateExists verifies if the shared certificates exist and are still valid - the certificates must be // equal across control-plane nodes: ca.key, ca.crt, sa.key, sa.pub, front-proxy-ca.key, front-proxy-ca.crt and etcd/ca.key, etcd/ca.crt if local/stacked etcd // Missing private keys of CA are non-fatal and produce warnings. func SharedCertificateExists(cfg *kubeadmapi.ClusterConfiguration) (bool, error) { … } // UsingExternalCA determines whether the user is relying on an external CA. We currently implicitly determine this is the case // when the CA Cert is present but the CA Key is not. // This allows us to, e.g., skip generating certs or not start the csr signing controller. // In case we are using an external front-proxy CA, the function validates the certificates signed by front-proxy CA that should be provided by the user. func UsingExternalCA(cfg *kubeadmapi.ClusterConfiguration) (bool, error) { … } // UsingExternalFrontProxyCA determines whether the user is relying on an external front-proxy CA. We currently implicitly determine this is the case // when the front proxy CA Cert is present but the front proxy CA Key is not. // In case we are using an external front-proxy CA, the function validates the certificates signed by front-proxy CA that should be provided by the user. func UsingExternalFrontProxyCA(cfg *kubeadmapi.ClusterConfiguration) (bool, error) { … } // UsingExternalEtcdCA determines whether the user is relying on an external etcd CA. We currently implicitly determine this is the case // when the etcd CA Cert is present but the etcd CA Key is not. // In case we are using an external etcd CA, the function validates the certificates signed by etcd CA that should be provided by the user. func UsingExternalEtcdCA(cfg *kubeadmapi.ClusterConfiguration) (bool, error) { … } // validateCACert tries to load a x509 certificate from pkiDir and validates that it is a CA func validateCACert(l certKeyLocation) error { … } // validateCACertAndKey tries to load a x509 certificate and private key from pkiDir, // and validates that the cert is a CA. Failure to load the key produces a warning. func validateCACertAndKey(l certKeyLocation) error { … } // validateSignedCert tries to load a x509 certificate and private key from pkiDir and validates // that the cert is signed by a given CA func validateSignedCert(l certKeyLocation) error { … } // validateSignedCertWithCA tries to load a certificate and private key and // validates that the cert is signed by the given caCert func validateSignedCertWithCA(l certKeyLocation, caCert *x509.Certificate) error { … } // validatePrivatePublicKey tries to load a private key from pkiDir func validatePrivatePublicKey(l certKeyLocation) error { … } // validateCertificateWithConfig makes sure that a given certificate is valid at // least for the SANs defined in the configuration. func validateCertificateWithConfig(cert *x509.Certificate, baseName string, cfg *pkiutil.CertConfig) error { … } // CheckCertificatePeriodValidity takes a certificate and prints a warning if its period // is not valid related to the current time. It does so only if the certificate was not validated already // by keeping track with a cache. func CheckCertificatePeriodValidity(baseName string, cert *x509.Certificate) { … }