const tmpPrivateKeyFile … // LoadClientConfig tries to load the appropriate client config for retrieving certs and for use by users. // If bootstrapPath is empty, only kubeconfigPath is checked. If bootstrap path is set and the contents // of kubeconfigPath are valid, both certConfig and userConfig will point to that file. Otherwise the // kubeconfigPath on disk is populated based on bootstrapPath but pointing to the location of the client cert // in certDir. This preserves the historical behavior of bootstrapping where on subsequent restarts the // most recent client cert is used to request new client certs instead of the initial token. func LoadClientConfig(kubeconfigPath, bootstrapPath, certDir string) (certConfig, userConfig *restclient.Config, err error) { … } // LoadClientCert requests a client cert for kubelet if the kubeconfigPath file does not exist. // The kubeconfig at bootstrapPath is used to request a client certificate from the API server. // On success, a kubeconfig file referencing the generated key and obtained certificate is written to kubeconfigPath. // The certificate and key file are stored in certDir. func LoadClientCert(ctx context.Context, kubeconfigPath, bootstrapPath, certDir string, nodeName types.NodeName) error { … } func writeKubeconfigFromBootstrapping(bootstrapClientConfig *restclient.Config, kubeconfigPath, pemPath string) error { … } func loadRESTClientConfig(kubeconfig string) (*restclient.Config, error) { … } // isClientConfigStillValid checks the provided kubeconfig to see if it has a valid // client certificate. It returns true if the kubeconfig is valid, or an error if bootstrapping // should stop immediately. func isClientConfigStillValid(kubeconfigPath string) (bool, error) { … } // verifyKeyData returns true if the provided data appears to be a valid private key. func verifyKeyData(data []byte) bool { … } func waitForServer(ctx context.Context, cfg restclient.Config, deadline time.Duration) error { … } // requestNodeCertificate will create a certificate signing request for a node // (Organization and CommonName for the CSR will be set as expected for node // certificates) and send it to API server, then it will watch the object's // status, once approved by API server, it will return the API server's issued // certificate (pem-encoded). If there is any errors, or the watch timeouts, it // will return an error. This is intended for use on nodes (kubelet and // kubeadm). func requestNodeCertificate(ctx context.Context, client clientset.Interface, privateKeyData []byte, nodeName types.NodeName) (certData []byte, err error) { … } // This digest should include all the relevant pieces of the CSR we care about. // We can't directly hash the serialized CSR because of random padding that we // regenerate every loop and we include usages which are not contained in the // CSR. This needs to be kept up to date as we add new fields to the node // certificates and with ensureCompatible. func digestedName(publicKey interface{ … }