
add custom trusted cert bundles (#5625)
* add custom trusted cert bundles

* resolve comments
ahreehong committed May 25, 2023
1 parent 315568c commit e63a2d6
Showing 23 changed files with 2,793 additions and 0 deletions.
Expand Up @@ -120,6 +120,22 @@ spec:
type: integer
type: object
type: object
certBundles:
items:
description: Cert defines additional trusted cert bundles on
the host OS.
properties:
data:
description: Data defines the cert bundle data.
type: string
name:
description: Name defines the cert bundle name.
type: string
required:
- data
- name
type: object
type: array
ntpConfiguration:
description: NTPConfiguration defines the NTP configuration on
the host OS.
Expand Up @@ -95,6 +95,22 @@ spec:
type: integer
type: object
type: object
certBundles:
items:
description: Cert defines additional trusted cert bundles on
the host OS.
properties:
data:
description: Data defines the cert bundle data.
type: string
name:
description: Name defines the cert bundle name.
type: string
required:
- data
- name
type: object
type: array
ntpConfiguration:
description: NTPConfiguration defines the NTP configuration on
the host OS.
Expand Up @@ -101,6 +101,22 @@ spec:
type: integer
type: object
type: object
certBundles:
items:
description: Cert defines additional trusted cert bundles on
the host OS.
properties:
data:
description: Data defines the cert bundle data.
type: string
name:
description: Name defines the cert bundle name.
type: string
required:
- data
- name
type: object
type: array
ntpConfiguration:
description: NTPConfiguration defines the NTP configuration on
the host OS.
48 changes: 48 additions & 0 deletions config/manifest/eksa-components.yaml
Expand Up @@ -5161,6 +5161,22 @@ spec:
type: integer
type: object
type: object
certBundles:
items:
description: Cert defines additional trusted cert bundles on
the host OS.
properties:
data:
description: Data defines the cert bundle data.
type: string
name:
description: Name defines the cert bundle name.
type: string
required:
- data
- name
type: object
type: array
ntpConfiguration:
description: NTPConfiguration defines the NTP configuration on
the host OS.
Expand Down Expand Up @@ -5465,6 +5481,22 @@ spec:
type: integer
type: object
type: object
certBundles:
items:
description: Cert defines additional trusted cert bundles on
the host OS.
properties:
data:
description: Data defines the cert bundle data.
type: string
name:
description: Name defines the cert bundle name.
type: string
required:
- data
- name
type: object
type: array
ntpConfiguration:
description: NTPConfiguration defines the NTP configuration on
the host OS.
Expand Down Expand Up @@ -5851,6 +5883,22 @@ spec:
type: integer
type: object
type: object
certBundles:
items:
description: Cert defines additional trusted cert bundles on
the host OS.
properties:
data:
description: Data defines the cert bundle data.
type: string
name:
description: Name defines the cert bundle name.
type: string
required:
- data
- name
type: object
type: array
ntpConfiguration:
description: NTPConfiguration defines the NTP configuration on
the host OS.
58 changes: 58 additions & 0 deletions pkg/api/v1alpha1/hostosconfig.go
@@ -1,6 +1,8 @@
package v1alpha1

import (
"crypto/x509"
"encoding/pem"
"fmt"
"net"
"net/url"
Expand All @@ -19,6 +21,12 @@ func validateHostOSConfig(config *HostOSConfiguration, osFamily OSFamily) error
return err
}

for _, certBundle := range config.CertBundles {
if err := validateCertBundles(&certBundle, osFamily); err != nil {
return err
}
}

return validateBotterocketConfig(config.BottlerocketConfiguration, osFamily)
}

Expand Down Expand Up @@ -52,6 +60,24 @@ func addNTPScheme(server string) string {
return fmt.Sprintf("udp://%s", server)
}

func validateCertBundles(config *certBundle, osFamily OSFamily) error {
if config == nil {
return nil
}

if osFamily != Bottlerocket {
return fmt.Errorf("CertBundles can only be used with osFamily: \"%s\"", Bottlerocket)
}

if config.Name == "" {
return errors.New("certBundles name cannot be empty")
}
if err := validateTrustedCertBundle(config.Data); err != nil {
return err
}
return nil
}

func validateBotterocketConfig(config *BottlerocketConfiguration, osFamily OSFamily) error {
if config == nil {
return nil
Expand Down Expand Up @@ -122,3 +148,35 @@ func validateBottlerocketBootSettingsConfiguration(config *v1beta1.BottlerocketB

return nil
}

// validateTrustedCertBundle validates that the cert is valid.
func validateTrustedCertBundle(certBundle string) error {
var blocks []byte
rest := []byte(certBundle)

// cert bundles could contain more than one certificate
for {
var block *pem.Block
block, rest = pem.Decode(rest)

// no more PEM structed objects
if block == nil {
break
}
blocks = append(blocks, block.Bytes...)
if len(rest) == 0 {
break
}
}

if len(blocks) == 0 {
return fmt.Errorf("failed to parse certificate PEM")
}

_, err := x509.ParseCertificates(blocks)
if err != nil {
return fmt.Errorf("failed to parse certificate: %v", err)
}

return nil
}
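Review bot: validateTrustedCertBundle appends block.Bytes for every PEM block it decodes without looking at block.Type, so a bundle that also carries a PRIVATE KEY or CERTIFICATE REQUEST block is at best caught by x509.ParseCertificates with a generic malformed-certificate message rather than rejected by name. Right after the `if block == nil` check add `if block.Type != "CERTIFICATE" { return fmt.Errorf("unexpected PEM block type %q in cert bundle, want CERTIFICATE", block.Type) }` so non-certificate material never reaches the host trust store. The doc comment on the function is tautological; suggest `// validateTrustedCertBundle checks that certBundle is PEM text holding at least one parseable X.509 certificate.` Separately, validateCertBundles in the previous hunk calls errors.New while the visible import hunk adds only crypto/x509 and encoding/pem — presumably errors is imported further down the collapsed import block, but worth confirming.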
