-
Notifications
You must be signed in to change notification settings - Fork 24
/
signer.go
102 lines (82 loc) · 2.78 KB
/
signer.go
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
package certrotation
import (
"bytes"
"fmt"
"time"
"github.com/openshift/library-go/pkg/crypto"
corev1 "k8s.io/api/core/v1"
metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
"sigs.k8s.io/controller-runtime/pkg/client"
"github.com/grafana/tempo-operator/internal/manifests/manifestutils"
)
// SigningCAExpired returns true if the signer certificate expired and the reason of expiry.
func SigningCAExpired(opts Options) error {
// Skip as secret not created or loaded
if opts.Signer.Secret == nil {
return nil
}
reason := opts.Signer.Rotation.NeedNewCertificate(opts.Signer.Secret.Annotations, opts.Rotation.CACertRefresh)
if reason != "" {
return &CertExpiredError{Message: "signing CA certificate expired", Reasons: []string{reason}}
}
return nil
}
// buildSigningCASecret returns a k8s Secret holding the signing CA certificate.
func buildSigningCASecret(opts *Options) (client.Object, error) {
signingCertKeyPairSecret := newSigningCASecret(*opts)
opts.Signer.Rotation.Issuer = fmt.Sprintf("%s_%s", signingCertKeyPairSecret.Namespace, signingCertKeyPairSecret.Name)
if reason := opts.Signer.Rotation.NeedNewCertificate(signingCertKeyPairSecret.Annotations, opts.Rotation.CACertRefresh); reason != "" {
if err := setSigningCertKeyPairSecret(signingCertKeyPairSecret, opts.Rotation.CACertValidity, opts.Signer.Rotation); err != nil {
return nil, err
}
}
var (
cert = signingCertKeyPairSecret.Data[corev1.TLSCertKey]
key = signingCertKeyPairSecret.Data[corev1.TLSPrivateKeyKey]
)
rawCA, err := crypto.GetCAFromBytes(cert, key)
if err != nil {
return nil, err
}
opts.Signer.RawCA = rawCA
return signingCertKeyPairSecret, nil
}
func newSigningCASecret(opts Options) *corev1.Secret {
current := opts.Signer.Secret.DeepCopy()
s := &corev1.Secret{
ObjectMeta: metav1.ObjectMeta{
Name: SigningCASecretName(opts.StackName),
Namespace: opts.StackNamespace,
Labels: manifestutils.CommonLabels(opts.StackName),
},
Type: corev1.SecretTypeTLS,
}
if current != nil {
s.Annotations = current.Annotations
s.Labels = current.Labels
s.Data = current.Data
}
return s
}
// setSigningCertKeyPairSecret creates a new signing cert/key pair and sets them in the secret.
func setSigningCertKeyPairSecret(s *corev1.Secret, validity time.Duration, caCreator signerRotation) error {
if s.Annotations == nil {
s.Annotations = map[string]string{}
}
if s.Data == nil {
s.Data = map[string][]byte{}
}
ca, err := caCreator.NewCertificate(validity)
if err != nil {
return err
}
certBytes := &bytes.Buffer{}
keyBytes := &bytes.Buffer{}
if err := ca.WriteCertConfig(certBytes, keyBytes); err != nil {
return err
}
s.Data[corev1.TLSCertKey] = certBytes.Bytes()
s.Data[corev1.TLSPrivateKeyKey] = keyBytes.Bytes()
caCreator.SetAnnotations(ca, s.Annotations)
return nil
}