-
Notifications
You must be signed in to change notification settings - Fork 40
/
signer.go
113 lines (96 loc) · 3.45 KB
/
signer.go
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
package certrotation
import (
"bytes"
"context"
"fmt"
"time"
"github.com/openshift/library-go/pkg/crypto"
corev1 "k8s.io/api/core/v1"
apierrors "k8s.io/apimachinery/pkg/api/errors"
metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
corev1client "k8s.io/client-go/kubernetes/typed/core/v1"
corev1listers "k8s.io/client-go/listers/core/v1"
"k8s.io/client-go/util/cert"
"open-cluster-management.io/addon-framework/pkg/utils"
)
// SigningRotation rotates a self-signed signing CA stored in a secret. It creates a new one when 80%
// of the lifetime of the old CA has passed.
type SigningRotation struct {
Namespace string
Name string
SignerNamePrefix string
Validity time.Duration
Lister corev1listers.SecretLister
Client corev1client.SecretsGetter
}
func (c SigningRotation) EnsureSigningCertKeyPair() (*crypto.CA, error) {
originalSigningCertKeyPairSecret, err := c.Lister.Secrets(c.Namespace).Get(c.Name)
if err != nil && !apierrors.IsNotFound(err) {
return nil, err
}
signingCertKeyPairSecret := originalSigningCertKeyPairSecret.DeepCopy()
if apierrors.IsNotFound(err) {
// create an empty one
signingCertKeyPairSecret = &corev1.Secret{ObjectMeta: metav1.ObjectMeta{Namespace: c.Namespace, Name: c.Name}}
}
signingCertKeyPairSecret.Type = corev1.SecretTypeTLS
if reason := needNewSigningCertKeyPair(signingCertKeyPairSecret); len(reason) > 0 {
if err := setSigningCertKeyPairSecret(signingCertKeyPairSecret, c.SignerNamePrefix, c.Validity); err != nil {
return nil, err
}
actualSigningCertKeyPairSecret, _, err := utils.ApplySecret(context.TODO(), c.Client, signingCertKeyPairSecret)
if err != nil {
return nil, err
}
signingCertKeyPairSecret = actualSigningCertKeyPairSecret
}
// at this point, the secret has the correct signer, so we should read that signer to be able to sign
signingCertKeyPair, err := crypto.GetCAFromBytes(signingCertKeyPairSecret.Data["tls.crt"], signingCertKeyPairSecret.Data["tls.key"])
if err != nil {
return nil, err
}
return signingCertKeyPair, nil
}
func needNewSigningCertKeyPair(secret *corev1.Secret) string {
certData := secret.Data["tls.crt"]
if len(certData) == 0 {
return "missing tls.crt"
}
certificates, err := cert.ParseCertsPEM(certData)
if err != nil {
return "bad certificate"
}
if len(certificates) == 0 {
return "missing certificate"
}
cert := certificates[0]
if time.Now().After(cert.NotAfter) {
return "already expired"
}
maxWait := cert.NotAfter.Sub(cert.NotBefore) / 5
latestTime := cert.NotAfter.Add(-maxWait)
now := time.Now()
if now.After(latestTime) {
return fmt.Sprintf("expired in %6.3f seconds", cert.NotAfter.Sub(now).Seconds())
}
return ""
}
// setSigningCertKeyPairSecret creates a new signing cert/key pair and sets them in the secret
func setSigningCertKeyPairSecret(signingCertKeyPairSecret *corev1.Secret, signerNamePrefix string, validity time.Duration) error {
signerName := fmt.Sprintf("%s@%d", signerNamePrefix, time.Now().Unix())
ca, err := crypto.MakeSelfSignedCAConfigForDuration(signerName, validity)
if err != nil {
return err
}
certBytes := &bytes.Buffer{}
keyBytes := &bytes.Buffer{}
if err := ca.WriteCertConfig(certBytes, keyBytes); err != nil {
return err
}
if signingCertKeyPairSecret.Data == nil {
signingCertKeyPairSecret.Data = map[string][]byte{}
}
signingCertKeyPairSecret.Data["tls.crt"] = certBytes.Bytes()
signingCertKeyPairSecret.Data["tls.key"] = keyBytes.Bytes()
return nil
}