Home Explore Help
Sign In
tzeneto
/
custom-kube-scheduler
Watch 1
Star 0
Fork 0
Files Issues 0 Pull Requests 0 Wiki
Tree: edebc35d0d
Branches Tags
custom-kube-...
/
kubernetes-v1.15.4
/
pkg
/
controller
/
certificates
/
signer
/
cfssl_signer.go

cfssl_signer.go 4.2 KB
History Raw

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153 
  1. /*
    2. 

  2. Copyright 2016 The Kubernetes Authors.
    3. 

  3. 

  4. Licensed under the Apache License, Version 2.0 (the "License");
    5. 

  5. you may not use this file except in compliance with the License.
    6. 

  6. You may obtain a copy of the License at
    7. 

  7. 

  8.     http://www.apache.org/licenses/LICENSE-2.0
    9. 

  9. 

  10. Unless required by applicable law or agreed to in writing, software
    11. 

  11. distributed under the License is distributed on an "AS IS" BASIS,
    12. 

  12. WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
    13. 

  13. See the License for the specific language governing permissions and
    14. 

  14. limitations under the License.
    15. 

  15. */
    16. 

  16. 

  17. // Package signer implements a CA signer that uses keys stored on local disk.
    18. 

  18. package signer
    19. 

  19. 

  20. import (
    21. 

  21. 	"crypto"
    22. 

  22. 	"crypto/x509"
    23. 

  23. 	"fmt"
    24. 

  24. 	"io/ioutil"
    25. 

  25. 	"os"
    26. 

  26. 	"time"
    27. 

  27. 

  28. 	capi "k8s.io/api/certificates/v1beta1"
    29. 

  29. 	certificatesinformers "k8s.io/client-go/informers/certificates/v1beta1"
    30. 

  30. 	clientset "k8s.io/client-go/kubernetes"
    31. 

  31. 	"k8s.io/kubernetes/pkg/controller/certificates"
    32. 

  32. 

  33. 	"github.com/cloudflare/cfssl/config"
    34. 

  34. 	"github.com/cloudflare/cfssl/helpers"
    35. 

  35. 	"github.com/cloudflare/cfssl/signer"
    36. 

  36. 	"github.com/cloudflare/cfssl/signer/local"
    37. 

  37. )
    38. 

  38. 

  39. func NewCSRSigningController(
    40. 

  40. 	client clientset.Interface,
    41. 

  41. 	csrInformer certificatesinformers.CertificateSigningRequestInformer,
    42. 

  42. 	caFile, caKeyFile string,
    43. 

  43. 	certificateDuration time.Duration,
    44. 

  44. ) (*certificates.CertificateController, error) {
    45. 

  45. 	signer, err := newCFSSLSigner(caFile, caKeyFile, client, certificateDuration)
    46. 

  46. 	if err != nil {
    47. 

  47. 		return nil, err
    48. 

  48. 	}
    49. 

  49. 	return certificates.NewCertificateController(
    50. 

  50. 		client,
    51. 

  51. 		csrInformer,
    52. 

  52. 		signer.handle,
    53. 

  53. 	), nil
    54. 

  54. }
    55. 

  55. 

  56. type cfsslSigner struct {
    57. 

  57. 	ca                  *x509.Certificate
    58. 

  58. 	priv                crypto.Signer
    59. 

  59. 	sigAlgo             x509.SignatureAlgorithm
    60. 

  60. 	client              clientset.Interface
    61. 

  61. 	certificateDuration time.Duration
    62. 

  62. 

  63. 	// nowFn returns the current time.  We have here for unit testing
    64. 

  64. 	nowFn func() time.Time
    65. 

  65. }
    66. 

  66. 

  67. func newCFSSLSigner(caFile, caKeyFile string, client clientset.Interface, certificateDuration time.Duration) (*cfsslSigner, error) {
    68. 

  68. 	ca, err := ioutil.ReadFile(caFile)
    69. 

  69. 	if err != nil {
    70. 

  70. 		return nil, fmt.Errorf("error reading CA cert file %q: %v", caFile, err)
    71. 

  71. 	}
    72. 

  72. 	cakey, err := ioutil.ReadFile(caKeyFile)
    73. 

  73. 	if err != nil {
    74. 

  74. 		return nil, fmt.Errorf("error reading CA key file %q: %v", caKeyFile, err)
    75. 

  75. 	}
    76. 

  76. 

  77. 	parsedCa, err := helpers.ParseCertificatePEM(ca)
    78. 

  78. 	if err != nil {
    79. 

  79. 		return nil, fmt.Errorf("error parsing CA cert file %q: %v", caFile, err)
    80. 

  80. 	}
    81. 

  81. 

  82. 	strPassword := os.Getenv("CFSSL_CA_PK_PASSWORD")
    83. 

  83. 	password := []byte(strPassword)
    84. 

  84. 	if strPassword == "" {
    85. 

  85. 		password = nil
    86. 

  86. 	}
    87. 

  87. 

  88. 	priv, err := helpers.ParsePrivateKeyPEMWithPassword(cakey, password)
    89. 

  89. 	if err != nil {
    90. 

  90. 		return nil, fmt.Errorf("Malformed private key %v", err)
    91. 

  91. 	}
    92. 

  92. 	return &cfsslSigner{
    93. 

  93. 		priv:                priv,
    94. 

  94. 		ca:                  parsedCa,
    95. 

  95. 		sigAlgo:             signer.DefaultSigAlgo(priv),
    96. 

  96. 		client:              client,
    97. 

  97. 		certificateDuration: certificateDuration,
    98. 

  98. 		nowFn:               time.Now,
    99. 

  99. 	}, nil
    100. 

  100. }
    101. 

  101. 

  102. func (s *cfsslSigner) handle(csr *capi.CertificateSigningRequest) error {
    103. 

  103. 	if !certificates.IsCertificateRequestApproved(csr) {
    104. 

  104. 		return nil
    105. 

  105. 	}
    106. 

  106. 	csr, err := s.sign(csr)
    107. 

  107. 	if err != nil {
    108. 

  108. 		return fmt.Errorf("error auto signing csr: %v", err)
    109. 

  109. 	}
    110. 

  110. 	_, err = s.client.CertificatesV1beta1().CertificateSigningRequests().UpdateStatus(csr)
    111. 

  111. 	if err != nil {
    112. 

  112. 		return fmt.Errorf("error updating signature for csr: %v", err)
    113. 

  113. 	}
    114. 

  114. 	return nil
    115. 

  115. }
    116. 

  116. 

  117. func (s *cfsslSigner) sign(csr *capi.CertificateSigningRequest) (*capi.CertificateSigningRequest, error) {
    118. 

  118. 	var usages []string
    119. 

  119. 	for _, usage := range csr.Spec.Usages {
    120. 

  120. 		usages = append(usages, string(usage))
    121. 

  121. 	}
    122. 

  122. 

  123. 	certExpiryDuration := s.certificateDuration
    124. 

  124. 	durationUntilExpiry := s.ca.NotAfter.Sub(s.nowFn())
    125. 

  125. 	if durationUntilExpiry <= 0 {
    126. 

  126. 		return nil, fmt.Errorf("the signer has expired: %v", s.ca.NotAfter)
    127. 

  127. 	}
    128. 

  128. 	if durationUntilExpiry < certExpiryDuration {
    129. 

  129. 		certExpiryDuration = durationUntilExpiry
    130. 

  130. 	}
    131. 

  131. 

  132. 	policy := &config.Signing{
    133. 

  133. 		Default: &config.SigningProfile{
    134. 

  134. 			Usage:        usages,
    135. 

  135. 			Expiry:       certExpiryDuration,
    136. 

  136. 			ExpiryString: certExpiryDuration.String(),
    137. 

  137. 		},
    138. 

  138. 	}
    139. 

  139. 	cfs, err := local.NewSigner(s.priv, s.ca, s.sigAlgo, policy)
    140. 

  140. 	if err != nil {
    141. 

  141. 		return nil, err
    142. 

  142. 	}
    143. 

  143. 

  144. 	csr.Status.Certificate, err = cfs.Sign(signer.SignRequest{
    145. 

  145. 		Request: string(csr.Spec.Request),
    146. 

  146. 	})
    147. 

  147. 	if err != nil {
    148. 

  148. 		return nil, err
    149. 

  149. 	}
    150. 

  150. 

  151. 	return csr, nil
    152. 

  152. }
    153. 

  153.