Commit 41689b15 authored by Kubernetes Submit Queue's avatar Kubernetes Submit Queue Committed by GitHub

Merge pull request #34488 from mikedanese/signing-profile

Automatic merge from submit-queue certificates: add a signing profile to the internal types Here is a strawman of a CertificateSigningProfile type which would be used by the certificates controller when configuring cfssl. Side question: what magnitude of change warrants a design proposal? @liggitt @gtank
parents 495ab24f bc522113
...@@ -35833,6 +35833,13 @@ ...@@ -35833,6 +35833,13 @@
"uid": { "uid": {
"type": "string" "type": "string"
}, },
"usages": {
"description": "allowedUsages specifies a set of usage contexts the key will be valid for. See: https://tools.ietf.org/html/rfc5280#section-4.2.1.3\n https://tools.ietf.org/html/rfc5280#section-4.2.1.12",
"type": "array",
"items": {
"type": "string"
}
},
"username": { "username": {
"description": "Information about the requesting user (if relevant) See user.Info interface for details", "description": "Information about the requesting user (if relevant) See user.Info interface for details",
"type": "string" "type": "string"
...@@ -895,6 +895,13 @@ ...@@ -895,6 +895,13 @@
"type": "string", "type": "string",
"description": "Base64-encoded PKCS#10 CSR data" "description": "Base64-encoded PKCS#10 CSR data"
}, },
"usages": {
"type": "array",
"items": {
"$ref": "v1alpha1.KeyUsage"
},
"description": "allowedUsages specifies a set of usage contexts the key will be valid for. See: https://tools.ietf.org/html/rfc5280#section-4.2.1.3\n https://tools.ietf.org/html/rfc5280#section-4.2.1.12"
},
"username": { "username": {
"type": "string", "type": "string",
"description": "Information about the requesting user (if relevant) See user.Info interface for details" "description": "Information about the requesting user (if relevant) See user.Info interface for details"
...@@ -910,6 +917,10 @@ ...@@ -910,6 +917,10 @@
} }
} }
}, },
"v1alpha1.KeyUsage": {
"id": "v1alpha1.KeyUsage",
"properties": {}
},
"v1alpha1.CertificateSigningRequestStatus": { "v1alpha1.CertificateSigningRequestStatus": {
"id": "v1alpha1.CertificateSigningRequestStatus", "id": "v1alpha1.CertificateSigningRequestStatus",
"properties": { "properties": {
......
...@@ -588,6 +588,14 @@ span.icon > [class^="icon-"], span.icon > [class*=" icon-"] { cursor: default; } ...@@ -588,6 +588,14 @@ span.icon > [class^="icon-"], span.icon > [class*=" icon-"] { cursor: default; }
<td class="tableblock halign-left valign-top"></td> <td class="tableblock halign-left valign-top"></td>
</tr> </tr>
<tr> <tr>
<td class="tableblock halign-left valign-top"><p class="tableblock">usages</p></td>
<td class="tableblock halign-left valign-top"><p class="tableblock">allowedUsages specifies a set of usage contexts the key will be valid for. See: <a href="https://tools.ietf.org/html/rfc5280#section-4.2.1.3">https://tools.ietf.org/html/rfc5280#section-4.2.1.3</a><br>
<a href="https://tools.ietf.org/html/rfc5280#section-4.2.1.12">https://tools.ietf.org/html/rfc5280#section-4.2.1.12</a></p></td>
<td class="tableblock halign-left valign-top"><p class="tableblock">false</p></td>
<td class="tableblock halign-left valign-top"><p class="tableblock"><a href="#_v1alpha1_keyusage">v1alpha1.KeyUsage</a> array</p></td>
<td class="tableblock halign-left valign-top"></td>
</tr>
<tr>
<td class="tableblock halign-left valign-top"><p class="tableblock">username</p></td> <td class="tableblock halign-left valign-top"><p class="tableblock">username</p></td>
<td class="tableblock halign-left valign-top"><p class="tableblock">Information about the requesting user (if relevant) See user.Info interface for details</p></td> <td class="tableblock halign-left valign-top"><p class="tableblock">Information about the requesting user (if relevant) See user.Info interface for details</p></td>
<td class="tableblock halign-left valign-top"><p class="tableblock">false</p></td> <td class="tableblock halign-left valign-top"><p class="tableblock">false</p></td>
...@@ -985,6 +993,10 @@ span.icon > [class^="icon-"], span.icon > [class*=" icon-"] { cursor: default; } ...@@ -985,6 +993,10 @@ span.icon > [class^="icon-"], span.icon > [class*=" icon-"] { cursor: default; }
</div> </div>
<div class="sect2"> <div class="sect2">
<h3 id="_v1alpha1_keyusage">v1alpha1.KeyUsage</h3>
</div>
<div class="sect2">
<h3 id="_v1_watchevent">v1.WatchEvent</h3> <h3 id="_v1_watchevent">v1.WatchEvent</h3>
<table class="tableblock frame-all grid-all" style="width:100%; "> <table class="tableblock frame-all grid-all" style="width:100%; ">
<colgroup> <colgroup>
...@@ -1352,7 +1364,7 @@ Examples:<br> ...@@ -1352,7 +1364,7 @@ Examples:<br>
</div> </div>
<div id="footer"> <div id="footer">
<div id="footer-text"> <div id="footer-text">
Last updated 2017-01-06 18:14:37 UTC Last updated 2017-01-09 21:23:51 UTC
</div> </div>
</div> </div>
</body> </body>
......
...@@ -46,6 +46,12 @@ type CertificateSigningRequestSpec struct { ...@@ -46,6 +46,12 @@ type CertificateSigningRequestSpec struct {
// Base64-encoded PKCS#10 CSR data // Base64-encoded PKCS#10 CSR data
Request []byte Request []byte
// usages specifies a set of usage contexts the key will be
// valid for.
// See: https://tools.ietf.org/html/rfc5280#section-4.2.1.3
// https://tools.ietf.org/html/rfc5280#section-4.2.1.12
Usages []KeyUsage
// Information about the requesting user (if relevant) // Information about the requesting user (if relevant)
// See user.Info interface for details // See user.Info interface for details
// +optional // +optional
...@@ -96,3 +102,34 @@ type CertificateSigningRequestList struct { ...@@ -96,3 +102,34 @@ type CertificateSigningRequestList struct {
// +optional // +optional
Items []CertificateSigningRequest Items []CertificateSigningRequest
} }
// KeyUsages specifies valid usage contexts for keys.
// See: https://tools.ietf.org/html/rfc5280#section-4.2.1.3
// https://tools.ietf.org/html/rfc5280#section-4.2.1.12
type KeyUsage string
const (
UsageSigning KeyUsage = "signing"
UsageDigitalSignature KeyUsage = "digital signature"
UsageContentCommittment KeyUsage = "content committment"
UsageKeyEncipherment KeyUsage = "key encipherment"
UsageKeyAgreement KeyUsage = "key agreement"
UsageDataEncipherment KeyUsage = "data encipherment"
UsageCertSign KeyUsage = "cert sign"
UsageCRLSign KeyUsage = "crl sign"
UsageEncipherOnly KeyUsage = "encipher only"
UsageDecipherOnly KeyUsage = "decipher only"
UsageAny KeyUsage = "any"
UsageServerAuth KeyUsage = "server auth"
UsageClientAuth KeyUsage = "client auth"
UsageCodeSigning KeyUsage = "code signing"
UsageEmailProtection KeyUsage = "email protection"
UsageSMIME KeyUsage = "s/mime"
UsageIPsecEndSystem KeyUsage = "ipsec end system"
UsageIPsecTunnel KeyUsage = "ipsec tunnel"
UsageIPsecUser KeyUsage = "ipsec user"
UsageTimestamping KeyUsage = "timestamping"
UsageOCSPSigning KeyUsage = "ocsp signing"
UsageMicrosoftSGC KeyUsage = "microsoft sgc"
UsageNetscapSGC KeyUsage = "netscape sgc"
)
...@@ -76,6 +76,12 @@ message CertificateSigningRequestSpec { ...@@ -76,6 +76,12 @@ message CertificateSigningRequestSpec {
// Base64-encoded PKCS#10 CSR data // Base64-encoded PKCS#10 CSR data
optional bytes request = 1; optional bytes request = 1;
// allowedUsages specifies a set of usage contexts the key will be
// valid for.
// See: https://tools.ietf.org/html/rfc5280#section-4.2.1.3
// https://tools.ietf.org/html/rfc5280#section-4.2.1.12
repeated string keyUsage = 5;
// Information about the requesting user (if relevant) // Information about the requesting user (if relevant)
// See user.Info interface for details // See user.Info interface for details
// +optional // +optional
......
...@@ -46,6 +46,12 @@ type CertificateSigningRequestSpec struct { ...@@ -46,6 +46,12 @@ type CertificateSigningRequestSpec struct {
// Base64-encoded PKCS#10 CSR data // Base64-encoded PKCS#10 CSR data
Request []byte `json:"request" protobuf:"bytes,1,opt,name=request"` Request []byte `json:"request" protobuf:"bytes,1,opt,name=request"`
// allowedUsages specifies a set of usage contexts the key will be
// valid for.
// See: https://tools.ietf.org/html/rfc5280#section-4.2.1.3
// https://tools.ietf.org/html/rfc5280#section-4.2.1.12
Usages []KeyUsage `json:"usages,omitempty" protobuf:"bytes,5,opt,name=keyUsage"`
// Information about the requesting user (if relevant) // Information about the requesting user (if relevant)
// See user.Info interface for details // See user.Info interface for details
// +optional // +optional
...@@ -95,3 +101,34 @@ type CertificateSigningRequestList struct { ...@@ -95,3 +101,34 @@ type CertificateSigningRequestList struct {
Items []CertificateSigningRequest `json:"items" protobuf:"bytes,2,rep,name=items"` Items []CertificateSigningRequest `json:"items" protobuf:"bytes,2,rep,name=items"`
} }
// KeyUsages specifies valid usage contexts for keys.
// See: https://tools.ietf.org/html/rfc5280#section-4.2.1.3
// https://tools.ietf.org/html/rfc5280#section-4.2.1.12
type KeyUsage string
const (
UsageSigning KeyUsage = "signing"
UsageDigitalSignature KeyUsage = "digital signature"
UsageContentCommittment KeyUsage = "content committment"
UsageKeyEncipherment KeyUsage = "key encipherment"
UsageKeyAgreement KeyUsage = "key agreement"
UsageDataEncipherment KeyUsage = "data encipherment"
UsageCertSign KeyUsage = "cert sign"
UsageCRLSign KeyUsage = "crl sign"
UsageEncipherOnly KeyUsage = "encipher only"
UsageDecipherOnly KeyUsage = "decipher only"
UsageAny KeyUsage = "any"
UsageServerAuth KeyUsage = "server auth"
UsageClientAuth KeyUsage = "client auth"
UsageCodeSigning KeyUsage = "code signing"
UsageEmailProtection KeyUsage = "email protection"
UsageSMIME KeyUsage = "s/mime"
UsageIPsecEndSystem KeyUsage = "ipsec end system"
UsageIPsecTunnel KeyUsage = "ipsec tunnel"
UsageIPsecUser KeyUsage = "ipsec user"
UsageTimestamping KeyUsage = "timestamping"
UsageOCSPSigning KeyUsage = "ocsp signing"
UsageMicrosoftSGC KeyUsage = "microsoft sgc"
UsageNetscapSGC KeyUsage = "netscape sgc"
)
...@@ -51,6 +51,7 @@ func (CertificateSigningRequestCondition) SwaggerDoc() map[string]string { ...@@ -51,6 +51,7 @@ func (CertificateSigningRequestCondition) SwaggerDoc() map[string]string {
var map_CertificateSigningRequestSpec = map[string]string{ var map_CertificateSigningRequestSpec = map[string]string{
"": "This information is immutable after the request is created. Only the Request and ExtraInfo fields can be set on creation, other fields are derived by Kubernetes and cannot be modified by users.", "": "This information is immutable after the request is created. Only the Request and ExtraInfo fields can be set on creation, other fields are derived by Kubernetes and cannot be modified by users.",
"request": "Base64-encoded PKCS#10 CSR data", "request": "Base64-encoded PKCS#10 CSR data",
"usages": "allowedUsages specifies a set of usage contexts the key will be valid for. See: https://tools.ietf.org/html/rfc5280#section-4.2.1.3\n https://tools.ietf.org/html/rfc5280#section-4.2.1.12",
"username": "Information about the requesting user (if relevant) See user.Info interface for details", "username": "Information about the requesting user (if relevant) See user.Info interface for details",
} }
......
...@@ -130,6 +130,7 @@ func Convert_certificates_CertificateSigningRequestList_To_v1alpha1_CertificateS ...@@ -130,6 +130,7 @@ func Convert_certificates_CertificateSigningRequestList_To_v1alpha1_CertificateS
func autoConvert_v1alpha1_CertificateSigningRequestSpec_To_certificates_CertificateSigningRequestSpec(in *CertificateSigningRequestSpec, out *certificates.CertificateSigningRequestSpec, s conversion.Scope) error { func autoConvert_v1alpha1_CertificateSigningRequestSpec_To_certificates_CertificateSigningRequestSpec(in *CertificateSigningRequestSpec, out *certificates.CertificateSigningRequestSpec, s conversion.Scope) error {
out.Request = *(*[]byte)(unsafe.Pointer(&in.Request)) out.Request = *(*[]byte)(unsafe.Pointer(&in.Request))
out.Usages = *(*[]certificates.KeyUsage)(unsafe.Pointer(&in.Usages))
out.Username = in.Username out.Username = in.Username
out.UID = in.UID out.UID = in.UID
out.Groups = *(*[]string)(unsafe.Pointer(&in.Groups)) out.Groups = *(*[]string)(unsafe.Pointer(&in.Groups))
...@@ -142,6 +143,7 @@ func Convert_v1alpha1_CertificateSigningRequestSpec_To_certificates_CertificateS ...@@ -142,6 +143,7 @@ func Convert_v1alpha1_CertificateSigningRequestSpec_To_certificates_CertificateS
func autoConvert_certificates_CertificateSigningRequestSpec_To_v1alpha1_CertificateSigningRequestSpec(in *certificates.CertificateSigningRequestSpec, out *CertificateSigningRequestSpec, s conversion.Scope) error { func autoConvert_certificates_CertificateSigningRequestSpec_To_v1alpha1_CertificateSigningRequestSpec(in *certificates.CertificateSigningRequestSpec, out *CertificateSigningRequestSpec, s conversion.Scope) error {
out.Request = *(*[]byte)(unsafe.Pointer(&in.Request)) out.Request = *(*[]byte)(unsafe.Pointer(&in.Request))
out.Usages = *(*[]KeyUsage)(unsafe.Pointer(&in.Usages))
out.Username = in.Username out.Username = in.Username
out.UID = in.UID out.UID = in.UID
out.Groups = *(*[]string)(unsafe.Pointer(&in.Groups)) out.Groups = *(*[]string)(unsafe.Pointer(&in.Groups))
......
...@@ -99,6 +99,13 @@ func DeepCopy_v1alpha1_CertificateSigningRequestSpec(in interface{}, out interfa ...@@ -99,6 +99,13 @@ func DeepCopy_v1alpha1_CertificateSigningRequestSpec(in interface{}, out interfa
*out = make([]byte, len(*in)) *out = make([]byte, len(*in))
copy(*out, *in) copy(*out, *in)
} }
if in.Usages != nil {
in, out := &in.Usages, &out.Usages
*out = make([]KeyUsage, len(*in))
for i := range *in {
(*out)[i] = (*in)[i]
}
}
if in.Groups != nil { if in.Groups != nil {
in, out := &in.Groups, &out.Groups in, out := &in.Groups, &out.Groups
*out = make([]string, len(*in)) *out = make([]string, len(*in))
......
...@@ -99,6 +99,13 @@ func DeepCopy_certificates_CertificateSigningRequestSpec(in interface{}, out int ...@@ -99,6 +99,13 @@ func DeepCopy_certificates_CertificateSigningRequestSpec(in interface{}, out int
*out = make([]byte, len(*in)) *out = make([]byte, len(*in))
copy(*out, *in) copy(*out, *in)
} }
if in.Usages != nil {
in, out := &in.Usages, &out.Usages
*out = make([]KeyUsage, len(*in))
for i := range *in {
(*out)[i] = (*in)[i]
}
}
if in.Groups != nil { if in.Groups != nil {
in, out := &in.Groups, &out.Groups in, out := &in.Groups, &out.Groups
*out = make([]string, len(*in)) *out = make([]string, len(*in))
......
...@@ -5,6 +5,7 @@ licenses(["notice"]) ...@@ -5,6 +5,7 @@ licenses(["notice"])
load( load(
"@io_bazel_rules_go//go:def.bzl", "@io_bazel_rules_go//go:def.bzl",
"go_library", "go_library",
"go_test",
) )
go_library( go_library(
...@@ -12,6 +13,7 @@ go_library( ...@@ -12,6 +13,7 @@ go_library(
srcs = [ srcs = [
"certificate_controller.go", "certificate_controller.go",
"certificate_controller_utils.go", "certificate_controller_utils.go",
"cfssl_signer.go",
"doc.go", "doc.go",
"groupapprove.go", "groupapprove.go",
], ],
...@@ -32,6 +34,7 @@ go_library( ...@@ -32,6 +34,7 @@ go_library(
"//pkg/util/workqueue:go_default_library", "//pkg/util/workqueue:go_default_library",
"//pkg/watch:go_default_library", "//pkg/watch:go_default_library",
"//vendor:github.com/cloudflare/cfssl/config", "//vendor:github.com/cloudflare/cfssl/config",
"//vendor:github.com/cloudflare/cfssl/helpers",
"//vendor:github.com/cloudflare/cfssl/signer", "//vendor:github.com/cloudflare/cfssl/signer",
"//vendor:github.com/cloudflare/cfssl/signer/local", "//vendor:github.com/cloudflare/cfssl/signer/local",
"//vendor:github.com/golang/glog", "//vendor:github.com/golang/glog",
...@@ -50,3 +53,19 @@ filegroup( ...@@ -50,3 +53,19 @@ filegroup(
srcs = [":package-srcs"], srcs = [":package-srcs"],
tags = ["automanaged"], tags = ["automanaged"],
) )
go_test(
name = "go_default_test",
srcs = ["cfssl_signer_test.go"],
data = [
"testdata/ca.crt",
"testdata/ca.key",
"testdata/kubelet.csr",
],
library = ":go_default_library",
tags = ["automanaged"],
deps = [
"//pkg/apis/certificates/v1alpha1:go_default_library",
"//pkg/util/cert:go_default_library",
],
)
...@@ -33,9 +33,6 @@ import ( ...@@ -33,9 +33,6 @@ import (
"k8s.io/kubernetes/pkg/util/workqueue" "k8s.io/kubernetes/pkg/util/workqueue"
"k8s.io/kubernetes/pkg/watch" "k8s.io/kubernetes/pkg/watch"
"github.com/cloudflare/cfssl/config"
"github.com/cloudflare/cfssl/signer"
"github.com/cloudflare/cfssl/signer/local"
"github.com/golang/glog" "github.com/golang/glog"
) )
...@@ -43,6 +40,10 @@ type AutoApprover interface { ...@@ -43,6 +40,10 @@ type AutoApprover interface {
AutoApprove(csr *certificates.CertificateSigningRequest) (*certificates.CertificateSigningRequest, error) AutoApprove(csr *certificates.CertificateSigningRequest) (*certificates.CertificateSigningRequest, error)
} }
type Signer interface {
Sign(csr *certificates.CertificateSigningRequest) ([]byte, error)
}
type CertificateController struct { type CertificateController struct {
kubeClient clientset.Interface kubeClient clientset.Interface
...@@ -53,8 +54,7 @@ type CertificateController struct { ...@@ -53,8 +54,7 @@ type CertificateController struct {
syncHandler func(csrKey string) error syncHandler func(csrKey string) error
approver AutoApprover approver AutoApprover
signer Signer
signer *local.Signer
queue workqueue.RateLimitingInterface queue workqueue.RateLimitingInterface
} }
...@@ -65,12 +65,7 @@ func NewCertificateController(kubeClient clientset.Interface, syncPeriod time.Du ...@@ -65,12 +65,7 @@ func NewCertificateController(kubeClient clientset.Interface, syncPeriod time.Du
eventBroadcaster.StartLogging(glog.Infof) eventBroadcaster.StartLogging(glog.Infof)
eventBroadcaster.StartRecordingToSink(&v1core.EventSinkImpl{Interface: kubeClient.Core().Events("")}) eventBroadcaster.StartRecordingToSink(&v1core.EventSinkImpl{Interface: kubeClient.Core().Events("")})
// Configure cfssl signer s, err := NewCFSSLSigner(caCertFile, caKeyFile)
// TODO: support non-default policy and remote/pkcs11 signing
policy := &config.Signing{
Default: config.DefaultConfig(),
}
ca, err := local.NewSignerFromFile(caCertFile, caKeyFile, policy)
if err != nil { if err != nil {
return nil, err return nil, err
} }
...@@ -78,7 +73,7 @@ func NewCertificateController(kubeClient clientset.Interface, syncPeriod time.Du ...@@ -78,7 +73,7 @@ func NewCertificateController(kubeClient clientset.Interface, syncPeriod time.Du
cc := &CertificateController{ cc := &CertificateController{
kubeClient: kubeClient, kubeClient: kubeClient,
queue: workqueue.NewNamedRateLimitingQueue(workqueue.DefaultControllerRateLimiter(), "certificate"), queue: workqueue.NewNamedRateLimitingQueue(workqueue.DefaultControllerRateLimiter(), "certificate"),
signer: ca, signer: s,
approver: approver, approver: approver,
} }
...@@ -209,9 +204,7 @@ func (cc *CertificateController) maybeSignCertificate(key string) error { ...@@ -209,9 +204,7 @@ func (cc *CertificateController) maybeSignCertificate(key string) error {
// 3. Update the Status subresource // 3. Update the Status subresource
if csr.Status.Certificate == nil && IsCertificateRequestApproved(csr) { if csr.Status.Certificate == nil && IsCertificateRequestApproved(csr) {
pemBytes := csr.Spec.Request certBytes, err := cc.signer.Sign(csr)
req := signer.SignRequest{Request: string(pemBytes)}
certBytes, err := cc.signer.Sign(req)
if err != nil { if err != nil {
return err return err
} }
......
/*
Copyright 2016 The Kubernetes Authors.
Licensed under the Apache License, Version 2.0 (the "License");
you may not use this file except in compliance with the License.
You may obtain a copy of the License at
http://www.apache.org/licenses/LICENSE-2.0
Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License.
*/
package certificates
import (
"crypto"
"crypto/x509"
"fmt"
"io/ioutil"
"os"
certificates "k8s.io/kubernetes/pkg/apis/certificates/v1alpha1"
"github.com/cloudflare/cfssl/config"
"github.com/cloudflare/cfssl/helpers"
"github.com/cloudflare/cfssl/signer"
"github.com/cloudflare/cfssl/signer/local"
)
var onlySigningPolicy = &config.Signing{
Default: &config.SigningProfile{
Usage: []string{"signing"},
Expiry: helpers.OneYear,
ExpiryString: "8760h",
},
}
type CFSSLSigner struct {
ca *x509.Certificate
priv crypto.Signer
sigAlgo x509.SignatureAlgorithm
}
func NewCFSSLSigner(caFile, caKeyFile string) (*CFSSLSigner, error) {
ca, err := ioutil.ReadFile(caFile)
if err != nil {
return nil, err
}
cakey, err := ioutil.ReadFile(caKeyFile)
if err != nil {
return nil, err
}
parsedCa, err := helpers.ParseCertificatePEM(ca)
if err != nil {
return nil, err
}
strPassword := os.Getenv("CFSSL_CA_PK_PASSWORD")
password := []byte(strPassword)
if strPassword == "" {
password = nil
}
priv, err := helpers.ParsePrivateKeyPEMWithPassword(cakey, password)
if err != nil {
return nil, fmt.Errorf("Malformed private key %v", err)
}
return &CFSSLSigner{
priv: priv,
ca: parsedCa,
sigAlgo: signer.DefaultSigAlgo(priv),
}, nil
}
func (cs *CFSSLSigner) Sign(csr *certificates.CertificateSigningRequest) ([]byte, error) {
var usages []string
for _, usage := range csr.Spec.Usages {
usages = append(usages, string(usage))
}
policy := &config.Signing{
Default: &config.SigningProfile{
Usage: usages,
Expiry: helpers.OneYear,
ExpiryString: "8760h",
},
}
s, err := local.NewSigner(cs.priv, cs.ca, cs.sigAlgo, policy)
if err != nil {
return nil, err
}
return s.Sign(signer.SignRequest{
Request: string(csr.Spec.Request),
})
}
/*
Copyright 2017 The Kubernetes Authors.
Licensed under the Apache License, Version 2.0 (the "License");
you may not use this file except in compliance with the License.
You may obtain a copy of the License at
http://www.apache.org/licenses/LICENSE-2.0
Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License.
*/
package certificates
import (
"crypto/x509"
"io/ioutil"
"reflect"
"testing"
capi "k8s.io/kubernetes/pkg/apis/certificates/v1alpha1"
"k8s.io/kubernetes/pkg/util/cert"
)
func TestSigner(t *testing.T) {
s, err := NewCFSSLSigner("./testdata/ca.crt", "./testdata/ca.key")
if err != nil {
t.Fatalf("failed to create signer: %v", err)
}
csrb, err := ioutil.ReadFile("./testdata/kubelet.csr")
if err != nil {
t.Fatalf("failed to read CSR: %v", err)
}
csr := &capi.CertificateSigningRequest{
Spec: capi.CertificateSigningRequestSpec{
Request: []byte(csrb),
Usages: []capi.KeyUsage{
capi.UsageSigning,
capi.UsageKeyEncipherment,
capi.UsageServerAuth,
capi.UsageClientAuth,
},
},
}
certData, err := s.Sign(csr)
if err != nil {
t.Fatalf("failed to sign CSR: %v", err)
}
if len(certData) == 0 {
t.Fatalf("expected a certificate after signing")
}
certs, err := cert.ParseCertsPEM(certData)
if err != nil {
t.Fatalf("failed to parse certificate: %v", err)
}
if len(certs) != 1 {
t.Fatalf("expected one certificate")
}
crt := certs[0]
if crt.Subject.CommonName != "system:node:k-a-node-s36b" {
t.Errorf("expected common name of 'system:node:k-a-node-s36b', but got: %v", certs[0].Subject.CommonName)
}
if !reflect.DeepEqual(crt.Subject.Organization, []string{"system:nodes"}) {
t.Errorf("expected organization to be [system:nodes] but got: %v", crt.Subject.Organization)
}
if crt.KeyUsage != x509.KeyUsageDigitalSignature|x509.KeyUsageKeyEncipherment {
t.Errorf("bad key usage")
}
if !reflect.DeepEqual(crt.ExtKeyUsage, []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth, x509.ExtKeyUsageClientAuth}) {
t.Errorf("bad extended key usage")
}
}
-----BEGIN CERTIFICATE-----
MIIC9zCCAd+gAwIBAgIJAOWJ8tWNUIsZMA0GCSqGSIb3DQEBCwUAMBIxEDAOBgNV
BAMMB2t1YmUtY2EwHhcNMTYxMjIyMDAyNTI5WhcNNDQwNTA5MDAyNTI5WjASMRAw
DgYDVQQDDAdrdWJlLWNhMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA
1HK1d2p7N7UC6px8lVtABw8jPpVyNYjrJmI+TKTTdCgWGsUTFMCw4t4Q/KQDDlvB
P19uPhbfp8aLwOWXBCxOPZzlM2mAEjSUgKjbyGCW/8vaXa2VgQm3tKZdydKiFvIo
fEsNA+58w8A0WWEB8wYFcdCt8uPyQ0ws/TxE+WW3u7EPlC0/inIX9JqeZZMpDk3N
lHEv/pGEjQmoet/hBwGHq9PKepkN5/V6rrSADJ5I4Uklp2f7G9MCP/zV8xKfs0lK
CMoJsIPK3nL9N3C0rqBQPfcyKE2fnEkxC3UVZA8brvLTkBfOgmM2eVg/nauU1ejv
zOJL7tDwUioLriw2hiGrFwIDAQABo1AwTjAdBgNVHQ4EFgQUbGJxJeW7BgZ4xSmW
d3Aw3gq8YZUwHwYDVR0jBBgwFoAUbGJxJeW7BgZ4xSmWd3Aw3gq8YZUwDAYDVR0T
BAUwAwEB/zANBgkqhkiG9w0BAQsFAAOCAQEAunzpYAxpzguzxG83pK5n3ObsGDwO
78d38qX1VRvMLPvioZxYgquqqFPdLI3xe8b8KdZNzb65549tgjAI17tTKGTRgJu5
yzLU1tO4vNaAFecMCtPvElYfkrAv2vbGCVJ1bYKTnjdu3083jG3sY9TDj0364A57
lNwKEd5uxHGWg4H+NbyHkDqfKmllzLvJ9XjSWBPmNVLSW50hV+h9fUXgz9LN+qVY
VEDfAEWqb6PVy9ANw8A8QLnuSRxbd7hAigtlC4MwzYJ6tyFIIH6bCIgfoZuA+brm
WGcpIxl4fKEGafSgjsK/6Yhb61mkhHmG16mzEUZNkNsjiYJuF2QxpOlQrw==
-----END CERTIFICATE-----
-----BEGIN RSA PRIVATE KEY-----
MIIEpQIBAAKCAQEA1HK1d2p7N7UC6px8lVtABw8jPpVyNYjrJmI+TKTTdCgWGsUT
FMCw4t4Q/KQDDlvBP19uPhbfp8aLwOWXBCxOPZzlM2mAEjSUgKjbyGCW/8vaXa2V
gQm3tKZdydKiFvIofEsNA+58w8A0WWEB8wYFcdCt8uPyQ0ws/TxE+WW3u7EPlC0/
inIX9JqeZZMpDk3NlHEv/pGEjQmoet/hBwGHq9PKepkN5/V6rrSADJ5I4Uklp2f7
G9MCP/zV8xKfs0lKCMoJsIPK3nL9N3C0rqBQPfcyKE2fnEkxC3UVZA8brvLTkBfO
gmM2eVg/nauU1ejvzOJL7tDwUioLriw2hiGrFwIDAQABAoIBAFJCmEFE2bEYRajS
LusmCgSxt9PjyfUwrtyN7dF/gODZJLX42QqQEe3GTo2EdCp7HLiNGwKvmKo+Fp76
Rx82iJUSyyy9DPn/ogCvYWqU++LP7B2ZuOnd+WPZhzc+d8Sqv0JhTQjYrzaclaiG
B1syWalYRAJogMXOGR102MA4wovJrlHFuTVSWiDe0uguLxyjoTMIRqbib9ZAMSLX
bfcM2abGpXgq10abda3KKAJbZyr2fnBvqKTs4a4zYeHJpQT+NBPMiryb2WnPFg+b
93nrjDxUtPsx8NJz6HGkSQLagXkZX2J1JpT8loaNIdyQHab1LNXptc84LR8xxusy
bs5NowECgYEA+j+SwVgeC+NCUIfxr3F9zPAD9A0Tk3gD4z+j0opfLIMghX4jtK0e
9fQyglecAbojlkEUk/js5IVZ0IIhBNPWXxKtdShZO7EmJ6Z5IEmFrZK1xUomYBa2
BfysqSAkxVLsTDIfI0Q4DHQNDOV+iY3j8WoaR51cXr+IY+mYBGSNI80CgYEA2VS5
X5QHDxoh3r5ORiyab3ciubEofJ29D3NR1tCe9ZgSYRV5Y7T/4KPpZdpsEX/ydYD6
X4DyURuYNK7PUR8DSlX7/VuMzHThqGJMaT0LE+alU4bruiad33X1WXgtcPTGCic0
8il50TZTgba0CwxuCO1eVb3IijwgJBX/byM67nMCgYEA7As1KSwtwzbMoVtpa/xY
Fgu7HuOKuIn22M55fylH1puk/GXb1huJ3aNGVU2/+J0T3jFq8JxXDsJ90kA8Vupe
BXV/qceyS6yv+ax8Cilvbya4T+y+P9qMPR912V1Zccri2ohYeJJrb8uzV5vM/ICb
JmbXfP+AVlrBksSOwG37920CgYEAsSi2X6o8QtxLhdZd2ihbz8cu4G4AkezHhAO+
T70KBytquAcYR+Xwu38CMEvn0jAZRh3YeueTH/i9jxx81STRutPysSni0Xvpwyg2
H4dqM1PNqxQNrlXyVYlDciZb7HsrwHULXOfgbGG7mr6Db4o3XEGap4woID84+BGS
glcWn+8CgYEA36uulmZcodfet04qQvlDtr1d7mwLdTR/JAO0ZBIgFH7eGZdEVh8O
DoTJTdSSJGiv8J35PwEXfhKHjhgOjDocLYu+yCOwVj7jRdHqlDS1BaE36Hzdw0rb
mWkBRMGJtGhzhoRJEFHAnoLXc9danRfnHwVR58drlf7bjR5I9eU9u1I=
-----END RSA PRIVATE KEY-----
-----BEGIN CERTIFICATE REQUEST-----
MIH1MIGdAgEAMDsxFTATBgNVBAoTDHN5c3RlbTpub2RlczEiMCAGA1UEAxMZc3lz
dGVtOm5vZGU6ay1hLW5vZGUtczM2YjBZMBMGByqGSM49AgEGCCqGSM49AwEHA0IA
BJbxa5Y8SrUJVHpOoWD5ceqH+5R9mjIhwVP2sqfTcLkjvbitzOiLlxSq/LwJ+qq7
kVpf9f3GopZVhRWbYSCg0YGgADAKBggqhkjOPQQDAgNHADBEAiAabb6XFtPOJUCQ
+84NhxLEvPANhrtwFq3Q0qFZ9TzH5QIgc/697RTTcbri2lVj+10dLFIC3VYJ7br4
QjA7haCYXrA=
-----END CERTIFICATE REQUEST-----
...@@ -8930,6 +8930,20 @@ var OpenAPIDefinitions *common.OpenAPIDefinitions = &common.OpenAPIDefinitions{ ...@@ -8930,6 +8930,20 @@ var OpenAPIDefinitions *common.OpenAPIDefinitions = &common.OpenAPIDefinitions{
Format: "byte", Format: "byte",
}, },
}, },
"usages": {
SchemaProps: spec.SchemaProps{
Description: "allowedUsages specifies a set of usage contexts the key will be valid for. See: https://tools.ietf.org/html/rfc5280#section-4.2.1.3\n https://tools.ietf.org/html/rfc5280#section-4.2.1.12",
Type: []string{"array"},
Items: &spec.SchemaOrArray{
Schema: &spec.Schema{
SchemaProps: spec.SchemaProps{
Type: []string{"string"},
Format: "",
},
},
},
},
},
"username": { "username": {
SchemaProps: spec.SchemaProps{ SchemaProps: spec.SchemaProps{
Description: "Information about the requesting user (if relevant) See user.Info interface for details", Description: "Information about the requesting user (if relevant) See user.Info interface for details",
......
Markdown is supported
0% or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment