Skip to content
Projects
Groups
Snippets
Help
This project
Loading...
Sign in / Register
Toggle navigation
K
k3s
Project
Project
Details
Activity
Cycle Analytics
Repository
Repository
Files
Commits
Branches
Tags
Contributors
Graph
Compare
Charts
Issues
0
Issues
0
List
Board
Labels
Milestones
Merge Requests
0
Merge Requests
0
CI / CD
CI / CD
Pipelines
Jobs
Schedules
Charts
Registry
Registry
Wiki
Wiki
Snippets
Snippets
Members
Members
Collapse sidebar
Close sidebar
Activity
Graph
Charts
Create a new issue
Jobs
Commits
Issue Boards
Open sidebar
Jacklull
k3s
Commits
68fb529e
Unverified
Commit
68fb529e
authored
Nov 14, 2018
by
k8s-ci-robot
Committed by
GitHub
Nov 14, 2018
Browse files
Options
Browse Files
Download
Plain Diff
Merge pull request #70969 from awly/node-csr-move
Move csr.RequestNodeCertificate into kubelet bootstrap package
parents
ca338b91
5c073abf
Hide whitespace changes
Inline
Side-by-side
Showing
6 changed files
with
195 additions
and
229 deletions
+195
-229
BUILD
pkg/kubelet/certificate/bootstrap/BUILD
+6
-0
bootstrap.go
pkg/kubelet/certificate/bootstrap/bootstrap.go
+74
-3
bootstrap_test.go
pkg/kubelet/certificate/bootstrap/bootstrap_test.go
+114
-1
BUILD
staging/src/k8s.io/client-go/util/certificate/csr/BUILD
+1
-19
csr.go
staging/src/k8s.io/client-go/util/certificate/csr/csr.go
+0
-71
csr_test.go
...ing/src/k8s.io/client-go/util/certificate/csr/csr_test.go
+0
-135
No files found.
pkg/kubelet/certificate/bootstrap/BUILD
View file @
68fb529e
...
@@ -11,8 +11,13 @@ go_test(
...
@@ -11,8 +11,13 @@ go_test(
srcs = ["bootstrap_test.go"],
srcs = ["bootstrap_test.go"],
embed = [":go_default_library"],
embed = [":go_default_library"],
deps = [
deps = [
"//staging/src/k8s.io/api/certificates/v1beta1:go_default_library",
"//staging/src/k8s.io/apimachinery/pkg/apis/meta/v1:go_default_library",
"//staging/src/k8s.io/apimachinery/pkg/util/diff:go_default_library",
"//staging/src/k8s.io/apimachinery/pkg/util/diff:go_default_library",
"//staging/src/k8s.io/apimachinery/pkg/watch:go_default_library",
"//staging/src/k8s.io/client-go/kubernetes/typed/certificates/v1beta1:go_default_library",
"//staging/src/k8s.io/client-go/rest:go_default_library",
"//staging/src/k8s.io/client-go/rest:go_default_library",
"//staging/src/k8s.io/client-go/util/cert:go_default_library",
],
],
)
)
...
@@ -21,6 +26,7 @@ go_library(
...
@@ -21,6 +26,7 @@ go_library(
srcs = ["bootstrap.go"],
srcs = ["bootstrap.go"],
importpath = "k8s.io/kubernetes/pkg/kubelet/certificate/bootstrap",
importpath = "k8s.io/kubernetes/pkg/kubelet/certificate/bootstrap",
deps = [
deps = [
"//staging/src/k8s.io/api/certificates/v1beta1:go_default_library",
"//staging/src/k8s.io/apimachinery/pkg/runtime/serializer:go_default_library",
"//staging/src/k8s.io/apimachinery/pkg/runtime/serializer:go_default_library",
"//staging/src/k8s.io/apimachinery/pkg/types:go_default_library",
"//staging/src/k8s.io/apimachinery/pkg/types:go_default_library",
"//staging/src/k8s.io/apimachinery/pkg/util/runtime:go_default_library",
"//staging/src/k8s.io/apimachinery/pkg/util/runtime:go_default_library",
...
...
pkg/kubelet/certificate/bootstrap/bootstrap.go
View file @
68fb529e
...
@@ -18,6 +18,9 @@ package bootstrap
...
@@ -18,6 +18,9 @@ package bootstrap
import
(
import
(
"context"
"context"
"crypto/sha512"
"crypto/x509/pkix"
"encoding/base64"
"errors"
"errors"
"fmt"
"fmt"
"os"
"os"
...
@@ -26,12 +29,13 @@ import (
...
@@ -26,12 +29,13 @@ import (
"k8s.io/klog"
"k8s.io/klog"
certificates
"k8s.io/api/certificates/v1beta1"
"k8s.io/apimachinery/pkg/runtime/serializer"
"k8s.io/apimachinery/pkg/runtime/serializer"
"k8s.io/apimachinery/pkg/types"
"k8s.io/apimachinery/pkg/types"
utilruntime
"k8s.io/apimachinery/pkg/util/runtime"
utilruntime
"k8s.io/apimachinery/pkg/util/runtime"
"k8s.io/apimachinery/pkg/util/wait"
"k8s.io/apimachinery/pkg/util/wait"
"k8s.io/client-go/kubernetes/scheme"
"k8s.io/client-go/kubernetes/scheme"
certificates
"k8s.io/client-go/kubernetes/typed/certificates/v1beta1"
certificates
v1beta1
"k8s.io/client-go/kubernetes/typed/certificates/v1beta1"
restclient
"k8s.io/client-go/rest"
restclient
"k8s.io/client-go/rest"
"k8s.io/client-go/tools/clientcmd"
"k8s.io/client-go/tools/clientcmd"
clientcmdapi
"k8s.io/client-go/tools/clientcmd/api"
clientcmdapi
"k8s.io/client-go/tools/clientcmd/api"
...
@@ -65,7 +69,7 @@ func LoadClientCert(kubeconfigPath string, bootstrapPath string, certDir string,
...
@@ -65,7 +69,7 @@ func LoadClientCert(kubeconfigPath string, bootstrapPath string, certDir string,
return
fmt
.
Errorf
(
"unable to load bootstrap kubeconfig: %v"
,
err
)
return
fmt
.
Errorf
(
"unable to load bootstrap kubeconfig: %v"
,
err
)
}
}
bootstrapClient
,
err
:=
certificates
.
NewForConfig
(
bootstrapClientConfig
)
bootstrapClient
,
err
:=
certificates
v1beta1
.
NewForConfig
(
bootstrapClientConfig
)
if
err
!=
nil
{
if
err
!=
nil
{
return
fmt
.
Errorf
(
"unable to create certificates signing request client: %v"
,
err
)
return
fmt
.
Errorf
(
"unable to create certificates signing request client: %v"
,
err
)
}
}
...
@@ -102,7 +106,7 @@ func LoadClientCert(kubeconfigPath string, bootstrapPath string, certDir string,
...
@@ -102,7 +106,7 @@ func LoadClientCert(kubeconfigPath string, bootstrapPath string, certDir string,
klog
.
Warningf
(
"Error waiting for apiserver to come up: %v"
,
err
)
klog
.
Warningf
(
"Error waiting for apiserver to come up: %v"
,
err
)
}
}
certData
,
err
:=
csr
.
R
equestNodeCertificate
(
bootstrapClient
.
CertificateSigningRequests
(),
keyData
,
nodeName
)
certData
,
err
:=
r
equestNodeCertificate
(
bootstrapClient
.
CertificateSigningRequests
(),
keyData
,
nodeName
)
if
err
!=
nil
{
if
err
!=
nil
{
return
err
return
err
}
}
...
@@ -244,3 +248,70 @@ func waitForServer(cfg restclient.Config, deadline time.Duration) error {
...
@@ -244,3 +248,70 @@ func waitForServer(cfg restclient.Config, deadline time.Duration) error {
}
}
return
nil
return
nil
}
}
// requestNodeCertificate will create a certificate signing request for a node
// (Organization and CommonName for the CSR will be set as expected for node
// certificates) and send it to API server, then it will watch the object's
// status, once approved by API server, it will return the API server's issued
// certificate (pem-encoded). If there is any errors, or the watch timeouts, it
// will return an error. This is intended for use on nodes (kubelet and
// kubeadm).
func
requestNodeCertificate
(
client
certificatesv1beta1
.
CertificateSigningRequestInterface
,
privateKeyData
[]
byte
,
nodeName
types
.
NodeName
)
(
certData
[]
byte
,
err
error
)
{
subject
:=
&
pkix
.
Name
{
Organization
:
[]
string
{
"system:nodes"
},
CommonName
:
"system:node:"
+
string
(
nodeName
),
}
privateKey
,
err
:=
certutil
.
ParsePrivateKeyPEM
(
privateKeyData
)
if
err
!=
nil
{
return
nil
,
fmt
.
Errorf
(
"invalid private key for certificate request: %v"
,
err
)
}
csrData
,
err
:=
certutil
.
MakeCSR
(
privateKey
,
subject
,
nil
,
nil
)
if
err
!=
nil
{
return
nil
,
fmt
.
Errorf
(
"unable to generate certificate request: %v"
,
err
)
}
usages
:=
[]
certificates
.
KeyUsage
{
certificates
.
UsageDigitalSignature
,
certificates
.
UsageKeyEncipherment
,
certificates
.
UsageClientAuth
,
}
name
:=
digestedName
(
privateKeyData
,
subject
,
usages
)
req
,
err
:=
csr
.
RequestCertificate
(
client
,
csrData
,
name
,
usages
,
privateKey
)
if
err
!=
nil
{
return
nil
,
err
}
return
csr
.
WaitForCertificate
(
client
,
req
,
3600
*
time
.
Second
)
}
// This digest should include all the relevant pieces of the CSR we care about.
// We can't direcly hash the serialized CSR because of random padding that we
// regenerate every loop and we include usages which are not contained in the
// CSR. This needs to be kept up to date as we add new fields to the node
// certificates and with ensureCompatible.
func
digestedName
(
privateKeyData
[]
byte
,
subject
*
pkix
.
Name
,
usages
[]
certificates
.
KeyUsage
)
string
{
hash
:=
sha512
.
New512_256
()
// Here we make sure two different inputs can't write the same stream
// to the hash. This delimiter is not in the base64.URLEncoding
// alphabet so there is no way to have spill over collisions. Without
// it 'CN:foo,ORG:bar' hashes to the same value as 'CN:foob,ORG:ar'
const
delimiter
=
'|'
encode
:=
base64
.
RawURLEncoding
.
EncodeToString
write
:=
func
(
data
[]
byte
)
{
hash
.
Write
([]
byte
(
encode
(
data
)))
hash
.
Write
([]
byte
{
delimiter
})
}
write
(
privateKeyData
)
write
([]
byte
(
subject
.
CommonName
))
for
_
,
v
:=
range
subject
.
Organization
{
write
([]
byte
(
v
))
}
for
_
,
v
:=
range
usages
{
write
([]
byte
(
v
))
}
return
"node-csr-"
+
encode
(
hash
.
Sum
(
nil
))
}
pkg/kubelet/certificate/bootstrap/bootstrap_test.go
View file @
68fb529e
...
@@ -17,13 +17,19 @@ limitations under the License.
...
@@ -17,13 +17,19 @@ limitations under the License.
package
bootstrap
package
bootstrap
import
(
import
(
"fmt"
"io/ioutil"
"io/ioutil"
"os"
"os"
"reflect"
"reflect"
"testing"
"testing"
certificates
"k8s.io/api/certificates/v1beta1"
metav1
"k8s.io/apimachinery/pkg/apis/meta/v1"
"k8s.io/apimachinery/pkg/util/diff"
"k8s.io/apimachinery/pkg/util/diff"
"k8s.io/apimachinery/pkg/watch"
certificatesclient
"k8s.io/client-go/kubernetes/typed/certificates/v1beta1"
restclient
"k8s.io/client-go/rest"
restclient
"k8s.io/client-go/rest"
certutil
"k8s.io/client-go/util/cert"
)
)
func
TestLoadRESTClientConfig
(
t
*
testing
.
T
)
{
func
TestLoadRESTClientConfig
(
t
*
testing
.
T
)
{
...
@@ -36,7 +42,7 @@ clusters:
...
@@ -36,7 +42,7 @@ clusters:
server: https://cluster-a.com
server: https://cluster-a.com
name: cluster-a
name: cluster-a
- cluster:
- cluster:
certificate-authority-data: VGVzdA==
certificate-authority-data: VGVzdA==
server: https://cluster-b.com
server: https://cluster-b.com
name: cluster-b
name: cluster-b
contexts:
contexts:
...
@@ -83,3 +89,110 @@ users:
...
@@ -83,3 +89,110 @@ users:
t
.
Errorf
(
"Unexpected config: %s"
,
diff
.
ObjectDiff
(
config
,
expectedConfig
))
t
.
Errorf
(
"Unexpected config: %s"
,
diff
.
ObjectDiff
(
config
,
expectedConfig
))
}
}
}
}
func
TestRequestNodeCertificateNoKeyData
(
t
*
testing
.
T
)
{
certData
,
err
:=
requestNodeCertificate
(
&
fakeClient
{},
[]
byte
{},
"fake-node-name"
)
if
err
==
nil
{
t
.
Errorf
(
"Got no error, wanted error an error because there was an empty private key passed in."
)
}
if
certData
!=
nil
{
t
.
Errorf
(
"Got cert data, wanted nothing as there should have been an error."
)
}
}
func
TestRequestNodeCertificateErrorCreatingCSR
(
t
*
testing
.
T
)
{
client
:=
&
fakeClient
{
failureType
:
createError
,
}
privateKeyData
,
err
:=
certutil
.
MakeEllipticPrivateKeyPEM
()
if
err
!=
nil
{
t
.
Fatalf
(
"Unable to generate a new private key: %v"
,
err
)
}
certData
,
err
:=
requestNodeCertificate
(
client
,
privateKeyData
,
"fake-node-name"
)
if
err
==
nil
{
t
.
Errorf
(
"Got no error, wanted error an error because client.Create failed."
)
}
if
certData
!=
nil
{
t
.
Errorf
(
"Got cert data, wanted nothing as there should have been an error."
)
}
}
func
TestRequestNodeCertificate
(
t
*
testing
.
T
)
{
privateKeyData
,
err
:=
certutil
.
MakeEllipticPrivateKeyPEM
()
if
err
!=
nil
{
t
.
Fatalf
(
"Unable to generate a new private key: %v"
,
err
)
}
certData
,
err
:=
requestNodeCertificate
(
&
fakeClient
{},
privateKeyData
,
"fake-node-name"
)
if
err
!=
nil
{
t
.
Errorf
(
"Got %v, wanted no error."
,
err
)
}
if
certData
==
nil
{
t
.
Errorf
(
"Got nothing, expected a CSR."
)
}
}
type
failureType
int
const
(
noError
failureType
=
iota
createError
certificateSigningRequestDenied
)
type
fakeClient
struct
{
certificatesclient
.
CertificateSigningRequestInterface
watch
*
watch
.
FakeWatcher
failureType
failureType
}
func
(
c
*
fakeClient
)
Create
(
*
certificates
.
CertificateSigningRequest
)
(
*
certificates
.
CertificateSigningRequest
,
error
)
{
if
c
.
failureType
==
createError
{
return
nil
,
fmt
.
Errorf
(
"fakeClient failed creating request"
)
}
csr
:=
certificates
.
CertificateSigningRequest
{
ObjectMeta
:
metav1
.
ObjectMeta
{
UID
:
"fake-uid"
,
Name
:
"fake-certificate-signing-request-name"
,
},
}
return
&
csr
,
nil
}
func
(
c
*
fakeClient
)
List
(
opts
metav1
.
ListOptions
)
(
*
certificates
.
CertificateSigningRequestList
,
error
)
{
return
&
certificates
.
CertificateSigningRequestList
{},
nil
}
func
(
c
*
fakeClient
)
Watch
(
opts
metav1
.
ListOptions
)
(
watch
.
Interface
,
error
)
{
c
.
watch
=
watch
.
NewFakeWithChanSize
(
1
,
false
)
c
.
watch
.
Add
(
c
.
generateCSR
())
c
.
watch
.
Stop
()
return
c
.
watch
,
nil
}
func
(
c
*
fakeClient
)
generateCSR
()
*
certificates
.
CertificateSigningRequest
{
var
condition
certificates
.
CertificateSigningRequestCondition
if
c
.
failureType
==
certificateSigningRequestDenied
{
condition
=
certificates
.
CertificateSigningRequestCondition
{
Type
:
certificates
.
CertificateDenied
,
}
}
else
{
condition
=
certificates
.
CertificateSigningRequestCondition
{
Type
:
certificates
.
CertificateApproved
,
}
}
csr
:=
certificates
.
CertificateSigningRequest
{
ObjectMeta
:
metav1
.
ObjectMeta
{
UID
:
"fake-uid"
,
},
Status
:
certificates
.
CertificateSigningRequestStatus
{
Conditions
:
[]
certificates
.
CertificateSigningRequestCondition
{
condition
,
},
Certificate
:
[]
byte
{},
},
}
return
&
csr
}
staging/src/k8s.io/client-go/util/certificate/csr/BUILD
View file @
68fb529e
package(default_visibility = ["//visibility:public"])
package(default_visibility = ["//visibility:public"])
load(
load("@io_bazel_rules_go//go:def.bzl", "go_library")
"@io_bazel_rules_go//go:def.bzl",
"go_library",
"go_test",
)
go_library(
go_library(
name = "go_default_library",
name = "go_default_library",
...
@@ -17,7 +13,6 @@ go_library(
...
@@ -17,7 +13,6 @@ go_library(
"//staging/src/k8s.io/apimachinery/pkg/apis/meta/v1:go_default_library",
"//staging/src/k8s.io/apimachinery/pkg/apis/meta/v1:go_default_library",
"//staging/src/k8s.io/apimachinery/pkg/fields:go_default_library",
"//staging/src/k8s.io/apimachinery/pkg/fields:go_default_library",
"//staging/src/k8s.io/apimachinery/pkg/runtime:go_default_library",
"//staging/src/k8s.io/apimachinery/pkg/runtime:go_default_library",
"//staging/src/k8s.io/apimachinery/pkg/types:go_default_library",
"//staging/src/k8s.io/apimachinery/pkg/util/wait:go_default_library",
"//staging/src/k8s.io/apimachinery/pkg/util/wait:go_default_library",
"//staging/src/k8s.io/apimachinery/pkg/watch:go_default_library",
"//staging/src/k8s.io/apimachinery/pkg/watch:go_default_library",
"//staging/src/k8s.io/client-go/kubernetes/typed/certificates/v1beta1:go_default_library",
"//staging/src/k8s.io/client-go/kubernetes/typed/certificates/v1beta1:go_default_library",
...
@@ -40,16 +35,3 @@ filegroup(
...
@@ -40,16 +35,3 @@ filegroup(
srcs = [":package-srcs"],
srcs = [":package-srcs"],
tags = ["automanaged"],
tags = ["automanaged"],
)
)
go_test(
name = "go_default_test",
srcs = ["csr_test.go"],
embed = [":go_default_library"],
deps = [
"//staging/src/k8s.io/api/certificates/v1beta1:go_default_library",
"//staging/src/k8s.io/apimachinery/pkg/apis/meta/v1:go_default_library",
"//staging/src/k8s.io/apimachinery/pkg/watch:go_default_library",
"//staging/src/k8s.io/client-go/kubernetes/typed/certificates/v1beta1:go_default_library",
"//staging/src/k8s.io/client-go/util/cert:go_default_library",
],
)
staging/src/k8s.io/client-go/util/certificate/csr/csr.go
View file @
68fb529e
...
@@ -18,10 +18,7 @@ package csr
...
@@ -18,10 +18,7 @@ package csr
import
(
import
(
"crypto"
"crypto"
"crypto/sha512"
"crypto/x509"
"crypto/x509"
"crypto/x509/pkix"
"encoding/base64"
"encoding/pem"
"encoding/pem"
"fmt"
"fmt"
"reflect"
"reflect"
...
@@ -34,7 +31,6 @@ import (
...
@@ -34,7 +31,6 @@ import (
metav1
"k8s.io/apimachinery/pkg/apis/meta/v1"
metav1
"k8s.io/apimachinery/pkg/apis/meta/v1"
"k8s.io/apimachinery/pkg/fields"
"k8s.io/apimachinery/pkg/fields"
"k8s.io/apimachinery/pkg/runtime"
"k8s.io/apimachinery/pkg/runtime"
"k8s.io/apimachinery/pkg/types"
"k8s.io/apimachinery/pkg/util/wait"
"k8s.io/apimachinery/pkg/util/wait"
"k8s.io/apimachinery/pkg/watch"
"k8s.io/apimachinery/pkg/watch"
certificatesclient
"k8s.io/client-go/kubernetes/typed/certificates/v1beta1"
certificatesclient
"k8s.io/client-go/kubernetes/typed/certificates/v1beta1"
...
@@ -43,41 +39,6 @@ import (
...
@@ -43,41 +39,6 @@ import (
certutil
"k8s.io/client-go/util/cert"
certutil
"k8s.io/client-go/util/cert"
)
)
// RequestNodeCertificate will create a certificate signing request for a node
// (Organization and CommonName for the CSR will be set as expected for node
// certificates) and send it to API server, then it will watch the object's
// status, once approved by API server, it will return the API server's issued
// certificate (pem-encoded). If there is any errors, or the watch timeouts, it
// will return an error. This is intended for use on nodes (kubelet and
// kubeadm).
func
RequestNodeCertificate
(
client
certificatesclient
.
CertificateSigningRequestInterface
,
privateKeyData
[]
byte
,
nodeName
types
.
NodeName
)
(
certData
[]
byte
,
err
error
)
{
subject
:=
&
pkix
.
Name
{
Organization
:
[]
string
{
"system:nodes"
},
CommonName
:
"system:node:"
+
string
(
nodeName
),
}
privateKey
,
err
:=
certutil
.
ParsePrivateKeyPEM
(
privateKeyData
)
if
err
!=
nil
{
return
nil
,
fmt
.
Errorf
(
"invalid private key for certificate request: %v"
,
err
)
}
csrData
,
err
:=
certutil
.
MakeCSR
(
privateKey
,
subject
,
nil
,
nil
)
if
err
!=
nil
{
return
nil
,
fmt
.
Errorf
(
"unable to generate certificate request: %v"
,
err
)
}
usages
:=
[]
certificates
.
KeyUsage
{
certificates
.
UsageDigitalSignature
,
certificates
.
UsageKeyEncipherment
,
certificates
.
UsageClientAuth
,
}
name
:=
digestedName
(
privateKeyData
,
subject
,
usages
)
req
,
err
:=
RequestCertificate
(
client
,
csrData
,
name
,
usages
,
privateKey
)
if
err
!=
nil
{
return
nil
,
err
}
return
WaitForCertificate
(
client
,
req
,
3600
*
time
.
Second
)
}
// RequestCertificate will either use an existing (if this process has run
// RequestCertificate will either use an existing (if this process has run
// before but not to completion) or create a certificate signing request using the
// before but not to completion) or create a certificate signing request using the
// PEM encoded CSR and send it to API server, then it will watch the object's
// PEM encoded CSR and send it to API server, then it will watch the object's
...
@@ -168,38 +129,6 @@ func WaitForCertificate(client certificatesclient.CertificateSigningRequestInter
...
@@ -168,38 +129,6 @@ func WaitForCertificate(client certificatesclient.CertificateSigningRequestInter
return
event
.
Object
.
(
*
certificates
.
CertificateSigningRequest
)
.
Status
.
Certificate
,
nil
return
event
.
Object
.
(
*
certificates
.
CertificateSigningRequest
)
.
Status
.
Certificate
,
nil
}
}
// This digest should include all the relevant pieces of the CSR we care about.
// We can't direcly hash the serialized CSR because of random padding that we
// regenerate every loop and we include usages which are not contained in the
// CSR. This needs to be kept up to date as we add new fields to the node
// certificates and with ensureCompatible.
func
digestedName
(
privateKeyData
[]
byte
,
subject
*
pkix
.
Name
,
usages
[]
certificates
.
KeyUsage
)
string
{
hash
:=
sha512
.
New512_256
()
// Here we make sure two different inputs can't write the same stream
// to the hash. This delimiter is not in the base64.URLEncoding
// alphabet so there is no way to have spill over collisions. Without
// it 'CN:foo,ORG:bar' hashes to the same value as 'CN:foob,ORG:ar'
const
delimiter
=
'|'
encode
:=
base64
.
RawURLEncoding
.
EncodeToString
write
:=
func
(
data
[]
byte
)
{
hash
.
Write
([]
byte
(
encode
(
data
)))
hash
.
Write
([]
byte
{
delimiter
})
}
write
(
privateKeyData
)
write
([]
byte
(
subject
.
CommonName
))
for
_
,
v
:=
range
subject
.
Organization
{
write
([]
byte
(
v
))
}
for
_
,
v
:=
range
usages
{
write
([]
byte
(
v
))
}
return
"node-csr-"
+
encode
(
hash
.
Sum
(
nil
))
}
// ensureCompatible ensures that a CSR object is compatible with an original CSR
// ensureCompatible ensures that a CSR object is compatible with an original CSR
func
ensureCompatible
(
new
,
orig
*
certificates
.
CertificateSigningRequest
,
privateKey
interface
{})
error
{
func
ensureCompatible
(
new
,
orig
*
certificates
.
CertificateSigningRequest
,
privateKey
interface
{})
error
{
newCSR
,
err
:=
parseCSR
(
new
)
newCSR
,
err
:=
parseCSR
(
new
)
...
...
staging/src/k8s.io/client-go/util/certificate/csr/csr_test.go
deleted
100644 → 0
View file @
ca338b91
/*
Copyright 2017 The Kubernetes Authors.
Licensed under the Apache License, Version 2.0 (the "License");
you may not use this file except in compliance with the License.
You may obtain a copy of the License at
http://www.apache.org/licenses/LICENSE-2.0
Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License.
*/
package
csr
import
(
"fmt"
"testing"
certificates
"k8s.io/api/certificates/v1beta1"
metav1
"k8s.io/apimachinery/pkg/apis/meta/v1"
watch
"k8s.io/apimachinery/pkg/watch"
certificatesclient
"k8s.io/client-go/kubernetes/typed/certificates/v1beta1"
certutil
"k8s.io/client-go/util/cert"
)
func
TestRequestNodeCertificateNoKeyData
(
t
*
testing
.
T
)
{
certData
,
err
:=
RequestNodeCertificate
(
&
fakeClient
{},
[]
byte
{},
"fake-node-name"
)
if
err
==
nil
{
t
.
Errorf
(
"Got no error, wanted error an error because there was an empty private key passed in."
)
}
if
certData
!=
nil
{
t
.
Errorf
(
"Got cert data, wanted nothing as there should have been an error."
)
}
}
func
TestRequestNodeCertificateErrorCreatingCSR
(
t
*
testing
.
T
)
{
client
:=
&
fakeClient
{
failureType
:
createError
,
}
privateKeyData
,
err
:=
certutil
.
MakeEllipticPrivateKeyPEM
()
if
err
!=
nil
{
t
.
Fatalf
(
"Unable to generate a new private key: %v"
,
err
)
}
certData
,
err
:=
RequestNodeCertificate
(
client
,
privateKeyData
,
"fake-node-name"
)
if
err
==
nil
{
t
.
Errorf
(
"Got no error, wanted error an error because client.Create failed."
)
}
if
certData
!=
nil
{
t
.
Errorf
(
"Got cert data, wanted nothing as there should have been an error."
)
}
}
func
TestRequestNodeCertificate
(
t
*
testing
.
T
)
{
privateKeyData
,
err
:=
certutil
.
MakeEllipticPrivateKeyPEM
()
if
err
!=
nil
{
t
.
Fatalf
(
"Unable to generate a new private key: %v"
,
err
)
}
certData
,
err
:=
RequestNodeCertificate
(
&
fakeClient
{},
privateKeyData
,
"fake-node-name"
)
if
err
!=
nil
{
t
.
Errorf
(
"Got %v, wanted no error."
,
err
)
}
if
certData
==
nil
{
t
.
Errorf
(
"Got nothing, expected a CSR."
)
}
}
type
FailureType
int
const
(
noError
FailureType
=
iota
createError
certificateSigningRequestDenied
)
type
fakeClient
struct
{
certificatesclient
.
CertificateSigningRequestInterface
watch
*
watch
.
FakeWatcher
failureType
FailureType
}
func
(
c
*
fakeClient
)
Create
(
*
certificates
.
CertificateSigningRequest
)
(
*
certificates
.
CertificateSigningRequest
,
error
)
{
if
c
.
failureType
==
createError
{
return
nil
,
fmt
.
Errorf
(
"fakeClient failed creating request"
)
}
csr
:=
certificates
.
CertificateSigningRequest
{
ObjectMeta
:
metav1
.
ObjectMeta
{
UID
:
"fake-uid"
,
Name
:
"fake-certificate-signing-request-name"
,
},
}
return
&
csr
,
nil
}
func
(
c
*
fakeClient
)
List
(
opts
metav1
.
ListOptions
)
(
*
certificates
.
CertificateSigningRequestList
,
error
)
{
return
&
certificates
.
CertificateSigningRequestList
{},
nil
}
func
(
c
*
fakeClient
)
Watch
(
opts
metav1
.
ListOptions
)
(
watch
.
Interface
,
error
)
{
c
.
watch
=
watch
.
NewFakeWithChanSize
(
1
,
false
)
c
.
watch
.
Add
(
c
.
generateCSR
())
c
.
watch
.
Stop
()
return
c
.
watch
,
nil
}
func
(
c
*
fakeClient
)
generateCSR
()
*
certificates
.
CertificateSigningRequest
{
var
condition
certificates
.
CertificateSigningRequestCondition
if
c
.
failureType
==
certificateSigningRequestDenied
{
condition
=
certificates
.
CertificateSigningRequestCondition
{
Type
:
certificates
.
CertificateDenied
,
}
}
else
{
condition
=
certificates
.
CertificateSigningRequestCondition
{
Type
:
certificates
.
CertificateApproved
,
}
}
csr
:=
certificates
.
CertificateSigningRequest
{
ObjectMeta
:
metav1
.
ObjectMeta
{
UID
:
"fake-uid"
,
},
Status
:
certificates
.
CertificateSigningRequestStatus
{
Conditions
:
[]
certificates
.
CertificateSigningRequestCondition
{
condition
,
},
Certificate
:
[]
byte
{},
},
}
return
&
csr
}
Write
Preview
Markdown
is supported
0%
Try again
or
attach a new file
Attach a file
Cancel
You are about to add
0
people
to the discussion. Proceed with caution.
Finish editing this message first!
Cancel
Please
register
or
sign in
to comment