Skip to content
Projects
Groups
Snippets
Help
This project
Loading...
Sign in / Register
Toggle navigation
K
k3s
Project
Project
Details
Activity
Cycle Analytics
Repository
Repository
Files
Commits
Branches
Tags
Contributors
Graph
Compare
Charts
Issues
0
Issues
0
List
Board
Labels
Milestones
Merge Requests
0
Merge Requests
0
CI / CD
CI / CD
Pipelines
Jobs
Schedules
Charts
Registry
Registry
Wiki
Wiki
Snippets
Snippets
Members
Members
Collapse sidebar
Close sidebar
Activity
Graph
Charts
Create a new issue
Jobs
Commits
Issue Boards
Open sidebar
Jacklull
k3s
Commits
fb099ae3
Commit
fb099ae3
authored
Nov 07, 2016
by
Mike Danese
Browse files
Options
Browse Files
Download
Email Patches
Plain Diff
certificates: support allowed usage
parent
ee177dbb
Hide whitespace changes
Inline
Side-by-side
Showing
5 changed files
with
182 additions
and
15 deletions
+182
-15
types.go
pkg/apis/certificates/types.go
+37
-0
types.go
pkg/apis/certificates/v1alpha1/types.go
+37
-0
BUILD
pkg/controller/certificates/BUILD
+1
-0
certificate_controller.go
pkg/controller/certificates/certificate_controller.go
+8
-15
cfssl_signer.go
pkg/controller/certificates/cfssl_signer.go
+99
-0
No files found.
pkg/apis/certificates/types.go
View file @
fb099ae3
...
...
@@ -46,6 +46,12 @@ type CertificateSigningRequestSpec struct {
// Base64-encoded PKCS#10 CSR data
Request
[]
byte
// usages specifies a set of usage contexts the key will be
// valid for.
// See: https://tools.ietf.org/html/rfc5280#section-4.2.1.3
// https://tools.ietf.org/html/rfc5280#section-4.2.1.12
Usages
[]
KeyUsage
// Information about the requesting user (if relevant)
// See user.Info interface for details
// +optional
...
...
@@ -96,3 +102,34 @@ type CertificateSigningRequestList struct {
// +optional
Items
[]
CertificateSigningRequest
}
// KeyUsages specifies valid usage contexts for keys.
// See: https://tools.ietf.org/html/rfc5280#section-4.2.1.3
// https://tools.ietf.org/html/rfc5280#section-4.2.1.12
type
KeyUsage
string
const
(
UsageSigning
KeyUsage
=
"signing"
UsageDigitalSignature
KeyUsage
=
"digital signature"
UsageContentCommittment
KeyUsage
=
"content committment"
UsageKeyEncipherment
KeyUsage
=
"key encipherment"
UsageKeyAgreement
KeyUsage
=
"key agreement"
UsageDataEncipherment
KeyUsage
=
"data encipherment"
UsageCertSign
KeyUsage
=
"cert sign"
UsageCRLSign
KeyUsage
=
"crl sign"
UsageEncipherOnly
KeyUsage
=
"encipher only"
UsageDecipherOnly
KeyUsage
=
"decipher only"
UsageAny
KeyUsage
=
"any"
UsageServerAuth
KeyUsage
=
"server auth"
UsageClientAuth
KeyUsage
=
"client auth"
UsageCodeSigning
KeyUsage
=
"code signing"
UsageEmailProtection
KeyUsage
=
"email protection"
UsageSMIME
KeyUsage
=
"s/mime"
UsageIPsecEndSystem
KeyUsage
=
"ipsec end system"
UsageIPsecTunnel
KeyUsage
=
"ipsec tunnel"
UsageIPsecUser
KeyUsage
=
"ipsec user"
UsageTimestamping
KeyUsage
=
"timestamping"
UsageOCSPSigning
KeyUsage
=
"ocsp signing"
UsageMicrosoftSGC
KeyUsage
=
"microsoft sgc"
UsageNetscapSGC
KeyUsage
=
"netscape sgc"
)
pkg/apis/certificates/v1alpha1/types.go
View file @
fb099ae3
...
...
@@ -46,6 +46,12 @@ type CertificateSigningRequestSpec struct {
// Base64-encoded PKCS#10 CSR data
Request
[]
byte
`json:"request" protobuf:"bytes,1,opt,name=request"`
// allowedUsages specifies a set of usage contexts the key will be
// valid for.
// See: https://tools.ietf.org/html/rfc5280#section-4.2.1.3
// https://tools.ietf.org/html/rfc5280#section-4.2.1.12
Usages
[]
KeyUsage
`json:"usages,omitempty" protobuf:"bytes,5,opt,name=keyUsage"`
// Information about the requesting user (if relevant)
// See user.Info interface for details
// +optional
...
...
@@ -95,3 +101,34 @@ type CertificateSigningRequestList struct {
Items
[]
CertificateSigningRequest
`json:"items" protobuf:"bytes,2,rep,name=items"`
}
// KeyUsages specifies valid usage contexts for keys.
// See: https://tools.ietf.org/html/rfc5280#section-4.2.1.3
// https://tools.ietf.org/html/rfc5280#section-4.2.1.12
type
KeyUsage
string
const
(
UsageSigning
KeyUsage
=
"signing"
UsageDigitalSignature
KeyUsage
=
"digital signature"
UsageContentCommittment
KeyUsage
=
"content committment"
UsageKeyEncipherment
KeyUsage
=
"key encipherment"
UsageKeyAgreement
KeyUsage
=
"key agreement"
UsageDataEncipherment
KeyUsage
=
"data encipherment"
UsageCertSign
KeyUsage
=
"cert sign"
UsageCRLSign
KeyUsage
=
"crl sign"
UsageEncipherOnly
KeyUsage
=
"encipher only"
UsageDecipherOnly
KeyUsage
=
"decipher only"
UsageAny
KeyUsage
=
"any"
UsageServerAuth
KeyUsage
=
"server auth"
UsageClientAuth
KeyUsage
=
"client auth"
UsageCodeSigning
KeyUsage
=
"code signing"
UsageEmailProtection
KeyUsage
=
"email protection"
UsageSMIME
KeyUsage
=
"s/mime"
UsageIPsecEndSystem
KeyUsage
=
"ipsec end system"
UsageIPsecTunnel
KeyUsage
=
"ipsec tunnel"
UsageIPsecUser
KeyUsage
=
"ipsec user"
UsageTimestamping
KeyUsage
=
"timestamping"
UsageOCSPSigning
KeyUsage
=
"ocsp signing"
UsageMicrosoftSGC
KeyUsage
=
"microsoft sgc"
UsageNetscapSGC
KeyUsage
=
"netscape sgc"
)
pkg/controller/certificates/BUILD
View file @
fb099ae3
...
...
@@ -32,6 +32,7 @@ go_library(
"//pkg/util/workqueue:go_default_library",
"//pkg/watch:go_default_library",
"//vendor:github.com/cloudflare/cfssl/config",
"//vendor:github.com/cloudflare/cfssl/helpers",
"//vendor:github.com/cloudflare/cfssl/signer",
"//vendor:github.com/cloudflare/cfssl/signer/local",
"//vendor:github.com/golang/glog",
...
...
pkg/controller/certificates/certificate_controller.go
View file @
fb099ae3
...
...
@@ -33,9 +33,6 @@ import (
"k8s.io/kubernetes/pkg/util/workqueue"
"k8s.io/kubernetes/pkg/watch"
"github.com/cloudflare/cfssl/config"
"github.com/cloudflare/cfssl/signer"
"github.com/cloudflare/cfssl/signer/local"
"github.com/golang/glog"
)
...
...
@@ -43,6 +40,10 @@ type AutoApprover interface {
AutoApprove
(
csr
*
certificates
.
CertificateSigningRequest
)
(
*
certificates
.
CertificateSigningRequest
,
error
)
}
type
Signer
interface
{
Sign
(
csr
*
certificates
.
CertificateSigningRequest
)
([]
byte
,
error
)
}
type
CertificateController
struct
{
kubeClient
clientset
.
Interface
...
...
@@ -53,8 +54,7 @@ type CertificateController struct {
syncHandler
func
(
csrKey
string
)
error
approver
AutoApprover
signer
*
local
.
Signer
signer
Signer
queue
workqueue
.
RateLimitingInterface
}
...
...
@@ -65,12 +65,7 @@ func NewCertificateController(kubeClient clientset.Interface, syncPeriod time.Du
eventBroadcaster
.
StartLogging
(
glog
.
Infof
)
eventBroadcaster
.
StartRecordingToSink
(
&
v1core
.
EventSinkImpl
{
Interface
:
kubeClient
.
Core
()
.
Events
(
""
)})
// Configure cfssl signer
// TODO: support non-default policy and remote/pkcs11 signing
policy
:=
&
config
.
Signing
{
Default
:
config
.
DefaultConfig
(),
}
ca
,
err
:=
local
.
NewSignerFromFile
(
caCertFile
,
caKeyFile
,
policy
)
s
,
err
:=
NewCFSSLSigner
(
caCertFile
,
caKeyFile
)
if
err
!=
nil
{
return
nil
,
err
}
...
...
@@ -78,7 +73,7 @@ func NewCertificateController(kubeClient clientset.Interface, syncPeriod time.Du
cc
:=
&
CertificateController
{
kubeClient
:
kubeClient
,
queue
:
workqueue
.
NewNamedRateLimitingQueue
(
workqueue
.
DefaultControllerRateLimiter
(),
"certificate"
),
signer
:
ca
,
signer
:
s
,
approver
:
approver
,
}
...
...
@@ -209,9 +204,7 @@ func (cc *CertificateController) maybeSignCertificate(key string) error {
// 3. Update the Status subresource
if
csr
.
Status
.
Certificate
==
nil
&&
IsCertificateRequestApproved
(
csr
)
{
pemBytes
:=
csr
.
Spec
.
Request
req
:=
signer
.
SignRequest
{
Request
:
string
(
pemBytes
)}
certBytes
,
err
:=
cc
.
signer
.
Sign
(
req
)
certBytes
,
err
:=
cc
.
signer
.
Sign
(
csr
)
if
err
!=
nil
{
return
err
}
...
...
pkg/controller/certificates/cfssl_signer.go
0 → 100644
View file @
fb099ae3
/*
Copyright 2016 The Kubernetes Authors.
Licensed under the Apache License, Version 2.0 (the "License");
you may not use this file except in compliance with the License.
You may obtain a copy of the License at
http://www.apache.org/licenses/LICENSE-2.0
Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License.
*/
package
certificates
import
(
"crypto"
"crypto/x509"
"fmt"
"io/ioutil"
"os"
certificates
"k8s.io/kubernetes/pkg/apis/certificates/v1alpha1"
"github.com/cloudflare/cfssl/config"
"github.com/cloudflare/cfssl/helpers"
"github.com/cloudflare/cfssl/signer"
"github.com/cloudflare/cfssl/signer/local"
)
var
onlySigningPolicy
=
&
config
.
Signing
{
Default
:
&
config
.
SigningProfile
{
Usage
:
[]
string
{
"signing"
},
Expiry
:
helpers
.
OneYear
,
ExpiryString
:
"8760h"
,
},
}
type
CFSSLSigner
struct
{
ca
*
x509
.
Certificate
priv
crypto
.
Signer
sigAlgo
x509
.
SignatureAlgorithm
}
func
NewCFSSLSigner
(
caFile
,
caKeyFile
string
)
(
*
CFSSLSigner
,
error
)
{
ca
,
err
:=
ioutil
.
ReadFile
(
caFile
)
if
err
!=
nil
{
return
nil
,
err
}
cakey
,
err
:=
ioutil
.
ReadFile
(
caKeyFile
)
if
err
!=
nil
{
return
nil
,
err
}
parsedCa
,
err
:=
helpers
.
ParseCertificatePEM
(
ca
)
if
err
!=
nil
{
return
nil
,
err
}
strPassword
:=
os
.
Getenv
(
"CFSSL_CA_PK_PASSWORD"
)
password
:=
[]
byte
(
strPassword
)
if
strPassword
==
""
{
password
=
nil
}
priv
,
err
:=
helpers
.
ParsePrivateKeyPEMWithPassword
(
cakey
,
password
)
if
err
!=
nil
{
return
nil
,
fmt
.
Errorf
(
"Malformed private key %v"
,
err
)
}
return
&
CFSSLSigner
{
priv
:
priv
,
ca
:
parsedCa
,
sigAlgo
:
signer
.
DefaultSigAlgo
(
priv
),
},
nil
}
func
(
cs
*
CFSSLSigner
)
Sign
(
csr
*
certificates
.
CertificateSigningRequest
)
([]
byte
,
error
)
{
var
usages
[]
string
for
_
,
usage
:=
range
csr
.
Spec
.
Usages
{
usages
=
append
(
usages
,
string
(
usage
))
}
policy
:=
&
config
.
Signing
{
Default
:
&
config
.
SigningProfile
{
Usage
:
usages
,
Expiry
:
helpers
.
OneYear
,
ExpiryString
:
"8760h"
,
},
}
s
,
err
:=
local
.
NewSigner
(
cs
.
priv
,
cs
.
ca
,
cs
.
sigAlgo
,
policy
)
if
err
!=
nil
{
return
nil
,
err
}
return
s
.
Sign
(
signer
.
SignRequest
{
Request
:
string
(
csr
.
Spec
.
Request
),
})
}
Write
Preview
Markdown
is supported
0%
Try again
or
attach a new file
Attach a file
Cancel
You are about to add
0
people
to the discussion. Proceed with caution.
Finish editing this message first!
Cancel
Please
register
or
sign in
to comment