Migrate the webhook-certgen program to inside ingress repo (#7475)

images/kube-webhook-certgen/rootfs/pkg/certs/certs.go

@@ -0,0 +1,99 @@
+package certs
+
+import (
+	"crypto/ecdsa"
+	"crypto/elliptic"
+	"crypto/rand"
+	"crypto/x509"
+	"crypto/x509/pkix"
+	"encoding/pem"
+	log "github.com/sirupsen/logrus"
+	"math/big"
+	"net"
+	"strings"
+	"time"
+)
+
+// GenerateCerts venerates a ca with a leaf certificate and key and returns the ca, cert and key as PEM encoded slices
+func GenerateCerts(host string) (ca []byte, cert []byte, key []byte) {
+	notBefore := time.Now().Add(time.Minute * -5)
+	notAfter := notBefore.Add(100 * 365 * 24 * time.Hour)
+
+	serialNumberLimit := new(big.Int).Lsh(big.NewInt(1), 128)
+	serialNumber, err := rand.Int(rand.Reader, serialNumberLimit)
+	if err != nil {
+		log.WithField("err", err).Fatal("failed to generate serial number")
+	}
+	rootKey, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
+	if err != nil {
+		log.WithField("err", err).Fatal("failed scdsa.GenerateKey")
+	}
+
+	rootTemplate := x509.Certificate{
+		SerialNumber:          serialNumber,
+		NotBefore:             notBefore,
+		NotAfter:              notAfter,
+		KeyUsage:              x509.KeyUsageCertSign,
+		ExtKeyUsage:           []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
+		BasicConstraintsValid: true,
+		IsCA:                  true,
+		Subject:               pkix.Name{Organization: []string{"nil1"}},
+	}
+
+	derBytes, err := x509.CreateCertificate(rand.Reader, &rootTemplate, &rootTemplate, &rootKey.PublicKey, rootKey)
+	if err != nil {
+		log.WithField("err", err).Fatal("failed createCertificate for Ca")
+	}
+
+	ca = encodeCert(derBytes)
+
+	leafKey, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
+	if err != nil {
+		log.WithField("err", err).Fatal("failed createLeafKey for certificate")
+	}
+
+	key = encodeKey(leafKey)
+
+	serialNumber, err = rand.Int(rand.Reader, serialNumberLimit)
+	if err != nil {
+		log.WithField("err", err).Fatal("failed to generate serial number")
+	}
+	leafTemplate := x509.Certificate{
+		SerialNumber:          serialNumber,
+		NotBefore:             notBefore,
+		NotAfter:              notAfter,
+		KeyUsage:              x509.KeyUsageDigitalSignature | x509.KeyUsageKeyEncipherment,
+		ExtKeyUsage:           []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
+		BasicConstraintsValid: true,
+		IsCA:                  false,
+		Subject:               pkix.Name{Organization: []string{"nil2"}},
+	}
+	hosts := strings.Split(host, ",")
+	for _, h := range hosts {
+		if ip := net.ParseIP(h); ip != nil {
+			leafTemplate.IPAddresses = append(leafTemplate.IPAddresses, ip)
+		} else {
+			leafTemplate.DNSNames = append(leafTemplate.DNSNames, h)
+		}
+	}
+
+	derBytes, err = x509.CreateCertificate(rand.Reader, &leafTemplate, &rootTemplate, &leafKey.PublicKey, rootKey)
+	if err != nil {
+		log.WithField("err", err).Fatal("failed createLeaf certificate")
+	}
+
+	cert = encodeCert(derBytes)
+	return ca, cert, key
+}
+
+func encodeKey(key *ecdsa.PrivateKey) []byte {
+	b, err := x509.MarshalECPrivateKey(key)
+	if err != nil {
+		log.WithField("err", err).Fatal("unable to marshal ECDSA private key")
+	}
+	return pem.EncodeToMemory(&pem.Block{Type: "EC PRIVATE KEY", Bytes: b})
+}
+
+func encodeCert(derBytes []byte) []byte {
+	return pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: derBytes})
+}

images/kube-webhook-certgen/rootfs/pkg/certs/certs_test.go

@@ -0,0 +1,61 @@
+package certs
+
+import (
+	"bytes"
+	"crypto/tls"
+	"crypto/x509"
+	"fmt"
+	"io/ioutil"
+	"net/http"
+	"net/http/httptest"
+	"testing"
+)
+
+func handler(w http.ResponseWriter, r *http.Request) {
+	_, _ = fmt.Fprintf(w, "Hello World")
+}
+
+func TestCertificateCreation(t *testing.T) {
+
+	ca, cert, key := GenerateCerts("localhost")
+
+	c, err := tls.X509KeyPair(cert, key)
+	if err != nil {
+		t.Fatal(err)
+	}
+
+	caCertPool := x509.NewCertPool()
+	caCertPool.AppendCertsFromPEM(ca)
+
+	tr := &http.Transport{
+		TLSClientConfig: &tls.Config{
+			RootCAs:    caCertPool,
+			ServerName: "localhost"}}
+
+	ts := httptest.NewUnstartedServer(http.HandlerFunc(handler))
+	ts.TLS = &tls.Config{Certificates: []tls.Certificate{c}}
+	ts.StartTLS()
+	defer ts.Close()
+
+	client := &http.Client{Transport: tr}
+	res, err := client.Get(ts.URL)
+	if err != nil {
+		t.Fatal(err)
+	}
+	defer res.Body.Close()
+
+	if res.StatusCode != http.StatusOK {
+		t.Errorf("Response code was %v; want 200", res.StatusCode)
+	}
+
+	body, err := ioutil.ReadAll(res.Body)
+	if err != nil {
+		t.Fatal(err)
+	}
+
+	expected := []byte("Hello World")
+
+	if bytes.Compare(expected, body) != 0 {
+		t.Errorf("Response body was '%v'; want '%v'", expected, body)
+	}
+}

images/kube-webhook-certgen/rootfs/pkg/k8s/k8s.go

@@ -0,0 +1,138 @@
+package k8s
+
+import (
+	"context"
+
+	log "github.com/sirupsen/logrus"
+	admissionv1 "k8s.io/api/admissionregistration/v1"
+	v1 "k8s.io/api/core/v1"
+	k8serrors "k8s.io/apimachinery/pkg/api/errors"
+	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+	"k8s.io/client-go/kubernetes"
+	"k8s.io/client-go/tools/clientcmd"
+)
+
+type k8s struct {
+	clientset kubernetes.Interface
+}
+
+func New(kubeconfig string) *k8s {
+	config, err := clientcmd.BuildConfigFromFlags("", kubeconfig)
+	if err != nil {
+		log.WithError(err).Fatal("error building kubernetes config")
+	}
+
+	c, err := kubernetes.NewForConfig(config)
+	if err != nil {
+		log.WithError(err).Fatal("error creating kubernetes client")
+	}
+
+	return &k8s{clientset: c}
+}
+
+// PatchWebhookConfigurations will patch validatingWebhook and mutatingWebhook clientConfig configurations with
+// the provided ca data. If failurePolicy is provided, patch all webhooks with this value
+func (k8s *k8s) PatchWebhookConfigurations(
+	configurationNames string, ca []byte,
+	failurePolicy *admissionv1.FailurePolicyType,
+	patchMutating bool, patchValidating bool) {
+
+	log.Infof("patching webhook configurations '%s' mutating=%t, validating=%t, failurePolicy=%s", configurationNames, patchMutating, patchValidating, *failurePolicy)
+
+	if patchValidating {
+		valHook, err := k8s.clientset.
+			AdmissionregistrationV1().
+			ValidatingWebhookConfigurations().
+			Get(context.TODO(), configurationNames, metav1.GetOptions{})
+
+		if err != nil {
+			log.WithField("err", err).Fatal("failed getting validating webhook")
+		}
+
+		for i := range valHook.Webhooks {
+			h := &valHook.Webhooks[i]
+			h.ClientConfig.CABundle = ca
+			if *failurePolicy != "" {
+				h.FailurePolicy = failurePolicy
+			}
+		}
+
+		if _, err = k8s.clientset.AdmissionregistrationV1().
+			ValidatingWebhookConfigurations().
+			Update(context.TODO(), valHook, metav1.UpdateOptions{}); err != nil {
+			log.WithField("err", err).Fatal("failed patching validating webhook")
+		}
+		log.Debug("patched validating hook")
+	} else {
+		log.Debug("validating hook patching not required")
+	}
+
+	if patchMutating {
+		mutHook, err := k8s.clientset.
+			AdmissionregistrationV1().
+			MutatingWebhookConfigurations().
+			Get(context.TODO(), configurationNames, metav1.GetOptions{})
+		if err != nil {
+			log.WithField("err", err).Fatal("failed getting validating webhook")
+		}
+
+		for i := range mutHook.Webhooks {
+			h := &mutHook.Webhooks[i]
+			h.ClientConfig.CABundle = ca
+			if *failurePolicy != "" {
+				h.FailurePolicy = failurePolicy
+			}
+		}
+
+		if _, err = k8s.clientset.AdmissionregistrationV1().
+			MutatingWebhookConfigurations().
+			Update(context.TODO(), mutHook, metav1.UpdateOptions{}); err != nil {
+			log.WithField("err", err).Fatal("failed patching validating webhook")
+		}
+		log.Debug("patched mutating hook")
+	} else {
+		log.Debug("mutating hook patching not required")
+	}
+
+	log.Info("Patched hook(s)")
+}
+
+// GetCaFromSecret will check for the presence of a secret. If it exists, will return the content of the
+// "ca" from the secret, otherwise will return nil
+func (k8s *k8s) GetCaFromSecret(secretName string, namespace string) []byte {
+	log.Debugf("getting secret '%s' in namespace '%s'", secretName, namespace)
+	secret, err := k8s.clientset.CoreV1().Secrets(namespace).Get(context.TODO(), secretName, metav1.GetOptions{})
+	if err != nil {
+		if k8serrors.IsNotFound(err) {
+			log.WithField("err", err).Info("no secret found")
+			return nil
+		}
+		log.WithField("err", err).Fatal("error getting secret")
+	}
+
+	data := secret.Data["ca"]
+	if data == nil {
+		log.Fatal("got secret, but it did not contain a 'ca' key")
+	}
+	log.Debug("got secret")
+	return data
+}
+
+// SaveCertsToSecret saves the provided ca, cert and key into a secret in the specified namespace.
+func (k8s *k8s) SaveCertsToSecret(secretName, namespace, certName, keyName string, ca, cert, key []byte) {
+
+	log.Debugf("saving to secret '%s' in namespace '%s'", secretName, namespace)
+	secret := &v1.Secret{
+		ObjectMeta: metav1.ObjectMeta{
+			Name: secretName,
+		},
+		Data: map[string][]byte{"ca": ca, certName: cert, keyName: key},
+	}
+
+	log.Debug("saving secret")
+	_, err := k8s.clientset.CoreV1().Secrets(namespace).Create(context.TODO(), secret, metav1.CreateOptions{})
+	if err != nil {
+		log.WithField("err", err).Fatal("failed creating secret")
+	}
+	log.Debug("saved secret")
+}

images/kube-webhook-certgen/rootfs/pkg/k8s/k8s_test.go

@@ -0,0 +1,159 @@
+package k8s
+
+import (
+	"bytes"
+	"context"
+	"math/rand"
+	"testing"
+
+	admissionv1 "k8s.io/api/admissionregistration/v1"
+	v1 "k8s.io/api/core/v1"
+	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+	"k8s.io/client-go/kubernetes/fake"
+)
+
+const (
+	testWebhookName = "c7c95710-d8c3-4cc3-a2a8-8d2b46909c76"
+	testSecretName  = "15906410-af2a-4f9b-8a2d-c08ffdd5e129"
+	testNamespace   = "7cad5f92-c0d5-4bc9-87a3-6f44d5a5619d"
+)
+
+var (
+	fail   = admissionv1.Fail
+	ignore = admissionv1.Ignore
+)
+
+func genSecretData() (ca, cert, key []byte) {
+	ca = make([]byte, 4)
+	cert = make([]byte, 4)
+	key = make([]byte, 4)
+	rand.Read(cert)
+	rand.Read(key)
+	return
+}
+
+func newTestSimpleK8s() *k8s {
+	return &k8s{
+		clientset: fake.NewSimpleClientset(),
+	}
+}
+
+func TestGetCaFromCertificate(t *testing.T) {
+	k := newTestSimpleK8s()
+
+	ca, cert, key := genSecretData()
+
+	secret := &v1.Secret{
+		ObjectMeta: metav1.ObjectMeta{
+			Name: testSecretName,
+		},
+		Data: map[string][]byte{"ca": ca, "cert": cert, "key": key},
+	}
+
+	k.clientset.CoreV1().Secrets(testNamespace).Create(context.Background(), secret, metav1.CreateOptions{})
+
+	retrievedCa := k.GetCaFromSecret(testSecretName, testNamespace)
+	if !bytes.Equal(retrievedCa, ca) {
+		t.Error("Was not able to retrieve CA information that was saved")
+	}
+}
+
+func TestSaveCertsToSecret(t *testing.T) {
+	k := newTestSimpleK8s()
+
+	ca, cert, key := genSecretData()
+
+	k.SaveCertsToSecret(testSecretName, testNamespace, "cert", "key", ca, cert, key)
+
+	secret, _ := k.clientset.CoreV1().Secrets(testNamespace).Get(context.Background(), testSecretName, metav1.GetOptions{})
+
+	if !bytes.Equal(secret.Data["cert"], cert) {
+		t.Error("'cert' saved data does not match retrieved")
+	}
+
+	if !bytes.Equal(secret.Data["key"], key) {
+		t.Error("'key' saved data does not match retrieved")
+	}
+}
+
+func TestSaveThenLoadSecret(t *testing.T) {
+	k := newTestSimpleK8s()
+	ca, cert, key := genSecretData()
+	k.SaveCertsToSecret(testSecretName, testNamespace, "cert", "key", ca, cert, key)
+	retrievedCert := k.GetCaFromSecret(testSecretName, testNamespace)
+	if !bytes.Equal(retrievedCert, ca) {
+		t.Error("Was not able to retrieve CA information that was saved")
+	}
+}
+
+func TestPatchWebhookConfigurations(t *testing.T) {
+	k := newTestSimpleK8s()
+
+	ca, _, _ := genSecretData()
+
+	k.clientset.
+		AdmissionregistrationV1().
+		MutatingWebhookConfigurations().
+		Create(context.Background(), &admissionv1.MutatingWebhookConfiguration{
+			TypeMeta: metav1.TypeMeta{},
+			ObjectMeta: metav1.ObjectMeta{
+				Name: testWebhookName,
+			},
+			Webhooks: []admissionv1.MutatingWebhook{{Name: "m1"}, {Name: "m2"}}}, metav1.CreateOptions{})
+
+	k.clientset.
+		AdmissionregistrationV1().
+		ValidatingWebhookConfigurations().
+		Create(context.Background(), &admissionv1.ValidatingWebhookConfiguration{
+			TypeMeta: metav1.TypeMeta{},
+			ObjectMeta: metav1.ObjectMeta{
+				Name: testWebhookName,
+			},
+			Webhooks: []admissionv1.ValidatingWebhook{{Name: "v1"}, {Name: "v2"}}}, metav1.CreateOptions{})
+
+	k.PatchWebhookConfigurations(testWebhookName, ca, &fail, true, true)
+
+	whmut, err := k.clientset.
+		AdmissionregistrationV1().
+		MutatingWebhookConfigurations().
+		Get(context.Background(), testWebhookName, metav1.GetOptions{})
+
+	if err != nil {
+		t.Error(err)
+	}
+
+	whval, err := k.clientset.
+		AdmissionregistrationV1beta1().
+		MutatingWebhookConfigurations().
+		Get(context.Background(), testWebhookName, metav1.GetOptions{})
+
+	if err != nil {
+		t.Error(err)
+	}
+
+	if !bytes.Equal(whmut.Webhooks[0].ClientConfig.CABundle, ca) {
+		t.Error("Ca retrieved from first mutating webhook configuration does not match")
+	}
+	if !bytes.Equal(whmut.Webhooks[1].ClientConfig.CABundle, ca) {
+		t.Error("Ca retrieved from second mutating webhook configuration does not match")
+	}
+	if !bytes.Equal(whval.Webhooks[0].ClientConfig.CABundle, ca) {
+		t.Error("Ca retrieved from first validating webhook configuration does not match")
+	}
+	if !bytes.Equal(whval.Webhooks[1].ClientConfig.CABundle, ca) {
+		t.Error("Ca retrieved from second validating webhook configuration does not match")
+	}
+	if whmut.Webhooks[0].FailurePolicy == nil {
+		t.Errorf("Expected first mutating webhook failure policy to be set to %s", fail)
+	}
+	if whmut.Webhooks[1].FailurePolicy == nil {
+		t.Errorf("Expected second mutating webhook failure policy to be set to %s", fail)
+	}
+	if whval.Webhooks[0].FailurePolicy == nil {
+		t.Errorf("Expected first validating webhook failure policy to be set to %s", fail)
+	}
+	if whval.Webhooks[1].FailurePolicy == nil {
+		t.Errorf("Expected second validating webhook failure policy to be set to %s", fail)
+	}
+
+}