Migrate the webhook-certgen program to inside ingress repo (#7475)
This commit is contained in:
Ricardo Katz
GitHub
parent
9a9ad47857
commit
492c7b0d94
18 changed files with 1910 additions and 0 deletions
99
images/kube-webhook-certgen/rootfs/pkg/certs/certs.go
Normal file
99
images/kube-webhook-certgen/rootfs/pkg/certs/certs.go
Normal file
|
|
@ -0,0 +1,99 @@
|
|||
package certs
|
||||
|
||||
import (
|
||||
"crypto/ecdsa"
|
||||
"crypto/elliptic"
|
||||
"crypto/rand"
|
||||
"crypto/x509"
|
||||
"crypto/x509/pkix"
|
||||
"encoding/pem"
|
||||
log "github.com/sirupsen/logrus"
|
||||
"math/big"
|
||||
"net"
|
||||
"strings"
|
||||
"time"
|
||||
)
|
||||
|
||||
// GenerateCerts venerates a ca with a leaf certificate and key and returns the ca, cert and key as PEM encoded slices
|
||||
func GenerateCerts(host string) (ca []byte, cert []byte, key []byte) {
|
||||
notBefore := time.Now().Add(time.Minute * -5)
|
||||
notAfter := notBefore.Add(100 * 365 * 24 * time.Hour)
|
||||
|
||||
serialNumberLimit := new(big.Int).Lsh(big.NewInt(1), 128)
|
||||
serialNumber, err := rand.Int(rand.Reader, serialNumberLimit)
|
||||
if err != nil {
|
||||
log.WithField("err", err).Fatal("failed to generate serial number")
|
||||
}
|
||||
rootKey, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
|
||||
if err != nil {
|
||||
log.WithField("err", err).Fatal("failed scdsa.GenerateKey")
|
||||
}
|
||||
|
||||
rootTemplate := x509.Certificate{
|
||||
SerialNumber: serialNumber,
|
||||
NotBefore: notBefore,
|
||||
NotAfter: notAfter,
|
||||
KeyUsage: x509.KeyUsageCertSign,
|
||||
ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
|
||||
BasicConstraintsValid: true,
|
||||
IsCA: true,
|
||||
Subject: pkix.Name{Organization: []string{"nil1"}},
|
||||
}
|
||||
|
||||
derBytes, err := x509.CreateCertificate(rand.Reader, &rootTemplate, &rootTemplate, &rootKey.PublicKey, rootKey)
|
||||
if err != nil {
|
||||
log.WithField("err", err).Fatal("failed createCertificate for Ca")
|
||||
}
|
||||
|
||||
ca = encodeCert(derBytes)
|
||||
|
||||
leafKey, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
|
||||
if err != nil {
|
||||
log.WithField("err", err).Fatal("failed createLeafKey for certificate")
|
||||
}
|
||||
|
||||
key = encodeKey(leafKey)
|
||||
|
||||
serialNumber, err = rand.Int(rand.Reader, serialNumberLimit)
|
||||
if err != nil {
|
||||
log.WithField("err", err).Fatal("failed to generate serial number")
|
||||
}
|
||||
leafTemplate := x509.Certificate{
|
||||
SerialNumber: serialNumber,
|
||||
NotBefore: notBefore,
|
||||
NotAfter: notAfter,
|
||||
KeyUsage: x509.KeyUsageDigitalSignature | x509.KeyUsageKeyEncipherment,
|
||||
ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
|
||||
BasicConstraintsValid: true,
|
||||
IsCA: false,
|
||||
Subject: pkix.Name{Organization: []string{"nil2"}},
|
||||
}
|
||||
hosts := strings.Split(host, ",")
|
||||
for _, h := range hosts {
|
||||
if ip := net.ParseIP(h); ip != nil {
|
||||
leafTemplate.IPAddresses = append(leafTemplate.IPAddresses, ip)
|
||||
} else {
|
||||
leafTemplate.DNSNames = append(leafTemplate.DNSNames, h)
|
||||
}
|
||||
}
|
||||
|
||||
derBytes, err = x509.CreateCertificate(rand.Reader, &leafTemplate, &rootTemplate, &leafKey.PublicKey, rootKey)
|
||||
if err != nil {
|
||||
log.WithField("err", err).Fatal("failed createLeaf certificate")
|
||||
}
|
||||
|
||||
cert = encodeCert(derBytes)
|
||||
return ca, cert, key
|
||||
}
|
||||
|
||||
func encodeKey(key *ecdsa.PrivateKey) []byte {
|
||||
b, err := x509.MarshalECPrivateKey(key)
|
||||
if err != nil {
|
||||
log.WithField("err", err).Fatal("unable to marshal ECDSA private key")
|
||||
}
|
||||
return pem.EncodeToMemory(&pem.Block{Type: "EC PRIVATE KEY", Bytes: b})
|
||||
}
|
||||
|
||||
func encodeCert(derBytes []byte) []byte {
|
||||
return pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: derBytes})
|
||||
}
|
||||
61
images/kube-webhook-certgen/rootfs/pkg/certs/certs_test.go
Normal file
61
images/kube-webhook-certgen/rootfs/pkg/certs/certs_test.go
Normal file
|
|
@ -0,0 +1,61 @@
|
|||
package certs
|
||||
|
||||
import (
|
||||
"bytes"
|
||||
"crypto/tls"
|
||||
"crypto/x509"
|
||||
"fmt"
|
||||
"io/ioutil"
|
||||
"net/http"
|
||||
"net/http/httptest"
|
||||
"testing"
|
||||
)
|
||||
|
||||
func handler(w http.ResponseWriter, r *http.Request) {
|
||||
_, _ = fmt.Fprintf(w, "Hello World")
|
||||
}
|
||||
|
||||
func TestCertificateCreation(t *testing.T) {
|
||||
|
||||
ca, cert, key := GenerateCerts("localhost")
|
||||
|
||||
c, err := tls.X509KeyPair(cert, key)
|
||||
if err != nil {
|
||||
t.Fatal(err)
|
||||
}
|
||||
|
||||
caCertPool := x509.NewCertPool()
|
||||
caCertPool.AppendCertsFromPEM(ca)
|
||||
|
||||
tr := &http.Transport{
|
||||
TLSClientConfig: &tls.Config{
|
||||
RootCAs: caCertPool,
|
||||
ServerName: "localhost"}}
|
||||
|
||||
ts := httptest.NewUnstartedServer(http.HandlerFunc(handler))
|
||||
ts.TLS = &tls.Config{Certificates: []tls.Certificate{c}}
|
||||
ts.StartTLS()
|
||||
defer ts.Close()
|
||||
|
||||
client := &http.Client{Transport: tr}
|
||||
res, err := client.Get(ts.URL)
|
||||
if err != nil {
|
||||
t.Fatal(err)
|
||||
}
|
||||
defer res.Body.Close()
|
||||
|
||||
if res.StatusCode != http.StatusOK {
|
||||
t.Errorf("Response code was %v; want 200", res.StatusCode)
|
||||
}
|
||||
|
||||
body, err := ioutil.ReadAll(res.Body)
|
||||
if err != nil {
|
||||
t.Fatal(err)
|
||||
}
|
||||
|
||||
expected := []byte("Hello World")
|
||||
|
||||
if bytes.Compare(expected, body) != 0 {
|
||||
t.Errorf("Response body was '%v'; want '%v'", expected, body)
|
||||
}
|
||||
}
|
||||
Loading…
Add table
Add a link
Reference in a new issue