Add support to CRL (#3164)
Signed-off-by: Ricardo Pchevuzinske Katz <ricardo.katz@serpro.gov.br> Add support to CRL Signed-off-by: Ricardo Pchevuzinske Katz <ricardo.katz@serpro.gov.br>
This commit is contained in:
parent
48c89cbe3c
commit
9c51676f17
8 changed files with 140 additions and 8 deletions
|
|
@ -84,6 +84,8 @@ func (s *k8sStore) getPemCertificate(secretName string) (*ingress.SSLCert, error
|
|||
key, okkey := secret.Data[apiv1.TLSPrivateKeyKey]
|
||||
ca := secret.Data["ca.crt"]
|
||||
|
||||
crl := secret.Data["ca.crl"]
|
||||
|
||||
auth := secret.Data["auth"]
|
||||
|
||||
// namespace/secretName -> namespace-secretName
|
||||
|
|
@ -117,12 +119,25 @@ func (s *k8sStore) getPemCertificate(secretName string) (*ingress.SSLCert, error
|
|||
if err != nil {
|
||||
return nil, fmt.Errorf("error configuring CA certificate: %v", err)
|
||||
}
|
||||
|
||||
if len(crl) > 0 {
|
||||
err = ssl.ConfigureCRL(nsSecName, crl, sslCert)
|
||||
if err != nil {
|
||||
return nil, fmt.Errorf("error configuring CRL certificate: %v", err)
|
||||
}
|
||||
|
||||
}
|
||||
}
|
||||
|
||||
msg := fmt.Sprintf("Configuring Secret %q for TLS encryption (CN: %v)", secretName, sslCert.CN)
|
||||
if ca != nil {
|
||||
msg += " and authentication"
|
||||
}
|
||||
|
||||
if crl != nil {
|
||||
msg += " and CRL"
|
||||
}
|
||||
|
||||
klog.V(3).Info(msg)
|
||||
} else if len(ca) > 0 {
|
||||
sslCert, err = ssl.CreateCACert(ca)
|
||||
|
|
@ -135,6 +150,12 @@ func (s *k8sStore) getPemCertificate(secretName string) (*ingress.SSLCert, error
|
|||
return nil, fmt.Errorf("error configuring CA certificate: %v", err)
|
||||
}
|
||||
|
||||
if len(crl) > 0 {
|
||||
err = ssl.ConfigureCRL(nsSecName, crl, sslCert)
|
||||
if err != nil {
|
||||
return nil, err
|
||||
}
|
||||
}
|
||||
// makes this secret in 'syncSecret' to be used for Certificate Authentication
|
||||
// this does not enable Certificate Authentication
|
||||
klog.V(3).Infof("Configuring Secret %q for TLS authentication", secretName)
|
||||
|
|
|
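Review bot: The two new ConfigureCRL call sites in this section handle failure differently: the hunk ending at `} else if len(ca) > 0 {` wraps the error as `"error configuring CRL certificate: %v"`, while the third hunk returns the bare `err`, so in the CA-only path the caller loses which secret and which key failed. Both sites should wrap consistently, and since a CRL is not a certificate the message reads better as `return nil, fmt.Errorf("error configuring CRL: %v", err)`. The logging condition also diverges from the configure condition: `if crl != nil { msg += " and CRL" }` fires whenever the `ca.crl` key exists, even when it is empty (ConfigureCRL is only called under `len(crl) > 0`) and, if the brace nesting means the CRL block sits inside the CA block as it appears to, even when no CA was present and the CRL was never applied; using `if len(crl) > 0` there, or a flag set only after ConfigureCRL succeeds, would keep the log accurate. getPemCertificate starts and ends outside these hunks.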
|||
|
|
@ -816,9 +816,11 @@ func (s *k8sStore) GetAuthCertificate(name string) (*resolver.AuthSSLCert, error
|
|||
}
|
||||
|
||||
return &resolver.AuthSSLCert{
|
||||
Secret: name,
|
||||
CAFileName: cert.CAFileName,
|
||||
CASHA: cert.CASHA,
|
||||
Secret: name,
|
||||
CAFileName: cert.CAFileName,
|
||||
CASHA: cert.CASHA,
|
||||
CRLFileName: cert.CRLFileName,
|
||||
CRLSHA: cert.CRLSHA,
|
||||
}, nil
|
||||
}
|
||||
|
||||
|
|
|
|||
|
|
@ -32,12 +32,11 @@ type Resolver interface {
|
|||
// GetSecret searches for secrets containing the namespace and name using a the character /
|
||||
GetSecret(string) (*apiv1.Secret, error)
|
||||
|
||||
// GetAuthCertificate resolves a given secret name into an SSL certificate.
|
||||
// The secret must contain 3 keys named:
|
||||
// GetAuthCertificate resolves a given secret name into an SSL certificate and CRL.
|
||||
// The secret must contain 2 keys named:
|
||||
|
||||
// ca.crt: contains the certificate chain used for authentication
|
||||
// tls.crt: contains the server certificate
|
||||
// tls.key: contains the server key
|
||||
// ca.crl: contains the revocation list used for authentication
|
||||
GetAuthCertificate(string) (*AuthSSLCert, error)
|
||||
|
||||
// GetService searches for services containing the namespace and name using a the character /
|
||||
|
|
@ -53,6 +52,10 @@ type AuthSSLCert struct {
|
|||
CAFileName string `json:"caFilename"`
|
||||
// CASHA contains the SHA1 hash of the 'ca.crt' or combinations of (tls.crt, tls.key, tls.crt) depending on certs in secret
|
||||
CASHA string `json:"caSha"`
|
||||
// CRLFileName contains the path to the secrets 'ca.crl'
|
||||
CRLFileName string `json:"crlFileName"`
|
||||
// CRLSHA contains the SHA1 hash of the 'ca.crl' file
|
||||
CRLSHA string `json:"crlSha"`
|
||||
}
|
||||
|
||||
// Equal tests for equality between two AuthSSLCert types
|
||||
|
|
@ -74,5 +77,12 @@ func (asslc1 *AuthSSLCert) Equal(assl2 *AuthSSLCert) bool {
|
|||
return false
|
||||
}
|
||||
|
||||
if asslc1.CRLFileName != assl2.CRLFileName {
|
||||
return false
|
||||
}
|
||||
if asslc1.CRLSHA != assl2.CRLSHA {
|
||||
return false
|
||||
}
|
||||
|
||||
return true
|
||||
}
|
||||
|
|
|
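Review bot: The rewritten doc comment on GetAuthCertificate says `// The secret must contain 2 keys named:` but then lists four keys (ca.crt, tls.crt, tls.key, ca.crl), and the store changes in this commit only call ConfigureCRL when `ca.crl` is present, so the CRL is optional rather than required. Suggest dropping the count and marking the optional key, e.g. `// The secret must contain the key ca.crt and may contain ca.crl:` followed by `// ca.crl: (optional) contains the revocation list used for authentication`. The `Equal` additions and the new AuthSSLCert fields look consistent with each other.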
|||
|
|
@ -37,6 +37,11 @@ type SSLCert struct {
|
|||
// This is used to detect changes in the secret that contains certificates
|
||||
CASHA string `json:"caSha"`
|
||||
|
||||
// CRLFileName contains the path to the file with the Certificate Revocation List
|
||||
CRLFileName string `json:"crlFileName"`
|
||||
// CRLSHA contains the sha1 of the pem file.
|
||||
CRLSHA string `json:"crlSha"`
|
||||
|
||||
// PemFileName contains the path to the file with the certificate and key concatenated
|
||||
PemFileName string `json:"pemFileName"`
|
||||
|
||||
|
|
|
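Review bot: The comment on the new CRLSHA field, `// CRLSHA contains the sha1 of the pem file.`, describes the wrong file; it reads like a copy of the PemSHA comment, and the matching AuthSSLCert field in this commit documents the value as the SHA1 of the 'ca.crl' file. Suggest `// CRLSHA contains the sha1 of the Certificate Revocation List file; used to detect changes in the secret.` so the two types agree.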
|||