github/client-go
1
0
Fork 0
mirror of https://github.com/kubernetes/client-go.git synced 2025-08-21 00:23:39 +00:00
Code Issues Projects Releases Wiki Activity

apiserver: use fixtures for self-signed certs in test server

Browse Source 
Kubernetes-commit: 7deccb5b7a7c5224d3d90e1391dd22b2d1f1b9b9
This commit is contained in:
Dr. Stefan Schimanski 2018-07-06 12:04:38 +02:00 committed by Kubernetes Publisher
parent f1995823ac
commit ad896870c5
1 changed files with 55 additions and 5 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

60
util/cert/cert.go
View File

@ -27,9 +27,12 @@ import (
"encoding/pem" "encoding/pem"
"errors" "errors"
"fmt" "fmt"
"io/ioutil"
"math" "math"
"math/big" "math/big"
"net" "net"
"path"
"strings"
"time" "time"
) )
@ -136,8 +139,38 @@ func MakeEllipticPrivateKeyPEM() ([]byte, error) {
// GenerateSelfSignedCertKey creates a self-signed certificate and key for the given host. // GenerateSelfSignedCertKey creates a self-signed certificate and key for the given host.
// Host may be an IP or a DNS name // Host may be an IP or a DNS name
// You may also specify additional subject alt names (either ip or dns names) for the certificate // You may also specify additional subject alt names (either ip or dns names) for the certificate.
func GenerateSelfSignedCertKey(host string, alternateIPs []net.IP, alternateDNS []string) ([]byte, []byte, error) { func GenerateSelfSignedCertKey(host string, alternateIPs []net.IP, alternateDNS []string) ([]byte, []byte, error) {
return GenerateSelfSignedCertKeyWithFixtures(host, alternateIPs, alternateDNS, "")
}
// GenerateSelfSignedCertKeyWithFixtures creates a self-signed certificate and key for the given host.
// Host may be an IP or a DNS name. You may also specify additional subject alt names (either ip or dns names)
// for the certificate.
//
// If fixtureDirectory is non-empty, it is a directory path which can contain pre-generated certs. The format is:
// <host>_<ip>-<ip>_<alternateDNS>-<alternateDNS>.crt
// <host>_<ip>-<ip>_<alternateDNS>-<alternateDNS>.key
// Certs/keys not existing in that directory are created.
func GenerateSelfSignedCertKeyWithFixtures(host string, alternateIPs []net.IP, alternateDNS []string, fixtureDirectory string) ([]byte, []byte, error) {
validFrom := time.Now().Add(-time.Hour) // valid an hour earlier to avoid flakes due to clock skew
maxAge := time.Hour * 24 * 365 // one year self-signed certs
baseName := fmt.Sprintf("%s_%s_%s", host, strings.Join(ipsToStrings(alternateIPs), "-"), strings.Join(alternateDNS, "-"))
certFixturePath := path.Join(fixtureDirectory, baseName+".crt")
keyFixturePath := path.Join(fixtureDirectory, baseName+".key")
if len(fixtureDirectory) > 0 {
cert, err := ioutil.ReadFile(certFixturePath)
if err == nil {
key, err := ioutil.ReadFile(keyFixturePath)
if err == nil {
return cert, key, nil
}
return nil, nil, fmt.Errorf("cert %s can be read, but key %s cannot: %v", certFixturePath, keyFixturePath, err)
}
maxAge = 100 * time.Hour * 24 * 365 // 100 years fixtures
}
caKey, err := rsa.GenerateKey(cryptorand.Reader, 2048) caKey, err := rsa.GenerateKey(cryptorand.Reader, 2048)
if err != nil { if err != nil {
return nil, nil, err return nil, nil, err
@ -148,8 +181,8 @@ func GenerateSelfSignedCertKey(host string, alternateIPs []net.IP, alternateDNS
Subject: pkix.Name{ Subject: pkix.Name{
CommonName: fmt.Sprintf("%s-ca@%d", host, time.Now().Unix()), CommonName: fmt.Sprintf("%s-ca@%d", host, time.Now().Unix()),
}, },
NotBefore: time.Now(), NotBefore: validFrom,
NotAfter: time.Now().Add(time.Hour * 24 * 365), NotAfter: validFrom.Add(maxAge),
KeyUsage: x509.KeyUsageKeyEncipherment | x509.KeyUsageDigitalSignature | x509.KeyUsageCertSign, KeyUsage: x509.KeyUsageKeyEncipherment | x509.KeyUsageDigitalSignature | x509.KeyUsageCertSign,
BasicConstraintsValid: true, BasicConstraintsValid: true,
@ -176,8 +209,8 @@ func GenerateSelfSignedCertKey(host string, alternateIPs []net.IP, alternateDNS
Subject: pkix.Name{ Subject: pkix.Name{
CommonName: fmt.Sprintf("%s@%d", host, time.Now().Unix()), CommonName: fmt.Sprintf("%s@%d", host, time.Now().Unix()),
}, },
NotBefore: time.Now(), NotBefore: validFrom,
NotAfter: time.Now().Add(time.Hour * 24 * 365), NotAfter: validFrom.Add(maxAge),
KeyUsage: x509.KeyUsageKeyEncipherment | x509.KeyUsageDigitalSignature, KeyUsage: x509.KeyUsageKeyEncipherment | x509.KeyUsageDigitalSignature,
ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth}, ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
@ -213,6 +246,15 @@ func GenerateSelfSignedCertKey(host string, alternateIPs []net.IP, alternateDNS
return nil, nil, err return nil, nil, err
} }
if len(fixtureDirectory) > 0 {
if err := ioutil.WriteFile(certFixturePath, certBuffer.Bytes(), 0644); err != nil {
return nil, nil, fmt.Errorf("failed to write cert fixture to %s: %v", certFixturePath, err)
}
if err := ioutil.WriteFile(keyFixturePath, keyBuffer.Bytes(), 0644); err != nil {
return nil, nil, fmt.Errorf("failed to write key fixture to %s: %v", certFixturePath, err)
}
}
return certBuffer.Bytes(), keyBuffer.Bytes(), nil return certBuffer.Bytes(), keyBuffer.Bytes(), nil
} }
@ -243,3 +285,11 @@ func FormatCert(c *x509.Certificate) string {
} }
return res return res
} }
func ipsToStrings(ips []net.IP) []string {
ss := make([]string, 0, len(ips))
for _, ip := range ips {
ss = append(ss, ip.String())
}
return ss
}