mirror of
https://github.com/k3s-io/kubernetes.git
synced 2025-07-23 11:50:44 +00:00
Merge pull request #39702 from mikedanese/kubelet-csr
Automatic merge from submit-queue (batch tested with PRs 39684, 39577, 38989, 39534, 39702) kubelet: request client auth certificates from certificate API. This fixes kubeadm and --experiment-kubelet-bootstrap. cc @liggitt
This commit is contained in:
commit
1fbb22e115
@ -56,7 +56,10 @@ filegroup(
|
||||
|
||||
go_test(
|
||||
name = "go_default_test",
|
||||
srcs = ["cfssl_signer_test.go"],
|
||||
srcs = [
|
||||
"cfssl_signer_test.go",
|
||||
"groupapprove_test.go",
|
||||
],
|
||||
data = [
|
||||
"testdata/ca.crt",
|
||||
"testdata/ca.key",
|
||||
|
@ -76,6 +76,9 @@ func (cc *groupApprover) AutoApprove(csr *certificates.CertificateSigningRequest
|
||||
if len(x509cr.DNSNames)+len(x509cr.EmailAddresses)+len(x509cr.IPAddresses) != 0 {
|
||||
return csr, nil
|
||||
}
|
||||
if !hasExactUsages(csr, kubeletClientUsages) {
|
||||
return csr, nil
|
||||
}
|
||||
|
||||
csr.Status.Conditions = append(csr.Status.Conditions, certificates.CertificateSigningRequestCondition{
|
||||
Type: certificates.CertificateApproved,
|
||||
@ -84,3 +87,28 @@ func (cc *groupApprover) AutoApprove(csr *certificates.CertificateSigningRequest
|
||||
})
|
||||
return cc.client.UpdateApproval(csr)
|
||||
}
|
||||
|
||||
var kubeletClientUsages = []certificates.KeyUsage{
|
||||
certificates.UsageKeyEncipherment,
|
||||
certificates.UsageDigitalSignature,
|
||||
certificates.UsageClientAuth,
|
||||
}
|
||||
|
||||
func hasExactUsages(csr *certificates.CertificateSigningRequest, usages []certificates.KeyUsage) bool {
|
||||
if len(usages) != len(csr.Spec.Usages) {
|
||||
return false
|
||||
}
|
||||
|
||||
usageMap := map[certificates.KeyUsage]struct{}{}
|
||||
for _, u := range usages {
|
||||
usageMap[u] = struct{}{}
|
||||
}
|
||||
|
||||
for _, u := range csr.Spec.Usages {
|
||||
if _, ok := usageMap[u]; !ok {
|
||||
return false
|
||||
}
|
||||
}
|
||||
|
||||
return true
|
||||
}
|
||||
|
71
pkg/controller/certificates/groupapprove_test.go
Normal file
71
pkg/controller/certificates/groupapprove_test.go
Normal file
@ -0,0 +1,71 @@
|
||||
/*
|
||||
Copyright 2017 The Kubernetes Authors.
|
||||
|
||||
Licensed under the Apache License, Version 2.0 (the "License");
|
||||
you may not use this file except in compliance with the License.
|
||||
You may obtain a copy of the License at
|
||||
|
||||
http://www.apache.org/licenses/LICENSE-2.0
|
||||
|
||||
Unless required by applicable law or agreed to in writing, software
|
||||
distributed under the License is distributed on an "AS IS" BASIS,
|
||||
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
||||
See the License for the specific language governing permissions and
|
||||
limitations under the License.
|
||||
*/
|
||||
|
||||
package certificates
|
||||
|
||||
import (
|
||||
"testing"
|
||||
|
||||
certificates "k8s.io/kubernetes/pkg/apis/certificates/v1alpha1"
|
||||
)
|
||||
|
||||
func TestHasKubeletUsages(t *testing.T) {
|
||||
cases := []struct {
|
||||
usages []certificates.KeyUsage
|
||||
expected bool
|
||||
}{
|
||||
{
|
||||
usages: nil,
|
||||
expected: false,
|
||||
},
|
||||
{
|
||||
usages: []certificates.KeyUsage{},
|
||||
expected: false,
|
||||
},
|
||||
{
|
||||
usages: []certificates.KeyUsage{
|
||||
certificates.UsageKeyEncipherment,
|
||||
certificates.UsageDigitalSignature,
|
||||
},
|
||||
expected: false,
|
||||
},
|
||||
{
|
||||
usages: []certificates.KeyUsage{
|
||||
certificates.UsageKeyEncipherment,
|
||||
certificates.UsageDigitalSignature,
|
||||
certificates.UsageServerAuth,
|
||||
},
|
||||
expected: false,
|
||||
},
|
||||
{
|
||||
usages: []certificates.KeyUsage{
|
||||
certificates.UsageKeyEncipherment,
|
||||
certificates.UsageDigitalSignature,
|
||||
certificates.UsageClientAuth,
|
||||
},
|
||||
expected: true,
|
||||
},
|
||||
}
|
||||
for _, c := range cases {
|
||||
if hasExactUsages(&certificates.CertificateSigningRequest{
|
||||
Spec: certificates.CertificateSigningRequestSpec{
|
||||
Usages: c.usages,
|
||||
},
|
||||
}, kubeletClientUsages) != c.expected {
|
||||
t.Errorf("unexpected result of hasKubeletUsages(%v), expecting: %v", c.usages, c.expected)
|
||||
}
|
||||
}
|
||||
}
|
@ -54,9 +54,14 @@ func RequestNodeCertificate(client unversionedcertificates.CertificateSigningReq
|
||||
TypeMeta: metav1.TypeMeta{Kind: "CertificateSigningRequest"},
|
||||
ObjectMeta: v1.ObjectMeta{GenerateName: "csr-"},
|
||||
|
||||
// TODO: For now, this is a request for a certificate with allowed usage of "TLS Web Client Authentication".
|
||||
// Need to figure out whether/how to surface the allowed usage in the spec.
|
||||
Spec: certificates.CertificateSigningRequestSpec{Request: csr},
|
||||
Spec: certificates.CertificateSigningRequestSpec{
|
||||
Request: csr,
|
||||
Usages: []certificates.KeyUsage{
|
||||
certificates.UsageDigitalSignature,
|
||||
certificates.UsageKeyEncipherment,
|
||||
certificates.UsageClientAuth,
|
||||
},
|
||||
},
|
||||
})
|
||||
if err != nil {
|
||||
return nil, fmt.Errorf("cannot create certificate signing request: %v", err)
|
||||
|
Loading…
Reference in New Issue
Block a user