From a4d04095d0e73c9b95b077c7f65153f55d9d4f80 Mon Sep 17 00:00:00 2001
From: Harry Zhang
Date: Wed, 9 Mar 2016 22:03:24 +0800
Subject: [PATCH] Refactor crlf & crypto

---
 .../app/controllermanager.go | 3 +-
 cmd/kubelet/app/server.go | 3 +-
 .../controllermanager/controllermanager.go | 3 +-
 pkg/apiserver/authenticator/authn.go | 4 +-
 pkg/client/restclient/config.go | 4 +-
 pkg/genericapiserver/genericapiserver.go | 5 +-
 pkg/util/crlf/crlf.go | 57 +++++++++++++++++++
 pkg/util/{ => crypto}/crypto.go | 2 +-
 .../pkg/auth/authenticator/token/oidc/oidc.go | 4 +-
 .../authenticator/token/oidc/oidc_test.go | 2 +-
 10 files changed, 74 insertions(+), 13 deletions(-)
 create mode 100644 pkg/util/crlf/crlf.go
 rename pkg/util/{ => crypto}/crypto.go (99%)

diff --git a/cmd/kube-controller-manager/app/controllermanager.go b/cmd/kube-controller-manager/app/controllermanager.go
index fe6b3caa89f..9824c58b97c 100644
--- a/cmd/kube-controller-manager/app/controllermanager.go
+++ b/cmd/kube-controller-manager/app/controllermanager.go
@@ -66,6 +66,7 @@ import (
 "k8s.io/kubernetes/pkg/serviceaccount"
 "k8s.io/kubernetes/pkg/util"
 "k8s.io/kubernetes/pkg/util/configz"
+ "k8s.io/kubernetes/pkg/util/crypto"
 "k8s.io/kubernetes/pkg/util/wait"
 
 "github.com/golang/glog"
@@ -359,7 +360,7 @@ func StartControllers(s *options.CMServer, kubeClient *client.Client, kubeconfig
 if err != nil {
 return fmt.Errorf("error reading root-ca-file at %s: %v", s.RootCAFile, err)
 }
- if _, err := util.CertsFromPEM(rootCA); err != nil {
+ if _, err := crypto.CertsFromPEM(rootCA); err != nil {
 return fmt.Errorf("error parsing root-ca-file at %s: %v", s.RootCAFile, err)
 }
 } else {
diff --git a/cmd/kubelet/app/server.go b/cmd/kubelet/app/server.go
index 19bb96049f2..80ae438fa85 100644
--- a/cmd/kubelet/app/server.go
+++ b/cmd/kubelet/app/server.go
@@ -60,6 +60,7 @@ import (
 kubetypes "k8s.io/kubernetes/pkg/kubelet/types"
 "k8s.io/kubernetes/pkg/util"
 "k8s.io/kubernetes/pkg/util/configz"
+ "k8s.io/kubernetes/pkg/util/crypto"
 "k8s.io/kubernetes/pkg/util/flock"
 "k8s.io/kubernetes/pkg/util/io"
 "k8s.io/kubernetes/pkg/util/mount"
@@ -377,7 +378,7 @@ func InitializeTLS(s *options.KubeletServer) (*server.TLSOptions, error) {
 if s.TLSCertFile == "" && s.TLSPrivateKeyFile == "" {
 s.TLSCertFile = path.Join(s.CertDirectory, "kubelet.crt")
 s.TLSPrivateKeyFile = path.Join(s.CertDirectory, "kubelet.key")
- if err := util.GenerateSelfSignedCert(nodeutil.GetHostname(s.HostnameOverride), s.TLSCertFile, s.TLSPrivateKeyFile, nil, nil); err != nil {
+ if err := crypto.GenerateSelfSignedCert(nodeutil.GetHostname(s.HostnameOverride), s.TLSCertFile, s.TLSPrivateKeyFile, nil, nil); err != nil {
 return nil, fmt.Errorf("unable to generate self signed cert: %v", err)
 }
 glog.V(4).Infof("Using self-signed cert (%s, %s)", s.TLSCertFile, s.TLSPrivateKeyFile)
diff --git a/contrib/mesos/pkg/controllermanager/controllermanager.go b/contrib/mesos/pkg/controllermanager/controllermanager.go
index e2ecdfad758..749f624f533 100644
--- a/contrib/mesos/pkg/controllermanager/controllermanager.go
+++ b/contrib/mesos/pkg/controllermanager/controllermanager.go
@@ -59,6 +59,7 @@ import (
 quotainstall "k8s.io/kubernetes/pkg/quota/install"
 "k8s.io/kubernetes/pkg/serviceaccount"
 "k8s.io/kubernetes/pkg/util"
+ "k8s.io/kubernetes/pkg/util/crypto"
 "k8s.io/kubernetes/pkg/util/wait"
 
 "k8s.io/kubernetes/contrib/mesos/pkg/profile"
@@ -309,7 +310,7 @@ func (s *CMServer) Run(_ []string) error {
 if err != nil {
 return fmt.Errorf("error reading root-ca-file at %s: %v", s.RootCAFile, err)
 }
- if _, err := util.CertsFromPEM(rootCA); err != nil {
+ if _, err := crypto.CertsFromPEM(rootCA); err != nil {
 return fmt.Errorf("error parsing root-ca-file at %s: %v", s.RootCAFile, err)
 }
 } else {
diff --git a/pkg/apiserver/authenticator/authn.go b/pkg/apiserver/authenticator/authn.go
index 2654e6f3aa9..b95767ad938 100644
--- a/pkg/apiserver/authenticator/authn.go
+++ b/pkg/apiserver/authenticator/authn.go
@@ -22,7 +22,7 @@ import (
 "k8s.io/kubernetes/pkg/auth/authenticator"
 "k8s.io/kubernetes/pkg/auth/authenticator/bearertoken"
 "k8s.io/kubernetes/pkg/serviceaccount"
- "k8s.io/kubernetes/pkg/util"
+ "k8s.io/kubernetes/pkg/util/crypto"
 "k8s.io/kubernetes/plugin/pkg/auth/authenticator/password/passwordfile"
 "k8s.io/kubernetes/plugin/pkg/auth/authenticator/request/basicauth"
 "k8s.io/kubernetes/plugin/pkg/auth/authenticator/request/keystone"
@@ -159,7 +159,7 @@ func newServiceAccountAuthenticator(keyfile string, lookup bool, serviceAccountG
 
 // newAuthenticatorFromClientCAFile returns an authenticator.Request or an error
 func newAuthenticatorFromClientCAFile(clientCAFile string) (authenticator.Request, error) {
- roots, err := util.CertPoolFromFile(clientCAFile)
+ roots, err := crypto.CertPoolFromFile(clientCAFile)
 if err != nil {
 return nil, err
 }
diff --git a/pkg/client/restclient/config.go b/pkg/client/restclient/config.go
index b084a8eb2b8..cbddb2682d5 100644
--- a/pkg/client/restclient/config.go
+++ b/pkg/client/restclient/config.go
@@ -31,7 +31,7 @@ import (
 "k8s.io/kubernetes/pkg/api"
 "k8s.io/kubernetes/pkg/api/unversioned"
 "k8s.io/kubernetes/pkg/runtime"
- "k8s.io/kubernetes/pkg/util"
+ "k8s.io/kubernetes/pkg/util/crypto"
 "k8s.io/kubernetes/pkg/version"
 )
 
@@ -235,7 +235,7 @@ func InClusterConfig() (*Config, error) {
 }
 tlsClientConfig := TLSClientConfig{}
 rootCAFile := "/var/run/secrets/kubernetes.io/serviceaccount/" + api.ServiceAccountRootCAKey
- if _, err := util.CertPoolFromFile(rootCAFile); err != nil {
+ if _, err := crypto.CertPoolFromFile(rootCAFile); err != nil {
 glog.Errorf("Expected to load root CA config from %s, but got err: %v", rootCAFile, err)
 } else {
 tlsClientConfig.CAFile = rootCAFile
diff --git a/pkg/genericapiserver/genericapiserver.go b/pkg/genericapiserver/genericapiserver.go
index 23d82c58bb9..bf7c423117f 100644
--- a/pkg/genericapiserver/genericapiserver.go
+++ b/pkg/genericapiserver/genericapiserver.go
@@ -45,6 +45,7 @@ import (
 "k8s.io/kubernetes/pkg/storage"
 "k8s.io/kubernetes/pkg/ui"
 "k8s.io/kubernetes/pkg/util"
+ "k8s.io/kubernetes/pkg/util/crypto"
 utilnet "k8s.io/kubernetes/pkg/util/net"
 utilruntime "k8s.io/kubernetes/pkg/util/runtime"
 "k8s.io/kubernetes/pkg/util/sets"
@@ -679,7 +680,7 @@ func (s *GenericAPIServer) Run(options *ServerRunOptions) {
 }
 
 if len(options.ClientCAFile) > 0 {
- clientCAs, err := util.CertPoolFromFile(options.ClientCAFile)
+ clientCAs, err := crypto.CertPoolFromFile(options.ClientCAFile)
 if err != nil {
 glog.Fatalf("Unable to load client CA file: %v", err)
 }
@@ -699,7 +700,7 @@ func (s *GenericAPIServer) Run(options *ServerRunOptions) {
 alternateDNS := []string{"kubernetes.default.svc", "kubernetes.default", "kubernetes"}
 // It would be nice to set a fqdn subject alt name, but only the kubelets know, the apiserver is clueless
 // alternateDNS = append(alternateDNS, "kubernetes.default.svc.CLUSTER.DNS.NAME")
- if err := util.GenerateSelfSignedCert(s.ClusterIP.String(), options.TLSCertFile, options.TLSPrivateKeyFile, alternateIPs, alternateDNS); err != nil {
+ if err := crypto.GenerateSelfSignedCert(s.ClusterIP.String(), options.TLSCertFile, options.TLSPrivateKeyFile, alternateIPs, alternateDNS); err != nil {
 glog.Errorf("Unable to generate self signed cert: %v", err)
 } else {
 glog.Infof("Using self-signed cert (%v, %v)", options.TLSCertFile, options.TLSPrivateKeyFile)
diff --git a/pkg/util/crlf/crlf.go b/pkg/util/crlf/crlf.go
new file mode 100644
index 00000000000..e098e860079
--- /dev/null
+++ b/pkg/util/crlf/crlf.go
@@ -0,0 +1,57 @@
+/*
+Copyright 2015 The Kubernetes Authors All rights reserved.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package crlf
+
+import (
+ "bytes"
+ "io"
+)
+
+type crlfWriter struct {
+ io.Writer
+}
+
+// NewCRLFWriter implements a CR/LF line ending writer used for normalizing
+// text for Windows platforms.
+func NewCRLFWriter(w io.Writer) io.Writer {
+ return crlfWriter{w}
+}
+
+func (w crlfWriter) Write(b []byte) (n int, err error) {
+ for i, written := 0, 0; ; {
+ next := bytes.Index(b[i:], []byte("\n"))
+ if next == -1 {
+ n, err := w.Writer.Write(b[i:])
+ return written + n, err
+ }
+ next = next + i
+ n, err := w.Writer.Write(b[i:next])
+ if err != nil {
+ return written + n, err
+ }
+ written += n
+ n, err = w.Writer.Write([]byte("\r\n"))
+ if err != nil {
+ if n > 1 {
+ n = 1
+ }
+ return written + n, err
+ }
+ written += 1
+ i = next + 1
+ }
+}
diff --git a/pkg/util/crypto.go b/pkg/util/crypto/crypto.go
similarity index 99%
rename from pkg/util/crypto.go
rename to pkg/util/crypto/crypto.go
index 42b890d1891..1085c0b300d 100644
--- a/pkg/util/crypto.go
+++ b/pkg/util/crypto/crypto.go
@@ -14,7 +14,7 @@ See the License for the specific language governing permissions and
 limitations under the License.
 */
 
-package util
+package crypto
 
 import (
 "bytes"
diff --git a/plugin/pkg/auth/authenticator/token/oidc/oidc.go b/plugin/pkg/auth/authenticator/token/oidc/oidc.go
index c9071b1d723..30a6b72192e 100644
--- a/plugin/pkg/auth/authenticator/token/oidc/oidc.go
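Review bot: Write turns input that is already CRLF-terminated into `\r\r\n`, because the loop emits `\r\n` for every `\n` it finds without checking whether the byte before it is already `\r`; for a writer whose stated purpose is normalizing line endings that is a correctness bug, visible at `n, err = w.Writer.Write([]byte("\r\n"))`. The fix is to pass the `\n` through unchanged when the segment before it ends in `\r` (a `\r` that ends one Write call and a `\n` that starts the next would still need state in crlfWriter, which neither the original nor this fix handles). The short-write accounting is also off by one: if the underlying writer reports n == 1 for the two-byte sequence, only `\r` went out but the caller is told its `\n` was consumed, and the `if n > 1 { n = 1 }` clamp does not cover that case. Separately, the `n, err :=` declarations inside the loop shadow the named results, and `bytes.IndexByte(b[i:], '\n')` avoids allocating a separator slice on every iteration; Write and crlfWriter also lack doc comments stating that the returned count is in bytes of b, not bytes emitted.
```go
func (w crlfWriter) Write(b []byte) (int, error) {
	for i, written := 0, 0; ; {
		next := bytes.IndexByte(b[i:], '\n')
		// … unchanged: flush of the final segment when no "\n" remains …
		next = next + i
		n, err := w.Writer.Write(b[i:next])
		if err != nil {
			return written + n, err
		}
		written += n
		// Input that is already CRLF-terminated is passed through unchanged
		// rather than becoming "\r\r\n".
		eol := []byte("\r\n")
		if next > i && b[next-1] == '\r' {
			eol = eol[1:]
		}
		n, err = w.Writer.Write(eol)
		if err != nil {
			// The caller's "\n" counts as consumed only if the whole line ending went out.
			if n < len(eol) {
				n = 0
			} else {
				n = 1
			}
			return written + n, err
		}
		// … unchanged: written += 1; i = next + 1 …
	}
}
```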
+++ b/plugin/pkg/auth/authenticator/token/oidc/oidc.go
@@ -30,7 +30,7 @@ import (
 "github.com/coreos/go-oidc/oidc"
 "github.com/golang/glog"
 "k8s.io/kubernetes/pkg/auth/user"
- "k8s.io/kubernetes/pkg/util"
+ "k8s.io/kubernetes/pkg/util/crypto"
 "k8s.io/kubernetes/pkg/util/net"
 )
 
@@ -65,7 +65,7 @@ func New(issuerURL, clientID, caFile, usernameClaim, groupsClaim string) (*OIDCA
 }
 
 if caFile != "" {
- roots, err = util.CertPoolFromFile(caFile)
+ roots, err = crypto.CertPoolFromFile(caFile)
 if err != nil {
 glog.Errorf("Failed to read the CA file: %v", err)
 }
diff --git a/plugin/pkg/auth/authenticator/token/oidc/oidc_test.go b/plugin/pkg/auth/authenticator/token/oidc/oidc_test.go
index a2e3559ce29..bd5fc8bcbf1 100644
--- a/plugin/pkg/auth/authenticator/token/oidc/oidc_test.go
+++ b/plugin/pkg/auth/authenticator/token/oidc/oidc_test.go
@@ -137,7 +137,7 @@ func (op *oidcProvider) generateExpiredToken(t *testing.T, iss, sub, aud string,
 }
 
 // generateSelfSignedCert generates a self-signed cert/key pairs and writes to the certPath/keyPath.
-// This method is mostly identical to util.GenerateSelfSignedCert except for the 'IsCA' and 'KeyUsage'
+// This method is mostly identical to crypto.GenerateSelfSignedCert except for the 'IsCA' and 'KeyUsage'
 // in the certificate template. (Maybe we can merge these two methods).
 func generateSelfSignedCert(t *testing.T, host, certPath, keyPath string) {
 priv, err := rsa.GenerateKey(rand.Reader, 2048)