mirror of
https://github.com/k3s-io/kubernetes.git
synced 2025-11-04 07:49:35 +00:00
165 lines
5.1 KiB
Go
165 lines
5.1 KiB
Go
/*
|
|
Copyright 2015 The Kubernetes Authors.
|
|
|
|
Licensed under the Apache License, Version 2.0 (the "License");
|
|
you may not use this file except in compliance with the License.
|
|
You may obtain a copy of the License at
|
|
|
|
http://www.apache.org/licenses/LICENSE-2.0
|
|
|
|
Unless required by applicable law or agreed to in writing, software
|
|
distributed under the License is distributed on an "AS IS" BASIS,
|
|
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
|
See the License for the specific language governing permissions and
|
|
limitations under the License.
|
|
*/
|
|
|
|
package e2e
|
|
|
|
import (
|
|
"bytes"
|
|
"crypto/rand"
|
|
"crypto/rsa"
|
|
"crypto/tls"
|
|
"crypto/x509"
|
|
"crypto/x509/pkix"
|
|
"encoding/pem"
|
|
"fmt"
|
|
"io"
|
|
"math/big"
|
|
"net"
|
|
"net/http"
|
|
"strings"
|
|
"time"
|
|
|
|
"k8s.io/kubernetes/pkg/api"
|
|
"k8s.io/kubernetes/pkg/apis/extensions"
|
|
client "k8s.io/kubernetes/pkg/client/unversioned"
|
|
utilnet "k8s.io/kubernetes/pkg/util/net"
|
|
"k8s.io/kubernetes/test/e2e/framework"
|
|
)
|
|
|
|
const (
|
|
rsaBits = 2048
|
|
validFor = 365 * 24 * time.Hour
|
|
)
|
|
|
|
// generateRSACerts generates a basic self signed certificate using a key length
|
|
// of rsaBits, valid for validFor time.
|
|
func generateRSACerts(host string, isCA bool, keyOut, certOut io.Writer) error {
|
|
if len(host) == 0 {
|
|
return fmt.Errorf("Require a non-empty host for client hello")
|
|
}
|
|
priv, err := rsa.GenerateKey(rand.Reader, rsaBits)
|
|
if err != nil {
|
|
return fmt.Errorf("Failed to generate key: %v", err)
|
|
}
|
|
notBefore := time.Now()
|
|
notAfter := notBefore.Add(validFor)
|
|
|
|
serialNumberLimit := new(big.Int).Lsh(big.NewInt(1), 128)
|
|
serialNumber, err := rand.Int(rand.Reader, serialNumberLimit)
|
|
|
|
if err != nil {
|
|
return fmt.Errorf("failed to generate serial number: %s", err)
|
|
}
|
|
template := x509.Certificate{
|
|
SerialNumber: serialNumber,
|
|
Subject: pkix.Name{
|
|
CommonName: "default",
|
|
Organization: []string{"Acme Co"},
|
|
},
|
|
NotBefore: notBefore,
|
|
NotAfter: notAfter,
|
|
|
|
KeyUsage: x509.KeyUsageKeyEncipherment | x509.KeyUsageDigitalSignature,
|
|
ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
|
|
BasicConstraintsValid: true,
|
|
}
|
|
|
|
hosts := strings.Split(host, ",")
|
|
for _, h := range hosts {
|
|
if ip := net.ParseIP(h); ip != nil {
|
|
template.IPAddresses = append(template.IPAddresses, ip)
|
|
} else {
|
|
template.DNSNames = append(template.DNSNames, h)
|
|
}
|
|
}
|
|
|
|
if isCA {
|
|
template.IsCA = true
|
|
template.KeyUsage |= x509.KeyUsageCertSign
|
|
}
|
|
|
|
derBytes, err := x509.CreateCertificate(rand.Reader, &template, &template, &priv.PublicKey, priv)
|
|
if err != nil {
|
|
return fmt.Errorf("Failed to create certificate: %s", err)
|
|
}
|
|
if err := pem.Encode(certOut, &pem.Block{Type: "CERTIFICATE", Bytes: derBytes}); err != nil {
|
|
return fmt.Errorf("Failed creating cert: %v", err)
|
|
}
|
|
if err := pem.Encode(keyOut, &pem.Block{Type: "RSA PRIVATE KEY", Bytes: x509.MarshalPKCS1PrivateKey(priv)}); err != nil {
|
|
return fmt.Errorf("Failed creating keay: %v", err)
|
|
}
|
|
return nil
|
|
}
|
|
|
|
// buildTransport creates a transport for use in executing HTTPS requests with
|
|
// the given certs. Note that the given rootCA must be configured with isCA=true.
|
|
func buildTransport(serverName string, rootCA []byte) (*http.Transport, error) {
|
|
pool := x509.NewCertPool()
|
|
ok := pool.AppendCertsFromPEM(rootCA)
|
|
if !ok {
|
|
return nil, fmt.Errorf("Unable to load serverCA.")
|
|
}
|
|
return utilnet.SetTransportDefaults(&http.Transport{
|
|
TLSClientConfig: &tls.Config{
|
|
InsecureSkipVerify: false,
|
|
ServerName: serverName,
|
|
RootCAs: pool,
|
|
},
|
|
}), nil
|
|
}
|
|
|
|
// buildInsecureClient returns an insecure http client. Can be used for "curl -k".
|
|
func buildInsecureClient(timeout time.Duration) *http.Client {
|
|
t := &http.Transport{TLSClientConfig: &tls.Config{InsecureSkipVerify: true}}
|
|
return &http.Client{Timeout: timeout, Transport: utilnet.SetTransportDefaults(t)}
|
|
}
|
|
|
|
// createSecret creates a secret containing TLS certificates for the given Ingress.
|
|
// If a secret with the same name already exists in the namespace of the
|
|
// Ingress, it's updated.
|
|
func createSecret(kubeClient *client.Client, ing *extensions.Ingress) (host string, rootCA, privKey []byte, err error) {
|
|
var k, c bytes.Buffer
|
|
tls := ing.Spec.TLS[0]
|
|
host = strings.Join(tls.Hosts, ",")
|
|
framework.Logf("Generating RSA cert for host %v", host)
|
|
|
|
if err = generateRSACerts(host, true, &k, &c); err != nil {
|
|
return
|
|
}
|
|
cert := c.Bytes()
|
|
key := k.Bytes()
|
|
secret := &api.Secret{
|
|
ObjectMeta: api.ObjectMeta{
|
|
Name: tls.SecretName,
|
|
},
|
|
Data: map[string][]byte{
|
|
api.TLSCertKey: cert,
|
|
api.TLSPrivateKeyKey: key,
|
|
},
|
|
}
|
|
var s *api.Secret
|
|
if s, err = kubeClient.Secrets(ing.Namespace).Get(tls.SecretName); err == nil {
|
|
// TODO: Retry the update. We don't really expect anything to conflict though.
|
|
framework.Logf("Updating secret %v in ns %v with hosts %v for ingress %v", secret.Name, secret.Namespace, host, ing.Name)
|
|
s.Data = secret.Data
|
|
_, err = kubeClient.Secrets(ing.Namespace).Update(s)
|
|
} else {
|
|
framework.Logf("Creating secret %v in ns %v with hosts %v for ingress %v", secret.Name, secret.Namespace, host, ing.Name)
|
|
_, err = kubeClient.Secrets(ing.Namespace).Create(secret)
|
|
}
|
|
return host, cert, key, err
|
|
}
|